Infected by trojan horse psw onlinegames - Please help
   

Ahu
New Member


Date Joined Jun 2008
Total Posts : 13
 
   Posted 7-30-2008 4:05 (GMT +1)
I got the Trojan horse psw onlinegames.xzys. I read the forum and tried to follow the instructions to run Combofix. I rebooted the computer and AVS still detects that there are Trojan horse viruses in my computer, and the number of viruses found increased from 1 to 10+. Please help urgently.
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 14350
 
   Posted 7-30-2008 7:37 (GMT +1)
Hello
 
After you have run the scan tools -
 
Reboot normally
 
Post Hijackthis log along with SuperAntiSpyware log, C: combofix TXT  in this topic
 
Please copy and paste your log. DO NOT add it as an attachment
Kindly do not annotate or format the log with color or font changes.
 
NB. If you are using any P2P (file sharing) programs, please remove them before we clean your computer. We do not clean logs that have P2P applications installed as this can cause reinfection during your cleaning.
 


Do NOT post your problem in someone else's thread.
Member of - Alliance of Security Analysis Professionals
Please do NOT PM me any logs. They will be deleted

 

Ahu
New Member


Date Joined Jun 2008
Total Posts : 13
 
   Posted 7-30-2008 8:04 (GMT +1)
I restarted my computer after all the steps, but AVG still detects that there is a Trojan horse file in my computer. Please help. Below are the logs. A million thanks in advance:
 
Superspyware log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 07/31/2008 at 02:23 AM
Application Version : 4.15.1000
Core Rules Database Version : 3521
Trace Rules Database Version: 1511
Scan type       : Complete Scan
Total Scan Time : 00:36:43
Memory items scanned      : 434
Memory threats detected   : 1
Registry items scanned    : 5507
Registry threats detected : 33
File items scanned        : 16893
File threats detected     : 16
Trojan.Dropper/Packed
 C:\WINDOWS\SYSTEM32\DEBUG.EXE
 C:\WINDOWS\SYSTEM32\DEBUG.EXE
Adware.Vundo Variant
 HKLM\Software\Classes\CLSID\{53D44DB6-E22B-4B17-97D3-572C96CCA6E1}
 HKCR\CLSID\{53D44DB6-E22B-4B17-97D3-572C96CCA6E1}
 HKCR\CLSID\{53D44DB6-E22B-4B17-97D3-572C96CCA6E1}
 HKCR\CLSID\{53D44DB6-E22B-4B17-97D3-572C96CCA6E1}\InProcServer32
 HKCR\CLSID\{53D44DB6-E22B-4B17-97D3-572C96CCA6E1}\InProcServer32#ThreadingModel
 C:\WINDOWS\SYSTEM32\ZSDGFF.DLL
 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{53D44DB6-E22B-4B17-97D3-572C96CCA6E1}
Unclassified.Unknown Origin
 HKLM\Software\Classes\CLSID\{8C41B7F7-3168-400D-A702-0E7EFE0BA304}
 HKCR\CLSID\{8C41B7F7-3168-400D-A702-0E7EFE0BA304}
 HKCR\CLSID\{8C41B7F7-3168-400D-A702-0E7EFE0BA304}
 HKCR\CLSID\{8C41B7F7-3168-400D-A702-0E7EFE0BA304}\InProcServer32
 HKCR\CLSID\{8C41B7F7-3168-400D-A702-0E7EFE0BA304}\InProcServer32#ThreadingModel
 C:\WINDOWS\SYSTEM32\SGDEWG.DLL
 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{8C41B7F7-3168-400D-A702-0E7EFE0BA304}
Trojan.Dropper/Game
 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{259BF3CF-194D-4FE6-9ADB-DE6544B098B6}
 HKCR\CLSID\{259BF3CF-194D-4FE6-9ADB-DE6544B098B6}
 HKCR\CLSID\{259BF3CF-194D-4FE6-9ADB-DE6544B098B6}
 HKCR\CLSID\{259BF3CF-194D-4FE6-9ADB-DE6544B098B6}\InProcServer32
 HKCR\CLSID\{259BF3CF-194D-4FE6-9ADB-DE6544B098B6}\InProcServer32#ThreadingModel
 C:\WINDOWS\SYSTEM32\DNDSAF.DLL
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{C1478412-FE05-43F6-B6BF-A81DC450876A}\RP461\A0117219.DLL
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{C1478412-FE05-43F6-B6BF-A81DC450876A}\RP461\A0117228.DLL
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{C1478412-FE05-43F6-B6BF-A81DC450876A}\RP461\A0118358.DLL
Adware.Tracking Cookie
Trojan.Net-C3B3
 HKCR\C3.bho3
 HKCR\C3.bho3\CLSID
 HKCR\C3.bho3\CurVer
 HKCR\C3.bho3.1
 HKCR\C3.bho3.1\CLSID
 HKCR\TypeLib\{BBD0D9E0-EE99-4C66-AC1E-2E77D40FE7C9}
 HKCR\TypeLib\{BBD0D9E0-EE99-4C66-AC1E-2E77D40FE7C9}\1.0
 HKCR\TypeLib\{BBD0D9E0-EE99-4C66-AC1E-2E77D40FE7C9}\1.0\0
 HKCR\TypeLib\{BBD0D9E0-EE99-4C66-AC1E-2E77D40FE7C9}\1.0\0\win32
 HKCR\TypeLib\{BBD0D9E0-EE99-4C66-AC1E-2E77D40FE7C9}\1.0\FLAGS
 HKCR\TypeLib\{BBD0D9E0-EE99-4C66-AC1E-2E77D40FE7C9}\1.0\HELPDIR
 HKCR\Interface\{35B576B9-5A0F-43D7-8174-2AC714DC3AD2}
 HKCR\Interface\{35B576B9-5A0F-43D7-8174-2AC714DC3AD2}\ProxyStubClsid
 HKCR\Interface\{35B576B9-5A0F-43D7-8174-2AC714DC3AD2}\ProxyStubClsid32
 HKCR\Interface\{35B576B9-5A0F-43D7-8174-2AC714DC3AD2}\TypeLib
 HKCR\Interface\{35B576B9-5A0F-43D7-8174-2AC714DC3AD2}\TypeLib#Version
Trojan.Downloader-Gen/Suspicious
 C:\WINDOWS\SYSTEM32\MYUSEMTK.EXE
 C:\WINDOWS\SYSTEM32\SVCHOST.XY3
 C:\WINDOWS\SYSTEM32\THERBREKK.EXE
 C:\WINDOWS\Prefetch\THERBREKK.EXE-1F9E9C23.pf
 

Ahu
New Member


Date Joined Jun 2008
Total Posts : 13
 
   Posted 7-30-2008 8:06 (GMT +1)
Hijackthis.log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:00, on 2008-07-31
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Chiu\Local Settings\Temporary Internet Files\Content.IE5\SZ43AN43\HiJackThis[1].exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.5.19.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [CONNECTScheduler] "C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe" /RUN_SCHEDULER
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [FixCamera] C:\WINDOWS\FixCamera.exe
O4 - HKLM\..\Run: [tsnp325] C:\WINDOWS\tsnp325.exe
O4 - HKLM\..\Run: [snp325] C:\WINDOWS\vsnp325.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [PPS Accelerator] C:\Program Files\PPStream\ppsap.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKLM\..\Policies\Explorer\Run: [kcodn] knx32.exe
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: CONNECTAUTrayApp.lnk = C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTAUTrayApp.exe
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: TL-WN321G Wireless Utility.lnk = C:\Program Files\TP-LINK\TL-WN321G Wireless Utility\Installer\WINXP\TWCU.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab55579.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
--
End of file - 7477 bytes

Ahu
New Member
Posted 7-30-2008 8:08 (GMT +1)
Combofix log:
ComboFix 08-07-28.6 - Chiu 2008-07-31  2:35:41.3 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.950.852.1033.18.433 [GMT 8:00]
Running from: C:\Documents and Settings\Chiu\Desktop\ComboFix.exe
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\knx32.dll
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_msiffei

(((((((((((((((((((((((((   Files Created from 2008-06-28 to 2008-07-30  )))))))))))))))))))))))))))))))
.
2008-07-31 01:43 . 2008-07-31 01:43 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-31 01:43 . 2008-07-31 01:43 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-31 01:43 . 2008-07-31 01:43 <DIR> d-------- C:\Documents and Settings\Chiu\Application Data\SUPERAntiSpyware.com
2008-07-31 01:43 . 2008-07-31 01:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-30 22:47 . 2008-07-30 22:47 24,576 --a------ C:\WINDOWS\system32\therbrek.dll
2008-07-30 22:33 . 2008-07-31 01:37 <DIR> d--hs---- C:\000067F1
2008-07-30 01:14 . 2008-07-31 02:12 <DIR> d--h----- C:\$AVG8.VAULT$
2008-07-30 01:11 . 2008-07-30 01:25 <DIR> d--hs---- C:\0000630F
2008-07-30 01:07 . 2008-07-30 01:07 <DIR> d--hs---- C:\0000614A
2008-07-30 00:54 . 2008-07-30 00:54 <DIR> d--hs---- C:\00009B55
2008-07-30 00:49 . 2008-07-30 00:49 <DIR> d--hs---- C:\00033181
2008-07-30 00:46 . 2008-07-30 00:46 <DIR> d--hs---- C:\00012584
2008-07-30 00:36 . 2008-07-30 01:22 <DIR> d--hs---- C:\0000639C
2008-07-30 00:10 . 2008-07-30 00:10 28,672 --a------ C:\WINDOWS\system32\keyiftp.dll
2008-07-30 00:10 . 2008-07-30 00:10 24,576 --a------ C:\WINDOWS\system32\xfimerl.dll
2008-07-30 00:10 . 2008-07-30 00:10 24,576 --a------ C:\WINDOWS\system32\dearnts.dll
2008-07-30 00:09 . 2008-07-30 00:09 28,672 --a------ C:\WINDOWS\system32\hourpx2.dll
2008-07-30 00:09 . 2008-07-30 00:09 24,576 --a------ C:\WINDOWS\system32\offecao.dll
2008-07-30 00:06 . 2008-07-30 00:06 24,576 --a------ C:\WINDOWS\system32\jolinos.dll
2008-07-30 00:03 . 2008-07-30 00:03 28,672 --a------ C:\WINDOWS\system32\welyri.dll
2008-07-30 00:02 . 2008-07-30 00:02 24,576 --a------ C:\WINDOWS\system32\googlons.dll
2008-07-30 00:00 . 2008-07-30 00:00 24,576 --a------ C:\WINDOWS\system32\myusemt.dll
2008-07-29 23:58 . 2008-07-30 01:21 <DIR> d--hs---- C:\00005544
2008-07-29 23:55 . 2008-07-29 23:55 <DIR> d--hs---- C:\0000A008
2008-07-29 23:23 . 2008-07-29 23:46 <DIR> d--hs---- C:\000063DA
2008-07-29 22:54 . 2008-07-30 01:24 <DIR> d--hs---- C:\0000660D
2008-07-29 20:08 . 2008-07-30 01:22 <DIR> d--hs---- C:\00006570
2008-07-28 23:42 . 2008-07-29 20:14 <DIR> d--hs---- C:\003D3BB8
2008-07-28 23:41 . 2008-07-28 23:41 <DIR> d--hs---- C:\003D2552
2008-07-16 00:08 . 2008-07-16 00:08 1,073,741,824 --a------ C:\ppsds.pgf
2008-07-12 02:01 . 2008-07-12 02:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-07-12 01:59 . 2008-07-12 02:02 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2008-07-12 01:59 . 2008-07-12 02:02 <DIR> d-------- C:\Program Files\AVS4YOU
2008-07-06 12:11 . 2008-07-31 02:30 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-06 12:11 . 2008-07-06 12:11 <DIR> d-------- C:\Program Files\AVG
2008-07-06 12:11 . 2008-07-09 23:36 <DIR> d-------- C:\Documents and Settings\Chiu\Application Data\AVGTOOLBAR
2008-07-06 12:11 . 2008-07-29 23:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-06 12:11 . 2008-07-12 14:57 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-06 12:11 . 2008-07-06 12:11 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll.old
2008-07-06 12:11 . 2008-07-12 14:57 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-05 20:43 . 2008-07-26 00:53 27 --a------ C:\WINDOWS\ppssg.ini
2008-07-05 20:42 . 2008-07-31 02:29 46 --a------ C:\WINDOWS\PCDNSetting.ini
2008-06-29 21:23 . 2008-07-05 15:03 20 --a------ C:\WINDOWS\powerlist.ini
2008-06-29 21:09 . 2008-07-31 02:29 <DIR> d-------- C:\Program Files\PPStream
2008-06-29 21:09 . 2008-07-31 02:30 1,593 --a------ C:\WINDOWS\psnetwork.ini
2008-06-29 21:09 . 2008-07-27 22:59 1,519 --a------ C:\WINDOWS\powerplayer.ini
2008-06-25 12:41 . 2008-07-31 02:42 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-25 12:41 . 2008-06-25 12:41 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-15 22:59 . 2008-06-15 22:59 <DIR> d-------- C:\Program Files\Windows Mobile Resources
2008-06-15 22:59 . 2005-10-21 09:47 30,592 --------- C:\WINDOWS\system32\drivers\rndismpx.sys
2008-06-15 22:59 . 2005-10-21 09:47 12,800 --------- C:\WINDOWS\system32\drivers\usb8023x.sys
2008-06-15 22:29 . 2005-05-17 16:24 311,296 --a------ C:\WINDOWS\system32\AegisI5.exe
2008-06-15 22:29 . 2006-01-18 13:55 290,918 --a------ C:\WINDOWS\system32\Install7x.dll
2008-06-15 22:29 . 2006-01-12 19:46 252,928 --a------ C:\WINDOWS\system32\drivers\rt73.sys
2008-06-15 22:29 . 2005-10-17 19:50 245,376 --a------ C:\WINDOWS\system32\drivers\rt2500usb.SYS
2008-06-15 22:29 . 2005-11-30 11:33 2,048 --a------ C:\WINDOWS\system32\drivers\rt73.bin
2008-06-15 22:29 . 2005-08-19 15:51 138 --a------ C:\WINDOWS\filespec7x
2008-06-15 22:28 . 2008-06-15 22:28 <DIR> d-------- C:\Program Files\TP-LINK
2008-06-15 22:28 . 2008-06-15 22:28 20,747 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2008-06-11 23:51 . 2008-06-13 21:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 23:51 . 2008-06-13 21:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-28 15:41 4,224 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2008-07-26 07:48 --------- d-----w C:\Documents and Settings\Chiu\Application Data\ppstream
2008-07-11 16:51 --------- d-----w C:\Program Files\BitComet
2008-07-04 16:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-15 15:12 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-06-15 14:28 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-08 12:54 3,932 ----a-w C:\Documents and Settings\Chiu\Application Data\LMLayout.dat
2008-05-08 12:54 268 ----a-w C:\Documents and Settings\Chiu\Application Data\LMCPaper.dat
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2007-04-13 16:45 26,920 ----a-w C:\Documents and Settings\Chiu\Application Data\GDIPFONTCACHEV1.DAT
2006-02-28 12:00 37,696 --sh--w C:\WINDOWS\system32\knx32.exe
.
(((((((((((((((((((((((((((((   snapshot@2008-07-30_ 1.03.02.76   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-07-30 17:43:35 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-07-30 17:43:35 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
- 2008-07-29 16:54:43 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-07-30 14:33:05 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-07-29 16:54:43 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-07-30 14:33:05 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 20:00 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-02-12 22:40 185896]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"CONNECTScheduler"="C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe" [2005-11-15 10:54 69632]
"LMPDPSRV"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE" [2002-09-05 10:05 45056]
"FixCamera"="C:\WINDOWS\FixCamera.exe" [2007-01-30 17:50 20480]
"tsnp325"="C:\WINDOWS\tsnp325.exe" [2006-10-10 15:49 270336]
"snp325"="C:\WINDOWS\vsnp325.exe" [2006-10-10 14:11 827392]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 15:10 271360]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-12 14:57 1232152]
Let me know if you need other info.

Touch
Forum Moderator
Posted 8-1-2008 8:55 (GMT +1)
Please download Malwarebytes' Anti-Malware to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform full scan, then click Scan.

When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click Remove Selected.

When completed, a log will open in Notepad. Please save it to a convenient location.

Copy and paste that log into your next reply, along with a new combofix log and a fresh hijackthis log.

NB: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Do NOT post your problem in someone else's thread.
Member of - Alliance of Security Analysis Professionals
Please do NOT PM me any logs. They will be deleted


Ahu
New Member
Posted 8-2-2008 8:21 (GMT +1)
Thanks for following up my case!  Here are the new logs:
 
mbam-log:
 
Malwarebytes' Anti-Malware 1.24
Database version: 1015
Windows 5.1.2600 Service Pack 2
2:54:58 PM 8/2/2008
mbam-log-8-2-2008 (14-54-58).txt
Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|)
Objects scanned: 95914
Time elapsed: 21 minute(s), 56 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 26
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asc3550v (Rootkit.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\knx32.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\cedafb.dll.vir (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\dndsaf.dll.vir (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\hhrdxd.dll.vir (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\jdsaex.dll.vir (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\jfrwdh.dll.vir (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\jhfrxz.dll.vir (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\jolin0.dll.vir (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\longasus.dll.vir (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\mttwfh.dll.vir (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\rfdswc.dll.vir (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\sgdewg.dll.vir (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\tdggrz.dll.vir (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\wcnonpe.dll.vir (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\wklsdd.dll.vir (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\wyrsdj.dll.vir (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\zefdst.dll.vir (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\zycdex.dll.vir (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C1478412-FE05-43F6-B6BF-A81DC450876A}\RP461\A0118375.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C1478412-FE05-43F6-B6BF-A81DC450876A}\RP463\A0118383.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C1478412-FE05-43F6-B6BF-A81DC450876A}\RP463\A0118384.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C1478412-FE05-43F6-B6BF-A81DC450876A}\RP463\A0118385.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C1478412-FE05-43F6-B6BF-A81DC450876A}\RP463\A0118390.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jolinos.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\myusemt.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tree.com (Spyware.OnlineGames) -> Quarantined and deleted successfully.
 

Ahu
New Member
Posted 8-2-2008 8:22 (GMT +1)
Combo Fix Log:
 
ComboFix 08-07-28.6 - Chiu 2008-08-02 15:02:14.4 - NTFSx86 NETWORK
Microsoft Windows XP Professional  5.1.2600.2.950.852.1033.18.545 [GMT 8:00]
Running from: C:\Documents and Settings\Chiu\Desktop\ComboFix.exe
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\knx32.dll
.
---- Previous Run -------
.
C:\WINDOWS\system32\knx32.dll
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_msiffei

(((((((((((((((((((((((((   Files Created from 2008-07-02 to 2008-08-02  )))))))))))))))))))))))))))))))
.
2008-08-02 14:29 . 2008-08-02 14:29 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-02 14:29 . 2008-08-02 14:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-02 14:29 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-02 14:29 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-02 14:25 . 2008-08-02 14:26 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-31 01:43 . 2008-07-31 01:43 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-31 01:43 . 2008-07-31 01:43 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-31 01:43 . 2008-07-31 01:43 <DIR> d-------- C:\Documents and Settings\Chiu\Application Data\SUPERAntiSpyware.com
2008-07-31 01:43 . 2008-07-31 01:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-30 22:33 . 2008-07-31 01:37 <DIR> d--hs---- C:\[u]0[/u]00067F1
2008-07-30 01:14 . 2008-08-02 00:52 <DIR> d--h----- C:\$AVG8.VAULT$
2008-07-30 01:11 . 2008-08-02 00:52 <DIR> d--hs---- C:\[u]0[/u]000630F
2008-07-30 01:07 . 2008-07-30 01:07 <DIR> d--hs---- C:\[u]0[/u]000614A
2008-07-30 00:54 . 2008-07-30 00:54 <DIR> d--hs---- C:\[u]0[/u]0009B55
2008-07-30 00:49 . 2008-07-30 00:49 <DIR> d--hs---- C:\[u]0[/u]0033181
2008-07-30 00:46 . 2008-07-30 00:46 <DIR> d--hs---- C:\[u]0[/u]0012584
2008-07-30 00:36 . 2008-07-30 01:22 <DIR> d--hs---- C:\[u]0[/u]000639C
2008-07-30 00:10 . 2008-07-30 00:10 28,672 --a------ C:\WINDOWS\system32\keyiftp.dll
2008-07-30 00:10 . 2008-07-30 00:10 24,576 --a------ C:\WINDOWS\system32\xfimerl.dll
2008-07-30 00:10 . 2008-07-30 00:10 24,576 --a------ C:\WINDOWS\system32\dearnts.dll
2008-07-30 00:09 . 2008-07-30 00:09 28,672 --a------ C:\WINDOWS\system32\hourpx2.dll
2008-07-30 00:09 . 2008-07-30 00:09 24,576 --a------ C:\WINDOWS\system32\offecao.dll
2008-07-30 00:03 . 2008-07-30 00:03 28,672 --a------ C:\WINDOWS\system32\welyri.dll
2008-07-30 00:02 . 2008-07-30 00:02 24,576 --a------ C:\WINDOWS\system32\googlons.dll
2008-07-29 23:58 . 2008-07-30 01:21 <DIR> d--hs---- C:\[u]0[/u]0005544
2008-07-29 23:55 . 2008-07-29 23:55 <DIR> d--hs---- C:\[u]0[/u]000A008
2008-07-29 23:23 . 2008-07-29 23:46 <DIR> d--hs---- C:\[u]0[/u]00063DA
2008-07-29 22:54 . 2008-07-30 01:24 <DIR> d--hs---- C:\[u]0[/u]000660D
2008-07-29 20:08 . 2008-07-30 01:22 <DIR> d--hs---- C:\[u]0[/u]0006570
2008-07-28 23:42 . 2008-07-29 20:14 <DIR> d--hs---- C:\[u]0[/u]03D3BB8
2008-07-28 23:41 . 2008-07-28 23:41 <DIR> d--hs---- C:\[u]0[/u]03D2552
2008-07-16 00:08 . 2008-07-16 00:08 1,073,741,824 --a------ C:\ppsds.pgf
2008-07-12 02:01 . 2008-07-12 02:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-07-12 01:59 . 2008-07-12 02:02 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2008-07-12 01:59 . 2008-07-12 02:02 <DIR> d-------- C:\Program Files\AVS4YOU
2008-07-06 12:11 . 2008-08-02 08:51 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-06 12:11 . 2008-07-06 12:11 <DIR> d-------- C:\Program Files\AVG
2008-07-06 12:11 . 2008-07-09 23:36 <DIR> d-------- C:\Documents and Settings\Chiu\Application Data\AVGTOOLBAR
2008-07-06 12:11 . 2008-07-29 23:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-06 12:11 . 2008-07-12 14:57 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-06 12:11 . 2008-07-06 12:11 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll.old
2008-07-06 12:11 . 2008-07-12 14:57 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-05 20:43 . 2008-07-26 00:53 27 --a------ C:\WINDOWS\ppssg.ini
2008-07-05 20:42 . 2008-08-02 14:24 46 --a------ C:\WINDOWS\PCDNSetting.ini
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-01 16:22 --------- d-----w C:\Program Files\PPStream
2008-07-28 15:41 4,224 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2008-07-26 07:48 --------- d-----w C:\Documents and Settings\Chiu\Application Data\ppstream
2008-07-11 16:51 --------- d-----w C:\Program Files\BitComet
2008-07-04 16:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-15 15:12 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-06-15 14:59 --------- d-----w C:\Program Files\Windows Mobile Resources
2008-06-15 14:28 20,747 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-06-15 14:28 --------- d-----w C:\Program Files\TP-LINK
2008-06-15 14:28 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-08 12:54 3,932 ----a-w C:\Documents and Settings\Chiu\Application Data\LMLayout.dat
2008-05-08 12:54 268 ----a-w C:\Documents and Settings\Chiu\Application Data\LMCPaper.dat
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-04-13 16:45 26,920 ----a-w C:\Documents and Settings\Chiu\Application Data\GDIPFONTCACHEV1.DAT
.
(((((((((((((((((((((((((((((   snapshot@2008-07-30_ 1.03.02.76   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-07-30 17:43:35 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-07-30 17:43:35 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
- 2008-07-29 16:54:43 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-07-30 14:33:05 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-07-29 16:54:43 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-07-30 14:33:05 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 20:00 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-02-12 22:40 185896]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"CONNECTScheduler"="C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe" [2005-11-15 10:54 69632]
"LMPDPSRV"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE" [2002-09-05 10:05 45056]
"FixCamera"="C:\WINDOWS\FixCamera.exe" [2007-01-30 17:50 20480]
"tsnp325"="C:\WINDOWS\tsnp325.exe" [2006-10-10 15:49 270336]
"snp325"="C:\WINDOWS\vsnp325.exe" [2006-10-10 14:11 827392]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 15:10 271360]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-12 14:57 1232152]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 10:17 1241088]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe [2007-02-21 23:08:12 1269834]
CONNECTAUTrayApp.lnk - C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTAUTrayApp.exe [2005-11-15 10:54:01 114688]
Lexmark X125 Settings Utility.lnk - C:\Program Files\Lexmark X125\LEX125SU.exe [2007-04-03 21:54:43 1990656]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-18 04:05:56 65588]
TL-WN321G Wireless Utility.lnk - C:\Program Files\TP-LINK\TL-WN321G Wireless Utility\Installer\WINXP\TWCU.exe [2008-06-15 22:28:43 622592]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=therbrek.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\PPStream\\PPStream.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"D:\\TTPlayer\\TTPlayer.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\LMpdpsrv.exe"=
"C:\\Program Files\\vLan\\vLan.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\PPStream\\PPSAP.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18613:TCP"= 18613:TCP:BitComet 18613 TCP
"18613:UDP"= 18613:UDP:BitComet 18613 UDP
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R3 IPvE;IPvE Adapter Driver;C:\WINDOWS\system32\DRIVERS\IPvE.sys [2006-10-31 21:18]
S1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-12 14:57]
S2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-12 14:57]
S2 CVPNDRV;Cisco Systems IPsec Driver;C:\WINDOWS\system32\Drivers\CVPNDRV.sys [2002-10-04 11:18]
S3 SNP325;USB PC Camera (SNPSTD325);C:\WINDOWS\system32\DRIVERS\snp325.sys [2007-01-27 09:56]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b25ad01b-7edf-11dc-984f-00ff3d2fd2b5}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
2007-09-20 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Explorer_Run-kcodn - knx32.exe
ShellExecuteHooks-{006CA8A1-61BC-4774-A54C-F49034270BAD} - C:\WINDOWS\system32\zgtwfx.dll

.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com.hk/
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
O8 -: &D&ownload &with BitComet - C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 -: &D&ownload all video with BitComet - C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 -: &D&ownload all with BitComet - C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 -: 匯出至 Microsoft Excel(&X) - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-02 15:04:30
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

**************************************************************************
.
Completion time: 2008-08-02 15:06:59
ComboFix-quarantined-files.txt  2008-08-02 07:05:55
ComboFix2.txt  2008-07-29 17:03:37
Pre-Run: 19,329,667,072 bytes free
Post-Run: 19,334,492,160 bytes free
193 --- E O F --- 2008-07-09 17:54:51

Ahu
   Posted 8-2-2008 8:24 (GMT +1)
hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 15:12, on 2008-08-02
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Chiu\LOCALS~1\Temp\Rar$EX00.953\HijackThis.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.5.19.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [CONNECTScheduler] "C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe" /RUN_SCHEDULER
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [FixCamera] C:\WINDOWS\FixCamera.exe
O4 - HKLM\..\Run: [tsnp325] C:\WINDOWS\tsnp325.exe
O4 - HKLM\..\Run: [snp325] C:\WINDOWS\vsnp325.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [PPS Accelerator] C:\Program Files\PPStream\ppsap.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: CONNECTAUTrayApp.lnk = C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTAUTrayApp.exe
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: TL-WN321G Wireless Utility.lnk = C:\Program Files\TP-LINK\TL-WN321G Wireless Utility\Installer\WINXP\TWCU.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab55579.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: therbrek.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
Thanks again for following up, Touch!

