
Infostealer and Infostealer.Gamepass

Discussion in 'Malware and Virus Removal Archive' started by EmmaQ, 2008/06/07.

  1. 2008/06/07
    EmmaQ

    Hi

    My computer has been infected with Infostealer and Infostealer.Gamepass for a week. Symantec first alerted me to the presence of Infostealer, but it is unable to delete it. I have also scanned my computer using Trend Micro, but it does not detect anything.

    At present, Symantec doesn't work anymore on my computer, not even in safe mode. It freezes every time I try to start it in normal mode, and in safe mode it stops scanning after 219 files.

    I have tried to delete the infected files manually, but I cannot find them, and Symantec cannot clean or delete them. Also, the date on my computer always reverts back to June 2000.

    This is the most recent HJT log:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:55:11 PM, on 07/06/2000
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bb.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Kingsoft\PowerWord 2006\XDICT.EXE
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    F2 - REG:system.ini: Shell=Explorer.exe,pr570.exe,,gpr58D.exe,,gpr27.exe
    O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll (file missing)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: tisqatyu.dll - {18093456-9012-4568-9076-908765467181} - C:\WINDOWS\system32\tisqatyu.dll (file missing)
    O2 - BHO: opshbbty.dll - {22596546-2036-9451-6058-658402589722} - C:\WINDOWS\system32\opshbbty.dll (file missing)
    O2 - BHO: rijxbkin.dll - {25FD6584-698F-BCD2-602C-698745210352} - C:\WINDOWS\system32\rijxbkin.dll (file missing)
    O2 - BHO: yxcschlp.dll - {35671234-7890-ABCD-CDEF-567801237653} - C:\WINDOWS\system32\yxcschlp.dll (file missing)
    O2 - BHO: nhmxcjkl.dll - {37AC9076-C898-B098-D098-A18319080973} - C:\WINDOWS\system32\nhmxcjkl.dll (file missing)
    O2 - BHO: Eye Class - {41BE3A3D-6E4B-43F4-AAEB-5B4E95971968} - C:\WINDOWS\system32\dueoduxz.dll
    O2 - BHO: lofsdjbo.dll - {470165F1-9F65-569F-F895-F14F58F41074} - C:\WINDOWS\system32\lofsdjbo.dll (file missing)
    O2 - BHO: apsgdjba.dll - {4FD45A54-9875-698F-E56E-65102358FDF4} - C:\WINDOWS\system32\apsgdjba.dll (file missing)
    O2 - BHO: ptjhehlp.dll - {528DF602-9541-A985-210A-984A698C6F25} - C:\WINDOWS\system32\ptjhehlp.dll (file missing)
    O2 - BHO: ozfyebyt.dll - {5A069845-2036-6084-9054-6087502480A5} - C:\WINDOWS\system32\ozfyebyt.dll (file missing)
    O2 - BHO: oohxdbyt.dll - {5B1AEF69-DDAE-FDAD-DCAB-698F026ABDB5} - C:\WINDOWS\system32\oohxdbyt.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: yxfhcjpg.dll - {83BA45AF-FAAA-CDDD-BEEE-BCDE1234AB38} - C:\WINDOWS\system32\yxfhcjpg.dll (file missing)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {A9930D97-9CF0-42A0-A10D-4F28836579D5} - C:\PROGRA~1\KuGoo3\KUGOO3~1.OCX (file missing)
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\RunOnce: [svc] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bb.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Startup: Powerword 2006.lnk = C:\Program Files\Kingsoft\PowerWord 2006\XDICT.EXE
    O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)
    O9 - Extra button: (no name) - {6354ABE6-05F1-49ed-B850-E423120EC338} - http://cn.widget.yahoo.com/index.htm?source=Cns (file missing)
    O9 - Extra button: D??¢?ì?÷ - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE (file missing)
    O9 - Extra 'Tools' menuitem: ¨?¨2??QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Instant Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yahoomsg (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q306&bd=pavilion&pf=laptop
    O15 - ESC Trusted Zone: http://*.update.microsoft.com
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by116fd.bay116.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1157852031890
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1157852025406
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {C728DAB8-FDF5-4CD7-89DD-879D25794C77} (KooPlayer Control) - http://zhibo.cctv.com/video_player/img/CCTVKooPlayer.ocx
    O20 - AppInit_DLLs: m,msosmhfp00.dll,nhmxcjkl.dll,tisqatyu.dll
    O21 - SSODL: midimapcb - {4F4F0064-71E0-4f0d-0006-708476C7815F} - C:\WINDOWS\system32\midimapcb.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    --
    End of file - 9435 bytes
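For anyone reading a log like the one above, here is an added example (not from this thread, not from HijackThis) that applies a few defender-side triage heuristics to lines copied from EmmaQ's log: extra programs on the F2 Shell= line, randomly named BHOs, an autorun from a Temp directory, a populated AppInit_DLLs value, an SSODL entry, and DLL names that recur across load points. The sample lines are taken from the log above; the scoring rules and the `triage`/`flagged_sections` function names are my own.

```python
import re
from collections import defaultdict, namedtuple

Finding = namedtuple("Finding", "section reason line")

# Entries copied from the HijackThis log posted above, plus two benign lines
# (Adobe BHO, RealPlayer scheduler) that a sound heuristic must NOT flag.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe,pr570.exe,,gpr58D.exe,,gpr27.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: tisqatyu.dll - {18093456-9012-4568-9076-908765467181} - C:\WINDOWS\system32\tisqatyu.dll (file missing)
O2 - BHO: nhmxcjkl.dll - {37AC9076-C898-B098-D098-A18319080973} - C:\WINDOWS\system32\nhmxcjkl.dll (file missing)
O2 - BHO: Eye Class - {41BE3A3D-6E4B-43F4-AAEB-5B4E95971968} - C:\WINDOWS\system32\dueoduxz.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunOnce: [svc] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bb.exe
O20 - AppInit_DLLs: m,msosmhfp00.dll,nhmxcjkl.dll,tisqatyu.dll
O21 - SSODL: midimapcb - {4F4F0064-71E0-4f0d-0006-708476C7815F} - C:\WINDOWS\system32\midimapcb.dll
"""

# Eight lowercase letters + .dll is the naming pattern of the BHOs in this log.
RANDOM_DLL = re.compile(r"^[a-z]{8}\.dll$")
ENTRY = re.compile(r"^(F\d|O\d+|R\d) - (.*)$")


def basename(path):
    """Last component of a Windows path, with any '(file missing)' tag removed."""
    return path.replace("(file missing)", "").strip().split("\\")[-1]


def triage(log_text):
    """Return Findings for HijackThis entries that warrant a closer look."""
    findings = []
    seen_in = defaultdict(set)  # dll name (lowercase) -> sections it appears in

    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue
        sec, rest = m.group(1), m.group(2)

        if sec == "F2" and "Shell=" in rest:
            # A clean system.ini Shell= line is just Explorer.exe; anything
            # else listed there is started at every logon.
            shells = [t for t in rest.split("Shell=", 1)[1].split(",") if t]
            extra = [t for t in shells if t.lower() != "explorer.exe"]
            if extra:
                findings.append(Finding(sec, "extra shell executables: " + ", ".join(extra), line))

        elif sec == "O2":
            # BHO: <name> - {CLSID} - <path> [(file missing)]
            parts = [p.strip() for p in rest.split(" - ")]
            name = basename(parts[-1]) if len(parts) >= 3 else ""
            if RANDOM_DLL.match(name):
                seen_in[name.lower()].add(sec)
                note = " (file missing: orphaned registration)" if "(file missing)" in rest else ""
                findings.append(Finding(sec, f"randomly named BHO {name}{note}", line))

        elif sec == "O4" and "\\temp\\" in rest.lower():
            # Persistence launched from a Temp directory is rarely legitimate.
            findings.append(Finding(sec, "autorun from a Temp directory", line))

        elif sec == "O20" and rest.startswith("AppInit_DLLs:"):
            # AppInit_DLLs is empty on a default XP install; anything listed is
            # loaded into every process that links user32.dll.
            dlls = [t.strip() for t in rest.split(":", 1)[1].split(",") if t.strip()]
            for d in dlls:
                if d.lower().endswith(".dll"):
                    seen_in[d.lower()].add(sec)
            if dlls:
                findings.append(Finding(sec, "AppInit_DLLs populated: " + ", ".join(dlls), line))

        elif sec == "O21":
            # SSODL entries are loaded by explorer.exe at logon; verify the publisher.
            parts = [p.strip() for p in rest.split(" - ")]
            name = basename(parts[-1]) if parts else ""
            seen_in[name.lower()].add(sec)
            findings.append(Finding(sec, f"SSODL loads {name} into Explorer at logon", line))

    # A DLL registered in more than one load point is a stronger signal than any
    # single entry; here tisqatyu.dll and nhmxcjkl.dll are both BHO and AppInit DLL.
    for dll, secs in sorted(seen_in.items()):
        if len(secs) > 1:
            findings.append(Finding("XREF", f"{dll} appears in {', '.join(sorted(secs))}", ""))
    return findings


def flagged_sections(log_text):
    """Map section -> number of findings, for a one-glance summary."""
    counts = defaultdict(int)
    for f in triage(log_text):
        counts[f.section] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}")
        if f.line:
            print("    " + f.line)
```

The heuristics are deliberately narrow (random 8-letter names, Temp paths, populated AppInit_DLLs), so a clean log produces no findings and each hit points at a specific load point to verify rather than at the whole log.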
     
  2. 2008/06/08
    EmmaQ

    Deckard Main txt

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:00:48 PM, on 07/06/2000
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bb.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Kingsoft\PowerWord 2006\XDICT.EXE
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Yi Quan\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\YIQUAN~1.EXE

    F2 - REG:system.ini: Shell=Explorer.exe,pr570.exe,,gpr58D.exe,,gpr27.exe
    O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll (file missing)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: tisqatyu.dll - {18093456-9012-4568-9076-908765467181} - C:\WINDOWS\system32\tisqatyu.dll (file missing)
    O2 - BHO: opshbbty.dll - {22596546-2036-9451-6058-658402589722} - C:\WINDOWS\system32\opshbbty.dll (file missing)
    O2 - BHO: rijxbkin.dll - {25FD6584-698F-BCD2-602C-698745210352} - C:\WINDOWS\system32\rijxbkin.dll (file missing)
    O2 - BHO: yxcschlp.dll - {35671234-7890-ABCD-CDEF-567801237653} - C:\WINDOWS\system32\yxcschlp.dll (file missing)
    O2 - BHO: nhmxcjkl.dll - {37AC9076-C898-B098-D098-A18319080973} - C:\WINDOWS\system32\nhmxcjkl.dll (file missing)
    O2 - BHO: Eye Class - {41BE3A3D-6E4B-43F4-AAEB-5B4E95971968} - C:\WINDOWS\system32\dueoduxz.dll
    O2 - BHO: lofsdjbo.dll - {470165F1-9F65-569F-F895-F14F58F41074} - C:\WINDOWS\system32\lofsdjbo.dll (file missing)
    O2 - BHO: apsgdjba.dll - {4FD45A54-9875-698F-E56E-65102358FDF4} - C:\WINDOWS\system32\apsgdjba.dll (file missing)
    O2 - BHO: ptjhehlp.dll - {528DF602-9541-A985-210A-984A698C6F25} - C:\WINDOWS\system32\ptjhehlp.dll (file missing)
    O2 - BHO: ozfyebyt.dll - {5A069845-2036-6084-9054-6087502480A5} - C:\WINDOWS\system32\ozfyebyt.dll (file missing)
    O2 - BHO: oohxdbyt.dll - {5B1AEF69-DDAE-FDAD-DCAB-698F026ABDB5} - C:\WINDOWS\system32\oohxdbyt.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: yxfhcjpg.dll - {83BA45AF-FAAA-CDDD-BEEE-BCDE1234AB38} - C:\WINDOWS\system32\yxfhcjpg.dll (file missing)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {A9930D97-9CF0-42A0-A10D-4F28836579D5} - C:\PROGRA~1\KuGoo3\KUGOO3~1.OCX (file missing)
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\RunOnce: [svc] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bb.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Startup: Powerword 2006.lnk = C:\Program Files\Kingsoft\PowerWord 2006\XDICT.EXE
    O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)
    O9 - Extra button: (no name) - {6354ABE6-05F1-49ed-B850-E423120EC338} - http://cn.widget.yahoo.com/index.htm?source=Cns (file missing)
    O9 - Extra button: D??¢?ì?÷ - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE (file missing)
    O9 - Extra 'Tools' menuitem: ¨?¨2??QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Instant Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yahoomsg (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q306&bd=pavilion&pf=laptop
    O15 - ESC Trusted Zone: http://*.update.microsoft.com
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by116fd.bay116.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1157852031890
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1157852025406
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {C728DAB8-FDF5-4CD7-89DD-879D25794C77} (KooPlayer Control) - http://zhibo.cctv.com/video_player/img/CCTVKooPlayer.ocx
    O20 - AppInit_DLLs: m,msosmhfp00.dll,nhmxcjkl.dll,tisqatyu.dll
    O21 - SSODL: midimapcb - {4F4F0064-71E0-4f0d-0006-708476C7815F} - C:\WINDOWS\system32\midimapcb.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    --
    End of file - 9474 bytes

    -- Files created between 2000-05-07 and 2000-06-07 -----------------------------

    2008-06-02 21:53:42 94383892 --a------ C:\SYM_REGISTRY_BACKUP.reg
    2008-05-15 23:04:50 26 --a------ C:\WINDOWS\system32\xlhcc.dat
    2008-05-15 23:04:19 0 d-------- C:\Program Files\Common Files\Thunder Network
    2008-05-12 17:11:46 0 d-------- C:\Program Files\eMule
    2008-04-30 08:31:36 0 d-------- C:\Program Files\Common Files\xing shared
    2008-04-27 18:58:36 0 d-------- C:\Program Files\CCTV
    2008-04-09 19:25:39 0 d-------- C:\Program Files\QuickTime
    2008-03-29 10:47:03 0 d-------- C:\Program Files\Flock
    2008-03-26 11:51:16 0 d-------- C:\Documents and Settings\Yi Quan\Application Data\BITS
    2008-03-26 11:50:18 0 d-------- C:\Program Files\FlashGet Network
    2008-03-01 21:01:56 0 d-------- C:\Program Files\PPStream
    2008-02-20 11:26:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
    2008-02-03 09:40:49 20 --a------ C:\WINDOWS\system32\pub_store.dat
    2008-01-19 19:56:06 0 d--h----- C:\WINDOWS\PIF
    2008-01-02 21:00:22 0 d-------- C:\Program Files\Microsoft Silverlight
    2007-12-23 23:05:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2007-12-23 18:25:43 0 d-------- C:\OneNote1
    2007-12-23 17:40:16 376 --a------ C:\WINDOWS\mozregistry.dat
    2007-12-23 17:37:30 0 d-------- C:\Program Files\hp deskjet 656c series
    2007-12-22 13:54:03 0 d-------- C:\Documents and Settings\Yi Quan\Application Data\DivX
    2007-12-22 13:37:58 0 d-------- C:\Program Files\DivX
    2007-12-15 15:49:27 0 d-------- C:\Program Files\ApexDC++
    2007-12-09 21:49:04 0 d--h----- C:\Documents and Settings\Administrator\Templates
    2007-12-09 21:49:04 0 dr------- C:\Documents and Settings\Administrator\Start Menu
    2007-12-09 21:49:04 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
    2007-12-09 21:49:04 0 dr-h----- C:\Documents and Settings\Administrator\Recent
    2007-12-09 21:49:04 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
    2007-12-09 21:49:04 0 d--h----- C:\Documents and Settings\Administrator\NetHood
    2007-12-09 21:49:04 0 dr------- C:\Documents and Settings\Administrator\My Documents
    2007-12-09 21:49:04 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
    2007-12-09 21:49:04 0 dr------- C:\Documents and Settings\Administrator\Favorites
    2007-12-09 21:49:04 0 d-------- C:\Documents and Settings\Administrator\Desktop
    2007-12-09 21:49:04 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
    2007-12-09 21:49:04 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
    2007-12-09 21:49:04 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
    2007-12-09 21:49:04 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
    2007-12-09 21:49:04 0 d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
    2007-12-09 21:49:03 1310720 --ah----- C:\Documents and Settings\Administrator\ntuser.dat
    2007-12-02 22:21:27 0 d-------- C:\Documents and Settings\Default User\Application Data\Apple Computer
    2007-12-02 22:20:45 0 d-------- C:\Documents and Settings\LocalService\Desktop
    2007-11-21 20:13:15 0 d-------- C:\Program Files\Passware
    2007-11-21 19:54:13 0 d-------- C:\Documents and Settings\All Users\Application Data\mvcache
    2007-11-21 19:53:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Thunder Network
    2007-11-06 16:44:29 18048 -ra------ C:\WINDOWS\system32\drivers\USB200M2.sys <Not Verified; Linksys; Linksys USB 2.0 Network Adapter ver.2>
    2007-11-04 13:10:18 737280 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
    2007-11-04 13:10:18 0 d-------- C:\Program Files\IPS5e
    2007-11-03 12:08:40 0 d-------- C:\Documents and Settings\Yi Quan\.housecall6.6
    2007-10-31 21:42:09 26368 --a------ C:\WINDOWS\system32\drivers\USB100TX.sys <Not Verified; Linksys; Linksys EtherFast 10/100 USB Network Adapter>
    2007-10-24 21:30:24 0 d-------- C:\WINDOWS\pss
    2007-10-24 13:22:40 0 d-------- C:\Program Files\Neuro
    2007-10-07 19:46:22 0 d-------- C:\Program Files\Dictionary
    2007-10-03 19:20:02 0 d--hs---- C:\Documents and Settings\NetworkService\Temporary Internet Files
    2007-10-03 19:20:02 0 d--hs---- C:\Documents and Settings\NetworkService\History
    2007-10-01 20:34:13 0 d-------- C:\Program Files\Apple Software Update
    2007-10-01 20:33:51 0 d-------- C:\Program Files\Common Files\Apple
    2007-10-01 20:33:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
    2007-09-30 15:58:28 0 d-------- C:\Program Files\Imagiers-dictees-1
    2007-09-30 11:58:18 0 d-------- C:\Documents and Settings\LocalService\Application Data\PPStream
    2007-09-15 17:52:16 0 d-------- C:\Program Files\MINITAB 14 Student
    2007-09-14 17:02:55 322048 --a------ C:\WINDOWS\system32\sculptapi.dll <Not Verified; Interactive Simulations Inc.; Interactive Simulations Inc. Sculptapi>
    2007-09-14 16:58:10 0 d-------- C:\WINDOWS\aim95
    2007-09-14 16:58:03 61952 --a------ C:\WINDOWS\system32\nabapi32.dll <Not Verified; Netscape Communications Corporation; Netscape Communications Address Book API>
    2007-09-14 16:57:56 634087 --a------ C:\WINDOWS\cd32.exe
    2007-09-14 16:57:29 299520 --a------ C:\WINDOWS\uninst.exe <Not Verified; InstallShield Corporation, Inc.; InstallShield unInstaller>
    2007-09-14 16:56:50 0 d-------- C:\Documents and Settings\Yi Quan\WINDOWS
    2007-09-04 07:56:26 0 d--hs---- C:\Documents and Settings\LocalService\Temporary Internet Files
    2007-09-04 07:56:26 0 d--hs---- C:\Documents and Settings\LocalService\History
    2007-09-04 07:56:26 0 dr------- C:\Documents and Settings\LocalService\Favorites
    2007-09-04 07:56:26 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
    2007-09-03 23:04:46 0 d-------- C:\Program Files\Symantec
    2007-09-03 23:04:37 0 d-------- C:\Program Files\Symantec AntiVirus
    2007-09-03 22:54:29 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
    2007-06-03 21:58:09 0 d-------- C:\Documents and Settings\Yi Quan\Application Data\Sonic
    2007-06-03 21:57:57 0 d-------- C:\Documents and Settings\Yi Quan\Application Data\Leadertech
    2007-06-03 18:44:40 0 d-------- C:\Documents and Settings\Yi Quan\Application Data\CyberLink
    2007-05-08 15:03:04 1275392 --a------ C:\WINDOWS\system32\msxml4.dll <Not Verified; Microsoft Corporation; Microsoft(R) MSXML 4.0 SP 2>
    2007-05-06 22:20:26 0 d-------- C:\WINDOWS\wt
    2007-04-23 18:27:48 0 d-------- C:\WINDOWS\system32\ini
    2007-04-23 18:27:35 0 d-------- C:\Program Files\Funshion Online
    2007-04-21 16:17:05 147456 --a------ C:\WINDOWS\system32\uwLibs.dll <Not Verified; UsefulWare, Inc.; uwLibs>
    2007-04-21 16:17:05 77824 --a------ C:\WINDOWS\system32\ODBCTL32.DLl <Not Verified; Microsoft Corporation; Microsoft Open Database Connectivity>
    2007-04-21 16:17:05 86016 --a------ C:\WINDOWS\system32\nsprof.dll
    2007-04-21 16:17:05 251664 --a------ C:\WINDOWS\system32\MSRD2X35.DLl <Not Verified; Microsoft Corporation; Microsoft? Jet>
    2007-04-21 16:17:05 24336 --a------ C:\WINDOWS\system32\MSJTER35.DLl <Not Verified; Microsoft Corporation; Microsoft? Jet>
    2007-04-21 16:17:05 121104 --a------ C:\WINDOWS\system32\MSJINT35.DLl <Not Verified; Microsoft Corporation; Microsoft? Jet>
    2007-04-21 16:17:05 1050384 --a------ C:\WINDOWS\system32\MSJET35.DLl <Not Verified; Microsoft Corporation; Microsoft? Jet>
    2007-04-21 16:17:05 570128 --a------ C:\WINDOWS\system32\DAO350.DLl <Not Verified; Microsoft Corporation; Microsoft? Jet>
    2007-04-21 16:12:01 0 d-------- C:\Documents and Settings\All Users\Application Data\Gtek
    2007-04-21 16:11:58 0 d-------- C:\Documents and Settings\Yi Quan\Application Data\GTek
    2007-03-01 19:16:27 107520 --a------ C:\WINDOWS\system32\dxdugvqhk.exe <Not Verified; ; Update>
    2007-02-25 02:07:07 1308 --a------ C:\WINDOWS\system32\eggdcn.exe
    2007-02-24 23:00:17 0 d-------- C:\Program Files\Overture 4.0 中文版
    2007-02-24 22:44:24 0 d-------- C:\Documents and Settings\Yi Quan\Application Data\WinRAR
    2007-02-24 20:31:13 0 d-------- C:\Documents and Settings\Yi Quan\Application Data\FileMaker
    2007-02-15 23:44:49 1308 --a------ C:\WINDOWS\system32\wiesfm.exe
    2007-02-07 23:12:10 21 --a------ C:\WINDOWS\KwYl.dat
    2007-02-02 00:30:04 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
    2007-02-02 00:25:26 20480 --a------ C:\WINDOWS\system32\qscxaiwhp.dll
    2007-02-02 00:25:25 32768 --a------ C:\WINDOWS\system32\qscxaiwhs.exe <Not Verified; Update; Update>
    2007-02-01 23:59:16 0 --a------ C:\WINDOWS\system32\wyncim.exe
    2007-02-01 20:57:09 0 d-------- C:\WINDOWS\network diagnostic
    2007-01-26 21:56:14 0 --a------ C:\WINDOWS\system32\dxdugvqhs.exe
    2007-01-26 21:56:14 20480 --a------ C:\WINDOWS\system32\dxdugvqhp.dll
    2007-01-26 20:55:31 0 -rahs---- C:\MSDOS.SYS
    2007-01-26 20:55:31 0 -rahs---- C:\IO.SYS
    2007-01-26 20:55:30 1308 --a------ C:\WINDOWS\system32\vkkpsi.exe
    2007-01-21 21:57:39 40960 --a------ C:\WINDOWS\system32\tohwstazs.exe <Not Verified; SKDN; SKDN SkDnUpdate>
    2007-01-21 21:57:39 20480 --a------ C:\WINDOWS\system32\tohwstazp.dll
    2007-01-12 19:43:37 0 d-------- C:\Documents and Settings\Yi Quan\Application Data\ppstream
    2006-12-22 12:28:14 271360 --a------ C:\WINDOWS\system32\mscoree.dll <Not Verified; Microsoft Corporation; Microsoft? .NET Framework>
    2006-12-15 19:32:39 0 d-------- C:\Program Files\Windows Media Connect 2
    2006-12-15 19:31:26 0 d-------- C:\WINDOWS\system32\LogFiles
    2006-12-15 19:31:26 0 d-------- C:\WINDOWS\system32\drivers\UMDF
    2006-12-07 17:29:51 0 d-------- C:\Program Files\Windows Defender
    2006-11-24 16:31:04 0 d-------- C:\Program Files\NJStar Communicator
    2006-11-19 00:01:21 0 d-------- C:\a622bd1e94086933633b21badffe23
    2006-11-18 23:59:35 0 d-------- C:\Program Files\MSXML 4.0
    2006-11-13 14:45:02 0 d-------- C:\Program Files\BitComet
    2006-10-31 21:55:04 0 d-------- C:\Documents and Settings\Yi Quan\Application Data\Help
    2006-10-31 21:52:02 0 d-------- C:\Program Files\VSTPlugins
    2006-10-31 21:52:02 0 d-------- C:\Documents and Settings\Yi Quan\Application Data\GenieSoft
    2006-10-29 15:16:02 0 d-------- C:\temp
    2006-10-22 14:41:42 0 d-------- C:\Documents and Settings\Yi Quan\Application Data\NJStar
    2006-10-16 22:17:46 0 d-------- C:\Documents and Settings\Yi Quan\Application Data\Apple Computer
    2006-10-16 22:17:20 1763 --a------ C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
    2006-10-15 22:42:15 24576 --a------ C:\WINDOWS\system32\DllReg.dll <Not Verified; ; DllReg Module>
    2006-10-15 22:41:40 74368 -----n--- C:\WINDOWS\system32\cns.dat
    2006-10-15 22:41:20 2564 --a------ C:\WINDOWS\cnsinfo.dat
    2006-10-15 22:30:23 0 d-------- C:\KuGoo
    2006-10-15 22:30:22 2120 --a------ C:\WINDOWS\mslistenido.dat
    2006-10-15 22:28:15 5256 --a------ C:\WINDOWS\LoginUsers.dat
    2006-10-15 22:27:50 153088 --a------ C:\WINDOWS\system32\UNWISE.EXE
    2006-10-15 22:05:24 0 d-------- C:\Documents and Settings\All Users\Application Data\Tencent
    2006-10-15 22:05:01 0 d-------- C:\WINDOWS\system32\qqedit
    2006-10-15 21:59:51 0 d-------- C:\Program Files\Tencent
    2006-10-15 21:53:07 0 d-------- C:\TDdownload
    2006-10-15 21:52:39 2560 --a------ C:\WINDOWS\system32\cid_store.dat
    2006-10-15 21:52:32 0 d-------- C:\Program Files\Thunder Network
    2006-10-15 21:44:21 0 d-------- C:\Documents and Settings\Yi Quan\Application Data\Kingsoft
    2006-10-15 21:43:12 0 d-------- C:\Program Files\Common Files\kingsoft
    2006-10-15 21:43:03 0 d-------- C:\Program Files\Kingsoft
    2006-10-15 21:36:06 0 d-------- C:\Documents and Settings\Yi Quan\Application Data\ACD Systems
    2006-10-15 21:35:28 0 d-------- C:\Program Files\Common Files\ACD Systems
    2006-10-15 21:35:28 0 d-------- C:\Program Files\ACD Systems
    2006-10-15 21:35:28 0 d-------- C:\Documents and Settings\All Users\Application Data\ACD Systems
    2006-10-15 21:35:21 10368 --a------ C:\WINDOWS\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>
    2006-10-15 21:34:50 0 d-------- C:\WINDOWS\Downloaded Installations
    2006-09-29 15:11:43 0 d-------- C:\WINDOWS\Sun
    2006-09-29 15:11:43 0 d-------- C:\Documents and Settings\Yi Quan\Application Data\Sun
    2006-09-26 11:32:32 0 d-------- C:\Documents and Settings\All Users\Application Data\WhiteCap (Holiday Edition)
    2006-09-22 16:17:39 0 d-------- C:\Documents and Settings\Yi Quan\Application Data\Google
    2006-09-22 14:26:56 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
    2006-09-13 18:24:59 0 d-------- C:\Documents and Settings\Yi Quan\Contacts
    2006-09-13 18:13:52 0 d-------- C:\Program Files\MSN Messenger
    2006-09-12 17:08:27 0 d-------- C:\Documents and Settings\Yi Quan\Application Data\muvee Technologies
    2006-09-12 17:08:26 0 d-------- C:\Documents and Settings\All Users\Application Data\muvee Technologies
    2006-09-11 19:38:04 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
    2006-09-11 19:30:33 0 d-------- C:\Program Files\Real
    2006-09-11 19:30:33 0 d-------- C:\Program Files\Common Files\Real
    2006-09-11 19:30:03 0 d-------- C:\Documents and Settings\Yi Quan\Application Data\Real
    2006-09-11 19:27:26 0 d-------- C:\My Downloads
    2006-09-10 20:12:56 0 d-------- C:\Program Files\Common Files\AOL
    2006-09-09 21:44:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
    2006-09-09 21:41:11 0 d-------- C:\WINDOWS\system32\PreInstall
    2006-09-09 21:34:03 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
    2006-09-09 21:32:55 0 d--hs---- C:\Documents and Settings\Yi Quan\UserData
    2006-09-09 21:30:30 40485 --a------ C:\WINDOWS\nsreg.dat
    2006-09-09 21:30:19 3286 --a------ C:\WINDOWS\mozver.dat
    2006-09-09 21:30:18 0 d-------- C:\Documents and Settings\Yi Quan\Application Data\Mozilla
    2006-09-09 21:23:10 0 d-------- C:\Documents and Settings\Yi Quan\Application Data\AdobeUM
    2006-09-09 21:22:48 0 d-------- C:\Documents and Settings\Yi Quan\Application Data\Adobe
    2006-09-09 21:22:47 0 d-------- C:\Program Files\Common Files\Adobe
    2006-09-08 18:59:24 0 d-------- C:\Documents and Settings\Yi Quan\Application Data\Template
    2006-09-08 18:59:23 152 --a------ C:\Documents and Settings\Yi Quan\Application Data\wklnhst.dat
    2006-09-08 18:06:51 0 d-------- C:\Documents and Settings\Yi Quan\Application Data\HP
    2006-09-08 18:05:29 0 d-------- C:\Documents and Settings\Yi Quan\Application Data\Macromedia
    2006-09-08 17:44:31 0 d-------- C:\Documents and Settings\Yi Quan\Application Data\Netscape
    2006-09-08 17:37:14 0 d--hs---- C:\Documents and Settings\Yi Quan\Temporary Internet Files
    2006-09-08 17:37:14 0 d--hs---- C:\Documents and Settings\Yi Quan\History
    2006-09-08 17:36:13 0 d--h----- C:\Documents and Settings\Yi Quan\Templates
    2006-09-08 17:36:13 0 dr------- C:\Documents and Settings\Yi Quan\Start Menu
    2006-09-08 17:36:13 0 dr-h----- C:\Documents and Settings\Yi Quan\SendTo
    2006-09-08 17:36:13 0 dr-h----- C:\Documents and Settings\Yi Quan\Recent
    2006-09-08 17:36:13 0 d--h----- C:\Documents and Settings\Yi Quan\PrintHood
    2006-09-08 17:36:13 0 d--h----- C:\Documents and Settings\Yi Quan\NetHood
    2006-09-08 17:36:13 0 dr------- C:\Documents and Settings\Yi Quan\My Documents
    2006-09-08 17:36:13 0 d--h----- C:\Documents and Settings\Yi Quan\Local Settings
    2006-09-08 17:36:13 0 dr------- C:\Documents and Settings\Yi Quan\Favorites
    2006-09-08 17:36:13 0 d-------- C:\Documents and Settings\Yi Quan\Desktop
    2006-09-08 17:36:13 0 d--hs---- C:\Documents and Settings\Yi Quan\Cookies
    2006-09-08 17:36:13 0 dr-h----- C:\Documents and Settings\Yi Quan\Application Data
    2006-09-08 17:36:13 0 d-------- C:\Documents and Settings\Yi Quan\Application Data\Identities
    2006-09-08 17:36:12 7077888 --a------ C:\Documents and Settings\Yi Quan\NTUSER.DAT
    2006-09-08 17:35:18 262144 --a------ C:\Documents and Settings\All Users\NTUSER.DAT
    2006-09-08 17:35:11 0 d-------- C:\Documents and Settings\Default User\Application Data\Identities
    2006-09-08 17:33:55 0 d-------- C:\WINDOWS\Prefetch
    2006-09-08 15:29:08 0 d-------- C:\bin
    2006-09-08 15:21:41 0 d-------- C:\Program Files\Common Files\Hewlett-Packard
    2006-09-08 15:13:30 117094 --a------ C:\WINDOWS\hpoins11.dat
    2006-07-30 04:47:10 49152 --a------ C:\WINDOWS\system32\comploader.dll <Not Verified; Sogou.com Inc.; Sogou Express>
    2006-07-28 10:04:40 73728 --a------ C:\WINDOWS\system32\SODAHK.DLL <Not Verified; Sogou.com Inc.; Sogou Express>
    2006-07-28 06:11:51 30208 --a------ C:\WINDOWS\system32\unsocul.exe <Not Verified; Sogou.com Inc.; Address Bar Express>
    2006-07-28 05:43:55 61440 --a------ C:\WINDOWS\system32\socul.dll <Not Verified; ; Sogou Express>
    2006-05-19 04:33:20 0 d--hs---- C:\System Volume Information
    2006-05-19 04:08:14 0 d-------- C:\WINDOWS\CREATOR
    2006-05-19 04:01:14 0 d-------- C:\Program Files\NetWaiting
    2006-05-19 03:47:54 0 d-------- C:\WINDOWS\SMINST
    2006-05-19 03:46:42 266240 --a------ C:\WINDOWS\system32\ShellvRTF64.dll <Not Verified; XSS; XSS ShellvRTF>
    2006-05-19 03:46:42 237568 --a------ C:\WINDOWS\system32\ShellvRTF.dll <Not Verified; XSS; XSS ShellvRTF>
    2006-05-19 03:46:20 0 d-------- C:\Program Files\Common Files\LightScribe
    2006-05-19 03:45:57 987136 --a------ C:\WINDOWS\system32\BttnCmn.dll <Not Verified; Hewlett-Packard Company; Q Menu>
    2006-05-19 03:35:35 0 d-------- C:\Program Files\Microsoft Office Trial Wizard
    2006-05-19 03:34:59 0 d-------- C:\Program Files\muvee Technologies
    2006-05-19 03:34:59 0 d-------- C:\Program Files\Common Files\muvee Technologies
    2006-05-19 03:33:59 0 d-------- C:\Program Files\Google
    2006-05-19 03:31:57 45929 --a------ C:\WINDOWS\NSSetDefaultBrowser.EXE
    2006-05-19 03:31:49 0 d-------- C:\Program Files\Netscape
    2006-05-19 03:24:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
    2006-05-19 03:24:35 0 d-------- C:\Program Files\Common Files\Symantec Shared
    2006-05-19 03:20:27 0 d-------- C:\Program Files\WildTangent
    2006-05-19 03:15:34 0 d-------- C:\hp
    2006-05-19 03:14:43 0 d-------- C:\Documents and Settings\All Users\Application Data\HP
    2006-05-19 03:14:42 0 d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
    2006-05-19 03:14:32 44544 --a------ C:\WINDOWS\system32\msxml4a.dll <Not Verified; Microsoft Corporation; Microsoft(R) MSXML 4.0 SP1>
    2006-05-19 03:14:15 53248 --a------ C:\WINDOWS\iwlandrvxpver.dll <Not Verified; hp; hp iwlandrvxpver>
    2006-05-19 03:14:07 0 d------c- C:\WINDOWS\system32\DRVSTORE
    2006-05-19 03:13:45 0 d-------- C:\Program Files\Synaptics
    2006-05-19 03:13:20 0 d-------- C:\WINDOWS\tiinst
    2006-05-19 03:12:43 0 d-------- C:\Program Files\Microsoft ActiveSync
    2006-05-19 03:12:30 0 d-------- C:\WINDOWS\SHELLNEW
    2006-05-19 03:12:19 0 d-------- C:\Program Files\Microsoft.NET
    2006-05-19 03:11:58 0 dr-h----- C:\MSOCache
    2006-05-19 03:10:59 0 d-------- C:\Program Files\Microsoft Works
    2006-05-19 03:10:45 0 d-------- C:\Program Files\MSN Encarta Plus
    2006-05-19 03:10:08 0 d-------- C:\Program Files\Microsoft Money 2006
    2006-05-19 03:02:38 0 d-------- C:\Program Files\CONEXANT
    2006-05-19 03:01:46 0 d-------- C:\WINDOWS\system32\ReinstallBackups
    2006-05-19 03:01:45 0 d-------- C:\Program Files\Intel
    2006-05-19 03:01:24 32356 --a------ C:\WINDOWS\system32\pusbfd1.sys <Not Verified; Phoenix Technologies K.K.; USB FDD DRIVER>
    2006-05-19 02:56:38 229376 --a------ C:\Documents and Settings\LocalService\NTUSER.DAT
    2006-05-19 02:56:38 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
    2006-05-19 02:56:38 0 d--hs---- C:\Documents and Settings\LocalService\Cookies
    2006-05-19 02:56:38 0 d-------- C:\Documents and Settings\LocalService\Application Data
    2006-05-19 02:56:38 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
    2006-05-19 02:56:36 229376 --a------ C:\Documents and Settings\NetworkService\NTUSER.DAT
    2006-05-19 02:56:36 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
    2006-05-19 02:56:36 0 d--hs---- C:\Documents and Settings\NetworkService\Cookies
    2006-05-19 02:56:36 0 d-------- C:\Documents and Settings\NetworkService\Application Data
    2006-05-19 02:56:36 0 d---s---- C:\Documents and
     

  4. 2008/06/08
    EmmaQ

    EmmaQ Inactive Thread Starter

    Joined:
    2008/06/04
    Messages:
    20
    Likes Received:
    0
    Rest of Deckard file

    Settings\NetworkService\Application Data\Microsoft
    2006-05-19 00:51:19 0 d-------- C:\WINDOWS\WinSxS
    2006-05-19 00:51:19 0 dr------- C:\WINDOWS\Web
    2006-05-19 00:51:19 0 d-------- C:\WINDOWS\twain_32
    2006-05-19 00:51:19 0 d---s---- C:\WINDOWS\Tasks
    2006-05-19 00:51:19 0 d-------- C:\WINDOWS\system32\xircom
    2006-05-19 00:51:19 0 d-------- C:\WINDOWS\system32\wins
    2006-05-19 00:51:19 0 d-------- C:\WINDOWS\system32\wbem
    2006-05-19 00:51:19 0 d-------- C:\WINDOWS\system32\usmt
    2006-05-19 00:51:19 0 d-------- C:\WINDOWS\system32\URTTemp
    2006-05-19 00:51:19 0 d-------- C:\WINDOWS\system32\spool
    2006-05-19 00:51:18 0 d-------- C:\WINDOWS\system32\ShellExt
    2006-05-19 00:51:18 0 d-------- C:\WINDOWS\system32\Setup
    2006-05-19 00:51:18 0 d-------- C:\WINDOWS\system32\Restore
    2006-05-19 00:51:18 0 d-------- C:\WINDOWS\system32\ras
    2006-05-19 00:51:18 0 d-------- C:\WINDOWS\system32\oobe
    2006-05-19 00:51:18 0 d-------- C:\WINDOWS\system32\npp
    2006-05-19 00:51:18 0 d-------- C:\WINDOWS\system32\mui
    2006-05-19 00:51:18 0 d-------- C:\WINDOWS\system32\MsDtc
    2006-05-19 00:51:18 0 d---s---- C:\WINDOWS\system32\Microsoft
    2006-05-19 00:51:18 0 d-------- C:\WINDOWS\system32\Macromed
    2006-05-19 00:51:18 0 d-------- C:\WINDOWS\system32\inetsrv
    2006-05-19 00:51:18 0 d-------- C:\WINDOWS\system32\IME
    2006-05-19 00:51:18 0 d-------- C:\WINDOWS\system32\icsxml
    2006-05-19 00:51:18 0 d-------- C:\WINDOWS\system32\ias
    2006-05-19 00:51:18 0 d-------- C:\WINDOWS\system32\export
    2006-05-19 00:51:18 0 d-------- C:\WINDOWS\system32\drivers
    2006-05-19 00:51:18 0 d-------- C:\WINDOWS\system32\drivers\etc
    2006-05-19 00:51:18 0 d-------- C:\WINDOWS\system32\drivers\disdn
    2006-05-19 00:51:18 0 dr-hs---- C:\WINDOWS\system32\dllcache
    2006-05-19 00:51:18 0 d-------- C:\WINDOWS\system32\DirectX
    2006-05-19 00:51:18 0 d-------- C:\WINDOWS\system32\dhcp
    2006-05-19 00:51:18 0 d-------- C:\WINDOWS\system32\config
    2006-05-19 00:51:17 0 d-------- C:\WINDOWS\system32
    2006-05-19 00:51:17 0 d-------- C:\WINDOWS\system32\Com
    2006-05-19 00:51:17 0 d-------- C:\WINDOWS\system32\CatRoot2
    2006-05-19 00:51:17 0 d-------- C:\WINDOWS\system32\CatRoot
    2006-05-19 00:51:17 0 d-------- C:\WINDOWS\system32\3com_dmi
    2006-05-19 00:51:17 0 d-------- C:\WINDOWS\system32\3076
    2006-05-19 00:51:17 0 d-------- C:\WINDOWS\system32\2052
    2006-05-19 00:51:17 0 d-------- C:\WINDOWS\system32\1054
    2006-05-19 00:51:17 0 d-------- C:\WINDOWS\system32\1042
    2006-05-19 00:51:17 0 d-------- C:\WINDOWS\system32\1041
    2006-05-19 00:51:17 0 d-------- C:\WINDOWS\system32\1037
    2006-05-19 00:51:17 0 d-------- C:\WINDOWS\system32\1033
    2006-05-19 00:51:17 0 d-------- C:\WINDOWS\system32\1031
    2006-05-19 00:51:17 0 d-------- C:\WINDOWS\system32\1028
    2006-05-19 00:51:17 0 d-------- C:\WINDOWS\system32\1025
    2006-05-19 00:51:17 0 d-------- C:\WINDOWS\system
    2006-05-19 00:51:17 0 d-------- C:\WINDOWS\srchasst
    2006-05-19 00:51:17 0 d-------- C:\WINDOWS\SoftwareDistribution
    2006-05-19 00:51:17 0 d-------- C:\WINDOWS\security
    2006-05-19 00:51:17 0 d-------- C:\WINDOWS\Resources
    2006-05-19 00:51:17 0 d-------- C:\WINDOWS\repair
    2006-05-19 00:51:17 0 d-------- C:\WINDOWS\Registration
    2006-05-19 00:51:17 0 d-------- C:\WINDOWS\RegisteredPackages
    2006-05-19 00:51:17 0 d-------- C:\WINDOWS\Provisioning
    2006-05-19 00:51:17 0 d-------- C:\WINDOWS\PeerNet
    2006-05-19 00:51:16 0 d-------- C:\WINDOWS\pchealth
    2006-05-19 00:51:16 0 dr------- C:\WINDOWS\Offline Web Pages
    2006-05-19 00:51:16 0 d-------- C:\WINDOWS\mui
    2006-05-19 00:51:16 0 d-------- C:\WINDOWS\msapps
    2006-05-19 00:51:16 0 d-------- C:\WINDOWS\msagent
    2006-05-19 00:51:16 0 d-------- C:\WINDOWS\Media
    2006-05-19 00:51:16 0 d-------- C:\WINDOWS\java
    2006-05-19 00:51:16 0 d--hs---- C:\WINDOWS\Installer
    2006-05-19 00:51:16 0 d--h----- C:\WINDOWS\inf
    2006-05-19 00:51:16 0 d-------- C:\WINDOWS\ime
    2006-05-19 00:51:16 0 d-------- C:\WINDOWS\Hewlett-Packard
    2006-05-19 00:51:15 0 d-------- C:\WINDOWS\Help
    2006-05-19 00:51:15 0 dr--s---- C:\WINDOWS\Fonts
    2006-05-19 00:51:15 0 d-------- C:\WINDOWS\Driver Cache
    2006-05-19 00:51:15 0 d---s---- C:\WINDOWS\Downloaded Program Files
    2006-05-19 00:51:15 0 d-------- C:\WINDOWS\Debug
    2006-05-19 00:51:15 0 d-------- C:\WINDOWS\Cursors
    2006-05-19 00:51:15 0 d-------- C:\WINDOWS\Connection Wizard
    2006-05-19 00:51:15 0 d-------- C:\WINDOWS\Config
    2006-05-19 00:51:14 0 d-------- C:\WINDOWS
    2006-05-19 00:51:14 0 d-------- C:\WINDOWS\AppPatch
    2006-05-19 00:51:14 0 d-------- C:\WINDOWS\addins
    2006-05-19 00:51:14 0 d--h----- C:\WINDOWS\$hf_mig$
    2006-05-19 00:51:13 0 d--h----- C:\Program Files\WindowsUpdate
    2006-05-19 00:51:13 0 d-------- C:\Program Files\Windows NT
    2006-05-19 00:51:12 0 d-------- C:\Program Files\Sonic
    2006-05-19 00:51:12 0 d-------- C:\Program Files\Online Services
    2006-05-19 00:51:12 0 d-------- C:\Program Files\MSN Gaming Zone
    2006-05-19 00:51:12 0 d-------- C:\Program Files\Movie Maker
    2006-05-19 00:51:12 0 d-------- C:\Program Files\microsoft frontpage
    2006-05-19 00:51:12 0 d-------- C:\Program Files\Messenger
    2006-05-19 00:51:12 0 d-------- C:\Program Files\Java
    2006-05-19 00:51:12 0 d--h----- C:\Program Files\InstallShield Installation Information
    2006-05-19 00:51:12 0 d-------- C:\Program Files\HPQ
    2006-05-19 00:51:11 0 d-------- C:\Program Files\Hp
    2006-05-19 00:51:11 0 d-------- C:\Program Files\Hewlett-Packard
    2006-05-19 00:51:11 0 d-------- C:\Program Files\Common Files\TiVo Shared
    2006-05-19 00:51:11 0 d-------- C:\Program Files\Common Files\SureThing Shared
    2006-05-19 00:51:11 0 d-------- C:\Program Files\Common Files\SpeechEngines
    2006-05-19 00:51:11 0 d-------- C:\Program Files\Common Files\Sonic Shared
    2006-05-19 00:51:11 0 d-------- C:\Program Files\Common Files\ODBC
    2006-05-19 00:51:11 0 d-------- C:\Program Files\Common Files\MSSoap
    2006-05-19 00:51:11 0 d-------- C:\Program Files\Common Files\Java
    2006-05-19 00:51:11 0 d-------- C:\Program Files\Common Files\InstallShield
    2006-05-19 00:51:10 0 d-------- C:\Program Files
    2006-05-19 00:51:10 0 d-------- C:\Program Files\Common Files
    2006-05-19 00:51:10 0 d-------- C:\Program Files\Common Files\HP
    2006-05-19 00:51:10 0 d-------- C:\Documents and Settings
    2006-05-19 00:51:10 0 d--h----- C:\Documents and Settings\Default User\Templates
    2006-05-19 00:51:10 0 dr------- C:\Documents and Settings\Default User\Start Menu
    2006-05-19 00:51:10 0 dr-h----- C:\Documents and Settings\Default User\SendTo
    2006-05-19 00:51:10 0 dr-h----- C:\Documents and Settings\Default User\Recent
    2006-05-19 00:51:10 0 d--h----- C:\Documents and Settings\Default User\PrintHood
    2006-05-19 00:51:10 0 d--h----- C:\Documents and Settings\Default User\NetHood
    2006-05-19 00:51:10 0 dr------- C:\Documents and Settings\Default User\My Documents
    2006-05-19 00:51:10 0 d--h----- C:\Documents and Settings\Default User\Local Settings
    2006-05-19 00:51:10 0 dr------- C:\Documents and Settings\Default User\Favorites
    2006-05-19 00:51:10 0 d-------- C:\Documents and Settings\Default User\Desktop
    2006-05-19 00:51:10 0 d---s---- C:\Documents and Settings\Default User\Cookies
    2006-05-19 00:51:10 0 dr-h----- C:\Documents and Settings\Default User\Application Data
    2006-05-19 00:51:10 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
    2006-05-19 00:51:10 0 d--h----- C:\Documents and Settings\All Users\Templates
    2006-05-19 00:51:10 0 dr------- C:\Documents and Settings\All Users\Start Menu
    2006-05-19 00:51:10 0 d-------- C:\Documents and Settings\All Users\Favorites
    2006-05-19 00:51:10 0 d--hs---- C:\Documents and Settings\All Users\DRM
    2006-05-19 00:51:10 0 dr------- C:\Documents and Settings\All Users\Documents
    2006-05-19 00:51:10 0 d-------- C:\Documents and Settings\All Users\Desktop
    2006-05-19 00:51:10 0 dr-h----- C:\Documents and Settings\All Users\Application Data
    2006-05-19 00:51:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Sonic
    2006-05-19 00:51:10 0 d-------- C:\Documents and Settings\All Users\Application Data\SBSI
    2006-05-19 00:51:10 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
    2006-05-19 00:51:10 0 d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
    2006-05-19 00:51:08 0 d-------- C:\I386
    2006-05-05 19:19:28 11634 --a------ C:\WINDOWS\hpomdl11.dat
    2006-05-02 18:38:24 72444 --a------ C:\WINDOWS\SetBrowser.exe
    2006-04-20 07:51:50 360064 --a------ C:\WINDOWS\system32\drivers\tcpip.sys <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
    2006-03-27 12:24:48 87268 --a------ C:\WINDOWS\hpqins69.dat
    2006-03-27 12:00:10 786432 --ah----- C:\Documents and Settings\Default User\NTUSER.DAT
    2006-03-27 11:56:52 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
    2006-03-02 07:03:32 57096 --a------ C:\WINDOWS\system32\drivers\btwusb.sys <Not Verified; Broadcom Corporation.; Bluetooth Software 4.0.1.3400>
    2006-03-02 07:03:32 77824 --a------ C:\WINDOWS\system32\btw_ci.dll <Not Verified; Broadcom Corporation.; Bluetooth Software 4.0.1.3400>
    2006-03-01 19:16:27 69632 ---h----- C:\WINDOWS\system32\dueoduxz.dll <Not Verified; ; Patch Module>
    2006-02-16 22:33:10 1216 -ra------ C:\WINDOWS\Twunk_32.dll <Not Verified; Hewlett-Packard; >
    2006-02-16 22:33:10 1216 -ra------ C:\WINDOWS\Twunk_16.dll <Not Verified; Hewlett-Packard; >
    2006-01-26 21:49:46 0 --a------ C:\WINDOWS\system32\ambpnugw.dll
    2006-01-26 15:06:52 139264 --a------ C:\WINDOWS\system32\hpzjrd01.dll <Not Verified; Hewlett Packard; Hewlett Packard Rediscovery Library>
    2005-12-23 13:14:44 233472 --a------ C:\WINDOWS\system32\HPTcpMUI.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
    2005-12-23 13:12:22 155648 --a------ C:\WINDOWS\system32\HPTcpMon.dll <Not Verified; Hewlett Packard; HP(R) Standard Port Monitor>
    2005-12-23 13:11:02 102400 --a------ C:\WINDOWS\system32\HPTcpMib.dll <Not Verified; Hewlett Packard; HP(R) Standard Port Monitor>
    2005-11-23 15:48:12 0 d-------- C:\SWSETUP
    2005-10-15 22:28:04 65536 ---h----- C:\WINDOWS\system32\wybbkutk.dll <Not Verified; ; MaxSysPatch Module>
    2005-10-15 22:28:02 0 --a------ C:\WINDOWS\system32\tohwstaz.dll
    2005-08-27 08:05:24 1415680 --a------ C:\WINDOWS\system32\WMV9VCM.dll <Not Verified; Microsoft Corporation; Windows Media Video 9 VCM>
    2005-08-27 08:05:24 539968 --a------ C:\WINDOWS\system32\Voctool.dll <Not Verified; Kingsoft, Co.; VocTool>
    2005-08-27 08:05:24 525824 --a------ C:\WINDOWS\system32\VOCTL32.DLL <Not Verified; Voxware, Inc.; ToolVox>
    2005-08-27 08:05:24 19760 --a------ C:\WINDOWS\system32\Ractdnet.dll <Not Verified; Progressive Networks, Inc.; RealAudio(tm) Shared Component (32-bit)>
    2005-08-27 08:05:24 53568 --a------ C:\WINDOWS\system32\Ract14_4.dll <Not Verified; Progressive Networks, Inc.; 14.4 Audio Codec for RealAudio(tm) (16-bit) Version 3.0>
    2005-08-27 08:05:24 14848 --a------ C:\WINDOWS\system32\Ra32dnet.dll <Not Verified; Progressive Networks, Inc.; RealAudio(tm) Shared Component (32-bit)>
    2005-08-27 08:05:24 72704 --a------ C:\WINDOWS\system32\Ra3228_8.dll <Not Verified; Progressive Networks, Inc.; 28.8 Audio Codec for RealAudio(tm) (32-bit) Version 3.0>
    2005-08-27 08:05:24 81920 --a------ C:\WINDOWS\system32\Ra3214_4.dll <Not Verified; Progressive Networks, Inc.; 14.4 Audio Codec for RealAudio(tm) (32-bit) Version 3.0>
    2005-08-27 08:05:24 189952 --a------ C:\WINDOWS\system32\Pnui3230.dll <Not Verified; Progressive Networks, Inc.; High-level Support Library for RealAudio? (32-bit) Version 3.0>
    2005-08-27 08:05:24 27024 --a------ C:\WINDOWS\system32\Pnloader.dll <Not Verified; Progressive Networks, Inc.; Dynamic Load and Bind Support for RealAudio?(16-bit) Version 3.0>
    2005-08-27 08:05:24 163328 --a------ C:\WINDOWS\system32\Pnen3230.dll <Not Verified; Progressive Networks, Inc.; Core Support Library for RealAudio? (32-bit) Version 3.0>
    2005-08-27 08:05:24 61440 --a------ C:\WINDOWS\system32\Decdnet.dll <Not Verified; Progressive Networks, Inc.; RealAudio(tm) Shared Component (32-bit)>
    2005-07-18 22:38:59 98304 --a------ C:\WINDOWS\system32\hpzjsn01.dll <Not Verified; Hewlett Packard Company; HPJZSN01 Dynamic Link Library>
    2005-07-07 16:47:06 528384 --a------ C:\WINDOWS\system32\ACDSee.scr <Not Verified; ACD Systems; ACD Screen Saver>
    2005-06-20 12:56:52 462848 --a------ C:\WINDOWS\system32\ACDV.dll <Not Verified; ACD Systems; ACDV>
    2004-08-08 14:55:58 520 ---hs---- C:\WINDOWS\system32\xzfhbjpg.sys
    2004-08-08 14:55:49 520 ---hs---- C:\WINDOWS\system32\xbfsbjbo.sys
    2004-08-08 14:55:28 520 ---hs---- C:\WINDOWS\system32\rnmxajkl.sys
    2004-08-08 14:55:03 520 ---hs---- C:\WINDOWS\system32\erjxakin.sys
    2004-08-08 14:54:19 520 ---hs---- C:\WINDOWS\system32\jashbbty.sys
    2004-08-08 14:54:10 520 ---hs---- C:\WINDOWS\system32\cgsqatyu.sys
    2004-08-08 14:53:28 520 ---hs---- C:\WINDOWS\system32\xzcsbhlp.sys
    2004-08-08 14:53:20 520 ---hs---- C:\WINDOWS\system32\smhxbbyt.sys
    2004-08-08 14:53:12 520 ---hs---- C:\WINDOWS\system32\gpsgajba.sys
    2004-08-08 14:52:38 520 ---hs---- C:\WINDOWS\system32\snfybbyt.sys
    2004-08-08 14:51:45 520 ---hs---- C:\WINDOWS\system32\pmjhbhlp.sys
    2004-08-04 17:00:00 1033216 --a------ C:\WINDOWS\explorer.exe <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
    2004-07-15 11:34:06 16896 --a------ C:\WINDOWS\system32\mscorier.dll <Not Verified; Microsoft Corporation; Microsoft .NET Framework>
    2004-05-27 14:00:52 118784 -ra------ C:\WINDOWS\system32\HPODXPAT.DLL <Not Verified; Hewlett Packard Company; Hewlett Packard Company hpodxpat>
    2004-02-27 08:33:18 1638400 --a------ C:\WINDOWS\system32\gdiplus.dll <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
    2004-01-27 08:56:20 28672 --a------ C:\WINDOWS\system32\hpzjfw01.dll <Not Verified; Hewlett-Packard; Firewall>
    2003-11-21 13:09:42 31744 -ra------ C:\WINDOWS\system32\hlp95en.dll <Not Verified; Microsoft Corporation; Microsoft Office>
    2003-11-21 12:45:18 37888 -ra------ C:\WINDOWS\system32\ochlp30e.dll <Not Verified; Microsoft Corporation; Microsoft Multimedia Controls>
    2003-11-21 12:12:08 76288 -ra------ C:\WINDOWS\system32\PUBOLE32.DLL <Not Verified; Microsoft Corporation; Microsoft Publisher for Windows>
    2003-11-21 11:45:06 91136 -ra------ C:\WINDOWS\system32\msls2.dll <Not Verified; Microsoft Corporation; Microsoft? Line Services>
    2003-03-19 09:20:00 1060864 --a------ C:\WINDOWS\system32\mfc71.dll <Not Verified; Microsoft Corporation; Microsoft? Visual Studio .NET>
    2003-03-19 09:12:12 1047552 --a------ C:\WINDOWS\system32\mfc71u.dll <Not Verified; Microsoft Corporation; Microsoft? Visual Studio .NET>
    2003-03-19 08:44:38 49152 --a------ C:\WINDOWS\system32\MFC71KOR.DLL <Not Verified; Microsoft Corporation; Microsoft? Visual Studio .NET>
    2003-03-19 08:44:38 57344 --a------ C:\WINDOWS\system32\MFC71ENU.DLL <Not Verified; Microsoft Corporation; Microsoft? Visual Studio .NET>
    2003-03-19 08:44:36 61440 --a------ C:\WINDOWS\system32\MFC71ITA.DLL <Not Verified; Microsoft Corporation; Microsoft? Visual Studio .NET>
    2003-03-19 08:44:36 61440 --a------ C:\WINDOWS\system32\MFC71ESP.DLL <Not Verified; Microsoft Corporation; Microsoft? Visual Studio .NET>
    2003-03-19 08:44:36 45056 --a------ C:\WINDOWS\system32\MFC71CHT.DLL <Not Verified; Microsoft Corporation; Microsoft? Visual Studio .NET>
    2003-03-19 08:44:36 40960 --a------ C:\WINDOWS\system32\MFC71CHS.DLL <Not Verified; Microsoft Corporation; Microsoft? Visual Studio .NET>
    2003-03-19 08:44:34 49152 --a------ C:\WINDOWS\system32\MFC71JPN.DLL <Not Verified; Microsoft Corporation; Microsoft? Visual Studio .NET>
    2003-03-19 08:44:34 61440 --a------ C:\WINDOWS\system32\MFC71FRA.DLL <Not Verified; Microsoft Corporation; Microsoft? Visual Studio .NET>
    2003-03-19 08:44:34 65536 --a------ C:\WINDOWS\system32\MFC71DEU.DLL <Not Verified; Microsoft Corporation; Microsoft? Visual Studio .NET>
    2003-03-19 08:14:52 499712 --a------ C:\WINDOWS\system32\msvcp71.dll <Not Verified; Microsoft Corporation; Microsoft? Visual Studio .NET>
    2003-03-19 07:05:50 89088 --a------ C:\WINDOWS\system32\atl71.dll <Not Verified; Microsoft Corporation; Microsoft? Visual Studio .NET>
    2003-02-21 16:42:22 348160 --a------ C:\WINDOWS\system32\msvcr71.dll <Not Verified; Microsoft Corporation; Microsoft? Visual Studio .NET>
    2003-02-21 07:16:34 32768 --a------ C:\WINDOWS\system32\netfxperf.dll <Not Verified; Microsoft Corporation; Microsoft (R) .NET Framework>
    2003-02-21 07:09:14 106496 --a------ C:\WINDOWS\system32\mscories.dll <Not Verified; Microsoft Corporation; Microsoft .NET Framework>
    2002-06-06 23:02:02 212480 -ra------ C:\WINDOWS\system32\PCDLIB32.DLL <Not Verified; Eastman Kodak; Kodak Photo CD Access Developer Toolkit>
    2002-03-21 14:39:02 73728 --a------ C:\WINDOWS\system32\UNACEV2.DLL
    2002-03-20 21:01:58 446464 --a------ C:\WINDOWS\system32\HHActiveX.dll <Not Verified; Blue Sky Software Corporation.; RoboHELP HTML 2000>
    2002-02-04 14:43:00 82432 --a------ C:\WINDOWS\system32\msxml4r.dll <Not Verified; Microsoft Corporation; Microsoft(R) MSXML 4.0 SP1>
    2002-01-05 15:40:20 487424 --a------ C:\WINDOWS\system32\msvcp70.dll <Not Verified; Microsoft Corporation; Microsoft? Visual Studio .NET>
    2002-01-05 15:37:28 344064 --a------ C:\WINDOWS\system32\msvcr70.dll <Not Verified; Microsoft Corporation; Microsoft? Visual Studio .NET>
    2002-01-05 04:48:16 974848 --a------ C:\WINDOWS\system32\mfc70.dll <Not Verified; Microsoft Corporation; Microsoft? Visual Studio .NET>
    2002-01-05 04:36:38 964608 --a------ C:\WINDOWS\system32\mfc70u.dll <Not Verified; Microsoft Corporation; Microsoft? Visual Studio .NET>
    2002-01-05 03:38:38 54784 --a------ C:\WINDOWS\system32\msvci70.dll <Not Verified; Microsoft Corporation; Microsoft? Visual Studio .NET>
    2001-08-03 04:35:09 53248 --a------ C:\WINDOWS\system32\hpfinsta.exe <Not Verified; Hewlett-Packard Co.; HP DeskJet>
    2001-08-03 04:16:59 270336 --a------ C:\WINDOWS\system32\hpfinst.dll <Not Verified; Hewlett-Packard Co.; HP DeskJet>
    2001-06-05 17:31:28 148 --a------ C:\WINDOWS\system32\midimapzt.dat
    2001-06-04 14:54:46 148 --a------ C:\WINDOWS\system32\midimapqn3.dat
    2001-06-04 14:54:39 288 --a------ C:\WINDOWS\system32\midimapcb.dat
    2001-06-04 14:53:04 428 --a------ C:\WINDOWS\system32\midimapjr.dat
    2001-06-04 14:52:45 568 --a------ C:\WINDOWS\system32\midimapwl.dat
    2001-06-04 14:52:30 288 --a------ C:\WINDOWS\system32\midimaptl.dat
    2001-06-04 14:52:16 568 --a------ C:\WINDOWS\system32\midimapzx.dat
    2001-06-04 14:51:59 288 --a------ C:\WINDOWS\system32\midimapwd.dat
    2001-06-04 14:51:52 148 --a------ C:\WINDOWS\system32\midimapcq.dat
    2001-06-04 14:51:37 428 --a------ C:\WINDOWS\system32\midimapmy.dat
    2001-06-03 17:21:52 22816 --a------ C:\WINDOWS\system32\midimapcb.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
    2001-06-03 09:27:22 288 --a------ C:\WINDOWS\system32\midimapms.dat
    2000-06-07 12:33:55 0 --a-s---- C:\WINDOWS\system32\d32dx9.sys
    2000-06-05 17:33:49 27376 --a------ C:\WINDOWS\system32\gpr27.exe
    2000-06-05 17:31:20 0 --a------ C:\WINDOWS\system32\drivers\msosmsp2p32.sys
    2000-06-04 14:55:29 24 --a------ C:\WINDOWS\system32\wymxajkl.sys
    2000-06-04 14:55:04 24 --a------ C:\WINDOWS\system32\ngjxakin.sys
    2000-06-04 14:53:13 24 --a------ C:\WINDOWS\system32\ijsgajba.sys
    2000-06-03 21:24:28 0 d-------- C:\Program Files\Trend Micro
    2000-06-02 11:59:53 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
    2000-06-01 23:21:35 0 d-------- C:\Documents and Settings\Administrator\.housecall6.6
    2000-06-01 23:20:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
    2000-06-01 23:20:01 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
    2000-06-01 22:46:59 0 --a------ C:\WINDOWS\system32\gpr570.exe
    2000-06-01 22:44:53 768 --a------ C:\WINDOWS\system32\msosmhfp.dat
    2000-05-24 01:45:58 118784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
    2000-05-11 16:06:20 397312 --a------ C:\WINDOWS\system32\MSRDO20.DLL <Not Verified; Microsoft Corporation; Microsoft Corporation Remote Data Object>

    -- Find3M Report ---------------------------------------------------------------

    2006-11-27 22:16:30 707 --a------ C:\Documents and Settings\Yi Quan\Application Data\.googlewebacchosts
    2006-03-27 03:49:50 62 --ahs---- C:\Documents and Settings\Yi Quan\Application Data\desktop.ini
    2000-04-03 20:52:54 151552 --a------ C:\WINDOWS\system32\RDOCURS.DLL <Not Verified; Microsoft Corporation; Microsoft RDO Client Cursor Library>


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18093456-9012-4568-9076-908765467181}]
    C:\WINDOWS\system32\tisqatyu.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{22596546-2036-9451-6058-658402589722}]
    C:\WINDOWS\system32\opshbbty.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25FD6584-698F-BCD2-602C-698745210352}]
    C:\WINDOWS\system32\rijxbkin.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{35671234-7890-ABCD-CDEF-567801237653}]
    C:\WINDOWS\system32\yxcschlp.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37AC9076-C898-B098-D098-A18319080973}]
    C:\WINDOWS\system32\nhmxcjkl.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{41BE3A3D-6E4B-43F4-AAEB-5B4E95971968}]
    01/03/2006 07:16 PM 69632 ---h----- C:\WINDOWS\system32\dueoduxz.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{470165F1-9F65-569F-F895-F14F58F41074}]
    C:\WINDOWS\system32\lofsdjbo.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4FD45A54-9875-698F-E56E-65102358FDF4}]
    C:\WINDOWS\system32\apsgdjba.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{528DF602-9541-A985-210A-984A698C6F25}]
    C:\WINDOWS\system32\ptjhehlp.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A069845-2036-6084-9054-6087502480A5}]
    C:\WINDOWS\system32\ozfyebyt.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5B1AEF69-DDAE-FDAD-DCAB-698F026ABDB5}]
    C:\WINDOWS\system32\oohxdbyt.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{83BA45AF-FAAA-CDDD-BEEE-BCDE1234AB38}]
    C:\WINDOWS\system32\yxfhcjpg.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [30/04/2008 08:31 AM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 05:00 PM]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
    "svc"=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bb.exe

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

    C:\Documents and Settings\Yi Quan\Start Menu\Programs\Startup\
    Powerword 2006.lnk - C:\Program Files\Kingsoft\PowerWord 2006\XDICT.EXE [27/08/2005 8:05:24 AM]
    wkcalrem.LNK - C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [23/06/2004 2:23:00 PM]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe [19/02/2006 4:21:22 AM]
    HP Photosmart Premier Fast Start.lnk - C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe [10/02/2006 7:56:20 AM]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{4F4F0064-71E0-4f0d-0006-708476C7815F}"= C:\WINDOWS\system32\midimapcb.dll [04/06/2001 02:54 PM 22816]
    "{37AC9076-C898-B098-D098-A18319080973}"= C:\WINDOWS\system32\nhmxcjkl.dll [ ]
    "{5A069845-2036-6084-9054-6087502480A5}"= C:\WINDOWS\system32\ozfyebyt.dll [ ]
    "{22596546-2036-9451-6058-658402589722}"= C:\WINDOWS\system32\opshbbty.dll [ ]
    "{18093456-9012-4568-9076-908765467181}"= C:\WINDOWS\system32\tisqatyu.dll [ ]
    "{35671234-7890-ABCD-CDEF-567801237653}"= C:\WINDOWS\system32\yxcschlp.dll [ ]
    "{25FD6584-698F-BCD2-602C-698745210352}"= C:\WINDOWS\system32\rijxbkin.dll [ ]
    "{470165F1-9F65-569F-F895-F14F58F41074}"= C:\WINDOWS\system32\lofsdjbo.dll [ ]
    "{5B1AEF69-DDAE-FDAD-DCAB-698F026ABDB5}"= C:\WINDOWS\system32\oohxdbyt.dll [ ]
    "{4FD45A54-9875-698F-E56E-65102358FDF4}"= C:\WINDOWS\system32\apsgdjba.dll [ ]
    "{528DF602-9541-A985-210A-984A698C6F25}"= C:\WINDOWS\system32\ptjhehlp.dll [ ]
    "{83BA45AF-FAAA-CDDD-BEEE-BCDE1234AB38}"= C:\WINDOWS\system32\yxfhcjpg.dll [ ]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "midimapcb"= {4F4F0064-71E0-4f0d-0006-708476C7815F} - C:\WINDOWS\system32\midimapcb.dll [04/06/2001 02:54 PM 22816]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Shell"="Explorer.exe,pr570.exe,,gpr58D.exe,,gpr27.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=m,msosmhfp00.dll,nhmxcjkl.dll,tisqatyu.dll


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
    AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b2008b6a-4cbf-11db-b52d-0013029e341b}]
    AutoRun\command- H:\setupSNK.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb78f10b-382f-11d4-b7c4-001a708fd808}]
    AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

    *Newly Created Service* - HIDDFLDY

    -- End of Deckard's System Scanner: finished at 2000-06-07 15:04:36 ------------
     
  5. 2008/06/09
    Geri
    Hi EmmaQ
    Welcome to WindowsBBS. :)

    Sorry for the wait.

    You have a good mess here. :(

    Let's do this.

    Download Malwarebytes' Anti-Malware (MBAM) from here or here and save the file to your desktop.

    Double click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select 'Perform Quick Scan', then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note below)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Post the entire report in your next reply along with a fresh HijackThis log.

    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

    Now this.

    Download ComboFix from Here to your Desktop.

    It's best to disable realtime protection applications as they sometimes interfere with the tool.
    Check this link for any applicable programs you may have.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • Vista users right click Combofix.exe and select Run As Administrator.
    • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
    Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

    Note - ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

    Note - Combofix makes some changes when run to prevent autorun/autoplay of ALL CDs, floppies and USB devices, to assist with malware removal & increase security. If this is an issue or makes it difficult for you to use those devices, please ask how to reset it.


    Please post the MBAM log and the combofix log.
    Thanks
    Geri
     
  6. 2008/06/09
    EmmaQ
    MBAM, ComboFix and HJT logs

    Hi Geri!

    Thank you so much for helping me.

    Here are the log files you requested:

    HJT log
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:49:45 PM, on 09/06/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\conime.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Kingsoft\PowerWord 2006\XDICT.EXE
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll (file missing)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: rijxbkin.dll - {25FD6584-698F-BCD2-602C-698745210352} - C:\WINDOWS\system32\rijxbkin.dll (file missing)
    O2 - BHO: nhmxcjkl.dll - {37AC9076-C898-B098-D098-A18319080973} - C:\WINDOWS\system32\nhmxcjkl.dll (file missing)
    O2 - BHO: Eye Class - {41BE3A3D-6E4B-43F4-AAEB-5B4E95971968} - C:\WINDOWS\system32\dueoduxz.dll
    O2 - BHO: ozfyebyt.dll - {5A069845-2036-6084-9054-6087502480A5} - C:\WINDOWS\system32\ozfyebyt.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Startup: Powerword 2006.lnk = C:\Program Files\Kingsoft\PowerWord 2006\XDICT.EXE
    O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)
    O9 - Extra button: (no name) - {6354ABE6-05F1-49ed-B850-E423120EC338} - http://cn.widget.yahoo.com/index.htm?source=Cns (file missing)
    O9 - Extra button: D??¢?ì?÷ - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q306&bd=pavilion&pf=laptop
    O15 - ESC Trusted Zone: http://*.update.microsoft.com
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by116fd.bay116.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1157852031890
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1157852025406
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {C728DAB8-FDF5-4CD7-89DD-879D25794C77} (KooPlayer Control) - http://zhibo.cctv.com/video_player/img/CCTVKooPlayer.ocx
    O21 - SSODL: midimapcb - {4F4F0064-71E0-4f0d-0006-708476C7815F} - C:\WINDOWS\system32\midimapcb.dll (file missing)
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    --
    End of file - 7625 bytes
     
  7. 2008/06/09
    EmmaQ
    ComboFix log

    ComboFix 08-06-09.7 - Yi Quan 2008-06-09 20:36:49.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.936.86.1033.18.1553 [GMT -4:00]
    Running from: C:\Documents and Settings\Yi Quan\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Yi Quan\Application Data\macromedia\Flash Player\#SharedObjects\XYLUAKPD\www.inter-focus.cn
    C:\Documents and Settings\Yi Quan\Application Data\macromedia\Flash Player\#SharedObjects\XYLUAKPD\www.inter-focus.cn\IFFLASHAD_PLAYER.sol
    C:\Documents and Settings\Yi Quan\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.inter-focus.cn
    C:\Documents and Settings\Yi Quan\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.inter-focus.cn\settings.sol
    C:\WINDOWS\cnsinfo.dat
    C:\WINDOWS\Downloaded Program Files.\CnsMinEx.ini
    C:\WINDOWS\Downloaded Program Files\CnsMinEx.ini
    C:\WINDOWS\Downloaded Program Files\sms.ico
    C:\WINDOWS\Downloaded Program Files\taobao.ico
    C:\WINDOWS\Downloaded Program Files\yahoomsg.ico
    C:\WINDOWS\Downloaded Program Files\ymail.ico
    C:\WINDOWS\system32\cns.dat
    C:\WINDOWS\system32\comploader.dll
    C:\WINDOWS\system32\gpr570.exe
    C:\WINDOWS\system32\jashbbty.sys
    C:\WINDOWS\system32\msosmhfp.dat
    C:\WINDOWS\system32\pmjhbhlp.sys
    C:\WINDOWS\system32\socul.dll
    C:\WINDOWS\system32\sodahk.dll
    C:\WINDOWS\system32\unsocul.exe
    C:\WINDOWS\system32\xzcsbhlp.sys
    D:\Autorun.inf

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_MHFP
    -------\Legacy_MSP2P32
    -------\Legacy_P4P_SERVICE
    -------\Service_mhfp


    ((((((((((((((((((((((((( Files Created from 2008-05-10 to 2008-06-10 )))))))))))))))))))))))))))))))
    .

    2008-06-04 22:03 . 2008-06-04 22:03 <DIR> d-------- C:\Deckard
    2008-06-04 14:21 . 2007-11-03 12:08 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2008-06-02 21:53 . 2008-06-02 21:54 94,383,892 --a------ C:\SYM_REGISTRY_BACKUP.reg
    2008-05-15 23:04 . 2008-05-15 23:04 <DIR> d-------- C:\Program Files\Common Files\Thunder Network
    2008-05-15 23:04 . 2008-06-01 13:49 26 --a------ C:\WINDOWS\system32\xlhcc.dat
    2008-05-12 17:11 . 2008-05-19 15:12 <DIR> d-------- C:\Program Files\eMule

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-10 00:40 --------- d-----w C:\Program Files\Symantec AntiVirus
    2008-06-05 20:04 34,296 ----a-w C:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-06-05 20:04 15,864 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
    2008-06-01 20:06 --------- d-----w C:\Program Files\PPStream
    2008-06-01 20:06 --------- d-----w C:\Documents and Settings\Yi Quan\Application Data\ppstream
    2008-06-01 17:52 --------- d-----w C:\Program Files\MSN Messenger
    2008-05-21 02:12 --------- d-----w C:\Program Files\Microsoft Silverlight
    2008-05-13 00:09 --------- d-----w C:\Program Files\MINITAB 14 Student
    2008-04-30 12:31 --------- d-----w C:\Program Files\Common Files\xing shared
    2008-04-30 12:31 --------- d-----w C:\Program Files\Common Files\Real
    2008-04-27 22:58 --------- d-----w C:\Program Files\CCTV
    2008-04-23 18:06 --------- d-----w C:\Program Files\Neuro
    2008-04-10 14:08 152 ----a-w C:\Documents and Settings\Yi Quan\Application Data\wklnhst.dat
    2006-10-19 22:55 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
    2004-08-08 18:54 520 --sh--w C:\WINDOWS\system32\cgsqatyu.sys
    2004-08-08 18:55 520 --sh--w C:\WINDOWS\system32\erjxakin.sys
    2004-08-08 18:53 520 --sh--w C:\WINDOWS\system32\gpsgajba.sys
    2004-08-08 18:55 520 --sh--w C:\WINDOWS\system32\rnmxajkl.sys
    2004-08-08 18:53 520 --sh--w C:\WINDOWS\system32\smhxbbyt.sys
    2004-08-08 18:52 520 --sh--w C:\WINDOWS\system32\snfybbyt.sys
    2004-08-08 18:55 520 --sh--w C:\WINDOWS\system32\xbfsbjbo.sys
    2004-08-08 18:55 520 --sh--w C:\WINDOWS\system32\xzfhbjpg.sys
    .

    ------- Sigcheck -------

    2005-05-25 23:07 359936 63fdfea54eb53de2d863ee454937ce1e C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
    2006-01-13 21:07 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys
    2006-04-20 08:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
    2007-10-30 12:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
    2004-08-04 17:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys
    2005-05-25 23:04 359808 88763a98a4c26c409741b4aa162720c9 C:\WINDOWS\$NtUninstallKB913446$\tcpip.sys
    2006-01-13 06:28 359808 583e063fdc888ca30d05c2724b0d7ef4 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
    2006-04-20 07:51 359808 45265cbad25c6254afafc7bdd88bdb4b C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
    2007-10-30 13:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\system32\dllcache\tcpip.sys
    2007-10-30 13:20 360064 ef7834c1d9ddf4c7da697d8c24a03791 C:\WINDOWS\system32\drivers\tcpip.sys

    2007-06-13 06:23 1033216 78411281147a565f077de0b3245c654a C:\WINDOWS\explorer.exe
    2007-06-13 07:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
    2004-08-04 17:00 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
    2007-06-13 06:23 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\system32\dllcache\explorer.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25FD6584-698F-BCD2-602C-698745210352}]
    C:\WINDOWS\system32\rijxbkin.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37AC9076-C898-B098-D098-A18319080973}]
    C:\WINDOWS\system32\nhmxcjkl.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{41BE3A3D-6E4B-43F4-AAEB-5B4E95971968}]
    2006-03-01 19:16 69632 ---h----- C:\WINDOWS\system32\dueoduxz.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A069845-2036-6084-9054-6087502480A5}]
    C:\WINDOWS\system32\ozfyebyt.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:00 15360]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-26 20:48 434528]

    C:\Documents and Settings\Yi Quan\Start Menu\Programs\Startup\
    Powerword 2006.lnk - C:\Program Files\Kingsoft\PowerWord 2006\XDICT.EXE [2005-08-27 08:05:24 504832]
    wkcalrem.LNK - C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2004-06-23 14:23:00 15360]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]
    HP Photosmart Premier Fast Start.lnk - C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe [2006-02-10 07:56:20 73728]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{37AC9076-C898-B098-D098-A18319080973}"= C:\WINDOWS\system32\nhmxcjkl.dll [ ]
    "{5A069845-2036-6084-9054-6087502480A5}"= C:\WINDOWS\system32\ozfyebyt.dll [ ]
    "{25FD6584-698F-BCD2-602C-698745210352}"= C:\WINDOWS\system32\rijxbkin.dll [ ]
    "{4F4F0064-71E0-4f0d-0006-708476C7815F}"= C:\WINDOWS\system32\midimapcb.dll [ ]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "midimapcb"= {4F4F0064-71E0-4f0d-0006-708476C7815F} - C:\WINDOWS\system32\midimapcb.dll [ ]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "UIHost"="\"logonui.exe\""

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.ACDV"= ACDV.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\WINDOWS\\network diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\Internet Explorer\\iexplore.exe"=
    "C:\\Program Files\\eMule\\emule.exe"=

    R3 USB200M;Linksys USB 2.0 Network Adapter ver.2;C:\WINDOWS\system32\DRIVERS\USB200M2.sys [2005-04-21 02:30]
    S0 1444546;1444546;C:\WINDOWS\system32\drivers\1444546.sys []
    S0 ADProt;ADProt;C:\WINDOWS\system32\drivers\ADProt.sys []
    S3 66208e00bd13e962;66208e00bd13e962;C:\66208e00bd13e962.dat []
    S3 9ac93798b98b8595;9ac93798b98b8595;C:\9ac93798b98b8595.dat []
    S3 ac6cc34072b93995;ac6cc34072b93995;C:\ac6cc34072b93995.dat []
    S3 c528b574eb7bee44;c528b574eb7bee44;C:\c528b574eb7bee44.dat []
    S3 c7d41980ca75b438;c7d41980ca75b438;C:\c7d41980ca75b438.dat []
    S3 d2e49fc0d8a8f197;d2e49fc0d8a8f197;C:\d2e49fc0d8a8f197.dat []
    S3 d5a0822459b4de2e;d5a0822459b4de2e;C:\d5a0822459b4de2e.dat []
    S3 d98823800af1b66a;d98823800af1b66a;C:\d98823800af1b66a.dat []
    S3 f233975c18d20f87;f233975c18d20f87;C:\f233975c18d20f87.dat []
    S3 NPF111;WinPcap Packet Driver (NPF111);C:\WINDOWS\system32\drivers\NPF111.sys [2000-06-08 09:59]
    S3 USB100TX;Linksys EtherFast 10/100 USB Network Adapter;C:\WINDOWS\system32\DRIVERS\USB100TX.sys [2002-03-22 16:12]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b2008b6a-4cbf-11db-b52d-0013029e341b}]
    \Shell\AutoRun\command - H:\setupSNK.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb78f10b-382f-11d4-b7c4-001a708fd808}]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-05-28 23:20:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2008-06-10 00:44:19 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
    - C:\Program Files\Windows Defender\MpCmdRun.exe
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-09 20:41:35
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\66208e00bd13e962]
    "ImagePath"="\??\C:\66208e00bd13e962.dat"

    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\9ac93798b98b8595]
    "ImagePath"="\??\C:\9ac93798b98b8595.dat"

    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ac6cc34072b93995]
    "ImagePath"="\??\C:\ac6cc34072b93995.dat"

    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\c528b574eb7bee44]
    "ImagePath"="\??\C:\c528b574eb7bee44.dat"

    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\c7d41980ca75b438]
    "ImagePath"="\??\C:\c7d41980ca75b438.dat"

    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\d2e49fc0d8a8f197]
    "ImagePath"="\??\C:\d2e49fc0d8a8f197.dat"

    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\d5a0822459b4de2e]
    "ImagePath"="\??\C:\d5a0822459b4de2e.dat"

    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\d98823800af1b66a]
    "ImagePath"="\??\C:\d98823800af1b66a.dat"

    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\f233975c18d20f87]
    "ImagePath"="\??\C:\f233975c18d20f87.dat"
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\conime.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Program Files\Hp\Digital Imaging\bin\hpqimzone.exe
    C:\Program Files\Hp\Digital Imaging\bin\hpqste08.exe
    .
    **************************************************************************
    .
    Completion time: 2008-06-09 20:48:53 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-06-10 00:48:49

    Pre-Run: 18,936,700,928 bytes free
    Post-Run: 18,850,557,952 bytes free

    212 --- E O F --- 2000-06-06 12:20:54
     
  8. 2008/06/09
    EmmaQ
    MBAM Log

    Malwarebytes' Anti-Malware 1.15
    Database version: 844

    8:22:47 PM 09/06/2000
    mbam-log-6-9-2000 (20-22-47).txt

    Scan type: Quick Scan
    Objects scanned: 37709
    Time elapsed: 4 minute(s), 17 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 31
    Registry Values Infected: 8
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{35671234-7890-abcd-cdef-567801237653} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{35671234-7890-abcd-cdef-567801237653} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{22596546-2036-9451-6058-658402589722} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22596546-2036-9451-6058-658402589722} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{528df602-9541-a985-210a-984a698c6f25} (Spyware.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{528df602-9541-a985-210a-984a698c6f25} (Spyware.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{5b1aef69-ddae-fdad-dcab-698f026abdb5} (Spyware.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5b1aef69-ddae-fdad-dcab-698f026abdb5} (Spyware.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{83ba45af-faaa-cddd-beee-bcde1234ab38} (Spyware.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83ba45af-faaa-cddd-beee-bcde1234ab38} (Spyware.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{18093456-9012-4568-9076-908765467181} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18093456-9012-4568-9076-908765467181} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{470165f1-9f65-569f-f895-f14f58f41074} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{470165f1-9f65-569f-f895-f14f58f41074} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{4fd45a54-9875-698f-e56e-65102358fdf4} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4fd45a54-9875-698f-e56e-65102358fdf4} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msp2p32 (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\msp2p32 (Spyware.OnLineGames) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\msp2p32 (Spyware.OnLineGames) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAVmon.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAVmonD.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPPMain.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQKav.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe (Security.Hijack) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{35671234-7890-abcd-cdef-567801237653} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{22596546-2036-9451-6058-658402589722} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{528df602-9541-a985-210a-984a698c6f25} (Spyware.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{5b1aef69-ddae-fdad-dcab-698f026abdb5} (Spyware.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{83ba45af-faaa-cddd-beee-bcde1234ab38} (Spyware.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{18093456-9012-4568-9076-908765467181} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{470165f1-9f65-569f-f895-f14f58f41074} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{4fd45a54-9875-698f-e56e-65102358fdf4} (Trojan.Vundo) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\drivers\msosmsp2p32.sys (Spyware.OnLineGames) -> Quarantined and deleted successfully.
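As an added example (not part of this thread, and not Malwarebytes' own code), the script below parses the MBAM log format shown above and turns the quarantined items into follow-up checks for a responder: which Image File Execution Options keys were used against the security tools, which CLSID was loaded as both a Browser Helper Object and a ShellExecuteHook, which Explorer settings (hidden-file display, Start Menu) the malware flipped, and which service survived in more than one ControlSet. The sample input is an excerpt of the log above; the technique labels and the wording of the checks are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: an excerpt of the MBAM log posted above.
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{35671234-7890-abcd-cdef-567801237653} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{35671234-7890-abcd-cdef-567801237653} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msp2p32 (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAVmon.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{35671234-7890-abcd-cdef-567801237653} (Spyware.OnlineGames) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\msosmsp2p32.sys (Spyware.OnLineGames) -> Quarantined and deleted successfully.
"""

# One MBAM result line: "<item> (<family>) -> [Bad: (x) Good: (y) -> ]<action>."
LINE_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> "
    r"(?:Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> )?"
    r"(?P<action>.+?)\.?$"
)
GUID_RE = re.compile(r"\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}")


def classify(item):
    """Label the technique a quarantined key/value/path served (labels are this example's own)."""
    low = item.lower()
    if "\\image file execution options\\" in low:
        return "ifeo_debugger_hijack"    # launches of a security tool redirected
    if "\\shellexecutehooks\\" in low:
        return "shell_execute_hook"      # DLL loaded on every ShellExecute call
    if "\\browser helper objects\\" in low:
        return "browser_helper_object"   # DLL loaded into Internet Explorer
    if low.startswith("hkey_classes_root\\clsid\\"):
        return "com_class_registration"  # CLSID that backs the BHO/hook DLL
    if "\\services\\" in low:
        return "service_or_driver"
    if "\\advanced\\folder\\hidden\\" in low:
        return "hidden_files_policy"     # "show hidden files" forced off
    if "\\advanced\\" in low:
        return "explorer_policy"         # other Explorer UI setting flipped
    if re.match(r"^[a-z]:\\", low):
        return "file"
    return "other"


def parse_mbam_log(text):
    """Yield one dict per result line; headers and '(No malicious items detected)' are skipped."""
    section = None
    for line in map(str.strip, text.splitlines()):
        if line.endswith("Infected:"):
            section = line[: -len(" Infected:")]
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        guid = GUID_RE.search(m.group("item"))
        yield {"section": section, "item": m.group("item"), "family": m.group("family"),
               "action": m.group("action"), "bad": m.group("bad"), "good": m.group("good"),
               "technique": classify(m.group("item")),
               "clsid": guid.group(0).lower() if guid else None}


def triage(text):
    """Group results by technique and derive follow-up checks (MBAM only reports what it removed)."""
    entries = list(parse_mbam_log(text))
    by_technique, clsid_roles = defaultdict(list), defaultdict(set)
    for e in entries:
        by_technique[e["technique"]].append(e)
        if e["clsid"]:
            clsid_roles[e["clsid"]].add(e["technique"])
    leaf = lambda e: e["item"].rsplit("\\", 1)[-1]   # last key/path component
    checks = []
    for e in by_technique.get("ifeo_debugger_hijack", []):
        checks.append(f"confirm no Debugger value remains under IFEO\\{leaf(e)}")
    for e in by_technique.get("hidden_files_policy", []) + by_technique.get("explorer_policy", []):
        checks.append(f"confirm {leaf(e)} is back to {e['good']} (attacker set {e['bad']})")
    for clsid, roles in clsid_roles.items():
        if {"browser_helper_object", "shell_execute_hook"} <= roles:
            checks.append(f"{clsid} was loaded both as a BHO and as a ShellExecuteHook; "
                          "confirm its DLL is gone from system32")
    for e in by_technique.get("service_or_driver", []):
        checks.append(f"confirm service {leaf(e)} is absent from every ControlSet")
    return {"entries": entries, "checks": checks,
            "by_technique": {k: len(v) for k, v in by_technique.items()},
            "clsid_roles": {k: sorted(v) for k, v in clsid_roles.items()}}
```

Run `triage(SAMPLE_LOG)["checks"]` on the full log above and the IFEO list grows to all twelve blocked tools, which is the clearest sign in this thread that the infection was targeting the victim's security software rather than just the game credentials.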
     
  9. 2008/06/10
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi EmmaQ

    Before we go any further we need to install the Recovery Console on your machine.

    Please do the following and post the CF_RC.txt.

    You need to download the installation package for the Setup Disks for Floppy Boot Install from Microsoft so that we can use it to install the Recovery Console on your computer. No validation required! Please select the download link below that's appropriate for your Operating System then download and save the setup package to your desktop. If necessary, change the language version to match your installation. Do NOT change the name of the downloaded file!


    Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

    Please do not reboot your machine until we have reviewed the log.

    Thanks
    Geri
     
    Geri,
    #8
  10. 2008/06/10
    EmmaQ

    EmmaQ Inactive Thread Starter

    Joined:
    2008/06/04
    Messages:
    20
    Likes Received:
    0
    Recovery console

    Hey Geri

    I don't have a recovery console, but my hard disk drive D is labelled "HP Recovery". Also, I have CDs for system recovery. Is this the same as a recovery console? Should I still download the recovery console?

    Thank you for your help
     
  11. 2008/06/10
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi EmmaQ
    Yes, please do. It is a good idea to have it installed because of the nature of your infections.

    Thanks
    Geri
     
  12. 2008/06/13
    EmmaQ

    EmmaQ Inactive Thread Starter

    Joined:
    2008/06/04
    Messages:
    20
    Likes Received:
    0
    combo fix log

    Hey Geri

    I really appreciate you helping me. I installed the Recovery Console and ran ComboFix, and here is the log it generated (except that it's only titled "log").



    ComboFix 08-06-09.7 - Yi Quan 2008-06-13 17:17:09.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.936.86.1033.18.1440 [GMT -4:00]
    Running from: C:\Documents and Settings\Yi Quan\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Yi Quan\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((( Files Created from 2008-05-13 to 2008-06-13 )))))))))))))))))))))))))))))))
    .

    2008-06-10 18:12 . 2008-04-14 07:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
    2008-06-10 18:12 . 2008-04-14 07:01 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
    2008-06-04 22:03 . 2008-06-04 22:03 <DIR> d-------- C:\Deckard
    2008-06-04 14:21 . 2007-11-03 12:08 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2008-06-02 21:53 . 2008-06-02 21:54 94,383,892 --a------ C:\SYM_REGISTRY_BACKUP.reg
    2008-05-15 23:04 . 2008-05-15 23:04 <DIR> d-------- C:\Program Files\Common Files\Thunder Network
    2008-05-15 23:04 . 2008-06-01 13:49 26 --a------ C:\WINDOWS\system32\xlhcc.dat

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-13 16:46 --------- d-----w C:\Program Files\Symantec AntiVirus
    2008-06-10 02:15 --------- d-----w C:\Program Files\eMule
    2008-06-05 20:04 34,296 ----a-w C:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-06-05 20:04 15,864 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
    2008-06-01 20:06 --------- d-----w C:\Program Files\PPStream
    2008-06-01 20:06 --------- d-----w C:\Documents and Settings\Yi Quan\Application Data\ppstream
    2008-06-01 17:52 --------- d-----w C:\Program Files\MSN Messenger
    2008-05-21 02:12 --------- d-----w C:\Program Files\Microsoft Silverlight
    2008-05-13 00:09 --------- d-----w C:\Program Files\MINITAB 14 Student
    2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
    2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
    2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
    2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
    2008-04-30 12:31 --------- d-----w C:\Program Files\Common Files\xing shared
    2008-04-30 12:31 --------- d-----w C:\Program Files\Common Files\Real
    2008-04-24 02:16 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
    2008-04-23 18:06 --------- d-----w C:\Program Files\Neuro
    2008-04-22 07:40 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
    2008-04-22 07:39 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
    2008-04-22 07:39 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
    2008-04-20 05:07 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
    2008-04-10 14:08 152 ----a-w C:\Documents and Settings\Yi Quan\Application Data\wklnhst.dat
    2008-03-31 21:25 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
    2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
    2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
    2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
    2006-10-19 22:55 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
    2004-08-08 18:54 520 --sh--w C:\WINDOWS\system32\cgsqatyu.sys
    2004-08-08 18:55 520 --sh--w C:\WINDOWS\system32\erjxakin.sys
    2004-08-08 18:53 520 --sh--w C:\WINDOWS\system32\gpsgajba.sys
    2004-08-08 18:55 520 --sh--w C:\WINDOWS\system32\rnmxajkl.sys
    2004-08-08 18:53 520 --sh--w C:\WINDOWS\system32\smhxbbyt.sys
    2004-08-08 18:52 520 --sh--w C:\WINDOWS\system32\snfybbyt.sys
    2004-08-08 18:55 520 --sh--w C:\WINDOWS\system32\xbfsbjbo.sys
    2004-08-08 18:55 520 --sh--w C:\WINDOWS\system32\xzfhbjpg.sys
    .

    ------- Sigcheck -------

    2005-05-25 23:07 359936 63fdfea54eb53de2d863ee454937ce1e C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
    2006-01-13 21:07 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys
    2006-04-20 08:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
    2007-10-30 12:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
    2004-08-04 17:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys
    2005-05-25 23:04 359808 88763a98a4c26c409741b4aa162720c9 C:\WINDOWS\$NtUninstallKB913446$\tcpip.sys
    2006-01-13 06:28 359808 583e063fdc888ca30d05c2724b0d7ef4 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
    2006-04-20 07:51 359808 45265cbad25c6254afafc7bdd88bdb4b C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
    2007-10-30 13:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\system32\dllcache\tcpip.sys
    2007-10-30 13:20 360064 ef7834c1d9ddf4c7da697d8c24a03791 C:\WINDOWS\system32\drivers\tcpip.sys
    .
    ((((((((((((((((((((((((((((( snapshot@2008-06-09_20.48.33.63 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-06-10 00:40:59 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-06-13 16:44:08 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-04-14 11:01:02 272,128 ------w C:\WINDOWS\Driver Cache\i386\bthport.sys
    + 2008-03-01 13:06:20 124,928 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\advpack.dll
    + 2008-03-01 13:06:21 347,136 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\dxtmsft.dll
    + 2008-03-01 13:06:21 214,528 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\dxtrans.dll
    + 2008-03-01 13:06:21 133,120 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\extmgr.dll
    + 2008-03-01 13:06:21 63,488 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\icardie.dll
    + 2008-02-29 08:55:23 70,656 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ie4uinit.exe
    + 2008-03-01 13:06:21 153,088 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieakeng.dll
    + 2008-03-01 13:06:21 230,400 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieaksie.dll
    + 2008-02-15 05:44:25 161,792 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieakui.dll
    + 2008-03-01 13:06:22 383,488 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieapfltr.dll
    + 2008-03-01 13:06:22 384,512 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iedkcs32.dll
    + 2008-03-01 13:06:24 6,066,176 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieframe.dll
    + 2008-03-01 13:06:24 44,544 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iernonce.dll
    + 2008-03-01 13:06:25 267,776 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iertutil.dll
    + 2008-02-22 10:00:51 13,824 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieudinit.exe
    + 2008-02-29 08:55:46 625,664 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iexplore.exe
    + 2008-03-01 13:06:25 27,648 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\jsproxy.dll
    + 2008-03-01 13:06:26 459,264 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\msfeeds.dll
    + 2008-03-01 13:06:26 52,224 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\msfeedsbs.dll
    + 2008-03-01 22:36:30 3,591,680 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\mshtml.dll
    + 2008-03-01 13:06:28 478,208 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\mshtmled.dll
    + 2008-03-01 13:06:28 193,024 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\msrating.dll
    + 2008-03-01 13:06:29 671,232 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\mstime.dll
    + 2008-03-01 13:06:29 102,912 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\occache.dll
    + 2008-03-01 13:06:29 44,544 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\pngfilt.dll
    + 2007-03-06 01:22:39 213,216 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe
    + 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\updspapi.dll
    + 2008-03-01 13:06:29 105,984 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\url.dll
    + 2008-03-01 13:06:30 1,159,680 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\urlmon.dll
    + 2008-03-01 13:06:30 233,472 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\webcheck.dll
    + 2008-03-01 13:06:31 826,368 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\wininet.dll
    - 2000-06-02 03:37:02 593,920 ----a-r C:\WINDOWS\Installer\{90110804-6000-11D3-8CFE-0150048383C9}\accicons.exe
    + 2008-06-11 03:00:20 593,920 ----a-r C:\WINDOWS\Installer\{90110804-6000-11D3-8CFE-0150048383C9}\accicons.exe
    - 2000-06-02 03:37:02 12,288 ----a-r C:\WINDOWS\Installer\{90110804-6000-11D3-8CFE-0150048383C9}\cagicon.exe
    + 2008-06-11 03:00:20 12,288 ----a-r C:\WINDOWS\Installer\{90110804-6000-11D3-8CFE-0150048383C9}\cagicon.exe
    - 2000-06-02 03:37:02 86,016 ----a-r C:\WINDOWS\Installer\{90110804-6000-11D3-8CFE-0150048383C9}\inficon.exe
    + 2008-06-11 03:00:20 86,016 ----a-r C:\WINDOWS\Installer\{90110804-6000-11D3-8CFE-0150048383C9}\inficon.exe
    - 2000-06-02 03:37:02 135,168 ----a-r C:\WINDOWS\Installer\{90110804-6000-11D3-8CFE-0150048383C9}\misc.exe
    + 2008-06-11 03:00:20 135,168 ----a-r C:\WINDOWS\Installer\{90110804-6000-11D3-8CFE-0150048383C9}\misc.exe
    - 2000-06-02 03:37:03 11,264 ----a-r C:\WINDOWS\Installer\{90110804-6000-11D3-8CFE-0150048383C9}\mspicons.exe
    + 2008-06-11 03:00:20 11,264 ----a-r C:\WINDOWS\Installer\{90110804-6000-11D3-8CFE-0150048383C9}\mspicons.exe
    - 2000-06-02 03:37:03 27,136 ----a-r C:\WINDOWS\Installer\{90110804-6000-11D3-8CFE-0150048383C9}\oisicon.exe
    + 2008-06-11 03:00:20 27,136 ----a-r C:\WINDOWS\Installer\{90110804-6000-11D3-8CFE-0150048383C9}\oisicon.exe
    - 2000-06-02 03:37:03 4,096 ----a-r C:\WINDOWS\Installer\{90110804-6000-11D3-8CFE-0150048383C9}\opwicon.exe
    + 2008-06-11 03:00:21 4,096 ----a-r C:\WINDOWS\Installer\{90110804-6000-11D3-8CFE-0150048383C9}\opwicon.exe
    - 2000-06-02 03:37:03 794,624 ----a-r C:\WINDOWS\Installer\{90110804-6000-11D3-8CFE-0150048383C9}\outicon.exe
    + 2008-06-11 03:00:21 794,624 ----a-r C:\WINDOWS\Installer\{90110804-6000-11D3-8CFE-0150048383C9}\outicon.exe
    - 2000-06-02 03:37:02 249,856 ----a-r C:\WINDOWS\Installer\{90110804-6000-11D3-8CFE-0150048383C9}\pptico.exe
    + 2008-06-11 03:00:20 249,856 ----a-r C:\WINDOWS\Installer\{90110804-6000-11D3-8CFE-0150048383C9}\pptico.exe
    - 2000-06-02 03:37:02 61,440 ----a-r C:\WINDOWS\Installer\{90110804-6000-11D3-8CFE-0150048383C9}\pubs.exe
    + 2008-06-11 03:00:20 61,440 ----a-r C:\WINDOWS\Installer\{90110804-6000-11D3-8CFE-0150048383C9}\pubs.exe
    - 2000-06-02 03:37:03 23,040 ----a-r C:\WINDOWS\Installer\{90110804-6000-11D3-8CFE-0150048383C9}\unbndico.exe
    + 2008-06-11 03:00:21 23,040 ----a-r C:\WINDOWS\Installer\{90110804-6000-11D3-8CFE-0150048383C9}\unbndico.exe
    - 2000-06-02 03:37:02 286,720 ----a-r C:\WINDOWS\Installer\{90110804-6000-11D3-8CFE-0150048383C9}\wordicon.exe
    + 2008-06-11 03:00:20 286,720 ----a-r C:\WINDOWS\Installer\{90110804-6000-11D3-8CFE-0150048383C9}\wordicon.exe
    - 2000-06-02 03:37:02 409,600 ----a-r C:\WINDOWS\Installer\{90110804-6000-11D3-8CFE-0150048383C9}\xlicons.exe
    + 2008-06-11 03:00:20 409,600 ----a-r C:\WINDOWS\Installer\{90110804-6000-11D3-8CFE-0150048383C9}\xlicons.exe
    - 2000-06-02 03:35:00 12,288 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
    + 2008-06-11 03:00:36 12,288 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
    - 2000-06-02 03:35:00 135,168 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
    + 2008-06-11 03:00:35 135,168 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
    - 2000-06-02 03:35:00 11,264 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
    + 2008-06-11 03:00:36 11,264 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
    - 2000-06-02 03:35:00 27,136 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
    + 2008-06-11 03:00:36 27,136 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
    - 2000-06-02 03:35:00 4,096 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
    + 2008-06-11 03:00:36 4,096 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
    - 2000-06-02 03:35:00 794,624 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
    + 2008-06-11 03:00:36 794,624 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
    - 2000-06-02 03:35:00 249,856 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
    + 2008-06-11 03:00:36 249,856 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
    - 2000-06-02 03:35:00 23,040 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
    + 2008-06-11 03:00:36 23,040 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
    - 2000-06-02 03:34:59 286,720 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
    + 2008-06-11 03:00:35 286,720 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
    - 2000-06-02 03:34:59 409,600 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
    + 2008-06-11 03:00:35 409,600 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
    - 2008-03-01 13:06:20 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
    + 2008-04-23 04:16:28 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
    - 2008-03-01 13:06:20 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
    + 2008-04-23 04:16:28 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
    - 2008-03-01 13:06:21 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
    + 2008-04-23 04:16:28 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
    - 2008-03-01 13:06:21 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
    + 2008-04-23 04:16:28 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
    - 2008-03-01 13:06:21 133,120 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
    + 2008-04-23 04:16:28 133,120 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
    - 2008-03-01 13:06:21 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
    + 2008-04-23 04:16:28 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
    - 2008-03-01 13:06:21 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
    + 2008-04-23 04:16:28 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
    - 2008-03-01 13:06:21 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
    + 2008-04-23 04:16:28 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
    - 2008-03-01 13:06:22 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
    + 2008-04-23 04:16:28 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
    - 2008-03-01 13:06:22 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
    + 2008-04-23 04:16:28 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
    - 2008-03-01 13:06:24 6,066,176 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
    + 2008-04-23 04:16:28 6,066,176 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
    - 2008-03-01 13:06:24 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
    + 2008-04-23 04:16:28 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
    - 2008-03-01 13:06:25 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
    + 2008-04-23 04:16:28 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
    - 2008-03-01 13:06:25 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
    + 2008-04-23 04:16:28 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
    - 2008-03-01 13:06:26 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
    + 2008-04-23 04:16:28 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
    - 2008-03-01 13:06:26 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
    + 2008-04-23 04:16:28 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
    - 2008-03-01 13:06:28 478,208 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
    + 2008-04-23 04:16:28 478,208 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
    - 2008-03-01 13:06:28 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
    + 2008-04-23 04:16:28 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
    - 2008-03-01 13:06:29 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
    + 2008-04-23 04:16:28 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
    - 2008-03-01 13:06:29 102,912 ------w C:\WINDOWS\system32\dllcache\occache.dll
    + 2008-04-23 04:16:28 102,912 ------w C:\WINDOWS\system32\dllcache\occache.dll
    - 2008-03-01 13:06:29 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
    + 2008-04-23 04:16:28 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
    - 2008-03-01 13:06:29 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
    + 2008-04-23 04:16:28 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
    - 2008-03-01 13:06:30 1,159,680 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
    + 2008-04-23 04:16:29 1,159,680 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
    - 2008-03-01 13:06:30 233,472 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
    + 2008-04-23 04:16:29 233,472 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
    - 2008-03-01 13:06:31 826,368 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
    + 2008-04-23 04:16:29 826,368 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
    - 2008-03-01 13:06:21 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll
    + 2008-04-23 04:16:28 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll
    - 2008-03-01 13:06:21 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
    + 2008-04-23 04:16:28 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
    - 2008-03-01 13:06:21 133,120 ----a-w C:\WINDOWS\system32\extmgr.dll
    + 2008-04-23 04:16:28 133,120 ----a-w C:\WINDOWS\system32\extmgr.dll
    - 2008-03-01 13:06:21 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
    + 2008-04-23 04:16:28 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
    - 2008-02-29 08:55:23 70,656 ----a-w C:\WINDOWS\system32\ie4uinit.exe
    + 2008-04-22 07:39:58 70,656 ----a-w C:\WINDOWS\system32\ie4uinit.exe
    - 2008-03-01 13:06:21 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
    + 2008-04-23 04:16:28 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
    - 2008-03-01 13:06:21 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
    + 2008-04-23 04:16:28 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
    - 2008-02-15 05:44:25 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
    + 2008-04-20 05:07:51 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
    - 2008-03-01 13:06:22 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
    + 2008-04-23 04:16:28 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
    - 2008-03-01 13:06:22 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
    + 2008-04-23 04:16:28 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
    - 2008-03-01 13:06:24 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll
    + 2008-04-23 04:16:28 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll
    - 2008-03-01 13:06:24 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
    + 2008-04-23 04:16:28 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
    - 2008-03-01 13:06:25 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
    + 2008-04-23 04:16:28 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
    - 2008-02-22 10:00:51 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
    + 2008-04-22 07:39:58 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
    - 2008-03-01 13:06:25 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
    + 2008-04-23 04:16:28 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
    - 2008-05-09 21:35:04 16,863,864 ----a-w C:\WINDOWS\system32\MRT.exe
    + 2008-05-29 23:35:11 17,486,968 ----a-w C:\WINDOWS\system32\MRT.exe
    - 2008-03-01 13:06:26 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
    + 2008-04-23 04:16:28 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
    - 2008-03-01 13:06:26 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
    + 2008-04-23 04:16:28 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
    - 2008-03-01 22:36:30 3,591,680 ----a-w C:\WINDOWS\system32\mshtml.dll
    + 2008-04-24 02:16:30 3,591,680 ----a-w C:\WINDOWS\system32\mshtml.dll
    - 2008-03-01 13:06:28 478,208 ----a-w C:\WINDOWS\system32\mshtmled.dll
    + 2008-04-23 04:16:28 478,208 ----a-w C:\WINDOWS\system32\mshtmled.dll
    - 2008-03-01 13:06:28 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
    + 2008-04-23 04:16:28 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
    - 2008-03-01 13:06:29 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
    + 2008-04-23 04:16:28 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
    - 2008-03-01 13:06:29 102,912 ----a-w C:\WINDOWS\system32\occache.dll
    + 2008-04-23 04:16:28 102,912 ----a-w C:\WINDOWS\system32\occache.dll
    - 2008-03-01 13:06:29 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
    + 2008-04-23 04:16:28 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
    - 2006-09-25 22:58:48 14,640 ------w C:\WINDOWS\system32\spmsg.dll
    + 2007-11-30 11:18:51 17,272 ------w C:\WINDOWS\system32\spmsg.dll
    - 2008-03-01 13:06:29 105,984 ----a-w C:\WINDOWS\system32\url.dll
    + 2008-04-23 04:16:28 105,984 ----a-w C:\WINDOWS\system32\url.dll
    - 2008-03-01 13:06:30 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
    + 2008-04-23 04:16:29 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
    - 2008-03-01 13:06:30 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll
    + 2008-04-23 04:16:29 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll
    - 2008-03-01 13:06:31 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
    + 2008-04-23 04:16:29 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25FD6584-698F-BCD2-602C-698745210352}]
    C:\WINDOWS\system32\rijxbkin.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37AC9076-C898-B098-D098-A18319080973}]
    C:\WINDOWS\system32\nhmxcjkl.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{41BE3A3D-6E4B-43F4-AAEB-5B4E95971968}]
    2006-03-01 19:16 69632 ---h----- C:\WINDOWS\system32\dueoduxz.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A069845-2036-6084-9054-6087502480A5}]
    C:\WINDOWS\system32\ozfyebyt.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:00 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-26 20:48 434528]

    C:\Documents and Settings\Yi Quan\Start Menu\Programs\Startup\
    Powerword 2006.lnk - C:\Program Files\Kingsoft\PowerWord 2006\XDICT.EXE [2005-08-27 08:05:24 504832]
    wkcalrem.LNK - C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2004-06-23 14:23:00 15360]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]
    HP Photosmart Premier Fast Start.lnk - C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe [2006-02-10 07:56:20 73728]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{37AC9076-C898-B098-D098-A18319080973}"= C:\WINDOWS\system32\nhmxcjkl.dll [ ]
    "{5A069845-2036-6084-9054-6087502480A5}"= C:\WINDOWS\system32\ozfyebyt.dll [ ]
    "{25FD6584-698F-BCD2-602C-698745210352}"= C:\WINDOWS\system32\rijxbkin.dll [ ]
    "{4F4F0064-71E0-4f0d-0006-708476C7815F}"= C:\WINDOWS\system32\midimapcb.dll [ ]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "midimapcb"= {4F4F0064-71E0-4f0d-0006-708476C7815F} - C:\WINDOWS\system32\midimapcb.dll [ ]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "UIHost"="\"logonui.exe\""

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.ACDV"= ACDV.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\WINDOWS\\network diagnostic\\xpnetdiag.exe "=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe "=
    "C:\\Program Files\\Internet Explorer\\iexplore.exe "=

    R3 USB200M;Linksys USB 2.0 Network Adapter ver.2;C:\WINDOWS\system32\DRIVERS\USB200M2.sys [2005-04-21 02:30]
    S0 1444546;1444546;C:\WINDOWS\system32\drivers\1444546.sys []
    S0 ADProt;ADProt;C:\WINDOWS\system32\drivers\ADProt.sys []
    S3 66208e00bd13e962;66208e00bd13e962;C:\66208e00bd13e962.dat []
    S3 9ac93798b98b8595;9ac93798b98b8595;C:\9ac93798b98b8595.dat []
    S3 ac6cc34072b93995;ac6cc34072b93995;C:\ac6cc34072b93995.dat []
    S3 c528b574eb7bee44;c528b574eb7bee44;C:\c528b574eb7bee44.dat []
    S3 c7d41980ca75b438;c7d41980ca75b438;C:\c7d41980ca75b438.dat []
    S3 d2e49fc0d8a8f197;d2e49fc0d8a8f197;C:\d2e49fc0d8a8f197.dat []
    S3 d5a0822459b4de2e;d5a0822459b4de2e;C:\d5a0822459b4de2e.dat []
    S3 d98823800af1b66a;d98823800af1b66a;C:\d98823800af1b66a.dat []
    S3 f233975c18d20f87;f233975c18d20f87;C:\f233975c18d20f87.dat []
    S3 NPF111;WinPcap Packet Driver (NPF111);C:\WINDOWS\system32\drivers\NPF111.sys [2000-06-08 09:59]
    S3 USB100TX;Linksys EtherFast 10/100 USB Network Adapter;C:\WINDOWS\system32\DRIVERS\USB100TX.sys [2002-03-22 16:12]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b2008b6a-4cbf-11db-b52d-0013029e341b}]
    \Shell\AutoRun\command - H:\setupSNK.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb78f10b-382f-11d4-b7c4-001a708fd808}]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

    *Newly Created Service* - CATCHME
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-06-11 23:20:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job "
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2008-06-13 16:47:22 C:\WINDOWS\Tasks\MP Scheduled Scan.job "
    - C:\Program Files\Windows Defender\MpCmdRun.exe
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-13 17:19:01
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet002\Services\66208e00bd13e962]
    "ImagePath "= "\??\C:\66208e00bd13e962.dat "

    [HKEY_LOCAL_MACHINE\system\ControlSet002\Services\9ac93798b98b8595]
    "ImagePath "= "\??\C:\9ac93798b98b8595.dat "

    [HKEY_LOCAL_MACHINE\system\ControlSet002\Services\ac6cc34072b93995]
    "ImagePath "= "\??\C:\ac6cc34072b93995.dat "

    [HKEY_LOCAL_MACHINE\system\ControlSet002\Services\c528b574eb7bee44]
    "ImagePath "= "\??\C:\c528b574eb7bee44.dat "

    [HKEY_LOCAL_MACHINE\system\ControlSet002\Services\c7d41980ca75b438]
    "ImagePath "= "\??\C:\c7d41980ca75b438.dat "

    [HKEY_LOCAL_MACHINE\system\ControlSet002\Services\d2e49fc0d8a8f197]
    "ImagePath "= "\??\C:\d2e49fc0d8a8f197.dat "

    [HKEY_LOCAL_MACHINE\system\ControlSet002\Services\d5a0822459b4de2e]
    "ImagePath "= "\??\C:\d5a0822459b4de2e.dat "

    [HKEY_LOCAL_MACHINE\system\ControlSet002\Services\d98823800af1b66a]
    "ImagePath "= "\??\C:\d98823800af1b66a.dat "

    [HKEY_LOCAL_MACHINE\system\ControlSet002\Services\f233975c18d20f87]
    "ImagePath "= "\??\C:\f233975c18d20f87.dat "
    .
    Completion time: 2008-06-13 17:21:02
    ComboFix-quarantined-files.txt 2008-06-13 21:20:37
    ComboFix2.txt 2008-06-10 00:48:54

    Pre-Run: 18,492,039,168 bytes free
    Post-Run: 18,502,516,736 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
    C:\CMDCONS\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons

    376 --- E O F --- 2008-06-11 03:02:07
     
  13. 2008/06/14
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi EmmaQ

    OK Good.

    Now please do this.

    Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    Code:
    File::
    C:\WINDOWS\system32\cgsqatyu.sys
    C:\WINDOWS\system32\erjxakin.sys
    C:\WINDOWS\system32\gpsgajba.sys
    C:\WINDOWS\system32\rnmxajkl.sys
    C:\WINDOWS\system32\smhxbbyt.sys
    C:\WINDOWS\system32\snfybbyt.sys
    C:\WINDOWS\system32\xbfsbjbo.sys
    C:\WINDOWS\system32\xzfhbjpg.sys
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25FD6584-698F-BCD2-602C-698745210352}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{41BE3A3D-6E4B-43F4-AAEB-5B4E95971968}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A069845-2036-6084-9054-6087502480A5}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks]
     "{37AC9076-C898-B098-D098-A18319080973}"=-
     "{5A069845-2036-6084-9054-6087502480A5}"=-
     "{25FD6584-698F-BCD2-602C-698745210352}"=-
     "{4F4F0064-71E0-4f0d-0006-708476C7815F}"=-
    [-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\66208e00bd13e962]
    [-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\9ac93798b98b8595]
    [-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ac6cc34072b93995]
    [-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\c528b574eb7bee44]
    [-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\c7d41980ca75b438]
    [-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\d2e49fc0d8a8f197]
    [-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\d5a0822459b4de2e]
    [-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\d98823800af1b66a]
    [-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\f233975c18d20f87] 
    Please post the combofix log.

    Thanks
    Geri
     
  14. 2008/06/14
    EmmaQ

    EmmaQ Inactive Thread Starter

    Joined:
    2008/06/04
    Messages:
    20
    Likes Received:
    0
    New virus....????

    Hey Geri

    Symantec alerted me that there's a new virus called Trojan.Downexec.B!inf on my computer. However my computer is working fine and doesn't seem to have any problems.

    This is the new Combofix Log

    ComboFix 08-06-09.7 - Yi Quan 2008-06-14 9:20:45.3 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.936.86.1033.18.1408 [GMT -4:00]
    Running from: C:\Documents and Settings\Yi Quan\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Yi Quan\Desktop\CFScript.txt
    * Created a new restore point

    FILE ::
    C:\WINDOWS\system32\cgsqatyu.sys
    C:\WINDOWS\system32\erjxakin.sys
    C:\WINDOWS\system32\gpsgajba.sys
    C:\WINDOWS\system32\rnmxajkl.sys
    C:\WINDOWS\system32\smhxbbyt.sys
    C:\WINDOWS\system32\snfybbyt.sys
    C:\WINDOWS\system32\xbfsbjbo.sys
    C:\WINDOWS\system32\xzfhbjpg.sys
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\cgsqatyu.sys
    C:\WINDOWS\system32\erjxakin.sys
    C:\WINDOWS\system32\gpsgajba.sys
    C:\WINDOWS\system32\rnmxajkl.sys
    C:\WINDOWS\system32\smhxbbyt.sys
    C:\WINDOWS\system32\snfybbyt.sys
    C:\WINDOWS\system32\xbfsbjbo.sys
    C:\WINDOWS\system32\xzfhbjpg.sys

    .
    ((((((((((((((((((((((((( Files Created from 2008-05-14 to 2008-06-14 )))))))))))))))))))))))))))))))
    .

    2008-06-10 18:12 . 2008-04-14 07:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
    2008-06-10 18:12 . 2008-04-14 07:01 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
    2008-06-04 22:03 . 2008-06-04 22:03 <DIR> d-------- C:\Deckard
    2008-06-04 14:21 . 2007-11-03 12:08 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2008-06-02 21:53 . 2008-06-02 21:54 94,383,892 --a------ C:\SYM_REGISTRY_BACKUP.reg
    2008-05-15 23:04 . 2008-05-15 23:04 <DIR> d-------- C:\Program Files\Common Files\Thunder Network
    2008-05-15 23:04 . 2008-06-01 13:49 26 --a------ C:\WINDOWS\system32\xlhcc.dat

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-13 16:46 --------- d-----w C:\Program Files\Symantec AntiVirus
    2008-06-10 02:15 --------- d-----w C:\Program Files\eMule
    2008-06-05 20:04 34,296 ----a-w C:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-06-05 20:04 15,864 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
    2008-06-01 20:06 --------- d-----w C:\Program Files\PPStream
    2008-06-01 20:06 --------- d-----w C:\Documents and Settings\Yi Quan\Application Data\ppstream
    2008-06-01 17:52 --------- d-----w C:\Program Files\MSN Messenger
    2008-05-21 02:12 --------- d-----w C:\Program Files\Microsoft Silverlight
    2008-05-13 00:09 --------- d-----w C:\Program Files\MINITAB 14 Student
    2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
    2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
    2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
    2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
    2008-04-30 12:31 --------- d-----w C:\Program Files\Common Files\xing shared
    2008-04-30 12:31 --------- d-----w C:\Program Files\Common Files\Real
    2008-04-24 02:16 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
    2008-04-23 18:06 --------- d-----w C:\Program Files\Neuro
    2008-04-22 07:40 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
    2008-04-22 07:39 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
    2008-04-22 07:39 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
    2008-04-20 05:07 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
    2008-04-10 14:08 152 ----a-w C:\Documents and Settings\Yi Quan\Application Data\wklnhst.dat
    2008-03-31 21:25 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
    2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
    2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
    2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
    2006-10-19 22:55 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
    .

    ------- Sigcheck -------

    2005-05-25 23:07 359936 63fdfea54eb53de2d863ee454937ce1e C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
    2006-01-13 21:07 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys
    2006-04-20 08:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
    2007-10-30 12:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
    2004-08-04 17:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys
    2005-05-25 23:04 359808 88763a98a4c26c409741b4aa162720c9 C:\WINDOWS\$NtUninstallKB913446$\tcpip.sys
    2006-01-13 06:28 359808 583e063fdc888ca30d05c2724b0d7ef4 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
    2006-04-20 07:51 359808 45265cbad25c6254afafc7bdd88bdb4b C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
    2007-10-30 13:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\system32\dllcache\tcpip.sys
    2007-10-30 13:20 360064 ef7834c1d9ddf4c7da697d8c24a03791 C:\WINDOWS\system32\drivers\tcpip.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37AC9076-C898-B098-D098-A18319080973}]
    C:\WINDOWS\system32\nhmxcjkl.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:00 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting "= "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-26 20:48 434528]

    C:\Documents and Settings\Yi Quan\Start Menu\Programs\Startup\
    Powerword 2006.lnk - C:\Program Files\Kingsoft\PowerWord 2006\XDICT.EXE [2005-08-27 08:05:24 504832]
    wkcalrem.LNK - C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2004-06-23 14:23:00 15360]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]
    HP Photosmart Premier Fast Start.lnk - C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe [2006-02-10 07:56:20 73728]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "midimapcb "= {4F4F0064-71E0-4f0d-0006-708476C7815F} - C:\WINDOWS\system32\midimapcb.dll [ ]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "UIHost "= "\ "logonui.exe\" "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.ACDV "= ACDV.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\WINDOWS\\network diagnostic\\xpnetdiag.exe "=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe "=
    "C:\\Program Files\\Internet Explorer\\iexplore.exe "=

    R3 USB200M;Linksys USB 2.0 Network Adapter ver.2;C:\WINDOWS\system32\DRIVERS\USB200M2.sys [2005-04-21 02:30]
    S0 1444546;1444546;C:\WINDOWS\system32\drivers\1444546.sys []
    S0 ADProt;ADProt;C:\WINDOWS\system32\drivers\ADProt.sys []
    S3 NPF111;WinPcap Packet Driver (NPF111);C:\WINDOWS\system32\drivers\NPF111.sys [2000-06-08 09:59]
    S3 USB100TX;Linksys EtherFast 10/100 USB Network Adapter;C:\WINDOWS\system32\DRIVERS\USB100TX.sys [2002-03-22 16:12]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b2008b6a-4cbf-11db-b52d-0013029e341b}]
    \Shell\AutoRun\command - H:\setupSNK.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb78f10b-382f-11d4-b7c4-001a708fd808}]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

    *Newly Created Service* - CATCHME
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-06-11 23:20:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job "
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2008-06-13 16:47:22 C:\WINDOWS\Tasks\MP Scheduled Scan.job "
    - C:\Program Files\Windows Defender\MpCmdRun.exe
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-14 09:21:52
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet002\Services\66208e00bd13e962]
    "ImagePath "= "\??\C:\66208e00bd13e962.dat "
    --

    [HKEY_LOCAL_MACHINE\system\ControlSet002\Services\9ac93798b98b8595]
    "ImagePath "= "\??\C:\9ac93798b98b8595.dat "
    --

    [HKEY_LOCAL_MACHINE\system\ControlSet002\Services\ac6cc34072b93995]
    "ImagePath "= "\??\C:\ac6cc34072b93995.dat "
    --

    [HKEY_LOCAL_MACHINE\system\ControlSet002\Services\c528b574eb7bee44]
    "ImagePath "= "\??\C:\c528b574eb7bee44.dat "

    [HKEY_LOCAL_MACHINE\system\ControlSet002\Services\c7d41980ca75b438]
    "ImagePath "= "\??\C:\c7d41980ca75b438.dat "
    --

    [HKEY_LOCAL_MACHINE\system\ControlSet002\Services\d2e49fc0d8a8f197]
    "ImagePath "= "\??\C:\d2e49fc0d8a8f197.dat "

    [HKEY_LOCAL_MACHINE\system\ControlSet002\Services\d5a0822459b4de2e]
    "ImagePath "= "\??\C:\d5a0822459b4de2e.dat "

    [HKEY_LOCAL_MACHINE\system\ControlSet002\Services\d98823800af1b66a]
    "ImagePath "= "\??\C:\d98823800af1b66a.dat "
    --

    [HKEY_LOCAL_MACHINE\system\ControlSet002\Services\f233975c18d20f87]
    "ImagePath "= "\??\C:\f233975c18d20f87.dat "

    [HKEY_LOCAL_MACHINE\system\ControlSet002\Services\66208e00bd13e962]
    "ImagePath "= "\??\C:\66208e00bd13e962.dat "

    [HKEY_LOCAL_MACHINE\system\ControlSet002\Services\9ac93798b98b8595]
    "ImagePath "= "\??\C:\9ac93798b98b8595.dat "

    [HKEY_LOCAL_MACHINE\system\ControlSet002\Services\ac6cc34072b93995]
    "ImagePath "= "\??\C:\ac6cc34072b93995.dat "

    [HKEY_LOCAL_MACHINE\system\ControlSet002\Services\c528b574eb7bee44]
    "ImagePath "= "\??\C:\c528b574eb7bee44.dat "

    [HKEY_LOCAL_MACHINE\system\ControlSet002\Services\c7d41980ca75b438]
    "ImagePath "= "\??\C:\c7d41980ca75b438.dat "

    [HKEY_LOCAL_MACHINE\system\ControlSet002\Services\d2e49fc0d8a8f197]
    "ImagePath "= "\??\C:\d2e49fc0d8a8f197.dat "

    [HKEY_LOCAL_MACHINE\system\ControlSet002\Services\d5a0822459b4de2e]
    "ImagePath "= "\??\C:\d5a0822459b4de2e.dat "

    [HKEY_LOCAL_MACHINE\system\ControlSet002\Services\d98823800af1b66a]
    "ImagePath "= "\??\C:\d98823800af1b66a.dat "

    [HKEY_LOCAL_MACHINE\system\ControlSet002\Services\f233975c18d20f87]
    "ImagePath "= "\??\C:\f233975c18d20f87.dat "
    .
    Completion time: 2008-06-14 9:23:40
    ComboFix-quarantined-files.txt 2008-06-14 13:22:58
    ComboFix2.txt 2008-06-13 21:21:03
    ComboFix3.txt 2008-06-10 00:48:54

    Pre-Run: 18,489,827,328 bytes free
    Post-Run: 18,472,202,240 bytes free

    192 --- E O F --- 2008-06-11 03:02:07


    Thank you so much for helping me
    EmmaQ
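The ComboFix log in this post (and the one in post 12) is what the helper reads by hand: service entries whose name is a 16-hex-digit string and whose image is a `.dat` file in the root of `C:\`, Security Center values set to 1 that silence antivirus and firewall monitoring, a ShellExecuteHooks entry whose DLL shows `[ ]`, and `AutoRun` commands under `MountPoints2`. As an added example that is not code from ComboFix, HijackThis or anyone in this thread, the Python script below runs those same checks over a constructed excerpt built from lines in the thread's logs, and drafts the `File::` and `Registry::` blocks in the CFScript syntax the helper uses here. The category names, the heuristics and the regular expressions are my own choices, not ComboFix's; the excerpt keeps the forum's rendering quirk of a space before the closing quote in value names so the parser is shown coping with it.

```python
"""Triage helper for ComboFix-style log excerpts (added example, not ComboFix code)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed excerpt modelled on the ComboFix logs posted in this thread.
SAMPLE_LOG = r"""
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{37AC9076-C898-B098-D098-A18319080973} "= C:\WINDOWS\system32\nhmxcjkl.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify "=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring "=dword:00000001

R3 USB200M;Linksys USB 2.0 Network Adapter ver.2;C:\WINDOWS\system32\DRIVERS\USB200M2.sys [2005-04-21 02:30]
S0 ADProt;ADProt;C:\WINDOWS\system32\drivers\ADProt.sys []
S3 66208e00bd13e962;66208e00bd13e962;C:\66208e00bd13e962.dat []
S3 NPF111;WinPcap Packet Driver (NPF111);C:\WINDOWS\system32\drivers\NPF111.sys [2000-06-08 09:59]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
"""


@dataclass
class Finding:
    category: str  # suspicious-service, service-no-timestamp, security-center-tamper, shell-execute-hook, drive-autorun
    subject: str   # the actionable item: a file path, a value name or a drive key
    detail: str


SECTION_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
# ComboFix service line: <start type> <name>;<display name>;<image path> [<file timestamp>]
SERVICE_RE = re.compile(r'^[RS][0-4]\s+(?P<name>[^;]+);[^;]*;(?P<path>.+?)\s+\[(?P<stamp>[^\]]*)\]\s*$')
HEX_NAME_RE = re.compile(r'^[0-9a-f]{16}$')
ROOT_DAT_RE = re.compile(r'^[a-z]:\\[^\\]+\.dat$', re.IGNORECASE)
# Security Center values that, when set to 1, silence or stop AV/firewall monitoring.
TAMPER_VALUES = {'antivirusdisablenotify', 'disablemonitoring'}


def triage(log_text: str) -> List[Finding]:
    """Walk the log line by line, tracking the current [registry section]."""
    findings: List[Finding] = []
    section = ''
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group('key').lower()
            continue
        m = SERVICE_RE.match(line)
        if m:
            name, path, stamp = m.group('name'), m.group('path').strip(), m.group('stamp').strip()
            if HEX_NAME_RE.match(name) and ROOT_DAT_RE.match(path):
                findings.append(Finding('suspicious-service', path,
                                        f'service {name}: 16-hex-digit name, .dat image in the drive root'))
            elif not stamp:
                findings.append(Finding('service-no-timestamp', path,
                                        f'service {name}: no file timestamp recorded, check the file exists'))
            continue
        m = VALUE_RE.match(line)
        if m:
            # The forum rendering puts a space before the closing quote; strip it.
            name, data = m.group('name').strip(), m.group('data').strip()
            if 'security center' in section and name.lower() in TAMPER_VALUES and data.lower() == 'dword:00000001':
                findings.append(Finding('security-center-tamper', name, f'{section}: {name}=1'))
            elif section.endswith('shellexecutehooks'):
                status = 'file missing' if data.endswith('[ ]') else 'file present'
                findings.append(Finding('shell-execute-hook', name, f'{data} ({status})'))
            continue
        if 'mountpoints2' in section and line.lower().startswith(r'\shell\autorun\command'):
            drive = section.rsplit('\\', 1)[-1]
            findings.append(Finding('drive-autorun', drive, line.split(' - ', 1)[-1]))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


def cfscript_for(findings: List[Finding]) -> str:
    """Draft File:: and Registry:: blocks in the CFScript syntax used in this thread.
    Only the two categories with an unambiguous target are covered; a helper reviews the result."""
    files = [f.subject for f in findings if f.category == 'suspicious-service']
    hooks = [f.subject for f in findings
             if f.category == 'shell-execute-hook' and f.detail.endswith('(file missing)')]
    out: List[str] = []
    if files:
        out += ['File::', *files, '']
    if hooks:
        out += ['Registry::',
                r'[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks]',
                *(f'"{h}"=-' for h in hooks)]
    return '\n'.join(out)


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.category:24} {f.subject:45} {f.detail}')
    print(cfscript_for(triage(SAMPLE_LOG)))
```

Run it on a saved ComboFix log by passing the file's text to `triage()`. The `service-no-timestamp` category is deliberately weaker than `suspicious-service`: the empty brackets on the `ADProt` and `1444546` lines in these logs only say that no file date was recorded, which is a prompt to check whether the file exists, not evidence on its own.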
     
  15. 2008/06/14
    EmmaQ

    EmmaQ Inactive Thread Starter

    Joined:
    2008/06/04
    Messages:
    20
    Likes Received:
    0
    HJT log

    And here's a fresh HJT log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:30:14 AM, on 14/06/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\WINDOWS\system32\conime.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll (file missing)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: nhmxcjkl.dll - {37AC9076-C898-B098-D098-A18319080973} - C:\WINDOWS\system32\nhmxcjkl.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Startup: Powerword 2006.lnk = C:\Program Files\Kingsoft\PowerWord 2006\XDICT.EXE
    O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)
    O9 - Extra button: (no name) - {6354ABE6-05F1-49ed-B850-E423120EC338} - http://cn.widget.yahoo.com/index.htm?source=Cns (file missing)
    O9 - Extra button: D??¢?ì?÷ - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q306&bd=pavilion&pf=laptop
    O15 - ESC Trusted Zone: http://*.update.microsoft.com
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by116fd.bay116.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1157852031890
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1157852025406
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {C728DAB8-FDF5-4CD7-89DD-879D25794C77} (KooPlayer Control) - http://zhibo.cctv.com/video_player/img/CCTVKooPlayer.ocx
    O21 - SSODL: midimapcb - {4F4F0064-71E0-4f0d-0006-708476C7815F} - C:\WINDOWS\system32\midimapcb.dll (file missing)
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    --
    End of file - 7258 bytes
     
  16. 2008/06/14
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi

    Please have this file scanned.

    Jotti File Submission:
    • Please go to Jotti's malware scan
    • Copy and paste the following file path into the "File to upload & scan" box on the top of the page: one at a time
      • C:\WINDOWS\system32\xlhcc.dat
    • Click on the submit button
    • Please post the results in your next reply.

    Thanks
    Geri
     
  17. 2008/06/14
    EmmaQ

    EmmaQ Inactive Thread Starter

    Joined:
    2008/06/04
    Messages:
    20
    Likes Received:
    0
    Thank you so much for your help!!!!!

    Hey Geri

    I scanned the file you requested, and the results say "Found nothing" for all scanners:

    File: xlhcc.dat_
    Status: OK
    MD5: bb8640485be85259c09373c65c25d6d9
    Packers detected: -

    Scanner results
    Scan taken on 14 Jun 2008 17:29:54 (GMT)
    A-Squared Found nothing
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    CPsecure Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found nothing
    Fortinet Found nothing
    Ikarus Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    Panda Antivirus Found nothing
    Sophos Antivirus Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing

    Thank you for all your help!!!! My computer is working fine again!!!!
     
  18. 2008/06/14
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi EmmaQ
    I'm glad things are getting better; there are still a few things to do.


    Please backup your registry using ERUNT before proceeding to any of the steps.

    Download ERUNT from Derfisch or Aumha and save it to your desktop.

    • For version with the Installer:
    Use the setup program to install ERUNT on your computer
    Uncheck the "Create NTREGOPT desktop icon" box.
    • For the zipped version:
    Unzip all the files into a folder of your choice.

    After it is installed
    Click "Start" > "All Programs "
    Find and go to ERUNT in the menu.
    In the window that opens click on ERUNT.
    By default the backup location is c:\windows\erunt\ (current date)
    Click OK to continue with the registry backup.
    If the folder does not exist then let ERUNT create the folder for you by clicking Yes
    You should see a progress bar when ERUNT is backing up the Windows Registry.
    After ERUNT has completed the Windows Registry backup, click OK to exit ERUNT


    • Now Download RegASSASSIN by malwarebytes.org from here
    • Unzip/extract it to a folder on your desktop
    • Double-click on RegASSASSIN.exe to start RegASSASSIN
    • Copy and paste the below into the white box

      • [HKEY_LOCAL_MACHINE\system\ControlSet002\Services\f233975c18d20f87]
    • Click Delete
    • Answer Yes to any prompts
    Now also do these one at a time.
    [HKEY_LOCAL_MACHINE\system\ControlSet002\Services\66208e00bd13e962]
    [HKEY_LOCAL_MACHINE\system\ControlSet002\Services\9ac93798b98b8595]
    [HKEY_LOCAL_MACHINE\system\ControlSet002\Services\ac6cc34072b93995]
    [HKEY_LOCAL_MACHINE\system\ControlSet002\Services\c528b574eb7bee44]
    [HKEY_LOCAL_MACHINE\system\ControlSet002\Services\c7d41980ca75b438]
    [HKEY_LOCAL_MACHINE\system\ControlSet002\Services\d2e49fc0d8a8f197]
    [HKEY_LOCAL_MACHINE\system\ControlSet002\Services\d5a0822459b4de2e]
    [HKEY_LOCAL_MACHINE\system\ControlSet002\Services\d98823800af1b66a]

    Reboot your computer.


    Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
    Code:
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37AC9076-C898-B098-D098-A18319080973}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb78f10b-382f-11d4-b7c4-001a708fd808}] 
    Please post the Combofix log.

    Thanks
    Geri
     
  19. 2008/06/14
    EmmaQ

    EmmaQ Inactive Thread Starter

    Joined:
    2008/06/04
    Messages:
    20
    Likes Received:
    0
    Cannot delete registry keys...

    Hey Geri

    I downloaded ERUNT and RegAssassin, but I cannot delete those registry keys in RegAssassin. The error message says: "ERROR: Hive returned NULL". What should I do? Should I do this in safe mode?
     
  20. 2008/06/14
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    Ok, I will write up a fix. It will take me some time, so please be patient.

    I'll get back to you.

    Thanks
    Geri
     
  21. 2008/06/15
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    Ok, let's try it this way before doing a harder fix.

    Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    Code:
    File::
    C:\ac6cc34072b93995.dat
    C:\c528b574eb7bee44.dat
    C:\c7d41980ca75b438.dat
    C:\d2e49fc0d8a8f197.dat
    C:\d5a0822459b4de2e.dat
    C:\d98823800af1b66a.dat
    C:\f233975c18d20f87.dat
    C:\66208e00bd13e962.dat
    C:\9ac93798b98b8595.dat
    Driver::
    ac6cc34072b93995
    c528b574eb7bee44
    c7d41980ca75b438
    d2e49fc0d8a8f197
    d5a0822459b4de2e
    d98823800af1b66a
    f233975c18d20f87
    66208e00bd13e962
    9ac93798b98b8595 
    Please post the CF log.

    Thanks
    Geri
     
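The two fixes above (the RegASSASSIN list of service keys in post 18 and the ComboFix File::/Driver:: script in post 21) target the same thing from two sides: service entries under HKLM\SYSTEM\ControlSet002\Services whose names are random 16-hex-digit strings, each paired with a C:\<name>.dat file. The following PowerShell script is an added example for readers following this thread; it is not code from Geri, WindowsBBS, RegASSASSIN or ComboFix. It enumerates every ControlSetNNN for service keys matching that naming pattern, backs each key up with reg.exe (the same safety net ERUNT provides for the whole hive), and, when $DryRun is switched off, deletes the key and the matching .dat file. The $DryRun switch, the backup folder and the assumption that the file always sits at C:\<name>.dat are mine, not the thread's.

```powershell
# Added example (not from the thread): find services whose key name is a
# 16-hex-digit string, as in Geri's lists, back each key up, then delete the
# key and the matching C:\<name>.dat. Run from an elevated PowerShell prompt.
# $DryRun, the backup folder and the .dat file location are assumptions.

$DryRun    = $true                         # set to $false to actually delete
$HexName   = '^[0-9a-f]{16}$'              # pattern of the service names listed in the thread
$BackupDir = Join-Path $env:USERPROFILE 'Desktop\svc-backup'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Look in every ControlSetNNN, not only CurrentControlSet: the keys in the
# thread were under ControlSet002.
$controlSets = Get-ChildItem 'HKLM:\SYSTEM' |
    Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' }

$found = foreach ($cs in $controlSets) {
    $servicesKey = "HKLM:\SYSTEM\$($cs.PSChildName)\Services"
    foreach ($key in (Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue)) {
        if ($key.PSChildName -notmatch $HexName) { continue }
        $props = Get-ItemProperty -Path $key.PSPath
        [pscustomobject]@{
            ControlSet = $cs.PSChildName
            Name       = $key.PSChildName
            ImagePath  = $props.ImagePath
            Start      = $props.Start   # 0-2 load automatically, 3 manual, 4 disabled
            Type       = $props.Type    # 1 kernel driver, 2 file-system driver, 16/32 Win32 service
            KeyPath    = "HKLM\SYSTEM\$($cs.PSChildName)\Services\$($key.PSChildName)"
            PSPath     = $key.PSPath
        }
    }
}

if (-not $found) {
    # Nothing visible from this session. If a ComboFix or HijackThis log still
    # lists the keys, this user-mode view is not to be trusted; see the note below.
    Write-Host 'No 16-hex-digit service keys visible in any control set.'
    return
}

$found | Format-Table ControlSet, Name, Type, Start, ImagePath -AutoSize

foreach ($svc in $found) {
    # Back the key up first so the change can be undone.
    $backupFile = Join-Path $BackupDir "$($svc.ControlSet)-$($svc.Name).reg"
    & reg.exe export $svc.KeyPath $backupFile /y | Out-Null

    $datFile = "C:\$($svc.Name).dat"       # location used in Geri's File:: list
    if ($DryRun) {
        Write-Host "[dry run] would delete $($svc.KeyPath) and $datFile"
        continue
    }
    Remove-Item -Path $svc.PSPath -Recurse -Force -ErrorAction Stop
    if (Test-Path $datFile) { Remove-Item -Path $datFile -Force }
    Write-Host "Deleted $($svc.KeyPath) (backup: $backupFile)"
}
# Reboot afterwards, as Geri instructs, so a driver that is still loaded does
# not recreate the key.
```

Run it once with $DryRun left at $true and compare the table it prints against the names in Geri's lists before flipping the switch. One caveat worth knowing: a script like this sees only what the running system shows it. If the keys appear in a ComboFix log but this enumeration returns nothing, or deletion fails the way RegASSASSIN did with "Hive returned NULL", the sensible next step is to work on the SYSTEM hive from an environment where the suspect drivers are not loaded (for example, loading C:\WINDOWS\system32\config\SYSTEM with reg load from a rescue boot), which is the general practice the thread's move to ComboFix's own driver-removal script reflects.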
