Possibly the beginning of an infected computer

vanishinghopes · 05-11-2009, 08:10 PM

Hello you kind people,

I'm not so certain how this problem began because I generally don't download anything and mostly use the computer for my homework and some leisurely activities like listening to music. However, I've noticed the change in performance of my system when startup became extremely slow (takes like half an hour or more to load the icons on my taskbar). Sometimes, the startup would freeze and I have to shut down the computer manually.

Just last night Avast found two viruses in a row (without scanning). The first time was when I was on a Chinese forum about mother's day, the second time was when I plugged in my flashdrive (everything lagged for a while and then Avast popped up with it's siren noise). In general, my computer isn't very fast and occasionally a real bad lag would take place at random times. I've become more worried about this issue when, once again, Avast popped up today during startup and said it found a malware in my computer. I didn't really see what the malware was, but I remember seeing the word 'rootkit' somewhere in there. My taskbar icons weren't even done loading yet and Avast showed up!

I'm getting real worried since I have so many important documents on this computer, and I can't back it up with a storage device just yet (I plan to buy one this weekend).

Help is GREATLY APPRECIATED! Thank you so much in advance!!!

Here's the text:

DDS (Ver_09-03-16.01) - NTFSx86
Run by Compaq_Owner at 16:47:16.00 on 05/11/2009 Mon
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Home Edition 5.1.2600.3.936.86.1033.18.446.85 [GMT -7:00]

AV: Norton Internet Security 2006 *On-access scanning enabled* (Updated)
AV: avast! antivirus 4.8.1335 [VPS 090511-0] *On-access scanning enabled* (Updated)
FW: Norton Internet Worm Protection *disabled*
FW: ZoneAlarm Firewall *enabled*
FW: Norton Internet Security 2006 *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\SnoopFreeSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\SnoopFreeUI.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\progra~1\common~1\instal~1\update~1\issch.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HandWrite\MyNewRecog.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\HandWrite\InsTalk\InsTalk.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\windows\system\hpsysdrv.exe
C:\Documents and Settings\Compaq_Owner\Desktop\dds.scr
C:\WINDOWS\system32\conime.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearch Bar = hxxp://www.yahoo.com/search/ie.html
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.onlineregister.com/sonic/cgi/switch.cgi?REFR=&LANG=EN
uInternet Settings,ProxyServer = <local>
uInternet Settings,ProxyOverride = <local>;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn5\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn5\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: Encarta Web Companion Helper Object: {955be0b8-bc85-4caf-856e-8e0d8b610560} - c:\program files\common files\microsoft shared\encarta web companion\2007\ENCWCBAR.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn5\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn5\yt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Encarta Web Companion: {147d6308-0614-4112-89b1-31402f9b82c4} - c:\program files\common files\microsoft shared\encarta web companion\2007\ENCWCBAR.DLL
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Creative Detector] "c:\program files\creative\mediasource\detector\CTDetect.exe" /R
uRun: [Aim6]
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [cdoosoft] c:\windows\system32\olhrwef.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SnoopFreeUI] SnoopFreeUI.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\progra~1\common~1\instal~1\update~1\issch.exe" -start
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NewRecog] c:\program files\handwrite\MyNewRecog.exe
mRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\mobile2\application launcher\Application Launcher.exe" /startoptions
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
StartupFolder: c:\docume~1\compaq~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: RaptisoftGameLoader - hxxp://www.miniclip.com/games/hamsterball/en/raptisoftgameloader.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/b/e/5/be592e3e-4442-4588-b01e-8fe3a2e104ac/LegitCheckControl.cab
DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - hxxp://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - hxxps://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1153603618218
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1153603605453
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - hxxp://acs.pandasoftware.com/activescan/as5free/asinst.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: CShellExecuteHookImpl Object: {57b86673-276a-48b2-bae7-c6dbb3020eb8} - c:\program files\grisoft\avg anti-spyware 7.5\shellexecutehook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\compaq~1\applic~1\mozilla\firefox\profiles\ku6vomdl.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Dictionary.com
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\compaq_owner\application data\mozilla\firefox\profiles\ku6vomdl.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 SnoopFree;SnoopFree Driver;c:\windows\system32\drivers\SnopFree.sys [2006-10-29 9472]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-3 114768]
R1 AVG Anti-Spyware Driver;AVG Anti-Spyware Driver;c:\program files\grisoft\avg anti-spyware 7.5\guard.sys [2006-9-28 11000]
R1 AvgAsCln;AVG Anti-Spyware Clean Driver;c:\windows\system32\drivers\AvgAsCln.sys [2006-12-2 3968]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-9-21 353672]
R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2007-6-22 419448]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-3 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2007-8-7 138680]
R2 AVG Anti-Spyware Guard;AVG Anti-Spyware Guard;c:\program files\grisoft\avg anti-spyware 7.5\guard.exe [2006-9-28 312880]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2007-8-7 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2007-8-7 352920]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\eraserutilrebootdrv.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [?]

=============== Created Last 30 ================

2009-05-10 19:41 107,947 ---shr-- c:\windows\system32\olhrwef.exe
2009-04-30 19:08 <DIR> --d----- c:\program files\iPod
2009-04-30 19:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-30 18:57 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-04-30 18:34 <DIR> --d----- c:\program files\Bonjour
2009-04-16 19:38 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-04-16 19:38 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 19:38 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-04-16 19:38 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-04-16 19:38 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 19:38 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-04-16 19:38 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 19:38 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-04-16 19:38 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-04-16 19:32 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-16 19:32 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 19:32 215,552 -------- c:\windows\system32\dllcache\wordpad.exe

==================== Find3M ====================

2009-03-30 11:13 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-03-26 15:23 36,864 a------- c:\windows\system32\drivers\usbaapl.sys
2009-03-21 07:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-19 16:32 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-06 07:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 17:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-02 17:18 826,368 a------- c:\windows\system32\dllcache\wininet.dll
2009-02-27 21:54 636,072 a------- c:\windows\system32\dllcache\iexplore.exe
2009-02-20 03:20 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 03:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-19 22:14 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2009-02-16 00:10 1,221,512 a------- c:\windows\system32\zpeng25.dll
2006-08-26 10:33 302 a------- c:\docume~1\compaq~1\applic~1\wklnhst.dat
2006-02-24 09:50 217 a------- c:\program files\setup.ini
2006-02-08 04:01 266,240 a------- c:\program files\setup.exe
2002-03-11 02:06 1,822,520 a------- c:\program files\instmsiw.exe
2002-03-11 01:45 1,708,856 a------- c:\program files\instmsia.exe
2005-05-13 18:12 217,073 a--shr-- c:\windows\meta4.exe
2005-10-24 12:13 66,560 a--shr-- c:\windows\MOTA113.exe
2006-11-10 22:56 22 a--sh--- c:\windows\sminst\HPCD.sys
2005-07-14 13:31 27,648 a--shr-- c:\windows\system32\AVSredirect.dll
2005-06-26 16:32 616,448 a--shr-- c:\windows\system32\cygwin1.dll
2005-06-21 23:37 45,568 a--shr-- c:\windows\system32\cygz.dll
2004-01-25 01:00 70,656 a--shr-- c:\windows\system32\i420vfw.dll
2005-02-28 14:16 240,128 a--shr-- c:\windows\system32\x.264.exe
2004-01-25 01:00 70,656 a--shr-- c:\windows\system32\yv12vfw.dll
2008-08-29 21:44 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082920080830\index.dat
2008-08-29 21:44 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 16:49:04.39 ===============

sjb007 · 05-12-2009, 01:27 AM

Hi there

I'm Steve and I will be helping you thoughout this fix.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. It is IMPORTANT that you don't miss a step. Please perform everything in the correct order/sequence.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription

Please note that the forum is very busy and if I don't hear from you within three days from this initial post then thread will be closed.

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate. Please stay with me until given the 'all clear' even if symptoms seemingly abate.

It appears that you have two antivirus programs installed and running, Norton AntiVirus and Avast. While I understand the frustrations of malware this may seem like a good idea to improve protection, but they can actually have the opposite effect and conflict with one another and cause system instability or even system hangs. Please choose one to keep and uninstall the other via Add or Remove Programs in your Control Panel.

You have evidence of an infostealer onboard.

Infostealers, Backdoor Trojans and IRCBots are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information like passwords, personal and financial data which they send back to the hacker. Remote attackers use backdoor Trojans as part of an exploit to to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned.
All passwords should be changed immediately to include those used for banking, email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

We need to disable your TeaTimer as it may interfere with the fixes that we need to make.

1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.

Download ResetTeaTimer.bat by right-clicking on the link, and choosing Save As.

* Save it to your Desktop.
* Double-click ResetTeaTimer.zip
* Double-click ResetTeaTimer.bat and click Run to remove all entries set by TeaTimer.

After all of the fixes are complete it is very important that you enable TeaTimer again, I will let you know when it is safe to do so.

A Tutorial for Tea Timer can be found here -> http://russelltexas.com/malware/teatimer.htm

Please scan with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

vanishinghopes · 05-14-2009, 06:56 PM

Hi Steve!

Sorry, it took a bit for me to get the .txt for the combofix scan results.
Also,I want to let you know that there are some Chinese in the file because I remember changing some setting a while back to give me the option to type Chinese. I'm not sure how to adjust the options to permit me to only view English and type Chinese. I hope that doesn't cause any inconvenience for you!

Thanks a lot for helping me out

sjb007 · 05-15-2009, 04:42 PM

Hi there

Appologies for any delays...

Please download Flash Disinfector by sUBs.
Hold down the Shift key and insert your thumbdrive.
Double click on Flash_Disinfector.exe to run it. Once done, you will be prompted. Click OK.
Repeat this step if you have more than one thumbdrives.

Next....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote:

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b8b7315-3c5f-11de-9467-001731474b5e}]

Regnull::
[HKEY_USERS\S-1-5-21-37633785-2617644191-4288392163-1009\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8FB56050-605A-5ED8-75EE-A84151C62B62}*]

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply

==============================

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
Scroll down to where it says "JRE 6 Update 13."
Click the "Download" button to the right.
Select the Windows platform from the dropdown menu.
Read the License Agreement and then check the box that says: " I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue.The page will refresh.
Click on the link to download Windows Offline Installation and save the file to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove the following versions of Java.

J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) SE Runtime Environment 6 Update 1

Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u12-windows-i586-p.exe to install the newest version.

After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
- On the General tab, under Temporary Internet Files, click the Settings button.
- Next, click on the Delete Files button
- There are two options in the window to clear the cache - Leave BOTH Checked
  - Applications and Applets
    Trace and Log Files
- Click OK on Delete Temporary Files Window
  Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
- Click OK to leave the Temporary Files Window
- Click OK to leave the Java Control Panel.

==============================

Once done....

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

I want you to run an online scan at kaspersky. It can take some time, so please be patient and allow it to run it's full course:

**Vista users - right click IE/Firefox icon and run as administrator

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:

Close any open programs
Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.

Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
Click View scan report at the bottom.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

Please post back with:
The new combofix log
The log from Kaspersky

Please copy and paste the results in your reply rather than add as attachments as this makes it easier for analysis - Thanks

vanishinghopes · 05-16-2009, 06:56 PM

Hello!

I have the results (The scanning really did take quite a bit of time.)

For Combofix:

ComboFix 09-05-13.02 - Compaq_Owner 5/2009 Fri 19:50.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.936.86.1033.18.446.97 [GMT -7:00]
执行位置: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090513-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Norton Internet Security 2006 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security 2006 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((( 2009-04-16 至 2009-05-16 的新的档案 )))))))))))))))))))))))))))))))
.

2009-05-01 02:08 . 2009-05-02 19:33 -------- d-----w c:\program files\iPod
2009-05-01 02:08 . 2009-05-01 02:09 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-01 02:03 . 2009-05-01 02:04 -------- d-----w c:\program files\QuickTime
2009-05-01 01:57 . 2009-03-26 22:23 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-05-01 01:34 . 2009-05-01 01:34 -------- d-----w c:\program files\Bonjour
2009-04-19 07:48 . 2009-04-19 07:48 -------- d-----w c:\documents and settings\Compaq_Owner\Application Data\Image Zone Express
2009-04-17 02:38 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-17 02:38 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-17 02:38 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-17 02:38 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-17 02:38 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-17 02:38 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-17 02:38 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-17 02:38 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-17 02:38 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-17 02:32 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-17 02:32 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe

.
(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-10 01:57 . 2007-06-07 00:03 -------- d-----w c:\program files\Trillian
2009-05-07 05:34 . 2009-05-08 00:08 287744 ----a-w c:\windows\Internet Logs\xDBE.tmp
2009-05-05 01:27 . 2006-07-27 19:10 -------- d-----w c:\program files\Yahoo!
2009-05-01 02:09 . 2007-08-14 20:24 -------- d-----w c:\program files\iTunes
2009-05-01 02:08 . 2007-08-14 20:22 -------- d-----w c:\program files\Common Files\Apple
2009-04-24 05:24 . 2009-04-25 03:20 41984 ----a-w c:\windows\Internet Logs\xDBD.tmp
2009-04-23 05:28 . 2009-04-23 22:51 109056 ----a-w c:\windows\Internet Logs\xDBC.tmp
2009-04-19 16:18 . 2006-07-26 16:42 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-18 06:56 . 2009-04-18 18:15 169472 ----a-w c:\windows\Internet Logs\xDBB.tmp
2009-04-09 16:35 . 2008-02-11 23:47 24466898 ----a-w c:\windows\Internet Logs\tvDebug.zip
2009-04-08 08:49 . 2009-04-08 16:39 489472 ----a-w c:\windows\Internet Logs\xDBA.tmp
2009-03-30 18:13 . 2007-08-07 20:03 4212 ---ha-w c:\windows\system32\zllictbl.dat
2009-03-26 22:23 . 2007-12-27 18:58 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-19 23:32 . 2008-01-29 19:01 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-18 22:49 . 2008-07-31 16:22 -------- d-----w c:\program files\McAfee
2009-03-17 22:48 . 2009-03-17 22:48 90590 ----a-w c:\windows\Internet Logs\zlclient_2nd_2009_03_16_21_52_23_small.dmp.zip
2009-03-06 14:22 . 2004-08-04 04:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-05 05:26 . 2009-03-05 23:49 2718208 ----a-w c:\windows\Internet Logs\xDB9.tmp
2009-03-03 00:18 . 2004-08-04 04:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-21 05:36 . 2009-02-21 05:36 85923 ----a-w c:\windows\Internet Logs\zlclient_2nd_2009_02_19_20_58_19_small.dmp.zip
2009-02-20 18:09 . 2004-08-04 04:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-16 07:10 . 2009-01-30 01:17 1221512 ----a-w c:\windows\system32\zpeng25.dll
2009-02-15 09:28 . 2009-02-15 17:06 2620416 ----a-w c:\windows\Internet Logs\xDB8.tmp
2006-02-24 16:50 . 2006-02-24 16:50 217 ----a-w c:\program files\setup.ini
2002-03-11 09:06 . 2002-03-11 09:06 1822520 ----a-w c:\program files\instmsiw.exe
2002-03-11 08:45 . 2002-03-11 08:45 1708856 ----a-w c:\program files\instmsia.exe
2005-05-14 01:12 . 2005-05-14 01:12 217073 --sha-r c:\windows\meta4.exe
2005-10-24 19:13 . 2005-10-24 19:13 66560 --sha-r c:\windows\MOTA113.exe
2006-11-11 05:56 . 2006-11-11 05:56 22 --sha-w c:\windows\SMINST\HPCD.sys
2005-07-14 20:31 . 2005-07-14 20:31 27648 --sha-r c:\windows\system32\AVSredirect.dll
2005-06-26 23:32 . 2005-06-26 23:32 616448 --sha-r c:\windows\system32\cygwin1.dll
2005-06-22 06:37 . 2005-06-22 06:37 45568 --sha-r c:\windows\system32\cygz.dll
2004-01-25 08:00 . 2004-01-25 08:00 70656 --sha-r c:\windows\system32\i420vfw.dll
2005-02-28 21:16 . 2005-02-28 21:16 240128 --sha-r c:\windows\system32\x.264.exe
2004-01-25 08:00 . 2004-01-25 08:00 70656 --sha-r c:\windows\system32\yv12vfw.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-05-14_23.21.05 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-16 02:09 . 2009-05-16 02:09 16384 c:\windows\Temp\Perflib_Perfdata_634.dat
.
((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-03 102400]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-03-31 68856]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-03-19 4363504]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-10 7311360]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-05-10 86016]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\progra~1\common~1\instal~1\update~1\issch.exe" [2004-07-27 81920]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-05-10 180269]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"NewRecog"="c:\program files\HandWrite\MyNewRecog.exe" [2006-09-11 676352]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-03-28 593920]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-26 177472]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2006-03-08 16010240]
"SnoopFreeUI"="SnoopFreeUI.exe" - c:\windows\SnoopFreeUI.exe [2006-10-30 221184]

c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/3/2008 6:24 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/3/2008 6:24 PM 20560]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [7/31/2008 9:23 AM 210216]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/27/2007 12:16 PM 24652]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R2 YahooAUService;Yahoo! Updater;c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe [11/9/2008 1:48 PM 602392]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1268bdfb-e22d-11dc-8a5d-001731474b5e}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b8b7314-3c5f-11de-9467-001731474b5e}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a
.
‘计划任务’ 文件夹里的内容

2009-03-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-05-02 c:\windows\Tasks\Avast! Quickscan.job
- c:\program files\Alwil Software\Avast4\ashQuick.exe [2007-08-07 21:04]

2009-05-16 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]
.
.
------- 而外的扫描 -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.onlineregister.com/sonic/cgi/switch.cgi?REFR=&LANG=EN
uInternet Settings,ProxyServer = <local>
uInternet Settings,ProxyOverride = <local>;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
DPF: RaptisoftGameLoader - hxxp://www.miniclip.com/games/hamsterball/en/raptisoftgameloader.cab
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\ku6vomdl.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Dictionary.com
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\ku6vomdl.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- 火狐配置文件 ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-15 19:53
Windows 5.1.2600 Service Pack 3 NTFS

扫描被隐藏的进程。。。

扫描被隐藏的启动组。。。

扫描被隐藏的文件。。。

**************************************************************************
.
--------------------- 运行进程下的动态链接库 ---------------------

- - - - - - - > 'explorer.exe'(2836)
c:\docume~1\COMPAQ~1\LOCALS~1\Temp\catchme.dll
c:\windows\SnoopFreeDll.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
.
完成时间: 2009-05-16 19:57
ComboFix-quarantined-files.txt 2009-05-16 02:56
ComboFix2.txt 2009-05-14 23:58
ComboFix3.txt 2009-05-14 23:26

Pre-Run: 157,035,810,816 bytes free
Post-Run: 157,019,193,344 bytes free

196 --- E O F --- 2009-05-13 03:06

For the Kaspersky scan results:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Saturday, May 16, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Saturday, May 16, 2009 07:08:25
Records in database: 2184586
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan statistics:
Files scanned: 129569
Threat name: 3
Infected objects: 6
Suspicious objects: 0
Duration of the scan: 03:24:09

File name / Threat name / Threats count
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP1139\A0148994.exe Infected: Trojan-GameThief.Win32.Magania.bbhh 1
D:\I386\APPS\APP12927\src\CompaqPresario_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 2
D:\I386\APPS\APP12927\src\HPPavillion_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 2
J:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx Infected: Net-Worm.Win32.Kido.ih 1

The selected area was scanned.

I hope it's something fixable.
I'm so glad there are people out there who volunteers to help folks like me. Thanks a lot!

sjb007 · 05-17-2009, 01:28 AM

Hi there

From what what Kaspersky picked up on, I see a file in the recycle bin on your J: drive which needs deleteing, this can be done by simply emptying the recycle bin on that drive. It also picked up on an entry in the system restore but we will flush this out at the end of the fix so this is not a priority to us at the minute.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote:

DDS::
uRun: [cdoosoft] c:\windows\system32\olhrwef.exe

File::
c:\windows\system32\olhrwef.exe

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply

Please download Malwarebytes Anti-Malware (MBAM) and save it to your desktop.
alternate download link 1
alternate download link 2

Make sure you are connected to the Internet.
Double-click on Download_mbam-setup.exe to install the application. (If using Windows Vista, be sure to "Run As Administrator")
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
- Update Malwarebytes' Anti-Malware
- Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
- Make sure the "Perform Quick Scan" option is selected.
- Then click on the Scan button.
The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Once done post back with both logs, please also update me on how things are now.

vanishinghopes · 05-17-2009, 12:22 PM

Hiya,

Things seems to be functioning and fine (though I did get a few error messages at startup after restarting the computer to remove the malware with MBAM.) I supposed there is some sort of improvement, but there's no significant difference in performance from what I'm seeing.

Edit:
When I opened My Computer, I don't see a J drive. That maybe have been a flash drive that was plugged in a while back.
Also, I'm not sure if this is related but I remember plugging in my friend's flash drive a while back (a month ago?) and since then, Avast has been picking up viruses and trojans. Most recently, I plugged in a flash drive and Avast soon quarantined a couple of trojans about 5 minutes later. I don't have this drive anymore since it wasn't mine in the first place but maybe that may have contributed to my computer's situation?

Here's the combofix results:

ComboFix 09-05-13.02 - Compaq_Owner 7/2009 Sun 10:12.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.936.86.1033.18.446.107 [GMT -7:00]
执行位置: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090516-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Norton Internet Security 2006 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security 2006 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

FILE ::
c:\windows\system32\olhrwef.exe
.

((((((((((((((((((((((((( 2009-04-17 至 2009-05-17 的新的档案 )))))))))))))))))))))))))))))))
.

2009-05-16 04:19 . 2009-05-16 04:18 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-01 02:08 . 2009-05-02 19:33 -------- d-----w c:\program files\iPod
2009-05-01 02:08 . 2009-05-01 02:09 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-01 02:03 . 2009-05-01 02:04 -------- d-----w c:\program files\QuickTime
2009-05-01 01:57 . 2009-03-26 22:23 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-05-01 01:34 . 2009-05-01 01:34 -------- d-----w c:\program files\Bonjour
2009-04-19 07:48 . 2009-04-19 07:48 -------- d-----w c:\documents and settings\Compaq_Owner\Application Data\Image Zone Express

.
(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-16 04:18 . 2005-05-10 17:28 -------- d-----w c:\program files\Java
2009-05-16 04:02 . 2008-02-11 23:47 26364694 ----a-w c:\windows\Internet Logs\tvDebug.zip
2009-05-16 04:01 . 2009-05-16 04:02 140800 ----a-w c:\windows\Internet Logs\xDBF.tmp
2009-05-10 01:57 . 2007-06-07 00:03 -------- d-----w c:\program files\Trillian
2009-05-07 05:34 . 2009-05-08 00:08 287744 ----a-w c:\windows\Internet Logs\xDBE.tmp
2009-05-05 01:27 . 2006-07-27 19:10 -------- d-----w c:\program files\Yahoo!
2009-05-01 02:09 . 2007-08-14 20:24 -------- d-----w c:\program files\iTunes
2009-05-01 02:08 . 2007-08-14 20:22 -------- d-----w c:\program files\Common Files\Apple
2009-04-24 05:24 . 2009-04-25 03:20 41984 ----a-w c:\windows\Internet Logs\xDBD.tmp
2009-04-23 05:28 . 2009-04-23 22:51 109056 ----a-w c:\windows\Internet Logs\xDBC.tmp
2009-04-19 16:18 . 2006-07-26 16:42 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-18 06:56 . 2009-04-18 18:15 169472 ----a-w c:\windows\Internet Logs\xDBB.tmp
2009-04-08 08:49 . 2009-04-08 16:39 489472 ----a-w c:\windows\Internet Logs\xDBA.tmp
2009-03-30 18:13 . 2007-08-07 20:03 4212 ---ha-w c:\windows\system32\zllictbl.dat
2009-03-26 22:23 . 2007-12-27 18:58 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-19 23:32 . 2008-01-29 19:01 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-18 22:49 . 2008-07-31 16:22 -------- d-----w c:\program files\McAfee
2009-03-17 22:48 . 2009-03-17 22:48 90590 ----a-w c:\windows\Internet Logs\zlclient_2nd_2009_03_16_21_52_23_small.dmp.zip
2009-03-06 14:22 . 2004-08-04 04:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-05 05:26 . 2009-03-05 23:49 2718208 ----a-w c:\windows\Internet Logs\xDB9.tmp
2009-03-03 00:18 . 2004-08-04 04:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-21 05:36 . 2009-02-21 05:36 85923 ----a-w c:\windows\Internet Logs\zlclient_2nd_2009_02_19_20_58_19_small.dmp.zip
2009-02-20 18:09 . 2004-08-04 04:00 78336 ----a-w c:\windows\system32\ieencode.dll
2006-02-24 16:50 . 2006-02-24 16:50 217 ----a-w c:\program files\setup.ini
2002-03-11 09:06 . 2002-03-11 09:06 1822520 ----a-w c:\program files\instmsiw.exe
2002-03-11 08:45 . 2002-03-11 08:45 1708856 ----a-w c:\program files\instmsia.exe
2005-05-14 01:12 . 2005-05-14 01:12 217073 --sha-r c:\windows\meta4.exe
2005-10-24 19:13 . 2005-10-24 19:13 66560 --sha-r c:\windows\MOTA113.exe
2006-11-11 05:56 . 2006-11-11 05:56 22 --sha-w c:\windows\SMINST\HPCD.sys
2005-07-14 20:31 . 2005-07-14 20:31 27648 --sha-r c:\windows\system32\AVSredirect.dll
2005-06-26 23:32 . 2005-06-26 23:32 616448 --sha-r c:\windows\system32\cygwin1.dll
2005-06-22 06:37 . 2005-06-22 06:37 45568 --sha-r c:\windows\system32\cygz.dll
2004-01-25 08:00 . 2004-01-25 08:00 70656 --sha-r c:\windows\system32\i420vfw.dll
2005-02-28 21:16 . 2005-02-28 21:16 240128 --sha-r c:\windows\system32\x.264.exe
2004-01-25 08:00 . 2004-01-25 08:00 70656 --sha-r c:\windows\system32\yv12vfw.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-05-14_23.21.05 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-17 00:32 . 2009-05-17 00:32 16384 c:\windows\Temp\Perflib_Perfdata_708.dat
+ 2009-05-17 15:59 . 2009-05-17 15:59 16384 c:\windows\Temp\Perflib_Perfdata_1f0.dat
+ 2009-05-16 04:19 . 2009-05-16 04:18 148888 c:\windows\system32\javaws.exe
+ 2009-05-16 04:19 . 2009-05-16 04:18 144792 c:\windows\system32\javaw.exe
+ 2009-05-16 04:19 . 2009-05-16 04:18 144792 c:\windows\system32\java.exe
.
((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-03 102400]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-03-31 68856]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-03-19 4363504]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-10 7311360]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-05-10 86016]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\progra~1\common~1\instal~1\update~1\issch.exe" [2004-07-27 81920]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-05-10 180269]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"NewRecog"="c:\program files\HandWrite\MyNewRecog.exe" [2006-09-11 676352]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-03-28 593920]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-26 177472]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-16 148888]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2006-03-08 16010240]
"SnoopFreeUI"="SnoopFreeUI.exe" - c:\windows\SnoopFreeUI.exe [2006-10-30 221184]

c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/3/2008 6:24 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/3/2008 6:24 PM 20560]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [7/31/2008 9:23 AM 210216]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/27/2007 12:16 PM 24652]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R2 YahooAUService;Yahoo! Updater;c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe [11/9/2008 1:48 PM 602392]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1268bdfb-e22d-11dc-8a5d-001731474b5e}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b8b7314-3c5f-11de-9467-001731474b5e}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a
.
‘计划任务’ 文件夹里的内容

2009-03-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-05-02 c:\windows\Tasks\Avast! Quickscan.job
- c:\program files\Alwil Software\Avast4\ashQuick.exe [2007-08-07 21:04]

2009-05-17 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]
.
.
------- 而外的扫描 -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.onlineregister.com/sonic/cgi/switch.cgi?REFR=&LANG=EN
uInternet Settings,ProxyServer = <local>
uInternet Settings,ProxyOverride = <local>;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
DPF: RaptisoftGameLoader - hxxp://www.miniclip.com/games/hamsterball/en/raptisoftgameloader.cab
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\ku6vomdl.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Dictionary.com
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\ku6vomdl.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- 火狐配置文件 ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-17 10:16
Windows 5.1.2600 Service Pack 3 NTFS

扫描被隐藏的进程。。。

扫描被隐藏的启动组。。。

扫描被隐藏的文件。。。

扫描完成
被隐藏的档案: 0

**************************************************************************
.
--------------------- 运行进程下的动态链接库 ---------------------

- - - - - - - > 'explorer.exe'(3684)
c:\windows\SnoopFreeDll.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\progra~1\WINDOW~1\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
完成时间: 2009-05-17 10:22
ComboFix-quarantined-files.txt 2009-05-17 17:21
ComboFix2.txt 2009-05-16 02:57
ComboFix3.txt 2009-05-14 23:58
ComboFix4.txt 2009-05-14 23:26

Pre-Run: 157,155,565,568 bytes free
Post-Run: 157,205,966,848 bytes free

199 --- E O F --- 2009-05-16 04:32

And here's the MBAM scan results before restarting the computer to remove the malware:

Malwarebytes' Anti-Malware 1.36
Database version: 2145
Windows 5.1.2600 Service Pack 3

5/17/2009 10:33:32 AM
mbam-log-2009-05-17 (10-33-32).txt

Scan type: Quick Scan
Objects scanned: 81863
Time elapsed: 5 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Explorer1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Cookies\MM2048.DAT (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Cookies\MM256.DAT (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Cookies\bumo.reg (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Cookies\jababug.inf (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Cookies\uwux.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Cookies\jiceji._sy (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Cookies\esycire._dl (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Cookies\syssp.exe (Fake.Dropped.Malware) -> Delete on reboot.

sjb007 · 05-17-2009, 01:37 PM

Hi there

I am not seeing anything immediate in your logs, in this next log I want you to run an extra scanner tool. I do notice that you appear to have had Norton installed at one time. I would recommend that you run the norton removal tool to uninstall it fully. The norton removal tool can be found here - Norton Removal Tool

I also notice that you have McAfee site advisor installed. Although there is nothing malicious about this application, from my own experience I know it may slow your web browsing down. An alternative to Siteadvisor that you may wish to try is Web Of Trust (WOT). This can be found here - Web Of Trust

I see you have Viewpoint installed. Please read this article: http://www.clickz.com/news/article.php/3561546
Unless you are using AOL as an ISP I would recommend removing it. You can download the Viewpoint killer from the link below and follow the prompts.
http://www.prprogramsstudios.us.tc//

Download DrWeb CureIt & save it to your desktop. Scan with DrWeb-CureIt as follows:

* Double-click on drweb-cureit.exe and then click Start
* An information notice will appear, click OK.
* This starts a short scan that will scan the files currently running in memory.
* If you get a prompt to buy the full version just exit out of the window. The scanner will still work without buying the full version
* If or when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, Click Settings > Change Settings
* Under the Scanning tab UNcheck Heuristic analysis and click OK
* Back at the main window, select the Complete scan button and then click the Green Arrow Start Scanning button on the right and the scan will start.
* Click Yes to all if it asks if you want to cure/move any file(s).
* When the scan is done.
* In the Dr.Web CureIt menu on top left, click File and choose Save report list.
* Save the DrWeb.csv report to your Desktop.
* Exit Dr.Web Cureit.
* Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.

* After reboot, Right-click the Dr.Web log on the desktop and choose Open With > Notepad
* Copy and paste that log in the next reply

Keep me updated on how things are

vanishinghopes · 05-17-2009, 10:07 PM

Hello!

I'm not so sure if it was because of the scan, but my computer suddenly lagged really badly and then it stopped after about 5 minutes. Other than that, everything seems normal and okay. I think even startup might be a bit faster now.

Now for the DrWeb log...

RegUBP2b-Compaq_Owner.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
AOLCINST.EXE\core.cab\GTDOWNAO_106.ocx;C:\Program Files\Online Services\Aol\United States\AOL90\COMPS\COACH\AOLCINST.EXE;Adware.Gdown;;
AOLCINST.EXE;C:\Program Files\Online Services\Aol\United States\AOL90\COMPS\COACH;Archive contains infected objects;Moved.;
A0147396.reg;C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP1134;Trojan.StartPage.1505;Deleted.;
A0149096.reg;C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP1141;Trojan.StartPage.1505;Deleted.;
A0151266.reg;C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP1151;Trojan.StartPage.1505;Deleted.;
A0151277.EXE\core.cab\GTDOWNAO_106.ocx;C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP1151\A0151277.EXE;Adware.Gdown;;
A0151277.EXE;C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP1151;Archive contains infected objects;Moved.;

I know I said this a few times already, but BOY, thanks a WHOLE lot for replying so quickly and helping me out!

sjb007 · 05-18-2009, 09:08 AM

Hi there

Good to hear that things are returning back to normal, from your latest logs all seems clear. What was picked up by DRWeb is already in restore which we will flush out later in the fix. From looking back on your previous logs I notice that you have Windows XP Home edition running on 512Mb of ram. From this your system is averaging between 85 to 107Mb free. One thing I would advise is to cut back on the number of applications that are running on start up which will help conserve memory. If you wish to do so then I can recommend some items for removal for you in my next post. I would also consider adding more memory to your system which should boost your system with noticable results. I would also read this article here on system slowdowns and work though it and see what results you get from following the advice placed there > Is your PC running slow...?

Just a little bit of updating still to do...

Your Adobe Acrobat Reader is out of date. Older versions have vulnerabilities that malware can use to infect your system.
There is a newer version of Adobe Acrobat Reader available.

Please go to this link Adobe Acrobat Reader Download Link
Click Download
On the right Untick Adobe Phototshop Album Starter Edition if you do not wish to include this in the installation.
Click the Continue button
Click Run, and click Run again
Next click the Install Now button and follow the on screen prompts

When the installation is complete go to Add/Remove Programs and uninstall all previous versions.

You may also want to update Syware blaster, the latest version is 4.2

Once done post back and keep me updated on how things are

vanishinghopes · 05-19-2009, 06:42 PM

Hello

I updated some programs I noticed were outdated along with those that you recommended. It would also be great if you can recommend something to remove some startup programs! It's really annoying to wait 15 minutes every time I turn on the computer or restart it.

Thanks a lot!

vanishinghopes · 05-19-2009, 06:52 PM

Hello

I updated some programs I noticed were outdated along with those that you recommended. It would also be great if you can recommend something to remove some startup programs! It's really annoying to wait 15 minutes every time I turn on the computer or restart it.

Thanks a lot!

sjb007 · 05-23-2009, 02:57 AM

Hi there

All Appologies for any delays here, I missed your initial reply.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote:

Skipfix::

DDS::
mRun: [HP Software Update]
mRun: [ISUSPM Startup]
mRun: [ISUSScheduler]
mRun: [TkBellExe]
mRun: [Adobe Reader Speed Launcher]
mRun: [Sony Ericsson PC Suite]
mRun: [AppleSyncNotifier]
mRun: [QuickTime Task]
mRun: [iTunesHelper]

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

Let me know if things are running a little better now...

05-12-2009, 01:27 AM	#2 (permalink)
sjb007 Analyst, Security Team Join Date: Dec 2007 Location: Lincoln UK Posts: 2,276 OS: Windows 7 Premium x64 My System	Re: Possibly the beginning of an infected computer Hi there I'm Steve and I will be helping you thoughout this fix. Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. It is IMPORTANT that you don't miss a step. Please perform everything in the correct order/sequence. Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription Please note that the forum is very busy and if I don't hear from you within three days from this initial post then thread will be closed. Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate. Please stay with me until given the 'all clear' even if symptoms seemingly abate. It appears that you have two antivirus programs installed and running, Norton AntiVirus and Avast. While I understand the frustrations of malware this may seem like a good idea to improve protection, but they can actually have the opposite effect and conflict with one another and cause system instability or even system hangs. Please choose one to keep and uninstall the other via Add or Remove Programs in your Control Panel. You have evidence of an infostealer onboard. Infostealers, Backdoor Trojans and IRCBots are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information like passwords, personal and financial data which they send back to the hacker. Remote attackers use backdoor Trojans as part of an exploit to to gain unauthorized access to a computer and take control of it without your knowledge. If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. We need to disable your TeaTimer as it may interfere with the fixes that we need to make. 1) Run Spybot-S&D 2) Go to the Mode menu, and make sure "Advanced Mode" is selected 3) On the left hand side, choose Tools -> Resident 4) Uncheck "Resident TeaTimer" and OK any prompts 5) Restart your computer. Download ResetTeaTimer.bat by right-clicking on the link, and choosing Save As. * Save it to your Desktop. * Double-click ResetTeaTimer.zip * Double-click ResetTeaTimer.bat and click Run to remove all entries set by TeaTimer. After all of the fixes are complete it is very important that you enable TeaTimer again, I will let you know when it is safe to do so. A Tutorial for Tea Timer can be found here -> http://russelltexas.com/malware/teatimer.htm Please scan with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomputer.com/comb...o-use-combofix * Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Please include the C:\ComboFix.txt in your next reply for further review. __________________ If we have helped you then please consider donating Proud Member of ASAP & UNITE Since 2007

05-16-2009, 06:56 PM	#5 (permalink)
vanishinghopes Registered User Join Date: Oct 2006 Posts: 52 OS: WinXP	Re: Possibly the beginning of an infected computer Hello! I have the results (The scanning really did take quite a bit of time.) For Combofix: ComboFix 09-05-13.02 - Compaq_Owner 5/2009 Fri 19:50.3 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.936.86.1033.18.446.97 [GMT -7:00] 执行位置: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\CFScript.txt AV: avast! antivirus 4.8.1335 [VPS 090513-0] On-access scanning disabled (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D} AV: Norton Internet Security 2006 On-access scanning enabled (Updated) {E10A9785-9598-4754-B552-92431C1C35F8} FW: Norton Internet Security 2006 enabled {7C21A4C9-F61F-4AC4-B722-A6E19C16F220} FW: Norton Internet Worm Protection disabled {990F9400-4CEE-43EA-A83A-D013ADD8EA6E} FW: ZoneAlarm Firewall enabled {829BDA32-94B3-44F4-8446-F8FCFF809F8B} . ((((((((((((((((((((((((( 2009-04-16 至 2009-05-16 的新的档案 ))))))))))))))))))))))))))))))) . 2009-05-01 02:08 . 2009-05-02 19:33 -------- d-----w c:\program files\iPod 2009-05-01 02:08 . 2009-05-01 02:09 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906} 2009-05-01 02:03 . 2009-05-01 02:04 -------- d-----w c:\program files\QuickTime 2009-05-01 01:57 . 2009-03-26 22:23 1900544 ----a-w c:\windows\system32\usbaaplrc.dll 2009-05-01 01:34 . 2009-05-01 01:34 -------- d-----w c:\program files\Bonjour 2009-04-19 07:48 . 2009-04-19 07:48 -------- d-----w c:\documents and settings\Compaq_Owner\Application Data\Image Zone Express 2009-04-17 02:38 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll 2009-04-17 02:38 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll 2009-04-17 02:38 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe 2009-04-17 02:38 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll 2009-04-17 02:38 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe 2009-04-17 02:38 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll 2009-04-17 02:38 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll 2009-04-17 02:38 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll 2009-04-17 02:38 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll 2009-04-17 02:32 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll 2009-04-17 02:32 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe . (((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-05-10 01:57 . 2007-06-07 00:03 -------- d-----w c:\program files\Trillian 2009-05-07 05:34 . 2009-05-08 00:08 287744 ----a-w c:\windows\Internet Logs\xDBE.tmp 2009-05-05 01:27 . 2006-07-27 19:10 -------- d-----w c:\program files\Yahoo! 2009-05-01 02:09 . 2007-08-14 20:24 -------- d-----w c:\program files\iTunes 2009-05-01 02:08 . 2007-08-14 20:22 -------- d-----w c:\program files\Common Files\Apple 2009-04-24 05:24 . 2009-04-25 03:20 41984 ----a-w c:\windows\Internet Logs\xDBD.tmp 2009-04-23 05:28 . 2009-04-23 22:51 109056 ----a-w c:\windows\Internet Logs\xDBC.tmp 2009-04-19 16:18 . 2006-07-26 16:42 -------- d-----w c:\program files\Spybot - Search & Destroy 2009-04-18 06:56 . 2009-04-18 18:15 169472 ----a-w c:\windows\Internet Logs\xDBB.tmp 2009-04-09 16:35 . 2008-02-11 23:47 24466898 ----a-w c:\windows\Internet Logs\tvDebug.zip 2009-04-08 08:49 . 2009-04-08 16:39 489472 ----a-w c:\windows\Internet Logs\xDBA.tmp 2009-03-30 18:13 . 2007-08-07 20:03 4212 ---ha-w c:\windows\system32\zllictbl.dat 2009-03-26 22:23 . 2007-12-27 18:58 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys 2009-03-19 23:32 . 2008-01-29 19:01 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys 2009-03-18 22:49 . 2008-07-31 16:22 -------- d-----w c:\program files\McAfee 2009-03-17 22:48 . 2009-03-17 22:48 90590 ----a-w c:\windows\Internet Logs\zlclient_2nd_2009_03_16_21_52_23_small.dmp.zip 2009-03-06 14:22 . 2004-08-04 04:00 284160 ----a-w c:\windows\system32\pdh.dll 2009-03-05 05:26 . 2009-03-05 23:49 2718208 ----a-w c:\windows\Internet Logs\xDB9.tmp 2009-03-03 00:18 . 2004-08-04 04:00 826368 ----a-w c:\windows\system32\wininet.dll 2009-02-21 05:36 . 2009-02-21 05:36 85923 ----a-w c:\windows\Internet Logs\zlclient_2nd_2009_02_19_20_58_19_small.dmp.zip 2009-02-20 18:09 . 2004-08-04 04:00 78336 ----a-w c:\windows\system32\ieencode.dll 2009-02-16 07:10 . 2009-01-30 01:17 1221512 ----a-w c:\windows\system32\zpeng25.dll 2009-02-15 09:28 . 2009-02-15 17:06 2620416 ----a-w c:\windows\Internet Logs\xDB8.tmp 2006-02-24 16:50 . 2006-02-24 16:50 217 ----a-w c:\program files\setup.ini 2002-03-11 09:06 . 2002-03-11 09:06 1822520 ----a-w c:\program files\instmsiw.exe 2002-03-11 08:45 . 2002-03-11 08:45 1708856 ----a-w c:\program files\instmsia.exe 2005-05-14 01:12 . 2005-05-14 01:12 217073 --sha-r c:\windows\meta4.exe 2005-10-24 19:13 . 2005-10-24 19:13 66560 --sha-r c:\windows\MOTA113.exe 2006-11-11 05:56 . 2006-11-11 05:56 22 --sha-w c:\windows\SMINST\HPCD.sys 2005-07-14 20:31 . 2005-07-14 20:31 27648 --sha-r c:\windows\system32\AVSredirect.dll 2005-06-26 23:32 . 2005-06-26 23:32 616448 --sha-r c:\windows\system32\cygwin1.dll 2005-06-22 06:37 . 2005-06-22 06:37 45568 --sha-r c:\windows\system32\cygz.dll 2004-01-25 08:00 . 2004-01-25 08:00 70656 --sha-r c:\windows\system32\i420vfw.dll 2005-02-28 21:16 . 2005-02-28 21:16 240128 --sha-r c:\windows\system32\x.264.exe 2004-01-25 08:00 . 2004-01-25 08:00 70656 --sha-r c:\windows\system32\yv12vfw.dll . ((((((((((((((((((((((((((((( SnapShot@2009-05-14_23.21.05 ))))))))))))))))))))))))))))))))))))))))) . + 2009-05-16 02:09 . 2009-05-16 02:09 16384 c:\windows\Temp\Perflib_Perfdata_634.dat . ((((((((((((((((((((((((((((((((((((( 重要登入点 )))))))))))))))))))))))))))))))))))))))))))))))))) . . 注意空白与合法缺省登录将不会被显示 REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360] "Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-03 102400] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-03-31 68856] "Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-03-19 4363504] "Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-10 7311360] "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568] "HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856] "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152] "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952] "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392] "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168] "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-05-10 86016] "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184] "ISUSScheduler"="c:\progra~1\common~1\instal~1\update~1\issch.exe" [2004-07-27 81920] "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-05-10 180269] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792] "NewRecog"="c:\program files\HandWrite\MyNewRecog.exe" [2006-09-11 676352] "Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-03-28 593920] "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-26 177472] "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312] "YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856] "RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2006-03-08 16010240] "SnoopFreeUI"="SnoopFreeUI.exe" - c:\windows\SnoopFreeUI.exe [2006-10-30 221184] c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\ Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664] c:\documents and settings\All Users\Start Menu\Programs\Startup\ HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624] [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\AIM\\aim.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\AIM6\\aim6.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/3/2008 6:24 PM 114768] R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/3/2008 6:24 PM 20560] R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [7/31/2008 9:23 AM 210216] R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/27/2007 12:16 PM 24652] R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592] R2 YahooAUService;Yahoo! Updater;c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe [11/9/2008 1:48 PM 602392] S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J] \Shell\AutoRun\command - J:\LaunchU3.exe -a [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1268bdfb-e22d-11dc-8a5d-001731474b5e}] \Shell\AutoRun\command - J:\LaunchU3.exe -a [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b8b7314-3c5f-11de-9467-001731474b5e}] \Shell\AutoRun\command - J:\LaunchU3.exe -a . ‘计划任务’ 文件夹里的内容 2009-03-30 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34] 2009-05-02 c:\windows\Tasks\Avast! Quickscan.job - c:\program files\Alwil Software\Avast4\ashQuick.exe [2007-08-07 21:04] 2009-05-16 c:\windows\Tasks\MP Scheduled Scan.job - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20] . . ------- 而外的扫描 ------- . uStart Page = hxxp://www.google.com/ uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7 mStart Page = hxxp://www.yahoo.com/ mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/http://www.yahoo.com/ext/search/search.html uInternet Connection Wizard,ShellNext = hxxp://www.onlineregister.com/sonic/cgi/switch.cgi?REFR=&LANG=EN uInternet Settings,ProxyServer = <local> uInternet Settings,ProxyOverride = <local>;.local uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/http://www.yahoo.com IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 DPF: RaptisoftGameLoader - hxxp://www.miniclip.com/games/hamsterball/en/raptisoftgameloader.cab FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\ku6vomdl.default\ FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q= FF - prefs.js: browser.search.selectedEngine - Dictionary.com FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll FF - plugin: c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\ku6vomdl.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ---- 火狐配置文件 ---- FF - user.js: yahoo.homepage.dontask - true. *********************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-05-15 19:53 Windows 5.1.2600 Service Pack 3 NTFS 扫描被隐藏的进程。。。扫描被隐藏的启动组。。。扫描被隐藏的文件。。。 ************************************************************************ . --------------------- 运行进程下的动态链接库 --------------------- - - - - - - - > 'explorer.exe'(2836) c:\docume~1\COMPAQ~1\LOCALS~1\Temp\catchme.dll c:\windows\SnoopFreeDll.dll c:\program files\McAfee\SiteAdvisor\saHook.dll . 完成时间: 2009-05-16 19:57 ComboFix-quarantined-files.txt 2009-05-16 02:56 ComboFix2.txt 2009-05-14 23:58 ComboFix3.txt 2009-05-14 23:26 Pre-Run: 157,035,810,816 bytes free Post-Run: 157,019,193,344 bytes free 196 --- E O F --- 2009-05-13 03:06 For the Kaspersky scan results: -------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER 7.0 REPORT Saturday, May 16, 2009 Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600) Kaspersky Online Scanner version: 7.0.26.13 Program database last update: Saturday, May 16, 2009 07:08:25 Records in database: 2184586 -------------------------------------------------------------------------------- Scan settings: Scan using the following database: extended Scan archives: yes Scan mail databases: yes Scan area - My Computer: C:\ D:\ E:\ F:\ G:\ H:\ I:\ J:\ Scan statistics: Files scanned: 129569 Threat name: 3 Infected objects: 6 Suspicious objects: 0 Duration of the scan: 03:24:09 File name / Threat name / Threats count C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP1139\A0148994.exe Infected: Trojan-GameThief.Win32.Magania.bbhh 1 D:\I386\APPS\APP12927\src\CompaqPresario_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 2 D:\I386\APPS\APP12927\src\HPPavillion_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 2 J:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx Infected: Net-Worm.Win32.Kido.ih 1 The selected area was scanned. I hope it's something fixable. I'm so glad there are people out there who volunteers to help folks like me. Thanks a lot!

05-17-2009, 12:22 PM	#7 (permalink)
vanishinghopes Registered User Join Date: Oct 2006 Posts: 52 OS: WinXP	Re: Possibly the beginning of an infected computer Hiya, Things seems to be functioning and fine (though I did get a few error messages at startup after restarting the computer to remove the malware with MBAM.) I supposed there is some sort of improvement, but there's no significant difference in performance from what I'm seeing. Edit: When I opened My Computer, I don't see a J drive. That maybe have been a flash drive that was plugged in a while back. Also, I'm not sure if this is related but I remember plugging in my friend's flash drive a while back (a month ago?) and since then, Avast has been picking up viruses and trojans. Most recently, I plugged in a flash drive and Avast soon quarantined a couple of trojans about 5 minutes later. I don't have this drive anymore since it wasn't mine in the first place but maybe that may have contributed to my computer's situation? Here's the combofix results: ComboFix 09-05-13.02 - Compaq_Owner 7/2009 Sun 10:12.4 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.936.86.1033.18.446.107 [GMT -7:00] 执行位置: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\CFScript.txt AV: avast! antivirus 4.8.1335 [VPS 090516-0] On-access scanning enabled (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D} AV: Norton Internet Security 2006 On-access scanning enabled (Updated) {E10A9785-9598-4754-B552-92431C1C35F8} FW: Norton Internet Security 2006 enabled {7C21A4C9-F61F-4AC4-B722-A6E19C16F220} FW: Norton Internet Worm Protection disabled {990F9400-4CEE-43EA-A83A-D013ADD8EA6E} FW: ZoneAlarm Firewall enabled {829BDA32-94B3-44F4-8446-F8FCFF809F8B} FILE :: c:\windows\system32\olhrwef.exe . ((((((((((((((((((((((((( 2009-04-17 至 2009-05-17 的新的档案 ))))))))))))))))))))))))))))))) . 2009-05-16 04:19 . 2009-05-16 04:18 410984 ----a-w c:\windows\system32\deploytk.dll 2009-05-01 02:08 . 2009-05-02 19:33 -------- d-----w c:\program files\iPod 2009-05-01 02:08 . 2009-05-01 02:09 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906} 2009-05-01 02:03 . 2009-05-01 02:04 -------- d-----w c:\program files\QuickTime 2009-05-01 01:57 . 2009-03-26 22:23 1900544 ----a-w c:\windows\system32\usbaaplrc.dll 2009-05-01 01:34 . 2009-05-01 01:34 -------- d-----w c:\program files\Bonjour 2009-04-19 07:48 . 2009-04-19 07:48 -------- d-----w c:\documents and settings\Compaq_Owner\Application Data\Image Zone Express . (((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-05-16 04:18 . 2005-05-10 17:28 -------- d-----w c:\program files\Java 2009-05-16 04:02 . 2008-02-11 23:47 26364694 ----a-w c:\windows\Internet Logs\tvDebug.zip 2009-05-16 04:01 . 2009-05-16 04:02 140800 ----a-w c:\windows\Internet Logs\xDBF.tmp 2009-05-10 01:57 . 2007-06-07 00:03 -------- d-----w c:\program files\Trillian 2009-05-07 05:34 . 2009-05-08 00:08 287744 ----a-w c:\windows\Internet Logs\xDBE.tmp 2009-05-05 01:27 . 2006-07-27 19:10 -------- d-----w c:\program files\Yahoo! 2009-05-01 02:09 . 2007-08-14 20:24 -------- d-----w c:\program files\iTunes 2009-05-01 02:08 . 2007-08-14 20:22 -------- d-----w c:\program files\Common Files\Apple 2009-04-24 05:24 . 2009-04-25 03:20 41984 ----a-w c:\windows\Internet Logs\xDBD.tmp 2009-04-23 05:28 . 2009-04-23 22:51 109056 ----a-w c:\windows\Internet Logs\xDBC.tmp 2009-04-19 16:18 . 2006-07-26 16:42 -------- d-----w c:\program files\Spybot - Search & Destroy 2009-04-18 06:56 . 2009-04-18 18:15 169472 ----a-w c:\windows\Internet Logs\xDBB.tmp 2009-04-08 08:49 . 2009-04-08 16:39 489472 ----a-w c:\windows\Internet Logs\xDBA.tmp 2009-03-30 18:13 . 2007-08-07 20:03 4212 ---ha-w c:\windows\system32\zllictbl.dat 2009-03-26 22:23 . 2007-12-27 18:58 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys 2009-03-19 23:32 . 2008-01-29 19:01 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys 2009-03-18 22:49 . 2008-07-31 16:22 -------- d-----w c:\program files\McAfee 2009-03-17 22:48 . 2009-03-17 22:48 90590 ----a-w c:\windows\Internet Logs\zlclient_2nd_2009_03_16_21_52_23_small.dmp.zip 2009-03-06 14:22 . 2004-08-04 04:00 284160 ----a-w c:\windows\system32\pdh.dll 2009-03-05 05:26 . 2009-03-05 23:49 2718208 ----a-w c:\windows\Internet Logs\xDB9.tmp 2009-03-03 00:18 . 2004-08-04 04:00 826368 ----a-w c:\windows\system32\wininet.dll 2009-02-21 05:36 . 2009-02-21 05:36 85923 ----a-w c:\windows\Internet Logs\zlclient_2nd_2009_02_19_20_58_19_small.dmp.zip 2009-02-20 18:09 . 2004-08-04 04:00 78336 ----a-w c:\windows\system32\ieencode.dll 2006-02-24 16:50 . 2006-02-24 16:50 217 ----a-w c:\program files\setup.ini 2002-03-11 09:06 . 2002-03-11 09:06 1822520 ----a-w c:\program files\instmsiw.exe 2002-03-11 08:45 . 2002-03-11 08:45 1708856 ----a-w c:\program files\instmsia.exe 2005-05-14 01:12 . 2005-05-14 01:12 217073 --sha-r c:\windows\meta4.exe 2005-10-24 19:13 . 2005-10-24 19:13 66560 --sha-r c:\windows\MOTA113.exe 2006-11-11 05:56 . 2006-11-11 05:56 22 --sha-w c:\windows\SMINST\HPCD.sys 2005-07-14 20:31 . 2005-07-14 20:31 27648 --sha-r c:\windows\system32\AVSredirect.dll 2005-06-26 23:32 . 2005-06-26 23:32 616448 --sha-r c:\windows\system32\cygwin1.dll 2005-06-22 06:37 . 2005-06-22 06:37 45568 --sha-r c:\windows\system32\cygz.dll 2004-01-25 08:00 . 2004-01-25 08:00 70656 --sha-r c:\windows\system32\i420vfw.dll 2005-02-28 21:16 . 2005-02-28 21:16 240128 --sha-r c:\windows\system32\x.264.exe 2004-01-25 08:00 . 2004-01-25 08:00 70656 --sha-r c:\windows\system32\yv12vfw.dll . ((((((((((((((((((((((((((((( SnapShot@2009-05-14_23.21.05 ))))))))))))))))))))))))))))))))))))))))) . + 2009-05-17 00:32 . 2009-05-17 00:32 16384 c:\windows\Temp\Perflib_Perfdata_708.dat + 2009-05-17 15:59 . 2009-05-17 15:59 16384 c:\windows\Temp\Perflib_Perfdata_1f0.dat + 2009-05-16 04:19 . 2009-05-16 04:18 148888 c:\windows\system32\javaws.exe + 2009-05-16 04:19 . 2009-05-16 04:18 144792 c:\windows\system32\javaw.exe + 2009-05-16 04:19 . 2009-05-16 04:18 144792 c:\windows\system32\java.exe . ((((((((((((((((((((((((((((((((((((( 重要登入点 )))))))))))))))))))))))))))))))))))))))))))))))))) . . 注意空白与合法缺省登录将不会被显示 REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360] "Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-03 102400] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-03-31 68856] "Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-03-19 4363504] "Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-10 7311360] "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568] "HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856] "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152] "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952] "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392] "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168] "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-05-10 86016] "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184] "ISUSScheduler"="c:\progra~1\common~1\instal~1\update~1\issch.exe" [2004-07-27 81920] "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-05-10 180269] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792] "NewRecog"="c:\program files\HandWrite\MyNewRecog.exe" [2006-09-11 676352] "Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-03-28 593920] "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-26 177472] "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312] "YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-16 148888] "RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2006-03-08 16010240] "SnoopFreeUI"="SnoopFreeUI.exe" - c:\windows\SnoopFreeUI.exe [2006-10-30 221184] c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\ Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664] c:\documents and settings\All Users\Start Menu\Programs\Startup\ HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624] [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\AIM\\aim.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\AIM6\\aim6.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/3/2008 6:24 PM 114768] R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/3/2008 6:24 PM 20560] R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [7/31/2008 9:23 AM 210216] R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/27/2007 12:16 PM 24652] R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592] R2 YahooAUService;Yahoo! Updater;c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe [11/9/2008 1:48 PM 602392] S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J] \Shell\AutoRun\command - J:\LaunchU3.exe -a [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1268bdfb-e22d-11dc-8a5d-001731474b5e}] \Shell\AutoRun\command - J:\LaunchU3.exe -a [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b8b7314-3c5f-11de-9467-001731474b5e}] \Shell\AutoRun\command - J:\LaunchU3.exe -a . ‘计划任务’ 文件夹里的内容 2009-03-30 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34] 2009-05-02 c:\windows\Tasks\Avast! Quickscan.job - c:\program files\Alwil Software\Avast4\ashQuick.exe [2007-08-07 21:04] 2009-05-17 c:\windows\Tasks\MP Scheduled Scan.job - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20] . . ------- 而外的扫描 ------- . uStart Page = hxxp://www.google.com/ uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7 mStart Page = hxxp://www.yahoo.com/ mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/http://www.yahoo.com/ext/search/search.html uInternet Connection Wizard,ShellNext = hxxp://www.onlineregister.com/sonic/cgi/switch.cgi?REFR=&LANG=EN uInternet Settings,ProxyServer = <local> uInternet Settings,ProxyOverride = <local>;.local uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/http://www.yahoo.com IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 DPF: RaptisoftGameLoader - hxxp://www.miniclip.com/games/hamsterball/en/raptisoftgameloader.cab FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\ku6vomdl.default\ FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q= FF - prefs.js: browser.search.selectedEngine - Dictionary.com FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll FF - plugin: c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\ku6vomdl.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ---- 火狐配置文件 ---- FF - user.js: yahoo.homepage.dontask - true. *********************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-05-17 10:16 Windows 5.1.2600 Service Pack 3 NTFS 扫描被隐藏的进程。。。扫描被隐藏的启动组。。。扫描被隐藏的文件。。。扫描完成被隐藏的档案: 0 ************************************************************************ . --------------------- 运行进程下的动态链接库 --------------------- - - - - - - - > 'explorer.exe'(3684) c:\windows\SnoopFreeDll.dll c:\program files\McAfee\SiteAdvisor\saHook.dll c:\progra~1\WINDOW~1\wmpband.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . 完成时间: 2009-05-17 10:22 ComboFix-quarantined-files.txt 2009-05-17 17:21 ComboFix2.txt 2009-05-16 02:57 ComboFix3.txt 2009-05-14 23:58 ComboFix4.txt 2009-05-14 23:26 Pre-Run: 157,155,565,568 bytes free Post-Run: 157,205,966,848 bytes free 199 --- E O F --- 2009-05-16 04:32 And here's the MBAM scan results before restarting the computer to remove the malware: Malwarebytes' Anti-Malware 1.36 Database version: 2145 Windows 5.1.2600 Service Pack 3 5/17/2009 10:33:32 AM mbam-log-2009-05-17 (10-33-32).txt Scan type: Quick Scan Objects scanned: 81863 Time elapsed: 5 minute(s), 17 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 9 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\Explorer1.exe (Trojan.Agent) -> Quarantined and deleted successfully. C:\Documents and Settings\NetworkService\Cookies\MM2048.DAT (Trojan.Agent) -> Delete on reboot. C:\Documents and Settings\NetworkService\Cookies\MM256.DAT (Trojan.Agent) -> Delete on reboot. C:\Documents and Settings\NetworkService\Cookies\bumo.reg (Fake.Dropped.Malware) -> Delete on reboot. C:\Documents and Settings\NetworkService\Cookies\jababug.inf (Fake.Dropped.Malware) -> Delete on reboot. C:\Documents and Settings\NetworkService\Cookies\uwux.exe (Fake.Dropped.Malware) -> Delete on reboot. C:\Documents and Settings\NetworkService\Cookies\jiceji._sy (Fake.Dropped.Malware) -> Delete on reboot. C:\Documents and Settings\NetworkService\Cookies\esycire._dl (Fake.Dropped.Malware) -> Delete on reboot. C:\Documents and Settings\NetworkService\Cookies\syssp.exe (Fake.Dropped.Malware) -> Delete on reboot. Last edited by vanishinghopes; 05-17-2009 at 12:28 PM.

05-17-2009, 01:37 PM	#8 (permalink)
sjb007 Analyst, Security Team Join Date: Dec 2007 Location: Lincoln UK Posts: 2,276 OS: Windows 7 Premium x64 My System	Re: Possibly the beginning of an infected computer Hi there I am not seeing anything immediate in your logs, in this next log I want you to run an extra scanner tool. I do notice that you appear to have had Norton installed at one time. I would recommend that you run the norton removal tool to uninstall it fully. The norton removal tool can be found here - Norton Removal Tool I also notice that you have McAfee site advisor installed. Although there is nothing malicious about this application, from my own experience I know it may slow your web browsing down. An alternative to Siteadvisor that you may wish to try is Web Of Trust (WOT). This can be found here - Web Of Trust I see you have Viewpoint installed. Please read this article: http://www.clickz.com/news/article.php/3561546 Unless you are using AOL as an ISP I would recommend removing it. You can download the Viewpoint killer from the link below and follow the prompts. http://www.prprogramsstudios.us.tc// Download DrWeb CureIt & save it to your desktop. Scan with DrWeb-CureIt as follows: * Double-click on drweb-cureit.exe and then click Start * An information notice will appear, click OK. * This starts a short scan that will scan the files currently running in memory. * If you get a prompt to buy the full version just exit out of the window. The scanner will still work without buying the full version * If or when something is found, click the Yes button when it asks you if you want to cure it. * Once the short scan has finished, Click Settings > Change Settings * Under the Scanning tab UNcheck Heuristic analysis and click OK * Back at the main window, select the Complete scan button and then click the Green Arrow Start Scanning button on the right and the scan will start. * Click Yes to all if it asks if you want to cure/move any file(s). * When the scan is done. * In the Dr.Web CureIt menu on top left, click File and choose Save report list. * Save the DrWeb.csv report to your Desktop. * Exit Dr.Web Cureit. * Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot. * After reboot, Right-click the Dr.Web log on the desktop and choose Open With > Notepad * Copy and paste that log in the next reply Keep me updated on how things are __________________ If we have helped you then please consider donating Proud Member of ASAP & UNITE Since 2007

05-17-2009, 10:07 PM	#9 (permalink)
vanishinghopes Registered User Join Date: Oct 2006 Posts: 52 OS: WinXP	Re: Possibly the beginning of an infected computer Hello! I'm not so sure if it was because of the scan, but my computer suddenly lagged really badly and then it stopped after about 5 minutes. Other than that, everything seems normal and okay. I think even startup might be a bit faster now. Now for the DrWeb log... RegUBP2b-Compaq_Owner.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.; AOLCINST.EXE\core.cab\GTDOWNAO_106.ocx;C:\Program Files\Online Services\Aol\United States\AOL90\COMPS\COACH\AOLCINST.EXE;Adware.Gdown;; AOLCINST.EXE;C:\Program Files\Online Services\Aol\United States\AOL90\COMPS\COACH;Archive contains infected objects;Moved.; A0147396.reg;C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP1134;Trojan.StartPage.1505;Deleted.; A0149096.reg;C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP1141;Trojan.StartPage.1505;Deleted.; A0151266.reg;C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP1151;Trojan.StartPage.1505;Deleted.; A0151277.EXE\core.cab\GTDOWNAO_106.ocx;C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP1151\A0151277.EXE;Adware.Gdown;; A0151277.EXE;C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP1151;Archive contains infected objects;Moved.; I know I said this a few times already, but BOY, thanks a WHOLE lot for replying so quickly and helping me out!

05-18-2009, 09:08 AM	#10 (permalink)
sjb007 Analyst, Security Team Join Date: Dec 2007 Location: Lincoln UK Posts: 2,276 OS: Windows 7 Premium x64 My System	Re: Possibly the beginning of an infected computer Hi there Good to hear that things are returning back to normal, from your latest logs all seems clear. What was picked up by DRWeb is already in restore which we will flush out later in the fix. From looking back on your previous logs I notice that you have Windows XP Home edition running on 512Mb of ram. From this your system is averaging between 85 to 107Mb free. One thing I would advise is to cut back on the number of applications that are running on start up which will help conserve memory. If you wish to do so then I can recommend some items for removal for you in my next post. I would also consider adding more memory to your system which should boost your system with noticable results. I would also read this article here on system slowdowns and work though it and see what results you get from following the advice placed there > Is your PC running slow...? Just a little bit of updating still to do... Your Adobe Acrobat Reader is out of date. Older versions have vulnerabilities that malware can use to infect your system. There is a newer version of Adobe Acrobat Reader available. Please go to this link Adobe Acrobat Reader Download Link Click Download On the right Untick Adobe Phototshop Album Starter Edition if you do not wish to include this in the installation. Click the Continue button Click Run, and click Run again Next click the Install Now button and follow the on screen prompts When the installation is complete go to Add/Remove Programs and uninstall all previous versions. You may also want to update Syware blaster, the latest version is 4.2 Once done post back and keep me updated on how things are __________________ If we have helped you then please consider donating Proud Member of ASAP & UNITE Since 2007

05-19-2009, 06:42 PM	#11 (permalink)
vanishinghopes Registered User Join Date: Oct 2006 Posts: 52 OS: WinXP	Re: Possibly the beginning of an infected computer Hello I updated some programs I noticed were outdated along with those that you recommended. It would also be great if you can recommend something to remove some startup programs! It's really annoying to wait 15 minutes every time I turn on the computer or restart it. Thanks a lot!

05-19-2009, 06:52 PM	#12 (permalink)
vanishinghopes Registered User Join Date: Oct 2006 Posts: 52 OS: WinXP	Re: Possibly the beginning of an infected computer Hello I updated some programs I noticed were outdated along with those that you recommended. It would also be great if you can recommend something to remove some startup programs! It's really annoying to wait 15 minutes every time I turn on the computer or restart it. Thanks a lot!