Discussion Starter · #1 · (Edited)
Hello,

I need some help. The problem I'm currently having is that a suspicious piece of software called AKM Antivirus 2010 Pro somehow got installed on my computer automatically... it stops everything on the computer from starting up and running... I tried Add or Remove Programs and it pops up an alert saying it's infected... I've tried HijackThis and tried to produce a log, but it couldn't start. I've also tried ComboFix and it couldn't run either; I even tried saving ComboFix, renaming it to Combo-Fix and running it from there, and it still couldn't get going.

The only thing I could get going is RSIT, which I ran in safe mode and which produced the following logs; please take a look at the two logs I pasted. I tried ComboFix in safe mode, but it couldn't run...

I'm kind of running out of options, so please help me and let me know what I need to do now...

Thanks much!!


Info:

info.txt logfile of random's system information tool 1.04 2010-05-08 14:51:25

======Uninstall list======

-->C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
-->MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
7-Zip 4.65-->"C:\Program Files\7-Zip\Uninstall.exe"
AC3Filter (remove only)-->C:\Program Files\AC3Filter\uninstall.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop 7.0-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
Adobe Reader 8.1.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player-->C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
AFPL Ghostscript 8.54-->C:\Program Files\gs\uninstgs.exe "C:\Program Files\gs\gs8.54\uninstal.txt"
AFPL Ghostscript Fonts-->C:\Program Files\gs\uninstgs.exe "C:\Program Files\gs\fonts\uninstal.txt"
AviSynth 2.5-->"C:\Program Files\Pure Codec\AviSynth 2.5\Uninstall.exe"
BroadJump Client Foundation-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\BroadJump\Client Foundation\Uninst.isu" -c"C:\Program Files\BroadJump\Client Foundation\RmvBJCFD.dll" -b"CFD" -h"CFD" -a
Brother MFL-Pro Suite MFC-255CW-->"C:\Program Files\InstallShield Installation Information\{6BF66AED-3EA4-4106-B240-5CE96C9B76B0}\Setup.exe" -runfromtemp -l0x0009 UNINSTALL Reg=BH9e_C1 -removeonly
Codec Pack - All In 1 6.0.0.0-->C:\WINDOWS\iun6002.exe "C:\Program Files\Codec Pack - All In 1\irunin.ini"
CopyToDVD 3.0.56-->"C:\Program Files\VSO\unins000.exe"
Dell Resource CD-->MsiExec.exe /X{42929F0F-CE14-47AF-9FC7-FF297A603021}
DVD Decrypter (Remove Only)-->"C:\Program Files\DVD Decrypter\uninstall.exe"
DVD Shrink 3.2-->"C:\Program Files\DVD Shrink\unins000.exe"
EA?SPORTS? NBA?LIVE?08-->MsiExec.exe /X{39C8EFBA-042B-11DC-A860-0EE955D89593}
FlashGet(JetCar)-->C:\PROGRA~1\FlashGet\UNWISE.EXE C:\PROGRA~1\FlashGet\INSTALL.LOG
Foxit PDF Editor-->C:\Program Files\Foxit Software\PDF Editor\uninstall.exe
Google Gmail Notifier-->"C:\Program Files\Google\Gmail Notifier\UninstallGmail.exe"
High Definition Audio Driver Package - KB888111-->"C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB970653-v3)-->"C:\WINDOWS\$NtUninstallKB970653-v3$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB976098-v2)-->"C:\WINDOWS\$NtUninstallKB976098-v2$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB979306)-->"C:\WINDOWS\$NtUninstallKB979306$\spuninst\spuninst.exe"
Intel(R) Graphics Media Accelerator Driver-->C:\WINDOWS\system32\igxpun.exe -uninstall
Intel(R) PRO Network Connections 12.1.12.0-->MsiExec.exe /i{777CA40C-0206-4EF6-A0FC-618BF06BF8D0} ARPREMOVE=1
IrfanView (remove only)-->C:\Program Files\IrfanView\iv_uninstall.exe
Java(TM) 6 Update 13-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}
Java(TM) 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java(TM) 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
JDownloader-->C:\JDownloader\uninstall.exe
LogMeIn-->MsiExec.exe /I{7E7658A2-CD3F-48A7-93EA-0882BCA4FD2A}
Maxthon Browser (remove only)-->C:\Program Files\Maxthon\MaxthonUINST.exe
Mega Manager-->C:\Program Files\InstallShield Installation Information\{3B6E3FC6-274C-4B6C-BC85-5C3B15DE18E2}\setup.exe -runfromtemp -l0x0009 -removeonly
Megaupload Toolbar-->C:\Program Files\MegauploadToolbar\uninstall.exe
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office 2003 Web Components-->MsiExec.exe /I{90A40409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{20110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office XP Professional with FrontPage-->MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft SQL Server 2005 Backward compatibility-->MsiExec.exe /I{96327C3C-96BE-4C7A-A6F7-A71635E5949A}
Microsoft SQL Server 2005 Tools-->MsiExec.exe /I{4D2DFB70-AECB-47BF-A895-3B3AA544934F}
Microsoft SQL Server 2005-->"C:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\ARPWrapper.exe" /Remove
Microsoft SQL Server Native Client-->MsiExec.exe /I{BF251EAF-8697-4E89-BF09-C998F97BBC40}
Microsoft SQL Server Setup Support Files (English)-->MsiExec.exe /X{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual Studio 2005 Premier Partner Edition - ENU-->MsiExec.exe /I{C25EF637-BE7A-4761-9B45-9069989C319F}
Mozilla Firefox (3.6.3)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}
MSXML 6.0 Parser-->MsiExec.exe /I{AEB9948B-4FF2-47C9-990E-47014492A0FE}
Nero Suite-->C:\Program Files\Common Files\Nero\Uninstall\setup.exe /uninstall ExtraUninstallID=""
PaperPort Image Printer-->MsiExec.exe /X{2BC2781A-F7F6-452E-95EB-018A522F1B2C}
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -l0x9 -cluninstall
PowerISO 3.9-->"C:\Program Files\PowerISO\unins000.exe"
Pure Codec-->C:\Program Files\Pure Codec\uninst.exe
RaySource 2.1.10.8192-->C:\Program Files\RaySource\uninst.exe
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\setup.exe" -l0x804 -removeonly
ScanSoft PaperPort 11-->MsiExec.exe /I{02570AE0-BEE0-4A6C-BE3F-D806E9F2EA17}
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB939653)-->"C:\WINDOWS\ie7updates\KB939653-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB969897)-->"C:\WINDOWS\ie7updates\KB969897-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB978207)-->"C:\WINDOWS\ie7updates\KB978207-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB954155)-->"C:\WINDOWS\$NtUninstallKB954155_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB968816)-->"C:\WINDOWS\$NtUninstallKB968816_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB979402)-->"C:\WINDOWS\$NtUninstallKB979402_WM9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956744)-->"C:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956844)-->"C:\WINDOWS\$NtUninstallKB956844$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958869)-->"C:\WINDOWS\$NtUninstallKB958869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371)-->"C:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969059)-->"C:\WINDOWS\$NtUninstallKB969059$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969947)-->"C:\WINDOWS\$NtUninstallKB969947$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970430)-->"C:\WINDOWS\$NtUninstallKB970430$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971468)-->"C:\WINDOWS\$NtUninstallKB971468$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971486)-->"C:\WINDOWS\$NtUninstallKB971486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971557)-->"C:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971961)-->"C:\WINDOWS\$NtUninstallKB971961$\spuninst\spuninst.exe"
Security Update for Windows XP (KB972270)-->"C:\WINDOWS\$NtUninstallKB972270$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973525)-->"C:\WINDOWS\$NtUninstallKB973525$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973904)-->"C:\WINDOWS\$NtUninstallKB973904$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974112)-->"C:\WINDOWS\$NtUninstallKB974112$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974318)-->"C:\WINDOWS\$NtUninstallKB974318$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974392)-->"C:\WINDOWS\$NtUninstallKB974392$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974571)-->"C:\WINDOWS\$NtUninstallKB974571$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975025)-->"C:\WINDOWS\$NtUninstallKB975025$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975467)-->"C:\WINDOWS\$NtUninstallKB975467$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975560)-->"C:\WINDOWS\$NtUninstallKB975560$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975561)-->"C:\WINDOWS\$NtUninstallKB975561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975713)-->"C:\WINDOWS\$NtUninstallKB975713$\spuninst\spuninst.exe"
Security Update for Windows XP (KB977165)-->"C:\WINDOWS\$NtUninstallKB977165$\spuninst\spuninst.exe"
Security Update for Windows XP (KB977816)-->"C:\WINDOWS\$NtUninstallKB977816$\spuninst\spuninst.exe"
Security Update for Windows XP (KB977914)-->"C:\WINDOWS\$NtUninstallKB977914$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978037)-->"C:\WINDOWS\$NtUninstallKB978037$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978251)-->"C:\WINDOWS\$NtUninstallKB978251$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978262)-->"C:\WINDOWS\$NtUninstallKB978262$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978338)-->"C:\WINDOWS\$NtUninstallKB978338$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978601)-->"C:\WINDOWS\$NtUninstallKB978601$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978706)-->"C:\WINDOWS\$NtUninstallKB978706$\spuninst\spuninst.exe"
Security Update for Windows XP (KB979309)-->"C:\WINDOWS\$NtUninstallKB979309$\spuninst\spuninst.exe"
Security Update for Windows XP (KB979683)-->"C:\WINDOWS\$NtUninstallKB979683$\spuninst\spuninst.exe"
Security Update for Windows XP (KB980232)-->"C:\WINDOWS\$NtUninstallKB980232$\spuninst\spuninst.exe"
Security Update for Windows XP (KB981349)-->"C:\WINDOWS\$NtUninstallKB981349$\spuninst\spuninst.exe"
SopCast 3.0.1-->C:\Program Files\SopCast\uninst.exe
Sothink SWF Decompiler-->"C:\Program Files\SourceTec\Sothink SWF Decompiler\unins000.exe"
SQLXML4-->MsiExec.exe /I{8C62A94B-4AB6-485F-A111-93056684D340}
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Update for Windows Internet Explorer 7 (KB980182)-->"C:\WINDOWS\ie7updates\KB980182-IE7\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955759)-->"C:\WINDOWS\$NtUninstallKB955759$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Update for Windows XP (KB968389)-->"C:\WINDOWS\$NtUninstallKB968389$\spuninst\spuninst.exe"
Update for Windows XP (KB971737)-->"C:\WINDOWS\$NtUninstallKB971737$\spuninst\spuninst.exe"
Update for Windows XP (KB973687)-->"C:\WINDOWS\$NtUninstallKB973687$\spuninst\spuninst.exe"
Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
Windows Live installer-->MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger-->MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant-->MsiExec.exe /I{9422C8EA-B0C6-4197-B8FC-DC797658CA00}
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
大智慧 Ver6.0版-->"C:\Documents and Settings\Phoenitiques\Desktop\dzh2\unins000.exe"
大智慧新一代 Ver3.1版-->c:\dzh2\unins000.exe
支付宝插件 1.2.0.2-->"C:\Program Files\Mozilla Firefox\plugins\unins000.exe"
西南证券大智慧-->"C:\dzh\uninstall.exe"

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"lib"=C:\Program Files\SQLXML 4.0\bin\
"NUMBER_OF_PROCESSORS"=1
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\wbem;C:\Program Files\Intel\DMIX;C:\Program Files\Microsoft SQL Server\80\Tools\Binn;C:\Program Files\Microsoft SQL Server\90\Tools\binn;C:\Program Files\Microsoft SQL Server\90\DTS\Binn;C:\Program Files\Microsoft SQL Server\90\Tools\Binn\VSShell\Common7\IDE;C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies;C:\Program Files\gs\gs8.54\bin;
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 22 Stepping 1, GenuineIntel
"PROCESSOR_LEVEL"=6
"PROCESSOR_REVISION"=1601
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"windir"=%SystemRoot%
"SAFEBOOT_OPTION"=MINIMAL

-----------------EOF-----------------



Log:
Logfile of random's system information tool 1.04 (written by random/random)
Run by Phoenitiques at 2010-05-08 14:51:18
Microsoft Windows XP Professional Service Pack 3
System drive C: has 3 GB (4%) free of 76 GB
Total RAM: 1013 MB (78% free)

HijackThis download failed

======Scheduled tasks folder======

C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-343818398-2049760794-839522115-1003Core.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-343818398-2049760794-839522115-1003UA.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01443AEC-0FD1-40fd-9C87-E93D1494C233}]
ThunderAtOnce Class - C:\Thunder5.7.6.426-Lite-Final\ComDlls\TDAtOnce_Now.dll [2007-12-10 366032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-23 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}]
Megaupload Toolbar - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL [2007-07-31 1933256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77DC0Baa-3235-4ba9-8BE8-aa9EB678FA02}]
ADC PlugIn - C:\Program Files\adc32.dll [2010-05-08 983040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{889D2FEB-5411-4565-8998-1DD2C5261283}]
Thunder Browser Helper - C:\Thunder5.7.6.426-Lite-Final\ComDlls\xunleiBHO_Now.dll [2007-12-17 169424]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-02-17 408440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5366673-E8CA-11D3-9CD9-0090271D075B}]
IeCatch2 Class - C:\PROGRA~1\FlashGet\jccatch.dll [2002-01-16 65536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0}]
FlashGetBHO - C:\Documents and Settings\Phoenitiques\Desktop\FlashGet 3\FlashGetBHO3.dll [2009-06-04 353792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-03-09 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{E0E899AB-F487-11D5-8D29-0050BA6940E3} - FlashGet Bar - C:\PROGRA~1\FlashGet\fgiebar.dll [2002-03-18 86016]
{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - Megaupload Toolbar - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL [2007-07-31 1933256]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2007-04-16 142104]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2007-04-16 162584]
"Persistence"=C:\WINDOWS\system32\igfxpers.exe [2007-04-16 138008]
"PDVDDXSrv"=C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe [2007-09-17 124200]
"LogMeIn GUI"=C:\Program Files\LogMeIn\x86\LogMeInSystray.exe [2007-08-03 63048]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"=C:\Program Files\Google\Gmail Notifier\gnotify.exe [2005-07-15 479232]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2007-04-26 16132608]
"BJCFD"=C:\Program Files\BroadJump\Client Foundation\CFD.exe [2002-09-10 368706]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]
"Grid Service"=C:\Program Files\GridService\peer.exe [2008-07-13 3375104]
"SSBkgdUpdate"=C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe [2006-10-25 210472]
"PaperPort PTD"=C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe [2008-07-10 29984]
"IndexSearch"=C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe [2008-07-10 46368]
"PPort11reminder"=C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe [2007-08-31 328992]
"BrMfcWnd"=C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe [2009-01-19 1150976]
"ControlCenter3"=C:\Program Files\Brother\ControlCenter3\brctrcen.exe [2009-01-09 114688]
"ncwowust"=C:\Documents and Settings\Phoenitiques\Local Settings\Application Data\kihmxhceu\cheotpmtssd.exe [2010-04-26 270848]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"=C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe [2007-10-18 5724184]
"Google Update"=C:\Documents and Settings\Phoenitiques\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 133104]
"ncwowust"=C:\Documents and Settings\Phoenitiques\Local Settings\Application Data\kihmxhceu\cheotpmtssd.exe [2010-04-26 270848]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Microsoft Office.lnk - C:\Program Files\MSXP\Office10\OSA.EXE

C:\Documents and Settings\Phoenitiques\Start Menu\Programs\Startup
ntuser_mssec.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2007-04-16 204800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LMIinit]
C:\WINDOWS\system32\LMIinit.dll [2009-10-20 87352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 239496]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDrives"=0
"NoDriveAutoRun"=67108863

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"
"C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe"="C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe:*:Enabled:CyberLink PowerDVD DX"
"C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe:*:Enabled:CyberLink PowerDVD DX Resident Program"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:mad:xpsp3res.dll,-20000"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
"C:\dzh\internet\hypwise.exe"="C:\dzh\internet\hypwise.exe:*:Enabled:Hypwise Microsoft ???¨????????¨???§?§??¨???§?§??¨??|??¨???3??¨??D??¨???"
"C:\Program Files\SopCast\adv\SopAdver.exe"="C:\Program Files\SopCast\adv\SopAdver.exe:*:Enabled:SopCast Adver"
"C:\Program Files\SopCast\SopCast.exe"="C:\Program Files\SopCast\SopCast.exe:*:Enabled:SopCast Main Application"
"C:\Program Files\GridService\peer.exe"="C:\Program Files\GridService\peer.exe:*:Enabled:muse peer"
"C:\Thunder5.7.6.426-Lite-Final\Program\Thunder5.exe"="C:\Thunder5.7.6.426-Lite-Final\Program\Thunder5.exe:*:Enabled:Thunder"
"C:\Program Files\Maxthon\Maxthon.exe"="C:\Program Files\Maxthon\Maxthon.exe:*:Enabled:Maxthon Web Browser"
"C:\Program Files\Java\jre6\launch4j-tmp\frd.exe"="C:\Program Files\Java\jre6\launch4j-tmp\frd.exe:*:Enabled:Java(TM) Platform SE binary"
"C:\Program Files\QQ2009\Bin\QQ.exe"="C:\Program Files\QQ2009\Bin\QQ.exe:*:Enabled:QQ2009"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\Documents and Settings\Phoenitiques\Desktop\dzh2\dzh2.exe"="C:\Documents and Settings\Phoenitiques\Desktop\dzh2\dzh2.exe:*:Enabled:DZH"
"C:\Documents and Settings\Phoenitiques\Desktop\FlashGet 3\Flashget3.exe"="C:\Documents and Settings\Phoenitiques\Desktop\FlashGet 3\Flashget3.exe:*:Enabled:FlashGet3"
"C:\Program Files\Java\jre6\bin\javaw.exe"="C:\Program Files\Java\jre6\bin\javaw.exe:*:Enabled:Java(TM) Platform SE binary"
"C:\Documents and Settings\Phoenitiques\Desktop\eMule_0.48a_VeryCD_Build_071128_Final_\eMule\emule.exe"="C:\Documents and Settings\Phoenitiques\Desktop\eMule_0.48a_VeryCD_Build_071128_Final_\eMule\emule.exe:*:Enabled:eMule"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:mad:xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{272884aa-a5c8-11dc-9018-001d097c4cf0}]
shell\AutoRun\command - E:\LaunchU3.exe -a


======File associations======

.exe - open - C:\Program Files\alggui.exe "%1" %*
.ini - open - C:\WINDOWS\System32\NOTEPAD.EXE %1
.txt - open - C:\WINDOWS\notepad.exe %1

======List of files/folders created in the last 1 months======

2010-05-08 14:51:19 ----D---- C:\Program Files\trend micro
2010-05-08 14:51:18 ----D---- C:\rsit
2010-05-08 14:36:20 ----D---- C:\Program Files\scdata
2010-05-08 14:20:52 ----D---- C:\AKM Antivirus 2010 Pro
2010-05-08 14:20:45 ----A---- C:\Program Files\alggui.exe
2010-05-08 14:20:45 ----A---- C:\Program Files\adc32.dll
2010-05-08 14:20:37 ----A---- C:\Program Files\svchost.exe
2010-05-08 14:20:29 ----D---- C:\Program Files\AKM Antivirus 2010 Pro
2010-04-17 17:42:04 ----D---- C:\Documents and Settings\All Users\Application Data\Lingoes
2010-04-15 03:04:05 ----HDC---- C:\WINDOWS\$NtUninstallKB979683$
2010-04-15 03:03:56 ----HDC---- C:\WINDOWS\$NtUninstallKB980232$
2010-04-15 03:03:45 ----HDC---- C:\WINDOWS\$NtUninstallKB979402_WM9$
2010-04-15 03:01:21 ----HDC---- C:\WINDOWS\$NtUninstallKB981349$
2010-04-15 03:01:14 ----HDC---- C:\WINDOWS\$NtUninstallKB978338$
2010-04-15 03:01:05 ----HDC---- C:\WINDOWS\$NtUninstallKB977816$
2010-04-14 03:01:32 ----HDC---- C:\WINDOWS\$NtUninstallKB978601$
2010-04-14 03:01:22 ----HDC---- C:\WINDOWS\$NtUninstallKB979309$

======List of files/folders modified in the last 1 months======

2010-05-08 14:51:19 ----RD---- C:\Program Files
2010-05-08 14:51:19 ----A---- C:\WINDOWS\ntbtlog.txt
2010-05-08 14:45:01 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-05-08 14:43:23 ----D---- C:\WINDOWS\temp
2010-05-08 14:36:20 ----D---- C:\WINDOWS\Prefetch
2010-05-08 14:33:26 ----D---- C:\WINDOWS\system32
2010-05-08 14:33:26 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2010-05-08 14:29:42 ----D---- C:\WINDOWS\system32\CatRoot2
2010-05-08 14:21:33 ----D---- C:\Program Files\Mozilla Firefox
2010-05-08 01:27:50 ----D---- C:\Program Files\LogMeIn
2010-05-07 15:04:41 ----D---- C:\MDT
2010-05-02 23:39:46 ----D---- C:\Documents and Settings\Phoenitiques\Application Data\uTorrent
2010-04-23 03:59:48 ----D---- C:\TDDOWNLOAD
2010-04-22 21:12:38 ----A---- C:\WINDOWS\NeroDigital.ini
2010-04-20 22:04:14 ----D---- C:\WINDOWS
2010-04-17 17:42:04 ----D---- C:\Documents and Settings\Phoenitiques\Application Data\Lingoes
2010-04-15 03:04:12 ----HD---- C:\WINDOWS\inf
2010-04-15 03:04:09 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-04-15 03:04:02 ----HD---- C:\WINDOWS\$hf_mig$
2010-04-15 03:04:00 ----A---- C:\WINDOWS\imsins.BAK
2010-04-15 03:03:58 ----D---- C:\WINDOWS\system32\drivers
2010-04-13 22:45:22 ----D---- C:\Downloads

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R3 Alidevice;Alidevice; C:\WINDOWS\system32\drivers\Alidevice.sys [2008-07-13 6656]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-04 12160]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
S1 SCDEmu;SCDEmu; C:\WINDOWS\system32\drivers\SCDEmu.sys [2008-01-20 33292]
S2 LMIInfo;LogMeIn Kernel Information Provider; \??\C:\Program Files\LogMeIn\x86\RaInfo.sys []
S2 LMIRfsDriver;LogMeIn Remote File System Driver; \??\C:\WINDOWS\system32\drivers\LMIRfsDriver.sys []
S3 aktb3phw;aktb3phw; C:\WINDOWS\system32\drivers\aktb3phw.sys []
S3 azpkl8in;azpkl8in; C:\WINDOWS\system32\drivers\azpkl8in.sys []
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 e1express;Intel(R) PRO/1000 PCI Express Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e1e5132.sys [2007-04-13 254872]
S3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\igxpmp32.sys [2007-04-16 5760096]
S3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2007-05-02 4403712]
S3 klim5;Kaspersky Anti-Virus NDIS Filter; C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-04-30 24592]
S3 lmimirr;lmimirr; C:\WINDOWS\system32\DRIVERS\lmimirr.sys [2007-08-03 10144]
S3 Pcouffin;Low level access layer for CD devices; C:\WINDOWS\System32\Drivers\Pcouffin.sys [2008-05-31 39488]
S3 PRISM_A02;D-Link Wireless 802.11b/g Driver (USB); C:\WINDOWS\system32\DRIVERS\PRISMA02.sys [2004-08-05 381312]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 StillCam;Still Serial Digital Camera Driver; C:\WINDOWS\system32\DRIVERS\serscan.sys [2001-08-17 6784]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 LMIRfsClientNP;LMIRfsClientNP; C:\WINDOWS\system32\drivers\LMIRfsClientNP.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

S2 AdbUpd;Adobe Update Service; C:\Program Files\svchost.exe [2010-05-08 28160]
S2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-03-09 152984]
S2 LMIMaint;LogMeIn Maintenance Service; C:\Program Files\LogMeIn\x86\RaMaint.exe [2009-10-20 116032]
S2 LogMeIn;LogMeIn; C:\Program Files\LogMeIn\x86\LogMeIn.exe [2007-08-03 63040]
S2 StarWindServiceAE;StarWind AE Service; C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe [2007-05-28 275968]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]
S4 msvsmon80;Visual Studio 2005 Remote Debugger; C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 2799808]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------
 

Discussion Starter · #2 · (Edited)
Alright, somehow I got HijackThis to run in safe mode, and I pasted and attached the log. I still couldn't get ComboFix to run...I also tried to install Kaspersky Internet Security 2010 in safe mode, but got denied; it said the Administrator set rules not to run this. I guess it's the malware doing the trick...

Someone please take a look at these logs and give me some help...

Thanks!


HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:51:10 PM, on 5/8/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17023)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Thunder5.7.6.426-Lite-Final\ComDlls\TDAtOnce_Now.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: ADC PlugIn - {77DC0Baa-3235-4ba9-8BE8-aa9EB678FA02} - C:\Program Files\adc32.dll
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Thunder5.7.6.426-Lite-Final\ComDlls\xunleiBHO_Now.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: FlashGetBHO - {b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0} - C:\Documents and Settings\Phoenitiques\Desktop\FlashGet 3\FlashGetBHO3.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Grid Service] "C:\Program Files\GridService\peer.exe" -n Grid
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [ncwowust] C:\Documents and Settings\Phoenitiques\Local Settings\Application Data\kihmxhceu\cheotpmtssd.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Phoenitiques\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ncwowust] C:\Documents and Settings\Phoenitiques\Local Settings\Application Data\kihmxhceu\cheotpmtssd.exe
O4 - Startup: ntuser_mssec.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\MSXP\Office10\OSA.EXE
O8 - Extra context menu item: &U使用纳米机器人下载并收藏 - C:\Program Files\NamiRobot\Data\du.html
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O8 - Extra context menu item: 下載編碼內容(S&martGet) - C:\SmartGet1.45.3\dl_text.html
O8 - Extra context menu item: 使用S&martGet下載 - C:\SmartGet1.45.3\dl_link.htm
O8 - Extra context menu item: 使用快车3下载 - C:\Documents and Settings\Phoenitiques\Desktop\FlashGet 3\GetUrl.htm
O8 - Extra context menu item: 使用快车3下载全部链接 - C:\Documents and Settings\Phoenitiques\Desktop\FlashGet 3\GetAllUrl.htm
O8 - Extra context menu item: 使用网际快车下载 - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 使用网际快车下载全部链接 - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: 使用迅雷下载 - C:\Thunder5.7.6.426-Lite-Final\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 - C:\Thunder5.7.6.426-Lite-Final\Program\getallurl.htm
O8 - Extra context menu item: 全部使用Smart&Get下載 - C:\SmartGet1.45.3\dl_all.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CS1\Services\Tcpip\..\{32F753B6-9D84-4220-BFAD-7D28259E6F1C}: NameServer = 8.8.8.8
O23 - Service: Adobe Update Service (AdbUpd) - Unknown owner - C:\Program Files\svchost.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 7607 bytes
 

TSF Security Manager, Emeritus
Hello goukoy,

Please tell me exactly what happens when you try to run ComboFix.

Have you tried to run gmer.exe or dds.scr as outlined in our pre-posting topic, New Instructions - Read This Before Posting for Malware Removal Help?

If they don't run, again, to determine my course of action, I need to know exactly what happens when you try to run them.

Also -- please do not attempt to run ComboFix again. As explained in Post 2 of our pre-posting topic...

Why we don't ask you to run ComboFix from the onset

As stated by the author of ComboFix:

ComboFix is a very powerful tool which when improperly used may render your machine to a doorstop.

We first need to verify if there's any rootkits present and how they could affect our tools. DDS & GMER are preliminary scans. We use their logs to map our strategy for attack.

With these logs we can determine the infections present & decide whether to deploy ComboFix.
Please do not run it again until I advise you.
 

·
Registered
Joined
·
35 Posts
Discussion Starter · #4 · (Edited)
Hello Reid,

Thanks for coming to the rescue!

To answer your question about ComboFix, I was actually just trying to test whether any application is blocked from running. I've never gotten it to run successfully in either standard or safe mode.

In standard mode, when you click ComboFix or drag that WindowsXP-KB310994-SP2-Pro-BootDisk-ENU file onto ComboFix, a message pops up in the bottom right corner from AKM Antivirus pro 2010 (this is the malware) saying "Warning, Running of application is impossible. The file ComboFix.exe is infected and please activate your antivirus software". In safe mode, nothing happens when I try to run ComboFix, so ComboFix has never run in either mode on the computer. I am guessing the malware is blocking everything with the .exe extension. Btw, I will not attempt to run ComboFix again without your advice.

I got dds.scr to run successfully in standard mode, and the log is copy-pasted below. I couldn't get gmer.exe to run in standard mode; I think it's because of the .exe extension. I'm trying to run it in safe mode now...

I've also attached a screencap of my desktop, so you can see the malware on my desktop and how it pops up the denial in the bottom right corner if I try to run something...

Hope this helps, and please let me know what to do next...

Thanks much!


DDS.txt:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Phoenitiques at 17:24:35.10 on 05/10/2010 Mon
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.936.86.1033.18.1013.557 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
"C:\Program Files\svchost.exe"
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AKM Antivirus 2010 Pro\AKM Antivirus 2010 Pro.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\mspaint.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Phoenitiques\Desktop\dds.scr
C:\WINDOWS\system32\conime.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: ThunderAtOnce Class: {01443aec-0fd1-40fd-9c87-e93d1494c233} - c:\thunder5.7.6.426-lite-final\comdlls\TDAtOnce_Now.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Megaupload Toolbar: {4e7bd74f-2b8d-469e-ccb0-b130eedbe97c} - c:\progra~1\megaup~1\MEGAUP~1.DLL
BHO: ADC PlugIn: {77dc0baa-3235-4ba9-8be8-aa9eb678fa02} - c:\program files\adc32.dll
BHO: Thunder Browser Helper: {889d2feb-5411-4565-8998-1dd2c5261283} - c:\thunder5.7.6.426-lite-final\comdlls\xunleiBHO_Now.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: IeCatch2 Class: {a5366673-e8ca-11d3-9cd9-0090271d075b} - c:\progra~1\flashget\jccatch.dll
BHO: FlashGetBHO: {b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0} - c:\documents and settings\phoenitiques\desktop\flashget 3\FlashGetBHO3.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: FlashGet Bar: {e0e899ab-f487-11d5-8d29-0050ba6940e3} - c:\progra~1\flashget\fgiebar.dll
TB: Megaupload Toolbar: {4e7bd74f-2b8d-469e-ccb0-b130eedbe97c} - c:\progra~1\megaup~1\MEGAUP~1.DLL
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [Google Update] "c:\documents and settings\phoenitiques\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ncwowust] c:\documents and settings\phoenitiques\local settings\application data\kihmxhceu\cheotpmtssd.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:\program files\google\gmail notifier\gnotify.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Grid Service] "c:\program files\gridservice\peer.exe" -n Grid
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini"
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [ncwowust] c:\documents and settings\phoenitiques\local settings\application data\kihmxhceu\cheotpmtssd.exe
StartupFolder: c:\documents and settings\phoenitiques\start menu\programs\startup\ntuser_mssec.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\msxp\office10\OSA.EXE
IE: &U使用纳米机器人下载并收藏 - c:\program files\namirobot\data\du.html
IE: Download Link Using Mega Manager... - c:\program files\megaupload\mega manager\mm_file.htm
IE: E&xport to Microsoft Office Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: 下載編碼內容(S&martGet) - c:\smartget1.45.3\dl_text.html
IE: 使用S&martGet下載 - c:\smartget1.45.3\dl_link.htm
IE: 使用快车3下载 - c:\documents and settings\phoenitiques\desktop\flashget 3\GetUrl.htm
IE: 使用快车3下载全部链接 - c:\documents and settings\phoenitiques\desktop\flashget 3\GetAllUrl.htm
IE: 使用网际快车下载 - c:\program files\flashget\jc_link.htm
IE: 使用网际快车下载全部链接 - c:\program files\flashget\jc_all.htm
IE: 使用迅雷下载 - c:\thunder5.7.6.426-lite-final\program\geturl.htm
IE: 使用迅雷下载全部链接 - c:\thunder5.7.6.426-lite-final\program\getallurl.htm
IE: 全部使用Smart&Get下載 - c:\smartget1.45.3\dl_all.htm
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\progra~1\flashget\flashget.exe
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: {F4230752-7565-4C75-9869-69580885D546} = 205.152.37.23 205.152.144.23
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\phoeni~1\applic~1\mozilla\firefox\profiles\plx9ubg5.default\
FF - plugin: c:\documents and settings\phoenitiques\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npaliedit.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R2 AdbUpd;Adobe Update Service;c:\program files\svchost.exe [2010-5-8 28160]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2007-8-3 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-12-11 47640]
R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2007-5-28 275968]
R3 Alidevice;Alidevice;c:\windows\system32\drivers\alidevice.sys [2010-1-10 6656]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-4-30 24592]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]

============== File Associations ===============

exefile=c:\program files\alggui.exe "%1" %*
txtfile=c:\windows\notepad.exe %1

=============== Created Last 30 ================

2010-05-10 17:06:38 0 ----a-w- c:\program files\extra2.dat
2010-05-09 04:03:20 98816 ----a-w- c:\windows\sed.exe
2010-05-09 04:03:20 77312 ----a-w- c:\windows\MBR.exe
2010-05-09 04:03:20 256512 ----a-w- c:\windows\PEV.exe
2010-05-09 04:03:20 161792 ----a-w- c:\windows\SWREG.exe
2010-05-09 04:03:13 0 d-s---w- C:\Combo-Fix13974C
2010-05-08 19:09:51 0 ----a-w- c:\program files\extra1.dat
2010-05-08 18:54:31 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-08 18:51:19 0 d-----w- c:\program files\trend micro
2010-05-08 18:36:20 0 d-----w- c:\program files\scdata
2010-05-08 18:27:40 268 ---ha-w- C:\sqmdata02.sqm
2010-05-08 18:27:40 244 ---ha-w- C:\sqmnoopt02.sqm
2010-05-08 18:20:52 1580 ----a-w- C:\AKM Antivirus 2010 Pro.lnk
2010-05-08 18:20:52 0 d-----w- C:\AKM Antivirus 2010 Pro
2010-05-08 18:20:45 983040 ----a-w- c:\program files\adc32.dll
2010-05-08 18:20:45 34304 ----a-w- c:\program files\alggui.exe
2010-05-08 18:20:37 66 ----a-w- c:\program files\wp4.dat
2010-05-08 18:20:37 4 ----a-w- c:\program files\wp3.dat
2010-05-08 18:20:37 36 ----a-w- c:\program files\skynet.dat
2010-05-08 18:20:37 28160 ----a-w- c:\program files\svchost.exe
2010-05-08 18:20:29 0 d-----w- c:\program files\AKM Antivirus 2010 Pro
2010-05-04 02:28:42 268 ---ha-w- C:\sqmdata01.sqm
2010-05-04 02:28:42 244 ---ha-w- C:\sqmnoopt01.sqm
2010-04-17 21:42:04 0 d-----w- c:\docume~1\alluse~1\applic~1\Lingoes
2010-04-15 07:19:13 268 ---ha-w- C:\sqmdata00.sqm
2010-04-15 07:19:13 244 ---ha-w- C:\sqmnoopt00.sqm

==================== Find3M ====================

2010-05-08 18:20:38 9 ----a-w- c:\program files\nuar.old
2010-04-23 07:59:48 13407 ----a-w- c:\windows\system32\cid_store.dat
2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-04 04:58:12 389120 ----a-w- c:\windows\system32\CF25496.exe
2010-02-17 13:10:28 2189952 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2008-08-28 18:32:56 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082820080829\index.dat

============= FINISH: 17:26:09.84 ===============
 

Attachments
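The File Associations section of the RSIT log above is why nothing with an .exe extension would start: the exefile open command had been changed to route every launch through c:\program files\alggui.exe instead of running the file itself. This added Python triage script (not part of the thread, RSIT or DDS) flags such a hijacked open command for the executable types whose stock command is `"%1" %*` and lists the files created in the same window as the wrapper, which is usually the rest of the dropper's payload; the embedded sample is a constructed excerpt of the log above, and the two-minute window is an assumption.

```python
"""Triage helpers for an RSIT-style log (added example; not from the thread,
RSIT or DDS): flag a hijacked executable open command and list what was
dropped alongside the program doing the hijacking."""
import re
from datetime import datetime, timedelta

# Constructed sample: an excerpt of the RSIT log posted above, verbatim lines.
SAMPLE_LOG = r"""
============== File Associations ===============

exefile=c:\program files\alggui.exe "%1" %*
txtfile=c:\windows\notepad.exe %1

=============== Created Last 30 ================

2010-05-10 17:06:38 0 ----a-w- c:\program files\extra2.dat
2010-05-08 18:20:52 1580 ----a-w- C:\AKM Antivirus 2010 Pro.lnk
2010-05-08 18:20:45 983040 ----a-w- c:\program files\adc32.dll
2010-05-08 18:20:45 34304 ----a-w- c:\program files\alggui.exe
2010-05-08 18:20:37 66 ----a-w- c:\program files\wp4.dat
2010-05-08 18:20:37 28160 ----a-w- c:\program files\svchost.exe
2010-05-08 18:20:29 0 d-----w- c:\program files\AKM Antivirus 2010 Pro
2010-05-04 02:28:42 268 ---ha-w- C:\sqmdata01.sqm

==================== Find3M ====================
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
ASSOC_RE = re.compile(r"^(\w+)=(.*)$")
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) (\S+) (.+)$")

# Windows' stock open command for these types runs the file itself with its
# arguments; any program in front of it is a wrapper every launch goes through.
DEFAULT_CMD = '"%1" %*'
CHECKED_TYPES = ("exefile", "comfile", "batfile", "cmdfile")


def parse_sections(text):
    """Split the log into {section title: [non-blank lines]} on its '=== x ===' headers."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections


def find_hijacked_associations(sections):
    """Return (file type, wrapper program) for each checked type whose open
    command does not run the file directly."""
    hijacked = []
    for line in sections.get("File Associations", []):
        m = ASSOC_RE.match(line)
        if not m or m.group(1).lower() not in CHECKED_TYPES:
            continue
        ftype, cmd = m.group(1).lower(), m.group(2).strip()
        if cmd.lower() == DEFAULT_CMD.lower():
            continue  # stock value: nothing in front of "%1" %*
        if cmd.lower().endswith(DEFAULT_CMD.lower()):
            wrapper = cmd[: -len(DEFAULT_CMD)].strip().strip('"')
        else:
            wrapper = cmd  # unusual shape: report the whole command
        hijacked.append((ftype, wrapper))
    return hijacked


def parse_created(sections):
    """Parse 'Created Last 30' rows into (timestamp, size, attributes, path)."""
    entries = []
    for line in sections.get("Created Last 30", []):
        m = CREATED_RE.match(line)
        if m:
            when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            entries.append((when, int(m.group(2)), m.group(3), m.group(4)))
    return entries


def files_near(entries, path, window=timedelta(minutes=2)):
    """Paths created within `window` of `path`, oldest first. A dropper writes
    its payload within seconds of the file that hooks the association, so this
    is the candidate list to examine; the two-minute window is an assumption."""
    anchor = [e for e in entries if e[3].lower() == path.lower()]
    if not anchor:
        return []
    t0 = anchor[0][0]
    near = [e for e in entries if abs(e[0] - t0) <= window]
    return [e[3] for e in sorted(near, key=lambda e: e[0])]


def triage(text):
    """Map each hijacked type to its wrapper and the files created around it."""
    sections = parse_sections(text)
    created = parse_created(sections)
    return {ftype: {"wrapper": wrapper, "created_with": files_near(created, wrapper)}
            for ftype, wrapper in find_hijacked_associations(sections)}


if __name__ == "__main__":
    for ftype, info in triage(SAMPLE_LOG).items():
        print(f"{ftype} open command is diverted through {info['wrapper']}")
        for path in info["created_with"]:
            print("  created in the same window:", path)
```

Because comfile is checked separately and was not hooked on this machine, the same check shows why renaming ComboFix.exe to ComboFix.com (as the helper asks further down) sidesteps the wrapper.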

Registered · 35 Posts
Discussion Starter · #5 ·
Ried,

Alright, I finally finished running gmer.exe in safe mode...again, I couldn't run it in standard mode. I couldn't run either rar or zip in standard or safe mode, so I can only attach the .txt files of both. I also copy-pasted the attach.txt here, and both are attached. Hope this helps. Again, it seems like the malware is disabling all .exe files from running. I'm switching between standard and safe mode to do these procedures.

Ried, please read my previous two replies; I got the DDS.txt in the previous post. Hope these help you figure something out...I'm crossing my fingers, this is killing me...:sigh:


Attached.txt


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 12/7/2007 8:20:45 PM
System Uptime: 5/10/2010 4:05:54 PM (1 hours ago)

Motherboard: Dell Inc. | | 0CU409
Processor: Intel Pentium II processor | Socket 775 | 1596/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 74 GiB total, 3.018 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP677: 3/29/2010 11:14:03 AM - 卡巴斯基反病毒软件 2009已删除。
RP678: 3/29/2010 11:47:53 AM - System Checkpoint
RP679: 3/30/2010 1:19:48 PM - System Checkpoint
RP680: 3/31/2010 1:39:53 PM - System Checkpoint
RP681: 3/31/2010 9:45:32 PM - Software Distribution Service 3.0
RP682: 4/1/2010 10:55:38 PM - System Checkpoint
RP683: 4/2/2010 11:20:18 PM - System Checkpoint
RP684: 4/4/2010 12:41:41 AM - System Checkpoint
RP685: 4/5/2010 1:26:02 AM - System Checkpoint
RP686: 4/6/2010 2:24:58 AM - System Checkpoint
RP687: 4/7/2010 2:28:55 AM - System Checkpoint
RP688: 4/8/2010 2:29:04 AM - System Checkpoint
RP689: 4/9/2010 3:29:04 AM - System Checkpoint
RP690: 4/10/2010 3:39:10 AM - System Checkpoint
RP691: 4/11/2010 4:39:10 AM - System Checkpoint
RP692: 4/12/2010 12:12:39 PM - System Checkpoint
RP693: 4/13/2010 1:10:56 PM - System Checkpoint
RP694: 4/14/2010 3:00:17 AM - Software Distribution Service 3.0
RP695: 4/15/2010 3:00:17 AM - Software Distribution Service 3.0
RP696: 4/16/2010 3:24:23 AM - System Checkpoint
RP697: 4/17/2010 4:24:19 AM - System Checkpoint
RP698: 4/18/2010 4:33:22 AM - System Checkpoint
RP699: 4/19/2010 5:33:23 AM - System Checkpoint
RP700: 4/20/2010 6:33:24 AM - System Checkpoint
RP701: 4/21/2010 7:08:00 AM - System Checkpoint
RP702: 4/22/2010 8:08:01 AM - System Checkpoint
RP703: 4/23/2010 9:08:07 AM - System Checkpoint
RP704: 4/24/2010 10:08:07 AM - System Checkpoint
RP705: 4/25/2010 11:08:03 AM - System Checkpoint
RP706: 4/26/2010 12:09:21 PM - System Checkpoint
RP707: 4/27/2010 1:08:07 PM - System Checkpoint
RP708: 4/28/2010 1:08:16 PM - System Checkpoint
RP709: 4/29/2010 2:08:16 PM - System Checkpoint
RP710: 4/30/2010 7:47:18 PM - System Checkpoint
RP711: 5/1/2010 7:51:48 PM - System Checkpoint
RP712: 5/2/2010 8:09:25 PM - System Checkpoint
RP713: 5/3/2010 8:18:06 PM - System Checkpoint
RP714: 5/4/2010 8:35:15 PM - System Checkpoint
RP715: 5/5/2010 8:35:21 PM - System Checkpoint
RP716: 5/6/2010 11:17:08 PM - System Checkpoint
RP717: 5/8/2010 12:24:18 AM - System Checkpoint
RP718: 5/9/2010 12:30:27 AM - System Checkpoint
RP719: 5/10/2010 12:21:56 PM - System Checkpoint

==== Installed Programs ======================

7-Zip 4.65
AC3Filter (remove only)
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Photoshop 7.0
Adobe Reader 8.1.2
Adobe Shockwave Player
AFPL Ghostscript 8.54
AFPL Ghostscript Fonts
AviSynth 2.5
BroadJump Client Foundation
Brother MFL-Pro Suite MFC-255CW
Codec Pack - All In 1 6.0.0.0
CopyToDVD 3.0.56
Dell Resource CD
DVD Decrypter (Remove Only)
DVD Shrink 3.2
EA?SPORTS? NBA?LIVE?08
FlashGet(JetCar)
Foxit PDF Editor
Google Chrome
Google Gmail Notifier
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections 12.1.12.0
IrfanView (remove only)
Java(TM) 6 Update 13
Java(TM) 6 Update 5
Java(TM) 6 Update 7
JDownloader
LogMeIn
Maxthon Browser (remove only)
Mega Manager
Megaupload Toolbar
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2003 Web Components
Microsoft Office Professional Edition 2003
Microsoft Office XP Professional with FrontPage
Microsoft Silverlight
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Backward compatibility
Microsoft SQL Server 2005 Tools
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual Studio 2005 Premier Partner Edition - ENU
Mozilla Firefox (3.6.3)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser
Nero Suite
NVIDIA Drivers
PaperPort Image Printer
PowerDVD
PowerISO 3.9
Pure Codec
RaySource 2.1.10.8192
Realtek High Definition Audio Driver
ScanSoft PaperPort 11
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB979402)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
SopCast 3.0.1
Sothink SWF Decompiler
SQLXML4
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
WinAVI MP4 Converter
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows XP Service Pack 3
WinRAR archiver
μTorrent
大智慧 Ver6.0版
大智慧新一代 Ver3.1版
支付宝插件 1.2.0.2
西南证券大智慧

==== Event Viewer Messages From Past Week ========

5/8/2010 2:52:49 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
5/8/2010 2:48:26 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
5/8/2010 2:48:20 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
5/8/2010 2:47:51 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SCDEmu Tcpip
5/8/2010 2:47:51 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
5/8/2010 2:47:51 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
5/8/2010 2:47:51 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
5/8/2010 2:47:51 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
5/8/2010 2:42:04 PM, error: Service Control Manager [7034] - The StarWind AE Service service terminated unexpectedly. It has done this 1 time(s).
5/8/2010 2:41:53 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
5/8/2010 2:41:46 PM, error: Service Control Manager [7034] - The LogMeIn Maintenance Service service terminated unexpectedly. It has done this 1 time(s).
5/8/2010 11:48:20 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm SCDEmu sptd
5/8/2010 11:46:52 PM, error: sptd [4] - Driver detected an internal error in its data structures for .
5/10/2010 5:24:37 PM, error: Service Control Manager [7016] - The Adobe Update Service service has reported an invalid current state 0.
5/10/2010 2:04:53 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
5/10/2010 2:04:53 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.

==== End Of File ===========================
 

Attachments

TSF Security Manager, Emeritus · 42,836 Posts
No worries, goukoy, I'll get you straightened out but it will take more than 1 round. :)


Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


1. Delete your existing renamed ComboFix.exe from your desktop, and delete this folder as well:

C:\Combo-Fix13974C


2. Download a fresh copy from here and save it to your desktop. Do not rename it yet.


3. Ensure file extensions are viewable:

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading:
Uncheck Hide file extensions for known file types.
* Click OK.


4. Right click ComboFix.exe and rename it to ComboFix.com


5. Drag and drop the WindowsXP-KB310994-SP2-Pro-BootDisk-ENU into ComboFix.com and let it run.


If the fake AV stopped it from running, use Windows Explorer to navigate to the following folder:

c:\documents and settings\phoenitiques\local settings\application data\kihmxhceu

Drag that folder to the desktop. Do not reboot.

Now try again to drag and drop the WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe into ComboFix.com and let it run.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.
 

Registered · 35 Posts
Discussion Starter · #7 · (Edited)
Thanks for the guide, Ried.

I followed all the procedures and deleted the stuff you said, and re-downloaded ComboFix to my desktop. I renamed it to ComboFix.com and dragged the WinXP-KB file to it...It finally got going...However, I got stopped during the ComboFix run: it stopped when the blue window produced "combofix is preparing to run", and it then popped up a window saying "Were you trying to run CFScript? The name CFScript appears to be incorrectly spelt". I clicked OK and then ComboFix just seemed to exit itself. I tried the other way, dragging that kihmxhceu folder to the desktop and running ComboFix again, and it stopped at the same place; once I clicked OK, it exited.

I don't know what happened after that, but the fake AV window is gone now...I tried to run ComboFix again and it stopped and asked about CFScript again and then exited itself once I clicked OK...so ComboFix really never finished and produced the log.

Do you know what I need to do next, Ried? Do I need to turn something off regarding that CFScript stuff? Please advise...

Thanks much!
 

TSF Security Manager, Emeritus · 42,836 Posts
Try just double clicking ComboFix to run it.
 

Registered · 35 Posts
Discussion Starter · #9 · (Edited)
Alrighty, double-clicking ComboFix instead of dragging the file to it did the trick, and here is the ComboFix log. I've also attached it. Please take a look and let me know what the next step is, Ried.

Thanks much!

ComboFix log:

ComboFix 10-05-10.02 - Phoenitiques 05/11/2010 1:09.6.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1013.688 [GMT -4:00]
Running from: c:\documents and settings\Phoenitiques\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Phoenitiques\Start Menu\Programs\Startup\ntuser_mssec.exe
c:\program files\adC32.dll
c:\program files\AKM Antivirus 2010 Pro
c:\program files\AKM Antivirus 2010 Pro\AKM Antivirus 2010 Pro.exe
c:\program files\alggui.exe
c:\program files\nuar.old
c:\program files\skynet.dat
c:\program files\svchost.exe
c:\program files\wp3.dat
c:\program files\wp4.dat
c:\windows\system32\bnrvbioc.ini
c:\windows\system32\cnliijfc.ini
c:\windows\system32\eqcbxbrm.ini
c:\windows\system32\nfjjoehi.ini
c:\windows\system32\xbhamiee.ini

Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ADBUPD
-------\Service_AdbUpd


((((((((((((((((((((((((( Files Created from 2010-04-11 to 2010-05-11 )))))))))))))))))))))))))))))))
.

2010-05-10 17:06 . 2010-05-10 17:06 0 ----a-w- c:\program files\extra2.dat
2010-05-08 19:09 . 2010-05-08 19:09 0 ----a-w- c:\program files\extra1.dat
2010-05-08 18:54 . 2010-05-08 18:54 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-08 18:51 . 2010-05-09 03:50 -------- d-----w- c:\program files\trend micro
2010-05-08 18:51 . 2010-05-08 18:51 -------- d-----w- C:\rsit
2010-05-08 18:36 . 2010-05-11 04:09 -------- d-----w- c:\program files\scdata
2010-05-08 18:20 . 2010-05-08 18:20 -------- d-----w- C:\AKM Antivirus 2010 Pro
2010-04-17 21:42 . 2010-04-17 21:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Lingoes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-11 04:00 . 2007-12-11 16:05 -------- d-----w- c:\program files\LogMeIn
2010-05-03 03:39 . 2007-12-20 16:20 -------- d-----w- c:\documents and settings\Phoenitiques\Application Data\uTorrent
2010-04-23 07:59 . 2008-09-12 15:12 13407 ----a-w- c:\windows\system32\cid_store.dat
2010-04-17 21:42 . 2008-03-15 16:11 -------- d-----w- c:\documents and settings\Phoenitiques\Application Data\Lingoes
2010-03-29 02:22 . 2008-05-30 04:49 -------- d-----w- c:\documents and settings\Phoenitiques\Application Data\MegauploadToolbar
2010-03-28 20:04 . 2009-01-24 05:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-03-15 17:35 . 2008-06-18 00:01 -------- d-----w- c:\documents and settings\Phoenitiques\Application Data\CopyToDvd
2010-03-11 12:38 . 2006-03-04 03:33 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2009-07-03 03:05 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-08-04 10:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2004-08-04 10:00 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-04 04:58 . 2010-03-04 04:58 389120 ----a-w- c:\windows\system32\CF25496.exe
2010-02-24 13:11 . 2004-08-04 10:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 13:10 . 2005-03-30 01:23 2189952 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2005-03-30 01:01 2066816 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2004-08-04 10:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-04 10:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.

------- Sigcheck -------

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . CD00787894008369F56153B91FC28847 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\$NtUninstallKB951748_0$\tcpip.sys
[-] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2006-04-20 . 727723537C9BF6BAA1FB8799A6839CD4 . 359808 . . [5.1.2600.2892] . . c:\windows\$NtUninstallKB941644$\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB917953$\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Google Update"="c:\documents and settings\Phoenitiques\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-04 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-17 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-17 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-17 138008]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 63048]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-26 16132608]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-11 368706]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Grid Service"="c:\program files\GridService\peer.exe" [2008-07-13 3375104]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2008-07-10 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2008-07-10 46368]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2009-01-19 1150976]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2009-01-09 114688]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-12-8 113664]
Microsoft Office.lnk - c:\program files\MSXP\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-10-20 05:23 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\dzh\\internet\\hypwise.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\GridService\\peer.exe"=
"c:\\Thunder5.7.6.426-Lite-Final\\Program\\Thunder5.exe"=
"c:\\Program Files\\Maxthon\\Maxthon.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\frd.exe"=
"c:\\Program Files\\QQ2009\\Bin\\QQ.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Documents and Settings\\Phoenitiques\\Desktop\\dzh2\\dzh2.exe"=
"c:\\Documents and Settings\\Phoenitiques\\Desktop\\FlashGet 3\\Flashget3.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Documents and Settings\\Phoenitiques\\Desktop\\eMule_0.48a_VeryCD_Build_071128_Final_\\eMule\\emule.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"54925:UDP"= 54925:UDP:BrotherNetwork Scanner
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"8994:TCP"= 8994:TCP:Services
"8993:TCP"= 8993:TCP:Services

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/3/2007 4:09 PM 12856]
R3 Alidevice;Alidevice;c:\windows\system32\drivers\alidevice.sys [1/10/2010 1:32 AM 6656]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 6:06 PM 24592]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 7:01 AM 2799808]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/17/2008 2:35 PM 717296]
.
Contents of the 'Scheduled Tasks' folder

2010-05-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-343818398-2049760794-839522115-1003Core.job
- c:\documents and settings\Phoenitiques\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 04:43]

2010-05-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-343818398-2049760794-839522115-1003UA.job
- c:\documents and settings\Phoenitiques\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 04:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: &U???????????? - c:\program files\NamiRobot\Data\du.html
IE: Download Link Using Mega Manager... - c:\program files\Megaupload\Mega Manager\mm_file.htm
IE: E&xport to Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
IE: ??????(S&martGet) - c:\smartget1.45.3\dl_text.html
IE: ??S&martGet?? - c:\smartget1.45.3\dl_link.htm
IE: ????3?? - c:\documents and settings\Phoenitiques\Desktop\FlashGet 3\GetUrl.htm
IE: ????3?????? - c:\documents and settings\Phoenitiques\Desktop\FlashGet 3\GetAllUrl.htm
IE: ???????? - c:\program files\FlashGet\jc_link.htm
IE: ???????????? - c:\program files\FlashGet\jc_all.htm
IE: ?????? - c:\thunder5.7.6.426-lite-final\Program\geturl.htm
IE: ?????????? - c:\thunder5.7.6.426-lite-final\Program\getallurl.htm
IE: ????Smart&Get?? - c:\smartget1.45.3\dl_all.htm
FF - ProfilePath - c:\documents and settings\Phoenitiques\Application Data\Mozilla\Firefox\Profiles\plx9ubg5.default\
FF - plugin: c:\documents and settings\Phoenitiques\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npaliedit.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
.
------- File Associations -------
.
txtfile=c:\windows\notepad.exe %1
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-ncwowust - c:\documents and settings\Phoenitiques\Local Settings\Application Data\kihmxhceu\cheotpmtssd.exe
HKLM-Run-ncwowust - c:\documents and settings\Phoenitiques\Local Settings\Application Data\kihmxhceu\cheotpmtssd.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-11 01:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-343818398-2049760794-839522115-1003\Software\Microsoft\Internet Explorer\MenuExt\O(uë_f�3* N}�]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@="c:\\Documents and Settings\\Phoenitiques\\Desktop\\FlashGet 3\\GetUrl.htm"
"contexts"=dword:00000022

[HKEY_USERS\S-1-5-21-343818398-2049760794-839522115-1003\Software\Microsoft\Internet Explorer\MenuExt\O(uë_f�3* N}�hQè�þ”¥c]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@="c:\\Documents and Settings\\Phoenitiques\\Desktop\\FlashGet 3\\GetAllUrl.htm"
"contexts"=dword:000000f3

[HKEY_USERS\S-1-5-21-343818398-2049760794-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\'Yzfga2*]
"Order"=hex:08,00,00,00,02,00,00,00,66,01,00,00,01,00,00,00,03,00,00,00,6e,00,
00,00,00,00,00,00,60,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,4e,00,36,\

[HKEY_USERS\S-1-5-21-343818398-2049760794-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\'Yzfga°e*NãN4xã‰Hr]
"Order"=hex:08,00,00,00,02,00,00,00,7a,01,00,00,01,00,00,00,03,00,00,00,6e,00,
00,00,00,00,00,00,60,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,4e,00,36,\

[HKEY_LOCAL_MACHINE\software\dzh\SUPERSTK\IndiGroups\”Ni_K*¿~]
"??"="KDJ0\09W&R0\09RSI\09QSZL\09RSI0\09W&R\09KDJ\09"
"1.K???"="K290\09K180\09K390\09K280\09K170\09K380\09K270\09K160\09K370\09K260\09K150\09K360\09K250\09K140\09K350\09K240\09K130\09K340\09K230\09K120\09K330\09K220\09K165\09K132\09K110\09K320\09K210\09K310\09K200\09K134\09K300\09K400\09K190\09"
"2.??K???"="U300\09U190\09U290\09U180\09U280\09U170\09U380\09U270\09U370\09U260\09U150\09U360\09U250\09U140\09U350\09U240\09U130\09U340\09U230\09U120\09U330\09U220\09U110\09U320\09U210\09U100\09U310\09U200\09"
"3.??K???"="D300\09D190\09D290\09D180\09D280\09D170\09D270\09D160\09D260\09D150\09D360\09D250\09D140\09D350\09D240\09D130\09D340\09D230\09D120\09D330\09D220\09D110\09D320\09D210\09D100\09D310\09D200\09"
"4.??K???"="R220\09R110\09R210\09R100\09R200\09R190\09R180\09R170\09R160\09R150\09R140\09R130\09R120\09"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(600)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'explorer.exe'(2748)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\program files\Brother\ControlCenter3\brccMCtl.exe
c:\program files\Brother\Brmfcmon\BrMfimon.exe
.
**************************************************************************
.
Completion time: 2010-05-11 01:32:11 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-11 05:32
ComboFix2.txt 2010-03-04 05:36
ComboFix3.txt 2008-12-12 22:49

Pre-Run: 3,176,996,864 bytes free
Post-Run: 3,231,854,592 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - D6F288FB368E62E3E84808264DEBB7E9
 

TSF Security Manager, Emeritus
42,836 Posts
Nicely done, goukoy. :)

Read through this entire procedure and, if you have any questions, please ask them before you begin. Then either print it out or copy this page to Notepad and save it to your desktop for reference, as you will not have any browsers open while you are carrying out portions of these instructions.


It's IMPORTANT to carry out the instructions in the sequence listed below.


***************************************************

Open notepad and copy/paste the text in the code box below into it:


http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/482004-need-spyware-virus-trojan-removal-help-akm-antivirus-2010-pro-spyware.html#post2721069

FCopy::
c:\windows\system32\dllcache\tcpip.sys | c:\windows\system32\drivers\tcpip.sys

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>

Folder::
C:\AKM Antivirus 2010 Pro

Collect:: [28]
c:\Program Files\extra2.dat
c:\Program Files\extra1.dat

DirLook::
c:\program files\scdata

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=-
"52344:TCP"=-
"3246:TCP"=-
"2479:TCP"=-
"3389:TCP"=-
"8994:TCP"=-
"8993:TCP"=-

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

***************************************************

Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

***************************************************





Referring to the picture above, drag CFScript into ComboFix.exe


When finished, it shall produce a log for you. Post the C:\ComboFix.txt in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
===============================

Now please download and run HAMeb_check.exe

Post the contents of the resulting log along with the C:\ComboFix.txt
 

Registered
35 Posts
Discussion Starter · #11 · (Edited)
Hey Ried. I can't do this without you :D You're the BEST! :4-cheers:

I followed the instructions, created CFScript.txt and dragged it onto ComboFix. I also ran HAMeb_check.exe, and it's a pretty quick scan. I copy-pasted both resulting logs here and attached them as well, just in case.

I think because my computer is set to some other language, there may be some characters in the ComboFix.txt log that aren't English... Please let me know if you have trouble with that; I can either translate them or rerun ComboFix if you do.

PS. I do see that AKM Antivirus 2010 is still on the Start menu. Is it OK? Any way to get rid of that? Just want to make sure it doesn't hurt anything... Please let me know the next step, Ried. My computer is running much better with your help now.

Here are the logs:

ComboFix.txt:

ComboFix 10-05-10.02 - Phoenitiques 1/2010 Tue 23:38:08.7.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.936.86.1033.18.1013.511 [GMT -4:00]
执行位置: c:\documents and settings\Phoenitiques\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Phoenitiques\Desktop\CFScript.txt

file zipped: c:\program files\extra1.dat
file zipped: c:\program files\extra2.dat
.

((((((((((((((((((((((((((((((((((((((( 被删除的档案 )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\AKM Antivirus 2010 Pro
c:\akm antivirus 2010 pro\AKM Antivirus 2010 Pro.lnk
c:\program files\extra1.dat
c:\program files\extra2.dat

.
--------------- FCopy ---------------

c:\windows\system32\dllcache\tcpip.sys --> c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((( 2010-04-12 至 2010-05-12 的新的档案 )))))))))))))))))))))))))))))))
.

2010-05-08 18:54 . 2010-05-08 18:54 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-08 18:51 . 2010-05-09 03:50 -------- d-----w- c:\program files\trend micro
2010-05-08 18:51 . 2010-05-08 18:51 -------- d-----w- C:\rsit
2010-05-08 18:36 . 2010-05-11 04:09 -------- d-----w- c:\program files\scdata
2010-04-17 21:42 . 2010-04-17 21:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Lingoes

.
(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-11 15:24 . 2007-12-08 02:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-11 04:00 . 2007-12-11 16:05 -------- d-----w- c:\program files\LogMeIn
2010-05-03 03:39 . 2007-12-20 16:20 -------- d-----w- c:\documents and settings\Phoenitiques\Application Data\uTorrent
2010-04-23 07:59 . 2008-09-12 15:12 13407 ----a-w- c:\windows\system32\cid_store.dat
2010-04-17 21:42 . 2008-03-15 16:11 -------- d-----w- c:\documents and settings\Phoenitiques\Application Data\Lingoes
2010-03-28 20:04 . 2009-01-24 05:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-03-15 17:35 . 2008-06-18 00:01 -------- d-----w- c:\documents and settings\Phoenitiques\Application Data\CopyToDvd
2010-03-11 12:38 . 2006-03-04 03:33 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2009-07-03 03:05 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-08-04 10:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2004-08-04 10:00 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-04 04:58 . 2010-03-04 04:58 389120 ----a-w- c:\windows\system32\CF25496.exe
2010-02-24 13:11 . 2004-08-04 10:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 13:10 . 2005-03-30 01:23 2189952 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2005-03-30 01:01 2066816 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2004-08-04 10:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-04 10:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\program files\scdata ----

2010-05-08 18:36 . 2008-11-21 18:57 119 ----a-w- c:\program files\scdata\images\wt3.gif
2010-05-08 18:36 . 2009-10-19 18:02 36864 --sha-w- c:\program files\scdata\images\Thumbs.db
2010-05-08 18:36 . 2008-11-21 18:28 5568 ----a-w- c:\program files\scdata\images\up1.gif
2010-05-08 18:36 . 2008-11-21 18:29 696 ----a-w- c:\program files\scdata\images\up2.gif
2010-05-08 18:36 . 2008-11-21 18:56 3028 ----a-w- c:\program files\scdata\images\w1.gif
2010-05-08 18:36 . 2008-11-21 19:08 3431 ----a-w- c:\program files\scdata\images\w11.gif
2010-05-08 18:36 . 2008-11-21 18:56 47 ----a-w- c:\program files\scdata\images\w2.gif
2010-05-08 18:36 . 2008-11-27 20:34 1912 ----a-w- c:\program files\scdata\images\w3.jpg
2010-05-08 18:36 . 2009-10-09 17:19 27136 ----a-w- c:\program files\scdata\images\word.doc
2010-05-08 18:36 . 2008-11-21 18:57 176 ----a-w- c:\program files\scdata\images\wt1.gif
2010-05-08 18:36 . 2008-11-21 18:57 51 ----a-w- c:\program files\scdata\images\wt2.gif
2010-05-08 18:36 . 2008-11-21 19:17 1015 ----a-w- c:\program files\scdata\images\t2.gif
2010-05-08 18:36 . 2008-11-21 19:17 1663 ----a-w- c:\program files\scdata\images\i2.gif
2010-05-08 18:36 . 2008-11-21 19:17 1689 ----a-w- c:\program files\scdata\images\i3.gif
2010-05-08 18:36 . 2008-11-21 19:12 3957 ----a-w- c:\program files\scdata\images\j1.gif
2010-05-08 18:36 . 2008-11-21 19:12 47 ----a-w- c:\program files\scdata\images\j2.gif
2010-05-08 18:36 . 2008-11-27 20:33 3857 ----a-w- c:\program files\scdata\images\j3.gif
2010-05-08 18:36 . 2008-11-21 19:14 114 ----a-w- c:\program files\scdata\images\jj1.gif
2010-05-08 18:36 . 2008-11-21 19:14 48 ----a-w- c:\program files\scdata\images\jj2.gif
2010-05-08 18:36 . 2008-11-21 19:40 105 ----a-w- c:\program files\scdata\images\jj3.gif
2010-05-08 18:36 . 2008-11-21 18:39 3749 ----a-w- c:\program files\scdata\images\l1.gif
2010-05-08 18:36 . 2008-11-21 18:39 92 ----a-w- c:\program files\scdata\images\l2.gif
2010-05-08 18:36 . 2008-11-21 18:40 468 ----a-w- c:\program files\scdata\images\l3.gif
2010-05-08 18:36 . 2008-11-21 19:44 70 ----a-w- c:\program files\scdata\images\pix.gif
2010-05-08 18:36 . 2008-11-21 18:47 621 ----a-w- c:\program files\scdata\images\t1.gif
2010-05-08 18:36 . 2008-11-21 19:17 1744 ----a-w- c:\program files\scdata\images\i1.gif
2010-05-08 18:36 . 2010-02-10 16:47 9340 ----a-w- c:\program files\scdata\wispex.html
2010-05-08 18:36 . 2010-05-11 04:09 150576 ----a-w- c:\program files\scdata\dbsinit.exe


((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Google Update"="c:\documents and settings\Phoenitiques\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-04 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-17 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-17 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-17 138008]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 63048]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-26 16132608]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-11 368706]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Grid Service"="c:\program files\GridService\peer.exe" [2008-07-13 3375104]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2008-07-10 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2008-07-10 46368]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2009-01-19 1150976]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2009-01-09 114688]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-12-8 113664]
Microsoft Office.lnk - c:\program files\MSXP\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-10-20 05:23 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\dzh\\internet\\hypwise.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\GridService\\peer.exe"=
"c:\\Thunder5.7.6.426-Lite-Final\\Program\\Thunder5.exe"=
"c:\\Program Files\\Maxthon\\Maxthon.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\frd.exe"=
"c:\\Program Files\\QQ2009\\Bin\\QQ.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Documents and Settings\\Phoenitiques\\Desktop\\dzh2\\dzh2.exe"=
"c:\\Documents and Settings\\Phoenitiques\\Desktop\\FlashGet 3\\Flashget3.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Documents and Settings\\Phoenitiques\\Desktop\\eMule_0.48a_VeryCD_Build_071128_Final_\\eMule\\emule.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"54925:UDP"= 54925:UDP:BrotherNetwork Scanner

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/3/2007 4:09 PM 12856]
R3 Alidevice;Alidevice;c:\windows\system32\drivers\alidevice.sys [1/10/2010 1:32 AM 6656]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 6:06 PM 24592]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 7:01 AM 2799808]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/17/2008 2:35 PM 717296]
.
‘计划任务’ 文件夹 里的内容

2010-05-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-343818398-2049760794-839522115-1003Core.job
- c:\documents and settings\Phoenitiques\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 04:43]

2010-05-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-343818398-2049760794-839522115-1003UA.job
- c:\documents and settings\Phoenitiques\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 04:43]
.
.
------- 而外的扫描 -------
.
uStart Page = hxxp://www.google.com/
IE: &U使用纳米机器人下载并收藏 - c:\program files\NamiRobot\Data\du.html
IE: E&xport to Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
IE: 下載編碼內容(S&martGet) - c:\smartget1.45.3\dl_text.html
IE: 使用S&martGet下載 - c:\smartget1.45.3\dl_link.htm
IE: 使用快车3下载 - c:\documents and settings\Phoenitiques\Desktop\FlashGet 3\GetUrl.htm
IE: 使用快车3下载全部链接 - c:\documents and settings\Phoenitiques\Desktop\FlashGet 3\GetAllUrl.htm
IE: 使用网际快车下载 - c:\program files\FlashGet\jc_link.htm
IE: 使用网际快车下载全部链接 - c:\program files\FlashGet\jc_all.htm
IE: 使用迅雷下载 - c:\thunder5.7.6.426-lite-final\Program\geturl.htm
IE: 使用迅雷下载全部链接 - c:\thunder5.7.6.426-lite-final\Program\getallurl.htm
IE: 全部使用Smart&Get下載 - c:\smartget1.45.3\dl_all.htm
TCP: {F4230752-7565-4C75-9869-69580885D546} = 205.152.37.23 205.152.144.23
FF - ProfilePath - c:\documents and settings\Phoenitiques\Application Data\Mozilla\Firefox\Profiles\plx9ubg5.default\
FF - plugin: c:\documents and settings\Phoenitiques\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npaliedit.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- 火狐配置文件 ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-11 23:47
Windows 5.1.2600 Service Pack 3 NTFS

扫描被隐藏的进程 。。。

扫描被隐藏的启动组 。。。

扫描被隐藏的文件 。。。

扫描完成
被隐藏的档案: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-343818398-2049760794-839522115-1003\Software\Microsoft\Internet Explorer\MenuExt\O(u隷f?* N}廬
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@="c:\\Documents and Settings\\Phoenitiques\\Desktop\\FlashGet 3\\GetUrl.htm"
"contexts"=dword:00000022

[HKEY_USERS\S-1-5-21-343818398-2049760794-839522115-1003\Software\Microsoft\Internet Explorer\MenuExt\O(u隷f?* N}廻Q钀]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@="c:\\Documents and Settings\\Phoenitiques\\Desktop\\FlashGet 3\\GetAllUrl.htm"
"contexts"=dword:000000f3

[HKEY_USERS\S-1-5-21-343818398-2049760794-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\'Yzfga2*]
"Order"=hex:08,00,00,00,02,00,00,00,66,01,00,00,01,00,00,00,03,00,00,00,6e,00,
00,00,00,00,00,00,60,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,4e,00,36,\

[HKEY_USERS\S-1-5-21-343818398-2049760794-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\'Yzfga癳*N鉔4x銐Hr]
"Order"=hex:08,00,00,00,02,00,00,00,7a,01,00,00,01,00,00,00,03,00,00,00,6e,00,
00,00,00,00,00,00,60,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,4e,00,36,\

[HKEY_LOCAL_MACHINE\software\dzh\SUPERSTK\IndiGroups\擭i_K*縹]
"其它"="KDJ0\09W&R0\09RSI\09QSZL\09RSI0\09W&R\09KDJ\09"
"1.K线模式"="K290\09K180\09K390\09K280\09K170\09K380\09K270\09K160\09K370\09K260\09K150\09K360\09K250\09K140\09K350\09K240\09K130\09K340\09K230\09K120\09K330\09K220\09K165\09K132\09K110\09K320\09K210\09K310\09K200\09K134\09K300\09K400\09K190\09"
"2.上涨K线模式"="U300\09U190\09U290\09U180\09U280\09U170\09U380\09U270\09U370\09U260\09U150\09U360\09U250\09U140\09U350\09U240\09U130\09U340\09U230\09U120\09U330\09U220\09U110\09U320\09U210\09U100\09U310\09U200\09"
"3.下跌K线模式"="D300\09D190\09D290\09D180\09D280\09D170\09D270\09D160\09D260\09D150\09D360\09D250\09D140\09D350\09D240\09D130\09D340\09D230\09D120\09D330\09D220\09D110\09D320\09D210\09D100\09D310\09D200\09"
"4.反转K线模式"="R220\09R110\09R210\09R100\09R200\09R190\09R180\09R170\09R160\09R150\09R140\09R130\09R120\09"
.
--------------------- 运行进程下的动态链接库 ---------------------

- - - - - - - > 'winlogon.exe'(596)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
完成时间: 2010-05-11 23:50:03
ComboFix-quarantined-files.txt 2010-05-12 03:49
ComboFix2.txt 2010-05-11 05:32
ComboFix3.txt 2010-03-04 05:36
ComboFix4.txt 2008-12-12 22:49

Pre-Run: 3,240,202,240 bytes free
Post-Run: 3,202,813,952 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 5D348DD82E7674875EB6F7F98CBBEDBF
成功上载文件



HAlog.txt:

C:\Documents and Settings\Phoenitiques\Desktop\HAMeb_check.exe
05/11/2010 Tue at 23:56:45.87

Account active Yes
Local Group Memberships *Administrators

~~ Checking profile list ~~

S-1-5-21-343818398-2049760794-839522115-1000
%SystemDrive%\Documents and Settings\HelpAssistant

~~ Checking for HelpAssistant directories ~~

HelpAssistant

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x094FE9BD
malicious code @ sector 0x094FE9C0 !
PE file found in sector at 0x094FE9D6 !

~~ Checking for termsrv32.dll ~~

termsrv32.dll present!


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"3246:TCP"=3246:TCP:*:Enabled:Services
"2479:TCP"=2479:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
"8994:TCP"=8994:TCP:*:Enabled:Services
"8993:TCP"=8993:TCP:*:Enabled:Services

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~
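As an added illustration, not part of this thread and not code from HAMeb_check or ComboFix, here is a small Python checker that reads the kinds of lines those tools printed above (the GloballyOpenPorts registry entries, the ProxyServer setting and the Security Center AntiVirusOverride value) and reports the ones a defender would want explained: ports opened to any source address under a generic name, a proxy that routes browser traffic through 127.0.0.1, and antivirus monitoring being overridden. The sample input is constructed from values that appear on this page; the allow-list of benign port names is an assumption to adjust per machine.

```python
import re
from dataclasses import dataclass

# Constructed sample input: firewall, proxy and Security Center lines copied
# from the HAMeb_check and ComboFix output earlier in this thread.
SAMPLE_LOG = r"""[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"3246:TCP"=3246:TCP:*:Enabled:Services
"2479:TCP"=2479:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
"8994:TCP"=8994:TCP:*:Enabled:Services
"8993:TCP"=8993:TCP:*:Enabled:Services

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"54925:UDP"= 54925:UDP:BrotherNetwork Scanner

uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
"AntiVirusOverride"=dword:00000001
"""


@dataclass(frozen=True)
class Finding:
    kind: str        # "open-port", "proxy" or "av-override"
    detail: str
    profile: str = ""   # firewall profile the port entry was found under


PROFILE_RE = re.compile(
    r"^\[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\(\w+)\\GloballyOpenPorts\\List\]$",
    re.IGNORECASE,
)
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"\s*=\s*(.+)$')
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(.+)$")
AV_OVERRIDE_RE = re.compile(r'^"AntiVirusOverride"=dword:0*1$')

# Assumption: port names this machine legitimately opens to any address.
# Every other wildcard-scope entry is reported for review.
KNOWN_BENIGN_NAMES = {"BrotherNetwork Scanner"}


def parse_port_value(value):
    """Split 'port:proto:scope:state:name'; some tools print only 'port:proto:name'."""
    parts = value.split(":")
    port, proto = int(parts[0]), parts[1]
    if len(parts) >= 5:
        return port, proto, parts[2], parts[3], ":".join(parts[4:])
    return port, proto, "", "", ":".join(parts[2:])


def audit_log(text):
    """Return the suspicious entries found in the log text, in the order seen."""
    findings = []
    profile = ""
    for raw in text.splitlines():
        line = raw.strip()
        m = PROFILE_RE.match(line)
        if m:                       # remember which firewall profile we are in
            profile = m.group(1)
            continue
        m = PORT_RE.match(line)
        if m:
            port, proto, scope, state, name = parse_port_value(m.group(3))
            # Scope '*' means any remote address; "Services" is a placeholder
            # name rather than the program that actually opened the port.
            if scope == "*" and state == "Enabled" and name not in KNOWN_BENIGN_NAMES:
                findings.append(Finding(
                    "open-port", f"{port}/{proto} open to any address as '{name}'", profile))
            continue
        m = PROXY_RE.match(line)
        if m and re.search(r"127\.0\.0\.1|localhost", m.group(1)):
            # A proxy on the loopback address lets local software intercept all browsing.
            findings.append(Finding("proxy", f"browser traffic routed through local proxy {m.group(1)}"))
            continue
        if AV_OVERRIDE_RE.match(line):
            findings.append(Finding("av-override", "Security Center antivirus monitoring overridden"))
    return findings


if __name__ == "__main__":
    for f in audit_log(SAMPLE_LOG):
        where = f" [{f.profile}]" if f.profile else ""
        print(f"{f.kind:12} {f.detail}{where}")
```

Run against the sample, the checker reports all seven DomainProfile ports (including 3389, which the fix script above removes as well), the loopback proxy and the AntiVirusOverride flag, and stays quiet about the Brother scanner port, which has no wildcard scope and a descriptive name.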
 

TSF Security Manager, Emeritus
42,836 Posts
We're almost there. :)

I do see that AKM Antivirus 2010 is still on the start menu, is it OK?
Right click it and select 'delete'.


Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
  • Close out all other open programs and windows.
  • Double click the file to run it and follow any prompts.
If the tool detects an mbr infection, please allow it to run mbr -f and shut down your computer.

Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt .
  • When it completes, a log will open.
  • Please post the contents of that log.

*In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.

mbr -f

Now, please do the Start>Run>mbr -f command a second time.
  • Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt.
  • When it completes, a log will open.
  • Please post the contents of that log.
**Important note to Dell users - fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).

==============================

Open notepad and copy/paste the text in the code box below into it:


http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/482004-need-spyware-virus-trojan-removal-help-akm-antivirus-2010-pro-spyware.html#post2722029

Collect::
c:\program files\scdata\dbsinit.exe

Folder::
c:\program files\scdata

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

***************************************************

Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

***************************************************





Referring to the picture above, drag CFScript into ComboFix.exe


When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.


Please post the C:\ComboFix.txt and the log produced by HelpAsst_mebroot_fix
 

Registered
35 Posts
Discussion Starter · #14 · (Edited)
Alrighty, Ried. I followed the instructions and ran both HelpAsst_mebroot_fix.exe and ComboFix. HelpAsst didn't find anything by itself the first time, so I went with the manual procedure and produced the log. ComboFix finished fine with the created CFScript file. I copy-pasted both logs and attached them as well.

Please take a look and let me know what's the next step.

ComboFix.txt:

ComboFix 10-05-10.02 - Phoenitiques 05/12/2010 18:20:31.8.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1013.512 [GMT -4:00]
Running from: c:\documents and settings\Phoenitiques\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Phoenitiques\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

file zipped: c:\program files\scdata\dbsinit.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\scdata
c:\program files\scdata\dbsinit.exe
c:\program files\scdata\images\i1.gif
c:\program files\scdata\images\i2.gif
c:\program files\scdata\images\i3.gif
c:\program files\scdata\images\j1.gif
c:\program files\scdata\images\j2.gif
c:\program files\scdata\images\j3.gif
c:\program files\scdata\images\jj1.gif
c:\program files\scdata\images\jj2.gif
c:\program files\scdata\images\jj3.gif
c:\program files\scdata\images\l1.gif
c:\program files\scdata\images\l2.gif
c:\program files\scdata\images\l3.gif
c:\program files\scdata\images\pix.gif
c:\program files\scdata\images\t1.gif
c:\program files\scdata\images\t2.gif
c:\program files\scdata\images\Thumbs.db
c:\program files\scdata\images\up1.gif
c:\program files\scdata\images\up2.gif
c:\program files\scdata\images\w1.gif
c:\program files\scdata\images\w11.gif
c:\program files\scdata\images\w2.gif
c:\program files\scdata\images\w3.jpg
c:\program files\scdata\images\word.doc
c:\program files\scdata\images\wt1.gif
c:\program files\scdata\images\wt2.gif
c:\program files\scdata\images\wt3.gif
c:\program files\scdata\wispex.html

.
((((((((((((((((((((((((( Files Created from 2010-04-12 to 2010-05-12 )))))))))))))))))))))))))))))))
.

2010-05-12 13:41 . 2010-05-12 13:41 -------- d-----w- C:\HelpAsst_backup
2010-05-12 13:20 . 2010-05-12 13:20 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2010-05-12 13:20 . 2010-05-12 13:20 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2010-05-08 18:54 . 2010-05-08 18:54 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-08 18:51 . 2010-05-09 03:50 -------- d-----w- c:\program files\trend micro
2010-05-08 18:51 . 2010-05-08 18:51 -------- d-----w- C:\rsit
2010-04-17 21:42 . 2010-04-17 21:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Lingoes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-12 22:12 . 2009-01-24 05:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-05-12 04:14 . 2007-12-11 16:05 -------- d-----w- c:\program files\LogMeIn
2010-05-11 15:24 . 2007-12-08 02:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-03 03:39 . 2007-12-20 16:20 -------- d-----w- c:\documents and settings\Phoenitiques\Application Data\uTorrent
2010-04-23 07:59 . 2008-09-12 15:12 13407 ----a-w- c:\windows\system32\cid_store.dat
2010-04-17 21:42 . 2008-03-15 16:11 -------- d-----w- c:\documents and settings\Phoenitiques\Application Data\Lingoes
2010-03-15 17:35 . 2008-06-18 00:01 -------- d-----w- c:\documents and settings\Phoenitiques\Application Data\CopyToDvd
2010-03-11 12:38 . 2006-03-04 03:33 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2009-07-03 03:05 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-08-04 10:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2004-08-04 10:00 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-04 04:58 . 2010-03-04 04:58 389120 ----a-w- c:\windows\system32\CF25496.exe
2010-02-24 13:11 . 2004-08-04 10:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 13:10 . 2005-03-30 01:23 2189952 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2005-03-30 01:01 2066816 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2004-08-04 10:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
.

((((((((((((((((((((((((((((( [email protected]_03.47.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-12 22:09 . 2010-05-12 22:09 16384 c:\windows\temp\Perflib_Perfdata_6dc.dat
- 2004-08-04 10:00 . 2010-05-11 14:21 68744 c:\windows\system32\perfc009.dat
+ 2004-08-04 10:00 . 2010-05-12 22:13 68744 c:\windows\system32\perfc009.dat
+ 2004-08-04 10:00 . 2010-05-12 22:13 437040 c:\windows\system32\perfh009.dat
- 2004-08-04 10:00 . 2010-05-11 14:21 437040 c:\windows\system32\perfh009.dat
- 2007-12-08 01:15 . 2008-04-11 19:04 691712 c:\windows\system32\inetcomm.dll
+ 2007-12-08 01:15 . 2010-01-29 15:01 691712 c:\windows\system32\inetcomm.dll
+ 2007-12-07 20:03 . 2010-05-12 13:23 251880 c:\windows\system32\FNTCACHE.DAT
- 2007-12-07 20:03 . 2010-05-11 14:17 251880 c:\windows\system32\FNTCACHE.DAT
- 2008-08-14 19:40 . 2008-04-11 19:04 691712 c:\windows\system32\dllcache\inetcomm.dll
+ 2008-08-14 19:40 . 2010-01-29 15:01 691712 c:\windows\system32\dllcache\inetcomm.dll
+ 2009-08-11 19:04 . 2010-01-29 15:01 1315328 c:\windows\system32\dllcache\msoe.dll
- 2009-08-11 19:04 . 2009-07-10 13:27 1315328 c:\windows\system32\dllcache\msoe.dll
+ 2007-12-08 17:19 . 2010-04-30 18:51 32058312 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Google Update"="c:\documents and settings\Phoenitiques\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-04 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-17 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-17 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-17 138008]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 63048]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-26 16132608]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-11 368706]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Grid Service"="c:\program files\GridService\peer.exe" [2008-07-13 3375104]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2008-07-10 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2008-07-10 46368]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2009-01-19 1150976]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2009-01-09 114688]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-12-8 113664]
Microsoft Office.lnk - c:\program files\MSXP\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-10-20 05:23 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\dzh\\internet\\hypwise.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\GridService\\peer.exe"=
"c:\\Thunder5.7.6.426-Lite-Final\\Program\\Thunder5.exe"=
"c:\\Program Files\\Maxthon\\Maxthon.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\frd.exe"=
"c:\\Program Files\\QQ2009\\Bin\\QQ.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Documents and Settings\\Phoenitiques\\Desktop\\dzh2\\dzh2.exe"=
"c:\\Documents and Settings\\Phoenitiques\\Desktop\\FlashGet 3\\Flashget3.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Documents and Settings\\Phoenitiques\\Desktop\\eMule_0.48a_VeryCD_Build_071128_Final_\\eMule\\emule.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"54925:UDP"= 54925:UDP:BrotherNetwork Scanner

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/3/2007 4:09 PM 12856]
R3 Alidevice;Alidevice;c:\windows\system32\drivers\alidevice.sys [1/10/2010 1:32 AM 6656]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 6:06 PM 24592]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 7:01 AM 2799808]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/17/2008 2:35 PM 717296]
.
Contents of the 'Scheduled Tasks' folder

2010-05-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-343818398-2049760794-839522115-1003Core.job
- c:\documents and settings\Phoenitiques\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 04:43]

2010-05-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-343818398-2049760794-839522115-1003UA.job
- c:\documents and settings\Phoenitiques\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 04:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: &U???????????? - c:\program files\NamiRobot\Data\du.html
IE: E&xport to Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
IE: ??????(S&martGet) - c:\smartget1.45.3\dl_text.html
IE: ??S&martGet?? - c:\smartget1.45.3\dl_link.htm
IE: ????3?? - c:\documents and settings\Phoenitiques\Desktop\FlashGet 3\GetUrl.htm
IE: ????3?????? - c:\documents and settings\Phoenitiques\Desktop\FlashGet 3\GetAllUrl.htm
IE: ???????? - c:\program files\FlashGet\jc_link.htm
IE: ???????????? - c:\program files\FlashGet\jc_all.htm
IE: ?????? - c:\thunder5.7.6.426-lite-final\Program\geturl.htm
IE: ?????????? - c:\thunder5.7.6.426-lite-final\Program\getallurl.htm
IE: ????Smart&Get?? - c:\smartget1.45.3\dl_all.htm
TCP: {F4230752-7565-4C75-9869-69580885D546} = 205.152.37.23 205.152.144.23
FF - ProfilePath - c:\documents and settings\Phoenitiques\Application Data\Mozilla\Firefox\Profiles\plx9ubg5.default\
FF - plugin: c:\documents and settings\Phoenitiques\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npaliedit.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-12 18:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-343818398-2049760794-839522115-1003\Software\Microsoft\Internet Explorer\MenuExt\O(uë_f�3* N}�]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@="c:\\Documents and Settings\\Phoenitiques\\Desktop\\FlashGet 3\\GetUrl.htm"
"contexts"=dword:00000022

[HKEY_USERS\S-1-5-21-343818398-2049760794-839522115-1003\Software\Microsoft\Internet Explorer\MenuExt\O(uë_f�3* N}�hQè�þ”¥c]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@="c:\\Documents and Settings\\Phoenitiques\\Desktop\\FlashGet 3\\GetAllUrl.htm"
"contexts"=dword:000000f3

[HKEY_USERS\S-1-5-21-343818398-2049760794-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\'Yzfga2*]
"Order"=hex:08,00,00,00,02,00,00,00,66,01,00,00,01,00,00,00,03,00,00,00,6e,00,
00,00,00,00,00,00,60,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,4e,00,36,\

[HKEY_USERS\S-1-5-21-343818398-2049760794-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\'Yzfga°e*NãN4xã‰Hr]
"Order"=hex:08,00,00,00,02,00,00,00,7a,01,00,00,01,00,00,00,03,00,00,00,6e,00,
00,00,00,00,00,00,60,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,4e,00,36,\

[HKEY_LOCAL_MACHINE\software\dzh\SUPERSTK\IndiGroups\”Ni_K*¿~]
"??"="KDJ0\09W&R0\09RSI\09QSZL\09RSI0\09W&R\09KDJ\09"
"1.K???"="K290\09K180\09K390\09K280\09K170\09K380\09K270\09K160\09K370\09K260\09K150\09K360\09K250\09K140\09K350\09K240\09K130\09K340\09K230\09K120\09K330\09K220\09K165\09K132\09K110\09K320\09K210\09K310\09K200\09K134\09K300\09K400\09K190\09"
"2.??K???"="U300\09U190\09U290\09U180\09U280\09U170\09U380\09U270\09U370\09U260\09U150\09U360\09U250\09U140\09U350\09U240\09U130\09U340\09U230\09U120\09U330\09U220\09U110\09U320\09U210\09U100\09U310\09U200\09"
"3.??K???"="D300\09D190\09D290\09D180\09D280\09D170\09D270\09D160\09D260\09D150\09D360\09D250\09D140\09D350\09D240\09D130\09D340\09D230\09D120\09D330\09D220\09D110\09D320\09D210\09D100\09D310\09D200\09"
"4.??K???"="R220\09R110\09R210\09R100\09R200\09R190\09R180\09R170\09R160\09R150\09R140\09R130\09R120\09"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(596)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2010-05-12 18:31:56
ComboFix-quarantined-files.txt 2010-05-12 22:31
ComboFix2.txt 2010-05-11 05:32
ComboFix3.txt 2010-03-04 05:36
ComboFix4.txt 2008-12-12 22:49

Pre-Run: 7,400,964,096 bytes free
Post-Run: 7,361,777,664 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 4EF50236C49112A578F662B7796CA026
Upload was successful



HelpAsst.txt:

C:\Documents and Settings\Phoenitiques\Desktop\HelpAsst_mebroot_fix.exe
Wed 05/12/2010 at 9:41:19.87

HelpAssistant account is Active ~ attempting to de-activate

Account active Yes
Local Group Memberships *Administrators

HelpAssistant successfully set Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll present! ~ attempting to remove
termsrv32.dll successfully removed

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"3246:TCP"=-
"2479:TCP"=-
"3389:TCP"=-
"8994:TCP"=-
"8993:TCP"=-

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list

~~ Checking profile list ~~

HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-343818398-2049760794-839522115-1000
HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant ~ attempting to remove
~ All C:\Documents and Settings\HelpAssistant files successfully removed ~

~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Wed 05/12/2010 at 18:14:10.51

Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x094FE9BD
malicious code @ sector 0x094FE9C0 !
PE file found in sector at 0x094FE9D6 !

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~

TSF Security Manager, Emeritus · 42,836 Posts
Much better. :sayyes:

Your logs are clean.

If there aren't any more problems, we have some final housekeeping to tend to now.

Click Start>Run and copy/paste the following bolded text into the Run box and click OK:

helpasst -cleanup


Next, and please do not skip this step as it will implement some important cleanup procedures, one of which is resetting your System Restore by flushing out previous restore points (which contain the infections) and creating a new restore point for you.


Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /uninstall

--------------------------------------------------------------------

Should you wish to contribute to the ongoing development of ComboFix, donations are being accepted via PayPal.


To help protect your computer in the future I recommend that you follow these steps and look into the following free programs:

  • Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • SpywareBlaster to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
    • SpywareBlaster is a preventative program. It sets flags in the registry to prevent the running of a specific list of bad spyware related ActiveX controls. It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.

  • WOT (Web of Trust). As 'Googling' is such an integral part of internet life, this free browser add-on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an add-on available for both Firefox and IE.


  • Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

  • BACKING UP YOUR REGISTRY
    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders System Restore unavailable by simple means. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.


In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look at these well-written articles.


**Kindly respond one more time and let me know if we may consider this thread resolved.

Registered · 35 Posts · Discussion Starter · #16 · (Edited)
Sorry for the delay, Ried. I ran the last two cleanup steps. The computer is running much better now. Thanks for all your help. I will check out the links you provided to further prevent this from happening again.

I have one last question: I also have an HP Vista Home laptop that I think is running more slowly than it should. I don't know what's causing it, since it doesn't have obvious symptoms like this one with the spyware. However, it always has a handful of svchost processes that jack up the CPU usage and memory. I'd like to let you take a look at that one too. Do I need to open a new thread, or can I post some logs here? Please advise.

Again, thanks a lot for your help, Ried. :grin:

TSF Security Manager, Emeritus · 42,836 Posts
You're welcome, goukoy. :smile:

Yes, please begin a new thread for the laptop. Entitle it Ried - Laptop so it is not mistaken as a duplicate thread.

After you've begun the new thread, come back here and post the link for me. I hope to be able to get to your other computer later today.