
Not Sure if Winfixer Trojan has been Removed

Discussion in 'Virus & Other Malware Removal' started by rickronn, Oct 26, 2007.

  1. rickronn

    rickronn Thread Starter

    Joined:
    May 19, 2007
    Messages:
    107
    Hello,

    I was hit by the Winfixer Trojan a couple of days ago. I used VundoFix and VirtumundoBeGone to clean it. However, when I checked my system with SUPERAntiSpyware, it still found Winfixer infections and cleaned them. When I ran SUPERAntiSpyware again, it found the same infections again.

    Please find below my HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 下午 10:51:17, on 2007/10/26
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\mqrgsh.exe
    C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\PROGRA~1\Webshots\webshots.scr
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [Microsoft] mqrgsh.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
    O4 - HKLM\..\Run: [3c5fbd0f] rundll32.exe "C:\WINDOWS\system32\eqecngwi.dll",b
    O4 - HKLM\..\RunServices: [Microsoft] mqrgsh.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
    O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1191931315218
    O20 - AppInit_DLLs: at.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: iPod 服務 (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
    O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

    --
    End of file - 8011 bytes

    And below is the log generated by VirtumundoBeGone:

    [10/26/2007, 2:14:47] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\RICKYLEE\桌面\VirtumundoBeGone.exe" )
    [10/26/2007, 2:15:09] - Detected System Information:
    [10/26/2007, 2:15:09] - Windows Version: 5.1.2600, Service Pack 2
    [10/26/2007, 2:15:09] - Current Username: RICKYLEE (Admin)
    [10/26/2007, 2:15:09] - Windows is in SAFE mode with Networking.
    [10/26/2007, 2:15:09] - Searching for Browser Helper Objects:
    [10/26/2007, 2:15:09] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
    [10/26/2007, 2:15:09] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
    [10/26/2007, 2:15:09] - BHO 3: {9E506E70-80C2-4266-961C-AB51B8C933D6} ()
    [10/26/2007, 2:15:09] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [10/26/2007, 2:15:09] - Checking for HKLM\...\Winlogon\Notify\ssttt
    [10/26/2007, 2:15:09] - Key not found: HKLM\...\Winlogon\Notify\ssttt, continuing.
    [10/26/2007, 2:15:09] - BHO 4: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
    [10/26/2007, 2:15:09] - BHO 5: {F6B1F430-52B5-4478-9FC6-A94F79D423C3} ()
    [10/26/2007, 2:15:09] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [10/26/2007, 2:15:09] - Checking for HKLM\...\Winlogon\Notify\yayyxyx
    [10/26/2007, 2:15:09] - Found: HKLM\...\Winlogon\Notify\yayyxyx - This is probably Virtumundo.
    [10/26/2007, 2:15:09] - Assigning {F6B1F430-52B5-4478-9FC6-A94F79D423C3} MSEvents Object
    [10/26/2007, 2:15:09] - BHO list has been changed! Starting over...
    [10/26/2007, 2:15:09] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
    [10/26/2007, 2:15:09] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
    [10/26/2007, 2:15:09] - BHO 3: {9E506E70-80C2-4266-961C-AB51B8C933D6} ()
    [10/26/2007, 2:15:09] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [10/26/2007, 2:15:09] - Checking for HKLM\...\Winlogon\Notify\ssttt
    [10/26/2007, 2:15:09] - Key not found: HKLM\...\Winlogon\Notify\ssttt, continuing.
    [10/26/2007, 2:15:09] - BHO 4: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
    [10/26/2007, 2:15:09] - BHO 5: {F6B1F430-52B5-4478-9FC6-A94F79D423C3} (MSEvents Object)
    [10/26/2007, 2:15:09] - ALERT: Found MSEvents Object!
    [10/26/2007, 2:15:09] - Finished Searching Browser Helper Objects
    [10/26/2007, 2:15:09] - *** Detected MSEvents Object
    [10/26/2007, 2:15:09] - Trying to remove MSEvents Object...
    [10/26/2007, 2:15:10] - Terminating Process: IEXPLORE.EXE
    [10/26/2007, 2:15:10] - Terminating Process: RUNDLL32.EXE
    [10/26/2007, 2:15:10] - Disabling Automatic Shell Restart
    [10/26/2007, 2:15:10] - Terminating Process: EXPLORER.EXE
    [10/26/2007, 2:15:10] - Suspending the NT Session Manager System Service
    [10/26/2007, 2:15:10] - Terminating Windows NT Logon/Logoff Manager
    [10/26/2007, 2:15:11] - Re-enabling Automatic Shell Restart
    [10/26/2007, 2:15:11] - File to disable: C:\WINDOWS\system32\yayyxyx.dll
    [10/26/2007, 2:15:11] - Renaming C:\WINDOWS\system32\yayyxyx.dll -> C:\WINDOWS\system32\yayyxyx.dll.vir
    [10/26/2007, 2:15:11] - File successfully renamed!
    [10/26/2007, 2:15:11] - Removing HKLM\...\Browser Helper Objects\{F6B1F430-52B5-4478-9FC6-A94F79D423C3}
    [10/26/2007, 2:15:11] - Removing HKCR\CLSID\{F6B1F430-52B5-4478-9FC6-A94F79D423C3}
    [10/26/2007, 2:15:11] - Adding Kill Bit for ActiveX for GUID: {F6B1F430-52B5-4478-9FC6-A94F79D423C3}
    [10/26/2007, 2:15:11] - Deleting ATLEvents/MSEvents Registry entries
    [10/26/2007, 2:15:11] - Removing HKLM\...\Winlogon\Notify\yayyxyx
    [10/26/2007, 2:15:11] - Searching for Browser Helper Objects:
    [10/26/2007, 2:15:11] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
    [10/26/2007, 2:15:11] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
    [10/26/2007, 2:15:11] - BHO 3: {9E506E70-80C2-4266-961C-AB51B8C933D6} ()
    [10/26/2007, 2:15:11] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [10/26/2007, 2:15:11] - Checking for HKLM\...\Winlogon\Notify\ssttt
    [10/26/2007, 2:15:11] - Key not found: HKLM\...\Winlogon\Notify\ssttt, continuing.
    [10/26/2007, 2:15:11] - BHO 4: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
    [10/26/2007, 2:15:11] - Finished Searching Browser Helper Objects
    [10/26/2007, 2:15:11] - Finishing up...
    [10/26/2007, 2:15:11] - A restart is needed.
    [10/26/2007, 2:15:20] - Attempting to Restart via STOP error (Blue Screen!)

    [10/26/2007, 22:39:36] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\RICKYLEE\桌面\VirtumundoBeGone.exe" )
    [10/26/2007, 22:39:42] - Detected System Information:
    [10/26/2007, 22:39:42] - Windows Version: 5.1.2600, Service Pack 2
    [10/26/2007, 22:39:42] - Current Username: RICKYLEE (Admin)
    [10/26/2007, 22:39:42] - Windows is in SAFE mode with Networking.
    [10/26/2007, 22:39:42] - Searching for Browser Helper Objects:
    [10/26/2007, 22:39:42] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
    [10/26/2007, 22:39:42] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
    [10/26/2007, 22:39:42] - BHO 3: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
    [10/26/2007, 22:39:42] - Finished Searching Browser Helper Objects
    [10/26/2007, 22:39:42] - Finishing up...
    [10/26/2007, 22:39:42] - Nothing found! Exiting...

    [10/26/2007, 22:47:34] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\RICKYLEE\桌面\VirtumundoBeGone.exe" )
    [10/26/2007, 22:47:36] - Detected System Information:
    [10/26/2007, 22:47:36] - Windows Version: 5.1.2600, Service Pack 2
    [10/26/2007, 22:47:36] - Current Username: RICKYLEE (Admin)
    [10/26/2007, 22:47:36] - Windows is in SAFE mode with Networking.
    [10/26/2007, 22:47:36] - Searching for Browser Helper Objects:
    [10/26/2007, 22:47:36] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
    [10/26/2007, 22:47:36] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
    [10/26/2007, 22:47:36] - BHO 3: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
    [10/26/2007, 22:47:36] - Finished Searching Browser Helper Objects
    [10/26/2007, 22:47:36] - Finishing up...
    [10/26/2007, 22:47:36] - Nothing found! Exiting...

    I would appreciate it if someone could advise me whether I have removed the Trojan.

    Thanks in advance for your help.

    Best regards,
    Rickronn
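The log above is the kind of thing a helper reads by eye: the `[3c5fbd0f]` rundll32 entry, the `[Microsoft] mqrgsh.exe` value present under both `Run` and `RunServices`, and the populated `AppInit_DLLs` line are the entries that stand out. The script below is an added example, not part of this thread and not a feature of HijackThis or any other tool named in it; it parses a constructed handful of lines copied from the posted log and applies those same checks, so the function names, regexes and heuristics are my own assumptions, not anything the tools themselves do.

```python
import re

# Constructed sample: lines copied from the HijackThis log posted above, plus the
# NvCplDaemon entry (also from that log) to show a legitimate rundll32 line is not flagged.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Microsoft] mqrgsh.exe
O4 - HKLM\..\Run: [3c5fbd0f] rundll32.exe "C:\WINDOWS\system32\eqecngwi.dll",b
O4 - HKLM\..\RunServices: [Microsoft] mqrgsh.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: at.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

# "O4 - HKLM\..\Run: [name] command" (the hive may carry a SID, e.g. HKUS\S-1-5-19\..\Run)
O4_RE = re.compile(r"^O4 - (?P<hive>[^\\]+)\\.*?\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
# rundll32 loading a DLL, capturing the export name after the comma
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\S+)$', re.IGNORECASE)
# Vundo-style random value names such as "3c5fbd0f" (hypothetical heuristic)
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$", re.IGNORECASE)


def parse_o4(line):
    """Split an O4 autostart line into hive, key, value name and command, or None."""
    m = O4_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text):
    """Return (log line, reason) pairs for autostart entries that deserve a closer look."""
    findings = []
    by_entry = {}  # (name, cmd) lowercased -> first line seen and the Run* keys it appears under
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        o4 = parse_o4(line)
        if o4 is None:
            m = O20_RE.match(line)
            if m:
                findings.append((line, f"AppInit_DLLs is populated ({m.group('dlls')}); every DLL "
                                       "listed there is loaded into each process that links user32.dll"))
            continue
        name, cmd, key = o4["name"], o4["cmd"], o4["key"]
        if HEX_NAME_RE.match(name):
            findings.append((line, "value name is a random-looking 8-hex-character string"))
        m = RUNDLL_RE.search(cmd)
        if m and len(m.group("export")) == 1:
            findings.append((line, f"rundll32 loads {m.group('dll')} through a single-letter "
                                   f"export '{m.group('export')}'"))
        rec = by_entry.setdefault((name.lower(), cmd.lower()), {"line": line, "keys": set()})
        rec["keys"].add(key.lower())
    for rec in by_entry.values():
        if {"run", "runservices"} <= rec["keys"]:
            findings.append((rec["line"], "identical entry under both Run and RunServices "
                                          "(RunServices is a Win9x-era key that NT-based Windows does not process)"))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

The checks are deliberately narrow so that the ordinary entries in the same log (SoundMan, ctfmon, the NVIDIA rundll32 lines, nod32kui) pass untouched; a finding is a prompt to look the file up, not a verdict.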
     
  2. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Download ComboFix to your Desktop.

    • Double click combofix.exe and follow the prompts.
    • When finished, it will produce a log for you. Post that log and a new HijackThis log in your next reply
    Note: Do not mouseclick combofix's window while it's running as that may cause it to stall
     
  3. rickronn

    rickronn Thread Starter

    Joined:
    May 19, 2007
    Messages:
    107
    Hello, Cheeseball81,

    Thanks for your advice. I have used ComboFix to clean my system; please find the log from it below.

    ComboFix 07-10-26.4 - RICKYLEE 2007-10-27 16:20:45.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.950.1.1028.18.1562 [GMT 8:00]
    執行位置?: C:\Documents and Settings\RICKYLEE\桌面\ComboFix.exe
    * 已建立新的還原點
    .

    (((((((((((((((((((((((((((((((((((((( 其他遭刪除的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\1234.exe
    C:\WINDOWS\system32\ccbeg.bak1
    C:\WINDOWS\system32\ccbeg.ini
    C:\WINDOWS\system32\gebcc.dll
    C:\WINDOWS\system32\tttss.bak1
    C:\WINDOWS\system32\tttss.bak2
    C:\WINDOWS\system32\tttss.ini
    C:\WINDOWS\system32\tttss.ini2
    C:\WINDOWS\system32\tttss.tmp

    .
    (((((((((((((((((((((((((((( 2007-09-27 - 2007-10-27 之間建立的檔案 )))))))))))))))))))))))))))))))))
    .

    2007-10-27 16:23 284,876 --a------ C:\Documents and Settings\RICKYLEE\catchme.zip
    2007-10-27 16:18 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-10-26 23:38 9,216 --a------ C:\12load.exe
    2007-10-26 23:32 58,368 --------- C:\12luxe.exe
    2007-10-26 23:32 34,304 --a------ C:\WINDOWS\system32\vturqnl.dll
    2007-10-26 22:51 <DIR> d-------- C:\Program Files\Trend Micro
    2007-10-26 01:16 <DIR> d-------- C:\VundoFix Backups
    2007-10-26 01:11 84,544 --a------ C:\WINDOWS\system32\eqecngwi.dll
    2007-10-25 00:05 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
    2007-10-25 00:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
    2007-10-24 23:58 <DIR> d-------- C:\Program Files\Common Files\Adobe
    2007-10-24 04:06 34,304 --a------ C:\WINDOWS\system32\yayyxyx.dll.vir
    2007-10-24 00:46 <DIR> d-------- C:\Program Files\Alcohol Soft
    2007-10-24 00:43 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
    2007-10-23 20:12 <DIR> d-------- C:\Program Files\PowerQuest
    2007-10-23 00:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SlySoft
    2007-10-23 00:16 <DIR> d-------- C:\Program Files\SlySoft
    2007-10-23 00:08 <DIR> d-------- C:\Documents and Settings\RICKYLEE\Application Data\ImgBurn
    2007-10-23 00:07 <DIR> d-------- C:\Program Files\ImgBurn
    2007-10-22 09:46 <DIR> d-------- C:\Documents and Settings\RICKYLEE\Application Data\Apple Computer
    2007-10-22 09:45 <DIR> d-------- C:\Program Files\QuickTime
    2007-10-22 09:45 <DIR> d-------- C:\Program Files\iTunes
    2007-10-22 09:45 <DIR> d-------- C:\Program Files\iPod
    2007-10-22 09:45 <DIR> d-------- C:\Program Files\Apple Software Update
    2007-10-22 09:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
    2007-10-22 09:44 <DIR> d-------- C:\Program Files\Common Files\Apple
    2007-10-22 09:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
    2007-10-21 16:30 <DIR> d-------- C:\Documents and Settings\RICKYLEE\Application Data\Ulead Systems
    2007-10-21 16:28 <DIR> d-------- C:\Program Files\Ulead Systems
    2007-10-21 16:28 <DIR> d-------- C:\Program Files\Common Files\Ulead Systems
    2007-10-21 16:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ulead Systems
    2007-10-21 16:28 1,056,768 --a------ C:\WINDOWS\system32\ROBOEX32.DLL
    2007-10-21 16:28 49,152 --a------ C:\WINDOWS\system32\INETWH32.dll
    2007-10-21 16:05 <DIR> d-------- C:\Program Files\MagicISO
    2007-10-19 12:49 <DIR> d-------- C:\Program Files\DVD Shrink
    2007-10-19 12:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
    2007-10-18 22:49 <DIR> d-------- C:\Program Files\Xvid
    2007-10-18 22:49 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
    2007-10-18 22:49 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
    2007-10-18 22:47 <DIR> d-------- C:\Program Files\AviSynth 2.5
    2007-10-18 22:31 <DIR> d--h----- C:\WINDOWS\PIF
    2007-10-18 00:34 <DIR> d-------- C:\Program Files\Custom Technology
    2007-10-17 21:26 <DIR> d-------- C:\Program Files\Avi2Dvd
    2007-10-16 20:47 <DIR> d-------- C:\Program Files\Tiburon_by_Hyundai
    2007-10-16 20:46 208,953 -ra------ C:\HYInstLib.dll
    2007-10-16 20:46 32,768 -ra------ C:\JWUsbChk.dll
    2007-10-16 20:46 29,256 -ra------ C:\WINDOWS\system32\drivers\hwpad.SYS
    2007-10-16 20:46 29,256 -ra------ C:\hwpad.sys
    2007-10-15 20:47 <DIR> d-------- C:\Documents and Settings\RICKYLEE\WINDOWS
    2007-10-15 20:47 299,520 --a------ C:\WINDOWS\IsUn0804.exe
    2007-10-15 20:24 20,704 --a------ C:\WINDOWS\system32\drivers\PPMOUCLS.SYS
    2007-10-15 19:53 <DIR> d-------- C:\Program Files\MSXML 4.0
    2007-10-14 16:16 <DIR> d-------- C:\Program Files\Common Files\Nero
    2007-10-14 16:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
    2007-10-14 15:24 <DIR> d-------- C:\Program Files\Codec Pack - All In 1
    2007-10-14 15:24 <DIR> d-------- C:\Documents and Settings\All Users\「開始」功
    2007-10-14 15:24 737,280 --a------ C:\WINDOWS\iun6002.exe
    2007-10-14 15:16 <DIR> d-------- C:\Program Files\XP Codec Pack
    2007-10-14 15:00 <DIR> d-------- C:\Documents and Settings\RICKYLEE\Application Data\Nero
    2007-10-14 14:58 <DIR> d-------- C:\Program Files\Nero
    2007-10-14 14:14 <DIR> d-------- C:\Program Files\Microsoft Works
    2007-10-14 14:12 <DIR> d-------- C:\WINDOWS\SHELLNEW
    2007-10-14 14:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2007-10-14 14:11 <DIR> dr-h----- C:\MSOCache
    2007-10-14 01:03 <DIR> d-------- C:\Program Files\WinAVI Video Converter
    2007-10-14 01:00 <DIR> d-------- C:\Program Files\WinAVI DVD Copy
    2007-10-13 00:01 <DIR> d-------- C:\Documents and Settings\RICKYLEE\Application Data\CyberLink
    2007-10-12 23:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
    2007-10-12 23:59 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
    2007-10-12 23:58 <DIR> d-------- C:\Program Files\CyberLink
    2007-10-12 23:58 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
    2007-10-12 23:58 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
    2007-10-12 22:33 <DIR> d-------- C:\Program Files\Webshots
    2007-10-12 22:33 <DIR> d-------- C:\Documents and Settings\RICKYLEE\Application Data\Webshots
    2007-10-12 22:10 <DIR> d-------- C:\Program Files\Windows Media Connect 2
    2007-10-12 22:09 <DIR> d-------- C:\WINDOWS\system32\LogFiles
    2007-10-12 22:09 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
    2007-10-12 09:30 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
    2007-10-12 03:23 977,920 -----c--- C:\WINDOWS\system32\dllcache\explorer.exe
    2007-10-12 03:23 246,784 -----c--- C:\WINDOWS\system32\dllcache\tapisrv.dll
    2007-10-12 00:57 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
    2007-10-12 00:27 96,832 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys
    2007-10-11 01:17 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
    2007-10-11 01:17 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
    2007-10-11 01:17 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
    2007-10-11 01:11 <DIR> d-------- C:\Program Files\Real
    2007-10-11 01:11 <DIR> d-------- C:\Program Files\Common Files\xing shared
    2007-10-11 01:11 <DIR> d-------- C:\Program Files\Common Files\Real
    2007-10-11 00:34 <DIR> d-------- C:\我的下載
    2007-10-11 00:05 <DIR> d-------- C:\Documents and Settings\RICKYLEE\Application Data\Azureus
    2007-10-11 00:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
    2007-10-11 00:03 <DIR> d-------- C:\Program Files\Azureus
    2007-10-10 23:59 <DIR> d-------- C:\WINDOWS\Sun
    2007-10-10 23:57 <DIR> d-------- C:\Program Files\Java
    2007-10-10 23:54 <DIR> d-------- C:\Program Files\Common Files\Java
    2007-10-10 23:50 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
    2007-10-10 20:07 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
    2007-10-10 20:07 53,248 --a------ C:\WINDOWS\system32\CSVer.dll
    2007-10-10 20:06 <DIR> d-------- C:\Intel
    2007-10-10 20:05 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys

    .
    (((((((((((((((((((((((((((((((((((( 近三個月內更動的檔案 )))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-10-27 08:24 229,376 ---ha-w C:\Documents and Settings\LocalService\NTUSER.DAT
    2007-10-23 12:09 --------- d-----w C:\Program Files\Common Files\InstallShield
    2007-10-21 08:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-10-14 07:02 229,376 ---h--w C:\Documents and Settings\Default User\NTUSER.DAT
    2007-10-07 15:39 --------- d-----w C:\Program Files\Intel
    2007-10-07 15:23 --------- d-----w C:\Program Files\microsoft frontpage
    2007-09-16 17:07 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
    2007-09-16 17:07 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
    2007-09-16 17:07 8,491,008 ----a-w C:\WINDOWS\system32\nvcpl.dll
    2007-09-16 17:07 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe
    2007-09-16 17:07 6,853,088 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
    2007-09-16 17:07 6,746,112 ----a-w C:\WINDOWS\system32\nvoglnt.dll
    2007-09-16 17:07 6,344,704 ----a-w C:\WINDOWS\system32\nvdisps.dll
    2007-09-16 17:07 5,783,040 ----a-w C:\WINDOWS\system32\nv4_disp.dll
    2007-09-16 17:07 5,509,120 ----a-w C:\WINDOWS\system32\nvdispsr.dll
    2007-09-16 17:07 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
    2007-09-16 17:07 458,752 ----a-w C:\WINDOWS\system32\nvmccssr.dll
    2007-09-16 17:07 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
    2007-09-16 17:07 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
    2007-09-16 17:07 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
    2007-09-16 17:07 364,544 ----a-w C:\WINDOWS\system32\nvapi.dll
    2007-09-16 17:07 36,864 ----a-w C:\WINDOWS\system32\nvcodins.dll
    2007-09-16 17:07 36,864 ----a-w C:\WINDOWS\system32\nvcod.dll
    2007-09-16 17:07 335,872 ----a-w C:\WINDOWS\system32\nvwrses.dll
    2007-09-16 17:07 335,872 ----a-w C:\WINDOWS\system32\nvwrsel.dll
    2007-09-16 17:07 327,680 ----a-w C:\WINDOWS\system32\nvwrsfr.dll
    2007-09-16 17:07 327,680 ----a-w C:\WINDOWS\system32\nvwrsesm.dll
    2007-09-16 17:07 327,680 ----a-w C:\WINDOWS\system32\nvrshe.dll
    2007-09-16 17:07 327,680 ----a-w C:\WINDOWS\system32\nvrsar.dll
    2007-09-16 17:07 323,584 ----a-w C:\WINDOWS\system32\nvwrspt.dll
    2007-09-16 17:07 323,584 ----a-w C:\WINDOWS\system32\nvwrsit.dll
    2007-09-16 17:07 319,488 ----a-w C:\WINDOWS\system32\nvwrsptb.dll
    2007-09-16 17:07 319,488 ----a-w C:\WINDOWS\system32\nvwrsnl.dll
    2007-09-16 17:07 315,392 ----a-w C:\WINDOWS\system32\nvwrsru.dll
    2007-09-16 17:07 315,392 ----a-w C:\WINDOWS\system32\nvwrshu.dll
    2007-09-16 17:07 311,296 ----a-w C:\WINDOWS\system32\nvwrsde.dll
    2007-09-16 17:07 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
    2007-09-16 17:07 303,104 ----a-w C:\WINDOWS\system32\nvwrstr.dll
    2007-09-16 17:07 303,104 ----a-w C:\WINDOWS\system32\nvwrssl.dll
    2007-09-16 17:07 303,104 ----a-w C:\WINDOWS\system32\nvwrsfi.dll
    2007-09-16 17:07 3,629,056 ----a-w C:\WINDOWS\system32\nvvitvsr.dll
    2007-09-16 17:07 3,551,232 ----a-w C:\WINDOWS\system32\nvvitvs.dll
    2007-09-16 17:07 3,334,144 ----a-w C:\WINDOWS\system32\nvgames.dll
    2007-09-16 17:07 3,166,208 ----a-w C:\WINDOWS\system32\nvgamesr.dll
    2007-09-16 17:07 299,008 ----a-w C:\WINDOWS\system32\nvwrssk.dll
    2007-09-16 17:07 299,008 ----a-w C:\WINDOWS\system32\nvwrsno.dll
    2007-09-16 17:07 294,912 ----a-w C:\WINDOWS\system32\nvwrssv.dll
    2007-09-16 17:07 294,912 ----a-w C:\WINDOWS\system32\nvwrspl.dll
    2007-09-16 17:07 294,912 ----a-w C:\WINDOWS\system32\nvwrsda.dll
    2007-09-16 17:07 290,816 ----a-w C:\WINDOWS\system32\nvwrsth.dll
    2007-09-16 17:07 286,720 ----a-w C:\WINDOWS\system32\nvwrseng.dll
    2007-09-16 17:07 286,720 ----a-w C:\WINDOWS\system32\nvwrscs.dll
    2007-09-16 17:07 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
    2007-09-16 17:07 282,624 ----a-w C:\WINDOWS\system32\nvwrsar.dll
    2007-09-16 17:07 282,624 ----a-w C:\WINDOWS\system32\nvrsfr.dll
    2007-09-16 17:07 282,624 ----a-w C:\WINDOWS\system32\nvrses.dll
    2007-09-16 17:07 282,624 ----a-w C:\WINDOWS\system32\nvrsel.dll
    2007-09-16 17:07 278,528 ----a-w C:\WINDOWS\system32\nvwrshe.dll
    2007-09-16 17:07 278,528 ----a-w C:\WINDOWS\system32\nvrsit.dll
    2007-09-16 17:07 278,528 ----a-w C:\WINDOWS\system32\nvrsde.dll
    2007-09-16 17:07 274,432 ----a-w C:\WINDOWS\system32\nvrspt.dll
    2007-09-16 17:07 274,432 ----a-w C:\WINDOWS\system32\nvrsnl.dll
    2007-09-16 17:07 274,432 ----a-w C:\WINDOWS\system32\nvrsesm.dll
    2007-09-16 17:07 270,336 ----a-w C:\WINDOWS\system32\nvrsru.dll
    2007-09-16 17:07 266,240 ----a-w C:\WINDOWS\system32\nvrsptb.dll
    2007-09-16 17:07 266,240 ----a-w C:\WINDOWS\system32\nvrsja.dll
    2007-09-16 17:07 258,048 ----a-w C:\WINDOWS\system32\nvrstr.dll
    2007-09-16 17:07 258,048 ----a-w C:\WINDOWS\system32\nvrssl.dll
    2007-09-16 17:07 258,048 ----a-w C:\WINDOWS\system32\nvrssk.dll
    2007-09-16 17:07 258,048 ----a-w C:\WINDOWS\system32\nvrsko.dll
    2007-09-16 17:07 258,048 ----a-w C:\WINDOWS\system32\nvrshu.dll
    2007-09-16 17:07 253,952 ----a-w C:\WINDOWS\system32\nvrsth.dll
    2007-09-16 17:07 253,952 ----a-w C:\WINDOWS\system32\nvrssv.dll
    2007-09-16 17:07 253,952 ----a-w C:\WINDOWS\system32\nvrspl.dll
    2007-09-16 17:07 253,952 ----a-w C:\WINDOWS\system32\nvrsno.dll
    2007-09-16 17:07 253,952 ----a-w C:\WINDOWS\system32\nvrsda.dll
    2007-09-16 17:07 249,856 ----a-w C:\WINDOWS\system32\nvrsfi.dll
    2007-09-16 17:07 249,856 ----a-w C:\WINDOWS\system32\nvrscs.dll
    2007-09-16 17:07 245,760 ----a-w C:\WINDOWS\system32\nvrseng.dll
    2007-09-16 17:07 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
    2007-09-16 17:07 225,280 ----a-w C:\WINDOWS\system32\nvrszhc.dll
    2007-09-16 17:07 212,992 ----a-w C:\WINDOWS\system32\nvwrsja.dll
    2007-09-16 17:07 2,854,912 ----a-w C:\WINDOWS\system32\nvmoblsr.dll
    2007-09-16 17:07 2,441,216 ----a-w C:\WINDOWS\system32\nvwssr.dll
    2007-09-16 17:07 2,371,584 ----a-w C:\WINDOWS\system32\nvwss.dll
    2007-09-16 17:07 196,608 ----a-w C:\WINDOWS\system32\nvwrsko.dll
    2007-09-16 17:07 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
    2007-09-16 17:07 167,936 ----a-w C:\WINDOWS\system32\nvwrszht.dll
    2007-09-16 17:07 163,840 ----a-w C:\WINDOWS\system32\nvwrszhc.dll
    2007-09-16 17:07 155,716 ----a-w C:\WINDOWS\system32\nvsvc32.exe
    2007-09-16 17:07 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
    2007-09-16 17:07 126,976 ----a-w C:\WINDOWS\system32\nvrszht.dll
    2007-09-16 17:07 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
    2007-09-16 17:07 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
    2007-09-16 17:07 1,478,656 ----a-w C:\WINDOWS\system32\nview.dll
    2007-09-16 17:07 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
    2007-09-16 17:07 1,150,976 ----a-w C:\WINDOWS\system32\nvmobls.dll
    2007-09-16 17:07 1,073,152 ----a-w C:\WINDOWS\system32\nvcpluir.dll
    2007-09-16 17:07 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
    2007-08-21 06:16 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    2007-06-18 11:39:41 152,576 --sha-r C:\WINDOWS\system32\mqrgsh.exe
    .

    (((((((((((((((((((((((((((((((((((((((((( 重要登錄檔 )))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *注意* 空白或合法的登錄值將不會顯示

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EA6CC4C8-D1B2-4174-9D42-2A5D6F06812A}]
    C:\WINDOWS\system32\gebcc.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F6B1F430-52B5-4478-9FC6-A94F79D423C3}]
    2007-10-26 23:32 34304 --a------ C:\WINDOWS\system32\vturqnl.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft"="mqrgsh.exe" [2007-06-18 19:39 C:\WINDOWS\system32\mqrgsh.exe]
    "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 13:31]
    "SoundMan"="SOUNDMAN.EXE" [2003-08-05 13:59 C:\WINDOWS\SOUNDMAN.EXE]
    "NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2007-09-17 01:07]
    "nwiz"="nwiz.exe" [2007-09-17 01:07 C:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2007-09-17 01:07]
    "nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-10-10 23:50]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-11 01:11]
    "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 22:57]
    "LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-04-13 11:09]
    "NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57]
    "Ulead AutoDetector v2"="C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2004-11-26 11:43]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42]
    "Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 23:24]
    "3c5fbd0f"="C:\WINDOWS\system32\eqecngwi.dll" [2007-10-26 01:11]
    "combofix"="C:\WINDOWS\system32\cmd.exe" [2004-08-12 09:16]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 09:16]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-08-03 12:51]
    "AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2007-10-23 00:20]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
    "Microsoft"=mqrgsh.exe

    C:\Documents and Settings\RICKYLEE\「開始」功能表\程式集\啟動\
    Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2007-10-12 22:33:03]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
    "{F6B1F430-52B5-4478-9FC6-A94F79D423C3}"= C:\WINDOWS\system32\vturqnl.dll [2007-10-26 23:32 34304]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vturqnl]
    vturqnl.dll 2007-10-26 23:32 34304 C:\WINDOWS\system32\vturqnl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=at.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"= msv1_0 C:\WINDOWS\system32\gebcc.dll

    R3 hwmouser;Hanwang Technology CO.LTD HID Tablet Device;C:\WINDOWS\system32\DRIVERS\hwpad.sys

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a6456aab-7faf-11dc-b8bb-000740ca46f7}]
    1\Command - autorun.pif
    2\Command - autorun.pif
    AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL autorun.pif

    .
    **************************************************************************

    catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-10-27 16:26:55
    Windows 5.1.2600 Service Pack 2 NTFS

    掃描隱藏的程序...

    掃描隱藏的進程...

    掃描隱藏的檔案...

    掃描完成
    隱藏檔案?: 0

    **************************************************************************
    .
    完成時間?: 2007-10-27 16:28:00 - machine was rebooted
    .
    --- E O F ---

    And below is the new HJT log after the sweep by ComboFix.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 下午 04:36:31, on 2007/10/27
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    C:\WINDOWS\system32\conime.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\mqrgsh.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
    C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\PROGRA~1\Webshots\webshots.scr
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
    O4 - HKLM\..\Run: [3c5fbd0f] rundll32.exe "C:\WINDOWS\system32\eqecngwi.dll",b
    O4 - HKLM\..\Run: [Microsoft] mqrgsh.exe
    O4 - HKLM\..\RunServices: [Microsoft] mqrgsh.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
    O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1191931315218
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B52056F4-DDEB-4A51-B71A-F7B4666D006A}: NameServer = 205.252.144.28 218.102.23.77
    O20 - AppInit_DLLs: at.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: iPod 服務 (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
    O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

    --
    End of file - 7577 bytes

    Thanks again for your help.

    Best regards,
    Rickronn
     
  4. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Download and install AVG Anti-Spyware v7.5
    • After download, double click on the file to launch the install process.
    • Choose a language, click "OK" and then click "Next".
    • Read the "License Agreement" and click "I Agree".
    • Accept default installation path: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5, click "Next", then click "Install".
    • After setup completes, click "Finish" to start the program automatically or launch AVG Anti-Spyware by double-clicking its icon on your desktop or in the system tray.
    • The main "Status" menu will appear. Select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'. As AVG Anti-Spyware may interfere with some of our other fixes, we are temporarily disabling its active protection features until your system is clean, then you can re-enable them.
    • Then right click on AVG Anti-Spyware in the system tray and uncheck "Start with Windows".
    • Connect to the Internet, go back to AVG Anti-Spyware, select the "Update" button and click "Start update".
      Wait until you see the "Update successful" message. If you are having problems with the updater, manually download and update with the AVG Anti-Spyware Full database installer.
    • Exit AVG Anti-Spyware when done - DO NOT perform a scan yet.
    Reboot your computer in SAFE MODE using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". (Note: When run in safe mode, sometimes the GUI is larger than the screen and the buttons at the bottom are partly or completely hidden, making them inaccessible for doing a scan. If this happens press Alt + Spacebar. A menu will come open, make sure you select maximize then run the scan. If that does not help, then you may have to run your scan in normal mode and advise your helper afterwards.)

    Scan with AVG Anti-Spyware as follows:
    • Click on the "Scanner" button and choose the "Settings" tab.
    • Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
    • Under "How to Scan?", "Possibly unwanted software", and "What to Scan?" leave all the default settings.
    • Under "Reports" select "Do not automatically generate reports".
    • Click the "Scan" tab to return to scanning options.
    • Click "Complete System Scan" to start.
    • When the scan has finished, it should automatically be set to Quarantine--if not click on Recommended Action and set it there.
    • You will also be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.
    IMPORTANT! Do not save the report before you have clicked the "Apply all actions" button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.
    • Click on "Save Report" to view all completed scans. Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt. Save to your desktop. A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\
    • Exit AVG Anti-Spyware when done, reboot normally and post the log report in your next response.
    Note: Close all open windows, programs, and DO NOT USE the computer while AVG Anti-Spyware is scanning. Doing so can hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection.

    AVG Anti-Spyware is free for 30 days and all the extensions of the full version will be activated. After the 30 day trial, active protection extensions will be deactivated and the program will turn into a feature-limited freeware version that you can continue to use as an on-demand scanner or you may purchase a license to use the full version. We are installing AVG Anti-Spyware with its real-time protection disabled. Once your system is clean you may re-enable it so you can continue using this feature for the remainder of the trial period.


    Please go HERE to run Panda's ActiveScan
    • You need to use IE to run this scan
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report


    Come back here and post a new HijackThis log along with the logs from the AVG and Panda scans.
     
  5. rickronn

    rickronn Thread Starter

    Joined:
    May 19, 2007
    Messages:
    107
    Hello, Cheeseball81,

    I have followed your advice; please find below the logs from the scans by AVG Anti-Spyware and Panda ActiveScan.

    Below is the log from AVG Anti-Spyware:

    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 下午 04:25:08 2007/10/28

    + Scan result:



    E:\System Volume Information\_restore{292D538F-B1FC-4212-B44C-329C937E8B74}\RP30\A0014539.exe/is67433.exe -> Adware.Virtumonde : Cleaned.
    C:\Program Files\Nero\Nero8\nero 8 ultra keygen.exe -> Dropper.Agent.ccs : Cleaned.
    E:\Misc. Download 1\AHEAD\Nero v.8 ultra\copy2\nero 8 ultra keygen.exe -> Dropper.Agent.ccs : Cleaned.
    E:\Misc. Download 1\TMPGEnc\TMPGEnc 4.0 Express\TMPGEnc 4.0 XPress + DVD Author 3 with DivX Authoring (English Retail)\TMPGEnc DVD Author 3 with DivX Authoring\TDA3_Retail_3.0.5.149_install_EN.exe/Win.exe -> Logger.Delf.wh : Cleaned.
    C:\Documents and Settings\RICKYLEE\Cookies\[email protected][1].txt -> TrackingCookie.Adbrite : Cleaned.
    C:\Documents and Settings\RICKYLEE\Cookies\[email protected][1].txt -> TrackingCookie.Adbrite : Cleaned.
    C:\Documents and Settings\RICKYLEE\Cookies\[email protected][2].txt -> TrackingCookie.Atdmt : Cleaned.
    C:\Documents and Settings\RICKYLEE\Cookies\[email protected][2].txt -> TrackingCookie.Doubleclick : Cleaned.
    C:\Documents and Settings\RICKYLEE\Cookies\[email protected][1].txt -> TrackingCookie.Fastclick : Cleaned.
    C:\Documents and Settings\RICKYLEE\Cookies\[email protected][2].txt -> TrackingCookie.Overture : Cleaned.
    C:\Documents and Settings\RICKYLEE\Cookies\[email protected][2].txt -> TrackingCookie.Webtrends : Cleaned.
    C:\Documents and Settings\RICKYLEE\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned.


    ::Report end


    And this is the scan log from Panda Activescan:


    Incident Status Location

    Virus:Bck/Delf.AGQ Disinfected Operating system
    Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\RICKYLEE\catchme.zip[gebcc.dll]
    Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\RICKYLEE\桌面\ComboFix.exe[nircmd.exe]
    Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\RICKYLEE\桌面\ComboFix.exe[nircmd.cfexe]
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\RICKYLEE\桌面\VirtumundoBeGone.exe
    Virus:Generic Malware Disinfected C:\Program Files\WinRAR\WinRAR_v34_buildAll_crk.exe
    Virus:Generic Malware Disinfected C:\qoobox\Quarantine\C\1234.exe.vir
    Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe
    Virus:Trj/Downloader.QOW Disinfected C:\WINDOWS\system32\mqrgsh.exe
    Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\vturqnl.dll.vir
    Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\yayyxyx.dll.vir
    Adware:Adware/BrianCodec Not disinfected D:\ESET[1].NOD32.v2.50.41.WinNT2kXP.READ.NFO-AGAiN\run.exe
    Adware:Adware/BrianCodec Not disinfected D:\ESET[1].NOD32.v2.50.41.WinNT2kXP.READ.NFO-AGAiN.ZIP[run.exe]
    Adware:Adware/BrianCodec Not disinfected D:\ESET[1].NOD32.v2.51.30.WinNT2K2K3XP.Cracked.REPACK-BRD\run.exe
    Adware:Adware/BrianCodec Not disinfected D:\ESET[1].NOD32.v2.51.30.WinNT2K2K3XP.Cracked.REPACK-BRD.rar[run.exe]
    Adware:Adware/SecurityError Not disinfected D:\Eset_NOD32_Antivirus_Administrator_Edition_v2.50.25_Win2KXP_Cracked_by_ARN\start.exe
    Adware:Adware/SecurityError Not disinfected D:\Eset_NOD32_Antivirus_Administrator_Edition_v2.50.25_Win2KXP_Cracked_by_ARN.zip[start.exe]
    Potentially unwanted tool:Application/NirCmd.A Not disinfected E:\Misc. Download 1\VirusFix\ComboFix.exe[nircmd.exe]
    Virus:Generic Malware Disinfected E:\Misc. Download 1\WinRaR\Crack\winrar2345612323_crack\WinRAR_v34_buildAll_crk.exe
    Virus:Generic Malware Not disinfected E:\Misc. Download 1\WinRaR\winrar2345612323_crack.rar[winrar2345612323_crack\WinRAR_v34_buildAll_crk.exe]
    Virus:Bck/Hupigon.AZG Disinfected E:\System Volume Information\_restore{292D538F-B1FC-4212-B44C-329C937E8B74}\RP1\A0000011.exe
    Potentially unwanted tool:Application/NirCmd.A Not disinfected E:\System Volume Information\_restore{292D538F-B1FC-4212-B44C-329C937E8B74}\RP3\A0000174.exe[nircmd.exe]

    Best regards,
    Rickronn
     
  6. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Please download VundoFix.exe to your desktop.



    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.


    Then rerun ComboFix and post the results.
     
  7. rickronn

    rickronn Thread Starter

    Joined:
    May 19, 2007
    Messages:
    107
    Hello, Cheeseball81,

    Thanks for your advice. I have scanned with VundoFix and it did not find any problem, so no cleanup was needed.

    The VundoFix log is as follows:

    VundoFix V6.5.10

    Checking Java version...

    Scan started at 下午 08:20:30 2007/10/29

    Listing files found while scanning....

    No infected files were found.


    Beginning removal...



    Below is the scan log from HJT as per your advice:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 下午 08:21:41, on 2007/10/29
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    C:\WINDOWS\system32\dmtthi.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\PROGRA~1\Webshots\webshots.scr
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
    O4 - HKLM\..\Run: [3c5fbd0f] rundll32.exe "C:\WINDOWS\system32\fmxefgvk.dll",b
    O4 - HKLM\..\Run: [Microsoft] dmtthi.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\RunServices: [Microsoft] dmtthi.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
    O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1191931315218
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B52056F4-DDEB-4A51-B71A-F7B4666D006A}: NameServer = 205.252.144.28 218.102.23.77
    O20 - AppInit_DLLs: at.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: iPod 服務 (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
    O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

    --
    End of file - 8505 bytes

    By the way, I have not had any problem for two days now. Think I may have won this time with your valuable advice.

    Best regards,
    Rickronn
     
  8. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    1. Please download The Avenger by Swandog46 to your Desktop.
    • Click on Avenger.zip to open the file
    • Extract avenger.exe to your desktop

    2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


    3. Now, start The Avenger program by clicking on its icon on your desktop.
    • Under "Script file to execute" choose "Input Script Manually".
    • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
    • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    • Click Done
    • Now click on the Green Light to begin execution of the script
    • Answer "Yes" twice when prompted.
    4. The Avenger will automatically do the following:
    • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    • On reboot, it will briefly open a black command window on your desktop, this is normal.
    • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
    5. Please copy/paste the content of c:\avenger.txt into your reply.

    Rescan with Hijack This, close all browser windows except Hijack This, put a checkmark beside these entries and click fix checked.

    O4 - HKLM\..\Run: [3c5fbd0f] rundll32.exe "C:\WINDOWS\system32\fmxefgvk.dll",b

    O4 - HKLM\..\Run: [Microsoft] dmtthi.exe

    O4 - HKLM\..\RunServices: [Microsoft] dmtthi.exe

    O20 - AppInit_DLLs: at.dll


    Reboot and post another Hijack This log please.
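The entries Cheeseball81 singles out above (Run values with random-looking names, a RunServices key, a populated AppInit_DLLs line) are the usual Vundo/Winfixer tells in a HijackThis log. As an added example that is not part of this thread and not a HijackThis feature, the Python script below applies that same reasoning to HijackThis-format lines automatically. The sample lines are copied from the logs posted in this thread; KNOWN_GOOD is an assumed, deliberately tiny allowlist standing in for the knowledge a reviewer brings to a log.

```python
"""Triage of HijackThis O4/O20 lines, following the reasoning used in this thread.
Added example, not a tool from the thread. Sample lines come from the posted logs;
KNOWN_GOOD is an assumed stub of the much longer allowlist a real reviewer carries."""
import re

# Constructed sample: lines taken from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [3c5fbd0f] rundll32.exe "C:\WINDOWS\system32\fmxefgvk.dll",b
O4 - HKLM\..\Run: [Microsoft] dmtthi.exe
O4 - HKLM\..\RunServices: [Microsoft] dmtthi.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: at.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$')
O20_RE = re.compile(r'^O20 - (?P<kind>[^:]+): (?P<value>.*)$')
FILE_RE = re.compile(r'([\w-]+\.(?:exe|dll))', re.IGNORECASE)

# Assumed stub allowlist: a real triage list is far longer.
KNOWN_GOOD = {"ctfmon.exe", "soundman.exe", "nvcpl.dll", "nod32kui.exe"}
VOWELS = set("aeiou")


def looks_random(name):
    """Heuristic for generated names: an 8-digit hex token, or 6-10 letters/digits
    with fewer than one vowel in four (fmxefgvk, dmtthi). It mis-fires on a few
    real names (ctfmon), which is why KNOWN_GOOD is consulted first."""
    token = name.lower()
    if re.fullmatch(r'[0-9a-f]{8}', token):
        return True
    if not re.fullmatch(r'[a-z0-9]{6,10}', token):
        return False
    return sum(c in VOWELS for c in token) / len(token) < 0.25


def triage(log_text):
    """Return (reason, line) pairs for entries a reviewer should look at."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            label, key, cmd = m['label'], m['key'], m['cmd']
            # For rundll32 lines the interesting file is the DLL argument, i.e. the last file token.
            files = FILE_RE.findall(cmd)
            target = files[-1].lower() if files else cmd.lower()
            if key.lower() == 'runservices':
                findings.append(('RunServices key: honoured only by Windows 9x/ME, a red flag on XP', line))
            if target not in KNOWN_GOOD and (looks_random(label) or looks_random(target.rsplit('.', 1)[0])):
                findings.append(('random-looking autorun name', line))
            if label.lower() == 'microsoft' and '\\' not in cmd:
                findings.append(('vendor-name label with a bare filename and no path', line))
            continue
        m = O20_RE.match(line)
        if m and m['kind'] == 'AppInit_DLLs' and m['value'].strip():
            findings.append(('AppInit_DLLs set: the DLL is loaded into every process that maps user32.dll', line))
    return findings


if __name__ == '__main__':
    for reason, line in triage(SAMPLE_LOG):
        print(f'{reason}\n    {line}')
```

Run against the sample, the script reports exactly the four lines Cheeseball81 asked to have fixed and stays silent on the SoundMan, NVIDIA, NOD32, ctfmon and SUPERAntiSpyware entries; the vowel-ratio heuristic is only a first filter, and the allowlist is what keeps it from flagging legitimate short names.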
     
  9. rickronn

    rickronn Thread Starter

    Joined:
    May 19, 2007
    Messages:
    107
    Hello, Cheeseball81,

    Have followed your instructions. Please find below content of Avenger.txt:

    Logfile of The Avenger version 1, by Swandog46
    Running from registry key:
    \Registry\Machine\System\CurrentControlSet\Services\ecrrekfs

    *******************

    Script file located at: \??\C:\WINDOWS\system32\dbnqcogq.txt
    Script file opened successfully.

    Script file read successfully

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    File C:\WINDOWS\system32\fmxefgvk.dll deleted successfully.
    File C:\WINDOWS\system32\dmtthi.exe deleted successfully.


    File C:\WINDOWS\system32\at.dll not found!
    Deletion of file C:\WINDOWS\system32\at.dll failed!

    Could not process line:
    C:\WINDOWS\system32\at.dll
    Status: 0xc0000034



    File C:\WINDOWS\system32\mqrgsh.exe not found!
    Deletion of file C:\WINDOWS\system32\mqrgsh.exe failed!

    Could not process line:
    C:\WINDOWS\system32\mqrgsh.exe
    Status: 0xc0000034

    File C:\WINDOWS\system32\vturqnl.dll.vir deleted successfully.
    File C:\WINDOWS\system32\yayyxyx.dll.vir deleted successfully.

    Completed script processing.

    *******************

    Finished! Terminate.

    And this is the scan log from HJT.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 下午 08:22:12, on 2007/10/31
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
    C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\PROGRA~1\Webshots\webshots.scr
    C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
    O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1191931315218
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: iPod 服務 (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
    O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

    --
    End of file - 7549 bytes

    By the way, I have posted another thread to seek your help to remove trojan generic6.MCT on my friend's system. Would appreciate if you would advise me.

    Best regards,
    Rickronn
     
  10. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Do you have a link? I don't know how around I will be tomorrow.

    How are things with this machine?
     
  11. rickronn

    rickronn Thread Starter

    Joined:
    May 19, 2007
    Messages:
    107
    Hello, Cheeseball81,

    My system ran fine last night. However, there were several occasions when NOD32 blocked adware infections. I am wondering if there is still something in my system that triggers them.
    Let me run it a couple more days and I will post a "Problem Solved" if everything checks out.

    As for my other post, please find the link as follows.
    http://forums.techguy.org/showthread.php?t=645770

    Best regards,
    Rickronn
     
  12. rickronn

    rickronn Thread Starter

    Joined:
    May 19, 2007
    Messages:
    107
    Hello, Cheeseball81,

    Regret to say that my system is still infected. Another IE window would open to another site, but I can close it and go back to my original IE window.

    NOD32 still blocks infections from time to time. I have attached the NOD32 virus details as follows.


    2007/11/2 00:12:26 AMON C:\DOCUME~1\RICKYLEE\LOCALS~1\Temp\phhdsbqs.dll a variant of Win32/Adware.SecToolbar - deleted C:\WINDOWS\Explorer.EXE. - quarantined。
    2007/11/2 00:12:24 AMON C:\Documents and Settings\RICKYLEE\Local Settings\Temporary Internet Files\Content.IE5\KXEJCLIN\upd32_v13[1] a variant of Win32/Adware.SecToolbar - deleted C:\WINDOWS\Explorer.EXE. - quarantined。
    2007/11/2 00:12:19 IMON http://82.98.235.78/test/notepad/up...9EFFFFF&guid=97287BE4EA78454B855497EEB7A4560A a variant of Win32/Adware.SecToolbar
    2007/11/2 00:10:32 AMON C:\DOCUME~1\RICKYLEE\LOCALS~1\Temp\wckyduwe.exe Win32/Agent.BCK trojan - deleted C:\WINDOWS\Explorer.EXE. - quarantined。
    2007/11/2 00:10:30 AMON C:\Documents and Settings\RICKYLEE\Local Settings\Temporary Internet Files\Content.IE5\ZZPBVX8O\vasya[1] Win32/Agent.BCK trojan - deleted C:\WINDOWS\Explorer.EXE. = quarantined。
    2007/11/2 00:10:24 IMON http://82.98.235.78/netob/vasya.exe...9EFFFFF&guid=97287BE4EA78454B855497EEB7A4560A Win32/Agent.BCK trojan
    2007/11/1 00:09:42 AMON C:\DOCUME~1\RICKYLEE\LOCALS~1\Temp\jfmhnpys.exe Win32/Agent.BCK trojan - deleted C:\WINDOWS\Explorer.EXE. quarantined。
    -------------------------------------------------------------------------------------------------------

    I am questioning the entries below from my HJT log. Would like to learn your comments.

    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

    Best regards,
    Rickronn
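The NOD32 entries above are more telling read across lines than one at a time: each IMON block of a download is followed within seconds by AMON detections of the dropped file under the user's Temp and Temporary Internet Files directories, and the process doing the writing is Explorer.EXE every time. As an added example (not a NOD32 feature and not part of this thread), the Python script below parses those lines and pairs each on-access detection with the download block that preceded it. The sample lines are copied from the post, with the truncated URLs left exactly as posted.

```python
"""Correlate NOD32 IMON (download block) and AMON (on-access) log entries.
Added example for this thread; the sample is the NOD32 excerpt posted above,
trimmed to the fields this script uses."""
import re
from collections import namedtuple
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample: the NOD32 lines from this thread (URLs truncated as in the post).
SAMPLE_NOD32_LOG = r"""
2007/11/2 00:12:26 AMON C:\DOCUME~1\RICKYLEE\LOCALS~1\Temp\phhdsbqs.dll a variant of Win32/Adware.SecToolbar - deleted C:\WINDOWS\Explorer.EXE. - quarantined
2007/11/2 00:12:24 AMON C:\Documents and Settings\RICKYLEE\Local Settings\Temporary Internet Files\Content.IE5\KXEJCLIN\upd32_v13[1] a variant of Win32/Adware.SecToolbar - deleted C:\WINDOWS\Explorer.EXE. - quarantined
2007/11/2 00:12:19 IMON http://82.98.235.78/test/notepad/up...9EFFFFF&guid=97287BE4EA78454B855497EEB7A4560A a variant of Win32/Adware.SecToolbar
2007/11/2 00:10:32 AMON C:\DOCUME~1\RICKYLEE\LOCALS~1\Temp\wckyduwe.exe Win32/Agent.BCK trojan - deleted C:\WINDOWS\Explorer.EXE. - quarantined
2007/11/2 00:10:30 AMON C:\Documents and Settings\RICKYLEE\Local Settings\Temporary Internet Files\Content.IE5\ZZPBVX8O\vasya[1] Win32/Agent.BCK trojan - deleted C:\WINDOWS\Explorer.EXE. = quarantined
2007/11/2 00:10:24 IMON http://82.98.235.78/netob/vasya.exe...9EFFFFF&guid=97287BE4EA78454B855497EEB7A4560A Win32/Agent.BCK trojan
2007/11/1 00:09:42 AMON C:\DOCUME~1\RICKYLEE\LOCALS~1\Temp\jfmhnpys.exe Win32/Agent.BCK trojan - deleted C:\WINDOWS\Explorer.EXE. quarantined
"""

# The object (path or URL) is everything up to the detection name, which always
# carries a "family/variant" slash; the writer process follows " - deleted ".
NOD32_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{1,2}/\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<module>AMON|IMON) '
    r'(?P<obj>.+?) '
    r'(?P<detection>(?:a variant of )?\S+/\S+(?: trojan| worm| application)?)'
    r'(?: - deleted (?P<process>\S+))?'
    r'.*$'
)

Event = namedtuple('Event', 'ts module obj detection process')
Drop = namedtuple('Drop', 'detection source_host path seconds_after_block writer')


def parse_nod32(text):
    """Parse log lines into Event tuples; unparseable lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = NOD32_RE.match(raw.strip())
        if not m:
            continue
        proc = m['process'].rstrip('.') if m['process'] else None
        events.append(Event(datetime.strptime(m['ts'], '%Y/%m/%d %H:%M:%S'),
                            m['module'], m['obj'], m['detection'], proc))
    return events


def correlate(events, window_seconds=60):
    """Pair each AMON detection with the latest IMON block of the same detection
    name inside the window; detections with no preceding block stay unpaired."""
    pairs = []
    last_block = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.module == 'IMON':
            last_block[e.detection] = e
            continue
        src = last_block.get(e.detection)
        delta = int((e.ts - src.ts).total_seconds()) if src else None
        if src and 0 <= delta <= window_seconds:
            pairs.append(Drop(e.detection, urlparse(src.obj).hostname, e.obj, delta, e.process))
        else:
            pairs.append(Drop(e.detection, None, e.obj, None, e.process))
    return pairs


def summarize(pairs):
    """Reduce the pairs to the facts that decide the next cleanup step."""
    return {
        'writers': sorted({p.writer for p in pairs if p.writer}),
        'source_hosts': sorted({p.source_host for p in pairs if p.source_host}),
        'paired': sum(p.source_host is not None for p in pairs),
        'unpaired': sum(p.source_host is None for p in pairs),
    }


if __name__ == '__main__':
    drops = correlate(parse_nod32(SAMPLE_NOD32_LOG))
    for d in drops:
        print(d)
    print(summarize(drops))
```

On the posted lines, summarize() comes back with one download host, one writer process (C:\WINDOWS\Explorer.EXE) and only the 1 November detection without a matching block. A shell process writing fresh payloads into Temp seconds after each download points at something loaded into Explorer, such as a BHO or shell extension, rather than a standalone downloader; that reading is consistent with the BHO CLSIDs the later SUPERAntiSpyware log reports. Emptying Temp removes the dropped files but not whatever keeps fetching them.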
     
  13. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    They seem to all be in the Temp location.

    * Click here to download ATF Cleaner by Atribune and save it to your desktop.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
      • If you use Firefox:
        • Click Firefox at the top and choose: Select All
        • Click the Empty Selected button.
        • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
      • If you use Opera:
        • Click Opera at the top and choose: Select All
        • Click the Empty Selected button.
        • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    • Click Exit on the Main menu to close the program.

    Those 2 entries are legit.
     
  14. rickronn

    rickronn Thread Starter

    Joined:
    May 19, 2007
    Messages:
    107
    Hello, Cheeseball81,

    Have followed your advice to use ATF-Cleaner to clean my system. Then I ran SUPERAntiSpyware to check it and it still found some infections. IE still opened up a window to another website as I was using it.

    Please find below the log from SUPERAntiSpyware.

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 11/03/2007 at 11:03 AM

    Application Version : 3.9.1008

    Core Rules Database Version : 3330
    Trace Rules Database Version: 1331

    Scan type : Complete Scan
    Total Scan Time : 00:04:05

    Memory items scanned : 441
    Memory threats detected : 2
    Registry items scanned : 5679
    Registry threats detected : 11
    File items scanned : 686
    File threats detected : 3

    Trojan.WinFixer
    C:\WINDOWS\SYSTEM32\GEEDC.DLL
    C:\WINDOWS\SYSTEM32\GEEDC.DLL
    HKLM\Software\Classes\CLSID\{3649853B-2690-4EE6-B2CB-0DEDE5F18100}
    HKCR\CLSID\{3649853B-2690-4EE6-B2CB-0DEDE5F18100}
    HKCR\CLSID\{3649853B-2690-4EE6-B2CB-0DEDE5F18100}\InprocServer32
    HKCR\CLSID\{3649853B-2690-4EE6-B2CB-0DEDE5F18100}\InprocServer32#ThreadingModel
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3649853B-2690-4EE6-B2CB-0DEDE5F18100}

    Trojan.Downloader-NewJuan/VM
    C:\WINDOWS\SYSTEM32\PTTXSDVN.DLL
    C:\WINDOWS\SYSTEM32\PTTXSDVN.DLL

    Adware.Vundo Variant
    HKLM\Software\Classes\CLSID\{89AD4D75-2429-462e-BD4E-443F233F6033}
    HKCR\CLSID\{89AD4D75-2429-462E-BD4E-443F233F6033}
    HKCR\CLSID\{89AD4D75-2429-462E-BD4E-443F233F6033}\InprocServer32
    HKCR\CLSID\{89AD4D75-2429-462E-BD4E-443F233F6033}\InprocServer32#ThreadingModel
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{89AD4D75-2429-462e-BD4E-443F233F6033}
    HKCR\CLSID\{89AD4D75-2429-462E-BD4E-443F233F6033}

    Adware.Tracking Cookie
    C:\Documents and Settings\RICKYLEE\Cookies\[email protected][2].txt

    ________________________________________________

    By the way, did you manage to find my other post as I attached the link in my last reply to this thread?



    Best regards,
    Rickronn
     
  15. rickronn

    rickronn Thread Starter

    Joined:
    May 19, 2007
    Messages:
    107
    Hello, Cheeseball81,

    I ran ComboFix again and this is the log from it.

    ComboFix 07-10-26.4 - RICKYLEE 2007-11-03 11:30:55.4 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.950.1.1028.18.1525 [GMT 8:00]
    執行位置?: C:\Documents and Settings\RICKYLEE\桌面\ComboFix.exe
    .

    (((((((((((((((((((((((((((((((((((((( 其他遭刪除的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\cookies.ini
    C:\WINDOWS\system32\cdeeg.bak1
    C:\WINDOWS\system32\cdeeg.bak2
    C:\WINDOWS\system32\cdeeg.ini
    C:\WINDOWS\system32\dcbeg.bak1
    C:\WINDOWS\system32\dcbeg.ini
    C:\WINDOWS\system32\gebcd.dll
    C:\WINDOWS\system32\jjkmp.bak1
    C:\WINDOWS\system32\jjkmp.ini2
    C:\WINDOWS\system32\jjkmp.tmp

    .
    (((((((((((((((((((((((((((( 2007-10-03 - 2007-11-03 之間建立的檔案 )))))))))))))))))))))))))))))))))
    .

    2007-11-03 10:39 86,080 --a------ C:\WINDOWS\system32\skdpmmsu.dll
    2007-11-03 09:29 <DIR> d-------- C:\Program Files\WinAVI Video Converter
    2007-11-02 00:14 85,056 --a------ C:\WINDOWS\system32\krdbpxqs.dll
    2007-10-31 12:02 52,224 --------- C:\tmp11.exe
    2007-10-31 12:02 33,280 --a------ C:\WINDOWS\system32\hgghfef.dll
    2007-10-28 16:28 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
    2007-10-28 15:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2007-10-27 16:23 284,876 --a------ C:\Documents and Settings\RICKYLEE\catchme.zip
    2007-10-27 16:18 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-10-26 23:38 9,216 --a------ C:\12load.exe
    2007-10-26 23:32 58,368 --------- C:\12luxe.exe
    2007-10-26 22:51 <DIR> d-------- C:\Program Files\Trend Micro
    2007-10-26 01:16 <DIR> d-------- C:\VundoFix Backups
    2007-10-25 00:05 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
    2007-10-25 00:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
    2007-10-24 23:58 <DIR> d-------- C:\Program Files\Common Files\Adobe
    2007-10-24 00:46 <DIR> d-------- C:\Program Files\Alcohol Soft
    2007-10-24 00:43 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
    2007-10-23 20:12 <DIR> d-------- C:\Program Files\PowerQuest
    2007-10-23 00:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SlySoft
    2007-10-23 00:16 <DIR> d-------- C:\Program Files\SlySoft
    2007-10-23 00:08 <DIR> d-------- C:\Documents and Settings\RICKYLEE\Application Data\ImgBurn
    2007-10-23 00:07 <DIR> d-------- C:\Program Files\ImgBurn
    2007-10-22 09:46 <DIR> d-------- C:\Documents and Settings\RICKYLEE\Application Data\Apple Computer
    2007-10-22 09:45 <DIR> d-------- C:\Program Files\QuickTime
    2007-10-22 09:45 <DIR> d-------- C:\Program Files\iTunes
    2007-10-22 09:45 <DIR> d-------- C:\Program Files\iPod
    2007-10-22 09:45 <DIR> d-------- C:\Program Files\Apple Software Update
    2007-10-22 09:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
    2007-10-22 09:44 <DIR> d-------- C:\Program Files\Common Files\Apple
    2007-10-22 09:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
    2007-10-21 16:30 <DIR> d-------- C:\Documents and Settings\RICKYLEE\Application Data\Ulead Systems
    2007-10-21 16:28 <DIR> d-------- C:\Program Files\Ulead Systems
    2007-10-21 16:28 <DIR> d-------- C:\Program Files\Common Files\Ulead Systems
    2007-10-21 16:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ulead Systems
    2007-10-21 16:28 1,056,768 --a------ C:\WINDOWS\system32\ROBOEX32.DLL
    2007-10-21 16:28 49,152 --a------ C:\WINDOWS\system32\INETWH32.dll
    2007-10-21 16:05 <DIR> d-------- C:\Program Files\MagicISO
    2007-10-19 12:49 <DIR> d-------- C:\Program Files\DVD Shrink
    2007-10-19 12:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
    2007-10-18 22:49 <DIR> d-------- C:\Program Files\Xvid
    2007-10-18 22:49 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
    2007-10-18 22:49 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
    2007-10-18 22:47 <DIR> d-------- C:\Program Files\AviSynth 2.5
    2007-10-18 22:31 <DIR> d--h----- C:\WINDOWS\PIF
    2007-10-18 00:34 <DIR> d-------- C:\Program Files\Custom Technology
    2007-10-17 21:26 <DIR> d-------- C:\Program Files\Avi2Dvd
    2007-10-16 20:47 <DIR> d-------- C:\Program Files\Tiburon_by_Hyundai
    2007-10-16 20:46 208,953 -ra------ C:\HYInstLib.dll
    2007-10-16 20:46 32,768 -ra------ C:\JWUsbChk.dll
    2007-10-16 20:46 29,256 -ra------ C:\WINDOWS\system32\drivers\hwpad.SYS
    2007-10-16 20:46 29,256 -ra------ C:\hwpad.sys
    2007-10-15 20:47 <DIR> d-------- C:\Documents and Settings\RICKYLEE\WINDOWS
    2007-10-15 20:47 299,520 --a------ C:\WINDOWS\IsUn0804.exe
    2007-10-15 20:24 20,704 --a------ C:\WINDOWS\system32\drivers\PPMOUCLS.SYS
    2007-10-15 19:53 <DIR> d-------- C:\Program Files\MSXML 4.0
    2007-10-14 16:16 <DIR> d-------- C:\Program Files\Common Files\Nero
    2007-10-14 16:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
    2007-10-14 15:24 <DIR> d-------- C:\Program Files\Codec Pack - All In 1
    2007-10-14 15:24 <DIR> d-------- C:\Documents and Settings\All Users\「開始」功
    2007-10-14 15:24 737,280 --a------ C:\WINDOWS\iun6002.exe
    2007-10-14 15:16 <DIR> d-------- C:\Program Files\XP Codec Pack
    2007-10-14 15:00 <DIR> d-------- C:\Documents and Settings\RICKYLEE\Application Data\Nero
    2007-10-14 14:58 <DIR> d-------- C:\Program Files\Nero
    2007-10-14 14:14 <DIR> d-------- C:\Program Files\Microsoft Works
    2007-10-14 14:12 <DIR> d-------- C:\WINDOWS\SHELLNEW
    2007-10-14 14:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2007-10-14 14:11 <DIR> dr-h----- C:\MSOCache
    2007-10-13 00:01 <DIR> d-------- C:\Documents and Settings\RICKYLEE\Application Data\CyberLink
    2007-10-12 23:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
    2007-10-12 23:59 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
    2007-10-12 23:58 <DIR> d-------- C:\Program Files\CyberLink
    2007-10-12 23:58 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
    2007-10-12 23:58 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
    2007-10-12 22:33 <DIR> d-------- C:\Program Files\Webshots
    2007-10-12 22:33 <DIR> d-------- C:\Documents and Settings\RICKYLEE\Application Data\Webshots
    2007-10-12 22:10 <DIR> d-------- C:\Program Files\Windows Media Connect 2
    2007-10-12 22:09 <DIR> d-------- C:\WINDOWS\system32\LogFiles
    2007-10-12 22:09 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
    2007-10-12 09:30 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
    2007-10-12 03:23 977,920 -----c--- C:\WINDOWS\system32\dllcache\explorer.exe
    2007-10-12 03:23 246,784 -----c--- C:\WINDOWS\system32\dllcache\tapisrv.dll
    2007-10-12 00:57 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
    2007-10-12 00:27 96,832 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys
    2007-10-11 01:17 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
    2007-10-11 01:17 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
    2007-10-11 01:17 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
    2007-10-11 01:11 <DIR> d-------- C:\Program Files\Real
    2007-10-11 01:11 <DIR> d-------- C:\Program Files\Common Files\xing shared
    2007-10-11 01:11 <DIR> d-------- C:\Program Files\Common Files\Real
    2007-10-11 00:34 <DIR> d-------- C:\我的下載
    2007-10-11 00:05 <DIR> d-------- C:\Documents and Settings\RICKYLEE\Application Data\Azureus
    2007-10-11 00:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
    2007-10-11 00:03 <DIR> d-------- C:\Program Files\Azureus
    2007-10-10 23:59 <DIR> d-------- C:\WINDOWS\Sun
    2007-10-10 23:57 <DIR> d-------- C:\Program Files\Java
    2007-10-10 23:54 <DIR> d-------- C:\Program Files\Common Files\Java
    2007-10-10 23:50 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
    2007-10-10 20:07 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
    2007-10-10 20:07 53,248 --a------ C:\WINDOWS\system32\CSVer.dll

    .
    (((((((((((((((((((((((((((((((((((( 近三個月內更動的檔案 )))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-03 03:34 229,376 ---ha-w C:\Documents and Settings\LocalService\NTUSER.DAT
    2007-10-29 17:20 462,336 --sh--w C:\Program Files\Common Files\msdp.dll
    2007-10-23 12:09 --------- d-----w C:\Program Files\Common Files\InstallShield
    2007-10-21 08:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-10-14 07:02 229,376 ---h--w C:\Documents and Settings\Default User\NTUSER.DAT
    2007-10-07 15:39 --------- d-----w C:\Program Files\Intel
    2007-10-07 15:23 --------- d-----w C:\Program Files\microsoft frontpage
    2007-09-16 17:07 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
    2007-09-16 17:07 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
    2007-09-16 17:07 8,491,008 ----a-w C:\WINDOWS\system32\nvcpl.dll
    2007-09-16 17:07 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe
    2007-09-16 17:07 6,853,088 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
    2007-09-16 17:07 6,746,112 ----a-w C:\WINDOWS\system32\nvoglnt.dll
    2007-09-16 17:07 6,344,704 ----a-w C:\WINDOWS\system32\nvdisps.dll
    2007-09-16 17:07 5,783,040 ----a-w C:\WINDOWS\system32\nv4_disp.dll
    2007-09-16 17:07 5,509,120 ----a-w C:\WINDOWS\system32\nvdispsr.dll
    2007-09-16 17:07 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
    2007-09-16 17:07 458,752 ----a-w C:\WINDOWS\system32\nvmccssr.dll
    2007-09-16 17:07 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
    2007-09-16 17:07 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
    2007-09-16 17:07 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
    2007-09-16 17:07 364,544 ----a-w C:\WINDOWS\system32\nvapi.dll
    2007-09-16 17:07 36,864 ----a-w C:\WINDOWS\system32\nvcodins.dll
    2007-09-16 17:07 36,864 ----a-w C:\WINDOWS\system32\nvcod.dll
    2007-09-16 17:07 335,872 ----a-w C:\WINDOWS\system32\nvwrses.dll
    2007-09-16 17:07 335,872 ----a-w C:\WINDOWS\system32\nvwrsel.dll
    2007-09-16 17:07 327,680 ----a-w C:\WINDOWS\system32\nvwrsfr.dll
    2007-09-16 17:07 327,680 ----a-w C:\WINDOWS\system32\nvwrsesm.dll
    2007-09-16 17:07 327,680 ----a-w C:\WINDOWS\system32\nvrshe.dll
    2007-09-16 17:07 327,680 ----a-w C:\WINDOWS\system32\nvrsar.dll
    2007-09-16 17:07 323,584 ----a-w C:\WINDOWS\system32\nvwrspt.dll
    2007-09-16 17:07 323,584 ----a-w C:\WINDOWS\system32\nvwrsit.dll
    2007-09-16 17:07 319,488 ----a-w C:\WINDOWS\system32\nvwrsptb.dll
    2007-09-16 17:07 319,488 ----a-w C:\WINDOWS\system32\nvwrsnl.dll
    2007-09-16 17:07 315,392 ----a-w C:\WINDOWS\system32\nvwrsru.dll
    2007-09-16 17:07 315,392 ----a-w C:\WINDOWS\system32\nvwrshu.dll
    2007-09-16 17:07 311,296 ----a-w C:\WINDOWS\system32\nvwrsde.dll
    2007-09-16 17:07 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
    2007-09-16 17:07 303,104 ----a-w C:\WINDOWS\system32\nvwrstr.dll
    2007-09-16 17:07 303,104 ----a-w C:\WINDOWS\system32\nvwrssl.dll
    2007-09-16 17:07 303,104 ----a-w C:\WINDOWS\system32\nvwrsfi.dll
    2007-09-16 17:07 3,629,056 ----a-w C:\WINDOWS\system32\nvvitvsr.dll
    2007-09-16 17:07 3,551,232 ----a-w C:\WINDOWS\system32\nvvitvs.dll
    2007-09-16 17:07 3,334,144 ----a-w C:\WINDOWS\system32\nvgames.dll
    2007-09-16 17:07 3,166,208 ----a-w C:\WINDOWS\system32\nvgamesr.dll
    2007-09-16 17:07 299,008 ----a-w C:\WINDOWS\system32\nvwrssk.dll
    2007-09-16 17:07 299,008 ----a-w C:\WINDOWS\system32\nvwrsno.dll
    2007-09-16 17:07 294,912 ----a-w C:\WINDOWS\system32\nvwrssv.dll
    2007-09-16 17:07 294,912 ----a-w C:\WINDOWS\system32\nvwrspl.dll
    2007-09-16 17:07 294,912 ----a-w C:\WINDOWS\system32\nvwrsda.dll
    2007-09-16 17:07 290,816 ----a-w C:\WINDOWS\system32\nvwrsth.dll
    2007-09-16 17:07 286,720 ----a-w C:\WINDOWS\system32\nvwrseng.dll
    2007-09-16 17:07 286,720 ----a-w C:\WINDOWS\system32\nvwrscs.dll
    2007-09-16 17:07 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
    2007-09-16 17:07 282,624 ----a-w C:\WINDOWS\system32\nvwrsar.dll
    2007-09-16 17:07 282,624 ----a-w C:\WINDOWS\system32\nvrsfr.dll
    2007-09-16 17:07 282,624 ----a-w C:\WINDOWS\system32\nvrses.dll
    2007-09-16 17:07 282,624 ----a-w C:\WINDOWS\system32\nvrsel.dll
    2007-09-16 17:07 278,528 ----a-w C:\WINDOWS\system32\nvwrshe.dll
    2007-09-16 17:07 278,528 ----a-w C:\WINDOWS\system32\nvrsit.dll
    2007-09-16 17:07 278,528 ----a-w C:\WINDOWS\system32\nvrsde.dll
    2007-09-16 17:07 274,432 ----a-w C:\WINDOWS\system32\nvrspt.dll
    2007-09-16 17:07 274,432 ----a-w C:\WINDOWS\system32\nvrsnl.dll
    2007-09-16 17:07 274,432 ----a-w C:\WINDOWS\system32\nvrsesm.dll
    2007-09-16 17:07 270,336 ----a-w C:\WINDOWS\system32\nvrsru.dll
    2007-09-16 17:07 266,240 ----a-w C:\WINDOWS\system32\nvrsptb.dll
    2007-09-16 17:07 266,240 ----a-w C:\WINDOWS\system32\nvrsja.dll
    2007-09-16 17:07 258,048 ----a-w C:\WINDOWS\system32\nvrstr.dll
    2007-09-16 17:07 258,048 ----a-w C:\WINDOWS\system32\nvrssl.dll
    2007-09-16 17:07 258,048 ----a-w C:\WINDOWS\system32\nvrssk.dll
    2007-09-16 17:07 258,048 ----a-w C:\WINDOWS\system32\nvrsko.dll
    2007-09-16 17:07 258,048 ----a-w C:\WINDOWS\system32\nvrshu.dll
    2007-09-16 17:07 253,952 ----a-w C:\WINDOWS\system32\nvrsth.dll
    2007-09-16 17:07 253,952 ----a-w C:\WINDOWS\system32\nvrssv.dll
    2007-09-16 17:07 253,952 ----a-w C:\WINDOWS\system32\nvrspl.dll
    2007-09-16 17:07 253,952 ----a-w C:\WINDOWS\system32\nvrsno.dll
    2007-09-16 17:07 253,952 ----a-w C:\WINDOWS\system32\nvrsda.dll
    2007-09-16 17:07 249,856 ----a-w C:\WINDOWS\system32\nvrsfi.dll
    2007-09-16 17:07 249,856 ----a-w C:\WINDOWS\system32\nvrscs.dll
    2007-09-16 17:07 245,760 ----a-w C:\WINDOWS\system32\nvrseng.dll
    2007-09-16 17:07 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
    2007-09-16 17:07 225,280 ----a-w C:\WINDOWS\system32\nvrszhc.dll
    2007-09-16 17:07 212,992 ----a-w C:\WINDOWS\system32\nvwrsja.dll
    2007-09-16 17:07 2,854,912 ----a-w C:\WINDOWS\system32\nvmoblsr.dll
    2007-09-16 17:07 2,441,216 ----a-w C:\WINDOWS\system32\nvwssr.dll
    2007-09-16 17:07 2,371,584 ----a-w C:\WINDOWS\system32\nvwss.dll
    2007-09-16 17:07 196,608 ----a-w C:\WINDOWS\system32\nvwrsko.dll
    2007-09-16 17:07 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
    2007-09-16 17:07 167,936 ----a-w C:\WINDOWS\system32\nvwrszht.dll
    2007-09-16 17:07 163,840 ----a-w C:\WINDOWS\system32\nvwrszhc.dll
    2007-09-16 17:07 155,716 ----a-w C:\WINDOWS\system32\nvsvc32.exe
    2007-09-16 17:07 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
    2007-09-16 17:07 126,976 ----a-w C:\WINDOWS\system32\nvrszht.dll
    2007-09-16 17:07 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
    2007-09-16 17:07 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
    2007-09-16 17:07 1,478,656 ----a-w C:\WINDOWS\system32\nview.dll
    2007-09-16 17:07 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
    2007-09-16 17:07 1,150,976 ----a-w C:\WINDOWS\system32\nvmobls.dll
    2007-09-16 17:07 1,073,152 ----a-w C:\WINDOWS\system32\nvcpluir.dll
    2007-09-16 17:07 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
    .

    (((((((((((((((((((((((((((((((((((((((((( 重要登錄檔 )))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *注意* 空白或合法的登錄值將不會顯示

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{50666B8E-6CBD-4471-9E85-96B41D9BBCD3}]
    2007-10-31 12:02 33280 --a------ C:\WINDOWS\system32\hgghfef.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6921AED2-4A35-4266-814A-2B413496B250}]
    C:\WINDOWS\system32\gebcd.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 13:31]
    "SoundMan"="SOUNDMAN.EXE" [2003-08-05 13:59 C:\WINDOWS\SOUNDMAN.EXE]
    "NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2007-09-17 01:07]
    "nwiz"="nwiz.exe" [2007-09-17 01:07 C:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2007-09-17 01:07]
    "nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-10-10 23:50]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-11 01:11]
    "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 22:57]
    "LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-04-13 11:09]
    "NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57]
    "Ulead AutoDetector v2"="C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2004-11-26 11:43]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42]
    "Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 22:46]
    "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-10-28 15:31]
    "3c5fbd0f"="C:\WINDOWS\system32\skdpmmsu.dll" [2007-11-03 10:39]
    "combofix"="C:\WINDOWS\system32\cmd.exe" [2004-08-12 09:16]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 09:16]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-08-03 12:51]
    "AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2007-10-23 00:20]

    C:\Documents and Settings\RICKYLEE\「開始」功能表\程式集\啟動\
    Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2007-10-12 22:33:03]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"=0 (0x0)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
    "{50666B8E-6CBD-4471-9E85-96B41D9BBCD3}"= C:\WINDOWS\system32\hgghfef.dll [2007-10-31 12:02 33280]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgghfef]
    hgghfef.dll 2007-10-31 12:02 33280 C:\WINDOWS\system32\hgghfef.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"= msv1_0 C:\WINDOWS\system32\gebcd.dll

    R3 hwmouser;Hanwang Technology CO.LTD HID Tablet Device;C:\WINDOWS\system32\DRIVERS\hwpad.sys
    S0 pjcxrird;pjcxrird;C:\WINDOWS\system32\drivers\mgowdcnf.sys

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a6456aab-7faf-11dc-b8bb-000740ca46f7}]
    1\Command - autorun.pif
    2\Command - autorun.pif
    AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL autorun.pif


    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D48g43BC-4266-43f0-B6ED-9D38C4202C7E}]
    C:\Program Files\Common Files\mscd.exe
    .
    **************************************************************************

    catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-03 11:36:37
    Windows 5.1.2600 Service Pack 2 NTFS

    掃描隱藏的程序...

    掃描隱藏的進程...

    掃描隱藏的檔案...

    掃描完成
    隱藏檔案?: 0

    **************************************************************************
    .
    完成時間?: 2007-11-03 11:38:28 - machine was rebooted
    C:\ComboFix2.txt ... 2007-10-30 01:21
    C:\ComboFix3.txt ... 2007-10-28 14:40
    .
    --- E O F ---

    ______________________________________________

    And this is the new HJT log after I ran ComboFix.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 上午 11:45:52, on 2007/11/3
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    C:\WINDOWS\system32\conime.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\PROGRA~1\Webshots\webshots.scr
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {50666B8E-6CBD-4471-9E85-96B41D9BBCD3} - C:\WINDOWS\system32\hgghfef.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
    O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1191931315218
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: hgghfef - C:\WINDOWS\SYSTEM32\hgghfef.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: iPod 服務 (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
    O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

    --
    End of file - 8216 bytes

    __________________________________

    Best regards,
    Rickronn
     
Short URL to this thread: https://techguy.org/643778
