Help - Search - Members - Calendar
Full Version: Trojan.Agent keeps coming back
Malwarebytes Forum > Computer Help > Malware Removal - HijackThis Logs
FORMULA_SIN
Mar 5 2009, 07:16 AM
basically i have the same problem as use Hilary had.


here is my COMBFIX LOG...please help...thanks in advance

=======================================


ComboFix 09-03-04.01 - Michael 2009-03-04 23:01:39.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.950.1.1033.18.1535.896 [GMT -8:00]
執行位置: c:\documents and settings\Michael\Desktop\ComboFix.exe
AV: NOD32防毒系統 2.51 *On-access scanning enabled* (Updated)
FW: Norton Internet Worm Protection *disabled*
* 成功創造新還原點
* Resident AV is active


注意 - 這台電腦沒有安裝恢復控制台 !!
.

((((((((((((((((((((((((((((((((((((((( 被刪除的檔案 )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Michael\LOCALS~1\Temp\tmp2.tmp
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://vestepau.cn
.
((((((((((((((((((((((((( 2009-02-05 至 2009-03-05 的新的檔案 )))))))))))))))))))))))))))))))
.

2009-03-04 22:42 . 2009-03-04 22:42 <DIR> d-------- c:\program files\a-squared Free
2009-03-02 18:53 . 2008-04-13 17:12 26,112 --a------ c:\windows\system32\stu2.exe
2009-02-28 22:41 . 2009-02-28 22:41 <DIR> d-------- c:\program files\FormatFactory
2009-02-28 22:41 . 2009-02-28 22:41 <DIR> d-------- c:\documents and settings\Michael\Application Data\Desktopicon
2009-02-27 23:54 . 2009-02-27 23:54 <DIR> d-------- C:\Downloads
2009-02-20 17:33 . 2009-02-20 17:33 <DIR> d-------- c:\program files\7-Zip
2009-02-16 18:06 . 2008-04-13 11:45 26,112 --a------ c:\windows\system32\drivers\usbser.sys
2009-02-16 18:06 . 2008-04-13 11:45 26,112 --a------ c:\windows\system32\dllcache\usbser.sys
2009-02-16 18:06 . 2009-02-16 18:06 0 --ah----- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-02-16 18:06 . 2009-02-16 18:06 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2009-02-16 18:02 . 2009-02-16 18:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Suite
2009-02-15 22:43 . 2009-02-15 22:43 664 --a------ c:\windows\system32\d3d9caps.dat
2009-02-15 22:40 . 2009-02-15 22:40 <DIR> d-------- c:\program files\Windows Media Connect 2
2009-02-15 22:27 . 2009-02-15 22:27 <DIR> d-------- c:\program files\MSXML 6.0
2009-02-15 22:27 . 2009-02-15 22:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Installations
2009-02-15 22:25 . 2009-02-15 22:25 <DIR> d-------- c:\program files\Common Files\muvee Technologies
2009-02-15 22:24 . 2009-02-15 22:24 <DIR> d-------- c:\windows\Globalization
2009-02-15 22:24 . 2009-02-15 22:24 <DIR> d-------- c:\program files\Common Files\Nokia
2009-02-15 22:24 . 2009-02-15 22:24 <DIR> d-------- c:\documents and settings\Michael\Application Data\Nokia
2009-02-15 22:23 . 2009-02-15 22:23 <DIR> d-------- c:\program files\Nokia
2009-02-15 22:23 . 2009-02-15 22:23 <DIR> d-------- c:\program files\DIFX
2009-02-15 22:23 . 2009-02-15 22:23 <DIR> d-------- c:\program files\Common Files\PCSuite
2009-02-15 22:23 . 2009-02-15 22:23 <DIR> d-------- c:\documents and settings\Michael\Application Data\PC Suite
2009-02-15 22:23 . 2007-11-29 10:33 1,419,232 --a------ c:\windows\system32\wdfcoinstaller01005.dll
2009-02-15 22:23 . 2007-11-29 10:39 95,744 --a------ c:\windows\system32\nmwcdcocls.dll
2009-02-15 22:23 . 2007-11-29 10:32 48,128 --a------ c:\windows\system32\nmwcdcls.dll
2009-02-15 22:23 . 2007-09-17 14:53 21,632 --a------ c:\windows\system32\drivers\pccsmcfd.sys
2009-02-15 22:23 . 2007-11-29 10:39 19,328 --a------ c:\windows\system32\drivers\ccdcmbo.sys
2009-02-15 22:23 . 2007-11-29 10:39 16,896 --a------ c:\windows\system32\drivers\ccdcmb.sys
2009-02-15 22:23 . 2007-11-29 10:39 8,064 --a------ c:\windows\system32\drivers\usbser_lowerfltj.sys
2009-02-15 22:23 . 2007-11-29 10:39 8,064 --a------ c:\windows\system32\drivers\usbser_lowerflt.sys
2009-02-15 22:22 . 2009-02-15 22:22 <DIR> d-------- c:\windows\system32\drivers\UMDF
2009-02-15 22:15 . 2009-02-15 22:15 <DIR> d-------- c:\program files\MSBuild
2009-02-15 22:14 . 2009-02-15 22:14 <DIR> d-------- c:\windows\system32\XPSViewer
2009-02-15 22:13 . 2009-02-15 22:13 <DIR> d-------- c:\program files\Reference Assemblies
2009-02-15 22:13 . 2006-06-29 13:07 14,048 --------- c:\windows\system32\spmsg2.dll
2009-02-07 22:06 . 2008-04-13 11:45 32,128 --a------ c:\windows\system32\drivers\usbccgp.sys
2009-02-07 22:06 . 2008-04-13 11:45 32,128 --a------ c:\windows\system32\dllcache\usbccgp.sys
2009-02-07 22:06 . 2008-04-13 11:39 14,592 --a------ c:\windows\system32\drivers\kbdhid.sys
2009-02-07 22:06 . 2008-04-13 11:39 14,592 --a------ c:\windows\system32\dllcache\kbdhid.sys
2009-02-07 22:06 . 2008-04-13 11:45 10,368 --a------ c:\windows\system32\drivers\hidusb.sys
2009-02-07 22:06 . 2008-04-13 11:45 10,368 --a------ c:\windows\system32\dllcache\hidusb.sys

.
(((((((((((((((((((((((((((((((((((((((( 在三個月內被修改的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-03 02:53 17,920 ----a-w c:\windows\system32\userinit.exe
2009-01-21 03:27 502,368 ----a-w c:\windows\system32\drivers\amon.sys
2009-01-21 03:27 270,336 ----a-w c:\windows\system32\imon.dll
2009-01-21 03:27 --------- d-----w c:\program files\Eset
2009-01-21 03:18 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-21 03:18 --------- d-----w c:\documents and settings\Michael\Application Data\Malwarebytes
2009-01-21 03:18 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-21 02:38 --------- d-----w c:\program files\ATS2
2009-01-21 02:13 --------- d-----w c:\program files\BeatTrojan2008
2009-01-21 01:56 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-01-17 05:35 3,594,752 ----a-w c:\windows\system32\dllcache\mshtml.dll
2009-01-15 00:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-15 00:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-12-19 09:10 70,656 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 09:10 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 05:25 634,024 ----a-w c:\windows\system32\dllcache\iexplore.exe
2008-12-19 05:23 161,792 ----a-w c:\windows\system32\dllcache\ieakui.dll
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-12-07 23:22 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-09-17 04:49 358 ----a-w c:\program files\Shortcut to Skype.lnk
2008-02-28 04:13 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2008-07-30 05:42 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008072920080730\index.dat
.

------- Sigcheck -------

2009-03-02 18:53 17920 3d2deea032afd945261542b345733a5f c:\windows\system32\userinit.exe
2004-08-04 20:00 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-13 17:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\ServicePackFiles\i386\userinit.exe
.
((((((((((((((((((((((((((((((((((((( 重要登入點 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白與合法缺省登錄將不會被顯示
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Secure Disks]
@="{666C7836-A9B6-4AB4-94ED-DC238C81E925}"
[HKEY_CLASSES_ROOT\CLSID\{666C7836-A9B6-4AB4-94ED-DC238C81E925}]
2006-04-02 17:08 381952 -ra------ c:\program files\ASUS Security Center\ASUS Security Protect Manager\Bin\SFSShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-01-19 4670968]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2008-07-21 2752512]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-01-20 342848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
"HControl"="c:\windows\ATK0100\HControl.exe" [2006-02-23 106496]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-02-08 7405568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-02-08 86016]
"ASUS Live Update"="c:\program files\ASUS\ASUS Live Update\ALU.exe" [2006-02-21 180224]
"CognizanceTS"="c:\progra~1\ASUSSE~1\ASUSSE~1\Bin\ASTSVCC.dll" [2003-12-22 17920]
"Wireless Console 2"="c:\program files\Wireless Console 2\wcourier.exe" [2005-10-17 987136]
"ACMON"="c:\program files\ASUS\Splendid\ACMON.exe" [2006-05-30 811008]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-25 786521]
"ABLKSR"="c:\windows\ABLKSR\ABLKSR.exe" [2006-01-03 61440]
"Power_Gear"="c:\program files\ASUS\Power4 Gear\BatteryLife.exe" [2006-03-14 90112]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 696320]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"RemoteControl"="c:\program files\ASUSTek\ASUSDVD\PDVDServ.exe" [2005-01-12 32768]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-10-11 180269]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-07 136600]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"QuickTime Task"="c:\program files\K-Lite Codec Pack\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-10 289064]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2008-07-22 909392]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-07-17 177448]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2009-01-20 921600]
"nwiz"="nwiz.exe" [2006-02-08 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-08-13 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
"SMSERIAL"="sm56hlpr.exe" [2006-01-19 c:\windows\sm56hlpr.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
MultiFrame.lnk - c:\program files\ASUS\Asus MultiFrame\MultiFrame.exe [2007-02-03 491520]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-06-07 553021]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Nokia Nseries PC Suite.lnk - c:\program files\Nokia\NNPCS\RunLauncher.exe [2008-05-08 943568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2006-05-02 22:23 40448 c:\program files\ASUS Security Center\ASUS Security Protect Manager\Bin\ASWLNPkg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IfxWlxEN]
2006-03-10 08:20 434176 c:\windows\system32\IfxWlxEN.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=APSHook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ASWLNPkg

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 17:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-12-26 20:48 1410296 c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\FreeStyle\\FSLauncher.exe"=
"c:\\Program Files\\Steam\\SteamApps\\formula_zero\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=

R1 ItSDisk;ItSDisk;c:\windows\system32\drivers\itsdisk.sys [2006-05-16 17840]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2005-11-29 36768]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [2004-08-20 14336]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [2008-07-17 161064]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-08-27 24652]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-02-03 36352]
S2 BeatTrojanHelperOne;BeatTrojanHelperOne;\??\c:\program files\BeatTrojan2008\BeatTrojanHelperOne.sys --> c:\program files\BeatTrojan2008\BeatTrojanHelperOne.sys [?]
S2 木馬清除大師即時監控;木馬清除大師即時監控; [x]
S3 ipswuio;ipswuio;c:\windows\system32\drivers\ipswuio.sys [2007-02-03 34944]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASChannel
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Zshutdown - c:\sysprep\patch\sysprep.cmd


.
------- 而外的掃描 -------
.
uStart Page = hxxp://www.google.com/ig?hl=en
uInternet Settings,ProxyOverride = *.local
IE: &使用 FlashGet 下載 - c:\program files\FlashGet\jc_link.htm
IE: &全部使用 FlashGet 下載 - c:\program files\FlashGet\jc_all.htm
IE: 下載編碼內容(S&martGet) - c:\documents and settings\Michael\Desktop\SmartGet1.45.2\SmartGet1.45.2\dl_text.html
IE: 使用S&martGet下載 - c:\documents and settings\Michael\Desktop\SmartGet1.45.2\SmartGet1.45.2\dl_link.htm
IE: 全部使用Smart&Get下載 - c:\documents and settings\Michael\Desktop\SmartGet1.45.2\SmartGet1.45.2\dl_all.htm
LSP: c:\windows\system32\imon.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-04 23:08:17
Windows 5.1.2600 Service Pack 3 FAT NTAPI

掃描被隱藏的進程 。。。

掃描被隱藏的啟動組 。。。

掃描被隱藏的文件 。。。

掃描完成
被隱藏的檔案: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\(g?nd?Y+^sSBf綮呃]
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1555759637-3371167190-2748196404-1004\Software\ACD Systems\EditLib\Presets\p_/*?IQ]
"上次使用"=hex:3c,3f,78,6d,6c,20,76,65,72,73,69,6f,6e,3d,22,31,2e,30,22,3f,3e,
3c,63,6f,6d,6d,61,6e,64,3e,3c,6e,61,6d,65,3e,4c,43,45,3c,2f,6e,61,6d,65,3e,\
"僅限調亮"=hex:3c,3f,78,6d,6c,20,76,65,72,73,69,6f,6e,3d,22,31,2e,30,22,3f,3e,
3c,63,6f,6d,6d,61,6e,64,3e,3c,6e,61,6d,65,3e,4c,43,45,3c,2f,6e,61,6d,65,3e,\
"僅限調暗"=hex:3c,3f,78,6d,6c,20,76,65,72,73,69,6f,6e,3d,22,31,2e,30,22,3f,3e,
3c,63,6f,6d,6d,61,6e,64,3e,3c,6e,61,6d,65,3e,4c,43,45,3c,2f,6e,61,6d,65,3e,\
"預設值"=hex:3c,3f,78,6d,6c,20,76,65,72,73,69,6f,6e,3d,22,31,2e,30,22,3f,3e,3c,
63,6f,6d,6d,61,6e,64,3e,3c,6e,61,6d,65,3e,4c,43,45,3c,2f,6e,61,6d,65,3e,3c,\
"調亮/調暗"=hex:3c,3f,78,6d,6c,20,76,65,72,73,69,6f,6e,3d,22,31,2e,30,22,3f,3e,
3c,63,6f,6d,6d,61,6e,64,3e,3c,6e,61,6d,65,3e,4c,43,45,3c,2f,6e,61,6d,65,3e,\
.
--------------------- 運行進程下的動態鏈接庫 ---------------------

- - - - - - - > 'winlogon.exe'(996)
c:\program files\ASUS Security Center\ASUS Security Protect Manager\Bin\ASWLNPkg.dll
c:\windows\system32\IfxWlxEN.dll
c:\program files\ASUS Security Center\ASUS Security Protect Manager\Bin\AsChnl.dll
c:\program files\ASUS Security Center\ASUS Security Protect Manager\Bin\ItMsg.dll

- - - - - - - > 'lsass.exe'(1052)
c:\program files\ASUS Security Center\ASUS Security Protect Manager\bin\ASWLNPkg.dll
c:\windows\system32\imon.dll
c:\program files\Eset\pr_imon.dll
.
------------------------ 其他運行進程 ------------------------
.
c:\program files\INTEL\WIRELESS\BIN\EVTENG.EXE
c:\windows\SYSTEM32\DLLHOST.EXE
c:\program files\INTEL\WIRELESS\BIN\S24EVMON.EXE
c:\program files\a-squared Free\a2service.exe
c:\program files\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE
c:\program files\SYMANTEC\LIVEUPDATE\ALUSCHEDULERSVC.EXE
c:\program files\BONJOUR\MDNSRESPONDER.EXE
c:\program files\WIDCOMM\BLUETOOTH SOFTWARE\BIN\BTWDINS.EXE
c:\windows\SYSTEM32\IFXSPMGT.EXE
c:\windows\SYSTEM32\IFXTCS.EXE
c:\program files\JAVA\JRE6\BIN\JQS.EXE
c:\program files\ESET\NOD32KRN.EXE
c:\windows\SYSTEM32\NVSVC32.EXE
c:\program files\INFINEON\SECURITY PLATFORM SOFTWARE\PSDSRVC.EXE
c:\program files\INTEL\WIRELESS\BIN\REGSRVC.EXE
c:\program files\ALCOHOL SOFT\ALCOHOL 120\STARWIND\STARWINDSERVICEAE.EXE
c:\program files\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
c:\windows\SYSTEM32\SCARDSVR.EXE
c:\program files\ASUS SECURITY CENTER\ASUS SECURITY PROTECT MANAGER\BIN\ASGHOST.EXE
c:\program files\INFINEON\SECURITY PLATFORM SOFTWARE\PSDRT.EXE
c:\program files\INFINEON\SECURITY PLATFORM SOFTWARE\SPTNA.EXE
c:\windows\system32\conime.exe
c:\windows\SYSTEM32\RUNDLL32.EXE
c:\windows\SYSTEM32\RUNDLL32.EXE
c:\windows\ATK0100\ATKOSD.exe
c:\windows\system32\ACEngSvr.exe
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer.exe
c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
c:\program files\iPod\bin\iPodService.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
c:\windows\system32\wscntfy.exe
c:\program files\Symantec\LiveUpdate\AUpdate.exe
c:\progra~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
.
**************************************************************************
.
完成時間: 2009-03-04 23:09:43 - 電腦已重新啟動
ComboFix-quarantined-files.txt 2009-03-05 07:09:42

Pre-Run: 11,974,082,560 bytes free
Post-Run: 14,773,452,800 bytes free

285 --- E O F --- 2009-02-26 06:08:57
FORMULA_SIN
Mar 5 2009, 07:22 AM
by the way, i did not install Recovery Console when i ran combofix....

please advise....this is driving me insane...


QUOTE (FORMULA_SIN @ Mar 5 2009, 08:16 AM) *
basically i have the same problem as use Hilary had.


here is my COMBFIX LOG...please help...thanks in advance

=======================================


ComboFix 09-03-04.01 - Michael 2009-03-04 23:01:39.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.950.1.1033.18.1535.896 [GMT -8:00]
執行位置: c:\documents and settings\Michael\Desktop\ComboFix.exe
AV: NOD32防毒系統 2.51 *On-access scanning enabled* (Updated)
FW: Norton Internet Worm Protection *disabled*
* 成功創造新還原點
* Resident AV is active


注意 - 這台電腦沒有安裝恢復控制台 !!
.

((((((((((((((((((((((((((((((((((((((( 被刪除的檔案 )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Michael\LOCALS~1\Temp\tmp2.tmp
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://vestepau.cn
.
((((((((((((((((((((((((( 2009-02-05 至 2009-03-05 的新的檔案 )))))))))))))))))))))))))))))))
.

2009-03-04 22:42 . 2009-03-04 22:42 <DIR> d-------- c:\program files\a-squared Free
2009-03-02 18:53 . 2008-04-13 17:12 26,112 --a------ c:\windows\system32\stu2.exe
2009-02-28 22:41 . 2009-02-28 22:41 <DIR> d-------- c:\program files\FormatFactory
2009-02-28 22:41 . 2009-02-28 22:41 <DIR> d-------- c:\documents and settings\Michael\Application Data\Desktopicon
2009-02-27 23:54 . 2009-02-27 23:54 <DIR> d-------- C:\Downloads
2009-02-20 17:33 . 2009-02-20 17:33 <DIR> d-------- c:\program files\7-Zip
2009-02-16 18:06 . 2008-04-13 11:45 26,112 --a------ c:\windows\system32\drivers\usbser.sys
2009-02-16 18:06 . 2008-04-13 11:45 26,112 --a------ c:\windows\system32\dllcache\usbser.sys
2009-02-16 18:06 . 2009-02-16 18:06 0 --ah----- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-02-16 18:06 . 2009-02-16 18:06 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2009-02-16 18:02 . 2009-02-16 18:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Suite
2009-02-15 22:43 . 2009-02-15 22:43 664 --a------ c:\windows\system32\d3d9caps.dat
2009-02-15 22:40 . 2009-02-15 22:40 <DIR> d-------- c:\program files\Windows Media Connect 2
2009-02-15 22:27 . 2009-02-15 22:27 <DIR> d-------- c:\program files\MSXML 6.0
2009-02-15 22:27 . 2009-02-15 22:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Installations
2009-02-15 22:25 . 2009-02-15 22:25 <DIR> d-------- c:\program files\Common Files\muvee Technologies
2009-02-15 22:24 . 2009-02-15 22:24 <DIR> d-------- c:\windows\Globalization
2009-02-15 22:24 . 2009-02-15 22:24 <DIR> d-------- c:\program files\Common Files\Nokia
2009-02-15 22:24 . 2009-02-15 22:24 <DIR> d-------- c:\documents and settings\Michael\Application Data\Nokia
2009-02-15 22:23 . 2009-02-15 22:23 <DIR> d-------- c:\program files\Nokia
2009-02-15 22:23 . 2009-02-15 22:23 <DIR> d-------- c:\program files\DIFX
2009-02-15 22:23 . 2009-02-15 22:23 <DIR> d-------- c:\program files\Common Files\PCSuite
2009-02-15 22:23 . 2009-02-15 22:23 <DIR> d-------- c:\documents and settings\Michael\Application Data\PC Suite
2009-02-15 22:23 . 2007-11-29 10:33 1,419,232 --a------ c:\windows\system32\wdfcoinstaller01005.dll
2009-02-15 22:23 . 2007-11-29 10:39 95,744 --a------ c:\windows\system32\nmwcdcocls.dll
2009-02-15 22:23 . 2007-11-29 10:32 48,128 --a------ c:\windows\system32\nmwcdcls.dll
2009-02-15 22:23 . 2007-09-17 14:53 21,632 --a------ c:\windows\system32\drivers\pccsmcfd.sys
2009-02-15 22:23 . 2007-11-29 10:39 19,328 --a------ c:\windows\system32\drivers\ccdcmbo.sys
2009-02-15 22:23 . 2007-11-29 10:39 16,896 --a------ c:\windows\system32\drivers\ccdcmb.sys
2009-02-15 22:23 . 2007-11-29 10:39 8,064 --a------ c:\windows\system32\drivers\usbser_lowerfltj.sys
2009-02-15 22:23 . 2007-11-29 10:39 8,064 --a------ c:\windows\system32\drivers\usbser_lowerflt.sys
2009-02-15 22:22 . 2009-02-15 22:22 <DIR> d-------- c:\windows\system32\drivers\UMDF
2009-02-15 22:15 . 2009-02-15 22:15 <DIR> d-------- c:\program files\MSBuild
2009-02-15 22:14 . 2009-02-15 22:14 <DIR> d-------- c:\windows\system32\XPSViewer
2009-02-15 22:13 . 2009-02-15 22:13 <DIR> d-------- c:\program files\Reference Assemblies
2009-02-15 22:13 . 2006-06-29 13:07 14,048 --------- c:\windows\system32\spmsg2.dll
2009-02-07 22:06 . 2008-04-13 11:45 32,128 --a------ c:\windows\system32\drivers\usbccgp.sys
2009-02-07 22:06 . 2008-04-13 11:45 32,128 --a------ c:\windows\system32\dllcache\usbccgp.sys
2009-02-07 22:06 . 2008-04-13 11:39 14,592 --a------ c:\windows\system32\drivers\kbdhid.sys
2009-02-07 22:06 . 2008-04-13 11:39 14,592 --a------ c:\windows\system32\dllcache\kbdhid.sys
2009-02-07 22:06 . 2008-04-13 11:45 10,368 --a------ c:\windows\system32\drivers\hidusb.sys
2009-02-07 22:06 . 2008-04-13 11:45 10,368 --a------ c:\windows\system32\dllcache\hidusb.sys

.
(((((((((((((((((((((((((((((((((((((((( 在三個月內被修改的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-03 02:53 17,920 ----a-w c:\windows\system32\userinit.exe
2009-01-21 03:27 502,368 ----a-w c:\windows\system32\drivers\amon.sys
2009-01-21 03:27 270,336 ----a-w c:\windows\system32\imon.dll
2009-01-21 03:27 --------- d-----w c:\program files\Eset
2009-01-21 03:18 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-21 03:18 --------- d-----w c:\documents and settings\Michael\Application Data\Malwarebytes
2009-01-21 03:18 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-21 02:38 --------- d-----w c:\program files\ATS2
2009-01-21 02:13 --------- d-----w c:\program files\BeatTrojan2008
2009-01-21 01:56 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-01-17 05:35 3,594,752 ----a-w c:\windows\system32\dllcache\mshtml.dll
2009-01-15 00:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-15 00:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-12-19 09:10 70,656 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 09:10 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 05:25 634,024 ----a-w c:\windows\system32\dllcache\iexplore.exe
2008-12-19 05:23 161,792 ----a-w c:\windows\system32\dllcache\ieakui.dll
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-12-07 23:22 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-09-17 04:49 358 ----a-w c:\program files\Shortcut to Skype.lnk
2008-02-28 04:13 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2008-07-30 05:42 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008072920080730\index.dat
.

------- Sigcheck -------

2009-03-02 18:53 17920 3d2deea032afd945261542b345733a5f c:\windows\system32\userinit.exe
2004-08-04 20:00 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-13 17:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\ServicePackFiles\i386\userinit.exe
.
((((((((((((((((((((((((((((((((((((( 重要登入點 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白與合法缺省登錄將不會被顯示
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Secure Disks]
@="{666C7836-A9B6-4AB4-94ED-DC238C81E925}"
[HKEY_CLASSES_ROOT\CLSID\{666C7836-A9B6-4AB4-94ED-DC238C81E925}]
2006-04-02 17:08 381952 -ra------ c:\program files\ASUS Security Center\ASUS Security Protect Manager\Bin\SFSShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-01-19 4670968]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2008-07-21 2752512]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-01-20 342848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
"HControl"="c:\windows\ATK0100\HControl.exe" [2006-02-23 106496]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-02-08 7405568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-02-08 86016]
"ASUS Live Update"="c:\program files\ASUS\ASUS Live Update\ALU.exe" [2006-02-21 180224]
"CognizanceTS"="c:\progra~1\ASUSSE~1\ASUSSE~1\Bin\ASTSVCC.dll" [2003-12-22 17920]
"Wireless Console 2"="c:\program files\Wireless Console 2\wcourier.exe" [2005-10-17 987136]
"ACMON"="c:\program files\ASUS\Splendid\ACMON.exe" [2006-05-30 811008]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-25 786521]
"ABLKSR"="c:\windows\ABLKSR\ABLKSR.exe" [2006-01-03 61440]
"Power_Gear"="c:\program files\ASUS\Power4 Gear\BatteryLife.exe" [2006-03-14 90112]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 696320]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"RemoteControl"="c:\program files\ASUSTek\ASUSDVD\PDVDServ.exe" [2005-01-12 32768]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-10-11 180269]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-07 136600]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"QuickTime Task"="c:\program files\K-Lite Codec Pack\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-10 289064]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2008-07-22 909392]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-07-17 177448]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2009-01-20 921600]
"nwiz"="nwiz.exe" [2006-02-08 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-08-13 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
"SMSERIAL"="sm56hlpr.exe" [2006-01-19 c:\windows\sm56hlpr.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
MultiFrame.lnk - c:\program files\ASUS\Asus MultiFrame\MultiFrame.exe [2007-02-03 491520]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-06-07 553021]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Nokia Nseries PC Suite.lnk - c:\program files\Nokia\NNPCS\RunLauncher.exe [2008-05-08 943568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2006-05-02 22:23 40448 c:\program files\ASUS Security Center\ASUS Security Protect Manager\Bin\ASWLNPkg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IfxWlxEN]
2006-03-10 08:20 434176 c:\windows\system32\IfxWlxEN.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=APSHook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ASWLNPkg

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 17:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-12-26 20:48 1410296 c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\FreeStyle\\FSLauncher.exe"=
"c:\\Program Files\\Steam\\SteamApps\\formula_zero\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=

R1 ItSDisk;ItSDisk;c:\windows\system32\drivers\itsdisk.sys [2006-05-16 17840]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2005-11-29 36768]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [2004-08-20 14336]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [2008-07-17 161064]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-08-27 24652]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-02-03 36352]
S2 BeatTrojanHelperOne;BeatTrojanHelperOne;\??\c:\program files\BeatTrojan2008\BeatTrojanHelperOne.sys --> c:\program files\BeatTrojan2008\BeatTrojanHelperOne.sys [?]
S2 木馬清除大師即時監控;木馬清除大師即時監控; [x]
S3 ipswuio;ipswuio;c:\windows\system32\drivers\ipswuio.sys [2007-02-03 34944]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASChannel
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Zshutdown - c:\sysprep\patch\sysprep.cmd


.
------- 而外的掃描 -------
.
uStart Page = hxxp://www.google.com/ig?hl=en
uInternet Settings,ProxyOverride = *.local
IE: &使用 FlashGet 下載 - c:\program files\FlashGet\jc_link.htm
IE: &全部使用 FlashGet 下載 - c:\program files\FlashGet\jc_all.htm
IE: 下載編碼內容(S&martGet) - c:\documents and settings\Michael\Desktop\SmartGet1.45.2\SmartGet1.45.2\dl_text.html
IE: 使用S&martGet下載 - c:\documents and settings\Michael\Desktop\SmartGet1.45.2\SmartGet1.45.2\dl_link.htm
IE: 全部使用Smart&Get下載 - c:\documents and settings\Michael\Desktop\SmartGet1.45.2\SmartGet1.45.2\dl_all.htm
LSP: c:\windows\system32\imon.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-04 23:08:17
Windows 5.1.2600 Service Pack 3 FAT NTAPI

掃描被隱藏的進程 。。。

掃描被隱藏的啟動組 。。。

掃描被隱藏的文件 。。。

掃描完成
被隱藏的檔案: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\(g?nd?Y+^sSBf綮呃]
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1555759637-3371167190-2748196404-1004\Software\ACD Systems\EditLib\Presets\p_/*?IQ]
"上次使用"=hex:3c,3f,78,6d,6c,20,76,65,72,73,69,6f,6e,3d,22,31,2e,30,22,3f,3e,
3c,63,6f,6d,6d,61,6e,64,3e,3c,6e,61,6d,65,3e,4c,43,45,3c,2f,6e,61,6d,65,3e,\
"僅限調亮"=hex:3c,3f,78,6d,6c,20,76,65,72,73,69,6f,6e,3d,22,31,2e,30,22,3f,3e,
3c,63,6f,6d,6d,61,6e,64,3e,3c,6e,61,6d,65,3e,4c,43,45,3c,2f,6e,61,6d,65,3e,\
"僅限調暗"=hex:3c,3f,78,6d,6c,20,76,65,72,73,69,6f,6e,3d,22,31,2e,30,22,3f,3e,
3c,63,6f,6d,6d,61,6e,64,3e,3c,6e,61,6d,65,3e,4c,43,45,3c,2f,6e,61,6d,65,3e,\
"預設值"=hex:3c,3f,78,6d,6c,20,76,65,72,73,69,6f,6e,3d,22,31,2e,30,22,3f,3e,3c,
63,6f,6d,6d,61,6e,64,3e,3c,6e,61,6d,65,3e,4c,43,45,3c,2f,6e,61,6d,65,3e,3c,\
"調亮/調暗"=hex:3c,3f,78,6d,6c,20,76,65,72,73,69,6f,6e,3d,22,31,2e,30,22,3f,3e,
3c,63,6f,6d,6d,61,6e,64,3e,3c,6e,61,6d,65,3e,4c,43,45,3c,2f,6e,61,6d,65,3e,\
.
--------------------- 運行進程下的動態鏈接庫 ---------------------

- - - - - - - > 'winlogon.exe'(996)
c:\program files\ASUS Security Center\ASUS Security Protect Manager\Bin\ASWLNPkg.dll
c:\windows\system32\IfxWlxEN.dll
c:\program files\ASUS Security Center\ASUS Security Protect Manager\Bin\AsChnl.dll
c:\program files\ASUS Security Center\ASUS Security Protect Manager\Bin\ItMsg.dll

- - - - - - - > 'lsass.exe'(1052)
c:\program files\ASUS Security Center\ASUS Security Protect Manager\bin\ASWLNPkg.dll
c:\windows\system32\imon.dll
c:\program files\Eset\pr_imon.dll
.
------------------------ 其他運行進程 ------------------------
.
c:\program files\INTEL\WIRELESS\BIN\EVTENG.EXE
c:\windows\SYSTEM32\DLLHOST.EXE
c:\program files\INTEL\WIRELESS\BIN\S24EVMON.EXE
c:\program files\a-squared Free\a2service.exe
c:\program files\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE
c:\program files\SYMANTEC\LIVEUPDATE\ALUSCHEDULERSVC.EXE
c:\program files\BONJOUR\MDNSRESPONDER.EXE
c:\program files\WIDCOMM\BLUETOOTH SOFTWARE\BIN\BTWDINS.EXE
c:\windows\SYSTEM32\IFXSPMGT.EXE
c:\windows\SYSTEM32\IFXTCS.EXE
c:\program files\JAVA\JRE6\BIN\JQS.EXE
c:\program files\ESET\NOD32KRN.EXE
c:\windows\SYSTEM32\NVSVC32.EXE
c:\program files\INFINEON\SECURITY PLATFORM SOFTWARE\PSDSRVC.EXE
c:\program files\INTEL\WIRELESS\BIN\REGSRVC.EXE
c:\program files\ALCOHOL SOFT\ALCOHOL 120\STARWIND\STARWINDSERVICEAE.EXE
c:\program files\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
c:\windows\SYSTEM32\SCARDSVR.EXE
c:\program files\ASUS SECURITY CENTER\ASUS SECURITY PROTECT MANAGER\BIN\ASGHOST.EXE
c:\program files\INFINEON\SECURITY PLATFORM SOFTWARE\PSDRT.EXE
c:\program files\INFINEON\SECURITY PLATFORM SOFTWARE\SPTNA.EXE
c:\windows\system32\conime.exe
c:\windows\SYSTEM32\RUNDLL32.EXE
c:\windows\SYSTEM32\RUNDLL32.EXE
c:\windows\ATK0100\ATKOSD.exe
c:\windows\system32\ACEngSvr.exe
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer.exe
c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
c:\program files\iPod\bin\iPodService.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
c:\windows\system32\wscntfy.exe
c:\program files\Symantec\LiveUpdate\AUpdate.exe
c:\progra~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
.
**************************************************************************
.
完成時間: 2009-03-04 23:09:43 - 電腦已重新啟動
ComboFix-quarantined-files.txt 2009-03-05 07:09:42

Pre-Run: 11,974,082,560 bytes free
Post-Run: 14,773,452,800 bytes free

285 --- E O F --- 2009-02-26 06:08:57
FORMULA_SIN
Mar 5 2009, 07:31 AM
here is my MBAM log

===============================
Malwarebytes' Anti-Malware 1.33
Database version: 1673
Windows 5.1.2600 Service Pack 3

2009/3/4 下午 11:27:50
mbam-log-2009-03-04 (23-27-43).txt

Scan type: Quick Scan
Objects scanned: 56650
Time elapsed: 2 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
FORMULA_SIN
Mar 5 2009, 05:32 PM
help anyone??? please
AdvancedSetup
Mar 7 2009, 11:12 AM
Please update MBAM and scan again.

YOUR VERSION
Malwarebytes' Anti-Malware 1.33
Database version: 1673


CURRENT VERSION
Malwarebytes' Anti-Malware 1.34
Database version: 1825



Update and Scan with Malwarebytes' Anti-Malware
  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new Hijackthis log.
FORMULA_SIN
Mar 8 2009, 01:51 AM
here are the logs

MBAM:
Malwarebytes' Anti-Malware 1.34
Database version: 1825
Windows 5.1.2600 Service Pack 3

3/7/2009 7:47:48 AM
mbam-log-2009-03-07 (07-47-43).txt

Scan type: Quick Scan
Objects scanned: 70756
Time elapsed: 2 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

============================================================

Hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:48:20 AM, on 3/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
c:\WINDOWS\system32\IFXSPMGT.exe
c:\WINDOWS\system32\IFXTCS.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Infineon\Security Platform Software\PSDsrvc.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\Program Files\ASUS Security Center\ASUS Security Protect Manager\Bin\AsGHost.exe
c:\Program Files\Infineon\Security Platform Software\PSDrt.exe
c:\Program Files\Infineon\Security Platform Software\SpTna.exe
C:\WINDOWS\system32\SVCHOST.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\ASUS\Splendid\ACMON.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\ACEngSvr.exe
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\ASUS\Asus MultiFrame\MultiFrame.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [ASUS Live Update] C:\Program Files\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe c:\PROGRA~1\ASUSSE~1\ASUSSE~1\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [Wireless Console 2] C:\Program Files\Wireless Console 2\wcourier.exe
O4 - HKLM\..\Run: [ACMON] C:\Program Files\ASUS\Splendid\ACMON.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ABLKSR] C:\windows\ABLKSR\ABLKSR.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe -silent
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - Global Startup: MultiFrame.lnk = ?
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - http://messenger.zone.msn.com/binary/Upwords.cab55200.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab55762.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab55579.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: APSHook.dll
O20 - Winlogon Notify: OneCard - c:\Program Files\ASUS Security Center\ASUS Security Protect Manager\Bin\ASWLNPkg.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour ?? (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - c:\WINDOWS\system32\IFXSPMGT.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - c:\WINDOWS\system32\IFXTCS.exe
O23 - Service: iPod ?? (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Infineon Technologies AG - c:\Program Files\Infineon\Security Platform Software\PSDsrvc.EXE
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Nokia\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 12303 bytes
FORMULA_SIN
Mar 8 2009, 02:10 AM
i think i fixed it..i renamed the userinit.exe to userinit.bad.exe.....then i detele it mannual...then i went and copy the original userinit.exe from the Windows XP CD...

quick scan show no infection....doing a full scan now...
AdvancedSetup
Mar 8 2009, 04:31 AM
Yes, that is good. Many users don't have access to the CD.

You should run an Anti-Virus scan to make sure nothing else is left over. I would recommend you update your current AV and do a scan, then do one with another scanner online to make sure.



Please run an Online Anti-Virus scan with either the Java or ActiveX version of Kaspersky

Java Version

Run Kaspersky Online AV Scanner

Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan and then put the kettle on!
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place like your Desktop. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.



ActiveX version

Run Kaspersky Online AV Scanner
Using Internet Explorer Go to http://www.kaspersky.com/kos/eng/partner/d...kavwebscan.html and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer" and then put the kettle on!
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.
FORMULA_SIN
Mar 8 2009, 11:15 PM
hi advance,

here is the online scan...

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, March 8, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, March 08, 2009 21:18:47
Records in database: 1880883
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 95897
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 00:59:55


File name / Threat name / Threats count
C:\Program Files\Eset\infected\12JKLMDA.NQF Infected: Trojan.Win32.FraudPack.kho 1

The selected area was scanned.


=============================================================

hi jack this


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:14:59 PM, on 3/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
c:\WINDOWS\system32\IFXSPMGT.exe
c:\WINDOWS\system32\IFXTCS.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Infineon\Security Platform Software\PSDsrvc.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\Program Files\ASUS Security Center\ASUS Security Protect Manager\Bin\AsGHost.exe
c:\Program Files\Infineon\Security Platform Software\PSDrt.exe
c:\Program Files\Infineon\Security Platform Software\SpTna.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\ASUS\Splendid\ACMON.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ACEngSvr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\ASUS\Asus MultiFrame\MultiFrame.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [ASUS Live Update] C:\Program Files\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe c:\PROGRA~1\ASUSSE~1\ASUSSE~1\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [Wireless Console 2] C:\Program Files\Wireless Console 2\wcourier.exe
O4 - HKLM\..\Run: [ACMON] C:\Program Files\ASUS\Splendid\ACMON.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ABLKSR] C:\windows\ABLKSR\ABLKSR.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe -silent
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - Global Startup: MultiFrame.lnk = ?
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - http://messenger.zone.msn.com/binary/Upwords.cab55200.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab55762.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab55579.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: APSHook.dll
O20 - Winlogon Notify: OneCard - c:\Program Files\ASUS Security Center\ASUS Security Protect Manager\Bin\ASWLNPkg.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour ?? (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - c:\WINDOWS\system32\IFXSPMGT.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - c:\WINDOWS\system32\IFXTCS.exe
O23 - Service: iPod ?? (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Infineon Technologies AG - c:\Program Files\Infineon\Security Platform Software\PSDsrvc.EXE
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Nokia\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 12316 bytes
AdvancedSetup
Mar 9 2009, 05:45 AM
Looks good. That file was just one that ESET AV already removed.

Please empty the Quarantine from ESET NOD32 and from MBAM if there are any. Then I'll leave you with this as you appear to be clean now.


Please remove Combofix. Click on START - RUN and type in Combofix.exe /U (there is a space between combofix.exe and the /U ) and click OK and remove CF.



Great, all looks good now.

I'll close your post soon so that other don't post into it and leave you with this information and suggestions.

So how did I get infected in the first place?


At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.
Now that you appear to be clean, please follow these simple steps in order to keep your computer clean and secure:

Remove all but the most recent Restore Point on Windows XP

You should Create a New Restore Point to prevent possible reinfection from an old one.
Some of the malware you picked up could have been saved in System Restore.
Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point.
Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • If the shortcut is missing you can also click on START > RUN > and type in %SystemRoot%\system32\restore\rstrui.exe and click OK
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
  • Give the new Restore Point a name, then click "Create".
  • The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use the Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr.exe
  • Select the drive where Windows is installed and click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
  • On the Disk Cleanup tab, if the System Restore: Obsolete Data Stores entry is available remove them also.
  • These are files that were created before Windows was reformatted or reinstalled. They are obsolete and you can delete them.



Additional information
Microsoft KB article: How to turn off and turn on System Restore in Windows XP
Bert Kinney's site: All about Windows System Restore


Here are some free programs I recommend that could help you improve your computer's security.

Install SpyWare Blaster
Download it from here
Find here the tutorial on how to use Spyware Blaster here

Install WinPatrol
Download it from here
Here you can find information about how WinPatrol works here

Install FireTrust SiteHound
You can find information and download it from here

Install hpHosts
Download it from here
hpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad,
tracking and malicious websites. This prevents your computer from connecting to these untrusted sites
by redirecting them to 127.0.0.1 which is your own local computer.
hpHosts Support Forum

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com
Note 1: If you are running Windows XP SP2, you should upgrade to SP3.
Note 2: Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3.
The security suite can then be reinstalled afterwards.

The windows firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic and this is a must.
I recommend Online Armor Free

A little outdated but good reading on how to prevent Malware

Keep safe online and happy surfing.



Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you Fully Understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you, just follow the Pre-Hijackthis instructions found here before posting Pre- HJT Post Instructions


Also don't forget that we offer FREE assistance with General PC questions and repair here PC Help
If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know. http://www.malwarebytes.org
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
Invision Power Board © 2001-2010 Invision Power Services, Inc.