Not Sure if Winfixer Trojan has been Removed

rickronn · Oct 26, 2007

Hello,

I have been hit by Winfixer Trojan couple days ago. I used VundoFix and VirtumundoBeGone to clean it. However, when I checked my system with SUPERAntiSpyware, it still found infections of Winfixer and cleaned it. When I ran SUPERAntiSpyware again, it found same infections again.

Please find below my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 下午 10:51:17, on 2007/10/26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\mqrgsh.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Webshots\webshots.scr
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Microsoft] mqrgsh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [3c5fbd0f] rundll32.exe "C:\WINDOWS\system32\eqecngwi.dll",b
O4 - HKLM\..\RunServices: [Microsoft] mqrgsh.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1191931315218
O20 - AppInit_DLLs: at.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod 服務 (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 8011 bytes

And below is the log generated by VirtumundoBeGone:

[10/26/2007, 2:14:47] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\RICKYLEE\桌面\VirtumundoBeGone.exe" )
[10/26/2007, 2:15:09] - Detected System Information:
[10/26/2007, 2:15:09] - Windows Version: 5.1.2600, Service Pack 2
[10/26/2007, 2:15:09] - Current Username: RICKYLEE (Admin)
[10/26/2007, 2:15:09] - Windows is in SAFE mode with Networking.
[10/26/2007, 2:15:09] - Searching for Browser Helper Objects:
[10/26/2007, 2:15:09] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[10/26/2007, 2:15:09] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[10/26/2007, 2:15:09] - BHO 3: {9E506E70-80C2-4266-961C-AB51B8C933D6} ()
[10/26/2007, 2:15:09] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/26/2007, 2:15:09] - Checking for HKLM\...\Winlogon\Notify\ssttt
[10/26/2007, 2:15:09] - Key not found: HKLM\...\Winlogon\Notify\ssttt, continuing.
[10/26/2007, 2:15:09] - BHO 4: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
[10/26/2007, 2:15:09] - BHO 5: {F6B1F430-52B5-4478-9FC6-A94F79D423C3} ()
[10/26/2007, 2:15:09] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/26/2007, 2:15:09] - Checking for HKLM\...\Winlogon\Notify\yayyxyx
[10/26/2007, 2:15:09] - Found: HKLM\...\Winlogon\Notify\yayyxyx - This is probably Virtumundo.
[10/26/2007, 2:15:09] - Assigning {F6B1F430-52B5-4478-9FC6-A94F79D423C3} MSEvents Object
[10/26/2007, 2:15:09] - BHO list has been changed! Starting over...
[10/26/2007, 2:15:09] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[10/26/2007, 2:15:09] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[10/26/2007, 2:15:09] - BHO 3: {9E506E70-80C2-4266-961C-AB51B8C933D6} ()
[10/26/2007, 2:15:09] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/26/2007, 2:15:09] - Checking for HKLM\...\Winlogon\Notify\ssttt
[10/26/2007, 2:15:09] - Key not found: HKLM\...\Winlogon\Notify\ssttt, continuing.
[10/26/2007, 2:15:09] - BHO 4: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
[10/26/2007, 2:15:09] - BHO 5: {F6B1F430-52B5-4478-9FC6-A94F79D423C3} (MSEvents Object)
[10/26/2007, 2:15:09] - ALERT: Found MSEvents Object!
[10/26/2007, 2:15:09] - Finished Searching Browser Helper Objects
[10/26/2007, 2:15:09] - *** Detected MSEvents Object
[10/26/2007, 2:15:09] - Trying to remove MSEvents Object...
[10/26/2007, 2:15:10] - Terminating Process: IEXPLORE.EXE
[10/26/2007, 2:15:10] - Terminating Process: RUNDLL32.EXE
[10/26/2007, 2:15:10] - Disabling Automatic Shell Restart
[10/26/2007, 2:15:10] - Terminating Process: EXPLORER.EXE
[10/26/2007, 2:15:10] - Suspending the NT Session Manager System Service
[10/26/2007, 2:15:10] - Terminating Windows NT Logon/Logoff Manager
[10/26/2007, 2:15:11] - Re-enabling Automatic Shell Restart
[10/26/2007, 2:15:11] - File to disable: C:\WINDOWS\system32\yayyxyx.dll
[10/26/2007, 2:15:11] - Renaming C:\WINDOWS\system32\yayyxyx.dll -> C:\WINDOWS\system32\yayyxyx.dll.vir
[10/26/2007, 2:15:11] - File successfully renamed!
[10/26/2007, 2:15:11] - Removing HKLM\...\Browser Helper Objects\{F6B1F430-52B5-4478-9FC6-A94F79D423C3}
[10/26/2007, 2:15:11] - Removing HKCR\CLSID\{F6B1F430-52B5-4478-9FC6-A94F79D423C3}
[10/26/2007, 2:15:11] - Adding Kill Bit for ActiveX for GUID: {F6B1F430-52B5-4478-9FC6-A94F79D423C3}
[10/26/2007, 2:15:11] - Deleting ATLEvents/MSEvents Registry entries
[10/26/2007, 2:15:11] - Removing HKLM\...\Winlogon\Notify\yayyxyx
[10/26/2007, 2:15:11] - Searching for Browser Helper Objects:
[10/26/2007, 2:15:11] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[10/26/2007, 2:15:11] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[10/26/2007, 2:15:11] - BHO 3: {9E506E70-80C2-4266-961C-AB51B8C933D6} ()
[10/26/2007, 2:15:11] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/26/2007, 2:15:11] - Checking for HKLM\...\Winlogon\Notify\ssttt
[10/26/2007, 2:15:11] - Key not found: HKLM\...\Winlogon\Notify\ssttt, continuing.
[10/26/2007, 2:15:11] - BHO 4: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
[10/26/2007, 2:15:11] - Finished Searching Browser Helper Objects
[10/26/2007, 2:15:11] - Finishing up...
[10/26/2007, 2:15:11] - A restart is needed.
[10/26/2007, 2:15:20] - Attempting to Restart via STOP error (Blue Screen!)

[10/26/2007, 22:39:36] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\RICKYLEE\桌面\VirtumundoBeGone.exe" )
[10/26/2007, 22:39:42] - Detected System Information:
[10/26/2007, 22:39:42] - Windows Version: 5.1.2600, Service Pack 2
[10/26/2007, 22:39:42] - Current Username: RICKYLEE (Admin)
[10/26/2007, 22:39:42] - Windows is in SAFE mode with Networking.
[10/26/2007, 22:39:42] - Searching for Browser Helper Objects:
[10/26/2007, 22:39:42] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[10/26/2007, 22:39:42] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[10/26/2007, 22:39:42] - BHO 3: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
[10/26/2007, 22:39:42] - Finished Searching Browser Helper Objects
[10/26/2007, 22:39:42] - Finishing up...
[10/26/2007, 22:39:42] - Nothing found! Exiting...

[10/26/2007, 22:47:34] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\RICKYLEE\桌面\VirtumundoBeGone.exe" )
[10/26/2007, 22:47:36] - Detected System Information:
[10/26/2007, 22:47:36] - Windows Version: 5.1.2600, Service Pack 2
[10/26/2007, 22:47:36] - Current Username: RICKYLEE (Admin)
[10/26/2007, 22:47:36] - Windows is in SAFE mode with Networking.
[10/26/2007, 22:47:36] - Searching for Browser Helper Objects:
[10/26/2007, 22:47:36] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[10/26/2007, 22:47:36] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[10/26/2007, 22:47:36] - BHO 3: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
[10/26/2007, 22:47:36] - Finished Searching Browser Helper Objects
[10/26/2007, 22:47:36] - Finishing up...
[10/26/2007, 22:47:36] - Nothing found! Exiting...

I would appreciate if someone can advise me if I have removed the Trojan.

Thanks in advance for your help.

Best regards,
Rickronn

Cheeseball81 · Oct 26, 2007

Download ComboFix to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it will produce a log for you. Post that log and a new HijackThis log in your next reply

Note: Do not mouseclick combofix's window while it's running as that may cause it to stall

rickronn · Oct 27, 2007

Hello, Cheeseball81,

Thanks for your advice. I have used ComboFix to clean my system and please find below log from it.

ComboFix 07-10-26.4 - RICKYLEE 2007-10-27 16:20:45.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.950.1.1028.18.1562 [GMT 8:00]
執行位置?: C:\Documents and Settings\RICKYLEE\桌面\ComboFix.exe
* 已建立新的還原點
.

(((((((((((((((((((((((((((((((((((((( 其他遭刪除的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\1234.exe
C:\WINDOWS\system32\ccbeg.bak1
C:\WINDOWS\system32\ccbeg.ini
C:\WINDOWS\system32\gebcc.dll
C:\WINDOWS\system32\tttss.bak1
C:\WINDOWS\system32\tttss.bak2
C:\WINDOWS\system32\tttss.ini
C:\WINDOWS\system32\tttss.ini2
C:\WINDOWS\system32\tttss.tmp

.
(((((((((((((((((((((((((((( 2007-09-27 - 2007-10-27 之間建立的檔案 )))))))))))))))))))))))))))))))))
.

2007-10-27 16:23 284,876 --a------ C:\Documents and Settings\RICKYLEE\catchme.zip
2007-10-27 16:18 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-26 23:38 9,216 --a------ C:\12load.exe
2007-10-26 23:32 58,368 --------- C:\12luxe.exe
2007-10-26 23:32 34,304 --a------ C:\WINDOWS\system32\vturqnl.dll
2007-10-26 22:51 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-26 01:16 <DIR> d-------- C:\VundoFix Backups
2007-10-26 01:11 84,544 --a------ C:\WINDOWS\system32\eqecngwi.dll
2007-10-25 00:05 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-10-25 00:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-10-24 23:58 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-10-24 04:06 34,304 --a------ C:\WINDOWS\system32\yayyxyx.dll.vir
2007-10-24 00:46 <DIR> d-------- C:\Program Files\Alcohol Soft
2007-10-24 00:43 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-10-23 20:12 <DIR> d-------- C:\Program Files\PowerQuest
2007-10-23 00:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SlySoft
2007-10-23 00:16 <DIR> d-------- C:\Program Files\SlySoft
2007-10-23 00:08 <DIR> d-------- C:\Documents and Settings\RICKYLEE\Application Data\ImgBurn
2007-10-23 00:07 <DIR> d-------- C:\Program Files\ImgBurn
2007-10-22 09:46 <DIR> d-------- C:\Documents and Settings\RICKYLEE\Application Data\Apple Computer
2007-10-22 09:45 <DIR> d-------- C:\Program Files\QuickTime
2007-10-22 09:45 <DIR> d-------- C:\Program Files\iTunes
2007-10-22 09:45 <DIR> d-------- C:\Program Files\iPod
2007-10-22 09:45 <DIR> d-------- C:\Program Files\Apple Software Update
2007-10-22 09:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-10-22 09:44 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-10-22 09:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-10-21 16:30 <DIR> d-------- C:\Documents and Settings\RICKYLEE\Application Data\Ulead Systems
2007-10-21 16:28 <DIR> d-------- C:\Program Files\Ulead Systems
2007-10-21 16:28 <DIR> d-------- C:\Program Files\Common Files\Ulead Systems
2007-10-21 16:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ulead Systems
2007-10-21 16:28 1,056,768 --a------ C:\WINDOWS\system32\ROBOEX32.DLL
2007-10-21 16:28 49,152 --a------ C:\WINDOWS\system32\INETWH32.dll
2007-10-21 16:05 <DIR> d-------- C:\Program Files\MagicISO
2007-10-19 12:49 <DIR> d-------- C:\Program Files\DVD Shrink
2007-10-19 12:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-10-18 22:49 <DIR> d-------- C:\Program Files\Xvid
2007-10-18 22:49 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-10-18 22:49 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-10-18 22:47 <DIR> d-------- C:\Program Files\AviSynth 2.5
2007-10-18 22:31 <DIR> d--h----- C:\WINDOWS\PIF
2007-10-18 00:34 <DIR> d-------- C:\Program Files\Custom Technology
2007-10-17 21:26 <DIR> d-------- C:\Program Files\Avi2Dvd
2007-10-16 20:47 <DIR> d-------- C:\Program Files\Tiburon_by_Hyundai
2007-10-16 20:46 208,953 -ra------ C:\HYInstLib.dll
2007-10-16 20:46 32,768 -ra------ C:\JWUsbChk.dll
2007-10-16 20:46 29,256 -ra------ C:\WINDOWS\system32\drivers\hwpad.SYS
2007-10-16 20:46 29,256 -ra------ C:\hwpad.sys
2007-10-15 20:47 <DIR> d-------- C:\Documents and Settings\RICKYLEE\WINDOWS
2007-10-15 20:47 299,520 --a------ C:\WINDOWS\IsUn0804.exe
2007-10-15 20:24 20,704 --a------ C:\WINDOWS\system32\drivers\PPMOUCLS.SYS
2007-10-15 19:53 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-10-14 16:16 <DIR> d-------- C:\Program Files\Common Files\Nero
2007-10-14 16:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2007-10-14 15:24 <DIR> d-------- C:\Program Files\Codec Pack - All In 1
2007-10-14 15:24 <DIR> d-------- C:\Documents and Settings\All Users\「開始」功
2007-10-14 15:24 737,280 --a------ C:\WINDOWS\iun6002.exe
2007-10-14 15:16 <DIR> d-------- C:\Program Files\XP Codec Pack
2007-10-14 15:00 <DIR> d-------- C:\Documents and Settings\RICKYLEE\Application Data\Nero
2007-10-14 14:58 <DIR> d-------- C:\Program Files\Nero
2007-10-14 14:14 <DIR> d-------- C:\Program Files\Microsoft Works
2007-10-14 14:12 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-10-14 14:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-14 14:11 <DIR> dr-h----- C:\MSOCache
2007-10-14 01:03 <DIR> d-------- C:\Program Files\WinAVI Video Converter
2007-10-14 01:00 <DIR> d-------- C:\Program Files\WinAVI DVD Copy
2007-10-13 00:01 <DIR> d-------- C:\Documents and Settings\RICKYLEE\Application Data\CyberLink
2007-10-12 23:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2007-10-12 23:59 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-10-12 23:58 <DIR> d-------- C:\Program Files\CyberLink
2007-10-12 23:58 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-10-12 23:58 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-10-12 22:33 <DIR> d-------- C:\Program Files\Webshots
2007-10-12 22:33 <DIR> d-------- C:\Documents and Settings\RICKYLEE\Application Data\Webshots
2007-10-12 22:10 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-10-12 22:09 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-10-12 22:09 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-10-12 09:30 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-10-12 03:23 977,920 -----c--- C:\WINDOWS\system32\dllcache\explorer.exe
2007-10-12 03:23 246,784 -----c--- C:\WINDOWS\system32\dllcache\tapisrv.dll
2007-10-12 00:57 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-12 00:27 96,832 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys
2007-10-11 01:17 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2007-10-11 01:17 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2007-10-11 01:17 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2007-10-11 01:11 <DIR> d-------- C:\Program Files\Real
2007-10-11 01:11 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-10-11 01:11 <DIR> d-------- C:\Program Files\Common Files\Real
2007-10-11 00:34 <DIR> d-------- C:\我的下載
2007-10-11 00:05 <DIR> d-------- C:\Documents and Settings\RICKYLEE\Application Data\Azureus
2007-10-11 00:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2007-10-11 00:03 <DIR> d-------- C:\Program Files\Azureus
2007-10-10 23:59 <DIR> d-------- C:\WINDOWS\Sun
2007-10-10 23:57 <DIR> d-------- C:\Program Files\Java
2007-10-10 23:54 <DIR> d-------- C:\Program Files\Common Files\Java
2007-10-10 23:50 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2007-10-10 20:07 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-10-10 20:07 53,248 --a------ C:\WINDOWS\system32\CSVer.dll
2007-10-10 20:06 <DIR> d-------- C:\Intel
2007-10-10 20:05 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys

.
(((((((((((((((((((((((((((((((((((( 近三個月內更動的檔案 )))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-27 08:24 229,376 ---ha-w C:\Documents and Settings\LocalService\NTUSER.DAT
2007-10-23 12:09 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-21 08:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-14 07:02 229,376 ---h--w C:\Documents and Settings\Default User\NTUSER.DAT
2007-10-07 15:39 --------- d-----w C:\Program Files\Intel
2007-10-07 15:23 --------- d-----w C:\Program Files\microsoft frontpage
2007-09-16 17:07 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-09-16 17:07 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-09-16 17:07 8,491,008 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-09-16 17:07 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-09-16 17:07 6,853,088 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-09-16 17:07 6,746,112 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-09-16 17:07 6,344,704 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-09-16 17:07 5,783,040 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-09-16 17:07 5,509,120 ----a-w C:\WINDOWS\system32\nvdispsr.dll
2007-09-16 17:07 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-09-16 17:07 458,752 ----a-w C:\WINDOWS\system32\nvmccssr.dll
2007-09-16 17:07 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-09-16 17:07 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-09-16 17:07 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-09-16 17:07 364,544 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-09-16 17:07 36,864 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-09-16 17:07 36,864 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-09-16 17:07 335,872 ----a-w C:\WINDOWS\system32\nvwrses.dll
2007-09-16 17:07 335,872 ----a-w C:\WINDOWS\system32\nvwrsel.dll
2007-09-16 17:07 327,680 ----a-w C:\WINDOWS\system32\nvwrsfr.dll
2007-09-16 17:07 327,680 ----a-w C:\WINDOWS\system32\nvwrsesm.dll
2007-09-16 17:07 327,680 ----a-w C:\WINDOWS\system32\nvrshe.dll
2007-09-16 17:07 327,680 ----a-w C:\WINDOWS\system32\nvrsar.dll
2007-09-16 17:07 323,584 ----a-w C:\WINDOWS\system32\nvwrspt.dll
2007-09-16 17:07 323,584 ----a-w C:\WINDOWS\system32\nvwrsit.dll
2007-09-16 17:07 319,488 ----a-w C:\WINDOWS\system32\nvwrsptb.dll
2007-09-16 17:07 319,488 ----a-w C:\WINDOWS\system32\nvwrsnl.dll
2007-09-16 17:07 315,392 ----a-w C:\WINDOWS\system32\nvwrsru.dll
2007-09-16 17:07 315,392 ----a-w C:\WINDOWS\system32\nvwrshu.dll
2007-09-16 17:07 311,296 ----a-w C:\WINDOWS\system32\nvwrsde.dll
2007-09-16 17:07 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-09-16 17:07 303,104 ----a-w C:\WINDOWS\system32\nvwrstr.dll
2007-09-16 17:07 303,104 ----a-w C:\WINDOWS\system32\nvwrssl.dll
2007-09-16 17:07 303,104 ----a-w C:\WINDOWS\system32\nvwrsfi.dll
2007-09-16 17:07 3,629,056 ----a-w C:\WINDOWS\system32\nvvitvsr.dll
2007-09-16 17:07 3,551,232 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-09-16 17:07 3,334,144 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-09-16 17:07 3,166,208 ----a-w C:\WINDOWS\system32\nvgamesr.dll
2007-09-16 17:07 299,008 ----a-w C:\WINDOWS\system32\nvwrssk.dll
2007-09-16 17:07 299,008 ----a-w C:\WINDOWS\system32\nvwrsno.dll
2007-09-16 17:07 294,912 ----a-w C:\WINDOWS\system32\nvwrssv.dll
2007-09-16 17:07 294,912 ----a-w C:\WINDOWS\system32\nvwrspl.dll
2007-09-16 17:07 294,912 ----a-w C:\WINDOWS\system32\nvwrsda.dll
2007-09-16 17:07 290,816 ----a-w C:\WINDOWS\system32\nvwrsth.dll
2007-09-16 17:07 286,720 ----a-w C:\WINDOWS\system32\nvwrseng.dll
2007-09-16 17:07 286,720 ----a-w C:\WINDOWS\system32\nvwrscs.dll
2007-09-16 17:07 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-09-16 17:07 282,624 ----a-w C:\WINDOWS\system32\nvwrsar.dll
2007-09-16 17:07 282,624 ----a-w C:\WINDOWS\system32\nvrsfr.dll
2007-09-16 17:07 282,624 ----a-w C:\WINDOWS\system32\nvrses.dll
2007-09-16 17:07 282,624 ----a-w C:\WINDOWS\system32\nvrsel.dll
2007-09-16 17:07 278,528 ----a-w C:\WINDOWS\system32\nvwrshe.dll
2007-09-16 17:07 278,528 ----a-w C:\WINDOWS\system32\nvrsit.dll
2007-09-16 17:07 278,528 ----a-w C:\WINDOWS\system32\nvrsde.dll
2007-09-16 17:07 274,432 ----a-w C:\WINDOWS\system32\nvrspt.dll
2007-09-16 17:07 274,432 ----a-w C:\WINDOWS\system32\nvrsnl.dll
2007-09-16 17:07 274,432 ----a-w C:\WINDOWS\system32\nvrsesm.dll
2007-09-16 17:07 270,336 ----a-w C:\WINDOWS\system32\nvrsru.dll
2007-09-16 17:07 266,240 ----a-w C:\WINDOWS\system32\nvrsptb.dll
2007-09-16 17:07 266,240 ----a-w C:\WINDOWS\system32\nvrsja.dll
2007-09-16 17:07 258,048 ----a-w C:\WINDOWS\system32\nvrstr.dll
2007-09-16 17:07 258,048 ----a-w C:\WINDOWS\system32\nvrssl.dll
2007-09-16 17:07 258,048 ----a-w C:\WINDOWS\system32\nvrssk.dll
2007-09-16 17:07 258,048 ----a-w C:\WINDOWS\system32\nvrsko.dll
2007-09-16 17:07 258,048 ----a-w C:\WINDOWS\system32\nvrshu.dll
2007-09-16 17:07 253,952 ----a-w C:\WINDOWS\system32\nvrsth.dll
2007-09-16 17:07 253,952 ----a-w C:\WINDOWS\system32\nvrssv.dll
2007-09-16 17:07 253,952 ----a-w C:\WINDOWS\system32\nvrspl.dll
2007-09-16 17:07 253,952 ----a-w C:\WINDOWS\system32\nvrsno.dll
2007-09-16 17:07 253,952 ----a-w C:\WINDOWS\system32\nvrsda.dll
2007-09-16 17:07 249,856 ----a-w C:\WINDOWS\system32\nvrsfi.dll
2007-09-16 17:07 249,856 ----a-w C:\WINDOWS\system32\nvrscs.dll
2007-09-16 17:07 245,760 ----a-w C:\WINDOWS\system32\nvrseng.dll
2007-09-16 17:07 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-09-16 17:07 225,280 ----a-w C:\WINDOWS\system32\nvrszhc.dll
2007-09-16 17:07 212,992 ----a-w C:\WINDOWS\system32\nvwrsja.dll
2007-09-16 17:07 2,854,912 ----a-w C:\WINDOWS\system32\nvmoblsr.dll
2007-09-16 17:07 2,441,216 ----a-w C:\WINDOWS\system32\nvwssr.dll
2007-09-16 17:07 2,371,584 ----a-w C:\WINDOWS\system32\nvwss.dll
2007-09-16 17:07 196,608 ----a-w C:\WINDOWS\system32\nvwrsko.dll
2007-09-16 17:07 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
2007-09-16 17:07 167,936 ----a-w C:\WINDOWS\system32\nvwrszht.dll
2007-09-16 17:07 163,840 ----a-w C:\WINDOWS\system32\nvwrszhc.dll
2007-09-16 17:07 155,716 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2007-09-16 17:07 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-09-16 17:07 126,976 ----a-w C:\WINDOWS\system32\nvrszht.dll
2007-09-16 17:07 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-09-16 17:07 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2007-09-16 17:07 1,478,656 ----a-w C:\WINDOWS\system32\nview.dll
2007-09-16 17:07 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
2007-09-16 17:07 1,150,976 ----a-w C:\WINDOWS\system32\nvmobls.dll
2007-09-16 17:07 1,073,152 ----a-w C:\WINDOWS\system32\nvcpluir.dll
2007-09-16 17:07 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
2007-08-21 06:16 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-06-18 11:39:41 152,576 --sha-r C:\WINDOWS\system32\mqrgsh.exe
.

(((((((((((((((((((((((((((((((((((((((((( 重要登錄檔 )))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白或合法的登錄值將不會顯示

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EA6CC4C8-D1B2-4174-9D42-2A5D6F06812A}]
C:\WINDOWS\system32\gebcc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F6B1F430-52B5-4478-9FC6-A94F79D423C3}]
2007-10-26 23:32 34304 --a------ C:\WINDOWS\system32\vturqnl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft"="mqrgsh.exe" [2007-06-18 19:39 C:\WINDOWS\system32\mqrgsh.exe]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 13:31]
"SoundMan"="SOUNDMAN.EXE" [2003-08-05 13:59 C:\WINDOWS\SOUNDMAN.EXE]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2007-09-17 01:07]
"nwiz"="nwiz.exe" [2007-09-17 01:07 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2007-09-17 01:07]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-10-10 23:50]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-11 01:11]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 22:57]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-04-13 11:09]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57]
"Ulead AutoDetector v2"="C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2004-11-26 11:43]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 23:24]
"3c5fbd0f"="C:\WINDOWS\system32\eqecngwi.dll" [2007-10-26 01:11]
"combofix"="C:\WINDOWS\system32\cmd.exe" [2004-08-12 09:16]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 09:16]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-08-03 12:51]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2007-10-23 00:20]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Microsoft"=mqrgsh.exe

C:\Documents and Settings\RICKYLEE\「開始」功能表\程式集\啟動\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2007-10-12 22:33:03]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
"{F6B1F430-52B5-4478-9FC6-A94F79D423C3}"= C:\WINDOWS\system32\vturqnl.dll [2007-10-26 23:32 34304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vturqnl]
vturqnl.dll 2007-10-26 23:32 34304 C:\WINDOWS\system32\vturqnl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=at.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\gebcc.dll

R3 hwmouser;Hanwang Technology CO.LTD HID Tablet Device;C:\WINDOWS\system32\DRIVERS\hwpad.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a6456aab-7faf-11dc-b8bb-000740ca46f7}]
1\Command - autorun.pif
2\Command - autorun.pif
AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL autorun.pif

.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-27 16:26:55
Windows 5.1.2600 Service Pack 2 NTFS

掃描隱藏的程序...

掃描隱藏的進程...

掃描隱藏的檔案...

掃描完成
隱藏檔案?: 0

**************************************************************************
.
完成時間?: 2007-10-27 16:28:00 - machine was rebooted
.
--- E O F ---

And below is new HJT log after swept by ComboFix.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 下午 04:36:31, on 2007/10/27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\mqrgsh.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Webshots\webshots.scr
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [3c5fbd0f] rundll32.exe "C:\WINDOWS\system32\eqecngwi.dll",b
O4 - HKLM\..\Run: [Microsoft] mqrgsh.exe
O4 - HKLM\..\RunServices: [Microsoft] mqrgsh.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1191931315218
O17 - HKLM\System\CCS\Services\Tcpip\..\{B52056F4-DDEB-4A51-B71A-F7B4666D006A}: NameServer = 205.252.144.28 218.102.23.77
O20 - AppInit_DLLs: at.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod 服務 (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 7577 bytes

Thanks again for your help.

Best regards,
Rickronn

Cheeseball81 · Oct 27, 2007

Download and install AVG Anti-Spyware v7.5

After download, double click on the file to launch the install process.

Choose a language, click "OK" and then click "Next".

Read the "License Agreement" and click "I Agree".

Accept default installation path: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5, click "Next", then click "Install".

After setup completes, click "Finish" to start the program automatically or launch AVG Anti-Spyware by double-clicking its icon on your desktop or in the system tray.

The main "Status" menu will appear. Select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'. As AVG Anti-Spyware may interfere with some of our other fixes, we are temporarily disabling its active protection features until your system is clean, then you can re-enable them.

Then right click on AVG Anti-Spyware in the system tray and uncheck "Start with Windows".

Connect to the Internet, go back to AVG Anti-Spyware, select the "Update" button and click "Start update".
Wait until you see the "Update successful" message. If you are having problems with the updater, manually download and update with the AVG Anti-Spyware Full database installer.

Exit AVG Anti-Spyware when done - DO NOT perform a scan yet.

Reboot your computer in SAFE MODE using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". (Note: When run in safe mode, sometimes the GUI is larger than the screen and the buttons at the bottom are partly or completely hidden, making them inaccessible for doing a scan. If this happens press Alt + Spacebar. A menu will come open, make sure you select maximize then run the scan. If that does not help, then you may have to run your scan in normal mode and advise your helper afterwards.)

Scan with AVG Anti-Spyware as follows:

Click on the "Scanner" button and choose the "Settings" tab.

Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.

Under "How to Scan? ", "Possibly unwanted software", and What to Scan?" leave all the default settings.

Under "Reports" select "Do not automatically generate reports".

Click the "Scan" tab to return to scanning options.

Click "Complete System Scan" to start.

When the scan has finished, it should automatically be set to Quarantine--if not click on Recommended Action and set it there.

You will also be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.

IMPORTANT! Do not save the report before you have clicked the :Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.

Click on "Save Report" to view all completed scans. Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt. Save to your desktop. A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\

Exit AVG Anti-Spyware when done, reboot normally and post the log report in your next response.

Note: Close all open windows, programs, and DO NOT USE the computer while AVG Anti-Spyware is scanning. Doing so can hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection.

AVG Anti-Spyware is free for 30 days and all the extensions of the full version will be activated. After the 30 day trial, active protection extensions will be deactivated and the program will turn into a feature-limited freeware version that you can continue to use as an on-demand scanner or you may purchase a license to use the full version. We are installing AVG Anti-Spyware with its real-time protection disabled. Once your system is clean you may re-enable it so you can continue using this feature for the remainder of the trial period.

Please go HERE to run Panda's ActiveScan

You need to use IE to run this scan

Once you are on the Panda site click the Scan your PC button

A new window will open...click the Check Now button

Enter your Country

Enter your State/Province

Enter your e-mail address and click send

Select either Home User or Company

Click the big Scan Now button

If it wants to install an ActiveX component allow it

It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)

When download is complete, click on My Computer to start the scan

When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

Come back here and post a new HijackThis log along with the logs from the AVG and Panda scans.

rickronn · Oct 28, 2007

Hello, Cheeseball81,

I have followed your advises and please find below logs after scan by AVG Anti-Spyware and Panda Activescan.

Below is the log from AVG Anti-Spyware:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 下午 04:25:08 2007/10/28

+ Scan result:

E:\System Volume Information\_restore{292D538F-B1FC-4212-B44C-329C937E8B74}\RP30\A0014539.exe/is67433.exe -> Adware.Virtumonde : Cleaned.
C:\Program Files\Nero\Nero8\nero 8 ultra keygen.exe -> Dropper.Agent.ccs : Cleaned.
E:\Misc. Download 1\AHEAD\Nero v.8 ultra\copy2\nero 8 ultra keygen.exe -> Dropper.Agent.ccs : Cleaned.
E:\Misc. Download 1\TMPGEnc\TMPGEnc 4.0 Express\TMPGEnc 4.0 XPress + DVD Author 3 with DivX Authoring (English Retail)\TMPGEnc DVD Author 3 with DivX Authoring\TDA3_Retail_3.0.5.149_install_EN.exe/Win.exe -> Logger.Delf.wh : Cleaned.
C:\Documents and Settings\RICKYLEE\Cookies\[email protected][1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\RICKYLEE\Cookies\[email protected][1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\RICKYLEE\Cookies\[email protected][2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\RICKYLEE\Cookies\[email protected][2].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\RICKYLEE\Cookies\[email protected][1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\RICKYLEE\Cookies\[email protected][2].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\RICKYLEE\Cookies\[email protected][2].txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\RICKYLEE\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned.

::Report end

And this is the scan log from Panda Activescan:

Incident Status Location

Virus:Bck/Delf.AGQ Disinfected Operating system
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\RICKYLEE\catchme.zip[gebcc.dll]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\RICKYLEE\桌面\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\RICKYLEE\桌面\ComboFix.exe[nircmd.cfexe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\RICKYLEE\桌面\VirtumundoBeGone.exe
Virus:Generic Malware Disinfected C:\Program Files\WinRAR\WinRAR_v34_buildAll_crk.exe
Virus:Generic Malware Disinfected C:\qoobox\Quarantine\C\1234.exe.vir
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe
Virus:Trj/Downloader.QOW Disinfected C:\WINDOWS\system32\mqrgsh.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\vturqnl.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\yayyxyx.dll.vir
Adware:Adware/BrianCodec Not disinfected D:\ESET[1].NOD32.v2.50.41.WinNT2kXP.READ.NFO-AGAiN\run.exe
Adware:Adware/BrianCodec Not disinfected D:\ESET[1].NOD32.v2.50.41.WinNT2kXP.READ.NFO-AGAiN.ZIP[run.exe]
Adware:Adware/BrianCodec Not disinfected D:\ESET[1].NOD32.v2.51.30.WinNT2K2K3XP.Cracked.REPACK-BRD\run.exe
Adware:Adware/BrianCodec Not disinfected D:\ESET[1].NOD32.v2.51.30.WinNT2K2K3XP.Cracked.REPACK-BRD.rar[run.exe]
Adware:Adware/SecurityError Not disinfected D:\Eset_NOD32_Antivirus_Administrator_Edition_v2.50.25_Win2KXP_Cracked_by_ARN\start.exe
Adware:Adware/SecurityError Not disinfected D:\Eset_NOD32_Antivirus_Administrator_Edition_v2.50.25_Win2KXP_Cracked_by_ARN.zip[start.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected E:\Misc. Download 1\VirusFix\ComboFix.exe[nircmd.exe]
Virus:Generic Malware Disinfected E:\Misc. Download 1\WinRaR\Crack\winrar2345612323_crack\WinRAR_v34_buildAll_crk.exe
Virus:Generic Malware Not disinfected E:\Misc. Download 1\WinRaR\winrar2345612323_crack.rar[winrar2345612323_crack\WinRAR_v34_buildAll_crk.exe]
Virus:Bck/Hupigon.AZG Disinfected E:\System Volume Information\_restore{292D538F-B1FC-4212-B44C-329C937E8B74}\RP1\A0000011.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected E:\System Volume Information\_restore{292D538F-B1FC-4212-B44C-329C937E8B74}\RP3\A0000174.exe[nircmd.exe]

Best regards,
Rickronn

Cheeseball81 · Oct 28, 2007

Please download VundoFix.exe to your desktop.

Double-click VundoFix.exe to run it.

Click the Scan for Vundo button.

Once it's done scanning, click the Remove Vundo button.

You will receive a prompt asking if you want to remove the files, click YES

Once you click yes, your desktop will go blank as it starts removing Vundo.

When completed, it will prompt that it will reboot your computer, click OK.

Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Then rerun ComboFix and post the results.

rickronn · Oct 29, 2007

Hello, Cheeseball81,

Thanks for your advises. I have scanned with VundoFix and it did not find any problem, so no cleanup was needed.

The VundoFix log is as follow:

VundoFix V6.5.10

Checking Java version...

Scan started at 下午 08:20:30 2007/10/29

Listing files found while scanning....

No infected files were found.

Beginning removal...

Below is the scan log from HJT as per your advise:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 下午 08:21:41, on 2007/10/29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\dmtthi.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [3c5fbd0f] rundll32.exe "C:\WINDOWS\system32\fmxefgvk.dll",b
O4 - HKLM\..\Run: [Microsoft] dmtthi.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunServices: [Microsoft] dmtthi.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1191931315218
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B52056F4-DDEB-4A51-B71A-F7B4666D006A}: NameServer = 205.252.144.28 218.102.23.77
O20 - AppInit_DLLs: at.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod 服務 (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 8505 bytes

By the way, I have not had any problem for two days now. Think I may have won this time with your valuable advises.

Best regards,
Rickronn

Cheeseball81 · Oct 29, 2007

1. Please download The Avenger by Swandog46 to your Desktop.

Click on Avenger.zip to open the file

Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\system32\fmxefgvk.dll
C:\WINDOWS\system32\dmtthi.exe
C:\WINDOWS\system32\at.dll
C:\WINDOWS\system32\mqrgsh.exe
C:\WINDOWS\system32\vturqnl.dll.vir
C:\WINDOWS\system32\yayyxyx.dll.vir

Click to expand...

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.

Under "Script file to execute" choose "Input Script Manually".

Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"

Paste the text copied to clipboard into this window by pressing (Ctrl+V).

Click Done

Now click on the Green Light to begin execution of the script

Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)

On reboot, it will briefly open a black command window on your desktop, this is normal.

After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt

The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply.

Rescan with Hijack This, close all browser windows except Hijack This, put a checkmark beside these entries and click fix checked.

O4 - HKLM\..\Run: [3c5fbd0f] rundll32.exe "C:\WINDOWS\system32\fmxefgvk.dll",b

O4 - HKLM\..\Run: [Microsoft] dmtthi.exe

O4 - HKLM\..\RunServices: [Microsoft] dmtthi.exe

O20 - AppInit_DLLs: at.dll

Reboot and post another Hijack This log please.

rickronn · Oct 31, 2007

Hello, Cheeseball81,

Have followed your instructions. Please find below content of Avenger.txt:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ecrrekfs

*******************

Script file located at: \??\C:\WINDOWS\system32\dbnqcogq.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\fmxefgvk.dll deleted successfully.
File C:\WINDOWS\system32\dmtthi.exe deleted successfully.

File C:\WINDOWS\system32\at.dll not found!
Deletion of file C:\WINDOWS\system32\at.dll failed!

Could not process line:
C:\WINDOWS\system32\at.dll
Status: 0xc0000034

File C:\WINDOWS\system32\mqrgsh.exe not found!
Deletion of file C:\WINDOWS\system32\mqrgsh.exe failed!

Could not process line:
C:\WINDOWS\system32\mqrgsh.exe
Status: 0xc0000034

File C:\WINDOWS\system32\vturqnl.dll.vir deleted successfully.
File C:\WINDOWS\system32\yayyxyx.dll.vir deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

And this is the scan log from HJT.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 下午 08:22:12, on 2007/10/31
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1191931315218
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod 服務 (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 7549 bytes

By the way, I have posted another thread to seek your help to remove trojan generic6.MCT on my friend's system. Would appreciate if you would advice me.

Best regards,
Rickronn

Cheeseball81 · Oct 31, 2007

Do you have a link? I don't know how around I will be tomorrow.

How are things with this machine?

rickronn · Nov 1, 2007

Hello, Chesseball81,

My system ran fine last night. However, there were several occasions that NOD32 blocked infections of adwares. I am wondering if there is still somethings in my system that trigger them.
Let me run couple more days and I will post a "Problem Solved" if everything check out.

As for my other post, please find the link as follow.
http://forums.techguy.org/showthread.php?t=645770

Best regards,
Rickronn

rickronn · Nov 1, 2007

Hello, Cheeseball81,

Regret to say that my system is still infected. Another IE window would open to other site but I can close it and go back to my original IE window.

NOD32 still blocks infections from time to time. I have attched NOD32 virus details as follow.

2007/11/2 00:12:26 AMON C:\DOCUME~1\RICKYLEE\LOCALS~1\Temp\phhdsbqs.dll a variant of Win32/Adware.SecToolbar - deleted C:\WINDOWS\Explorer.EXE. - quarantined。
2007/11/2 00:12:24 AMON C:\Documents and Settings\RICKYLEE\Local Settings\Temporary Internet Files\Content.IE5\KXEJCLIN\upd32_v13[1] a variant of Win32/Adware.SecToolbar - deleted C:\WINDOWS\Explorer.EXE. - quarantined。
2007/11/2 00:12:19 IMON http://82.98.235.78/test/notepad/up...9EFFFFF&guid=97287BE4EA78454B855497EEB7A4560A a variant of Win32/Adware.SecToolbar
2007/11/2 00:10:32 AMON C:\DOCUME~1\RICKYLEE\LOCALS~1\Temp\wckyduwe.exe Win32/Agent.BCK trojan - deleted C:\WINDOWS\Explorer.EXE. - quarantined。
2007/11/2 00:10:30 AMON C:\Documents and Settings\RICKYLEE\Local Settings\Temporary Internet Files\Content.IE5\ZZPBVX8O\vasya[1] Win32/Agent.BCK trojan - deleted C:\WINDOWS\Explorer.EXE. = quarantined。
2007/11/2 00:10:24 IMON http://82.98.235.78/netob/vasya.exe...9EFFFFF&guid=97287BE4EA78454B855497EEB7A4560A Win32/Agent.BCK trojan
2007/11/1 00:09:42 AMON C:\DOCUME~1\RICKYLEE\LOCALS~1\Temp\jfmhnpys.exe Win32/Agent.BCK trojan - deleted C:\WINDOWS\Explorer.EXE. quarantined。
-------------------------------------------------------------------------------------------------------

I am questioning below entries from my HJT log. Would like to learn your comments.

O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

Best regards,
Rickronn

Cheeseball81 · Nov 2, 2007

They seem to all be in the Temp location.

* Click here to download ATF Cleaner by Atribune and save it to your desktop.

Double-click ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox:

Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera:

Click Opera at the top and choose: Select All

Click the Empty Selected button.

[*]NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Those 2 entries are legit.

rickronn · Nov 2, 2007

Hello, Cheeseball81,

Have followed your advice to use ATF-Cleaner to clean my system. Then I ran SUPER-AntiSpyware to check it and still found some infections. IE still opened up window to other web-site as I was using it.

PLesae find below log from SUPER-AntiSpyware.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/03/2007 at 11:03 AM

Application Version : 3.9.1008

Core Rules Database Version : 3330
Trace Rules Database Version: 1331

Scan type : Complete Scan
Total Scan Time : 00:04:05

Memory items scanned : 441
Memory threats detected : 2
Registry items scanned : 5679
Registry threats detected : 11
File items scanned : 686
File threats detected : 3

Trojan.WinFixer
C:\WINDOWS\SYSTEM32\GEEDC.DLL
C:\WINDOWS\SYSTEM32\GEEDC.DLL
HKLM\Software\Classes\CLSID\{3649853B-2690-4EE6-B2CB-0DEDE5F18100}
HKCR\CLSID\{3649853B-2690-4EE6-B2CB-0DEDE5F18100}
HKCR\CLSID\{3649853B-2690-4EE6-B2CB-0DEDE5F18100}\InprocServer32
HKCR\CLSID\{3649853B-2690-4EE6-B2CB-0DEDE5F18100}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3649853B-2690-4EE6-B2CB-0DEDE5F18100}

Trojan.Downloader-NewJuan/VM
C:\WINDOWS\SYSTEM32\PTTXSDVN.DLL
C:\WINDOWS\SYSTEM32\PTTXSDVN.DLL

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{89AD4D75-2429-462e-BD4E-443F233F6033}
HKCR\CLSID\{89AD4D75-2429-462E-BD4E-443F233F6033}
HKCR\CLSID\{89AD4D75-2429-462E-BD4E-443F233F6033}\InprocServer32
HKCR\CLSID\{89AD4D75-2429-462E-BD4E-443F233F6033}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{89AD4D75-2429-462e-BD4E-443F233F6033}
HKCR\CLSID\{89AD4D75-2429-462E-BD4E-443F233F6033}

Adware.Tracking Cookie
C:\Documents and Settings\RICKYLEE\Cookies\[email protected][2].txt

________________________________________________

By the way, did you manage to find my other post as I attached the link in my last reply to this thread?

Best regards,
Rickronn

rickronn · Nov 2, 2007

Hello, Cheeseball81,

I ran ComboFix again and this is the log from it.

ComboFix 07-10-26.4 - RICKYLEE 2007-11-03 11:30:55.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.950.1.1028.18.1525 [GMT 8:00]
執行位置?: C:\Documents and Settings\RICKYLEE\桌面\ComboFix.exe
.

(((((((((((((((((((((((((((((((((((((( 其他遭刪除的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\cdeeg.bak1
C:\WINDOWS\system32\cdeeg.bak2
C:\WINDOWS\system32\cdeeg.ini
C:\WINDOWS\system32\dcbeg.bak1
C:\WINDOWS\system32\dcbeg.ini
C:\WINDOWS\system32\gebcd.dll
C:\WINDOWS\system32\jjkmp.bak1
C:\WINDOWS\system32\jjkmp.ini2
C:\WINDOWS\system32\jjkmp.tmp

.
(((((((((((((((((((((((((((( 2007-10-03 - 2007-11-03 之間建立的檔案 )))))))))))))))))))))))))))))))))
.

2007-11-03 10:39 86,080 --a------ C:\WINDOWS\system32\skdpmmsu.dll
2007-11-03 09:29 <DIR> d-------- C:\Program Files\WinAVI Video Converter
2007-11-02 00:14 85,056 --a------ C:\WINDOWS\system32\krdbpxqs.dll
2007-10-31 12:02 52,224 --------- C:\tmp11.exe
2007-10-31 12:02 33,280 --a------ C:\WINDOWS\system32\hgghfef.dll
2007-10-28 16:28 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-10-28 15:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-27 16:23 284,876 --a------ C:\Documents and Settings\RICKYLEE\catchme.zip
2007-10-27 16:18 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-26 23:38 9,216 --a------ C:\12load.exe
2007-10-26 23:32 58,368 --------- C:\12luxe.exe
2007-10-26 22:51 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-26 01:16 <DIR> d-------- C:\VundoFix Backups
2007-10-25 00:05 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-10-25 00:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-10-24 23:58 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-10-24 00:46 <DIR> d-------- C:\Program Files\Alcohol Soft
2007-10-24 00:43 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-10-23 20:12 <DIR> d-------- C:\Program Files\PowerQuest
2007-10-23 00:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SlySoft
2007-10-23 00:16 <DIR> d-------- C:\Program Files\SlySoft
2007-10-23 00:08 <DIR> d-------- C:\Documents and Settings\RICKYLEE\Application Data\ImgBurn
2007-10-23 00:07 <DIR> d-------- C:\Program Files\ImgBurn
2007-10-22 09:46 <DIR> d-------- C:\Documents and Settings\RICKYLEE\Application Data\Apple Computer
2007-10-22 09:45 <DIR> d-------- C:\Program Files\QuickTime
2007-10-22 09:45 <DIR> d-------- C:\Program Files\iTunes
2007-10-22 09:45 <DIR> d-------- C:\Program Files\iPod
2007-10-22 09:45 <DIR> d-------- C:\Program Files\Apple Software Update
2007-10-22 09:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-10-22 09:44 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-10-22 09:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-10-21 16:30 <DIR> d-------- C:\Documents and Settings\RICKYLEE\Application Data\Ulead Systems
2007-10-21 16:28 <DIR> d-------- C:\Program Files\Ulead Systems
2007-10-21 16:28 <DIR> d-------- C:\Program Files\Common Files\Ulead Systems
2007-10-21 16:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ulead Systems
2007-10-21 16:28 1,056,768 --a------ C:\WINDOWS\system32\ROBOEX32.DLL
2007-10-21 16:28 49,152 --a------ C:\WINDOWS\system32\INETWH32.dll
2007-10-21 16:05 <DIR> d-------- C:\Program Files\MagicISO
2007-10-19 12:49 <DIR> d-------- C:\Program Files\DVD Shrink
2007-10-19 12:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-10-18 22:49 <DIR> d-------- C:\Program Files\Xvid
2007-10-18 22:49 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-10-18 22:49 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-10-18 22:47 <DIR> d-------- C:\Program Files\AviSynth 2.5
2007-10-18 22:31 <DIR> d--h----- C:\WINDOWS\PIF
2007-10-18 00:34 <DIR> d-------- C:\Program Files\Custom Technology
2007-10-17 21:26 <DIR> d-------- C:\Program Files\Avi2Dvd
2007-10-16 20:47 <DIR> d-------- C:\Program Files\Tiburon_by_Hyundai
2007-10-16 20:46 208,953 -ra------ C:\HYInstLib.dll
2007-10-16 20:46 32,768 -ra------ C:\JWUsbChk.dll
2007-10-16 20:46 29,256 -ra------ C:\WINDOWS\system32\drivers\hwpad.SYS
2007-10-16 20:46 29,256 -ra------ C:\hwpad.sys
2007-10-15 20:47 <DIR> d-------- C:\Documents and Settings\RICKYLEE\WINDOWS
2007-10-15 20:47 299,520 --a------ C:\WINDOWS\IsUn0804.exe
2007-10-15 20:24 20,704 --a------ C:\WINDOWS\system32\drivers\PPMOUCLS.SYS
2007-10-15 19:53 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-10-14 16:16 <DIR> d-------- C:\Program Files\Common Files\Nero
2007-10-14 16:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2007-10-14 15:24 <DIR> d-------- C:\Program Files\Codec Pack - All In 1
2007-10-14 15:24 <DIR> d-------- C:\Documents and Settings\All Users\「開始」功
2007-10-14 15:24 737,280 --a------ C:\WINDOWS\iun6002.exe
2007-10-14 15:16 <DIR> d-------- C:\Program Files\XP Codec Pack
2007-10-14 15:00 <DIR> d-------- C:\Documents and Settings\RICKYLEE\Application Data\Nero
2007-10-14 14:58 <DIR> d-------- C:\Program Files\Nero
2007-10-14 14:14 <DIR> d-------- C:\Program Files\Microsoft Works
2007-10-14 14:12 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-10-14 14:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-14 14:11 <DIR> dr-h----- C:\MSOCache
2007-10-13 00:01 <DIR> d-------- C:\Documents and Settings\RICKYLEE\Application Data\CyberLink
2007-10-12 23:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2007-10-12 23:59 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-10-12 23:58 <DIR> d-------- C:\Program Files\CyberLink
2007-10-12 23:58 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-10-12 23:58 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-10-12 22:33 <DIR> d-------- C:\Program Files\Webshots
2007-10-12 22:33 <DIR> d-------- C:\Documents and Settings\RICKYLEE\Application Data\Webshots
2007-10-12 22:10 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-10-12 22:09 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-10-12 22:09 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-10-12 09:30 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-10-12 03:23 977,920 -----c--- C:\WINDOWS\system32\dllcache\explorer.exe
2007-10-12 03:23 246,784 -----c--- C:\WINDOWS\system32\dllcache\tapisrv.dll
2007-10-12 00:57 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-12 00:27 96,832 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys
2007-10-11 01:17 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2007-10-11 01:17 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2007-10-11 01:17 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2007-10-11 01:11 <DIR> d-------- C:\Program Files\Real
2007-10-11 01:11 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-10-11 01:11 <DIR> d-------- C:\Program Files\Common Files\Real
2007-10-11 00:34 <DIR> d-------- C:\我的下載
2007-10-11 00:05 <DIR> d-------- C:\Documents and Settings\RICKYLEE\Application Data\Azureus
2007-10-11 00:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2007-10-11 00:03 <DIR> d-------- C:\Program Files\Azureus
2007-10-10 23:59 <DIR> d-------- C:\WINDOWS\Sun
2007-10-10 23:57 <DIR> d-------- C:\Program Files\Java
2007-10-10 23:54 <DIR> d-------- C:\Program Files\Common Files\Java
2007-10-10 23:50 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2007-10-10 20:07 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-10-10 20:07 53,248 --a------ C:\WINDOWS\system32\CSVer.dll

.
(((((((((((((((((((((((((((((((((((( 近三個月內更動的檔案 )))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-03 03:34 229,376 ---ha-w C:\Documents and Settings\LocalService\NTUSER.DAT
2007-10-29 17:20 462,336 --sh--w C:\Program Files\Common Files\msdp.dll
2007-10-23 12:09 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-21 08:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-14 07:02 229,376 ---h--w C:\Documents and Settings\Default User\NTUSER.DAT
2007-10-07 15:39 --------- d-----w C:\Program Files\Intel
2007-10-07 15:23 --------- d-----w C:\Program Files\microsoft frontpage
2007-09-16 17:07 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-09-16 17:07 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-09-16 17:07 8,491,008 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-09-16 17:07 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-09-16 17:07 6,853,088 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-09-16 17:07 6,746,112 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-09-16 17:07 6,344,704 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-09-16 17:07 5,783,040 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-09-16 17:07 5,509,120 ----a-w C:\WINDOWS\system32\nvdispsr.dll
2007-09-16 17:07 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-09-16 17:07 458,752 ----a-w C:\WINDOWS\system32\nvmccssr.dll
2007-09-16 17:07 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-09-16 17:07 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-09-16 17:07 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-09-16 17:07 364,544 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-09-16 17:07 36,864 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-09-16 17:07 36,864 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-09-16 17:07 335,872 ----a-w C:\WINDOWS\system32\nvwrses.dll
2007-09-16 17:07 335,872 ----a-w C:\WINDOWS\system32\nvwrsel.dll
2007-09-16 17:07 327,680 ----a-w C:\WINDOWS\system32\nvwrsfr.dll
2007-09-16 17:07 327,680 ----a-w C:\WINDOWS\system32\nvwrsesm.dll
2007-09-16 17:07 327,680 ----a-w C:\WINDOWS\system32\nvrshe.dll
2007-09-16 17:07 327,680 ----a-w C:\WINDOWS\system32\nvrsar.dll
2007-09-16 17:07 323,584 ----a-w C:\WINDOWS\system32\nvwrspt.dll
2007-09-16 17:07 323,584 ----a-w C:\WINDOWS\system32\nvwrsit.dll
2007-09-16 17:07 319,488 ----a-w C:\WINDOWS\system32\nvwrsptb.dll
2007-09-16 17:07 319,488 ----a-w C:\WINDOWS\system32\nvwrsnl.dll
2007-09-16 17:07 315,392 ----a-w C:\WINDOWS\system32\nvwrsru.dll
2007-09-16 17:07 315,392 ----a-w C:\WINDOWS\system32\nvwrshu.dll
2007-09-16 17:07 311,296 ----a-w C:\WINDOWS\system32\nvwrsde.dll
2007-09-16 17:07 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-09-16 17:07 303,104 ----a-w C:\WINDOWS\system32\nvwrstr.dll
2007-09-16 17:07 303,104 ----a-w C:\WINDOWS\system32\nvwrssl.dll
2007-09-16 17:07 303,104 ----a-w C:\WINDOWS\system32\nvwrsfi.dll
2007-09-16 17:07 3,629,056 ----a-w C:\WINDOWS\system32\nvvitvsr.dll
2007-09-16 17:07 3,551,232 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-09-16 17:07 3,334,144 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-09-16 17:07 3,166,208 ----a-w C:\WINDOWS\system32\nvgamesr.dll
2007-09-16 17:07 299,008 ----a-w C:\WINDOWS\system32\nvwrssk.dll
2007-09-16 17:07 299,008 ----a-w C:\WINDOWS\system32\nvwrsno.dll
2007-09-16 17:07 294,912 ----a-w C:\WINDOWS\system32\nvwrssv.dll
2007-09-16 17:07 294,912 ----a-w C:\WINDOWS\system32\nvwrspl.dll
2007-09-16 17:07 294,912 ----a-w C:\WINDOWS\system32\nvwrsda.dll
2007-09-16 17:07 290,816 ----a-w C:\WINDOWS\system32\nvwrsth.dll
2007-09-16 17:07 286,720 ----a-w C:\WINDOWS\system32\nvwrseng.dll
2007-09-16 17:07 286,720 ----a-w C:\WINDOWS\system32\nvwrscs.dll
2007-09-16 17:07 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-09-16 17:07 282,624 ----a-w C:\WINDOWS\system32\nvwrsar.dll
2007-09-16 17:07 282,624 ----a-w C:\WINDOWS\system32\nvrsfr.dll
2007-09-16 17:07 282,624 ----a-w C:\WINDOWS\system32\nvrses.dll
2007-09-16 17:07 282,624 ----a-w C:\WINDOWS\system32\nvrsel.dll
2007-09-16 17:07 278,528 ----a-w C:\WINDOWS\system32\nvwrshe.dll
2007-09-16 17:07 278,528 ----a-w C:\WINDOWS\system32\nvrsit.dll
2007-09-16 17:07 278,528 ----a-w C:\WINDOWS\system32\nvrsde.dll
2007-09-16 17:07 274,432 ----a-w C:\WINDOWS\system32\nvrspt.dll
2007-09-16 17:07 274,432 ----a-w C:\WINDOWS\system32\nvrsnl.dll
2007-09-16 17:07 274,432 ----a-w C:\WINDOWS\system32\nvrsesm.dll
2007-09-16 17:07 270,336 ----a-w C:\WINDOWS\system32\nvrsru.dll
2007-09-16 17:07 266,240 ----a-w C:\WINDOWS\system32\nvrsptb.dll
2007-09-16 17:07 266,240 ----a-w C:\WINDOWS\system32\nvrsja.dll
2007-09-16 17:07 258,048 ----a-w C:\WINDOWS\system32\nvrstr.dll
2007-09-16 17:07 258,048 ----a-w C:\WINDOWS\system32\nvrssl.dll
2007-09-16 17:07 258,048 ----a-w C:\WINDOWS\system32\nvrssk.dll
2007-09-16 17:07 258,048 ----a-w C:\WINDOWS\system32\nvrsko.dll
2007-09-16 17:07 258,048 ----a-w C:\WINDOWS\system32\nvrshu.dll
2007-09-16 17:07 253,952 ----a-w C:\WINDOWS\system32\nvrsth.dll
2007-09-16 17:07 253,952 ----a-w C:\WINDOWS\system32\nvrssv.dll
2007-09-16 17:07 253,952 ----a-w C:\WINDOWS\system32\nvrspl.dll
2007-09-16 17:07 253,952 ----a-w C:\WINDOWS\system32\nvrsno.dll
2007-09-16 17:07 253,952 ----a-w C:\WINDOWS\system32\nvrsda.dll
2007-09-16 17:07 249,856 ----a-w C:\WINDOWS\system32\nvrsfi.dll
2007-09-16 17:07 249,856 ----a-w C:\WINDOWS\system32\nvrscs.dll
2007-09-16 17:07 245,760 ----a-w C:\WINDOWS\system32\nvrseng.dll
2007-09-16 17:07 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-09-16 17:07 225,280 ----a-w C:\WINDOWS\system32\nvrszhc.dll
2007-09-16 17:07 212,992 ----a-w C:\WINDOWS\system32\nvwrsja.dll
2007-09-16 17:07 2,854,912 ----a-w C:\WINDOWS\system32\nvmoblsr.dll
2007-09-16 17:07 2,441,216 ----a-w C:\WINDOWS\system32\nvwssr.dll
2007-09-16 17:07 2,371,584 ----a-w C:\WINDOWS\system32\nvwss.dll
2007-09-16 17:07 196,608 ----a-w C:\WINDOWS\system32\nvwrsko.dll
2007-09-16 17:07 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
2007-09-16 17:07 167,936 ----a-w C:\WINDOWS\system32\nvwrszht.dll
2007-09-16 17:07 163,840 ----a-w C:\WINDOWS\system32\nvwrszhc.dll
2007-09-16 17:07 155,716 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2007-09-16 17:07 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-09-16 17:07 126,976 ----a-w C:\WINDOWS\system32\nvrszht.dll
2007-09-16 17:07 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-09-16 17:07 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2007-09-16 17:07 1,478,656 ----a-w C:\WINDOWS\system32\nview.dll
2007-09-16 17:07 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
2007-09-16 17:07 1,150,976 ----a-w C:\WINDOWS\system32\nvmobls.dll
2007-09-16 17:07 1,073,152 ----a-w C:\WINDOWS\system32\nvcpluir.dll
2007-09-16 17:07 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
.

(((((((((((((((((((((((((((((((((((((((((( 重要登錄檔 )))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白或合法的登錄值將不會顯示

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{50666B8E-6CBD-4471-9E85-96B41D9BBCD3}]
2007-10-31 12:02 33280 --a------ C:\WINDOWS\system32\hgghfef.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6921AED2-4A35-4266-814A-2B413496B250}]
C:\WINDOWS\system32\gebcd.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 13:31]
"SoundMan"="SOUNDMAN.EXE" [2003-08-05 13:59 C:\WINDOWS\SOUNDMAN.EXE]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2007-09-17 01:07]
"nwiz"="nwiz.exe" [2007-09-17 01:07 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2007-09-17 01:07]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-10-10 23:50]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-11 01:11]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 22:57]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-04-13 11:09]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57]
"Ulead AutoDetector v2"="C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2004-11-26 11:43]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 22:46]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-10-28 15:31]
"3c5fbd0f"="C:\WINDOWS\system32\skdpmmsu.dll" [2007-11-03 10:39]
"combofix"="C:\WINDOWS\system32\cmd.exe" [2004-08-12 09:16]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 09:16]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-08-03 12:51]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2007-10-23 00:20]

C:\Documents and Settings\RICKYLEE\「開始」功能表\程式集\啟動\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2007-10-12 22:33:03]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
"{50666B8E-6CBD-4471-9E85-96B41D9BBCD3}"= C:\WINDOWS\system32\hgghfef.dll [2007-10-31 12:02 33280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgghfef]
hgghfef.dll 2007-10-31 12:02 33280 C:\WINDOWS\system32\hgghfef.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\gebcd.dll

R3 hwmouser;Hanwang Technology CO.LTD HID Tablet Device;C:\WINDOWS\system32\DRIVERS\hwpad.sys
S0 pjcxrird;pjcxrird;C:\WINDOWS\system32\drivers\mgowdcnf.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a6456aab-7faf-11dc-b8bb-000740ca46f7}]
1\Command - autorun.pif
2\Command - autorun.pif
AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL autorun.pif

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D48g43BC-4266-43f0-B6ED-9D38C4202C7E}]
C:\Program Files\Common Files\mscd.exe
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-03 11:36:37
Windows 5.1.2600 Service Pack 2 NTFS

掃描隱藏的程序...

掃描隱藏的進程...

掃描隱藏的檔案...

掃描完成
隱藏檔案?: 0

**************************************************************************
.
完成時間?: 2007-11-03 11:38:28 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-30 01:21
C:\ComboFix3.txt ... 2007-10-28 14:40
.
--- E O F ---

______________________________________________

And this is the new HJT log after I ran ComboFix.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 上午 11:45:52, on 2007/11/3
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {50666B8E-6CBD-4471-9E85-96B41D9BBCD3} - C:\WINDOWS\system32\hgghfef.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1191931315218
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: hgghfef - C:\WINDOWS\SYSTEM32\hgghfef.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod 服務 (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 8216 bytes

__________________________________

Best regards,
Rickronn

Log in or Sign up

Not Sure if Winfixer Trojan has been Removed

rickronn Thread Starter

Cheeseball81 Retired Moderator

rickronn Thread Starter

Cheeseball81 Retired Moderator

rickronn Thread Starter

Cheeseball81 Retired Moderator

rickronn Thread Starter

Cheeseball81 Retired Moderator

rickronn Thread Starter

Cheeseball81 Retired Moderator

rickronn Thread Starter

rickronn Thread Starter

Cheeseball81 Retired Moderator

rickronn Thread Starter

rickronn Thread Starter

Sponsor

Welcome to Tech Support Guy!

New Hacked, unsure if i am safe

Log in or Sign up

Not Sure if Winfixer Trojan has been Removed

rickronn Thread Starter

Cheeseball81 Retired Moderator

rickronn Thread Starter

Cheeseball81 Retired Moderator

rickronn Thread Starter

Cheeseball81 Retired Moderator

rickronn Thread Starter

Cheeseball81 Retired Moderator

rickronn Thread Starter

Cheeseball81 Retired Moderator

rickronn Thread Starter

rickronn Thread Starter

Cheeseball81 Retired Moderator

rickronn Thread Starter

rickronn Thread Starter

Sponsor

Welcome to Tech Support Guy!

New Hacked, unsure if i am safe

Useful Searches