Msaro.exe
leelokhin
Junior Member with 19 posts.
Join Date: Feb 2008
13-Feb-2008, 01:24 AM #1
Msaro.exe
Every time I start up Windows XP, I get this error box saying something about Windows not finding "msaro.exe." The sound for an error comes out even before the startup music of Windows XP.

I have searched on Google about msaro.exe, but all I get is some Chinese websites saying that msaro.exe is a virus related to removable storage devices. I have a theory that my antivirus (Avast Home edition) deleted msaro.exe, but didn't delete the startup registry entry for it, so Windows keeps looking for it at startup.

I would paste a picture of the error, but my version of Windows is in Chinese, so....

Can somebody help me?

Msconfig doesn't work; there is nothing there that should not be there. Any suggestions?

I THINK it may be integrated with explorer.exe, especially after reading the HJT log.

I have done 3 recent virus scans (around 3 days ago, when this error started happening). One is with Avast Home edition, one with Ad-Aware, and after Avast's virus database updated, I scanned again.

Thanks so much in advance



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:19:07, on 13/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\VM303_STI.EXE
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\3Com\Launcher.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Sandboxie\SbieSvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\3Com\LanSupportService.exe
C:\Program Files\3Com\WLAN Manager\AllWirelessLansService.exe
C:\PROGRA~1\3Com\WLANMA~1\Activate.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe msaro.exe
O1 - Hosts: 24.13.34.142 gameguard.mapleglobal.com
O2 - BHO: Octh Class - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UVS11 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
O4 - HKLM\..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\RunOnce: [Execute] C:\WINDOWS\System32\Tools\DelFolders.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [SandboxieControl] C:\Program Files\Sandboxie\Control.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {05BCE06B-A300-4C4E-A42F-4C04BCCDE63B} (TRLuncherROC Control) - http://weblogin.talesrunner.com.hk/TRLuncherROC.cab
O16 - DPF: {4D054067-DE3A-48F9-B19B-BCD229B9AE8D} (PrinterHelpEtcActiveX Control) - http://dev.imagingworld.co.kr/printe.../DrPrinter.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1186315696984
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1186316532500
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AllWirelessLansService - Unknown owner - C:\Program Files\3Com\WLAN Manager\AllWirelessLansService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: RCP CALLBACK Security (ISASSNT) - Unknown owner - C:\WINDOWS\system32\ISASSNT.EXE (file missing)
O23 - Service: LanSupportService - Unknown owner - C:\Program Files\Common Files\3Com\LanSupportService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 9635 bytes


I was recommended by techyclick to post a hijackthis log in here. Would any of you guys be able to help me? Thanks.
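The `F2 - REG:system.ini: Shell=Explorer.exe msaro.exe` line in the log above is the Winlogon Shell value, which on a clean XP system reads exactly `Explorer.exe`; anything appended to it is started at every logon, and once the file itself is gone that leftover entry is what produces the "cannot find" error. As an added example (not the poster's and not HijackThis code), here is a Python triage pass over constructed log lines in the same format that flags that Shell hijack together with the orphaned `(no file)` BHO and `(file missing)` service entries also present in the log.

```python
"""Triage pass over HijackThis-format log lines.

Added example for this thread (not HijackThis code and not the poster's).
It flags three things seen in the log above: a Winlogon Shell value that
launches more than Explorer.exe, BHOs whose DLL is gone, and services whose
binary is missing. The sample lines are constructed to mirror the log's format.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample lines in HijackThis v2 format (modelled on the thread's log).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe msaro.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: RCP CALLBACK Security (ISASSNT) - Unknown owner - C:\WINDOWS\system32\ISASSNT.EXE (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
SERVICE_MISSING_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?) \(file missing\)$"
)


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section code, e.g. "F2", "O2", "O23"
    reason: str    # why the line deserves a look
    detail: str    # the specific value to research


def shell_extras(shell_value: str) -> List[str]:
    """Return every program in a Winlogon Shell value other than Explorer.exe.

    A clean XP system has Shell=Explorer.exe and nothing else; extra entries,
    separated by spaces or commas, are started at every logon. If the file is
    later deleted (e.g. by antivirus) but the value is left behind, Windows
    reports that it cannot find the program, as described in the thread.
    """
    parts = [p for p in re.split(r"[\s,]+", shell_value.strip()) if p]
    return [p for p in parts if p.lower() != "explorer.exe"]


def triage(log_text: str) -> List[Finding]:
    """Scan HijackThis lines and return entries that warrant follow-up."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = SHELL_RE.match(line)
        if m:
            extras = shell_extras(m.group(1))
            if extras:
                findings.append(Finding(
                    "F2", "Winlogon Shell launches program(s) besides Explorer.exe",
                    ", ".join(extras)))
            continue

        # A BHO registered under a CLSID whose DLL no longer exists on disk.
        if line.startswith("O2 - BHO:") and line.endswith("(no file)"):
            clsid = CLSID_RE.search(line)
            findings.append(Finding(
                "O2", "BHO is registered but its DLL is gone (orphaned CLSID)",
                clsid.group(0) if clsid else line))
            continue

        # A service whose ImagePath points at a binary that is not on disk.
        m = SERVICE_MISSING_RE.match(line)
        if m:
            findings.append(Finding(
                "O23", "Service points at a missing binary",
                f"{m['name']}: {m['path']} (owner: {m['owner']})"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.detail}")
```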
Cookiegal
Administrator with 51,861 posts.
Join Date: Aug 2003
Location: Quebec, Canada
29-Apr-2008, 11:05 AM #2
Hi and welcome to TSG,

Please visit Combofix Guide & Instructions for instructions for downloading and running ComboFix:

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

Combofix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished.

Note: During this process, it would help a great deal and be very much appreciated if you would refrain from installing any new software or hardware on this machine, unless absolutely necessary, until the clean up process is finished as it makes our job more tedious, with additional new files that may have to be researched, which is very time consuming.

Also, please do not run any security programs or fixes on your own as doing so may compromise what we will be doing. It is important that you wait for instructions.
__________________
Microsoft MVP - Consumer Security

Alliance of Security Analysis Professionals
leelokhin
Junior Member with 19 posts.
Join Date: Feb 2008
01-May-2008, 01:55 AM #3
Thanks for the help. That error Msaro.exe has gone somehow, but two new ones have come up: Kavo.exe and 1.exe. I googled Kavo.exe and found that it's a trojan, and I think ComboFix managed to fix it for me. Windows Recovery Console did not install correctly, so I skipped that part. Anyway, onto the logs.

Combofix:

ComboFix 08-04-29.5 - Lee Lok Hin 2008-05-01 13:42:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.950.886.1028.18.437 [GMT 8:00]
執行位置?: C:\Documents and Settings\Lee Lok Hin\桌面\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((( 其他遭刪除的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\WINDOWS\system32\kavo.exe
C:\WINDOWS\system32\kavo0.dll
C:\WINDOWS\system32\kavo1.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


(((((((((((((((((((((((((((( 2008-04-01 - 2008-05-01 之間建立的檔案 )))))))))))))))))))))))))))))))))
.

2008-04-30 06:43 . 2008-04-30 06:43 118,845 -r-hs---- C:\930jn.bat
2008-04-29 20:40 . 2007-08-01 22:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-29 19:48 . 2008-04-29 20:52 <DIR> d-------- C:\Documents and Settings\Lee Lok Hin\.housecall6.6
2008-04-27 21:29 . 2008-04-27 21:29 <DIR> d-------- C:\Temp\scarpack
2008-04-27 14:25 . 2008-04-29 19:44 118,688 -r-hs---- C:\mka.bat
2008-04-24 17:20 . 2008-04-26 13:08 117,357 -r-hs---- C:\8386nac.com
2008-04-24 17:20 . 2008-04-24 01:19 116,871 -r-hs---- C:\0.com
2008-04-20 21:09 . 2008-04-20 21:09 <DIR> d-------- C:\Program Files\Lavalys
2008-04-17 18:05 . 2008-04-17 18:05 <DIR> d-------- C:\Program Files\Java
2008-04-17 18:05 . 2008-04-17 18:05 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-17 18:05 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-17 14:20 . 2008-04-19 22:44 <DIR> d-------- C:\Program Files\xchat
2008-04-17 14:20 . 2008-04-28 17:47 <DIR> d-------- C:\Documents and Settings\Lee Lok Hin\Application Data\X-Chat 2
2008-04-14 22:30 . 2008-04-14 22:57 <DIR> d-------- C:\HideWindowPlus
2008-04-14 18:06 . 2008-04-14 18:15 <DIR> d-------- C:\WINDOWS\.mpr_file_store_32
2008-04-02 10:17 . 2008-04-02 10:17 <DIR> d-------- C:\Documents and Settings\Lee Lok Hin\Application Data\Talkback
2008-04-01 13:23 . 2008-04-01 13:23 155,648 --a------ C:\WINDOWS\system32\libssl32.dll
2008-04-01 10:01 . 2007-12-26 17:30 1,970,176 --a------ C:\WINDOWS\system32\d3dx9.dll
2008-04-01 10:01 . 2007-12-26 17:30 679,936 --a------ C:\WINDOWS\system32\D3DX81ab.dll

.
(((((((((((((((((((((((((((((((((((( 近三個月內更動的檔案 )))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-01 05:44 --------- d-----w C:\Documents and Settings\Lee Lok Hin\Application Data\DNA
2008-05-01 03:33 --------- d-----w C:\Documents and Settings\LocalService\Application Data\VMware
2008-05-01 03:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2008-05-01 03:32 --------- d-----w C:\Documents and Settings\Lee Lok Hin\Application Data\VMware
2008-04-29 07:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-29 07:24 --------- d-----w C:\Program Files\LucasArts
2008-04-28 12:19 --------- d-----w C:\Documents and Settings\Lee Lok Hin\Application Data\Orbit
2008-04-23 22:51 --------- d-----w C:\Program Files\SCAR 3.15
2008-04-22 13:48 --------- d-----w C:\Program Files\Covey Inc
2008-04-17 09:06 --------- d-----w C:\Program Files\Cheat Engine
2008-04-13 11:59 --------- d-----w C:\Program Files\Animated GIF producer 4.0
2008-04-04 08:35 --------- d-----w C:\Program Files\mfk
2008-04-01 01:57 --------- d-----w C:\Program Files\CamStudio
2008-03-31 07:22 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-31 02:54 --------- d-----w C:\Program Files\TechSmith
2008-03-31 02:54 --------- d-----w C:\Program Files\Common Files\TechSmith Shared
2008-03-31 02:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\TechSmith
2008-03-30 06:14 --------- d-----w C:\Documents and Settings\Lee Lok Hin\Application Data\Thinstall
2008-03-28 09:46 --------- d-----w C:\Documents and Settings\Lee Lok Hin\Application Data\ACASystems
2008-03-28 09:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\ACASystems
2008-03-28 09:45 --------- d-----w C:\Program Files\ACASystems
2008-03-27 02:05 --------- d-----w C:\Program Files\Orbitdownloader
2008-03-26 05:37 49,744 ----a-w C:\Documents and Settings\Lee Lok Hin\Application Data\GDIPFONTCACHEV1.DAT
2008-03-20 08:41 --------- d-----w C:\Program Files\Microsoft Games
2008-03-20 07:58 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-03-20 07:00 --------- d-----w C:\Program Files\Website Downloader
2008-03-18 13:09 --------- d-----w C:\Program Files\BitLord
2008-03-18 13:04 --------- d-----w C:\Program Files\SystemRequirementsLab
2008-03-18 13:04 --------- d-----w C:\Documents and Settings\Lee Lok Hin\Application Data\SystemRequirementsLab
2008-03-16 13:57 --------- d-----w C:\Program Files\BitComet
2008-03-16 13:13 --------- d-----w C:\Program Files\Smallvideosoft
2008-03-14 15:14 --------- d-----w C:\Program Files\Accessdiver
2008-03-14 12:51 --------- d-----w C:\Program Files\CCleaner
2008-03-14 12:45 --------- d-----w C:\Documents and Settings\Lee Lok Hin\Application Data\Microsoft Games
2008-03-12 14:39 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-06 12:34 --------- d-----w C:\Documents and Settings\Lee Lok Hin\Application Data\Sierra
.

(((((((((((((((((((((((((((((((((((((((((( 重要登錄檔 )))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*注意* 空白或合法的登錄值將不會顯示

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:47 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-09-18 22:16 171464]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-04-11 14:39 288576]
"HideWindowPlus"="C:\HideWindowPlus\HWinPlus.exe" [2006-03-19 01:05 714752]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 13:31 208952]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 15:48 455168]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 15:48 455168]
"VTTimer"="VTTimer.exe" [2005-03-08 03:33 53248 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2006-07-11 02:33 176128 C:\WINDOWS\system32\VTTrayp.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 18:04 2879488 C:\WINDOWS\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-12-19 11:12 16062464 C:\WINDOWS\RTHDCPL.EXE]
"Samsung PanelMgr"="C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe" [2006-06-07 19:25 507904]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"BigDog303"="C:\WINDOWS\VM303_STI.exe" [2005-04-30 18:46 49152]
"UVS11 Preload"="C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe" [2007-03-03 14:12 341488]
"VMware hqtray"="C:\Program Files\VMware\VMware Workstation\hqtray.exe" [2007-10-08 09:26 55856]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-30 02:37 79224]
"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe" [2007-09-26 23:16 2339840]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"vmware-tray"="C:\Program Files\VMware\VMware Workstation\vmware-tray.exe" [2007-10-08 09:27 72240]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 15:47 15360]

C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\
HotSync Manager.lnk - C:\Palm\HOTSYNC.EXE [2007-11-25 16:59:51 282624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
Reboot.exe [2006-12-29 18:35:16 409088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.MPEGacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
"msacm.ulmp3acm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm
"VIDC.YV12"= yv12vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Nexon\\MapleStory\\Patcher.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Nexon\\MapleStory\\MapleStory.exe"=
"C:\\Program Files\\softnyx\\GunboundWC\\GunBound.gme"=
"C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"C:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"C:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"C:\\Program Files\\LittleFighter2\\LF2_v1.9c_Non_transformed\\lf2.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"C:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"C:\\Program Files\\LucasArts\\Star Wars Jedi Knight Jedi Academy\\GameData\\jamp.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\empires2.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\xchat\\xchat.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Glob allyOpenPorts\List]
"25331:TCP"= 25331:TCP:BitComet 25331 TCP
"25331:UDP"= 25331:UDP:BitComet 25331 UDP

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-10-17 20:22]
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-10-18 17:39]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-30 02:31]
R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2007-09-22 17:34]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-30 02:35]
S2 ISASSNT;RCP CALLBACK Security;C:\WINDOWS\system32\ISASSNT.EXE []
S3 CEDRIVER53;CEDRIVER53;C:\Program Files\Cheat Engine\dbk32.sys [2007-12-27 05:45]
S3 DADriv1;DADriv1;C:\Documents and Settings\Lee Lok Hin\桌面\Da HackPack\DAK32.sys []
S3 DRIVER1111;DRIVER1111;C:\Documents and Settings\Lee Lok Hin\桌面\CELite\dbk32.sys []
S3 Dua1;Dua1;C:\Documents and Settings\Lee Lok Hin\桌面\DualEngine2\DualEngi.sys []
S3 Engine;Engine;C:\Documents and Settings\Lee Lok Hin\桌面\stripper_v213b9\Engine.sys []
S3 geebers12;geebers12;C:\Documents and Settings\Lee Lok Hin\桌面\packard engine\packard engine\PACKARD Engine\nvid888.sys []
S3 GR;GR;C:\Documents and Settings\Lee Lok Hin\桌面\DualEngine2\GR.sys []
S3 IlvMoneyDRIVER53;IlvMoneyDRIVER53;C:\Documents and Settings\Lee Lok Hin\桌面\Akash's v.46 HackPack\Akash's v.46 HackPack\IlvMoney1083.sys []
S3 MzBot;MzBot;C:\MzBot.sys []
S3 projectx1;projectx1;C:\Documents and Settings\Lee Lok Hin\桌面\Project X\Project X\FelipeZe.sys []
S3 Revolution1;Revolution1;C:\Documents and Settings\Lee Lok Hin\桌面\Rev Engine, and UPDATED CT(2)\Rev Engine, and UPDATED CT\Revolution_Engine_8.3_ShaK3\SHAK3.sys []
S3 Sex1;Sex1;C:\Documents and Settings\Lee Lok Hin\桌面\Guess\SexEngine\Sex.sys [2007-10-05 22:25]
S3 SM_clp300_FUService;CLP-300 Status Monitor Service;"C:\Program Files\Samsung\Samsung CLP-300 Series\SPanel\ssmsrvc /Service []
S3 SoRa01;SoRa01;C:\Documents and Settings\Lee Lok Hin\桌面\新資料夾\PedZing_Engine\PedZing Engine\SoRa.sys []
S3 SoRa1;SoRa1;C:\Documents and Settings\Lee Lok Hin\桌面\sora_engine_2.3__1058__157\SoRa_Engine_2.3__1058_\SoRa Engine 2.3\SoRa23.sys []
S3 SoRa11;SoRa11;C:\Documents and Settings\Lee Lok Hin\桌面\SoRa_0.3\So Ra 0.3\SoRa.sys []
S3 sys_com001;sys_com001;C:\Documents and Settings\Lee Lok Hin\桌面\SysComEngine_1059\SysComEngine_1059\syscom.sys []
S3 WLUX96;3Com 3CRSHEW696 Wireless LAN USB Adapter;C:\WINDOWS\system32\DRIVERS\WLUX96F.SYS [2002-09-06 12:45]
S3 白目國中生1;白目國中生1;C:\Documents and Settings\Lee Lok Hin\桌面\VE5_1032\VE5 1032\nvid999.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountp oints2\{8ecf9d20-bf66-11dc-9132-000475bb4bd6}]
\Shell\AutoRun\command - G:\mka.bat
\Shell\explore\Command - G:\mka.bat
\Shell\open\Command - G:\mka.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountp oints2\{9fe4d3d6-8b8a-11dc-9078-000475bb572b}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountp oints2\{d46da128-a656-11dc-90f3-000475bb4bd6}]
\Shell\AutoRun\command - F:\
\Shell\explore\Command - F:\System~1\com1.{21ec2020-3aea-1069-a2dd-08002b30309d}\ntldr.pif
\Shell\open\Command - F:\System~1\com1.{21ec2020-3aea-1069-a2dd-08002b30309d}\ntldr.pif

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountp oints2\{e1030f82-8e90-11dc-9083-000475bb572b}]
\Shell\AutoRun\command - F:\
\Shell\explore\Command - System~1\com1.{21ec2020-3aea-1069-a2dd-08002b30309d}\ntldr.pif
\Shell\open\Command - System~1\com1.{21ec2020-3aea-1069-a2dd-08002b30309d}\ntldr.pif

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountp oints2\{f12b58a6-c658-11dc-9143-000475bb4bd6}]
\Shell\AutoRun\command - k2.cmd
\Shell\explore\Command - k2.cmd
\Shell\open\Command - k2.cmd

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-01 13:46:00
Windows 5.1.2600 Service Pack 2 NTFS

掃描隱藏的程序...

掃描隱藏的進程...

掃描隱藏的檔案...


folder error: C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\
folder error: C:\Documents and Settings\Lee Lok Hin\「開始」功能表\程式集\啟動\

掃描完成
隱藏檔案?: 15

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\}v襒 W-Nu1 ]
"ImagePath"="\??\C:\Documents and Settings\Lee Lok Hin\桌面\VE5_1032\VE5 1032\nvid999.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SM_clp300_FUService]
"ImagePath"="\"C:\Program Files\Samsung\Samsung CLP-300 Series\SPanel\ssmsrvc /Service"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
完成時間?: 2008-05-01 13:50:02 - machine was rebooted [Lee Lok Hin]
ComboFix-quarantined-files.txt 2008-05-01 05:49:58

14 個目錄 85,583,974,400 位元組可用
16 個目錄 85,621,321,728 位元組可用

260 --- E O F --- 2008-04-13 14:49:43



HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:52:29, on 1/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\VM303_STI.EXE
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\HideWindowPlus\HWinPlus.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [UVS11 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [HideWindowPlus] C:\HideWindowPlus\HWinPlus.exe -background
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: ACA Capture: Capture all Flash... - C:\Program Files\ACASystems\ACACapturePro\add-ons\ie-flash-all.htm
O8 - Extra context menu item: ACA Capture: Capture all images... - C:\Program Files\ACASystems\ACACapturePro\add-ons\ie-image-all.htm
O8 - Extra context menu item: ACA Capture: Capture current image... - C:\Program Files\ACASystems\ACACapturePro\add-ons\ie-image.htm
O8 - Extra context menu item: ACA Capture: Capture webpage contents to image... - C:\Program Files\ACASystems\ACACapturePro\add-ons\ie-webpage-to-image.htm
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: 超級屏捕: 將網頁內容擷取存為圖像... - C:\Program Files\ACASystems\ACACapturePro\add-ons\ie-webpage-to-image.htm
O8 - Extra context menu item: 超級屏捕: 擷取所有 Flash... - C:\Program Files\ACASystems\ACACapturePro\add-ons\ie-flash-all.htm
O8 - Extra context menu item: 超級屏捕: 擷取所有圖像... - C:\Program Files\ACASystems\ACACapturePro\add-ons\ie-image-all.htm
O8 - Extra context menu item: 超級屏捕: 擷取當前圖像... - C:\Program Files\ACASystems\ACACapturePro\add-ons\ie-image.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/27.44/uploader2.cab
O16 - DPF: {4D054067-DE3A-48F9-B19B-BCD229B9AE8D} (PrinterHelpEtcActiveX Control) - http://dev.imagingworld.co.kr/printe.../DrPrinter.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1186315696984
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1186316532500
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: RCP CALLBACK Security (ISASSNT) - Unknown owner - C:\WINDOWS\system32\ISASSNT.EXE (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 8466 bytes
Cookiegal's Avatar
Administrator with 51,861 posts.
 
Join Date: Aug 2003
Location: Quebec, Canada
01-May-2008, 01:43 PM #4
First, you need to insert your F and G drives so they are connected when doing this.

Download Flash_Disinfector.exe by sUBs from here and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.


With the external drives still connected, please do the following:

Note: The script we are going to run will delete the following scarpack folder, which I'm 99% sure is malware, but if you recognize it as something you created and/or want, please let me know and do NOT proceed beyond this point.

C:\Temp\scarpack


We are also removing drivers for various game cheats because their files are missing, so I assume you uninstalled them or they were infected and deleted by virus scanners.


Open Notepad and copy and paste the text in the code box below into it:

Code:
File::
C:\930jn.bat
C:\mka.bat
C:\8386nac.com
C:\0.com
G:\mka.bat

Folder::
C:\Temp\scarpack

Driver::
DADriv1
DRIVER1111
Dua1
Engine
geebers12
GR
IlvMoneyDRIVER53
ISASSNT
MzBot
projectx1
Revolution1
SoRa01
SoRa1
SoRa11
sys_com001
白目國中生1

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8ecf9d20-bf66-11dc-9132-000475bb4bd6}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d46da128-a656-11dc-90f3-000475bb4bd6}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1030f82-8e90-11dc-9083-000475bb572b}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f12b58a6-c658-11dc-9143-000475bb4bd6}]
Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.




This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.
__________________
Microsoft MVP - Consumer Security

Alliance of Security Analysis Professionals
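A small triage helper for the HijackThis v2 log format posted throughout this thread, added here as an example (it is not code from the thread, from HijackThis or from ComboFix). It parses the O4 Run entries and O23 service lines and flags the two signals the helper acted on above: a service whose binary is reported "(file missing)" and whose owner is "Unknown owner", as with ISASSNT, plus an informational note for Run entries that carry a bare filename and so do not tell you where the executable lives. The sample log is constructed from lines in the same format as the logs above; the flag wording and heuristics are this example's own.

```python
"""Triage helper for HijackThis v2 logs (added example, not part of the
thread or of any tool it mentions)."""
import re
from dataclasses import dataclass

# Constructed sample in the format of the thread's logs; the ISASSNT line
# mirrors the service entry the helper put in the Driver:: section.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:46:38, on 2/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [HideWindowPlus] C:\HideWindowPlus\HWinPlus.exe -background
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: RCP CALLBACK Security (ISASSNT) - Unknown owner - C:\WINDOWS\system32\ISASSNT.EXE (file missing)
"""

O4_RE = re.compile(r'^O4 - (?P<hive>[^:]+):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
O23_RE = re.compile(r'^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$')
EXE_EXT = ('.exe', '.com', '.bat', '.cmd', '.scr', '.pif', '.dll')
MISSING = '(file missing)'


@dataclass
class Entry:
    section: str   # 'O4' or 'O23'
    name: str      # Run value name or service display name
    path: str      # executable as written in the log, arguments removed
    flags: tuple   # triage findings; empty when nothing stood out


def split_command(cmd):
    """Return (executable, arguments) for an O4 command string.

    Handles a quoted executable ("C:\\Program Files\\x\\y.exe" /flag) and an
    unquoted path containing spaces by cutting after the first token run
    that ends in an executable extension."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    tokens = cmd.split(' ')
    for i in range(1, len(tokens) + 1):
        head = ' '.join(tokens[:i])
        if head.lower().endswith(EXE_EXT):
            return head, ' '.join(tokens[i:])
    return cmd, ''


def parse_log(text):
    """Parse O4 and O23 lines into Entry objects with triage flags."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            exe, _args = split_command(m.group('cmd'))
            flags = []
            if '\\' not in exe:
                # HijackThis prints the registry value verbatim; a bare
                # filename is resolved by Windows at boot, so the log alone
                # does not say which file actually runs (the ComboFix log
                # in this thread shows the resolved path next to it).
                flags.append('bare filename: location not shown in log')
            entries.append(Entry('O4', m.group('name'), exe, tuple(flags)))
            continue
        m = O23_RE.match(line)
        if m:
            path = m.group('path')
            flags = []
            if path.endswith(MISSING):
                path = path[:-len(MISSING)].strip()
                flags.append('file missing: service entry outlived its binary')
            if m.group('owner') == 'Unknown owner':
                flags.append('unknown owner: no publisher in version info')
            entries.append(Entry('O23', m.group('display'), path, tuple(flags)))
    return entries


def flagged(entries):
    """Only the entries that carry at least one triage flag."""
    return [e for e in entries if e.flags]


if __name__ == '__main__':
    for e in flagged(parse_log(SAMPLE_LOG)):
        print(f'{e.section} {e.name!r} -> {e.path}')
        for f in e.flags:
            print(f'    * {f}')
```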
leelokhin's Avatar
Junior Member with 19 posts.
 
Join Date: Feb 2008
02-May-2008, 02:47 AM #5
I recognise Scarpack, and I am sure it is not a virus. Thanks for the help. I did not run the CFScript as you said not to proceed after that point, but I ran the flash cleaner, and here is a new HJThis log.

Oh, and on another topic. There should not be any more torrent installations on my computer, but there seem to be some registry entries left. Is it possible to clean them?

HJThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:46:38, on 2/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\VM303_STI.EXE
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\HideWindowPlus\HWinPlus.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Documents and Settings\Lee Lok Hin\桌面\SCAR 3.15\scar.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [UVS11 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [HideWindowPlus] C:\HideWindowPlus\HWinPlus.exe -background
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: ACA Capture: Capture all Flash... - C:\Program Files\ACASystems\ACACapturePro\add-ons\ie-flash-all.htm
O8 - Extra context menu item: ACA Capture: Capture all images... - C:\Program Files\ACASystems\ACACapturePro\add-ons\ie-image-all.htm
O8 - Extra context menu item: ACA Capture: Capture current image... - C:\Program Files\ACASystems\ACACapturePro\add-ons\ie-image.htm
O8 - Extra context menu item: ACA Capture: Capture webpage contents to image... - C:\Program Files\ACASystems\ACACapturePro\add-ons\ie-webpage-to-image.htm
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: 超級屏捕: 將網頁內容擷取存為圖像... - C:\Program Files\ACASystems\ACACapturePro\add-ons\ie-webpage-to-image.htm
O8 - Extra context menu item: 超級屏捕: 擷取所有 Flash... - C:\Program Files\ACASystems\ACACapturePro\add-ons\ie-flash-all.htm
O8 - Extra context menu item: 超級屏捕: 擷取所有圖像... - C:\Program Files\ACASystems\ACACapturePro\add-ons\ie-image-all.htm
O8 - Extra context menu item: 超級屏捕: 擷取當前圖像... - C:\Program Files\ACASystems\ACACapturePro\add-ons\ie-image.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/27.44/uploader2.cab
O16 - DPF: {4D054067-DE3A-48F9-B19B-BCD229B9AE8D} (PrinterHelpEtcActiveX Control) - http://dev.imagingworld.co.kr/printe.../DrPrinter.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1186315696984
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1186316532500
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: RCP CALLBACK Security (ISASSNT) - Unknown owner - C:\WINDOWS\system32\ISASSNT.EXE (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 9171 bytes
Cookiegal's Avatar
Administrator with 51,861 posts.
 
Join Date: Aug 2003
Location: Quebec, Canada
02-May-2008, 11:22 AM #6
Thanks for letting me know about that folder. I've removed it from this new script so it won't be deleted.

Please follow the previous instructions but use this new script:

Code:
File::
C:\930jn.bat
C:\mka.bat
C:\8386nac.com
C:\0.com
G:\mka.bat

Driver::
DADriv1
DRIVER1111
Dua1
Engine
geebers12
GR
IlvMoneyDRIVER53
ISASSNT
MzBot
projectx1
Revolution1
SoRa01
SoRa1
SoRa11
sys_com001
白目國中生1

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8ecf9d20-bf66-11dc-9132-000475bb4bd6}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d46da128-a656-11dc-90f3-000475bb4bd6}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1030f82-8e90-11dc-9083-000475bb572b}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f12b58a6-c658-11dc-9143-000475bb4bd6}]
leelokhin's Avatar
Junior Member with 19 posts.
 
Join Date: Feb 2008
02-May-2008, 11:57 AM #7
Thanks for all the help. There are no more visible symptoms of any viruses now, and everything seems to be normal, apart from the fact that Avast!'s virus protection icon at the lower right corner of the screen seems to have disappeared, but it is still in processes, and when I turn it off, a Windows security warning pops up, so I suppose that's just a minor bug.

What antivirus would you recommend me to use? And here are the ComboFix log and the HJThis log.

ComboFix

ComboFix 08-04-29.5 - Lee Lok Hin 2008-05-02 23:43:14.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.950.886.1028.18.515 [GMT 8:00]
執行位置?: C:\Documents and Settings\Lee Lok Hin\桌面\HJT\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lee Lok Hin\桌面\HJT\Cfscript.txt.txt
* 已建立新的還原點

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\0.com
C:\8386nac.com
C:\930jn.bat
C:\mka.bat
G:\mka.bat
.

(((((((((((((((((((((((((((((((((((((( 其他遭刪除的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\0.com
C:\8386nac.com
C:\930jn.bat
C:\mka.bat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DADRIV1
-------\Legacy_DRIVER1111
-------\Legacy_DUA1
-------\Legacy_ENGINE
-------\Legacy_GEEBERS12
-------\Legacy_GR
-------\Legacy_ILVMONEYDRIVER53
-------\Legacy_ISASSNT
-------\Legacy_MZBOT
-------\Legacy_PROJECTX1
-------\Legacy_REVOLUTION1
-------\Legacy_SORA01
-------\Legacy_SORA1
-------\Legacy_SORA11
-------\Legacy_SYS_COM001
-------\Service_DADriv1
-------\Service_DRIVER1111
-------\Service_Dua1
-------\Service_Engine
-------\Service_geebers12
-------\Service_GR
-------\Service_IlvMoneyDRIVER53
-------\Service_ISASSNT
-------\Service_MzBot
-------\Service_projectx1
-------\Service_Revolution1
-------\Service_SoRa01
-------\Service_SoRa1
-------\Service_SoRa11
-------\Service_sys_com001
-------\Service_白目國中生1


(((((((((((((((((((((((((((( 2008-04-02 - 2008-05-02 之間建立的檔案 )))))))))))))))))))))))))))))))))
.

2008-04-29 20:40 . 2007-08-01 22:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-29 19:48 . 2008-04-29 20:52 <DIR> d-------- C:\Documents and Settings\Lee Lok Hin\.housecall6.6
2008-04-27 21:29 . 2008-04-27 21:29 <DIR> d-------- C:\Temp\scarpack
2008-04-20 21:09 . 2008-04-20 21:09 <DIR> d-------- C:\Program Files\Lavalys
2008-04-17 18:05 . 2008-04-17 18:05 <DIR> d-------- C:\Program Files\Java
2008-04-17 18:05 . 2008-04-17 18:05 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-17 18:05 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-17 14:20 . 2008-04-19 22:44 <DIR> d-------- C:\Program Files\xchat
2008-04-17 14:20 . 2008-04-28 17:47 <DIR> d-------- C:\Documents and Settings\Lee Lok Hin\Application Data\X-Chat 2
2008-04-14 22:30 . 2008-04-14 22:57 <DIR> d-------- C:\HideWindowPlus
2008-04-14 18:06 . 2008-04-14 18:15 <DIR> d-------- C:\WINDOWS\.mpr_file_store_32
2008-04-02 10:17 . 2008-04-02 10:17 <DIR> d-------- C:\Documents and Settings\Lee Lok Hin\Application Data\Talkback

.
(((((((((((((((((((((((((((((((((((( 近三個月內更動的檔案 )))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-02 15:47 --------- d-----w C:\Documents and Settings\Lee Lok Hin\Application Data\Orbit
2008-05-02 09:03 --------- d-----w C:\Documents and Settings\Lee Lok Hin\Application Data\DNA
2008-05-02 09:00 --------- d-----w C:\Documents and Settings\Lee Lok Hin\Application Data\VMware
2008-05-02 06:01 --------- d-----w C:\Documents and Settings\LocalService\Application Data\VMware
2008-05-02 06:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2008-04-29 07:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-29 07:24 --------- d-----w C:\Program Files\LucasArts
2008-04-23 22:51 --------- d-----w C:\Program Files\SCAR 3.15
2008-04-22 13:48 --------- d-----w C:\Program Files\Covey Inc
2008-04-17 09:06 --------- d-----w C:\Program Files\Cheat Engine
2008-04-13 11:59 --------- d-----w C:\Program Files\Animated GIF producer 4.0
2008-04-04 08:35 --------- d-----w C:\Program Files\mfk
2008-04-01 01:57 --------- d-----w C:\Program Files\CamStudio
2008-03-31 07:22 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-31 02:54 --------- d-----w C:\Program Files\TechSmith
2008-03-31 02:54 --------- d-----w C:\Program Files\Common Files\TechSmith Shared
2008-03-31 02:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\TechSmith
2008-03-30 06:14 --------- d-----w C:\Documents and Settings\Lee Lok Hin\Application Data\Thinstall
2008-03-28 09:46 --------- d-----w C:\Documents and Settings\Lee Lok Hin\Application Data\ACASystems
2008-03-28 09:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\ACASystems
2008-03-28 09:45 --------- d-----w C:\Program Files\ACASystems
2008-03-27 02:05 --------- d-----w C:\Program Files\Orbitdownloader
2008-03-26 05:37 49,744 ----a-w C:\Documents and Settings\Lee Lok Hin\Application Data\GDIPFONTCACHEV1.DAT
2008-03-20 08:41 --------- d-----w C:\Program Files\Microsoft Games
2008-03-20 07:58 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-03-20 07:00 --------- d-----w C:\Program Files\Website Downloader
2008-03-18 13:09 --------- d-----w C:\Program Files\BitLord
2008-03-18 13:04 --------- d-----w C:\Program Files\SystemRequirementsLab
2008-03-18 13:04 --------- d-----w C:\Documents and Settings\Lee Lok Hin\Application Data\SystemRequirementsLab
2008-03-16 13:57 --------- d-----w C:\Program Files\BitComet
2008-03-16 13:13 --------- d-----w C:\Program Files\Smallvideosoft
2008-03-14 15:14 --------- d-----w C:\Program Files\Accessdiver
2008-03-14 12:51 --------- d-----w C:\Program Files\CCleaner
2008-03-14 12:45 --------- d-----w C:\Documents and Settings\Lee Lok Hin\Application Data\Microsoft Games
2008-03-12 14:39 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-06 12:34 --------- d-----w C:\Documents and Settings\Lee Lok Hin\Application Data\Sierra
.

((((((((((((((((((((((((((((( snapshot@2008-05-01_13.49.48.28 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-01 05:45:33 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-02 15:46:51 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-01 05:45:37 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_2e4.dat
+ 2008-05-02 15:46:56 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_2e4.dat
+ 2008-05-02 15:48:44 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_b54.dat
.
-- Snapshot reset to current date --
.
(((((((((((((((((((((((((((((((((((((((((( 重要登錄檔 )))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*注意* 空白或合法的登錄值將不會顯示

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:47 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-09-18 22:16 171464]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-04-11 14:39 288576]
"HideWindowPlus"="C:\HideWindowPlus\HWinPlus.exe" [2006-03-19 01:05 714752]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 13:31 208952]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 15:48 455168]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 15:48 455168]
"VTTimer"="VTTimer.exe" [2005-03-08 03:33 53248 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2006-07-11 02:33 176128 C:\WINDOWS\system32\VTTrayp.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 18:04 2879488 C:\WINDOWS\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-12-19 11:12 16062464 C:\WINDOWS\RTHDCPL.EXE]
"Samsung PanelMgr"="C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe" [2006-06-07 19:25 507904]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"BigDog303"="C:\WINDOWS\VM303_STI.exe" [2005-04-30 18:46 49152]
"UVS11 Preload"="C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe" [2007-03-03 14:12 341488]
"VMware hqtray"="C:\Program Files\VMware\VMware Workstation\hqtray.exe" [2007-10-08 09:26 55856]
"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe" [2007-09-26 23:16 2339840]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"vmware-tray"="C:\Program Files\VMware\VMware Workstation\vmware-tray.exe" [2007-10-08 09:27 72240]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 15:47 15360]

C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\
HotSync Manager.lnk - C:\Palm\HOTSYNC.EXE [2007-11-25 16:59:51 282624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
Orbit.lnk - C:\Program Files\Orbitdownloader\orbitdm.exe [2007-08-07 15:43:42 1678536]
Reboot.exe [2006-12-29 18:35:16 409088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.MPEGacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
"msacm.ulmp3acm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm
"VIDC.YV12"= yv12vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Nexon\\MapleStory\\Patcher.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Nexon\\MapleStory\\MapleStory.exe"=
"C:\\Program Files\\softnyx\\GunboundWC\\GunBound.gme"=
"C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"C:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"C:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"C:\\Program Files\\LittleFighter2\\LF2_v1.9c_Non_transformed\\lf2.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"C:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"C:\\Program Files\\LucasArts\\Star Wars Jedi Knight Jedi Academy\\GameData\\jamp.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\empires2.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\xchat\\xchat.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"25331:TCP"= 25331:TCP:BitComet 25331 TCP
"25331:UDP"= 25331:UDP:BitComet 25331 UDP

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-10-17 20:22]
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-10-18 17:39]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-30 02:31]
R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2007-09-22 17:34]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-30 02:35]
S3 CEDRIVER53;CEDRIVER53;C:\Program Files\Cheat Engine\dbk32.sys [2007-12-27 05:45]
S3 Sex1;Sex1;C:\Documents and Settings\Lee Lok Hin\桌面\Guess\SexEngine\Sex.sys [2007-10-05 22:25]
S3 SM_clp300_FUService;CLP-300 Status Monitor Service;"C:\Program Files\Samsung\Samsung CLP-300 Series\SPanel\ssmsrvc /Service []
S3 WLUX96;3Com 3CRSHEW696 Wireless LAN USB Adapter;C:\WINDOWS\system32\DRIVERS\WLUX96F.SYS [2002-09-06 12:45]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9fe4d3d6-8b8a-11dc-9078-000475bb572b}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-02 23:47:16
Windows 5.1.2600 Service Pack 2 NTFS

掃描隱藏的程序...

掃描隱藏的進程...

掃描隱藏的檔案...


folder error: C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\
folder error: C:\Documents and Settings\Lee Lok Hin\「開始」功能表\程式集\啟動\

掃描完成
隱藏檔案?: 15

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SM_clp300_FUService]
"ImagePath"="\"C:\Program Files\Samsung\Samsung CLP-300 Series\SPanel\ssmsrvc /Service"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
完成時間?: 2008-05-02 23:51:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-02 15:51:13
ComboFix2.txt 2008-05-01 05:50:02

14 個目錄 88,505,503,744 位元組可用
17 個目錄 88,496,824,320 位元組可用

233 --- E O F --- 2008-04-13 14:49:43


HJTHIS

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:52:32, on 2/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\VM303_STI.EXE
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\HideWindowPlus\HWinPlus.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [UVS11 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [HideWindowPlus] C:\HideWindowPlus\HWinPlus.exe -background
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: ACA Capture: Capture all Flash... - C:\Program Files\ACASystems\ACACapturePro\add-ons\ie-flash-all.htm
O8 - Extra context menu item: ACA Capture: Capture all images... - C:\Program Files\ACASystems\ACACapturePro\add-ons\ie-image-all.htm
O8 - Extra context menu item: ACA Capture: Capture current image... - C:\Program Files\ACASystems\ACACapturePro\add-ons\ie-image.htm
O8 - Extra context menu item: ACA Capture: Capture webpage contents to image... - C:\Program Files\ACASystems\ACACapturePro\add-ons\ie-webpage-to-image.htm
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: 超級屏捕: 將網頁內容擷取存為圖像... - C:\Program Files\ACASystems\ACACapturePro\add-ons\ie-webpage-to-image.htm
O8 - Extra context menu item: 超級屏捕: 擷取所有 Flash... - C:\Program Files\ACASystems\ACACapturePro\add-ons\ie-flash-all.htm
O8 - Extra context menu item: 超級屏捕: 擷取所有圖像... - C:\Program Files\ACASystems\ACACapturePro\add-ons\ie-image-all.htm
O8 - Extra context menu item: 超級屏捕: 擷取當前圖像... - C:\Program Files\ACASystems\ACACapturePro\add-ons\ie-image.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/27.44/uploader2.cab
O16 - DPF: {4D054067-DE3A-48F9-B19B-BCD229B9AE8D} (PrinterHelpEtcActiveX Control) - http://dev.imagingworld.co.kr/printe.../DrPrinter.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1186315696984
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1186316532500
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O