Live Chat & Podcast at 1:00PM Eastern on Sunday!
There's no such thing as a stupid question, but they're the easiest to answer.
JoinTour
Login
Search
Virus & Other Malware Removal
Go to first new post Google Hijacker/Google Search Result vir ...
Go to first new post server not found
Go to first new post slow computer, downloads over a few mb f ...
Go to first new post Ramnit virus, nearly cleared
Go to first new post Trojan: Win32/Alureon.FK - hijack this l ...
Go to first new post Network, good; Internet, bad
Go to first new post Windows live Messenger Virus
Go to first new post We Got System Checked :-(
Go to first new post This setup thing keeps popping up everyd ...
Go to first new post Extremely unresponsive, massive hang-ups ...
Go to first new post Trojan:dos/alureon.E still here!
Go to first new post Cannot access any google sites - youtube ...
Go to first new post "Congratulations, you won" &am ...
Go to first new post Black desktop, missing all shortcuts, fi ...
Go to first new post Microsoft Visual C++ Runtime Library Buf ...
Tag Cloud
access acer asus bios bsod computer crash desktop driver drivers error ethernet excel freeze gaming hard drive hardware hdmi internet laptop malware memory modem monitor motherboard network printer problem ram registry router security slow software sound toshiba trojan ubuntu 11.10 uninstall usb video virus vista wifi windows windows 7 windows 7 32 bit windows 7 64 bit windows xp wireless
Search
Search for:
Tech Support Guy Forums > Security & Malware Removal > Virus & Other Malware Removal >
Vundo Trojan problem on XP, HJT log included (New)

Page 1 of 2 1 2
Reply  
Thread Tools
tianwang_ice's Avatar
Junior Member with 11 posts.
  
Join Date: Jul 2008
Experience: Intermediate
09-Jul-2008, 08:26 AM #1
Vundo Trojan problem on XP, HJT log included
Hi all, I'm running a Dell Vostro 1500 laptop with Windows XP Media Center Edition 2005. A week or so ago I downloaded something I shouldn't have and contracted what seems to be a case of the Vundo Trojan. I went through a round of trying to manually rid my computer of the virus, knowing anti-virus programs will probably do little good. I deleted a number of .exe and .dll files (tried to be as thorough as I could, with information from anti-virus programs and HJT), but the virus was more resilient, and has been growing for the past couple of days, to the point where I can barely use my computer anymore. Symptoms include:
Explorer loads very slowly (or not at all) at startup
System generally slower than usual, especially after some use
Popups claiming my computer is infected and urging me to buy some bogus software
IE is almost unusable; Firefox is prone to freeze up
McAfee On-Access Scan repeatedly attempts to delete files, to no avail

At the moment I am aware of the few randomly-named .dll files present in the windows/system32 folder, and I have tried to delete them in a number of ways, just short of booting up into pure DOS (because I don't have a DOS boot disk right now), and all have failed. Seems like the .dll's are attached to explorer.exe and/or winlogon.exe. I also think that deleting the .dll's may not completely solve the problem.

HJT log follows. Any help is greatly appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:54:21 PM, on 7/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\OEM02Mon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrobat.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Tencent\QQ\QQ.exe
C:\Program Files\Tencent\QQ\TXPlatform.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {27825B77-2E5A-44D3-9225-F75AADDF219a} - C:\WINDOWS\system32\gngspckc.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: (no name) - {4E3E60F5-F691-475F-AFBA-CF9FCAB47C15} - C:\WINDOWS\system32\byXQHyxy.dll
O2 - BHO: (no name) - {6C85430B-AEE5-4001-A533-8C407B14B011} - C:\WINDOWS\system32\rqRLbcDW.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {7F0D62DB-A553-4A00-B9F9-9C242034E423} - C:\Documents and Settings\Yao\Local Settings\Temporary Internet Files\Content.IE5\0UE1H6EB\3077ahntdksr[1].dll
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\WINDOWS\OEM02Mon.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [KONICA MINOLTA magicolor 2400W STD] C:\WINDOWS\system32\MSTMON_S.EXE STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [7427decd] rundll32.exe "C:\WINDOWS\system32\bshrivol.dll",b
O4 - HKLM\..\Run: [BM7714ed51] Rundll32.exe "C:\WINDOWS\system32\ndnipwom.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: 使用迅雷下载 - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ???ˉ??ŕ×5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: ???ˉ??ŕ×5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/de...e/HPDEXAXO.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{97B74142-5485-4308-A220-FBA6733B0328}: NameServer = 218.30.19.40,61.134.1.4
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Filter: application/xhtml+xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: application/xhtml+xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O20 - Winlogon Notify: byXQHyxy - C:\WINDOWS\SYSTEM32\byXQHyxy.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrlAPI - Unknown owner - C:\cygwin\bin\cygrunsrv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 13199 bytes
Register for free to hide this ad!
Cookiegal's Avatar
Administrator & Malware Removal Specialist with 79,286 posts.
  
Join Date: Aug 2003
Location: Quebec, Canada
12-Jul-2008, 11:02 AM #2
Hi and welcome to TSG,

Please visit Combofix Guide & Instructions for instructions for installing the recovery console and downloading and running ComboFix:

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished.

Note: During this process, it would help a great deal and be very much appreciated if you would refrain from installing any new software or hardware on this machine, unless absolutely necessary, until the clean up process is finished as it makes our job more tedious, with additional new files that may have to be researched, which is very time consuming.

Also, please do not run any security programs or fixes on your own as doing so may compromise what we will be doing. It is important that you wait for instructions.
__________________
Microsoft MVP - Consumer Security
tianwang_ice's Avatar
Junior Member with 11 posts.
  
Join Date: Jul 2008
Experience: Intermediate
12-Jul-2008, 03:38 PM #3
Hi,

Thanks for the reply. I downloaded and ran ComboFix, installing the Recovery Console along the way. Here's the ComboFix log:
______________________________________________________________
ComboFix 08-07-07.3 - Yao 2008-07-13 2:01:11.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.936.86.1033.18.1399 [GMT 8:00]
Running from: C:\Documents and Settings\Yao\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Yao\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\biipeens.dll
C:\WINDOWS\system32\byXQHyxy.dll
C:\WINDOWS\system32\cfsqyjnv.ini
C:\WINDOWS\system32\gaxptfko.dll
C:\WINDOWS\system32\gngspckc.dll
C:\WINDOWS\system32\gqypkmyg.ini
C:\WINDOWS\system32\gymkpyqg.dll
C:\WINDOWS\system32\hawuueco.dll
C:\WINDOWS\system32\hqvdidnx.dll
C:\WINDOWS\system32\ljJARijJ.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mdrifbgq.ini
C:\WINDOWS\system32\mnvgioso.dll
C:\WINDOWS\system32\ndnipwom.dll
C:\WINDOWS\system32\opnlJcdc.dll
C:\WINDOWS\system32\osoigvnm.ini
C:\WINDOWS\system32\qgbfirdm.dll
C:\WINDOWS\system32\qogkhuqy.dll
C:\WINDOWS\system32\rqRLbcDW.dll
C:\WINDOWS\system32\sjodeofk.dll
C:\WINDOWS\system32\sneepiib.ini
C:\WINDOWS\system32\snpnoyrc.dll
C:\WINDOWS\system32\tuvTMFVp.dll
C:\WINDOWS\system32\ubpjjejm.dll
C:\WINDOWS\system32\vnjyqsfc.dll
C:\WINDOWS\system32\WDcbLRqr.ini
C:\WINDOWS\system32\WDcbLRqr.ini2
C:\WINDOWS\Web\def.htm

.
((((((((((((((((((((((((( Files Created from 2008-06-12 to 2008-07-12 )))))))))))))))))))))))))))))))
.

2008-07-09 15:52 . 2008-07-10 19:29 1,852,784 --ahs---- C:\WINDOWS\system32\lovirhsb.ini
2008-07-08 13:18 . 2008-07-12 19:08 110,438 --a------ C:\WINDOWS\BM7714ed51.xml
2008-07-04 02:17 . 2008-03-19 11:26 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-07-04 02:17 . 2008-07-04 02:17 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-03 22:34 . 2008-07-03 22:34 1,702,166 --ahs---- C:\WINDOWS\system32\nplhbjmr.ini
2008-07-03 21:50 . 2008-07-03 22:29 <DIR> d-------- C:\TDDOWNLOAD
2008-07-03 21:42 . 2008-07-03 22:29 763 --a------ C:\WINDOWS\system32\cid_store.dat
2008-07-03 21:42 . 2008-07-03 21:42 26 --a------ C:\WINDOWS\system32\xlhcc.dat
2008-07-03 21:42 . 2008-07-03 21:42 20 --a------ C:\WINDOWS\system32\pub_store.dat
2008-07-03 21:41 . 2008-07-03 21:41 <DIR> d-------- C:\Program Files\Thunder Network
2008-07-03 21:41 . 2008-07-03 21:41 <DIR> d-------- C:\Program Files\Common Files\Thunder Network
2008-07-03 21:41 . 2008-07-03 21:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Thunder Network
2008-07-03 14:42 . 2008-07-03 14:42 <DIR> d-------- C:\Program Files\Bonjour
2008-07-03 09:38 . 2008-07-03 09:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-03 09:29 . 2008-07-03 10:30 1,718,640 --ahs---- C:\WINDOWS\system32\hbhddbcf.ini
2008-07-03 03:20 . 2008-06-21 11:35 3,262 --a------ C:\WINDOWS\system32\sex2.ico
2008-07-03 03:16 . 2008-07-03 09:27 90,838 --a------ C:\WINDOWS\system32\phc77fj0ee3r.bmp
2008-07-03 03:16 . 2008-06-21 11:35 3,262 --a------ C:\WINDOWS\system32\sex1.ico
2008-06-30 14:38 . 2008-06-30 14:38 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\SogouPY.users
2008-06-30 14:38 . 2008-07-10 19:30 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\SogouPY
2008-06-30 00:38 . 2008-06-30 00:38 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SogouPY.users
2008-06-30 00:38 . 2008-07-13 02:20 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SogouPY
2008-06-29 22:11 . 2008-06-29 22:16 <DIR> d-------- C:\Program Files\SogouInput
2008-06-29 22:11 . 2008-06-29 22:11 <DIR> d-------- C:\Documents and Settings\Yao\Application Data\SogouPY.users
2008-06-29 22:11 . 2008-07-13 02:22 <DIR> d-------- C:\Documents and Settings\Yao\Application Data\SogouPY
2008-06-29 22:00 . 2008-06-29 22:00 <DIR> d-------- C:\Program Files\TTOD
2008-06-29 01:24 . 2008-06-29 01:25 <DIR> d-------- C:\Documents and Settings\Yao\Application Data\rockbox.org
2008-06-28 23:48 . 2008-06-28 23:48 <DIR> d-------- C:\Program Files\SanDisk
2008-06-20 19:22 . 2008-06-20 19:22 1,238,320 --a------ C:\WINDOWS\system32\SogouPy.ime
2008-06-19 19:24 . 2008-06-19 19:24 <DIR> d-------- C:\Program Files\ADV
2008-06-19 00:27 . 2008-06-19 00:27 <DIR> d-------- C:\Documents and Settings\Yao\Application Data\My Games
2008-06-19 00:23 . 2008-06-19 00:23 <DIR> d---s---- C:\Program Files\Xfire
2008-06-19 00:23 . 2008-06-19 00:23 <DIR> d-------- C:\Documents and Settings\Yao\Application Data\Xfire
2008-06-18 23:59 . 2008-06-18 23:59 <DIR> d-------- C:\Program Files\Firaxis Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-03 06:42 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-29 14:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-14 02:19 --------- d-----w C:\Documents and Settings\Yao\Application Data\U3
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-03 06:31 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-06-02 02:15 --------- d-----w C:\Program Files\HP
2008-06-02 02:15 --------- d-----w C:\Program Files\Hewlett-Packard
2008-06-02 02:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2008-06-02 02:12 --------- d-----w C:\Documents and Settings\Yao\Application Data\HP
2008-05-30 21:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\CyberLink
2008-05-28 07:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2008-05-28 07:13 --------- d-----w C:\Documents and Settings\Yao\Application Data\CyberLink
2008-05-28 07:11 --------- d-----w C:\Program Files\CyberLink
2008-05-28 07:10 --------- d-----w C:\Program Files\SmartSound Software
2008-05-28 07:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\SmartSound Software Inc
2008-05-28 05:13 --------- d-----w C:\Program Files\FlashGet
2008-05-27 04:20 --------- d-----w C:\Program Files\Lexmark X5100 Series
2008-05-14 07:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
.

------- Sigcheck -------

2007-10-31 00:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2004-08-10 19:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2007-10-31 01:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-31 01:20 360064 ef7834c1d9ddf4c7da697d8c24a03791 C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 19:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 00:24 1694208]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-02-14 07:09 486856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 19:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 19:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 19:00 455168]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-06 02:56 64512]
"OEM02Mon.exe"="C:\WINDOWS\OEM02Mon.exe" [2007-02-02 14:00 36864]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-28 05:10 851968]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-11-17 16:03 8495104]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2007-10-10 08:17 2183168]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-02-23 09:50 112216]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-12-20 00:27 136768]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 16:25 144784]
"KONICA MINOLTA magicolor 2400W STD"="C:\WINDOWS\system32\MSTMON_S.EXE" [2005-06-23 05:38 184320]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 11:16 39792]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 11:24 620152]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-29 11:37 413696]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 11:12 49152]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-19 08:22 185896]
"nwiz"="nwiz.exe" [2007-11-17 16:03 1626112 C:\WINDOWS\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [2007-11-17 16:03 86016 C:\WINDOWS\system32\nvhotkey.dll]
"NvMediaCenter"="NvMCTray.dll" [2007-11-17 16:03 81920 C:\WINDOWS\system32\nvmctray.dll]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\syste m]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
"msacm.divxa32"= msaud32_divx.acm
=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-02-14 07:09 486856 C:\Program Files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
--a------ 2007-03-16 06:16 454784 C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 13:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2003-07-13 15:49 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SansaDispatch]
--a------ 2007-10-22 12:52 75584 C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-03-19 08:22 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Tencent\\QQ\\QQ.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\Tencent\\QQ\\Qzone\\Qzone.exe"=
"C:\\Program Files\\Tencent\\QQ\\QQUpdateCenter.exe"=
"C:\\Program Files\\Counter-Strike\\cstrike.exe"=
"C:\\Program Files\\Tencent\\QQ\\QQMusic.exe"=
"C:\\ijji\\ENGLISH\\u_gbound.exe"=
"C:\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme"=
"C:\\cygwin\\home\\ocaml-3.10.2\\config\\auto-aux\\tst.exe"=
"C:\\Program Files\\FlashGet\\flashget.exe"=
"C:\\InstantRails-2.0-win\\apache\\Apache.exe"=
"C:\\InstantRails-2.0-win\\ruby\\bin\\ruby.exe"=
"C:\\Program Files\\CyberLink\\PowerDirector\\PDR.exe"=
"C:\\Program Files\\Tencent\\QQ\\QzoneMusic.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Thunder Network\\Thunder\\Program\\Thunder5.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Glob allyOpenPorts\List]
"18655:TCP"= 18655:TCP:BitComet 18655 TCP
"18655:UDP"= 18655:UDP:BitComet 18655 UDP
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R2 BCMWLNPF;Broadcom Netgroup Packet Filter;C:\WINDOWS\system32\drivers\bcmwlnpf.sys [2007-10-10 08:17]
R2 ppsio2;PPDevice;C:\WINDOWS\system32\drivers\ppsio2.sys [1999-06-30 15:49]
R3 OEM02Dev;Creative Camera OEM002 Driver;C:\WINDOWS\system32\DRIVERS\OEM02Dev.sys [2007-03-20 14:00]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;C:\WINDOWS\system32\DRIVERS\OEM02Vfx.sys [2007-03-06 07:45]
S2 SSPORT;SSPORT;C:\WINDOWS\system32\Drivers\SSPORT.sys []
S3 BrlAPI;BrlAPI;C:\cygwin\bin\cygrunsrv.exe [2008-03-18 18:28]

.
- - - - ORPHANS REMOVED - - - -

BHO-{7F0D62DB-A553-4A00-B9F9-9C242034E423} - C:\Documents and Settings\Yao\Local Settings\Temporary Internet Files\Content.IE5\0UE1H6EB\3077ahntdksr[1].dll
HKLM-Run-7427decd - C:\WINDOWS\system32\vnjyqsfc.dll
HKLM-Run-BM7714ed51 - C:\WINDOWS\system32\gaxptfko.dll
MSConfigStartUp-7427decd - C:\WINDOWS\system32\rmjbhlpn.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-13 02:21:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\McAfee\Common Framework\Mctray.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2008-07-13 2:32:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-12 18:32:20

Pre-Run: 14,326,317,056 bytes free
Post-Run: 14,696,771,584 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
;
;Warning: Boot.ini is used on Windows XP and earlier operating systems.
;Warning: Use BCDEDIT.exe to modify Windows Vista boot options.
;
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /NOEXECUTE=OPTIN /FASTDETECT
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

251 --- E O F --- 2008-06-20 19:01:17

______________________________________________________________

and the new HJT log:
______________________________________________________________
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:36:59 AM, on 7/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\OEM02Mon.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\MSTMON_S.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\WINDOWS\OEM02Mon.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [KONICA MINOLTA magicolor 2400W STD] C:\WINDOWS\system32\MSTMON_S.EXE STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: 使用迅雷下载 - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ???ˉ??ŕ×5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: ???ˉ??ŕ×5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/de...e/HPDEXAXO.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8FD4E30B-7A86-4330-AC82-E0226100A4B4}: NameServer = 61.134.1.4 218.30.19.40
O17 - HKLM\System\CCS\Services\Tcpip\..\{97B74142-5485-4308-A220-FBA6733B0328}: NameServer = 218.30.19.40,61.134.1.4
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Filter: application/xhtml+xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: application/xhtml+xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrlAPI - Unknown owner - C:\cygwin\bin\cygrunsrv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 12655 bytes
Cookiegal's Avatar
Administrator & Malware Removal Specialist with 79,286 posts.
  
Join Date: Aug 2003
Location: Quebec, Canada
13-Jul-2008, 07:04 PM #4
Open Notepad and copy and paste the text in the code box below into it:

Code:
File::
C:\WINDOWS\system32\lovirhsb.ini
C:\WINDOWS\BM7714ed51.xml
C:\WINDOWS\system32\nplhbjmr.ini
C:\WINDOWS\system32\sex2.ico
C:\WINDOWS\system32\phc77fj0ee3r.bmp
C:\WINDOWS\system32\sex1.ico

DirLook::
C:\TDDOWNLOAD

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.




This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.


Also do this please.

Open HijackThis and click on "Config" and then on the "Misc Tools" button. If you're viewing HijackThis from the Main Menu then click on "Open the Misc Tools Section". Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here please.
__________________
Microsoft MVP - Consumer Security
tianwang_ice's Avatar
Junior Member with 11 posts.
  
Join Date: Jul 2008
Experience: Intermediate
16-Jul-2008, 01:48 PM #5
New ComboFix log:


ComboFix 08-07-07.3 - Yao 2008-07-17 0:33:55.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.936.86.1033.18.1219 [GMT 8:00]
Running from: C:\Documents and Settings\Yao\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Yao\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
C:\WINDOWS\BM7714ed51.xml
C:\WINDOWS\system32\lovirhsb.ini
C:\WINDOWS\system32\nplhbjmr.ini
C:\WINDOWS\system32\phc77fj0ee3r.bmp
C:\WINDOWS\system32\sex1.ico
C:\WINDOWS\system32\sex2.ico
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM7714ed51.xml
C:\WINDOWS\system32\lovirhsb.ini
C:\WINDOWS\system32\nplhbjmr.ini
C:\WINDOWS\system32\phc77fj0ee3r.bmp
C:\WINDOWS\system32\sex1.ico
C:\WINDOWS\system32\sex2.ico

.
((((((((((((((((((((((((( Files Created from 2008-06-16 to 2008-07-16 )))))))))))))))))))))))))))))))
.

2008-07-04 02:17 . 2008-03-19 11:26 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-07-04 02:17 . 2008-07-04 02:17 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-03 21:50 . 2008-07-03 22:29 <DIR> d-------- C:\TDDOWNLOAD
2008-07-03 21:42 . 2008-07-03 22:29 763 --a------ C:\WINDOWS\system32\cid_store.dat
2008-07-03 21:42 . 2008-07-03 21:42 26 --a------ C:\WINDOWS\system32\xlhcc.dat
2008-07-03 21:42 . 2008-07-03 21:42 20 --a------ C:\WINDOWS\system32\pub_store.dat
2008-07-03 21:41 . 2008-07-03 21:41 <DIR> d-------- C:\Program Files\Thunder Network
2008-07-03 21:41 . 2008-07-03 21:41 <DIR> d-------- C:\Program Files\Common Files\Thunder Network
2008-07-03 21:41 . 2008-07-03 21:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Thunder Network
2008-07-03 14:42 . 2008-07-03 14:42 <DIR> d-------- C:\Program Files\Bonjour
2008-07-03 09:38 . 2008-07-03 09:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-03 09:29 . 2008-07-03 10:30 1,718,640 --ahs---- C:\WINDOWS\system32\hbhddbcf.ini
2008-06-30 14:38 . 2008-06-30 14:38 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\SogouPY.users
2008-06-30 14:38 . 2008-07-13 23:57 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\SogouPY
2008-06-30 00:38 . 2008-06-30 00:38 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SogouPY.users
2008-06-30 00:38 . 2008-07-17 00:30 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SogouPY
2008-06-29 22:11 . 2008-06-29 22:16 <DIR> d-------- C:\Program Files\SogouInput
2008-06-29 22:11 . 2008-06-29 22:11 <DIR> d-------- C:\Documents and Settings\Yao\Application Data\SogouPY.users
2008-06-29 22:11 . 2008-07-17 00:34 <DIR> d-------- C:\Documents and Settings\Yao\Application Data\SogouPY
2008-06-29 22:00 . 2008-06-29 22:00 <DIR> d-------- C:\Program Files\TTOD
2008-06-29 01:24 . 2008-06-29 01:25 <DIR> d-------- C:\Documents and Settings\Yao\Application Data\rockbox.org
2008-06-28 23:48 . 2008-06-28 23:48 <DIR> d-------- C:\Program Files\SanDisk
2008-06-20 19:22 . 2008-06-20 19:22 1,238,320 --a------ C:\WINDOWS\system32\SogouPy.ime
2008-06-19 19:24 . 2008-06-19 19:24 <DIR> d-------- C:\Program Files\ADV
2008-06-19 00:27 . 2008-06-19 00:27 <DIR> d-------- C:\Documents and Settings\Yao\Application Data\My Games
2008-06-19 00:23 . 2008-06-19 00:23 <DIR> d---s---- C:\Program Files\Xfire
2008-06-19 00:23 . 2008-06-19 00:23 <DIR> d-------- C:\Documents and Settings\Yao\Application Data\Xfire
2008-06-18 23:59 . 2008-06-18 23:59 <DIR> d-------- C:\Program Files\Firaxis Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-14 14:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-03 06:42 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-29 14:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-14 02:19 --------- d-----w C:\Documents and Settings\Yao\Application Data\U3
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-03 06:31 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-06-02 02:15 --------- d-----w C:\Program Files\HP
2008-06-02 02:15 --------- d-----w C:\Program Files\Hewlett-Packard
2008-06-02 02:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2008-06-02 02:12 --------- d-----w C:\Documents and Settings\Yao\Application Data\HP
2008-05-30 21:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\CyberLink
2008-05-28 07:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2008-05-28 07:13 --------- d-----w C:\Documents and Settings\Yao\Application Data\CyberLink
2008-05-28 07:11 --------- d-----w C:\Program Files\CyberLink
2008-05-28 07:10 --------- d-----w C:\Program Files\SmartSound Software
2008-05-28 07:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\SmartSound Software Inc
2008-05-28 05:13 --------- d-----w C:\Program Files\FlashGet
2008-05-27 04:20 --------- d-----w C:\Program Files\Lexmark X5100 Series
2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2001-08-22 18:15 245,760 ----a-w C:\WINDOWS\inf\i386\viceo.dll
2001-08-22 18:13 61,440 ----a-w C:\WINDOWS\inf\i386\gl.dll
2001-08-22 18:13 32,768 ----a-w C:\WINDOWS\inf\i386\Pmicro.dll
2001-08-03 23:29 13,824 ----a-w C:\WINDOWS\inf\i386\Usbscan.sys
2001-07-10 14:59 15,716 ----a-w C:\WINDOWS\inf\i386\Pmxscan.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\TDDOWNLOAD ----

2008-07-03 22:29 2758892 --a------ C:\TDDOWNLOAD\msHKJ.rar
2008-07-03 21:51 3111793 --a------ C:\TDDOWNLOAD\msDSSF.rar
2004-10-07 04:07 4052 -ra------ C:\TDDOWNLOAD\msHKJ\www_sj00_com.txt
2004-10-07 04:07 4052 -ra------ C:\TDDOWNLOAD\msDSSF\www_sj00_com.txt
2000-02-01 07:40 5410976 -ra------ C:\TDDOWNLOAD\msDSSF\MSDSSF.TTF
2000-02-01 07:40 4543828 -ra------ C:\TDDOWNLOAD\msHKJ\MSHKJ.TTF


------- Sigcheck -------

2007-10-31 00:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2004-08-10 19:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2007-10-31 01:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-31 01:20 360064 ef7834c1d9ddf4c7da697d8c24a03791 C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( snapshot@2008-07-13_ 2.32.05.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-10-27 01:42:36 8,423,224 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\OARTCONV.DLL
- 2008-05-14 07:02:35 1,165,584 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2008-07-14 14:59:48 1,165,584 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
- 2008-05-14 07:02:35 20,240 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2008-07-14 14:59:48 20,240 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
- 2008-05-14 07:02:35 159,504 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2008-07-14 14:59:48 159,504 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
- 2008-05-14 07:02:35 184,080 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2008-07-14 14:59:48 184,080 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
- 2008-05-14 07:02:35 217,864 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
+ 2008-07-14 14:59:48 217,864 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
- 2008-05-14 07:02:35 18,704 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
+ 2008-07-14 14:59:48 18,704 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-05-14 07:02:36 35,088 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
+ 2008-07-14 14:59:49 35,088 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-05-14 07:02:35 845,584 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
+ 2008-07-14 14:59:48 845,584 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2008-05-14 07:02:35 922,384 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2008-07-14 14:59:48 922,384 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
- 2008-05-14 07:02:35 272,648 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
+ 2008-07-14 14:59:48 272,648 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
- 2008-05-14 07:02:36 888,080 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2008-07-14 14:59:49 888,080 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
- 2008-05-14 07:02:35 1,172,240 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2008-07-14 14:59:48 1,172,240 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
- 2008-07-12 05:35:57 63,522 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-07-12 18:24:54 63,522 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-07-12 05:35:57 404,302 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-07-12 18:24:54 404,302 ----a-w C:\WINDOWS\system32\perfh009.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 19:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 00:24 1694208]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-02-14 07:09 486856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 19:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 19:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 19:00 455168]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-06 02:56 64512]
"OEM02Mon.exe"="C:\WINDOWS\OEM02Mon.exe" [2007-02-02 14:00 36864]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-28 05:10 851968]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-11-17 16:03 8495104]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2007-10-10 08:17 2183168]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-02-23 09:50 112216]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-12-20 00:27 136768]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 16:25 144784]
"KONICA MINOLTA magicolor 2400W STD"="C:\WINDOWS\system32\MSTMON_S.EXE" [2005-06-23 05:38 184320]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 11:16 39792]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 11:24 620152]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-29 11:37 413696]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 11:12 49152]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-19 08:22 185896]
"nwiz"="nwiz.exe" [2007-11-17 16:03 1626112 C:\WINDOWS\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [2007-11-17 16:03 86016 C:\WINDOWS\system32\nvhotkey.dll]
"NvMediaCenter"="NvMCTray.dll" [2007-11-17 16:03 81920 C:\WINDOWS\system32\nvmctray.dll]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\syste m]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
"msacm.divxa32"= msaud32_divx.acm
=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-02-14 07:09 486856 C:\Program Files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
--a------ 2007-03-16 06:16 454784 C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 13:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2003-07-13 15:49 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SansaDispatch]
--a------ 2007-10-22 12:52 75584 C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-03-19 08:22 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Tencent\\QQ\\QQ.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\Tencent\\QQ\\Qzone\\Qzone.exe"=
"C:\\Program Files\\Tencent\\QQ\\QQUpdateCenter.exe"=
"C:\\Program Files\\Counter-Strike\\cstrike.exe"=
"C:\\Program Files\\Tencent\\QQ\\QQMusic.exe"=
"C:\\ijji\\ENGLISH\\u_gbound.exe"=
"C:\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme"=
"C:\\cygwin\\home\\ocaml-3.10.2\\config\\auto-aux\\tst.exe"=
"C:\\Program Files\\FlashGet\\flashget.exe"=
"C:\\InstantRails-2.0-win\\apache\\Apache.exe"=
"C:\\InstantRails-2.0-win\\ruby\\bin\\ruby.exe"=
"C:\\Program Files\\CyberLink\\PowerDirector\\PDR.exe"=
"C:\\Program Files\\Tencent\\QQ\\QzoneMusic.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Thunder Network\\Thunder\\Program\\Thunder5.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Glob allyOpenPorts\List]
"18655:TCP"= 18655:TCP:BitComet 18655 TCP
"18655:UDP"= 18655:UDP:BitComet 18655 UDP
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R2 BCMWLNPF;Broadcom Netgroup Packet Filter;C:\WINDOWS\system32\drivers\bcmwlnpf.sys [2007-10-10 08:17]
R2 ppsio2;PPDevice;C:\WINDOWS\system32\drivers\ppsio2.sys [1999-06-30 15:49]
R3 OEM02Dev;Creative Camera OEM002 Driver;C:\WINDOWS\system32\DRIVERS\OEM02Dev.sys [2007-03-20 14:00]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;C:\WINDOWS\system32\DRIVERS\OEM02Vfx.sys [2007-03-06 07:45]
S2 SSPORT;SSPORT;C:\WINDOWS\system32\Drivers\SSPORT.sys []
S3 BrlAPI;BrlAPI;C:\cygwin\bin\cygrunsrv.exe [2008-03-18 18:28]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-17 00:37:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

? [21464]
? [24856]
? [25496]
? [24892]
? [24676]
? [24176]
scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-17 0:46:42
ComboFix-quarantined-files.txt 2008-07-16 16:46:39
ComboFix2.txt 2008-07-12 18:32:25

Pre-Run: 14,531,031,040 bytes free
Post-Run: 14,521,290,752 bytes free

242 --- E O F --- 2008-07-14 14:59:51
tianwang_ice's Avatar
Junior Member with 11 posts.
  
Join Date: Jul 2008
Experience: Intermediate
16-Jul-2008, 01:51 PM #6
And the new HJT log. I've noticed that the various .dll files have been successfully deleted and the winlogon link removed. Whooray for your professional help!



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:49:20 AM, on 7/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\OEM02Mon.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\MSTMON_S.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\WINDOWS\OEM02Mon.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [KONICA MINOLTA magicolor 2400W STD] C:\WINDOWS\system32\MSTMON_S.EXE STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: 使用迅雷下载 - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ???ˉ??ŕ×5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: ???ˉ??ŕ×5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/de...e/HPDEXAXO.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8FD4E30B-7A86-4330-AC82-E0226100A4B4}: NameServer = 61.134.1.4 218.30.19.40
O17 - HKLM\System\CCS\Services\Tcpip\..\{97B74142-5485-4308-A220-FBA6733B0328}: NameServer = 218.30.19.40,61.134.1.4
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Filter: application/xhtml+xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: application/xhtml+xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrlAPI - Unknown owner - C:\cygwin\bin\cygrunsrv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 12592 bytes
tianwang_ice's Avatar
Junior Member with 11 posts.
  
Join Date: Jul 2008
Experience: Intermediate
16-Jul-2008, 01:55 PM #7
Here's the list from HJT's Uninstall Manager:


??1·?′ň?ę?č?·¨ 3.5°???°?
??ŕ×5
?§?§?2ěy 5.1.0
Adobe Acrobat 8 Professional - English, Fran?ais, Deutsch
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player ActiveX
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Photoshop CS3
Adobe Reader 8.1.2
Adobe Setup
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
ADVMonitor
Ahead Nero Burning ROM
Apple Software Update
BitComet 0.99
Broadcom 440x 10/100 Integrated Controller
CAJViewer 5.5
Calculator Powertoy for Windows XP
Camelia
Combined Community Codec Pack 2007-07-22
Counter-Strike 1.6 seventeen???óě?±e°? by′óú?
CyberLink PhotoNow
CyberLink PowerDirector
Dell Touchpad
Dell Wireless WLAN Card
Drivers Install For Linksys Easylink Advisor
ESPNMotion
FlashGet 1.9.6.1073
F-Secure SSH Client Trial
GemMaster Mystic
GOM Player
Gunbound Revolution
Hamachi 0.9.9.9
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB888795)
Hotfix for Windows XP (KB891593)
Hotfix for Windows XP (KB895961)
Hotfix for Windows XP (KB899337)
Hotfix for Windows XP (KB899510)
Hotfix for Windows XP (KB902841)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
HP Deskjet 5900 series
HP Imaging Device Functions 5.0
HP Software Update
HP Solution Center & Imaging Support Tools 5.0
ijji Auto Installer
Java(TM) 6 Update 3
Java(TM) 6 Update 5
KONICA MINOLTA magicolor 2400W
Laptop Integrated Webcam Driver (1.00.10.0320)
Linksys EasyLink Advisor 1.6 (0032)
LIVE gaming on Windows Runtime Version 1.0.6027
MagicDisc 2.5.77
MathPlayer
MATLAB R2007a
McAfee VirusScan Enterprise
Messenger Plus! Live
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft AppLocale
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows Application Compatibility Database
Mozilla Firefox (2.0.0.15)
Norton PartitionMagic 8.0
NVIDIA Drivers
Objective Caml 3.10.0
Otto
PDF Settings
Picasa 2
Post-it? Software Notes Lite
PowerISO
PrimaScan 2400U
QQ¨°?¨¤?7.2Beta02
QQ2008 Beta1?í?£°?
QuickTime
RealPlayer
Resident Evil 4 1.10
Rhapsody Player Engine
Ruby-186-26
Sansa Updater
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Excel 2007 (KB946974)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB951808)
Security Update for Microsoft Office Word 2007 (KB950113)
Security Update for Office 2007 (KB947801)
Security Update for Outlook 2007 (KB946983)
Security Update for Visio 2007 (KB947590)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Sid Meier's Civilization 4
Sid Meier's Civilization 4 - Warlords
SigmaTel Audio
SmartSound Quicktracks Plugin
Sonic Encoders
Starcraft
Update for Office 2007 (KB934391)
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb953463)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update Rollup 2 for Windows XP Media Center Edition 2005
WinAce Archiver
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format Runtime
Windows Media Player Firefox Plugin
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Media Center Edition 2005 KB908250
WinRAR archiver
WinZip
Xerox Phaser 6110
Xfire (remove only)
XP Codec Pack
Cookiegal's Avatar
Administrator & Malware Removal Specialist with 79,286 posts.
  
Join Date: Aug 2003
Location: Quebec, Canada
17-Jul-2008, 07:27 PM #8
Do you recognize these programs?


??1•?′ň?ę?č?•¨ 3.5°???°?
??ŕ×5
?§?§?2ěy 5.1.0

If these are Tencent QQ then you should remove them via the Control Panel:

QQ¨°?¨¤?7.2Beta02
QQ2008 Beta1?í?£°?
tianwang_ice's Avatar
Junior Member with 11 posts.
  
Join Date: Jul 2008
Experience: Intermediate
18-Jul-2008, 02:42 PM #9
Yes, I do recognize them. They're programs I installed and use on a regular basis (Tencent QQ is as well). I'm pretty sure they're not direct causes or results of the Vundo Trojan infection.
Cookiegal's Avatar
Administrator & Malware Removal Specialist with 79,286 posts.
  
Join Date: Aug 2003
Location: Quebec, Canada
19-Jul-2008, 01:07 PM #10
Tencent is adware based but mostly a nuisance. It often gets bundled with malware without the users knowledge. But if you installed it yourself and use it then leave it.

Please download Malwarebytes Anti-Malware form Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply along with a new HijackThis log please.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.





***

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA tecnology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java, to download and install the latest vesion.
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.
Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u6-windows-i586-p.exe and select "Run as an Administrator.")

Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6.
  • Scroll down to where it says Java Runtime Environment (JRE) 6 Update 6. The Java SE Runtime Environment (JRE) allows end-users to run Java applications (the fifth one in the list).
  • Click the "Download" button to the right. A new page will open.
  • Select your platform and check the box that says: I agree to the Java SE Runtime Environment 6 License Agreement.
  • Click Continue.
  • Click on the link under Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Go to Start - Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on the download to install the newest version.
__________________
Microsoft MVP - Consumer Security
tianwang_ice's Avatar
Junior Member with 11 posts.
  
Join Date: Jul 2008
Experience: Intermediate
22-Jul-2008, 01:39 PM #11
Hi, sorry for the delayed reply. I was away a couple of days. Anyway, here's the MBAM log:


Malwarebytes' Anti-Malware 1.22
Database version: 978
Windows 5.1.2600 Service Pack 2

12:14:56 AM 7/23/2008
mbam-log-7-23-2008 (00-14-56).txt

Scan type: Quick Scan
Objects scanned: 46239
Time elapsed: 7 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\shc17fj0ee3r (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Mozilla Firefox\regxpcom.exe (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\WINDOWS\BM7714ed51.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Yao\Local Settings\Temp\CmdLineExt02.dll (Trojan.Agent) -> Delete on reboot.

_____________________________________________________________________


and the new HJT log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:38:37 AM, on 7/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\OEM02Mon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Tencent\QQ\QQ.exe
C:\Program Files\Tencent\QQ\TXPlatform.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\WINDOWS\OEM02Mon.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [KONICA MINOLTA magicolor 2400W STD] C:\WINDOWS\system32\MSTMON_S.EXE STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: 使用迅雷下载 - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ???ˉ??ŕ×5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: ???ˉ??ŕ×5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/de...e/HPDEXAXO.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8FD4E30B-7A86-4330-AC82-E0226100A4B4}: NameServer = 61.134.1.4 218.30.19.40
O17 - HKLM\System\CCS\Services\Tcpip\..\{97B74142-5485-4308-A220-FBA6733B0328}: NameServer = 218.30.19.40,61.134.1.4
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Filter: application/xhtml+xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: application/xhtml+xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrlAPI - Unknown owner - C:\cygwin\bin\cygrunsrv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 12695 bytes
Cookiegal's Avatar
Administrator & Malware Removal Specialist with 79,286 posts.
  
Join Date: Aug 2003
Location: Quebec, Canada
22-Jul-2008, 06:59 PM #12
Did you do the Kaspersky scan?
tianwang_ice's Avatar
Junior Member with 11 posts.
  
Join Date: Jul 2008
Experience: Intermediate
23-Jul-2008, 07:57 AM #13
Sorry... the scan was taking very long, so I had it running overnight. When I woke up, my idiot of a brother had closed the scan window, so I had to redo the scan. Here's the report:


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, July 23, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, July 23, 2008 02:31:27
Records in database: 1000105
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
G:\

Scan statistics:
Files scanned: 580378
Threat name: 15
Infected objects: 69
Suspicious objects: 0
Duration of the scan: 04:32:40


File name / Threat name / Threats count
C:\Documents and Settings\Yao\Desktop\My Documents\Yao\DL\programs\areslite181.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d 3
C:\Documents and Settings\Yao\Desktop\My Documents\Yao\DL\programs\areslite181.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b 1
C:\Documents and Settings\Yao\Desktop\My Documents\Yao\fgf140.exe Infected: not-a-virus:AdWare.Win32.Cydoor 1
C:\Documents and Settings\Yao\My Documents\My Pictures\wallpapers\adorableawp3free.exe Infected: Trojan-Downloader.Win32.Agent.hym 3
C:\Documents and Settings\Yao\My Documents\My Pictures\wallpapers\adorableawp3free.exe Infected: not-a-virus:AdWare.Win32.Shopper.am 1
C:\Documents and Settings\Yao\My Documents\My Pictures\wallpapers\adorableawp3free.exe Infected: not-a-virus:AdWare.Win32.Shopper.k 1
C:\Documents and Settings\Yao\My Documents\My Pictures\wallpapers\adorableawp3free.exe Infected: not-a-virus:AdWare.Win32.Mostofate.bt 1
C:\Documents and Settings\Yao\My Documents\My Pictures\wallpapers\adorableawp3free.exe Infected: not-a-virus:AdWare.Win32.Mostofate.bn 2
C:\Documents and Settings\Yao\My Documents\My Pictures\wallpapers\marine2awfree.exe Infected: Trojan-Downloader.Win32.Agent.hym 3
C:\Documents and Settings\Yao\My Documents\My Pictures\wallpapers\marine2awfree.exe Infected: not-a-virus:AdWare.Win32.Shopper.am 1
C:\Documents and Settings\Yao\My Documents\My Pictures\wallpapers\marine2awfree.exe Infected: not-a-virus:AdWare.Win32.Shopper.k 1
C:\Documents and Settings\Yao\My Documents\My Pictures\wallpapers\marine2awfree.exe Infected: not-a-virus:AdWare.Win32.Mostofate.bt 1
C:\Documents and Settings\Yao\My Documents\My Pictures\wallpapers\marine2awfree.exe Infected: not-a-virus:AdWare.Win32.Mostofate.bn 2
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080703-094442-119.dll Infected: Trojan-Downloader.Win32.Delf.jvh 1
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080703-094442-347.dll Infected: Trojan.Win32.Monderc.gen 1
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080703-094442-439.dll Infected: Trojan.Win32.Monderc.gen 1
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080703-102948-205.dll Infected: Trojan.Win32.Monderc.gen 1
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080703-102948-465.dll Infected: Trojan.Win32.Monderc.gen 1
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080704-012954-273.dll Infected: Trojan.Win32.Monderc.gen 1
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080704-012954-796.dll Infected: Trojan.Win32.Monderc.gen 1
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080704-012954-849.dll Infected: Trojan-Downloader.Win32.Delf.jvh 1
C:\QooBox\Quarantine\C\WINDOWS\system32\biipeens.dll.vir Infected: Trojan.Win32.Monderc.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\byXQHyxy.dll.vir Infected: Trojan.Win32.Monderc.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\gaxptfko.dll.vir Infected: Trojan.Win32.Monderc.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\gngspckc.dll.vir Infected: Trojan-Downloader.Win32.Delf.jvh 1
C:\QooBox\Quarantine\C\WINDOWS\system32\gymkpyqg.dll.vir Infected: Trojan.Win32.Monderc.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\hawuueco.dll.vir Infected: Trojan.Win32.Monderc.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\hqvdidnx.dll.vir Infected: Trojan-Downloader.Win32.Delf.jvh 1
C:\QooBox\Quarantine\C\WINDOWS\system32\ljJARijJ.dll.vir Infected: Trojan.Win32.Monderc.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\mnvgioso.dll.vir Infected: Trojan.Win32.Monderc.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\ndnipwom.dll.vir Infected: Trojan.Win32.Monderc.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\opnlJcdc.dll.vir Infected: Trojan.Win32.Monderc.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\qgbfirdm.dll.vir Infected: Trojan.Win32.Monderc.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\qogkhuqy.dll.vir Infected: Trojan-Downloader.Win32.Delf.jvh 1
C:\QooBox\Quarantine\C\WINDOWS\system32\rqRLbcDW.dll.vir Infected: Trojan.Win32.Monderc.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\sjodeofk.dll.vir Infected: Trojan.Win32.Monderc.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\snpnoyrc.dll.vir Infected: Trojan-Downloader.Win32.Delf.jvh 1
C:\QooBox\Quarantine\C\WINDOWS\system32\tuvTMFVp.dll.vir Infected: Trojan.Win32.Monderc.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\ubpjjejm.dll.vir Infected: Trojan-Downloader.Win32.Delf.jvh 1
C:\QooBox\Quarantine\C\WINDOWS\system32\vnjyqsfc.dll.vir Infected: Trojan.Win32.Monderc.gen 1
C:\QooBox\Quarantine\C\WINDOWS\Web\def.htm.vir Infected: not-virus:Hoax.HTML.Secureinvites.c 1
D:\BitComet\Data.Doctor.Recovery.NTFS.v3.0.1.5-YAG\DataDoctorRecoveryNtfs.exe Infected: Trojan.Win32.AntiAV.t 1
D:\BitComet\Disk Doctor Recovery Product ( 9 in 1 ).exe Infected: Trojan-Dropper.Win32.KGen.rs 1
D:\BitComet\Smart Data Recovery 3.9+Key+Serial\Smart Data Recovery 3.9+Key+Serial.rar Infected: Trojan.Win32.Pakes.cgn 1
D:\BitComet\Smart Data Recovery 3.9+Key+Serial\Smart Data Recovery 3.9+Key+Serial.rar Infected: Trojan-Downloader.Win32.Small.sth 1
D:\Users\Yao\Pictures\wallpapers\adorableawp3free.exe Infected: Trojan-Downloader.Win32.Agent.hym 3
D:\Users\Yao\Pictures\wallpapers\adorableawp3free.exe Infected: not-a-virus:AdWare.Win32.Shopper.am 1
D:\Users\Yao\Pictures\wallpapers\adorableawp3free.exe Infected: not-a-virus:AdWare.Win32.Shopper.k 1
D:\Users\Yao\Pictures\wallpapers\adorableawp3free.exe Infected: not-a-virus:AdWare.Win32.Mostofate.bt 1
D:\Users\Yao\Pictures\wallpapers\adorableawp3free.exe Infected: not-a-virus:AdWare.Win32.Mostofate.bn 2
D:\Users\Yao\Pictures\wallpapers\marine2awfree.exe Infected: Trojan-Downloader.Win32.Agent.hym 3
D:\Users\Yao\Pictures\wallpapers\marine2awfree.exe Infected: not-a-virus:AdWare.Win32.Shopper.am 1
D:\Users\Yao\Pictures\wallpapers\marine2awfree.exe Infected: not-a-virus:AdWare.Win32.Shopper.k 1
D:\Users\Yao\Pictures\wallpapers\marine2awfree.exe Infected: not-a-virus:AdWare.Win32.Mostofate.bt 1
D:\Users\Yao\Pictures\wallpapers\marine2awfree.exe Infected: not-a-virus:AdWare.Win32.Mostofate.bn 2

The selected area was scanned.
Cookiegal's Avatar
Administrator & Malware Removal Specialist with 79,286 posts.
  
Join Date: Aug 2003
Location: Quebec, Canada
23-Jul-2008, 04:10 PM #14
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    C:\Documents and Settings\Yao\Desktop\My Documents\Yao\DL\programs\areslite181.exe
C:\Documents and Settings\Yao\Desktop\My Documents\Yao\fgf140.exe
C:\Documents and Settings\Yao\My Documents\My Pictures\wallpapers\adorableawp3free.exe
C:\Documents and Settings\Yao\My Documents\My Pictures\wallpapers\marine2awfree.exe
D:\BitComet\Data.Doctor.Recovery.NTFS.v3.0.1.5-YAG\DataDoctorRecoveryNtfs.exe
D:\BitComet\Disk Doctor Recovery Product ( 9 in 1 ).exe
D:\BitComet\Smart Data Recovery 3.9+Key+Serial\Smart Data Recovery 3.9+Key+Serial.rar
D:\Users\Yao\Pictures\wallpapers\adorableawp3free.exe
D:\Users\Yao\Pictures\wallpapers\marine2awfree.exe
  • Return to OTMoveIt2, right click in the Paste Custom List Of Files/Patterns To Move window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post with a new HijackThis log.
__________________
Microsoft MVP - Consumer Security
tianwang_ice's Avatar
Junior Member with 11 posts.
  
Join Date: Jul 2008
Experience: Intermediate
25-Jul-2008, 12:26 AM #15
One file was "not found" possibly because of a slight file name mismatch. I manually deleted that file. Here are the results:


C:\Documents and Settings\Yao\Desktop\My Documents\Yao\DL\programs\areslite181.exe moved successfully.
C:\Documents and Settings\Yao\Desktop\My Documents\Yao\fgf140.exe moved successfully.
C:\Documents and Settings\Yao\My Documents\My Pictures\wallpapers\adorableawp3free.exe moved successfully.
C:\Documents and Settings\Yao\My Documents\My Pictures\wallpapers\marine2awfree.exe moved successfully.
D:\BitComet\Data.Doctor.Recovery.NTFS.v3.0.1.5-YAG\DataDoctorRecoveryNtfs.exe moved successfully.
File/Folder D:\BitComet\Disk Doctor Recovery Product ( 9 in 1 ).exe not found.
D:\BitComet\Smart Data Recovery 3.9+Key+Serial\Smart Data Recovery 3.9+Key+Serial.rar moved successfully.
D:\Users\Yao\Pictures\wallpapers\adorableawp3free.exe moved successfully.
D:\Users\Yao\Pictures\wallpapers\marine2awfree.exe moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07252008_112047
Email This Email  Print This Print  Tweet This Send to Facebook Send to MySpace Send to StumbleUpon Digg This | More Services More
Reply
Page 1 of 2 1 2

Tags
trojan, virtumonde, virus, vundo, winxp

THIS THREAD HAS EXPIRED.
Are you having the same problem? We have volunteers ready to answer your question, but first you'll have to join for free. Need help getting started? Check out our Welcome Guide.

Search Tech Support Guy

Find the solution to your
computer problem!

« Previous Thread | Virus & Other Malware Removal | Next Thread »

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
WELCOME TO TECH SUPPORT GUY! Are you looking for the solution to your computer problem? Join our site today to ask your question -- for free! Our site is run completely by volunteers who want to help you solve your computer problems. See our Welcome Guide to get started.
Thread Tools



Facebook Facebook Twitter Twitter TechGuy.tv TechGuy.tv Mobile TSG Mobile
Contact Us - HelpOnThe.Net - Archive - Terms of Service - Top
You Are Using:
Server ID
Advertisements do not imply our endorsement of that product or service.
All times are GMT -4. The time now is 10:01 PM.
Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.

 Powered by Cermak Technologies, Inc.