
bakura_revenge
Honorary Members
Posts: 36
Reputation: 0 Neutral
  1. * Avira AntiVir Rescue System - goes to sleep after first screen
     * Dr Web LiveCD - line error, program terminated
     * F-Secure Rescue CD - goes to sleep after first screen
     * BitDefender LiveCD - goes to sleep after first screen
     * Kaspersky RescueDisk - CRC error, system halt (going to ask their help)

     Meanwhile, this is what I get from Avira (not updated, because of a manual update file error):

     Avira AntiVir Personal
     Report file date: Wednesday, November 18, 2009 21:25

     Scanning for 1562564 virus strains and unwanted programs.

     Licensee : Avira AntiVir Personal - FREE Antivirus
     Serial number : 0000149996-ADJIE-0000001
     Platform : Windows XP
     Windows version : (Service Pack 3) [5.1.2600]
     Boot mode : Save mode
     Username : sakri
     Computer name : SAKRI-147CE5497

     Version information:
     BUILD.DAT : 9.0.0.407 17961 Bytes 7/29/2009 10:34:00
     AVSCAN.EXE : 9.0.3.7 466689 Bytes 7/21/2009 06:36:14
     AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 03:58:24
     LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 04:35:49
     LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 03:58:52
     ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 05:30:36
     ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 6/24/2009 02:21:42
     ANTIVIR2.VDF : 7.1.4.253 1779200 Bytes 7/19/2009 15:08:01
     ANTIVIR3.VDF : 7.1.5.19 139776 Bytes 7/23/2009 00:36:13
     Engineversion : 8.2.0.228
     AEVDF.DLL : 8.1.1.1 106868 Bytes 7/28/2009 06:31:50
     AESCRIPT.DLL : 8.1.2.18 442746 Bytes 7/23/2009 02:59:39
     AESCN.DLL : 8.1.2.4 127348 Bytes 7/23/2009 02:59:39
     AERDL.DLL : 8.1.2.4 430452 Bytes 7/23/2009 02:59:39
     AEPACK.DLL : 8.1.3.18 401783 Bytes 7/28/2009 06:31:50
     AEOFFICE.DLL : 8.1.0.38 196987 Bytes 7/23/2009 02:59:39
     AEHEUR.DLL : 8.1.0.143 1864055 Bytes 7/23/2009 02:59:39
     AEHELP.DLL : 8.1.5.3 233846 Bytes 7/23/2009 02:59:39
     AEGEN.DLL : 8.1.1.50 352629 Bytes 7/23/2009 02:59:39
     AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 07:32:40
     AECORE.DLL : 8.1.7.6 184694 Bytes 7/23/2009 02:59:39
     AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 07:32:40
     AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 01:47:59
     AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 03:32:15
     AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 07:34:28
     AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 03:32:09
     AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 08:05:41
     AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 03:37:08
     SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 08:03:49
     SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 01:21:33
     NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 03:32:10
     RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 08:39:58
     RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 03:19:48

     Configuration settings for the scan:
     Jobname.............................: Short system scan after installation
     Configuration file..................: c:\program files\avira\antivir desktop\setupprf.dat
     Logging.............................: low
     Primary action......................: interactive
     Secondary action....................: ignore
     Scan master boot sector.............: on
     Scan boot sector....................: on
     Process scan........................: on
     Scan registry.......................: on
     Search for rootkits.................: off
     Integrity checking of system files..: off
     Scan all files......................: Intelligent file selection
     Scan archives.......................: on
     Recursion depth.....................: 20
     Smart extensions....................: on
     Macro heuristic.....................: on
     File heuristic......................: medium

     Start of the scan: Wednesday, November 18, 2009 21:25

     The scan of running processes will be started
     Catched Exception in SCAN_ProcessList
     ACCESS_VIOLATION
     EAX = 00000000
     EBX = 00BE7918
     ECX = 78C3DF5C
     EDX = 00000058
     ESI = 00AE1008
     EDI = 00ae1008
     EIP = 00412DAE
     EBP = 00AE1008
     ESP = 01BFFE08
     Flg = 00010246
     CS = 00000023
     SS = 0000001B

     Starting master boot sector scan:
     Master boot sector HD0
     [iNFO] No virus was found!
     Master boot sector HD1
     [iNFO] No virus was found!
     Master boot sector HD2
     [iNFO] No virus was found!

     Start scanning boot sectors:

     Starting to scan executable files (registry).
     C:\WINDOWS\system32\ati2evxx.dll
     [DETECTION] Contains recognition pattern of the WORM/Vodoo.2 worm
     [WARNING] 'Contains recognition pattern of the WORM/Vodoo.2 worm'. This detection is probably an error. Please send us this file immediately for further analysis.
     C:\WINDOWS\system32\cryptnet.dll
     [WARNING] An exception has been identified!
     [WARNING] In the module 'aecore.dll' an exception occured. Calling the function AVEPROC_TestFile in file: \\?\C:\WINDOWS\system32\cryptnet.dll
     Error description:ACCESS_VIOLATION
     EAX = 74726F46
     EBX = 0001B62F
     ECX = 00004D64
     EDX = 04230020
     ESI = 013483C4
     EDI = 01e60020
     EIP = 01513B62
     EBP = 0434AA74
     ESP = 01BFF9B8
     Flg = 00010202
     CS = 00000023
     SS = 0000001B
     The registry was scanned ( '54' files ).

     End of the scan: Wednesday, November 18, 2009 21:25
     Used time: 00:05 Minute(s)

     The scan has been done completely.

     0 Scanned directories
     55 Files were scanned
     1 Viruses and/or unwanted programs were found
     0 Files were classified as suspicious
     0 files were deleted
     0 Viruses and unwanted programs were repaired
     0 Files were moved to quarantine
     0 Files were renamed
     0 Files cannot be scanned
     54 Files not concerned
     0 Archives were scanned
     3 Warnings
     0 Notes

     Full Scan

     Avira AntiVir Personal
     Report file date: Wednesday, November 18, 2009 21:31

     Scanning for 1913262 virus strains and unwanted programs.

     Licensee : Avira AntiVir Personal - FREE Antivirus
     Serial number : 0000149996-ADJIE-0000001
     Platform : Windows XP
     Windows version : (Service Pack 3) [5.1.2600]
     Boot mode : Save mode
     Username : sakri
     Computer name : SAKRI-147CE5497

     Version information:
     BUILD.DAT : 9.0.0.407 17961 Bytes 7/29/2009 10:34:00
     AVSCAN.EXE : 9.0.3.7 466689 Bytes 7/21/2009 06:36:14
     AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 03:58:24
     LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 04:35:49
     LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 03:58:52
     ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 06:50:58
     ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 6/24/2009 06:50:58
     ANTIVIR2.VDF : 7.1.6.222 5998592 Bytes 11/11/2009 09:56:32
     ANTIVIR3.VDF : 7.1.6.246 254464 Bytes 11/17/2009 08:47:16
     Engineversion : 8.2.1.70
     AEVDF.DLL : 8.1.1.2 106867 Bytes 9/15/2009 08:58:02
     AESCRIPT.DLL : 8.1.2.45 586108 Bytes 11/17/2009 02:24:22
     AESCN.DLL : 8.1.2.5 127346 Bytes 9/3/2009 08:24:42
     AERDL.DLL : 8.1.3.2 479604 Bytes 10/2/2009 15:15:48
     AEPACK.DLL : 8.2.0.3 422261 Bytes 11/5/2009 07:21:24
     AEOFFICE.DLL : 8.1.0.38 196987 Bytes 6/17/2009 07:32:46
     AEHEUR.DLL : 8.1.0.180 2093432 Bytes 11/6/2009 09:32:18
     AEHELP.DLL : 8.1.7.4 237943 Bytes 11/17/2009 02:24:20
     AEGEN.DLL : 8.1.1.74 364917 Bytes 11/11/2009 08:08:18
     AEEMU.DLL : 8.1.1.0 393587 Bytes 10/2/2009 15:15:48
     AECORE.DLL : 8.1.8.2 184694 Bytes 11/5/2009 07:21:22
     AEBB.DLL : 8.1.0.3 53618 Bytes 10/15/2008 03:49:34
     AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 01:47:59
     AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 03:32:15
     AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 07:34:28
     AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 03:32:09
     AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 08:05:41
     AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 03:37:08
     SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 08:03:49
     SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 01:21:33
     NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 03:32:10
     RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 08:39:58
     RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 03:19:48

     Configuration settings for the scan:
     Jobname.............................: Complete system scan
     Configuration file..................: C:\Program Files\Avira\AntiVir Desktop\sysscan.avp
     Logging.............................: low
     Primary action......................: interactive
     Secondary action....................: ignore
     Scan master boot sector.............: on
     Scan boot sector....................: on
     Boot sectors........................: C:, D:, E:, F:, G:, H:,
     Process scan........................: on
     Scan registry.......................: on
     Search for rootkits.................: on
     Integrity checking of system files..: off
     Scan all files......................: All files
     Scan archives.......................: on
     Recursion depth.....................: 20
     Smart extensions....................: on
     Macro heuristic.....................: on
     File heuristic......................: medium

     Start of the scan: Wednesday, November 18, 2009 21:31

     Starting search for hidden objects.
     The driver could not be initialized.

     The scan of running processes will be started
     Scan process 'avscan.exe' - '1' Module(s) have been scanned
     Scan process 'avcenter.exe' - '1' Module(s) have been scanned
     Scan process 'explorer.exe' - '1' Module(s) have been scanned
     Scan process 'svchost.exe' - '1' Module(s) have been scanned
     Scan process 'svchost.exe' - '1' Module(s) have been scanned
     Scan process 'svchost.exe' - '1' Module(s) have been scanned
     Scan process 'lsass.exe' - '1' Module(s) have been scanned
     Scan process 'services.exe' - '1' Module(s) have been scanned
     Scan process 'winlogon.exe' - '1' Module(s) have been scanned
     Scan process 'csrss.exe' - '1' Module(s) have been scanned
     Scan process 'smss.exe' - '1' Module(s) have been scanned
     11 processes with 11 modules were scanned

     Starting master boot sector scan:
     Master boot sector HD0
     [iNFO] No virus was found!
     Master boot sector HD1
     [iNFO] No virus was found!
     Master boot sector HD2
     [iNFO] No virus was found!

     Start scanning boot sectors:
     Boot sector 'C:\'
     [iNFO] No virus was found!
     Boot sector 'D:\'
     [iNFO] No virus was found!
     Boot sector 'E:\'
     [iNFO] No virus was found!
     Boot sector 'F:\'
     [iNFO] No virus was found!
     Boot sector 'G:\'
     [iNFO] No virus was found!
     Boot sector 'H:\'
     [iNFO] No virus was found!

     Starting to scan executable files (registry).
     The registry was scanned ( '54' files ).

     Starting the file scan:

     Begin scan in 'C:\'
     C:\pagefile.sys
     [WARNING] The file could not be opened!
     [NOTE] This file is a Windows system file.
     [NOTE] This file cannot be opened for scanning.
     C:\Documents and Settings\Administrator\Application Data\Sun\Java\jdk1.6.0_07\st160000.cab
     [0] Archive type: CAB (Microsoft)
     --> tools.zip
     [1] Archive type: ZIP
     --> lib/ct.sym
     [2] Archive type: ZIP
     --> META-INF/sym/rt.jar/javax/security/auth/x500/X500PrivateCredential.class
     [WARNING] The file could not be read!
     C:\Documents and Settings\Administrator\Desktop\Desktop File\Illusions.rar
     [0] Archive type: RAR
     --> Illusions\Optical.jpg
     [DETECTION] Is the TR/Regrun.frn Trojan
     C:\Program Files\Autorun Eater\Autorun Backup\autorun0.inf
     [DETECTION] Contains recognition pattern of the WORM/Autorun.VHB worm
     C:\Program Files\SpywareBlaster\ckdatabase.dtb
     [WARNING] An exception has been identified!
     [WARNING] In the module 'aecore.dll' an exception occured. Calling the function AVEPROC_TestFile in file: \\?\C:\Program Files\SpywareBlaster\ckdatabase.dtb
     Error description:ACCESS_VIOLATION
     EAX = 024FFF90
     EBX = 011F0000
     ECX = 0261A010
     EDX = 0262FD50
     ESI = 0262FD48
     EDI = 00000201
     EIP = 7C910EFE
     EBP = 01A6F070
     ESP = 01A6EE50
     Flg = 00010293
     CS = 00000023
     SS = 0000001B
     Begin scan in 'D:\' <Drama>
     Begin scan in 'E:\' <Manga>
     Begin scan in 'F:\' <Games>
     Begin scan in 'G:\' <Software>
     Begin scan in 'H:\' <Recycle>

     Beginning disinfection:
     C:\Documents and Settings\Administrator\Desktop\Desktop File\Illusions.rar
     [NOTE] The file was moved to '4b700998.qua'!
     C:\Program Files\Autorun Eater\Autorun Backup\autorun0.inf
     [DETECTION] Contains recognition pattern of the WORM/Autorun.VHB worm
     [NOTE] The file was moved to '4b7809a6.qua'!

     End of the scan: Wednesday, November 18, 2009 22:48
     Used time: 1:14:59 Hour(s)

     The scan has been done completely.

     11101 Scanned directories
     476433 Files were scanned
     2 Viruses and/or unwanted programs were found
     0 Files were classified as suspicious
     0 files were deleted
     0 Viruses and unwanted programs were repaired
     2 Files were moved to quarantine
     0 Files were renamed
     1 Files cannot be scanned
     476430 Files not concerned
     2104 Archives were scanned
     3 Warnings
     3 Notes
  2. This is not a report, but I just think you should know: I cannot find csrbc01.sys and btcomm.sys anywhere, and I will keep looking for them. About a certain website I mentioned before, I think I found it. Here is the site as written in my inbox: "Hi stag! Join to Social network! vk.com/reg70382". I'll make a new log as soon as I'm done with the next step.
  3. On that day, I suppose nothing exactly happened. I don't remember when this happened, but I do remember opening a certain website, posted by an unknown person on Travian (online game). Too bad my inbox has too many messages, so the message is probably no more.. On the other hand, I suppose connecting to the internet is not an option for me. Most say the PPPoE protocol will not be able to run in safe mode with networking. Of course, I'll try to find out if there is any way to do it. Should I send the file manually instead (copy and paste)?
  4. (1) Do you remember when exactly you couldn't boot into Normal Mode anymore?
     05 November 2009, if I'm not mistaken.

     (2) COMBOFIX.TXT

     ComboFix 09-11-07.02 - sakri 11/13/2009 0:39.2.2 - NTFSx86 MINIMAL
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.895.662 [GMT 8:00]
     Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
     Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
     AV: avast! antivirus 4.8.1351 [VPS 091104-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
     FW: COMODO Firewall Pro *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
     WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

     file zipped: c:\windows\system32\advpack.dll
     .
     ((((((((((((((((((((((((( Files Created from 2009-10-12 to 2009-11-12 )))))))))))))))))))))))))))))))
     .
     2009-11-09 03:13 . 2009-11-09 03:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware45
     2009-11-07 02:59 . 2009-11-07 02:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
     2009-11-07 02:59 . 2009-09-10 06:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2009-11-07 02:59 . 2009-11-09 03:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2009-11-07 02:59 . 2009-11-07 02:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
     2009-11-07 02:59 . 2009-09-10 06:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
     2009-10-29 06:04 . 2009-10-29 09:38 -------- d-----w- c:\program files\NSVRecorder
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2009-11-11 03:55 . 2009-01-03 06:44 -------- d-----w- c:\program files\Autorun Eater
     2009-11-05 17:35 . 2008-04-22 13:20 -------- d-----w- c:\program files\FlashGet
     2009-11-05 16:28 . 2008-04-22 13:24 -------- d-----w- c:\program files\SpywareBlaster
     2009-11-05 16:27 . 2008-04-22 13:37 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
     2009-11-05 06:34 . 2008-04-22 13:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
     2009-11-05 04:31 . 2008-04-21 14:46 -------- d-----w- c:\program files\Mozilla Thunderbird
     2009-11-04 17:47 . 2008-04-22 16:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\MiniLyrics
     2009-10-31 16:06 . 2008-04-21 16:11 -------- d-----w- c:\program files\Winamp
     2009-10-27 15:03 . 2009-01-03 06:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
     2009-10-24 17:13 . 2008-04-21 15:24 -------- d-----w- c:\program files\Lx_cats
     2009-10-24 14:40 . 2008-10-11 14:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\mIRC
     2009-10-11 14:30 . 2009-09-12 04:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\X-Chat 2
     2009-09-29 02:01 . 2008-04-22 14:21 177024 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1jo0ymo2.default\FlashGot.exe
     2009-09-28 09:41 . 2009-09-28 09:39 -------- d-----w- c:\program files\K-Lite Codec Pack
     2009-09-27 06:17 . 2008-04-21 16:09 -------- d-----w- c:\program files\Common Files\Real
     2009-09-20 15:33 . 2009-09-20 15:33 -------- d-----w- c:\program files\Conduit
     2009-09-20 15:33 . 2009-09-20 15:33 -------- d-----w- c:\program files\Softonic-en
     2009-08-17 16:10 . 2008-09-13 08:11 1279456 ----a-w- c:\windows\system32\aswBoot.exe
     2009-08-17 16:06 . 2008-09-13 08:11 93392 ----a-w- c:\windows\system32\drivers\aswmon.sys
     2009-08-17 16:06 . 2008-09-13 08:11 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
     2009-08-17 16:05 . 2008-09-13 08:11 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
     2009-08-17 16:05 . 2008-09-13 08:11 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
     2009-08-17 16:04 . 2008-09-13 08:11 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
     2009-08-17 16:04 . 2008-09-13 08:11 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
     2009-08-17 16:03 . 2008-09-13 08:11 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
     2009-08-17 16:02 . 2008-09-13 08:11 97480 ----a-w- c:\windows\system32\AvastSS.scr
     2009-08-16 15:08 . 2009-09-28 09:39 178176 ----a-w- c:\windows\system32\unrar.dll
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
     "{983ad4d4-8b63-442f-8684-fbc1c067949c}"= "c:\program files\Softonic-en\tbSoft.dll" [2009-09-08 2260504]

     [HKEY_CLASSES_ROOT\clsid\{983ad4d4-8b63-442f-8684-fbc1c067949c}]

     [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{983ad4d4-8b63-442f-8684-fbc1c067949c}]
     2009-09-08 05:32 2260504 ----a-w- c:\program files\Softonic-en\tbSoft.dll

     [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AE90C38C-97CF-4696-B290-C7973DC9675E}]
     2008-10-21 02:08 806912 ----a-w- c:\program files\Little Fighter 2 Toolbar\v3.3.0.1\Little_Fighter_2_Toolbar.dll

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
     "{C3CD744D-2FAE-4640-8297-16B5DA423104}"= "c:\program files\Little Fighter 2 Toolbar\v3.3.0.1\Little_Fighter_2_Toolbar.dll" [2008-10-21 806912]
     "{983ad4d4-8b63-442f-8684-fbc1c067949c}"= "c:\program files\Softonic-en\tbSoft.dll" [2009-09-08 2260504]

     [HKEY_CLASSES_ROOT\clsid\{c3cd744d-2fae-4640-8297-16b5da423104}]

     [HKEY_CLASSES_ROOT\clsid\{983ad4d4-8b63-442f-8684-fbc1c067949c}]

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "TaskSwitchXP"="c:\program files\TaskSwitchXP\TaskSwitchXP.exe" [2005-08-24 61952]
     "uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2008-12-22 270128]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
     "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
     "LXCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 73728]
     "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
     "RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-07-05 16380416]

     [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
     "TaskSwitchXP"="c:\program files\TaskSwitchXP\TaskSwitchXP.exe" [2005-08-24 61952]

     [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
     "nlsf"="move" [X]
     "nlhr"="c:\windows\System32\AdvPack.Dll" [2008-04-13 99840]
     "tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-03 44544]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
     "NoSMMyPictures"= 0 (0x0)
     "NoStartMenuMyMusic"= 0 (0x0)
     "NoSimpleStartMenu"= 0 (0x0)
     "NoRecentDocsNetHood"= 1 (0x1)

     [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
     "NoSMMyPictures"= 0 (0x0)
     "NoStartMenuMyMusic"= 0 (0x0)
     "NoRecentDocsNetHood"= 1 (0x1)

     [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
     "NoSMHelp"= 1 (0x1)

     [HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
     "NoAutoUpdate"= 1 (0x1)

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
     "UIHost"="c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe"

     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
     "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe"
     "COMODO Firewall Pro"="c:\program files\Comodo\Firewall\CPF.exe" /background
     "LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" blrun
     "PHIME2002A"=c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
     "MSPY2002"=c:\windows\system32\IME\PINTLGNT\ImScInst.exe /SYNC
     "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
     "Autorun Eater"=c:\program files\Autorun Eater\oldmcdonald.exe
     "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
     "EnableFirewall"= 0 (0x0)
     "DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Program Files\\CyberLink\\PowerDirector\\PDR.exe"=
     "c:\\Program Files\\uTorrent\\uTorrent.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

     S1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [9/13/2008 4:11 PM 114768]
     S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/13/2008 4:11 PM 20560]
     S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\McAfee\SiteAdvisor\McSACore.exe" --> c:\program files\McAfee\SiteAdvisor\McSACore.exe [?]
     S2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [1/31/2009 5:13 PM 603904]
     S3 BTCOMM;BTCOMM;c:\windows\system32\drivers\Btcomm.sys --> c:\windows\system32\drivers\Btcomm.sys [?]
     S3 BTKRNBDG;Bluetooth COM Bridge;c:\windows\system32\DRIVERS\btkrnbdg.sys --> c:\windows\system32\DRIVERS\btkrnbdg.sys [?]
     S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\system32\drivers\ndisprot.sys [10/24/2008 11:52 PM 27904]
     S3 OmniTV;Cx2388x AvStream Video Capture;c:\windows\system32\drivers\OmniTV.sys [4/22/2008 9:34 PM 221184]
     S4 CSRBC01;%CSRBC01.SvcDesc%;c:\windows\system32\Drivers\csrbc01.sys --> c:\windows\system32\Drivers\csrbc01.sys [?]
     S4 LRMINIPORT;LanRoad PPPoE Adapter;c:\windows\system32\DRIVERS\lrpppoe.sys --> c:\windows\system32\DRIVERS\lrpppoe.sys [?]
     S4 vad_multi;Windigo Virtual Audio Device (WDM);c:\windows\system32\drivers\vadmulti.sys --> c:\windows\system32\drivers\vadmulti.sys [?]

     --- Other Services/Drivers In Memory ---

     *Deregistered* - mbr

     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
     UxTuneUp
     .
     Contents of the 'Scheduled Tasks' folder

     2009-11-05 c:\windows\Tasks\1-Click Maintenance.job
     - c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-11-20 08:28]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2399186
     IE: Download All by FlashGet - c:\program files\FlashGet\jc_all.htm
     IE: Download using FlashGet - c:\program files\FlashGet\jc_link.htm
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
     IE: Open Link Target in Firefox - file://k:\portableapps\FirefoxPortable\Data\profile\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html
     IE: View This Page in Firefox - file://k:\portableapps\FirefoxPortable\Data\profile\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html
     TCP: {A65044E8-8ACE-4A6A-9D23-24E9A196B8D0} = 202.188.0.133,202.188.1.5
     FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1jo0ymo2.default\
     FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
     FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.my/
     FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
     FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
     FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

     ---- FIREFOX POLICIES ----
     FF - user.js: network.http.max-persistent-connections-per-server - 4
     FF - user.js: content.max.tokenizing.time - 1800000
     FF - user.js: content.notify.interval - 600000
     FF - user.js: content.switch.threshold - 600000
     FF - user.js: nglayout.initialpaint.delay - 600
     FF - user.js: yahoo.homepage.dontask - true
     c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
     .
     **************************************************************************

     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2009-11-13 00:46
     Windows 5.1.2600 Service Pack 3 NTFS

     scanning hidden processes ...

     scanning hidden autostart entries ...

     scanning hidden files ...

     scan completed successfully
     hidden files: 0

     **************************************************************************
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------

     - - - - - - - > 'winlogon.exe'(240)
     c:\windows\system32\Ati2evxx.dll

     - - - - - - - > 'explorer.exe'(1384)
     c:\program files\Windows Media Player\wmpband.dll
     c:\program files\Microsoft Office\OFFICE11\msohev.dll
     c:\windows\system32\PortableDeviceApi.dll
     c:\windows\system32\ShellExt\AUDIOS~1.DLL
     .
     Completion time: 2009-11-12 0:49
     ComboFix-quarantined-files.txt 2009-11-12 16:49
     ComboFix2.txt 2009-11-09 03:40

     Pre-Run: 19,625,185,280 bytes free
     Post-Run: 19,591,327,744 bytes free

     - - End Of File - - CA233DAA5EFE6EED2D83FC8D868CEF0B

     (3) File upload...
     I've tried to connect to the internet, but failed to connect, probably because I use PPPoE (DSL) protocols. However, I did manage to upload the file on the net, manually of course.

     *NOTE: I did all this in safe mode. I'd tried about three times in safe mode with networking mode, but my computer keeps restarting (when ComboFix is at work). I met a lot of file errors, such as PEV.exe, grep.cfxxe and c...(forget its name). In fact, my antivirus (avast) suddenly has some kind of skin problem that makes it completely unusable.
  5. After I searched the internet last night, I somehow managed to download mbam-rules.exe, which allowed me to download the updates for MBAM (not the latest though). Then I ran everything you asked; here is the report.

     mbam log:

     Malwarebytes' Anti-Malware 1.41
     Database version: 3101
     Windows 5.1.2600 Service Pack 3 (Safe Mode)

     11/9/2009 11:25:44 AM
     mbam-log-2009-11-09 (11-25-44).txt

     Scan type: Quick Scan
     Objects scanned: 107455
     Time elapsed: 8 minute(s), 53 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     (No malicious items detected)

     combofix log:

     ComboFix 09-11-07.02 - sakri 11/09/2009 11:31.1.2 - NTFSx86 MINIMAL
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.895.594 [GMT 8:00]
     Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
     AV: avast! antivirus 4.8.1351 [VPS 091104-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
     FW: COMODO Firewall Pro *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
     WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     C:\desktop.ini
     C:\drivers
     c:\drivers\Desktop.ini
     c:\program files\100% Free Chess Toolbar\v3.3.0.1\100%_free_chess_toolbar.dll
     c:\windows\100%_Free_Chess_Toolbar_Uninstaller_7296.exe
     c:\windows\long range shooting
     c:\windows\long range shooting \uninstall.exe
     c:\windows\system32\msehad.dll
     .
     ((((((((((((((((((((((((( Files Created from 2009-10-09 to 2009-11-09 )))))))))))))))))))))))))))))))
     .
     2009-11-09 03:13 . 2009-11-09 03:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware45
     2009-11-07 02:59 . 2009-11-07 02:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
     2009-11-07 02:59 . 2009-09-10 06:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2009-11-07 02:59 . 2009-11-09 03:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2009-11-07 02:59 . 2009-11-07 02:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
     2009-11-07 02:59 . 2009-09-10 06:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
     2009-10-29 06:04 . 2009-10-29 09:38 -------- d-----w- c:\program files\NSVRecorder
     2009-10-24 14:43 . 2009-10-24 14:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\IceChat
     2009-10-24 14:42 . 2009-10-24 14:42 -------- d-----w- c:\program files\IceChat7
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2009-11-05 17:35 . 2008-04-22 13:20 -------- d-----w- c:\program files\FlashGet
     2009-11-05 16:28 . 2008-04-22 13:24 -------- d-----w- c:\program files\SpywareBlaster
     2009-11-05 16:27 . 2008-04-22 13:37 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
     2009-11-05 06:34 . 2008-04-22 13:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
     2009-11-05 04:31 . 2008-04-21 14:46 -------- d-----w- c:\program files\Mozilla Thunderbird
     2009-11-04 17:47 . 2008-04-22 16:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\MiniLyrics
     2009-10-31 16:06 . 2008-04-21 16:11 -------- d-----w- c:\program files\Winamp
     2009-10-27 15:03 . 2009-01-03 06:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
     2009-10-24 17:13 . 2008-04-21 15:24 -------- d-----w- c:\program files\Lx_cats
     2009-10-24 14:40 . 2008-10-11 14:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\mIRC
     2009-10-11 14:30 . 2009-09-12 04:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\X-Chat 2
     2009-09-29 02:01 . 2008-04-22 14:21 177024 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1jo0ymo2.default\FlashGot.exe
     2009-09-28 09:41 . 2009-09-28 09:39 -------- d-----w- c:\program files\K-Lite Codec Pack
     2009-09-27 06:17 . 2008-04-21 16:09 -------- d-----w- c:\program files\Common Files\Real
     2009-09-20 15:33 . 2009-09-20 15:33 -------- d-----w- c:\program files\Conduit
     2009-09-20 15:33 . 2009-09-20 15:33 -------- d-----w- c:\program files\Softonic-en
     2009-08-17 16:10 . 2008-09-13 08:11 1279456 ----a-w- c:\windows\system32\aswBoot.exe
     2009-08-17 16:06 . 2008-09-13 08:11 93392 ----a-w- c:\windows\system32\drivers\aswmon.sys
     2009-08-17 16:06 . 2008-09-13 08:11 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
     2009-08-17 16:05 . 2008-09-13 08:11 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
     2009-08-17 16:05 . 2008-09-13 08:11 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
     2009-08-17 16:04 . 2008-09-13 08:11 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
     2009-08-17 16:04 . 2008-09-13 08:11 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
     2009-08-17 16:03 . 2008-09-13 08:11 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
     2009-08-17 16:02 . 2008-09-13 08:11 97480 ----a-w- c:\windows\system32\AvastSS.scr
     2009-08-16 15:08 . 2009-09-28 09:39 178176 ----a-w- c:\windows\system32\unrar.dll
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
     "{983ad4d4-8b63-442f-8684-fbc1c067949c}"= "c:\program files\Softonic-en\tbSoft.dll" [2009-09-08 2260504]

     [HKEY_CLASSES_ROOT\clsid\{983ad4d4-8b63-442f-8684-fbc1c067949c}]

     [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{983ad4d4-8b63-442f-8684-fbc1c067949c}]
     2009-09-08 05:32 2260504 ----a-w- c:\program files\Softonic-en\tbSoft.dll

     [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AE90C38C-97CF-4696-B290-C7973DC9675E}]
     2008-10-21 02:08 806912 ----a-w- c:\program files\Little Fighter 2 Toolbar\v3.3.0.1\Little_Fighter_2_Toolbar.dll

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
     "{C3CD744D-2FAE-4640-8297-16B5DA423104}"= "c:\program files\Little Fighter 2 Toolbar\v3.3.0.1\Little_Fighter_2_Toolbar.dll" [2008-10-21 806912]
     "{983ad4d4-8b63-442f-8684-fbc1c067949c}"= "c:\program files\Softonic-en\tbSoft.dll" [2009-09-08 2260504]

     [HKEY_CLASSES_ROOT\clsid\{c3cd744d-2fae-4640-8297-16b5da423104}]

     [HKEY_CLASSES_ROOT\clsid\{983ad4d4-8b63-442f-8684-fbc1c067949c}]

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "TaskSwitchXP"="c:\program files\TaskSwitchXP\TaskSwitchXP.exe" [2005-08-24 61952]
     "uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2008-12-22 270128]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
     "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
     "LXCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 73728]
     "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
     "RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-07-05 16380416]

     [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
     "TaskSwitchXP"="c:\program files\TaskSwitchXP\TaskSwitchXP.exe" [2005-08-24 61952]

     [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
     "nlsf"="move" [X]
     "nlhr"="c:\windows\System32\AdvPack.Dll" [2008-04-13 99840]
     "tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-03 44544]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
     "NoSMMyPictures"= 0 (0x0)
     "NoStartMenuMyMusic"= 0 (0x0)
     "NoSimpleStartMenu"= 0 (0x0)
     "NoRecentDocsNetHood"= 1 (0x1)

     [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
     "NoSMMyPictures"= 0 (0x0)
     "NoStartMenuMyMusic"= 0 (0x0)
     "NoRecentDocsNetHood"= 1 (0x1)

     [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
     "NoSMHelp"= 1 (0x1)

     [HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
     "NoAutoUpdate"= 1 (0x1)

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
     "UIHost"="c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe"

     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
     "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe"
     "COMODO Firewall Pro"="c:\program files\Comodo\Firewall\CPF.exe" /background
     "LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" blrun
     "PHIME2002A"=c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
     "MSPY2002"=c:\windows\system32\IME\PINTLGNT\ImScInst.exe /SYNC
     "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
     "Autorun Eater"=c:\program files\Autorun Eater\oldmcdonald.exe
     "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
     "EnableFirewall"= 0 (0x0)
     "DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Program Files\\CyberLink\\PowerDirector\\PDR.exe"=
     "c:\\Program Files\\uTorrent\\uTorrent.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

     S1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [9/13/2008 4:11 PM 114768]
     S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/13/2008 4:11 PM 20560]
     S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\McAfee\SiteAdvisor\McSACore.exe" --> c:\program files\McAfee\SiteAdvisor\McSACore.exe [?]
     S2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [1/31/2009 5:13 PM 603904]
     S3 BTCOMM;BTCOMM;c:\windows\system32\drivers\Btcomm.sys --> c:\windows\system32\drivers\Btcomm.sys [?]
     S3 BTKRNBDG;Bluetooth COM Bridge;c:\windows\system32\DRIVERS\btkrnbdg.sys --> c:\windows\system32\DRIVERS\btkrnbdg.sys [?]
     S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\system32\drivers\ndisprot.sys [10/24/2008 11:52 PM 27904]
     S3 OmniTV;Cx2388x AvStream Video Capture;c:\windows\system32\drivers\OmniTV.sys [4/22/2008 9:34 PM 221184]
     S4 CSRBC01;%CSRBC01.SvcDesc%;c:\windows\system32\Drivers\csrbc01.sys --> c:\windows\system32\Drivers\csrbc01.sys [?]
     S4 LRMINIPORT;LanRoad PPPoE Adapter;c:\windows\system32\DRIVERS\lrpppoe.sys --> c:\windows\system32\DRIVERS\lrpppoe.sys [?]
     S4 vad_multi;Windigo Virtual Audio Device (WDM);c:\windows\system32\drivers\vadmulti.sys --> c:\windows\system32\drivers\vadmulti.sys [?]

     --- Other Services/Drivers In Memory ---

     *NewlyCreated* - MBR
     *Deregistered* - mbr

     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
     UxTuneUp
     .
     Contents of the 'Scheduled Tasks' folder

     2009-11-05 c:\windows\Tasks\1-Click Maintenance.job
     - c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-11-20 08:28]
     .
     .
     ------- Supplementary Scan -------
     .
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2399186 IE: Download All by FlashGet - c:\program files\FlashGet\jc_all.htm IE: Download using FlashGet - c:\program files\FlashGet\jc_link.htm IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000 IE: Open Link Target in Firefox - file://k:\portableapps\FirefoxPortable\Data\profile\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html IE: View This Page in Firefox - file://k:\portableapps\FirefoxPortable\Data\profile\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html TCP: {A65044E8-8ACE-4A6A-9D23-24E9A196B8D0} = 202.188.0.133,202.188.1.5 FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1jo0ymo2.default\ FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q= FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.my/ FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p= FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll ---- FIREFOX POLICIES ---- FF - user.js: network.http.max-persistent-connections-per-server - 4 FF - user.js: content.max.tokenizing.time - 1800000 FF - user.js: content.notify.interval - 600000 FF - user.js: content.switch.threshold - 600000 FF - user.js: nglayout.initialpaint.delay - 600 FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true); . . ------- File Associations ------- . inifile=c:\windows\system32\NOTEPAD2.EXE %1 txtfile=c:\windows\system32\NOTEPAD2.EXE %1 . 
- - - - ORPHANS REMOVED - - - - HKU-Default-Run-Free Download Manager - c:\program files\Free Download Manager\fdm.exe AddRemove-100% Free Chess Toolbar - c:\windows\100%_Free_Chess_Toolbar_Uninstaller_7296.exe ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-11-09 11:36 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(236) c:\windows\system32\Ati2evxx.dll . Completion time: 2009-11-09 11:40 ComboFix-quarantined-files.txt 2009-11-09 03:40 Pre-Run: 19,319,652,352 bytes free Post-Run: 19,291,680,768 bytes free - - End Of File - - 21F2BA909F56BBB76B5029D9BBE77FB4 hijackthis log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:43:27 AM, on 11/9/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512) Boot mode: Safe mode Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\taskmgr.exe C:\WINDOWS\explorer.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT2399186 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search 
Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll R3 - URLSearchHook: Softonic-en Toolbar - {983ad4d4-8b63-442f-8684-fbc1c067949c} - C:\Program Files\Softonic-en\tbSoft.dll O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - (no file) O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O2 - BHO: Softonic-en Toolbar - {983ad4d4-8b63-442f-8684-fbc1c067949c} - C:\Program Files\Softonic-en\tbSoft.dll O2 - BHO: Little Fighter 2 Toolbar Helper - {AE90C38C-97CF-4696-B290-C7973DC9675E} - C:\Program Files\Little Fighter 2 Toolbar\v3.3.0.1\Little_Fighter_2_Toolbar.dll O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL O3 - Toolbar: Yahoo! 
Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O3 - Toolbar: Little Fighter 2 Toolbar - {C3CD744D-2FAE-4640-8297-16B5DA423104} - C:\Program Files\Little Fighter 2 Toolbar\v3.3.0.1\Little_Fighter_2_Toolbar.dll O3 - Toolbar: (no name) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - (no file) O3 - Toolbar: Softonic-en Toolbar - {983ad4d4-8b63-442f-8684-fbc1c067949c} - C:\Program Files\Softonic-en\tbSoft.dll O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [startCCC] c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16 O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript O4 - HKCU\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe" O4 - HKUS\S-1-5-18\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'Default user') O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user') O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Open 
Link Target in Firefox - file://K:\PortableApps\FirefoxPortable\Data\profile\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html O8 - Extra context menu item: View This Page in Firefox - file://K:\PortableApps\FirefoxPortable\Data\profile\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O17 - HKLM\System\CCS\Services\Tcpip\..\{A65044E8-8ACE-4A6A-9D23-24E9A196B8D0}: NameServer = 202.188.0.133,202.188.1.5 O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file) O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: avast! 
Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: CiSvc - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing) O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe (file missing) O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe -- End of file - 8229 bytes
  6. there is a problem... in Safe Mode with Networking, i am still unable to download updates. it seems like the internet connection needs another instance which needs a username and password, which i failed to create. when i tried to create one (with username and password), the wizard skipped certain steps and said "it has already been created". should i skip updating and proceed with the combofix log instead? and right now i am asking your help with my older pc, which has no antivirus or protection; i tried the same thing, and i'm afraid to say that this one has also been infected by malware (the same one maybe, because i haven't used this one for a long time)... *i am able to download mbam updates with this one. should i ask for help with this second problem in this same thread, or make a new one?
  7. i suddenly cannot start my computer in normal mode. i can only start in safe mode, no matter what i do or what i change.. what's bad is that system restore is turned off, and i can't turn it on since i cannot log in in normal mode.
     status: safe mode / no internet connection / slow loading time
     instruction:
     (1) malwarebytes anti-malware report
     * cannot update, error code: 732(0,0)
     * ran 2 tests
     Malwarebytes' Anti-Malware 1.41
     Database version: 2775
     Windows 5.1.2600 Service Pack 3 (Safe Mode)
     11/7/2009 11:10:28 AM
     mbam-log-2009-11-07 (11-10-28).txt
     Scan type: Quick Scan
     Objects scanned: 99434
     Time elapsed: 9 minute(s), 6 second(s)
     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 1
     Registry Values Infected: 1
     Registry Data Items Infected: 3
     Folders Infected: 1
     Files Infected: 1
     Memory Processes Infected: (No malicious items detected)
     Memory Modules Infected: (No malicious items detected)
     Registry Keys Infected:
     HKEY_CLASSES_ROOT\sexvid (Trojan.DNSChanger) -> Quarantined and deleted successfully.
     Registry Values Infected:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.
     Registry Data Items Infected:
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a65044e8-8ace-4a6a-9d23-24e9a196b8d0}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.178 -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{a65044e8-8ace-4a6a-9d23-24e9a196b8d0}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.178 -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{a65044e8-8ace-4a6a-9d23-24e9a196b8d0}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.178 -> Quarantined and deleted successfully.
     Folders Infected:
     C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.
     Files Infected:
     C:\resycled\boot.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.
     (2) antivirus check (AVAST HOME EDITION):
     C - sudden shutdown
     D - completed
     E - completed
     F - completed
     G - stuck at 89% (stuck on modified xp for half an hour), after that avast stopped working properly
     H - completed
     K - completed, this is the usb drive
     * i'm forced to run the tests separately, since my pc will automatically shut down after several minutes of testing.
     (3) hijackthis report
     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 11:00:44 PM, on 11/7/2009
     Platform: Windows XP SP3 (WinNT 5.01.2600)
     MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
     Boot mode: Safe mode
     i'm uploading every saved file as well, just in case:
     mbam_log_2009_11_07__11_10_28_.txt
     mbam_log_2009_11_07__13_00_17_.txt
     f_test.txt
     d_test.txt
     e_test.txt
     h_test.txt
     k_test.txt
  8. it's been more than a year since i wrote something on these forums. i suddenly cannot start my computer in normal mode. i can only start in safe mode, no matter what i do or what i change.. what's bad is that system restore is turned off, and i can't turn it on since i cannot log in in normal mode. let me tell you this first, i am a novice in this matter... so if someone has any suggestions, please let me know in detail. next i'll put up the hijackthis log, if necessary.
  9. can anyone suggest interesting addons for firefox that i can use??? i currently use:
     - noscript
     - mcafee siteadvisor
     - ie tab
     - downthemall
     - flashgot
  10. i know the virus must be removed...... not every antivirus can detect and remove the virus equally (in this case bitdefender detects sohanad (worm) and avg does not). can i enable the task manager or regedit manually?
  11. what can i do if the task manager and regedit are disabled by a virus??? in some cases, only regedit is disabled..
  12. due to lack of her (my friend's) response, i suggest that we close the topic. Anyway, thanks to Jean and adchia for the help. sorry for the inconvenience
  13. it seems like i cannot do the panda scan for her now, since she moved to another department...... (don't know for how long) anyway, i will send the new log file within a week... sorry for the inconvenience.
  14. i've stopped the avg anti-spyware scan 2 times, because it is too slow even to run by itself. here is the latest report. i told her to delete all the detected files; i don't know if the files were deleted after the report was saved, or whether really no action was taken, as in the report below.... at the end of this post, i'll provide you with the other two reports....
     ---------------------------------------------------------
     AVG Anti-Spyware - Scan Report
     ---------------------------------------------------------
     + Created at: 1:54:40 PM 8/21/2007
     + Scan result:
::Report end Report_Scan_20070820_152944.txt Report_Scan_20070820_153010.txt Report_Scan_20070821_135440.txt Report.txt Report_Scan_20070820_152944.txt Report_Scan_20070820_153010.txt Report_Scan_20070821_135440.txt Report.txt
  15. Sorry for the late reply. About the thing you asked, AVG Anti-Virus is the one that detected the virus. She said she was not sure if she uninstalled Avast, but Avast is still running (since she has not paid for the program, the program does not function as before). I've done the steps up to the AVG scan report. I still have not scanned the laptop with the Panda online scan because the laptop seems to run slower than ever! I immediately uninstalled AVG Anti-Spyware after use, but I have the report. Here is the SDFix log:

SDFix: Version 1.99
Run by shindou hikaru on Mon 08/20/2007 at 12:54 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\SHINDO~1\Desktop\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Trojan Files Found:
C:\WINDOWS\system32\autorun.ini - Deleted
C:\WINDOWS\system32\setting.ini - Deleted

Removing Temp Files...

ADS Check:
C:\WINDOWS
No streams found.
C:\WINDOWS\system32
No streams found.
C:\WINDOWS\system32\svchost.exe
No streams found.
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:
Remaining Services:
------------------

Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\FlashGet\\flashget.exe"="C:\\Program Files\\FlashGet\\flashget.exe:*:Enabled:Flashget"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled: