
Solved Trojan Virus can't seem to remove it

Discussion in 'Malware and Virus Removal Archive' started by Dhunter224, 2008/07/19.

  1. 2008/07/19
    Dhunter224

    Dhunter224 Inactive Thread Starter

    Joined:
    2008/07/19
    Messages:
    10
    Likes Received:
    0
    [Resolved] Trojan Virus can't seem to remove it

    Hi, I'm new here so please let me know if I'm not providing enough info...

    I recently got this virus from someone else on MSN... I was stupid enough to open the file....
    I've tried to use AVAST to clean it, and it had detected the virus and I also chose to delete the infected file... however, when I restart the computer it seems to be back, and people on my contact list said I'm still spreading the virus through messages...

    Anyway, here's the log from Hijackthis:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:38:07 AM, on 2008/7/20
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
    C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\WINDOWS\system32\CTXFIHLP.EXE
    C:\Program Files\Creative\Sound Blaster X-Fi\Entertainment Center\EAXLoadr.exe
    C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\zurouporuj.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Windows Live\Messenger\usnsvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: AddTask Class - {6A19C29D-ED45-4483-8999-9F939C8161F2} - C:\Program Files\eREAD\eREAD\WebHook.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
    O4 - HKLM\..\Run: [RCSystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
    O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
    O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [jycaruc] C:\WINDOWS\system32\zurouporuj.exe
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
    O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - ESC Trusted Zone: http://*.update.microsoft.com
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.johannrain-softwareentwicklung.de/EN/scan8/oscan8.cab
    O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1204030470734
    O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
    O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://dreamhunter1983.spaces.live.com/PhotoUpload/MsnPUpld.cab
    O16 - DPF: {B80CBA99-2493-4343-8A83-386E9F3CA5C2} (GetWebContent Class) - http://cnc.isoshu.com/eread/WebReadOnLine_ATL.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1E037770-BEA2-44E4-BF12-0CF593B48AC7}: NameServer = 203.12.160.35,203.12.160.36
    O17 - HKLM\System\CCS\Services\Tcpip\..\{20436D73-8F39-4159-972A-D421E2977419}: NameServer = 203.12.160.35,203.12.160.36
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1E037770-BEA2-44E4-BF12-0CF593B48AC7}: NameServer = 203.12.160.35,203.12.160.36
    O17 - HKLM\System\CS3\Services\Tcpip\..\{1E037770-BEA2-44E4-BF12-0CF593B48AC7}: NameServer = 203.12.160.35,203.12.160.36
    O17 - HKLM\System\CS4\Services\Tcpip\..\{1E037770-BEA2-44E4-BF12-0CF593B48AC7}: NameServer = 203.12.160.35,203.12.160.36
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: iPod Service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: Zip Backup to CD (qeesy4id) - Unknown owner - C:\WINDOWS\system32\bosi.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
    O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

    --
    End of file - 9815 bytes
     
  2. 2008/07/19
    Dhunter224

    Dhunter224 Inactive Thread Starter

    Joined:
    2008/07/19
    Messages:
    10
    Likes Received:
    0
    Here's the DSS log too:

    Deckard's System Scanner v20071014.68
    Run by Steven Chang on 2008-07-20 00:54:19
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    System Restore is disabled; attempting to re-enable...success.


    -- Last 1 Restore Point(s) --
    1: 2008-07-19 14:54:22 UTC - RP1 - System Checkpoint


    Backed up registry hives.
    Performed disk cleanup.



    -- HijackThis (run as Steven Chang.exe) ----------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:55:26 AM, on 2008/7/20
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
    C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\WINDOWS\system32\CTXFIHLP.EXE
    C:\Program Files\Creative\Sound Blaster X-Fi\Entertainment Center\EAXLoadr.exe
    C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\zurouporuj.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Windows Live\Messenger\usnsvc.exe
    C:\Documents and Settings\Steven Chang\桌面\dss.exe
    C:\WINDOWS\system32\conime.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\Steven Chang.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: AddTask Class - {6A19C29D-ED45-4483-8999-9F939C8161F2} - C:\Program Files\eREAD\eREAD\WebHook.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
    O4 - HKLM\..\Run: [RCSystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
    O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
    O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [jycaruc] C:\WINDOWS\system32\zurouporuj.exe
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
    O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - ESC Trusted Zone: http://*.update.microsoft.com
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.johannrain-softwareentwicklung.de/EN/scan8/oscan8.cab
    O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1204030470734
    O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
    O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://dreamhunter1983.spaces.live.com/PhotoUpload/MsnPUpld.cab
    O16 - DPF: {B80CBA99-2493-4343-8A83-386E9F3CA5C2} (GetWebContent Class) - http://cnc.isoshu.com/eread/WebReadOnLine_ATL.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1E037770-BEA2-44E4-BF12-0CF593B48AC7}: NameServer = 203.12.160.35,203.12.160.36
    O17 - HKLM\System\CCS\Services\Tcpip\..\{20436D73-8F39-4159-972A-D421E2977419}: NameServer = 203.12.160.35,203.12.160.36
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1E037770-BEA2-44E4-BF12-0CF593B48AC7}: NameServer = 203.12.160.35,203.12.160.36
    O17 - HKLM\System\CS3\Services\Tcpip\..\{1E037770-BEA2-44E4-BF12-0CF593B48AC7}: NameServer = 203.12.160.35,203.12.160.36
    O17 - HKLM\System\CS4\Services\Tcpip\..\{1E037770-BEA2-44E4-BF12-0CF593B48AC7}: NameServer = 203.12.160.35,203.12.160.36
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: iPod Service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: Zip Backup to CD (qeesy4id) - Unknown owner - C:\WINDOWS\system32\bosi.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
    O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

    --
    End of file - 9674 bytes

    -- File Associations -----------------------------------------------------------

    .cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    .cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R2 enodpl - c:\windows\system32\drivers\enodpl.sys
    R2 tandpl - c:\windows\system32\drivers\tandpl.sys
    R3 NVR0Dev - c:\windows\nvoclock.sys <Not Verified; NVidia Corp.; NVidia System Utility Driver>
    R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>

    S3 ENTECH - c:\windows\system32\drivers\entech.sys <Not Verified; EnTech Taiwan; PowerStrip>
    S3 USBAAPL (Apple Mobile USB Driver) - c:\windows\system32\drivers\usbaapl.sys <Not Verified; Apple, Inc.; Apple Mobile Device USB Driver>


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    R2 nTuneService (nTune Service) - c:\program files\nvidia corporation\ntune\ntuneservice.exe /startservice <Not Verified; NVIDIA; NVIDIA nTune>
    R2 StarWindServiceAE (StarWind AE Service) - c:\program files\alcohol soft\alcohol 120\starwind\starwindserviceae.exe <Not Verified; Rocket Division Software; StarWind Alcohol Edition>

    S2 qeesy4id (Zip Backup to CD) - c:\windows\system32\bosi.exe


    -- Device Manager: Disabled ----------------------------------------------------

    Class GUID:
    Description: Audio Device on High Definition Audio Bus
    Device ID: HDAUDIO\FUNC_01&VEN_10EC&DEV_0885&SUBSYS_10ECE601&REV_1001\4&1FF4EC3B&0&0001
    Manufacturer:
    Name: Audio Device on High Definition Audio Bus
    PNP Device ID: HDAUDIO\FUNC_01&VEN_10EC&DEV_0885&SUBSYS_10ECE601&REV_1001\4&1FF4EC3B&0&0001
    Service:


    -- Scheduled Tasks -------------------------------------------------------------

    2008-05-30 10:28:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


    -- Files created between 2008-06-20 and 2008-07-20 -----------------------------

    2008-07-20 00:37:51 0 d-------- C:\Program Files\Trend Micro
    2008-07-19 10:56:13 0 d-------- C:\Program Files\iPod
    2008-07-19 10:46:06 0 d-------- C:\WINDOWS\Prefetch
    2008-07-19 10:41:18 0 d-------- C:\WINDOWS\system32\zh-cht
    2008-07-19 10:41:18 0 d-------- C:\WINDOWS\system32\bits
    2008-07-19 10:41:18 0 d-------- C:\WINDOWS\l2schemas
    2008-07-19 10:40:12 0 d-------- C:\WINDOWS\ServicePackFiles
    2008-07-19 10:39:18 0 d-------- C:\WINDOWS\network diagnostic
    2008-07-19 10:38:11 0 d-------- C:\WINDOWS\EHome
    2008-07-19 00:19:55 0 d-------- C:\Program Files\Alwil Software
    2008-07-17 22:02:58 145920 --ah----- C:\WINDOWS\system32\bosi.exe
    2008-07-17 01:01:00 0 d-------- C:\WINDOWS\BDOSCAN8
    2008-07-15 22:09:56 145920 --ah----- C:\WINDOWS\system32\zurouporuj.exe
    2008-07-14 18:55:50 0 dr-h----- C:\Documents and Settings\Steven Chang\Application Data\SecuROM
    2008-07-14 18:45:38 0 d-------- C:\Program Files\Common Files\BioWare
    2008-07-13 15:22:06 0 d-------- C:\Documents and Settings\Gary\Application Data\Foxy
    2008-07-05 12:14:53 0 d-------- C:\Program Files\Fraps
    2008-07-05 12:14:25 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-07-03 22:04:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Codemasters
    2008-07-03 15:30:15 0 d-------- C:\Program Files\OpenAL
    2008-07-03 15:13:34 0 d-------- C:\Program Files\Codemasters


    -- Find3M Report ---------------------------------------------------------------

    2008-07-19 10:56:20 0 d-------- C:\Program Files\iTunes
    2008-07-19 10:55:42 0 d-------- C:\Program Files\QuickTime
    2008-07-19 10:48:02 214710 --a------ C:\WINDOWS\system32\prfh0404.dat
    2008-07-19 10:48:02 61080 --a------ C:\WINDOWS\system32\prfc0404.dat
    2008-07-19 10:45:40 0 d-------- C:\Program Files\Messenger
    2008-07-19 10:41:18 0 d-------- C:\Program Files\Movie Maker
    2008-07-19 10:40:00 0 d-------- C:\Program Files\Windows NT
    2008-07-14 18:45:38 0 d-------- C:\Program Files\Common Files
    2008-07-03 15:13:33 0 d--h----- C:\Program Files\InstallShield Installation Information
    2008-06-18 16:51:14 52736 --a------ C:\WINDOWS\ipuninst.exe <Not Verified; Interplay Productions; Interplay Uninstaller for Windows 95>
    2008-06-18 16:13:50 0 d-------- C:\Program Files\D3DWindower-English
    2008-06-18 16:11:58 437809 --a------ C:\Program Files\D3DWindower-English.rar
    2008-06-17 19:12:49 0 d-------- C:\Program Files\eREAD
    2008-06-17 18:45:35 9159824 --a------ C:\Program Files\eREAD7.0Setup.exe <Not Verified; www.isoshu.com; eREAD>
    2008-06-15 13:38:55 0 d-------- C:\Program Files\Common Files\INCA Shared
    2008-06-09 22:35:53 0 d-------- C:\Documents and Settings\Steven Chang\Application Data\uTorrent
    2008-06-06 23:41:44 0 d-------- C:\Program Files\CAPCOM
    2008-05-30 17:37:30 0 d-------- C:\Program Files\Naruto
    2008-05-30 16:49:06 0 d-------- C:\Documents and Settings\Steven Chang\Application Data\Help
    2008-05-30 14:56:49 0 d-------- C:\Documents and Settings\Steven Chang\Application Data\DMCache


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6A19C29D-ED45-4483-8999-9F939C8161F2}]
    2008/06/05 12:57 AM 87688 --a------ C:\Program Files\eREAD\eREAD\WebHook.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004/08/03 10:32 PM]
    "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2008/04/15 02:31 AM]
    "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2008/04/15 02:31 AM]
    "CTDVDDET"="C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003/06/18 01:00 AM]
    "RCSystem"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005/11/04 06:07 PM]
    "AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005/11/04 06:07 PM]
    "VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005/10/14 11:01 AM]
    "CTHelper"="CTHELPER.EXE" [2006/12/12 10:46 AM C:\WINDOWS\system32\CtHelper.exe]
    "CTxfiHlp"="CTXFIHLP.EXE" [2006/12/12 10:46 AM C:\WINDOWS\system32\Ctxfihlp.exe]
    "UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000/05/11 01:00 AM]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005/12/15 11:18 AM]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008/02/26 11:41 PM]
    "ClubBox"="" []
    "NWEReboot"="" []
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008/01/11 10:16 PM]
    "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006/01/12 04:40 PM]
    "@"="" []
    "NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007/01/22 05:22 PM]
    "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007/03/14 09:01 PM]
    "LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007/01/08 10:17 PM]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007/12/05 01:41 AM]
    "nwiz"="nwiz.exe" [2007/12/05 01:41 AM C:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007/12/05 01:41 AM]
    "jycaruc"="C:\WINDOWS\system32\zurouporuj.exe" [2008/07/19 04:50 PM]
    "AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008/07/10 09:47 AM]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008/05/27 10:50 AM]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008/07/10 10:51 AM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008/04/15 02:30 AM]
    "MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007/10/18 11:34 AM]
    "Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004/12/02 06:23 PM]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008/04/15 02:30 AM]
    "AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2007/12/22 05:20 PM]

    C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005/12/15 11:40:44 AM]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
    C:\WINDOWS\System32\dimsntfy.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @="Volume shadow copy"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    eapsvcs eaphost
    dot3svc dot3svc

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    napagent
    hkmsvc


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a944df2-e4b8-11dc-941b-806d6172696f}]
    AutoRun\command- I:\autorun.exe -auto

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a944dfc-e4b8-11dc-941b-806d6172696f}]
    AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL quagebenik.exe
    explore\command- D:\quagebenik.exe
    find\command- D:\quagebenik.exe
    open\command- D:\quagebenik.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a944dfd-e4b8-11dc-941b-806d6172696f}]
    AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL quagebenik.exe
    explore\command- E:\quagebenik.exe
    find\command- E:\quagebenik.exe
    open\command- E:\quagebenik.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a944dfe-e4b8-11dc-941b-806d6172696f}]
    AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL quagebenik.exe
    explore\command- J:\quagebenik.exe
    find\command- J:\quagebenik.exe
    open\command- J:\quagebenik.exe




    -- End of Deckard's System Scanner: finished at 2008-07-20 00:56:02 ------------
     


  4. 2008/07/19
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS Dhunter224 :)

    You have a flash drive infection. Please download Flash_Disinfector by sUBs and save it to your desktop:

    NOTE: In the event you already have Flash_Disinfector, this is a new version that I need you to download.

    • Plug in your USB flash drive.
    • Double-click Flash_Disinfector.exe to run it.
    • Follow any prompts that may appear.
    • Your desktop will vanish for a while, and then reappear. This is normal.
    • Wait until the program has finished scanning, then please exit the program. If you use more than 1 flash drive, run the tool with each plugged in.

    Next, download MsnCleaner_eng.zip from here, but don't use it yet.

    http://www.forospyware.com/Msncleaner/MsnCleaner_eng.zip

    (Copy/Paste the URL into the address bar or use "Save Target As ")

    • Now reboot into Safe Mode
    • Double-click MsnCleaner_eng.exe to run it.
    • Click the Analyze button.
    • A report will be created once the scan has finished.
    • If it finds an infection, click the Deleted button.
    • Now, please reboot back to normal mode.
    • Please post the contents of C:\MsnCleaner.txt in a reply here.


    And finally, download ComboFix by sUBs from here, saving the file to your desktop.


    Please disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


    Please don't use Messenger till we get this cleaned up, as it could lead to re-infection.
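    The "flash drive infection" diagnosed above is visible in three places in the logs Dhunter224 posted: the ComboFix "created files" section lists two recently created, hidden (`--ah-----`) executables in system32; the HijackThis O4/O23 lines show one of them started from the HKLM Run key and the other registered as a service; and the Deckard mountpoints2 dump shows drive GUIDs whose open/explore/find Explorer verbs have all been redirected to one executable on the removable drive, which is how an autorun.inf worm re-launches every time the drive is opened. The script below is an added example written for this page (it is not from the thread, ComboFix, HijackThis or Deckard's scanner); it parses short excerpts copied from those three logs, embedded here as constructed sample input, and returns the entries a helper would want to look at first. The regexes follow the line shapes seen on the page, and all function names are my own.

```python
import re

# Constructed sample input: lines copied from the ComboFix, HijackThis and
# Deckard logs posted in this thread. Any log of the same shape can be fed in.
COMBOFIX_CREATED = r"""
2008-07-20 00:37 . 2008-07-20 00:37 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-20 00:37 . 2008-07-20 00:37 812,344 --a------ C:\Program Files\HJTInstall.exe
2008-07-17 22:02 . 2008-07-20 01:14 141,824 --ah----- C:\WINDOWS\system32\bosi.exe
2008-07-15 22:09 . 2008-07-20 01:14 141,824 --ah----- C:\WINDOWS\system32\zurouporuj.exe
2008-07-03 22:03 . 2008-07-03 22:03 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
"""

HJT_LINES = r"""
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [jycaruc] C:\WINDOWS\system32\zurouporuj.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Zip Backup to CD (qeesy4id) - Unknown owner - C:\WINDOWS\system32\bosi.exe
"""

MOUNTPOINTS = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a944df2-e4b8-11dc-941b-806d6172696f}]
AutoRun\command- I:\autorun.exe -auto

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a944dfc-e4b8-11dc-941b-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL quagebenik.exe
explore\command- D:\quagebenik.exe
find\command- D:\quagebenik.exe
open\command- D:\quagebenik.exe
"""

# Line shapes as they appear in the posted logs (ComboFix, HijackThis, Deckard).
FILE_RE = re.compile(
    r'^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. (?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) '
    r'(?P<size><DIR>|[\d,]+) (?P<attrs>[-\w]{9}) (?P<path>.+)$')
O4_RE = re.compile(r'^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]+)\] "?(?P<path>[a-z]:\\.+?\.exe)"?', re.I)
O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>[a-z]:\\.+\.exe)\s*$', re.I)
MP_KEY_RE = re.compile(r'^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\(?P<guid>\{[^}]+\})\]$', re.I)
VERB_RE = re.compile(r'^(?P<verb>\w+)\\command- (?P<cmd>.+)$')


def parse_created_files(text):
    """Map lower-cased file path -> attribute string for a ComboFix 'created files' section."""
    out = {}
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if m and m.group('size') != '<DIR>':
            out[m.group('path').lower()] = m.group('attrs')
    return out


def hidden_system32_files(created):
    """Recently created files under system32 carrying the hidden ('h') attribute."""
    return sorted(p for p, attrs in created.items()
                  if 'h' in attrs and '\\windows\\system32\\' in p)


def autostart_paths(hjt_text):
    """Map lower-cased executable path -> (item type, entry name) for O4 Run and O23 Service lines."""
    out = {}
    for line in hjt_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            out[m.group('path').lower()] = ('O4', m.group('name'))
            continue
        m = O23_RE.match(line)
        if m:
            out[m.group('path').lower()] = ('O23', m.group('name'))
    return out


def correlate(created, autostarts):
    """Hidden, recently created system32 executables that also have an autostart entry."""
    return [(p,) + autostarts[p] for p in hidden_system32_files(created) if p in autostarts]


def parse_mountpoints(text):
    """Map drive GUID -> {verb: command} from a Deckard mountpoints2 dump."""
    entries, guid = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = MP_KEY_RE.match(line)
        if m:
            guid = m.group('guid').lower()
            entries[guid] = {}
            continue
        m = VERB_RE.match(line)
        if m and guid is not None:
            entries[guid][m.group('verb').lower()] = m.group('cmd')
    return entries


def hijacked_mountpoints(entries):
    """GUIDs whose open, explore and find verbs all run the same file: the autorun.inf
    shell-hijack pattern, so any way of opening the drive launches that file."""
    hits = []
    for guid, verbs in entries.items():
        if all(v in verbs for v in ('open', 'explore', 'find')):
            targets = {verbs[v].lower() for v in ('open', 'explore', 'find')}
            if len(targets) == 1:
                hits.append((guid, targets.pop()))
    return sorted(hits)


def report():
    """Findings as text lines; returned rather than printed so they can be checked."""
    lines = []
    for path, kind, name in correlate(parse_created_files(COMBOFIX_CREATED), autostart_paths(HJT_LINES)):
        lines.append(f"hidden recent system32 file with autostart {kind} [{name}]: {path}")
    for guid, target in hijacked_mountpoints(parse_mountpoints(MOUNTPOINTS)):
        lines.append(f"drive {guid}: open/explore/find all redirected to {target}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

On the thread's own data this surfaces exactly the two files the helper later names in the CFScript (bosi.exe via the qeesy4id service, zurouporuj.exe via the jycaruc Run entry) and the drive whose Explorer verbs point at quagebenik.exe; the mountpoint with only an AutoRun verb (a normal CD autorun) is not flagged. The correlation deliberately keys on two independent signals, a hidden file that is also an autostart, rather than on filenames, since names like these are randomly generated per infection.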
     
  5. 2008/07/20
    Dhunter224

    Dhunter224 Inactive Thread Starter

    Joined:
    2008/07/19
    Messages:
    10
    Likes Received:
    0
    Thanks Noahdfear for the prompt reply!

    I've done as you asked... here is the log for MSNCleaner:

    - Logfile MSNCleaner 1.6.4 by Foro de Spywares, Adwares, Malwares - InfoSpyware
    - Created Logfile: 2008/7/20 on 下午 04:48:56
    - Operative System: Windows XP
    - Boot mode: Safe mode
    _________________________________________

    Detected files: 0
    Deleted file: 0
    Undeleted Files: 0

    <<<<<<< No file found >>>>>>>

    Next is the log for Combofix:

    ComboFix 08-07-19.1 - Steven Chang 2008-07-20 16:52:08.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.950.886.1028.18.1637 [GMT 10:00]
    執行位置: C:\Documents and Settings\Steven Chang\桌面\ComboFix.exe
    * 已建立新的還原點

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    (((((((((((((((((((((((((((((((((((((( 其他遭刪除的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    D:\Autorun.inf
    E:\Autorun.inf
    J:\Autorun.inf

    ----- BITS: Possible infected sites -----

    hxxp://msxb
    .
    (((((((((((((((((((((((((((( 2008-06-20 - 2008-07-20 之間建立的檔案 )))))))))))))))))))))))))))))))))
    .

    2008-07-20 16:48 . 2008-07-20 16:48 <DIR> d-------- C:\Program Files\MsnCleaner_eng
    2008-07-20 16:48 . 2008-07-20 16:48 <DIR> d-------- C:\MSNCleaner
    2008-07-20 16:40 . 2008-07-20 16:40 159,988 --a------ C:\Program Files\MsnCleaner_eng.zip
    2008-07-20 00:53 . 2008-07-20 00:53 <DIR> d-------- C:\Deckard
    2008-07-20 00:37 . 2008-07-20 00:37 <DIR> d-------- C:\Program Files\Trend Micro
    2008-07-20 00:37 . 2008-07-20 00:37 812,344 --a------ C:\Program Files\HJTInstall.exe
    2008-07-19 10:56 . 2008-07-19 10:56 <DIR> d-------- C:\Program Files\iPod
    2008-07-19 10:41 . 2008-07-19 10:41 <DIR> d-------- C:\WINDOWS\system32\zh-cht
    2008-07-19 10:41 . 2008-07-19 10:41 <DIR> d-------- C:\WINDOWS\system32\bits
    2008-07-19 10:41 . 2008-07-19 10:41 <DIR> d-------- C:\WINDOWS\l2schemas
    2008-07-19 10:40 . 2008-07-19 10:41 <DIR> d-------- C:\WINDOWS\ServicePackFiles
    2008-07-19 10:38 . 2008-07-19 10:38 <DIR> d-------- C:\WINDOWS\EHome
    2008-07-19 00:19 . 2008-07-19 00:19 <DIR> d-------- C:\Program Files\Alwil Software
    2008-07-19 00:18 . 2008-07-19 00:18 23,862,448 --a------ C:\Program Files\setupcht.exe
    2008-07-17 22:02 . 2008-07-20 01:14 141,824 --ah----- C:\WINDOWS\system32\bosi.exe
    2008-07-17 01:01 . 2008-07-17 02:23 <DIR> d-------- C:\WINDOWS\BDOSCAN8
    2008-07-15 22:09 . 2008-07-20 01:14 141,824 --ah----- C:\WINDOWS\system32\zurouporuj.exe
    2008-07-14 18:55 . 2008-07-14 18:55 <DIR> dr-h----- C:\Documents and Settings\Steven Chang\Application Data\SecuROM
    2008-07-14 18:45 . 2008-07-14 18:45 <DIR> d-------- C:\Program Files\Common Files\BioWare
    2008-07-13 15:22 . 2008-07-13 15:57 <DIR> d-------- C:\Documents and Settings\Gary\Application Data\Foxy
    2008-07-05 12:14 . 2008-07-18 20:02 <DIR> d-------- C:\Program Files\Fraps
    2008-07-05 12:14 . 2008-07-18 20:02 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-07-05 12:12 . 2008-07-05 12:12 992,536 --a------ C:\Program Files\setup.exe
    2008-07-03 22:04 . 2008-07-03 22:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Codemasters
    2008-07-03 22:03 . 2008-07-03 22:03 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
    2008-07-03 15:30 . 2008-07-03 15:30 <DIR> d-------- C:\Program Files\OpenAL
    2008-07-03 15:30 . 2008-04-28 15:53 805,400 -ra------ C:\WINDOWS\system32\tmp1E7.tmp
    2008-07-03 15:30 . 2008-04-28 15:53 805,400 -ra------ C:\WINDOWS\system32\tmp1E6.tmp
    2008-07-03 15:13 . 2008-07-03 15:13 <DIR> d-------- C:\Program Files\Codemasters
    2008-06-21 03:45 . 2008-06-21 03:45 240,640 -----c--- C:\WINDOWS\system32\dllcache\mswsock.dll
    2008-06-21 03:45 . 2008-06-21 03:45 147,968 -----c--- C:\WINDOWS\system32\dllcache\dnsapi.dll
    2008-06-20 21:51 . 2008-06-20 21:51 361,600 -----c--- C:\WINDOWS\system32\dllcache\tcpip.sys
    2008-06-20 21:40 . 2008-06-20 21:40 138,496 -----c--- C:\WINDOWS\system32\dllcache\afd.sys
    2008-06-20 21:08 . 2008-06-20 21:08 225,856 -----c--- C:\WINDOWS\system32\dllcache\tcpip6.sys

    .
    (((((((((((((((((((((((((((((((((((( 近三個月內更動的檔案 )))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-07-19 00:56 --------- d-----w C:\Program Files\iTunes
    2008-07-19 00:55 --------- d-----w C:\Program Files\QuickTime
    2008-07-03 05:30 444,952 ----a-w C:\WINDOWS\system32\wrap_oal.dll
    2008-07-03 05:30 109,080 ----a-w C:\WINDOWS\system32\OpenAL32.dll
    2008-07-03 05:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-06-20 17:45 240,640 ----a-w C:\WINDOWS\system32\mswsock.dll
    2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
    2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
    2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
    2008-06-18 06:51 52,736 ----a-w C:\WINDOWS\ipuninst.exe
    2008-06-18 06:13 --------- d-----w C:\Program Files\D3DWindower-English
    2008-06-18 06:11 437,809 ----a-w C:\Program Files\D3DWindower-English.rar
    2008-06-17 09:12 --------- d-----w C:\Program Files\eREAD
    2008-06-17 08:45 9,159,824 ----a-w C:\Program Files\eREAD7.0Setup.exe
    2008-06-15 03:38 --------- d-----w C:\Program Files\Common Files\INCA Shared
    2008-06-14 17:32 269,568 ------w C:\WINDOWS\system32\drivers\bthport.sys
    2008-06-13 06:55 718,400 ----a-w C:\WINDOWS\system32\WebReadOnLine_ATL.dll
    2008-06-09 12:35 --------- d-----w C:\Documents and Settings\Steven Chang\Application Data\uTorrent
    2008-06-06 13:41 --------- d-----w C:\Program Files\CAPCOM
    2008-05-30 07:37 --------- d-----w C:\Program Files\Naruto
    2008-05-30 04:56 --------- d-----w C:\Documents and Settings\Steven Chang\Application Data\DMCache
    2008-05-11 10:18 2,650,544 ----a-w C:\Program Files\idman512b8.exe
    2008-05-09 10:54 90,112 ----a-w C:\WINDOWS\system32\wshext.dll
    2008-05-09 10:54 430,080 ----a-w C:\WINDOWS\system32\vbscript.dll
    2008-05-09 10:54 180,224 ----a-w C:\WINDOWS\system32\scrobj.dll
    2008-05-09 10:54 172,032 ----a-w C:\WINDOWS\system32\scrrun.dll
    2008-05-08 11:24 155,648 ----a-w C:\WINDOWS\system32\wscript.exe
    2008-05-07 09:07 135,168 ----a-w C:\WINDOWS\system32\cscript.exe
    2008-05-07 05:10 1,269,760 ----a-w C:\WINDOWS\system32\quartz.dll
    2008-04-30 08:09 73,665,272 ----a-w C:\Program Files\169.21_forceware_winxp_32bit_international_whql.exe
    2008-04-23 05:22 50,531,640 ----a-w C:\Program Files\CyberLink.3118(EVR)_DVD070604-04.exe
    2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-04-22 11:51 9,868,672 ----a-w C:\Program Files\Alcohol120_trial_1.9.7.6022.exe
    2008-03-26 12:36 72,909,136 ----a-w C:\Program Files\169.44_forceware_winxp_32bit_international_beta.exe
    2008-03-26 07:08 43,947,944 ----a-w C:\Program Files\9.53_nforce_680i_winxp_international_whql.exe
    2008-03-26 06:39 499,862 ----a-w C:\Program Files\CPU-Z 1.41.zip
    2008-03-25 11:51 4,277 ----a-w C:\Program Files\results.txt
    2008-03-24 18:54 430 ----a-w C:\Program Files\local.ini
    2008-03-24 15:26 334 ----a-w C:\Program Files\prime.ini
    2008-03-23 04:49 1,149,820 ----a-w C:\Program Files\p95v2414.zip
    2008-03-21 04:02 17,941,978 ----a-w C:\Program Files\klmcodec380.exe
    2008-03-21 03:48 2,002,432 ----a-w C:\Program Files\EMPG2_Dec_Strm_Pack.zip
    2008-03-15 04:45 23,454,528 ----a-w C:\Program Files\AdbeRdr812_en_US.exe
    2008-03-08 03:44 59,163,944 ----a-w C:\Program Files\iTunesSetup.exe
    2008-03-02 11:14 22,328 ----a-w C:\Documents and Settings\Steven Chang\Application Data\PnkBstrK.sys
    2008-02-27 15:27 2,316,787 ----a-w C:\Program Files\GOGOBoxSetup.exe
    2008-02-26 14:15 2,395,152 ----a-w C:\Program Files\WLinstaller.exe
    2008-01-16 09:42 13,313,544 ----a-w C:\Program Files\RealPlayer11GOLD.exe
    2007-03-29 06:54 2,338,104 ----a-w C:\Program Files\WindowsXP-KB896256-v4-x86-CHT.exe
    2007-03-23 15:51 35,302,248 ----a-w C:\Program Files\5.05.25.00_ntune_winxp_international.exe
    2007-02-09 15:50 181,559,006 ----a-w C:\Program Files\nzd_FroggySetup.exe
    2007-02-09 15:23 102,121,724 ----a-w C:\Program Files\nzd_AdrianneSetup.exe
    2007-02-09 14:29 6,188,097 ----a-w C:\Program Files\nzd_SmokeSetup.exe
    2007-01-17 04:36 16,332,072 ----a-w C:\Program Files\Install_Messenger_nous.exe
    2005-08-09 04:32 4,333,568 ----a-w C:\Program Files\PRIME95.EXE
    2005-08-09 04:31 336,082 ----a-w C:\Program Files\PRIME95.CHM
    2005-07-23 10:02 47,814 ----a-w C:\Program Files\WHATSNEW.TXT
    2005-07-23 10:00 4,960 ----a-w C:\Program Files\LICENSE.TXT
    2005-07-02 02:08 15,932 ----a-w C:\Program Files\UNDOC.TXT
    2005-03-07 07:35 30,918 ----a-w C:\Program Files\README.TXT
    2005-02-22 08:33 1,416,944 ----a-w C:\Program Files\WM9Codecs.exe
    2005-02-22 08:26 7,741,336 ----a-w C:\Program Files\DivX521XP2K.exe
    2005-01-02 03:45 7,019 ----a-w C:\Program Files\STRESS.TXT
    2003-02-25 12:49 965,066 ----a-w C:\Program Files\wrar311.exe
    2008-02-26 14:40 56 --sh--r C:\WINDOWS\system32\D17DED463C.sys
    2008-02-26 14:40 2,098 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
    .

    (((((((((((((((((((((((((((((((((((((((((( 重要登錄檔 )))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *注意* 空白或合法的登錄值將不會顯示

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2008-04-15 02:30 15360]
    "MsnMsgr "= "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]
    "Creative Detector "= "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23 102400]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2008-04-15 02:30 1695232]
    "AlcoholAutomount "= "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2007-12-22 17:20 222080]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1 "= "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 22:32 208952]
    "PHIME2002ASync "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 02:31 455168]
    "PHIME2002A "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 02:31 455168]
    "CTDVDDET "= "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 01:00 45056]
    "RCSystem "= "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 18:07 49152]
    "AudioDrvEmulator "= "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 18:07 49152]
    "VolPanel "= "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 11:01 122880]
    "UpdReg "= "C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
    "HP Software Update "= "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-12-15 11:18 49152]
    "TkBellExe "= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-26 23:41 185896]
    "Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
    "NeroFilterCheck "= "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
    "NVIDIA nTune "= "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-01-22 17:22 81920]
    "RemoteControl "= "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 21:01 71216]
    "LanguageShortcut "= "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 22:17 52256]
    "NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
    "NvMediaCenter "= "C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
    "jycaruc "= "C:\WINDOWS\system32\zurouporuj.exe" [2008-07-20 01:14 141824]
    "AppleSyncNotifier "= "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
    "QuickTime Task "= "C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
    "CTHelper "= "CTHELPER.EXE" [2006-12-12 10:46 19456 C:\WINDOWS\system32\CtHelper.exe]
    "CTxfiHlp "= "CTXFIHLP.EXE" [2006-12-12 10:46 20480 C:\WINDOWS\system32\Ctxfihlp.exe]
    "nwiz "= "nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\CTFMON.EXE" [2008-04-15 02:30 15360]

    C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 11:40:44 282624]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.YV12 "= yv12vfw.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe "=
    "D:\\Games\\Savage 2 - A Tortured Soul\\savage2.exe "=
    "C:\\Program Files\\NextLink\\GOGOBOX\\GFSCAgent.exe "=
    "C:\\Program Files\\NextLink\\GOGOBOX\\gogobox.exe "=
    "C:\\WINDOWS\\system32\\PnkBstrA.exe "=
    "C:\\WINDOWS\\system32\\PnkBstrB.exe "=
    "C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe "=
    "C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe "=
    "C:\\Program Files\\uTorrent\\uTorrent.exe "=
    "C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe "=
    "D:\\Games\\Ubisoft\\XIII\\system\\XIII.exe "=
    "D:\\Games\\Microsoft Games\\Gears of War\\Binaries\\WarGame-G4WLive.exe "=
    "D:\\Games\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx9.exe "=
    "D:\\Games\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx10.exe "=
    "D:\\Games\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Launcher.exe "=
    "C:\\Program Files\\eREAD\\eREAD_Cookcase.exe "=
    "D:\\Games\\Rohan\\rohanclient.exe "=
    "C:\\Program Files\\eREAD\\eREAD\\eREAD_Cookcase.exe "=
    "C:\\Program Files\\Codemasters\\GRID\\GRID.exe "=
    "D:\\Games\\Mass Effect\\Binaries\\MassEffect.exe "=
    "D:\\Games\\Mass Effect\\MassEffectLauncher.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe "=
    "C:\\Program Files\\iTunes\\iTunes.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "11777:TCP "= 11777:TCP:Foxy (192.168.0.137:11777) 11777 TCP
    "11777:UDP "= 11777:UDP:Foxy (192.168.0.137:11777) 11777 UDP

    R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2006-12-19 08:36]
    S2 qeesy4id;Zip Backup to CD;C:\WINDOWS\system32\bosi.exe [2008-07-20 01:14]

    *Newly Created Service* - CATCHME
    *Newly Created Service* - PROCEXP90
    .
    排程工作資料夾的內容
    "2008-05-30 00:28:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job "
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-ClubBox - (no file)
    HKLM-Run-NWEReboot - (no file)


    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-07-20 16:54:20
    Windows 5.1.2600 Service Pack 3 NTFS

    掃描隱藏的程序...

    掃描隱藏的進程...

    掃描隱藏的檔案...

    掃描完成
    隱藏檔案: 0

    **************************************************************************
    .
    完成時間: 2008-07-20 16:54:48
    ComboFix-quarantined-files.txt 2008-07-20 06:54:43

    Pre-Run: 128,514,297,856 位元組可用
    Post-Run: 128,713,428,992 位元組可用

    234 --- E O F --- 2008-07-19 04:10:08


    And lastly... a new HijackThis log after the above 2 steps:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 下午 04:59:45, on 2008/7/20
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
    C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
    C:\Program Files\Creative\Sound Blaster X-Fi\Entertainment Center\EAXLoadr.exe
    C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\zurouporuj.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\WINDOWS\system32\conime.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: AddTask Class - {6A19C29D-ED45-4483-8999-9F939C8161F2} - C:\Program Files\eREAD\eREAD\WebHook.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE "
    O4 - HKLM\..\Run: [RCSystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
    O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll "
    O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe "
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [jycaruc] C:\WINDOWS\system32\zurouporuj.exe
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
    O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - ESC Trusted Zone: http://*.update.microsoft.com
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.johannrain-softwareentwicklung.de/EN/scan8/oscan8.cab
    O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1204030470734
    O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
    O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://dreamhunter1983.spaces.live.com/PhotoUpload/MsnPUpld.cab
    O16 - DPF: {B80CBA99-2493-4343-8A83-386E9F3CA5C2} (GetWebContent Class) - http://cnc.isoshu.com/eread/WebReadOnLine_ATL.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1E037770-BEA2-44E4-BF12-0CF593B48AC7}: NameServer = 203.12.160.35,203.12.160.36
    O17 - HKLM\System\CCS\Services\Tcpip\..\{20436D73-8F39-4159-972A-D421E2977419}: NameServer = 203.12.160.35,203.12.160.36
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1E037770-BEA2-44E4-BF12-0CF593B48AC7}: NameServer = 203.12.160.35,203.12.160.36
    O17 - HKLM\System\CS3\Services\Tcpip\..\{1E037770-BEA2-44E4-BF12-0CF593B48AC7}: NameServer = 203.12.160.35,203.12.160.36
    O17 - HKLM\System\CS4\Services\Tcpip\..\{1E037770-BEA2-44E4-BF12-0CF593B48AC7}: NameServer = 203.12.160.35,203.12.160.36
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: iPod 服務 (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: Zip Backup to CD (qeesy4id) - Unknown owner - C:\WINDOWS\system32\bosi.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
    O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

    --
    End of file - 9356 bytes


    Thanks again for the help..
     
  6. 2008/07/20
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    
    http://www.windowsbbs.com/removing-spyware-viruses/75268-trojan-virus-cant-seem-remove.html
    
    Suspect::[22]
    C:\WINDOWS\system32\bosi.exe
    C:\WINDOWS\system32\zurouporuj.exe
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and a fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.


    Please note that I have instructed CFScript to collect some files for analysis. This means that when ComboFix finishes, you will be prompted to allow ComboFix to upload a zip file that was created on your desktop. The zip contains the aforementioned files. Please copy the path shown in the prompt and paste it into the box, then click Send. Thanks!
     
  7. 2008/07/20
    Dhunter224

    Dhunter224 Inactive Thread Starter

    Joined:
    2008/07/19
    Messages:
    10
    Likes Received:
    0
    Hi, I've done as instructed... the only thing was that there didn't seem to be a zip file or any prompt for uploading that zip file.

    Here's the ComboFix log:

    ComboFix 08-07-19.1 - Steven Chang 2008-07-21 7:47:25.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.950.1.1028.18.1553 [GMT 10:00]
    執行位置: C:\Documents and Settings\Steven Chang\桌面\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Steven Chang\桌面\CFScript.txt
    * 已建立新的還原點

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    (((((((((((((((((((((((((((((((((((((( 其他遭刪除的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    D:\Autorun.inf
    E:\Autorun.inf
    J:\Autorun.inf

    .
    (((((((((((((((((((((((((((( 2008-06-20 - 2008-07-20 之間建立的檔案 )))))))))))))))))))))))))))))))))
    .

    2008-07-20 16:48 . 2008-07-20 16:48 <DIR> d-------- C:\Program Files\MsnCleaner_eng
    2008-07-20 16:48 . 2008-07-20 16:58 <DIR> d-------- C:\MSNCleaner
    2008-07-20 16:40 . 2008-07-20 16:40 159,988 --a------ C:\Program Files\MsnCleaner_eng.zip
    2008-07-20 00:53 . 2008-07-20 00:53 <DIR> d-------- C:\Deckard
    2008-07-20 00:37 . 2008-07-20 00:37 <DIR> d-------- C:\Program Files\Trend Micro
    2008-07-20 00:37 . 2008-07-20 00:37 812,344 --a------ C:\Program Files\HJTInstall.exe
    2008-07-19 10:56 . 2008-07-19 10:56 <DIR> d-------- C:\Program Files\iPod
    2008-07-19 10:41 . 2008-07-19 10:41 <DIR> d-------- C:\WINDOWS\system32\zh-cht
    2008-07-19 10:41 . 2008-07-19 10:41 <DIR> d-------- C:\WINDOWS\system32\bits
    2008-07-19 10:41 . 2008-07-19 10:41 <DIR> d-------- C:\WINDOWS\l2schemas
    2008-07-19 10:40 . 2008-07-19 10:41 <DIR> d-------- C:\WINDOWS\ServicePackFiles
    2008-07-19 10:38 . 2008-07-19 10:38 <DIR> d-------- C:\WINDOWS\EHome
    2008-07-19 00:19 . 2008-07-19 00:19 <DIR> d-------- C:\Program Files\Alwil Software
    2008-07-19 00:18 . 2008-07-19 00:18 23,862,448 --a------ C:\Program Files\setupcht.exe
    2008-07-17 22:02 . 2008-07-20 01:14 141,824 --ah----- C:\WINDOWS\system32\bosi.exe
    2008-07-17 01:01 . 2008-07-17 02:23 <DIR> d-------- C:\WINDOWS\BDOSCAN8
    2008-07-15 22:09 . 2008-07-20 01:14 141,824 --ah----- C:\WINDOWS\system32\zurouporuj.exe
    2008-07-14 18:55 . 2008-07-14 18:55 <DIR> dr-h----- C:\Documents and Settings\Steven Chang\Application Data\SecuROM
    2008-07-14 18:45 . 2008-07-14 18:45 <DIR> d-------- C:\Program Files\Common Files\BioWare
    2008-07-13 15:22 . 2008-07-13 15:57 <DIR> d-------- C:\Documents and Settings\Gary\Application Data\Foxy
    2008-07-05 12:14 . 2008-07-18 20:02 <DIR> d-------- C:\Program Files\Fraps
    2008-07-05 12:14 . 2008-07-18 20:02 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-07-05 12:12 . 2008-07-05 12:12 992,536 --a------ C:\Program Files\setup.exe
    2008-07-03 22:04 . 2008-07-03 22:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Codemasters
    2008-07-03 22:03 . 2008-07-03 22:03 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
    2008-07-03 15:30 . 2008-07-03 15:30 <DIR> d-------- C:\Program Files\OpenAL
    2008-07-03 15:30 . 2008-04-28 15:53 805,400 -ra------ C:\WINDOWS\system32\tmp1E7.tmp
    2008-07-03 15:30 . 2008-04-28 15:53 805,400 -ra------ C:\WINDOWS\system32\tmp1E6.tmp
    2008-07-03 15:13 . 2008-07-03 15:13 <DIR> d-------- C:\Program Files\Codemasters
    2008-06-21 03:45 . 2008-06-21 03:45 240,640 -----c--- C:\WINDOWS\system32\dllcache\mswsock.dll
    2008-06-21 03:45 . 2008-06-21 03:45 147,968 -----c--- C:\WINDOWS\system32\dllcache\dnsapi.dll
    2008-06-20 21:51 . 2008-06-20 21:51 361,600 -----c--- C:\WINDOWS\system32\dllcache\tcpip.sys
    2008-06-20 21:40 . 2008-06-20 21:40 138,496 -----c--- C:\WINDOWS\system32\dllcache\afd.sys
    2008-06-20 21:08 . 2008-06-20 21:08 225,856 -----c--- C:\WINDOWS\system32\dllcache\tcpip6.sys

    .
    (((((((((((((((((((((((((((((((((((( 近三個月內更動的檔案 )))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-07-19 00:56 --------- d-----w C:\Program Files\iTunes
    2008-07-19 00:55 --------- d-----w C:\Program Files\QuickTime
    2008-07-03 05:30 444,952 ----a-w C:\WINDOWS\system32\wrap_oal.dll
    2008-07-03 05:30 109,080 ----a-w C:\WINDOWS\system32\OpenAL32.dll
    2008-07-03 05:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-06-20 17:45 240,640 ----a-w C:\WINDOWS\system32\mswsock.dll
    2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
    2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
    2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
    2008-06-18 06:51 52,736 ----a-w C:\WINDOWS\ipuninst.exe
    2008-06-18 06:13 --------- d-----w C:\Program Files\D3DWindower-English
    2008-06-18 06:11 437,809 ----a-w C:\Program Files\D3DWindower-English.rar
    2008-06-17 09:12 --------- d-----w C:\Program Files\eREAD
    2008-06-17 08:45 9,159,824 ----a-w C:\Program Files\eREAD7.0Setup.exe
    2008-06-15 03:38 --------- d-----w C:\Program Files\Common Files\INCA Shared
    2008-06-14 17:32 269,568 ------w C:\WINDOWS\system32\drivers\bthport.sys
    2008-06-13 06:55 718,400 ----a-w C:\WINDOWS\system32\WebReadOnLine_ATL.dll
    2008-06-09 12:35 --------- d-----w C:\Documents and Settings\Steven Chang\Application Data\uTorrent
    2008-06-06 13:41 --------- d-----w C:\Program Files\CAPCOM
    2008-05-30 07:37 --------- d-----w C:\Program Files\Naruto
    2008-05-30 04:56 --------- d-----w C:\Documents and Settings\Steven Chang\Application Data\DMCache
    2008-05-11 10:18 2,650,544 ----a-w C:\Program Files\idman512b8.exe
    2008-05-09 10:54 90,112 ----a-w C:\WINDOWS\system32\wshext.dll
    2008-05-09 10:54 430,080 ----a-w C:\WINDOWS\system32\vbscript.dll
    2008-05-09 10:54 180,224 ----a-w C:\WINDOWS\system32\scrobj.dll
    2008-05-09 10:54 172,032 ----a-w C:\WINDOWS\system32\scrrun.dll
    2008-05-08 11:24 155,648 ----a-w C:\WINDOWS\system32\wscript.exe
    2008-05-07 09:07 135,168 ----a-w C:\WINDOWS\system32\cscript.exe
    2008-05-07 05:10 1,269,760 ----a-w C:\WINDOWS\system32\quartz.dll
    2008-04-30 08:09 73,665,272 ----a-w C:\Program Files\169.21_forceware_winxp_32bit_international_whql.exe
    2008-04-23 05:22 50,531,640 ----a-w C:\Program Files\CyberLink.3118(EVR)_DVD070604-04.exe
    2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-04-22 11:51 9,868,672 ----a-w C:\Program Files\Alcohol120_trial_1.9.7.6022.exe
    2008-03-26 12:36 72,909,136 ----a-w C:\Program Files\169.44_forceware_winxp_32bit_international_beta.exe
    2008-03-26 07:08 43,947,944 ----a-w C:\Program Files\9.53_nforce_680i_winxp_international_whql.exe
    2008-03-26 06:39 499,862 ----a-w C:\Program Files\CPU-Z 1.41.zip
    2008-03-25 11:51 4,277 ----a-w C:\Program Files\results.txt
    2008-03-24 18:54 430 ----a-w C:\Program Files\local.ini
    2008-03-24 15:26 334 ----a-w C:\Program Files\prime.ini
    2008-03-23 04:49 1,149,820 ----a-w C:\Program Files\p95v2414.zip
    2008-03-21 04:02 17,941,978 ----a-w C:\Program Files\klmcodec380.exe
    2008-03-21 03:48 2,002,432 ----a-w C:\Program Files\EMPG2_Dec_Strm_Pack.zip
    2008-03-15 04:45 23,454,528 ----a-w C:\Program Files\AdbeRdr812_en_US.exe
    2008-03-08 03:44 59,163,944 ----a-w C:\Program Files\iTunesSetup.exe
    2008-03-02 11:14 22,328 ----a-w C:\Documents and Settings\Steven Chang\Application Data\PnkBstrK.sys
    2008-02-27 15:27 2,316,787 ----a-w C:\Program Files\GOGOBoxSetup.exe
    2008-02-26 14:15 2,395,152 ----a-w C:\Program Files\WLinstaller.exe
    2008-01-16 09:42 13,313,544 ----a-w C:\Program Files\RealPlayer11GOLD.exe
    2007-03-29 06:54 2,338,104 ----a-w C:\Program Files\WindowsXP-KB896256-v4-x86-CHT.exe
    2007-03-23 15:51 35,302,248 ----a-w C:\Program Files\5.05.25.00_ntune_winxp_international.exe
    2007-02-09 15:50 181,559,006 ----a-w C:\Program Files\nzd_FroggySetup.exe
    2007-02-09 15:23 102,121,724 ----a-w C:\Program Files\nzd_AdrianneSetup.exe
    2007-02-09 14:29 6,188,097 ----a-w C:\Program Files\nzd_SmokeSetup.exe
    2007-01-17 04:36 16,332,072 ----a-w C:\Program Files\Install_Messenger_nous.exe
    2005-08-09 04:32 4,333,568 ----a-w C:\Program Files\PRIME95.EXE
    2005-08-09 04:31 336,082 ----a-w C:\Program Files\PRIME95.CHM
    2005-07-23 10:02 47,814 ----a-w C:\Program Files\WHATSNEW.TXT
    2005-07-23 10:00 4,960 ----a-w C:\Program Files\LICENSE.TXT
    2005-07-02 02:08 15,932 ----a-w C:\Program Files\UNDOC.TXT
    2005-03-07 07:35 30,918 ----a-w C:\Program Files\README.TXT
    2005-02-22 08:33 1,416,944 ----a-w C:\Program Files\WM9Codecs.exe
    2005-02-22 08:26 7,741,336 ----a-w C:\Program Files\DivX521XP2K.exe
    2005-01-02 03:45 7,019 ----a-w C:\Program Files\STRESS.TXT
    2003-02-25 12:49 965,066 ----a-w C:\Program Files\wrar311.exe
    2008-02-26 14:40 56 --sh--r C:\WINDOWS\system32\D17DED463C.sys
    2008-02-26 14:40 2,098 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((( snapshot@2008-07-20_16.54.38.81 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-07-20 12:25:07 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_170.dat
    .
    (((((((((((((((((((((((((((((((((((((((((( 重要登錄檔 )))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *注意* 空白或合法的登錄值將不會顯示

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2008-04-15 02:30 15360]
    "Creative Detector "= "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23 102400]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2008-04-15 02:30 1695232]
    "AlcoholAutomount "= "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2007-12-22 17:20 222080]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1 "= "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 22:32 208952]
    "PHIME2002ASync "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 02:31 455168]
    "PHIME2002A "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 02:31 455168]
    "CTDVDDET "= "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 01:00 45056]
    "RCSystem "= "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 18:07 49152]
    "AudioDrvEmulator "= "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 18:07 49152]
    "VolPanel "= "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 11:01 122880]
    "UpdReg "= "C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
    "HP Software Update "= "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-12-15 11:18 49152]
    "TkBellExe "= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-26 23:41 185896]
    "Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
    "NeroFilterCheck "= "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
    "NVIDIA nTune "= "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-01-22 17:22 81920]
    "RemoteControl "= "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 21:01 71216]
    "LanguageShortcut "= "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 22:17 52256]
    "NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
    "NvMediaCenter "= "C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
    "jycaruc "= "C:\WINDOWS\system32\zurouporuj.exe" [2008-07-20 01:14 141824]
    "AppleSyncNotifier "= "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
    "QuickTime Task "= "C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
    "CTHelper "= "CTHELPER.EXE" [2006-12-12 10:46 19456 C:\WINDOWS\system32\CtHelper.exe]
    "CTxfiHlp "= "CTXFIHLP.EXE" [2006-12-12 10:46 20480 C:\WINDOWS\system32\Ctxfihlp.exe]
    "nwiz "= "nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    "jycaruc "= "C:\WINDOWS\system32\zurouporuj.exe" [2008-07-20 01:14 141824]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\CTFMON.EXE" [2008-04-15 02:30 15360]

    C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 11:40:44 282624]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.YV12 "= yv12vfw.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe "=
    "D:\\Games\\Savage 2 - A Tortured Soul\\savage2.exe "=
    "C:\\Program Files\\NextLink\\GOGOBOX\\GFSCAgent.exe "=
    "C:\\Program Files\\NextLink\\GOGOBOX\\gogobox.exe "=
    "C:\\WINDOWS\\system32\\PnkBstrA.exe "=
    "C:\\WINDOWS\\system32\\PnkBstrB.exe "=
    "C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe "=
    "C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe "=
    "C:\\Program Files\\uTorrent\\uTorrent.exe "=
    "C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe "=
    "D:\\Games\\Ubisoft\\XIII\\system\\XIII.exe "=
    "D:\\Games\\Microsoft Games\\Gears of War\\Binaries\\WarGame-G4WLive.exe "=
    "D:\\Games\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx9.exe "=
    "D:\\Games\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx10.exe "=
    "D:\\Games\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Launcher.exe "=
    "C:\\Program Files\\eREAD\\eREAD_Cookcase.exe "=
    "D:\\Games\\Rohan\\rohanclient.exe "=
    "C:\\Program Files\\eREAD\\eREAD\\eREAD_Cookcase.exe "=
    "C:\\Program Files\\Codemasters\\GRID\\GRID.exe "=
    "D:\\Games\\Mass Effect\\Binaries\\MassEffect.exe "=
    "D:\\Games\\Mass Effect\\MassEffectLauncher.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "C:\\Program Files\\iTunes\\iTunes.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "11777:TCP "= 11777:TCP:Foxy (192.168.0.137:11777) 11777 TCP
    "11777:UDP "= 11777:UDP:Foxy (192.168.0.137:11777) 11777 UDP

    R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2006-12-19 08:36]
    S2 qeesy4id;Zip Backup to CD;C:\WINDOWS\system32\bosi.exe [2008-07-20 01:14]
    .
    排程工作資料夾的內容
    "2008-05-30 00:28:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job "
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-MsnMsgr - C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe


    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-07-21 07:48:56
    Windows 5.1.2600 Service Pack 3 NTFS

    掃描隱藏的程序...

    ? [7912]
    ? [4504]
    ? [9980]
    ? [9264]
    ? [9760]
    ? [8608]
    ? [8612]

    掃描隱藏的進程...

    掃描隱藏的檔案...

    掃描完成
    隱藏檔案: 0

    **************************************************************************
    .
    完成時間: 2008-07-21 7:49:17
    ComboFix-quarantined-files.txt 2008-07-20 21:49:14
    ComboFix2.txt 2008-07-20 06:54:49

    Pre-Run: 128,521,052,160 位元組可用
    Post-Run: 128,643,452,928 位元組可用

    239 --- E O F --- 2008-07-19 04:10:08


    ...and the new Hijackthis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 上午 07:51:58, on 2008/7/21
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
    C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
    C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\zurouporuj.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\Program Files\Creative\Sound Blaster X-Fi\Entertainment Center\EAXLoadr.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\WINDOWS\system32\conime.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: AddTask Class - {6A19C29D-ED45-4483-8999-9F939C8161F2} - C:\Program Files\eREAD\eREAD\WebHook.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE "
    O4 - HKLM\..\Run: [RCSystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
    O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll "
    O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe "
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [jycaruc] C:\WINDOWS\system32\zurouporuj.exe
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\RunServices: [jycaruc] C:\WINDOWS\system32\zurouporuj.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
    O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - ESC Trusted Zone: http://*.update.microsoft.com
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.johannrain-softwareentwicklung.de/EN/scan8/oscan8.cab
    O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1204030470734
    O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
    O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://dreamhunter1983.spaces.live.com/PhotoUpload/MsnPUpld.cab
    O16 - DPF: {B80CBA99-2493-4343-8A83-386E9F3CA5C2} (GetWebContent Class) - http://cnc.isoshu.com/eread/WebReadOnLine_ATL.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1E037770-BEA2-44E4-BF12-0CF593B48AC7}: NameServer = 203.12.160.35,203.12.160.36
    O17 - HKLM\System\CCS\Services\Tcpip\..\{20436D73-8F39-4159-972A-D421E2977419}: NameServer = 203.12.160.35,203.12.160.36
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1E037770-BEA2-44E4-BF12-0CF593B48AC7}: NameServer = 203.12.160.35,203.12.160.36
    O17 - HKLM\System\CS3\Services\Tcpip\..\{1E037770-BEA2-44E4-BF12-0CF593B48AC7}: NameServer = 203.12.160.35,203.12.160.36
    O17 - HKLM\System\CS4\Services\Tcpip\..\{1E037770-BEA2-44E4-BF12-0CF593B48AC7}: NameServer = 203.12.160.35,203.12.160.36
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: iPod 服務 (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: Zip Backup to CD (qeesy4id) - Unknown owner - C:\WINDOWS\system32\bosi.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
    O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

    --
    End of file - 9293 bytes
     
  8. 2008/07/20
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    OK, we're gonna nuke those files because they appear rogue and behave like rogues. Once they are analyzed, should they be legitimate files, we can restore them from a backup.

    Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    
    
    Collect::[22]
    C:\WINDOWS\system32\bosi.exe
    C:\WINDOWS\system32\zurouporuj.exe
    Driver::
    qeesy4id
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "jycaruc"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    "jycaruc"=-
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and a fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.


    Please note that I have instructed CFScript to collect some files. This means that when ComboFix finishes, you will be prompted to allow ComboFix to upload a zip file that was created on your desktop. The zip contains the aforementioned files. Please copy the path shown in the prompt and paste it into the box, then click Send. Thanks!


    Can you translate this section for me please?

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-07-21 07:48:56
    Windows 5.1.2600 Service Pack 3 NTFS

    掃描隱藏的程序...

    ? [7912]
    ? [4504]
    ? [9980]
    ? [9264]
    ? [9760]
    ? [8608]
    ? [8612]

    掃描隱藏的進程...

    掃描隱藏的檔案...

    掃描完成
    隱藏檔案: 0
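    The logs above show the pattern the CFScript is built around: one value name (jycaruc) registered under both Run and the legacy RunServices key, pointing at a hidden, newly created file in system32, plus a service with no vendor string (qeesy4id) pointing at a second hidden file of exactly the same size. As an added example, not part of this thread and not a tool the helper used, the Python script below parses the HijackThis O4/O23 line formats and the ComboFix created-files section and scores each autostart target on those indicators. The sample lines are copied from the thread's own logs; the indicator weights and the threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Line formats as they appear in the HijackThis and ComboFix logs posted in this thread.
HJT_O4 = re.compile(
    r'^O4 - (?P<hive>HK[^\\]+(?:\\[^\\]+)*?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
HJT_O23 = re.compile(
    r'^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^)]+)\))? - (?P<owner>.+?) - (?P<path>.+)$')
CF_NEW = re.compile(
    r'^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) '
    r'(?P<size>[\d,]+|<DIR>) (?P<attrs>[-\w]{9}) (?P<path>.+)$')

# Indicator weights are an assumption for this example; a target needs THRESHOLD points to be reported.
WEIGHTS = {
    'loaded from the legacy RunServices key': 1,
    'service registered with no vendor string': 1,
    'image created within the ComboFix 30-day window': 1,
    'image carries the hidden attribute': 2,
    'same size as another newly created file': 1,
}
THRESHOLD = 2

def image_path(cmd):
    """Pull the executable image out of an O4 command string (quoted or bare)."""
    quoted = re.match(r'^"([^"]+)"', cmd)
    if quoted:
        return quoted.group(1).strip()
    bare = re.match(r'^(.+?\.(?:exe|dll))', cmd, re.IGNORECASE)
    return (bare.group(1) if bare else cmd.split()[0]).strip()

def parse_autostarts(hjt_text):
    """Yield (image path, where it is registered) for every O4 and O23 line."""
    for line in hjt_text.splitlines():
        line = line.strip()
        m = HJT_O4.match(line)
        if m:
            yield image_path(m['cmd']), f"{m['hive']}\\{m['key']} [{m['name']}]"
            continue
        m = HJT_O23.match(line)
        if m:
            yield m['path'].strip(), f"service {m['short'] or m['display']} ({m['owner']})"

def parse_new_files(combofix_text):
    """Map lower-cased path -> (size, attrs) for files (not directories) ComboFix lists as new."""
    files = {}
    for line in combofix_text.splitlines():
        m = CF_NEW.match(line.strip())
        if m and m['size'] != '<DIR>':
            files[m['path'].lower()] = (int(m['size'].replace(',', '')), m['attrs'])
    return files

def triage(hjt_text, combofix_text, threshold=THRESHOLD):
    """Correlate autostart entries with new-file evidence and return the suspicious targets."""
    new_files = parse_new_files(combofix_text)
    by_size = defaultdict(list)          # identical sizes hint at two drops of one family
    for path, (size, _) in new_files.items():
        by_size[size].append(path)
    hits = {}
    for image, source in parse_autostarts(hjt_text):
        key = image.lower()
        reasons = set()
        if '\\runservices' in source.lower():
            reasons.add('loaded from the legacy RunServices key')
        if source.startswith('service') and 'unknown owner' in source.lower():
            reasons.add('service registered with no vendor string')
        if key in new_files:
            size, attrs = new_files[key]
            reasons.add('image created within the ComboFix 30-day window')
            if 'h' in attrs:             # ComboFix prints the hidden flag as 'h' in the attribute column
                reasons.add('image carries the hidden attribute')
            if len(by_size[size]) > 1:
                reasons.add('same size as another newly created file')
        entry = hits.setdefault(key, {'sources': [], 'reasons': set()})
        entry['sources'].append(source)
        entry['reasons'] |= reasons
    report = {}
    for key, entry in hits.items():
        score = sum(WEIGHTS[r] for r in entry['reasons'])
        if score >= threshold:
            report[key] = {'score': score, 'sources': entry['sources'],
                           'reasons': sorted(entry['reasons'])}
    return report

# Sample lines copied from the HijackThis and ComboFix logs posted earlier in this thread.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [jycaruc] C:\WINDOWS\system32\zurouporuj.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
O4 - HKLM\..\RunServices: [jycaruc] C:\WINDOWS\system32\zurouporuj.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Zip Backup to CD (qeesy4id) - Unknown owner - C:\WINDOWS\system32\bosi.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""
SAMPLE_COMBOFIX = r"""
2008-07-20 00:37 . 2008-07-20 00:37 812,344 --a------ C:\Program Files\HJTInstall.exe
2008-07-17 22:02 . 2008-07-20 01:14 141,824 --ah----- C:\WINDOWS\system32\bosi.exe
2008-07-17 01:01 . 2008-07-17 02:23 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-07-15 22:09 . 2008-07-20 01:14 141,824 --ah----- C:\WINDOWS\system32\zurouporuj.exe
"""
```

    Calling triage(SAMPLE_HJT, SAMPLE_COMBOFIX) reports only zurouporuj.exe and bosi.exe, each with a score of 5, while the PunkBuster service (no vendor string but nothing else) and ctfmon.exe stay below the threshold.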
     
  9. 2008/07/21
    Dhunter224

    Dhunter224 Inactive Thread Starter

    Joined:
    2008/07/19
    Messages:
    10
    Likes Received:
    0
    Haha, sorry, but I have Chinese Windows...

    掃描隱藏的程序 = scanning hidden program (or program code)

    掃描隱藏的進程 = scanning hidden process (or progress?)

    掃描隱藏的檔案 = scanning hidden files

    掃描完成 (scan complete)
    隱藏檔案 (hidden files): 0

    Some Chinese words are too technical, so for the last two words of the top 2 lines I'm half guessing...

    Thanks again...
     
  10. 2008/07/21
    Dhunter224

    Dhunter224 Inactive Thread Starter

    Joined:
    2008/07/19
    Messages:
    10
    Likes Received:
    0
    Okay... here's the ComboFix log after the last step:

    ComboFix 08-07-19.1 - Steven Chang 2008-07-21 18:54:13.3 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.950.1.1028.18.1628 [GMT 10:00]
    執行位置: C:\Documents and Settings\Steven Chang\桌面\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Steven Chang\桌面\CFScript.txt
    * 已建立新的還原點

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    (((((((((((((((((((((((((((((((((((((( 其他遭刪除的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\bosi.exe
    C:\WINDOWS\system32\zurouporuj.exe
    D:\Autorun.inf
    E:\Autorun.inf
    J:\Autorun.inf

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_QEESY4ID
    -------\Service_qeesy4id


    (((((((((((((((((((((((((((( 2008-06-21 - 2008-07-21 之間建立的檔案 )))))))))))))))))))))))))))))))))
    .

    2008-07-20 16:48 . 2008-07-20 16:48 <DIR> d-------- C:\Program Files\MsnCleaner_eng
    2008-07-20 16:48 . 2008-07-20 16:58 <DIR> d-------- C:\MSNCleaner
    2008-07-20 16:40 . 2008-07-20 16:40 159,988 --a------ C:\Program Files\MsnCleaner_eng.zip
    2008-07-20 00:53 . 2008-07-20 00:53 <DIR> d-------- C:\Deckard
    2008-07-20 00:37 . 2008-07-20 00:37 <DIR> d-------- C:\Program Files\Trend Micro
    2008-07-20 00:37 . 2008-07-20 00:37 812,344 --a------ C:\Program Files\HJTInstall.exe
    2008-07-19 10:56 . 2008-07-19 10:56 <DIR> d-------- C:\Program Files\iPod
    2008-07-19 10:41 . 2008-07-19 10:41 <DIR> d-------- C:\WINDOWS\system32\zh-cht
    2008-07-19 10:41 . 2008-07-19 10:41 <DIR> d-------- C:\WINDOWS\system32\bits
    2008-07-19 10:41 . 2008-07-19 10:41 <DIR> d-------- C:\WINDOWS\l2schemas
    2008-07-19 10:40 . 2008-07-19 10:41 <DIR> d-------- C:\WINDOWS\ServicePackFiles
    2008-07-19 10:38 . 2008-07-19 10:38 <DIR> d-------- C:\WINDOWS\EHome
    2008-07-19 00:19 . 2008-07-19 00:19 <DIR> d-------- C:\Program Files\Alwil Software
    2008-07-19 00:18 . 2008-07-19 00:18 23,862,448 --a------ C:\Program Files\setupcht.exe
    2008-07-17 01:01 . 2008-07-17 02:23 <DIR> d-------- C:\WINDOWS\BDOSCAN8
    2008-07-14 18:55 . 2008-07-14 18:55 <DIR> dr-h----- C:\Documents and Settings\Steven Chang\Application Data\SecuROM
    2008-07-14 18:45 . 2008-07-14 18:45 <DIR> d-------- C:\Program Files\Common Files\BioWare
    2008-07-13 15:22 . 2008-07-13 15:57 <DIR> d-------- C:\Documents and Settings\Gary\Application Data\Foxy
    2008-07-05 12:14 . 2008-07-18 20:02 <DIR> d-------- C:\Program Files\Fraps
    2008-07-05 12:14 . 2008-07-18 20:02 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-07-05 12:12 . 2008-07-05 12:12 992,536 --a------ C:\Program Files\setup.exe
    2008-07-03 22:04 . 2008-07-03 22:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Codemasters
    2008-07-03 22:03 . 2008-07-03 22:03 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
    2008-07-03 15:30 . 2008-07-03 15:30 <DIR> d-------- C:\Program Files\OpenAL
    2008-07-03 15:30 . 2008-04-28 15:53 805,400 -ra------ C:\WINDOWS\system32\tmp1E7.tmp
    2008-07-03 15:30 . 2008-04-28 15:53 805,400 -ra------ C:\WINDOWS\system32\tmp1E6.tmp
    2008-07-03 15:13 . 2008-07-03 15:13 <DIR> d-------- C:\Program Files\Codemasters
    2008-06-21 03:45 . 2008-06-21 03:45 240,640 -----c--- C:\WINDOWS\system32\dllcache\mswsock.dll
    2008-06-21 03:45 . 2008-06-21 03:45 147,968 -----c--- C:\WINDOWS\system32\dllcache\dnsapi.dll

    .
    (((((((((((((((((((((((((((((((((((( 近三個月內更動的檔案 )))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-07-19 00:56 --------- d-----w C:\Program Files\iTunes
    2008-07-19 00:55 --------- d-----w C:\Program Files\QuickTime
    2008-07-03 05:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
    2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
    2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
    2008-06-18 06:51 52,736 ----a-w C:\WINDOWS\ipuninst.exe
    2008-06-18 06:13 --------- d-----w C:\Program Files\D3DWindower-English
    2008-06-18 06:11 437,809 ----a-w C:\Program Files\D3DWindower-English.rar
    2008-06-17 09:12 --------- d-----w C:\Program Files\eREAD
    2008-06-17 08:45 9,159,824 ----a-w C:\Program Files\eREAD7.0Setup.exe
    2008-06-15 03:38 --------- d-----w C:\Program Files\Common Files\INCA Shared
    2008-06-14 17:32 269,568 ------w C:\WINDOWS\system32\drivers\bthport.sys
    2008-06-09 12:35 --------- d-----w C:\Documents and Settings\Steven Chang\Application Data\uTorrent
    2008-06-06 13:41 --------- d-----w C:\Program Files\CAPCOM
    2008-05-30 07:37 --------- d-----w C:\Program Files\Naruto
    2008-05-30 04:56 --------- d-----w C:\Documents and Settings\Steven Chang\Application Data\DMCache
    2008-05-11 10:18 2,650,544 ----a-w C:\Program Files\idman512b8.exe
    2008-04-30 08:09 73,665,272 ----a-w C:\Program Files\169.21_forceware_winxp_32bit_international_whql.exe
    2008-04-23 05:22 50,531,640 ----a-w C:\Program Files\CyberLink.3118(EVR)_DVD070604-04.exe
    2008-04-22 11:51 9,868,672 ----a-w C:\Program Files\Alcohol120_trial_1.9.7.6022.exe
    2008-03-26 12:36 72,909,136 ----a-w C:\Program Files\169.44_forceware_winxp_32bit_international_beta.exe
    2008-03-26 07:08 43,947,944 ----a-w C:\Program Files\9.53_nforce_680i_winxp_international_whql.exe
    2008-03-26 06:39 499,862 ----a-w C:\Program Files\CPU-Z 1.41.zip
    2008-03-25 11:51 4,277 ----a-w C:\Program Files\results.txt
    2008-03-24 18:54 430 ----a-w C:\Program Files\local.ini
    2008-03-24 15:26 334 ----a-w C:\Program Files\prime.ini
    2008-03-23 04:49 1,149,820 ----a-w C:\Program Files\p95v2414.zip
    2008-03-21 04:02 17,941,978 ----a-w C:\Program Files\klmcodec380.exe
    2008-03-21 03:48 2,002,432 ----a-w C:\Program Files\EMPG2_Dec_Strm_Pack.zip
    2008-03-15 04:45 23,454,528 ----a-w C:\Program Files\AdbeRdr812_en_US.exe
    2008-03-08 03:44 59,163,944 ----a-w C:\Program Files\iTunesSetup.exe
    2008-03-02 11:14 22,328 ----a-w C:\Documents and Settings\Steven Chang\Application Data\PnkBstrK.sys
    2008-02-27 15:27 2,316,787 ----a-w C:\Program Files\GOGOBoxSetup.exe
    2008-02-26 14:15 2,395,152 ----a-w C:\Program Files\WLinstaller.exe
    2008-01-16 09:42 13,313,544 ----a-w C:\Program Files\RealPlayer11GOLD.exe
    2007-03-29 06:54 2,338,104 ----a-w C:\Program Files\WindowsXP-KB896256-v4-x86-CHT.exe
    2007-03-23 15:51 35,302,248 ----a-w C:\Program Files\5.05.25.00_ntune_winxp_international.exe
    2007-02-09 15:50 181,559,006 ----a-w C:\Program Files\nzd_FroggySetup.exe
    2007-02-09 15:23 102,121,724 ----a-w C:\Program Files\nzd_AdrianneSetup.exe
    2007-02-09 14:29 6,188,097 ----a-w C:\Program Files\nzd_SmokeSetup.exe
    2007-01-17 04:36 16,332,072 ----a-w C:\Program Files\Install_Messenger_nous.exe
    2005-08-09 04:32 4,333,568 ----a-w C:\Program Files\PRIME95.EXE
    2005-08-09 04:31 336,082 ----a-w C:\Program Files\PRIME95.CHM
    2005-07-23 10:02 47,814 ----a-w C:\Program Files\WHATSNEW.TXT
    2005-07-23 10:00 4,960 ----a-w C:\Program Files\LICENSE.TXT
    2005-07-02 02:08 15,932 ----a-w C:\Program Files\UNDOC.TXT
    2005-03-07 07:35 30,918 ----a-w C:\Program Files\README.TXT
    2005-02-22 08:33 1,416,944 ----a-w C:\Program Files\WM9Codecs.exe
    2005-02-22 08:26 7,741,336 ----a-w C:\Program Files\DivX521XP2K.exe
    2005-01-02 03:45 7,019 ----a-w C:\Program Files\STRESS.TXT
    2003-02-25 12:49 965,066 ----a-w C:\Program Files\wrar311.exe
    2008-02-26 14:40 56 --sh--r C:\WINDOWS\system32\D17DED463C.sys
    2008-02-26 14:40 2,098 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((( snapshot@2008-07-20_16.54.38.81 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2005-10-20 10:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
    + 2008-07-21 08:57:29 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_16c.dat
    .
    (((((((((((((((((((((((((((((((((((((((((( 重要登錄檔 )))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *注意* 空白或合法的登錄值將不會顯示

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2008-04-15 02:30 15360]
    "Creative Detector "= "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23 102400]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2008-04-15 02:30 1695232]
    "AlcoholAutomount "= "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2007-12-22 17:20 222080]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1 "= "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 22:32 208952]
    "PHIME2002ASync "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 02:31 455168]
    "PHIME2002A "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 02:31 455168]
    "CTDVDDET "= "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 01:00 45056]
    "RCSystem "= "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 18:07 49152]
    "AudioDrvEmulator "= "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 18:07 49152]
    "VolPanel "= "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 11:01 122880]
    "UpdReg "= "C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
    "HP Software Update "= "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-12-15 11:18 49152]
    "TkBellExe "= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-26 23:41 185896]
    "Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
    "NeroFilterCheck "= "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
    "NVIDIA nTune "= "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-01-22 17:22 81920]
    "RemoteControl "= "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 21:01 71216]
    "LanguageShortcut "= "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 22:17 52256]
    "NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
    "NvMediaCenter "= "C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
    "AppleSyncNotifier "= "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
    "QuickTime Task "= "C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
    "CTHelper "= "CTHELPER.EXE" [2006-12-12 10:46 19456 C:\WINDOWS\system32\CtHelper.exe]
    "CTxfiHlp "= "CTXFIHLP.EXE" [2006-12-12 10:46 20480 C:\WINDOWS\system32\Ctxfihlp.exe]
    "nwiz "= "nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\CTFMON.EXE" [2008-04-15 02:30 15360]

    C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 11:40:44 282624]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.YV12 "= yv12vfw.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe "=
    "D:\\Games\\Savage 2 - A Tortured Soul\\savage2.exe "=
    "C:\\Program Files\\NextLink\\GOGOBOX\\GFSCAgent.exe "=
    "C:\\Program Files\\NextLink\\GOGOBOX\\gogobox.exe "=
    "C:\\WINDOWS\\system32\\PnkBstrA.exe "=
    "C:\\WINDOWS\\system32\\PnkBstrB.exe "=
    "C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe "=
    "C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe "=
    "C:\\Program Files\\uTorrent\\uTorrent.exe "=
    "C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe "=
    "D:\\Games\\Ubisoft\\XIII\\system\\XIII.exe "=
    "D:\\Games\\Microsoft Games\\Gears of War\\Binaries\\WarGame-G4WLive.exe "=
    "D:\\Games\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx9.exe "=
    "D:\\Games\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx10.exe "=
    "D:\\Games\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Launcher.exe "=
    "C:\\Program Files\\eREAD\\eREAD_Cookcase.exe "=
    "D:\\Games\\Rohan\\rohanclient.exe "=
    "C:\\Program Files\\eREAD\\eREAD\\eREAD_Cookcase.exe "=
    "C:\\Program Files\\Codemasters\\GRID\\GRID.exe "=
    "D:\\Games\\Mass Effect\\Binaries\\MassEffect.exe "=
    "D:\\Games\\Mass Effect\\MassEffectLauncher.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "C:\\Program Files\\iTunes\\iTunes.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "11777:TCP "= 11777:TCP:Foxy (192.168.0.137:11777) 11777 TCP
    "11777:UDP "= 11777:UDP:Foxy (192.168.0.137:11777) 11777 UDP

    R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2006-12-19 08:36]
    .
    排程工作資料夾的內容
    "2008-05-30 00:28:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job "
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-07-21 18:57:40
    Windows 5.1.2600 Service Pack 3 NTFS

    掃描隱藏的程序...

    掃描隱藏的進程...

    掃描隱藏的檔案...

    掃描完成
    隱藏檔案: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\CTSVCCDA.EXE
    C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    C:\WINDOWS\system32\conime.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\CTxfispi.exe
    C:\Program Files\Creative\Sound Blaster X-Fi\Entertainment Center\EAXLoadr.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
    .
    **************************************************************************
    .
    完成時間: 2008-07-21 19:00:05 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-07-21 09:00:03
    ComboFix2.txt 2008-07-20 21:49:17
    ComboFix3.txt 2008-07-20 06:54:49

    Pre-Run: 128,647,925,760 位元組可用
    Post-Run: 128,557,125,632 位元組可用

    237 --- E O F --- 2008-07-19 04:10:08


    ...and the Hijackthis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 下午 07:02:10, on 2008/7/21
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\conime.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
    C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
    C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\WINDOWS\system32\CTXFIHLP.EXE
    C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Creative\Sound Blaster X-Fi\Entertainment Center\EAXLoadr.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: AddTask Class - {6A19C29D-ED45-4483-8999-9F939C8161F2} - C:\Program Files\eREAD\eREAD\WebHook.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE "
    O4 - HKLM\..\Run: [RCSystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
    O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll "
    O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe "
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
    O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - ESC Trusted Zone: http://*.update.microsoft.com
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.johannrain-softwareentwicklung.de/EN/scan8/oscan8.cab
    O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1204030470734
    O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
    O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://dreamhunter1983.spaces.live.com/PhotoUpload/MsnPUpld.cab
    O16 - DPF: {B80CBA99-2493-4343-8A83-386E9F3CA5C2} (GetWebContent Class) - http://cnc.isoshu.com/eread/WebReadOnLine_ATL.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1E037770-BEA2-44E4-BF12-0CF593B48AC7}: NameServer = 203.12.160.35,203.12.160.36
    O17 - HKLM\System\CCS\Services\Tcpip\..\{20436D73-8F39-4159-972A-D421E2977419}: NameServer = 203.12.160.35,203.12.160.36
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1E037770-BEA2-44E4-BF12-0CF593B48AC7}: NameServer = 203.12.160.35,203.12.160.36
    O17 - HKLM\System\CS3\Services\Tcpip\..\{1E037770-BEA2-44E4-BF12-0CF593B48AC7}: NameServer = 203.12.160.35,203.12.160.36
    O17 - HKLM\System\CS4\Services\Tcpip\..\{1E037770-BEA2-44E4-BF12-0CF593B48AC7}: NameServer = 203.12.160.35,203.12.160.36
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: iPod 服務 (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
    O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

    --
    End of file - 9289 bytes

    Thanks~
     
  11. 2008/07/21
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Were you prompted to upload the zip? Was one created on the desktop? It should be named similar to Submit_2008-07-21@18:54.zip

    Please scan with Kaspersky WebScanner

    You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
      • Scan Options:
      • Scan Archives
      • Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.

    Post the Kaspersky log here.
     
  12. 2008/07/21
    Dhunter224

    Dhunter224 Inactive Thread Starter

    Joined:
    2008/07/19
    Messages:
    10
    Likes Received:
    0
    umm... there's actually no prompt to upload a zip file, and there was no zip file created on desktop :S

    I've finished the Kaspersky scan:

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Monday, July 21, 2008 10:21:58 PM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 3 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 21/07/2008
    Kaspersky Anti-Virus database records: 980119
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\
    G:\
    H:\
    I:\
    J:\
    K:\

    Scan Statistics:
    Total number of scanned objects: 104330
    Number of viruses found: 2
    Number of infected objects: 32
    Number of suspicious objects: 0
    Duration of the scan process: 01:02:25

    Infected Object Name / Virus Name / Last Action
    C:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
    C:\Deckard\System Scanner\backup\DOCUME~1\STEVEN~1\LOCALS~1\Temp\bedol.tmp Infected: Trojan.Win32.Agent.vix skipped
    C:\Deckard\System Scanner\backup\DOCUME~1\STEVEN~1\LOCALS~1\Temp\boufiquify.tmp Infected: Trojan.Win32.Agent.vix skipped
    C:\Deckard\System Scanner\backup\DOCUME~1\STEVEN~1\LOCALS~1\Temp\geviw.tmp Infected: Trojan.Win32.Agent.vix skipped
    C:\Deckard\System Scanner\backup\DOCUME~1\STEVEN~1\LOCALS~1\Temp\liwaj.tmp Infected: Trojan.Win32.Agent.vix skipped
    C:\Deckard\System Scanner\backup\DOCUME~1\STEVEN~1\LOCALS~1\Temp\nycoo.tmp Infected: Trojan.Win32.Agent.vix skipped
    C:\Deckard\System Scanner\backup\DOCUME~1\STEVEN~1\LOCALS~1\Temp\pijoobuwo.tmp Infected: Trojan.Win32.Agent.vix skipped
    C:\Deckard\System Scanner\backup\DOCUME~1\STEVEN~1\LOCALS~1\Temp\watygouv.tmp Infected: Trojan.Win32.Agent.vix skipped
    C:\Deckard\System Scanner\backup\DOCUME~1\STEVEN~1\LOCALS~1\Temp\zelaqui.tmp Infected: Trojan.Win32.Agent.vix skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Steven Chang\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Steven Chang\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Steven Chang\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Steven Chang\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Steven Chang\Local Settings\History\History.IE5\MSHist012008072120080722\index.dat Object is locked skipped
    C:\Documents and Settings\Steven Chang\Local Settings\Temp\hpodvd09.log Object is locked skipped
    C:\Documents and Settings\Steven Chang\Local Settings\Temp\~DFD1DD.tmp Object is locked skipped
    C:\Documents and Settings\Steven Chang\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Steven Chang\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Steven Chang\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\logs\sw_ae-20080721-185726.log Object is locked skipped
    C:\QooBox\Quarantine\catchme2008-07-21_ 74854.26.zip/Documents and Settings/Steven Chang/catchme.zip/Suspect_bosi.exe.vir Infected: Trojan-Downloader.Win32.Agent.wig skipped
    C:\QooBox\Quarantine\catchme2008-07-21_ 74854.26.zip/Documents and Settings/Steven Chang/catchme.zip/Suspect_zurouporuj.exe.vir Infected: Trojan-Downloader.Win32.Agent.wig skipped
    C:\QooBox\Quarantine\catchme2008-07-21_ 74854.26.zip/Documents and Settings/Steven Chang/catchme.zip Infected: Trojan-Downloader.Win32.Agent.wig skipped
    C:\QooBox\Quarantine\catchme2008-07-21_ 74854.26.zip ZIP: infected - 3 skipped
    C:\QooBox\Quarantine\catchme2008-07-21_185737.29.zip/Documents and Settings/Steven Chang/catchme.zip/bosi.exe Infected: Trojan-Downloader.Win32.Agent.wig skipped
    C:\QooBox\Quarantine\catchme2008-07-21_185737.29.zip/Documents and Settings/Steven Chang/catchme.zip/zurouporuj.exe Infected: Trojan-Downloader.Win32.Agent.wig skipped
    C:\QooBox\Quarantine\catchme2008-07-21_185737.29.zip/Documents and Settings/Steven Chang/catchme.zip Infected: Trojan-Downloader.Win32.Agent.wig skipped
    C:\QooBox\Quarantine\catchme2008-07-21_185737.29.zip ZIP: infected - 3 skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{880704EE-F676-4D4C-B121-16CA9B835DCE}\RP1\A0000008.exe Infected: Trojan.Win32.Agent.vix skipped
    C:\System Volume Information\_restore{880704EE-F676-4D4C-B121-16CA9B835DCE}\RP1\A0000009.exe Infected: Trojan.Win32.Agent.vix skipped
    C:\System Volume Information\_restore{880704EE-F676-4D4C-B121-16CA9B835DCE}\RP1\A0000020.exe Infected: Trojan.Win32.Agent.vix skipped
    C:\System Volume Information\_restore{880704EE-F676-4D4C-B121-16CA9B835DCE}\RP1\A0000031.exe Infected: Trojan.Win32.Agent.vix skipped
    C:\System Volume Information\_restore{880704EE-F676-4D4C-B121-16CA9B835DCE}\RP1\A0000038.exe Infected: Trojan.Win32.Agent.vix skipped
    C:\System Volume Information\_restore{880704EE-F676-4D4C-B121-16CA9B835DCE}\RP1\A0000039.exe Infected: Trojan.Win32.Agent.vix skipped
    C:\System Volume Information\_restore{880704EE-F676-4D4C-B121-16CA9B835DCE}\RP1\A0000055.exe Infected: Trojan-Downloader.Win32.Agent.wig skipped
    C:\System Volume Information\_restore{880704EE-F676-4D4C-B121-16CA9B835DCE}\RP2\A0000117.exe Infected: Trojan-Downloader.Win32.Agent.wig skipped
    C:\System Volume Information\_restore{880704EE-F676-4D4C-B121-16CA9B835DCE}\RP4\A0000248.exe Infected: Trojan-Downloader.Win32.Agent.wig skipped
    C:\System Volume Information\_restore{880704EE-F676-4D4C-B121-16CA9B835DCE}\RP5\A0000263.exe Infected: Trojan-Downloader.Win32.Agent.wig skipped
    C:\System Volume Information\_restore{880704EE-F676-4D4C-B121-16CA9B835DCE}\RP5\A0000264.exe Infected: Trojan-Downloader.Win32.Agent.wig skipped
    C:\System Volume Information\_restore{880704EE-F676-4D4C-B121-16CA9B835DCE}\RP5\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\Temp\Perflib_Perfdata_16c.dat Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    D:\quagebenik.exe Infected: Trojan.Win32.Agent.vix skipped
    D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    D:\System Volume Information\_restore{880704EE-F676-4D4C-B121-16CA9B835DCE}\RP5\change.log Object is locked skipped
    E:\quagebenik.exe Infected: Trojan-Downloader.Win32.Agent.wig skipped
    E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    E:\System Volume Information\_restore{880704EE-F676-4D4C-B121-16CA9B835DCE}\RP1\A0000013.exe Infected: Trojan.Win32.Agent.vix skipped
    E:\System Volume Information\_restore{880704EE-F676-4D4C-B121-16CA9B835DCE}\RP1\A0000014.exe Infected: Trojan-Downloader.Win32.Agent.wig skipped
    E:\System Volume Information\_restore{880704EE-F676-4D4C-B121-16CA9B835DCE}\RP5\change.log Object is locked skipped
    J:\quagebenik.exe Infected: Trojan.Win32.Agent.vix skipped
    J:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    J:\System Volume Information\_restore{880704EE-F676-4D4C-B121-16CA9B835DCE}\RP5\change.log Object is locked skipped

    Scan process completed.
     
  13. 2008/07/21
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please delete the ComboFix.exe file you currently have and download a fresh copy from here, saving it to your desktop.

    Once again, please disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    Extra::
    File::
    D:\quagebenik.exe
    E:\quagebenik.exe
    J:\quagebenik.exe
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.


    Now, right click the folder C:\Qoobox and select Send To>Compressed (Zipped) Folder
    Please upload the following files to my submission channel for analysis. Leave a link back to this topic.

    C:\Qoobox.zip

    Thanks!
     
  14. 2008/07/21
    Dhunter224

    Dhunter224 Inactive Thread Starter

    Joined:
    2008/07/19
    Messages:
    10
    Likes Received:
    0
    Hi,

    ComboFix 08-07-21.1 - Steven Chang 2008-07-22 14:51:30.4 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.950.1.1028.18.1624 [GMT 10:00]
    執行位置: C:\Documents and Settings\Steven Chang\桌面\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Steven Chang\桌面\CFScript.txt
    * 已建立新的還原點

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    D:\quagebenik.exe
    E:\quagebenik.exe
    J:\quagebenik.exe
    .

    (((((((((((((((((((((((((((((((((((((( 其他遭刪除的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    D:\quagebenik.exe
    E:\quagebenik.exe
    J:\quagebenik.exe

    .
    (((((((((((((((((((((((((((( 2008-06-22 - 2008-07-22 之間建立的檔案 )))))))))))))))))))))))))))))))))
    .

    2008-07-20 16:48 . 2008-07-20 16:48 <DIR> d-------- C:\Program Files\MsnCleaner_eng
    2008-07-20 16:48 . 2008-07-20 16:58 <DIR> d-------- C:\MSNCleaner
    2008-07-20 16:40 . 2008-07-20 16:40 159,988 --a------ C:\Program Files\MsnCleaner_eng.zip
    2008-07-20 00:53 . 2008-07-20 00:53 <DIR> d-------- C:\Deckard
    2008-07-20 00:37 . 2008-07-20 00:37 <DIR> d-------- C:\Program Files\Trend Micro
    2008-07-20 00:37 . 2008-07-20 00:37 812,344 --a------ C:\Program Files\HJTInstall.exe
    2008-07-19 10:56 . 2008-07-19 10:56 <DIR> d-------- C:\Program Files\iPod
    2008-07-19 10:41 . 2008-07-19 10:41 <DIR> d-------- C:\WINDOWS\system32\zh-cht
    2008-07-19 10:41 . 2008-07-19 10:41 <DIR> d-------- C:\WINDOWS\system32\bits
    2008-07-19 10:41 . 2008-07-19 10:41 <DIR> d-------- C:\WINDOWS\l2schemas
    2008-07-19 10:40 . 2008-07-19 10:41 <DIR> d-------- C:\WINDOWS\ServicePackFiles
    2008-07-19 10:38 . 2008-07-19 10:38 <DIR> d-------- C:\WINDOWS\EHome
    2008-07-19 00:19 . 2008-07-19 00:19 <DIR> d-------- C:\Program Files\Alwil Software
    2008-07-19 00:18 . 2008-07-19 00:18 23,862,448 --a------ C:\Program Files\setupcht.exe
    2008-07-17 01:01 . 2008-07-17 02:23 <DIR> d-------- C:\WINDOWS\BDOSCAN8
    2008-07-14 18:55 . 2008-07-14 18:55 <DIR> dr-h----- C:\Documents and Settings\Steven Chang\Application Data\SecuROM
    2008-07-14 18:45 . 2008-07-14 18:45 <DIR> d-------- C:\Program Files\Common Files\BioWare
    2008-07-13 15:22 . 2008-07-13 15:57 <DIR> d-------- C:\Documents and Settings\Gary\Application Data\Foxy
    2008-07-05 12:14 . 2008-07-18 20:02 <DIR> d-------- C:\Program Files\Fraps
    2008-07-05 12:14 . 2008-07-18 20:02 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-07-05 12:12 . 2008-07-05 12:12 992,536 --a------ C:\Program Files\setup.exe
    2008-07-03 22:04 . 2008-07-03 22:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Codemasters
    2008-07-03 22:03 . 2008-07-03 22:03 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
    2008-07-03 15:30 . 2008-07-03 15:30 <DIR> d-------- C:\Program Files\OpenAL
    2008-07-03 15:30 . 2008-04-28 15:53 805,400 -ra------ C:\WINDOWS\system32\tmp1E7.tmp
    2008-07-03 15:30 . 2008-04-28 15:53 805,400 -ra------ C:\WINDOWS\system32\tmp1E6.tmp
    2008-07-03 15:13 . 2008-07-03 15:13 <DIR> d-------- C:\Program Files\Codemasters

    .
    (((((((((((((((((((((((((((((((((((( 近三個月內更動的檔案 )))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-07-19 00:56 --------- d-----w C:\Program Files\iTunes
    2008-07-19 00:55 --------- d-----w C:\Program Files\QuickTime
    2008-07-03 05:30 444,952 ----a-w C:\WINDOWS\system32\wrap_oal.dll
    2008-07-03 05:30 109,080 ----a-w C:\WINDOWS\system32\OpenAL32.dll
    2008-07-03 05:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-06-20 17:45 240,640 ----a-w C:\WINDOWS\system32\mswsock.dll
    2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
    2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
    2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
    2008-06-18 06:51 52,736 ----a-w C:\WINDOWS\ipuninst.exe
    2008-06-18 06:13 --------- d-----w C:\Program Files\D3DWindower-English
    2008-06-18 06:11 437,809 ----a-w C:\Program Files\D3DWindower-English.rar
    2008-06-17 09:12 --------- d-----w C:\Program Files\eREAD
    2008-06-17 08:45 9,159,824 ----a-w C:\Program Files\eREAD7.0Setup.exe
    2008-06-15 03:38 --------- d-----w C:\Program Files\Common Files\INCA Shared
    2008-06-14 17:32 269,568 ------w C:\WINDOWS\system32\drivers\bthport.sys
    2008-06-13 06:55 718,400 ----a-w C:\WINDOWS\system32\WebReadOnLine_ATL.dll
    2008-06-09 12:35 --------- d-----w C:\Documents and Settings\Steven Chang\Application Data\uTorrent
    2008-06-06 13:41 --------- d-----w C:\Program Files\CAPCOM
    2008-05-30 07:37 --------- d-----w C:\Program Files\Naruto
    2008-05-30 04:56 --------- d-----w C:\Documents and Settings\Steven Chang\Application Data\DMCache
    2008-05-11 10:18 2,650,544 ----a-w C:\Program Files\idman512b8.exe
    2008-05-09 10:54 90,112 ----a-w C:\WINDOWS\system32\wshext.dll
    2008-05-09 10:54 430,080 ----a-w C:\WINDOWS\system32\vbscript.dll
    2008-05-09 10:54 180,224 ----a-w C:\WINDOWS\system32\scrobj.dll
    2008-05-09 10:54 172,032 ----a-w C:\WINDOWS\system32\scrrun.dll
    2008-05-08 11:24 155,648 ----a-w C:\WINDOWS\system32\wscript.exe
    2008-05-07 09:07 135,168 ----a-w C:\WINDOWS\system32\cscript.exe
    2008-05-07 05:10 1,269,760 ----a-w C:\WINDOWS\system32\quartz.dll
    2008-04-30 08:09 73,665,272 ----a-w C:\Program Files\169.21_forceware_winxp_32bit_international_whql.exe
    2008-04-23 05:22 50,531,640 ----a-w C:\Program Files\CyberLink.3118(EVR)_DVD070604-04.exe
    2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-04-22 11:51 9,868,672 ----a-w C:\Program Files\Alcohol120_trial_1.9.7.6022.exe
    2008-03-26 12:36 72,909,136 ----a-w C:\Program Files\169.44_forceware_winxp_32bit_international_beta.exe
    2008-03-26 07:08 43,947,944 ----a-w C:\Program Files\9.53_nforce_680i_winxp_international_whql.exe
    2008-03-26 06:39 499,862 ----a-w C:\Program Files\CPU-Z 1.41.zip
    2008-03-25 11:51 4,277 ----a-w C:\Program Files\results.txt
    2008-03-24 18:54 430 ----a-w C:\Program Files\local.ini
    2008-03-24 15:26 334 ----a-w C:\Program Files\prime.ini
    2008-03-23 04:49 1,149,820 ----a-w C:\Program Files\p95v2414.zip
    2008-03-21 04:02 17,941,978 ----a-w C:\Program Files\klmcodec380.exe
    2008-03-21 03:48 2,002,432 ----a-w C:\Program Files\EMPG2_Dec_Strm_Pack.zip
    2008-03-15 04:45 23,454,528 ----a-w C:\Program Files\AdbeRdr812_en_US.exe
    2008-03-08 03:44 59,163,944 ----a-w C:\Program Files\iTunesSetup.exe
    2008-03-02 11:14 22,328 ----a-w C:\Documents and Settings\Steven Chang\Application Data\PnkBstrK.sys
    2008-02-27 15:27 2,316,787 ----a-w C:\Program Files\GOGOBoxSetup.exe
    2008-02-26 14:15 2,395,152 ----a-w C:\Program Files\WLinstaller.exe
    2008-01-16 09:42 13,313,544 ----a-w C:\Program Files\RealPlayer11GOLD.exe
    2007-03-29 06:54 2,338,104 ----a-w C:\Program Files\WindowsXP-KB896256-v4-x86-CHT.exe
    2007-03-23 15:51 35,302,248 ----a-w C:\Program Files\5.05.25.00_ntune_winxp_international.exe
    2007-02-09 15:50 181,559,006 ----a-w C:\Program Files\nzd_FroggySetup.exe
    2007-02-09 15:23 102,121,724 ----a-w C:\Program Files\nzd_AdrianneSetup.exe
    2007-02-09 14:29 6,188,097 ----a-w C:\Program Files\nzd_SmokeSetup.exe
    2007-01-17 04:36 16,332,072 ----a-w C:\Program Files\Install_Messenger_nous.exe
    2005-08-09 04:32 4,333,568 ----a-w C:\Program Files\PRIME95.EXE
    2005-08-09 04:31 336,082 ----a-w C:\Program Files\PRIME95.CHM
    2005-07-23 10:02 47,814 ----a-w C:\Program Files\WHATSNEW.TXT
    2005-07-23 10:00 4,960 ----a-w C:\Program Files\LICENSE.TXT
    2005-07-02 02:08 15,932 ----a-w C:\Program Files\UNDOC.TXT
    2005-03-07 07:35 30,918 ----a-w C:\Program Files\README.TXT
    2005-02-22 08:33 1,416,944 ----a-w C:\Program Files\WM9Codecs.exe
    2005-02-22 08:26 7,741,336 ----a-w C:\Program Files\DivX521XP2K.exe
    2005-01-02 03:45 7,019 ----a-w C:\Program Files\STRESS.TXT
    2003-02-25 12:49 965,066 ----a-w C:\Program Files\wrar311.exe
    2008-02-26 14:40 56 --sh--r C:\WINDOWS\system32\D17DED463C.sys
    2008-02-26 14:40 2,098 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((( snapshot@2008-07-20_16.54.38.81 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2005-10-20 10:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
    + 2008-07-22 04:43:48 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_190.dat
    .
    (((((((((((((((((((((((((((((((((((((((((( 重要登錄檔 )))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *注意* 空白或合法的登錄值將不會顯示

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2008-04-15 02:30 15360]
    "Creative Detector "= "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23 102400]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2008-04-15 02:30 1695232]
    "AlcoholAutomount "= "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2007-12-22 17:20 222080]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1 "= "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 22:32 208952]
    "PHIME2002ASync "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 02:31 455168]
    "PHIME2002A "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 02:31 455168]
    "CTDVDDET "= "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 01:00 45056]
    "RCSystem "= "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 18:07 49152]
    "AudioDrvEmulator "= "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 18:07 49152]
    "VolPanel "= "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 11:01 122880]
    "UpdReg "= "C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
    "HP Software Update "= "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-12-15 11:18 49152]
    "TkBellExe "= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-26 23:41 185896]
    "Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
    "NeroFilterCheck "= "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
    "NVIDIA nTune "= "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-01-22 17:22 81920]
    "RemoteControl "= "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 21:01 71216]
    "LanguageShortcut "= "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 22:17 52256]
    "NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
    "NvMediaCenter "= "C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
    "AppleSyncNotifier "= "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
    "QuickTime Task "= "C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
    "CTHelper "= "CTHELPER.EXE" [2006-12-12 10:46 19456 C:\WINDOWS\system32\CtHelper.exe]
    "CTxfiHlp "= "CTXFIHLP.EXE" [2006-12-12 10:46 20480 C:\WINDOWS\system32\Ctxfihlp.exe]
    "nwiz "= "nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\CTFMON.EXE" [2008-04-15 02:30 15360]

    C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 11:40:44 282624]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.YV12 "= yv12vfw.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe "=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe "=
    "D:\\Games\\Savage 2 - A Tortured Soul\\savage2.exe "=
    "C:\\Program Files\\NextLink\\GOGOBOX\\GFSCAgent.exe "=
    "C:\\Program Files\\NextLink\\GOGOBOX\\gogobox.exe "=
    "C:\\WINDOWS\\system32\\PnkBstrA.exe "=
    "C:\\WINDOWS\\system32\\PnkBstrB.exe "=
    "C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe "=
    "C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe "=
    "C:\\Program Files\\uTorrent\\uTorrent.exe "=
    "C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe "=
    "D:\\Games\\Ubisoft\\XIII\\system\\XIII.exe "=
    "D:\\Games\\Microsoft Games\\Gears of War\\Binaries\\WarGame-G4WLive.exe "=
    "D:\\Games\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx9.exe "=
    "D:\\Games\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx10.exe "=
    "D:\\Games\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Launcher.exe "=
    "C:\\Program Files\\eREAD\\eREAD_Cookcase.exe "=
    "D:\\Games\\Rohan\\rohanclient.exe "=
    "C:\\Program Files\\eREAD\\eREAD\\eREAD_Cookcase.exe "=
    "C:\\Program Files\\Codemasters\\GRID\\GRID.exe "=
    "D:\\Games\\Mass Effect\\Binaries\\MassEffect.exe "=
    "D:\\Games\\Mass Effect\\MassEffectLauncher.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "C:\\Program Files\\iTunes\\iTunes.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "11777:TCP "= 11777:TCP:Foxy (192.168.0.137:11777) 11777 TCP
    "11777:UDP "= 11777:UDP:Foxy (192.168.0.137:11777) 11777 UDP

    R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2006-12-19 08:36]

    *Newly Created Service* - CATCHME
    .
    排程工作資料夾的內容
    "2008-05-30 00:28:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job "
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    .
    ------- Supplementary Scan -------
    .
    R0 -: HKCU-Main,Start Page = hxxp://www.tpg.com.au/
    R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://g.live.com/1rewlsup/WinInstaller
    R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/keyword/%s
    O17 -: HKLM\CCS\Interface\{1E037770-BEA2-44E4-BF12-0CF593B48AC7}: NameServer = 203.12.160.35,203.12.160.36
    O17 -: HKLM\CCS\Interface\{20436D73-8F39-4159-972A-D421E2977419}: NameServer = 203.12.160.35,203.12.160.36

    O16 -: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://www.johannrain-softwareentwicklung.de/EN/scan8/oscan8.cab
    C:\WINDOWS\Downloaded Program Files\oscan8.inf
    C:\WINDOWS\bdoscandellang.ini
    C:\WINDOWS\bdoscandel.exe
    C:\WINDOWS\Downloaded Program Files\live.ini
    C:\WINDOWS\Downloaded Program Files\scanoptions.tsi
    C:\WINDOWS\Downloaded Program Files\lang.ini
    C:\WINDOWS\Downloaded Program Files\ipsupd.dll
    C:\WINDOWS\Downloaded Program Files\bdupd.dll
    C:\WINDOWS\Downloaded Program Files\libfn.dll
    C:\WINDOWS\Downloaded Program Files\bdcore.dll
    C:\WINDOWS\Downloaded Program Files\oscan8.ocx

    O16 -: {B80CBA99-2493-4343-8A83-386E9F3CA5C2} - hxxp://cnc.isoshu.com/eread/WebReadOnLine_ATL.cab
    C:\WINDOWS\Downloaded Program Files\WebReadOnLine_ATL.inf
    C:\WINDOWS\system32\WebReadOnLine_ATL.dll


    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-07-22 14:53:29
    Windows 5.1.2600 Service Pack 3 NTFS

    掃描隱藏的程序...

    掃描隱藏的進程...

    掃描隱藏的檔案...

    掃描完成
    隱藏檔案: 0

    **************************************************************************
    .
    完成時間: 2008-07-22 14:53:57
    ComboFix-quarantined-files.txt 2008-07-22 04:53:49
    ComboFix2.txt 2008-07-21 09:00:06
    ComboFix3.txt 2008-07-20 21:49:17
    ComboFix4.txt 2008-07-20 06:54:49

    Pre-Run: 128,379,019,264 位元組可用
    Post-Run: 128,524,460,032 位元組可用

    250 --- E O F --- 2008-07-19 04:10:08
     
  15. 2008/07/22
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Looks great! As it turns out, those files you submitted a couple of days ago that we subsequently nuked, while not recognized as infected then, now are positively identified as rogue. :D

    How's the computer running now? Run another Kaspersky scan please. I think we'll find all infections are either quarantined or in System Restore points (which we will clean later), but it's best we know for sure.
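    As an added illustration (not code from this thread, ComboFix or Kaspersky), here is a small Python triage of report lines in the Kaspersky Online Scanner format posted in this thread: it sorts each detection by whether the file sits in a tool quarantine, in a System Restore point, or somewhere still live on disk. The sample lines are constructed from paths seen in the thread, and the quarantine prefixes are assumptions drawn from what the logs show.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the Kaspersky Online Scanner report
# posted above; the paths are taken from the thread, the selection is ours.
SAMPLE_REPORT = r"""
C:\QooBox\Quarantine\D\quagebenik.exe.vir Infected: Trojan.Win32.Agent.vix skipped
C:\QooBox\Quarantine\E\quagebenik.exe.vir Infected: Trojan-Downloader.Win32.Agent.wig skipped
C:\QooBox.zip ZIP: infected - 11 skipped
C:\System Volume Information\_restore{880704EE-F676-4D4C-B121-16CA9B835DCE}\RP6\A0000381.exe Infected: Trojan.Win32.Agent.vix skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Deckard\System Scanner\backup\DOCUME~1\STEVEN~1\LOCALS~1\Temp\bedol.tmp Infected: Trojan.Win32.Agent.vix skipped
D:\quagebenik.exe Infected: Trojan-Downloader.Win32.Agent.wig skipped
"""

# One result line is "<path> Infected: <name> skipped",
# "<path> ZIP: infected - <n> skipped" or "<path> Object is locked skipped".
# Paths may contain spaces, so the path group is non-greedy and the whole
# line is anchored at both ends.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:Infected: (?P<threat>\S+)"
    r"|ZIP: infected - (?P<count>\d+)"
    r"|Object is locked) skipped$"
)

# Assumed "contained" locations, taken from the paths in the thread: ComboFix
# quarantines under C:\QooBox, C:\QooBox.zip is the zipped copy made for upload,
# and C:\Deckard\System Scanner\backup holds the Deckard tool's backups.
# Prefixes are compared after the drive letter, in lower case.
QUARANTINE_PREFIXES = (
    r"\qoobox\quarantine",
    r"\qoobox.zip",
    r"\deckard\system scanner\backup",
)
RESTORE_POINT_PREFIX = r"\system volume information\_restore"


def classify(path):
    """Return 'quarantine', 'restore_point' or 'live' for a detected file path."""
    lowered = path.lower()
    body = lowered[2:] if lowered[1:2] == ":" else lowered  # drop the drive letter
    if any(body.startswith(prefix) for prefix in QUARANTINE_PREFIXES):
        return "quarantine"
    if body.startswith(RESTORE_POINT_PREFIX):
        return "restore_point"
    return "live"


def parse_report(text):
    """Yield (path, finding) per result line; finding is None for locked objects."""
    for line in text.splitlines():
        line = line.strip()
        m = LINE_RE.match(line) if line else None
        if m is None:
            continue  # header, statistics or blank line, not a result
        if m.group("threat"):
            yield m.group("path"), m.group("threat")
        elif m.group("count"):
            yield m.group("path"), "archive with %s infected member(s)" % m.group("count")
        else:
            yield m.group("path"), None


def triage(text):
    """Group detections by location; locked objects are not detections and are dropped."""
    groups = defaultdict(list)
    for path, finding in parse_report(text):
        if finding is None:
            continue
        groups[classify(path)].append((path, finding))
    return dict(groups)


def needs_attention(text):
    """Paths of detections outside quarantine and restore points: still to be cleaned."""
    return [path for path, _ in triage(text).get("live", [])]


if __name__ == "__main__":
    for category, hits in sorted(triage(SAMPLE_REPORT).items()):
        print("%s: %d" % (category, len(hits)))
        for path, finding in hits:
            print("    %s  [%s]" % (path, finding))
    print("needs attention:", needs_attention(SAMPLE_REPORT))
```

Run it over a full report pasted into SAMPLE_REPORT; an empty "needs attention" list is the programmatic form of the check noahdfear describes, while anything listed there is a file the cleanup has not yet reached.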
     
  16. 2008/07/23
    Dhunter224

    Dhunter224 Inactive Thread Starter

    Joined:
    2008/07/19
    Messages:
    10
    Likes Received:
    0
    Hey, everything's running OK, I suppose. It seems a bit slower than usual though, not sure if it's because of the virus or SP3...
    but anyway, here's the Kaspersky log:

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Wednesday, July 23, 2008 5:02:11 PM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 3 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 23/07/2008
    Kaspersky Anti-Virus database records: 995158
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\
    G:\
    H:\
    I:\
    J:\
    K:\

    Scan Statistics:
    Total number of scanned objects: 106521
    Number of viruses found: 2
    Number of infected objects: 47
    Number of suspicious objects: 0
    Duration of the scan process: 01:10:10

    Infected Object Name / Virus Name / Last Action
    C:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
    C:\Deckard\System Scanner\backup\DOCUME~1\STEVEN~1\LOCALS~1\Temp\bedol.tmp Infected: Trojan.Win32.Agent.vix skipped
    C:\Deckard\System Scanner\backup\DOCUME~1\STEVEN~1\LOCALS~1\Temp\boufiquify.tmp Infected: Trojan.Win32.Agent.vix skipped
    C:\Deckard\System Scanner\backup\DOCUME~1\STEVEN~1\LOCALS~1\Temp\geviw.tmp Infected: Trojan.Win32.Agent.vix skipped
    C:\Deckard\System Scanner\backup\DOCUME~1\STEVEN~1\LOCALS~1\Temp\liwaj.tmp Infected: Trojan.Win32.Agent.vix skipped
    C:\Deckard\System Scanner\backup\DOCUME~1\STEVEN~1\LOCALS~1\Temp\nycoo.tmp Infected: Trojan.Win32.Agent.vix skipped
    C:\Deckard\System Scanner\backup\DOCUME~1\STEVEN~1\LOCALS~1\Temp\pijoobuwo.tmp Infected: Trojan.Win32.Agent.vix skipped
    C:\Deckard\System Scanner\backup\DOCUME~1\STEVEN~1\LOCALS~1\Temp\watygouv.tmp Infected: Trojan.Win32.Agent.vix skipped
    C:\Deckard\System Scanner\backup\DOCUME~1\STEVEN~1\LOCALS~1\Temp\zelaqui.tmp Infected: Trojan.Win32.Agent.vix skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Steven Chang\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Steven Chang\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Steven Chang\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Steven Chang\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Steven Chang\Local Settings\History\History.IE5\MSHist012008072220080723\index.dat Object is locked skipped
    C:\Documents and Settings\Steven Chang\Local Settings\History\History.IE5\MSHist012008072320080724\index.dat Object is locked skipped
    C:\Documents and Settings\Steven Chang\Local Settings\Temp\hpodvd09.log Object is locked skipped
    C:\Documents and Settings\Steven Chang\Local Settings\Temp\~DFCD8E.tmp Object is locked skipped
    C:\Documents and Settings\Steven Chang\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\Steven Chang\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Steven Chang\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Steven Chang\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\logs\sw_ae-20080722-223937.log Object is locked skipped
    C:\QooBox\Quarantine\catchme2008-07-21_ 74854.26.zip/Documents and Settings/Steven Chang/catchme.zip/Suspect_bosi.exe.vir Infected: Trojan-Downloader.Win32.Agent.wig skipped
    C:\QooBox\Quarantine\catchme2008-07-21_ 74854.26.zip/Documents and Settings/Steven Chang/catchme.zip/Suspect_zurouporuj.exe.vir Infected: Trojan-Downloader.Win32.Agent.wig skipped
    C:\QooBox\Quarantine\catchme2008-07-21_ 74854.26.zip/Documents and Settings/Steven Chang/catchme.zip Infected: Trojan-Downloader.Win32.Agent.wig skipped
    C:\QooBox\Quarantine\catchme2008-07-21_ 74854.26.zip ZIP: infected - 3 skipped
    C:\QooBox\Quarantine\catchme2008-07-21_185737.29.zip/Documents and Settings/Steven Chang/catchme.zip/bosi.exe Infected: Trojan-Downloader.Win32.Agent.wig skipped
    C:\QooBox\Quarantine\catchme2008-07-21_185737.29.zip/Documents and Settings/Steven Chang/catchme.zip/zurouporuj.exe Infected: Trojan-Downloader.Win32.Agent.wig skipped
    C:\QooBox\Quarantine\catchme2008-07-21_185737.29.zip/Documents and Settings/Steven Chang/catchme.zip Infected: Trojan-Downloader.Win32.Agent.wig skipped
    C:\QooBox\Quarantine\catchme2008-07-21_185737.29.zip ZIP: infected - 3 skipped
    C:\QooBox\Quarantine\D\quagebenik.exe.vir Infected: Trojan.Win32.Agent.vix skipped
    C:\QooBox\Quarantine\E\quagebenik.exe.vir Infected: Trojan-Downloader.Win32.Agent.wig skipped
    C:\QooBox\Quarantine\J\quagebenik.exe.vir Infected: Trojan.Win32.Agent.vix skipped
    C:\QooBox.zip/QooBox/Quarantine/catchme2008-07-21_ 74854.26.zip/Documents and Settings/Steven Chang/catchme.zip/Suspect_bosi.exe.vir Infected: Trojan-Downloader.Win32.Agent.wig skipped
    C:\QooBox.zip/QooBox/Quarantine/catchme2008-07-21_ 74854.26.zip/Documents and Settings/Steven Chang/catchme.zip/Suspect_zurouporuj.exe.vir Infected: Trojan-Downloader.Win32.Agent.wig skipped
    C:\QooBox.zip/QooBox/Quarantine/catchme2008-07-21_ 74854.26.zip/Documents and Settings/Steven Chang/catchme.zip Infected: Trojan-Downloader.Win32.Agent.wig skipped
    C:\QooBox.zip/QooBox/Quarantine/catchme2008-07-21_ 74854.26.zip Infected: Trojan-Downloader.Win32.Agent.wig skipped
    C:\QooBox.zip/QooBox/Quarantine/catchme2008-07-21_185737.29.zip/Documents and Settings/Steven Chang/catchme.zip/bosi.exe Infected: Trojan-Downloader.Win32.Agent.wig skipped
    C:\QooBox.zip/QooBox/Quarantine/catchme2008-07-21_185737.29.zip/Documents and Settings/Steven Chang/catchme.zip/zurouporuj.exe Infected: Trojan-Downloader.Win32.Agent.wig skipped
    C:\QooBox.zip/QooBox/Quarantine/catchme2008-07-21_185737.29.zip/Documents and Settings/Steven Chang/catchme.zip Infected: Trojan-Downloader.Win32.Agent.wig skipped
    C:\QooBox.zip/QooBox/Quarantine/catchme2008-07-21_185737.29.zip Infected: Trojan-Downloader.Win32.Agent.wig skipped
    C:\QooBox.zip/QooBox/Quarantine/D/quagebenik.exe.vir Infected: Trojan.Win32.Agent.vix skipped
    C:\QooBox.zip/QooBox/Quarantine/E/quagebenik.exe.vir Infected: Trojan-Downloader.Win32.Agent.wig skipped
    C:\QooBox.zip/QooBox/Quarantine/J/quagebenik.exe.vir Infected: Trojan.Win32.Agent.vix skipped
    C:\QooBox.zip ZIP: infected - 11 skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{880704EE-F676-4D4C-B121-16CA9B835DCE}\RP1\A0000008.exe Infected: Trojan.Win32.Agent.vix skipped
    C:\System Volume Information\_restore{880704EE-F676-4D4C-B121-16CA9B835DCE}\RP1\A0000009.exe Infected: Trojan.Win32.Agent.vix skipped
    C:\System Volume Information\_restore{880704EE-F676-4D4C-B121-16CA9B835DCE}\RP1\A0000020.exe Infected: Trojan.Win32.Agent.vix skipped
    C:\System Volume Information\_restore{880704EE-F676-4D4C-B121-16CA9B835DCE}\RP1\A0000031.exe Infected: Trojan.Win32.Agent.vix skipped
    C:\System Volume Information\_restore{880704EE-F676-4D4C-B121-16CA9B835DCE}\RP1\A0000038.exe Infected: Trojan.Win32.Agent.vix skipped
    C:\System Volume Information\_restore{880704EE-F676-4D4C-B121-16CA9B835DCE}\RP1\A0000039.exe Infected: Trojan.Win32.Agent.vix skipped
    C:\System Volume Information\_restore{880704EE-F676-4D4C-B121-16CA9B835DCE}\RP1\A0000055.exe Infected: Trojan-Downloader.Win32.Agent.wig skipped
    C:\System Volume Information\_restore{880704EE-F676-4D4C-B121-16CA9B835DCE}\RP2\A0000117.exe Infected: Trojan-Downloader.Win32.Agent.wig skipped
    C:\System Volume Information\_restore{880704EE-F676-4D4C-B121-16CA9B835DCE}\RP4\A0000248.exe Infected: Trojan-Downloader.Win32.Agent.wig skipped
    C:\System Volume Information\_restore{880704EE-F676-4D4C-B121-16CA9B835DCE}\RP5\A0000263.exe Infected: Trojan-Downloader.Win32.Agent.wig skipped
    C:\System Volume Information\_restore{880704EE-F676-4D4C-B121-16CA9B835DCE}\RP5\A0000264.exe Infected: Trojan-Downloader.Win32.Agent.wig skipped
    C:\System Volume Information\_restore{880704EE-F676-4D4C-B121-16CA9B835DCE}\RP6\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\Temp\Perflib_Perfdata_288.dat Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    D:\System Volume Information\_restore{880704EE-F676-4D4C-B121-16CA9B835DCE}\RP6\A0000381.exe Infected: Trojan.Win32.Agent.vix skipped
    D:\System Volume Information\_restore{880704EE-F676-4D4C-B121-16CA9B835DCE}\RP6\change.log Object is locked skipped
    E:\Steven\photos\Movies\甲斐正明-正妹很好看.rmvb_CRCDATA_ Object is locked skipped
    E:\Steven\photos\Movies\甲斐正明-正妹很好看.rmvb_NEO_ Object is locked skipped
    E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    E:\System Volume Information\_restore{880704EE-F676-4D4C-B121-16CA9B835DCE}\RP1\A0000013.exe Infected: Trojan.Win32.Agent.vix skipped
    E:\System Volume Information\_restore{880704EE-F676-4D4C-B121-16CA9B835DCE}\RP1\A0000014.exe Infected: Trojan-Downloader.Win32.Agent.wig skipped
    E:\System Volume Information\_restore{880704EE-F676-4D4C-B121-16CA9B835DCE}\RP6\A0000382.exe Infected: Trojan-Downloader.Win32.Agent.wig skipped
    E:\System Volume Information\_restore{880704EE-F676-4D4C-B121-16CA9B835DCE}\RP6\change.log Object is locked skipped
    J:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    J:\System Volume Information\_restore{880704EE-F676-4D4C-B121-16CA9B835DCE}\RP6\A0000383.exe Infected: Trojan.Win32.Agent.vix skipped
    J:\System Volume Information\_restore{880704EE-F676-4D4C-B121-16CA9B835DCE}\RP6\change.log Object is locked skipped

    Scan process completed.

    Thanks for the help so far.
     
  17. 2008/07/23
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Great! All infected items are in quarantine and System Restore points. Let's clean those up now. Click Start>Run and type ComboFix /u then hit Enter to uninstall ComboFix and remove the files it has quarantined. This action will also reset the System Restore points on the operating system drive, removing the infected files there as well. The C:\Deckard's folder will also be removed. You can delete any logs that were created/saved too.


    Delete all of the MSNCleaner files and folder.
    C:\Program Files\MsnCleaner_eng
    C:\MSNCleaner
    C:\Program Files\MsnCleaner_eng.zip


    Right click My Computer and select Properties
    Select the System Restore tab
    Select a drive (other than your operating system drive, usually C: ) in the list that is shown as Monitoring then click Settings
    Select the box in the popup to Turn off System Restore on this drive and click OK
    Repeat for all drives listed
    Once you've turned them off, you can go back and clear the box to turn it back on, if desired
    This will clear the infected System Restore points on those drives as well.

    Download ATF Cleaner by Atribune and save it to your Desktop.
    • Double click ATF-Cleaner.exe to run the program.
    • Check the boxes to the left of:

      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Prefetch
      • Java Cache
      • Recycle bin

    • The rest are optional - if you want it to remove everything check "Select All ".
    • Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.


    If you haven't done so already, check MSN to see if everything is as it should be.
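The conclusion in the post above ("all infected items are in quarantine and System Restore points") is drawn by reading each line of the scanner report and checking where the flagged object lives. Below is an added example of that triage done in code; it is not from the thread or from any of the tools mentioned. It parses the report format quoted earlier ("<path> Infected: <detection> skipped" / "<path> Object is locked skipped"), classifies each path as a restore point, a quarantine folder, or the live file system, and lists only the infected objects that still sit on the live file system and therefore still need removal. The sample lines are constructed (restore-point GUID and drive letters kept, file names shortened or invented), and the C:\Qoobox\Quarantine path used as a quarantine example is an assumption for illustration, not something quoted in this section.

```python
import re
from collections import Counter

# Constructed sample lines in the report format of the online scanner log
# quoted in the thread (drive letters and restore-point GUID kept, file
# names shortened or invented; this is not the poster's full log).
SAMPLE_REPORT = """\
C:\\System Volume Information\\_restore{880704EE-F676-4D4C-B121-16CA9B835DCE}\\RP2\\A0000117.exe Infected: Trojan-Downloader.Win32.Agent.wig skipped
C:\\WINDOWS\\system32\\config\\SAM Object is locked skipped
D:\\System Volume Information\\_restore{880704EE-F676-4D4C-B121-16CA9B835DCE}\\RP6\\A0000381.exe Infected: Trojan.Win32.Agent.vix skipped
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\sample_dropper.exe.vir Infected: Trojan.Win32.Agent.vix skipped
E:\\Steven\\photos\\Movies\\clip.rmvb_NEO_ Object is locked skipped
C:\\Documents and Settings\\user\\sample_dropper.exe Infected: Trojan.Win32.Agent.vix skipped
Scan process completed.
"""

# One report line is "<path> Infected: <detection> <action>" or
# "<path> Object is locked <action>". Paths contain spaces, so the path is
# matched non-greedily up to the first recognised verdict keyword.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?:Infected:\s+(?P<detection>\S+)|(?P<locked>Object is locked))"
    r"\s+(?P<action>\S+)\s*$"
)

# Restore points live under "<drive>:\System Volume Information\_restore{GUID}".
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{", re.IGNORECASE)
# Assumed quarantine layout: any path component named "Quarantine" (e.g. C:\Qoobox\Quarantine).
QUARANTINE_RE = re.compile(r"\\Quarantine\\", re.IGNORECASE)


def classify_location(path):
    """Where the object lives: a restore point, a quarantine folder, or the live file system."""
    if RESTORE_RE.search(path):
        return "restore_point"
    if QUARANTINE_RE.search(path):
        return "quarantine"
    return "live"


def parse_report(text):
    """Turn report lines into records; lines that are not verdicts (e.g. the trailer) are ignored."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        verdict = "locked" if m.group("locked") else "infected"
        records.append({
            "path": m.group("path"),
            "verdict": verdict,
            "detection": m.group("detection"),  # None for locked objects
            "action": m.group("action"),
            "location": classify_location(m.group("path")),
        })
    return records


def summarize(records):
    """Count (verdict, location) pairs, e.g. ('infected', 'restore_point') -> 2."""
    return Counter((r["verdict"], r["location"]) for r in records)


def needs_attention(records):
    """Infected objects that are neither quarantined nor inside a restore point.

    Quarantined items are removed when the cleaner is uninstalled and restore
    points are purged by toggling System Restore, as the thread describes;
    anything left here still has to be dealt with directly.
    """
    return [r["path"] for r in records
            if r["verdict"] == "infected" and r["location"] == "live"]


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    for (verdict, location), count in sorted(summarize(recs).items()):
        print(f"{verdict:9} {location:14} {count}")
    print("still on live file system:", needs_attention(recs))
```

Run against the real report, `needs_attention()` coming back empty is the check behind the "all in quarantine and restore points" verdict; locked system hives and event logs (`Object is locked skipped`) are noise from files held open by Windows, not detections, which is why they are counted separately.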
     
  18. 2008/07/24
    Dhunter224

    Dhunter224 Inactive Thread Starter

    Joined:
    2008/07/19
    Messages:
    10
    Likes Received:
    0
    Thanks very much for all your help.... everything seems to be running smoothly again!
     
  19. 2008/07/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Glad to hear that, and happy I could help. You're most welcome!

    Geri has posted some very helpful information and recommendations regarding future protection in the following link.

    http://www.windowsbbs.com/showthread.php?t=67958

    Surf safe! :)
     
