Backdoor.bot

#1 legna (Member, 147 posts)

Here's the OTL log after a Quick Scan is done. There isn't any Extras.txt.

OTL logfile created on: 6/12/2009 6:32:54 - Run 2
OTL by OldTimer - Version 3.1.11.7 Folder = C:\Documents and Settings\simone\桌面
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000C04 | Country: 香港特別行政區 | Language: ZHH | Date Format: d/M/yyyy

502.42 Mb Total Physical Memory | 171.68 Mb Available Physical Memory | 34.17% Memory free
840.48 Mb Paging File | 545.88 Mb Available in Paging File | 64.95% Paging File free
Paging file location(s): C:\pagefile.sys 372 744 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 35.00 Gb Total Space | 15.29 Gb Free Space | 43.69% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SNNECP
Current User Name: simone
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Minimal
Quick Scan

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\simone\桌面\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
PRC - C:\Program Files\Alwil Software\Avast4\ashServ.exe (ALWIL Software)
PRC - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software)
PRC - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software)
PRC - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software)
PRC - C:\Program Files\Google\Google Pinyin 2\GooglePinyinDaemon.exe (Google Inc.)
PRC - C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
PRC - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe ()
PRC - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe (Logitech Inc.)
PRC - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe (Logitech Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\conime.exe (Microsoft Corporation)
PRC - C:\Program Files\SimpleCenter\bin\win\sclauncher.exe (Universal Electronics Inc.)
PRC - C:\WINDOWS\tsnp2std.exe ()
PRC - C:\WINDOWS\vsnp2std.exe (Sonix)
PRC - C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe (Adobe Systems Incorporated)
PRC - C:\Program Files\Apoint2K\HidFind.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\Apoint2K\Apoint.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\NECMFK\necmfk.exe (NEC)
PRC - C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
PRC - C:\WINDOWS\AGRSMMSG.exe (Agere Systems)
PRC - C:\Program Files\Apoint2K\ApntEx.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (Analog Devices, Inc.)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\simone\桌面\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\Temp\logishrd\LVPrcInj01.dll (Logitech Inc.)
MOD - C:\WINDOWS\system32\Syncor11.dll (SoundMAX)


========== Win32 Services (SafeList) ==========

SRV - (avast! Antivirus) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe (ALWIL Software)
SRV - (avast! Mail Scanner) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software)
SRV - (avast! Web Scanner) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software)
SRV - (aswUpdSv) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software)
SRV - (JavaQuickStarterService) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
SRV - (LVPrcSrv) -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe (Logitech Inc.)
SRV - (LVCOMSer) -- C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe (Logitech Inc.)
SRV - (usnjsvc) -- C:\Program Files\Windows Live\Messenger\usnsvc.exe (Microsoft Corporation)
SRV - (ServiceLayer) -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe (Nokia.)
SRV - (SoundMAX Agent Service (default)) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (Analog Devices, Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com"
FF - prefs.js..extensions.enabledItems: [email protected]:1.4.5
FF - prefs.js..extensions.enabledItems: [email protected]:1.0

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.15\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/11/26 12:37:13 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.15\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/11/28 20:51:00 | 00,000,000 | ---D | M]

[2009/02/10 16:55:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\simone\Application Data\Mozilla\Extensions
[2009/12/05 09:42:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\simone\Application Data\Mozilla\Firefox\Profiles\hvnqe8hm.default\extensions
[2009/11/23 09:24:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\simone\Application Data\Mozilla\Firefox\Profiles\hvnqe8hm.default\extensions\[email protected]
[2009/12/05 09:42:11 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/11/24 08:23:41 | 00,002,310 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\findbook-zh-TW.xml
[2009/11/24 08:23:41 | 00,001,222 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia-zh-TW.xml
[2009/11/24 08:23:41 | 00,001,350 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-answer-zh-TW.xml
[2009/11/24 08:23:41 | 00,000,834 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-bid-zh-TW.xml
[2009/11/24 08:23:41 | 00,000,843 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-zh-TW.xml

O1 HOSTS File: (27 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (no name) - {8E718888-423F-11D2-876E-00A0C9082467} - No CLSID value found.
O3 - HKLM\..\Toolbar: (eSnips) - {ED1184DA-E57E-4480-99D0-A16809037F54} - C:\Program Files\eSnips\SnipBar.dll (eSnips Ltd.)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [Adobe Photo Downloader] C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AGRSMMSG] C:\WINDOWS\AGRSMMSG.exe (Agere Systems)
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [Google Pinyin 2 Autoupdater] C:\Program Files\Google\Google Pinyin 2\GooglePinyinDaemon.exe (Google Inc.)
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [LogitechCommunicationsManager] C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe ()
O4 - HKLM..\Run: [NECMFK] C:\Program Files\NECMFK\necmfk.exe (NEC)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [sclauncher] C:\Program Files\SimpleCenter\bin\win\sclauncher.exe (Universal Electronics Inc.)
O4 - HKLM..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe (Sonix)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Open using &Advanced JPEG Compressor - C:\Program Files\Advanced JPEG Compressor\ajcieex.htm ()
O8 - Extra context menu item: Snip to my eSnips account - C:\Program Files\eSnips\res\SnipIt.htm ()
O9 - Extra Button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (ICQ Ltd.)
O9 - Extra 'Tools' menuitem : ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (ICQ Ltd.)
O15 - HKLM\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: ([]msn in My Computer)
O15 - HKCU\..Trusted Domains: free.fr ([gpl.download] * in Trusted sites)
O15 - HKCU\..Trusted Domains: google.com ([www] http in Trusted sites)
O15 - HKCU\..Trusted Domains: talkfusion.com ([www] https in Trusted sites)
O15 - HKCU\..Trusted Domains: talkfusioncustomer.com ([www] https in Trusted sites)
O15 - HKCU\..Trusted Domains: 58 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 202.156.1.68 218.186.1.88 202.156.1.78
O18 - Protocol\Handler\ic32pp {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - Reg Error: Key error. File not found
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\vnd.ms.radio {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - Reg Error: Key error. File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop Components:0 (目前的首頁) - About:Home
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{18be95e1-d856-11de-8ea6-000e354962f8}\Shell - "" = AutoRun
O33 - MountPoints2\{18be95e1-d856-11de-8ea6-000e354962f8}\Shell\AutoRun\command - "" = G:\AutoRun.exe -- File not found
O33 - MountPoints2\{1efa0646-3341-11de-8df8-000e354962f8}\Shell - "" = AutoRun
O33 - MountPoints2\{1efa0646-3341-11de-8df8-000e354962f8}\Shell\AutoRun\command - "" = H:\AutoRun.exe -- File not found
O33 - MountPoints2\{e02b6610-d7c7-11de-8e9c-000e354962f8}\Shell - "" = AutoRun
O33 - MountPoints2\{e02b6610-d7c7-11de-8e9c-000e354962f8}\Shell\AutoRun\command - "" = H:\AutoRun.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2003/03/26 09:49:58 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (55172544294027264)

========== Files/Folders - Created Within 14 Days ==========

[2009/12/06 06:30:50 | 00,536,576 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\simone\桌面\OTL.exe
[2009/12/04 12:47:37 | 00,000,000 | ---D | C] -- C:\Documents and Settings\simone\桌面\Deo2
[2009/12/04 08:38:58 | 00,000,000 | ---D | C] -- C:\Documents and Settings\simone\桌面\mbam
[2009/12/04 08:04:11 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/04 08:04:06 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/04 08:04:05 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/12/03 19:17:31 | 00,000,000 | RH-D | C] -- C:\Documents and Settings\simone\Recent
[2009/12/03 05:44:36 | 00,000,000 | ---D | C] -- C:\Documents and Settings\simone\桌面\Nice Hses to View
[2009/11/30 16:54:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\simone\桌面\Kindle_Amazon
[2009/11/30 10:41:30 | 00,000,000 | ---D | C] -- C:\Documents and Settings\simone\桌面\H1N1 Side Effects
[2009/11/28 20:53:57 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Apple
[2009/11/28 20:52:18 | 00,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2009/11/28 20:51:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2009/11/28 20:50:44 | 00,000,000 | -HSD | C] -- C:\Config.Msi
[2009/11/26 12:24:45 | 00,000,000 | ---D | C] -- C:\Documents and Settings\simone\桌面\Deodorant_Thai Crystal Deodorant Stone
[2009/11/23 12:22:03 | 23,431,440 | ---- | C] (Doctor Web, Ltd.) -- C:\Documents and Settings\simone\桌面\launch(4).exe
[2009/11/23 11:04:53 | 00,000,000 | ---D | C] -- C:\Program Files\Auslogics
[2009/11/23 10:31:23 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\simone\PrivacIE
[2009/11/23 09:44:08 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\simone\IETldCache
[2009/11/23 09:35:13 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\XPSViewer
[2009/11/23 09:35:06 | 00,000,000 | ---D | C] -- C:\Program Files\MSBuild
[2009/11/23 09:35:02 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\en-US
[2009/11/23 09:34:47 | 00,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2009/11/23 09:20:29 | 00,000,000 | ---D | C] -- C:\WINDOWS\ie8updates
[2009/11/23 09:15:46 | 00,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2008/05/24 19:35:43 | 00,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\simone\Application Data\pcouffin.sys
[2007/04/01 00:00:30 | 00,147,456 | ---- | C] ( ) -- C:\WINDOWS\rsnp2std.dll
[2007/04/01 00:00:30 | 00,053,248 | ---- | C] ( ) -- C:\WINDOWS\System32\csnp2std.dll

========== Files - Modified Within 14 Days ==========

[2009/12/06 06:30:53 | 00,536,576 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\simone\桌面\OTL.exe
[2009/12/06 06:30:33 | 00,024,576 | ---- | M] () -- C:\Documents and Settings\simone\桌面\otl.doc
[2009/12/06 05:33:37 | 00,000,968 | ---- | M] () -- C:\WINDOWS\necmfk.ini
[2009/12/06 05:32:58 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/12/06 05:32:52 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/12/05 16:13:36 | 19,398,656 | ---- | M] () -- C:\Documents and Settings\simone\NTUSER.DAT
[2009/12/05 16:13:36 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\simone\ntuser.ini
[2009/12/05 12:22:48 | 00,000,179 | ---- | M] () -- C:\Documents and Settings\simone\桌面\2x Penthouse Common Room minutes from Eunos MRT - Singapore room rentals, apartment share & house share - Gumtree Singapore.URL
[2009/12/05 04:17:12 | 00,000,062 | ---- | M] () -- C:\Documents and Settings\simone\桌面\COLORWASH - Professional Cleaning For Bags And Shoes.URL
[2009/12/03 19:19:20 | 00,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2009/12/03 16:14:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/03 16:13:56 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/03 09:24:55 | 00,000,049 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/12/03 06:15:00 | 00,000,376 | ---- | M] () -- C:\WINDOWS\NJCOM.INI
[2009/11/30 10:47:29 | 11,889,735 | ---- | M] () -- C:\Documents and Settings\simone\桌面\Woman Disabled by THIS YEARS FLU SHOT (10 days AFTER vaccination ).mp4
[2009/11/30 08:34:44 | 00,001,170 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/11/28 19:41:10 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/11/28 14:50:24 | 00,117,760 | ---- | M] () -- C:\Documents and Settings\simone\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/11/25 07:54:29 | 01,280,480 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2009/11/25 07:51:09 | 00,093,424 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2009/11/25 07:49:07 | 00,048,560 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2009/11/25 07:48:57 | 00,023,120 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2009/11/25 07:47:54 | 00,027,408 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2009/11/25 07:47:28 | 00,097,480 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\AvastSS.scr
[2009/11/24 09:12:49 | 00,027,712 | ---- | M] () -- C:\Documents and Settings\simone\Application Data\GDIPFONTCACHEV1.DAT
[2009/11/23 16:13:19 | 00,131,688 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/11/23 16:06:27 | 00,432,690 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/11/23 16:06:27 | 00,287,024 | ---- | M] () -- C:\WINDOWS\System32\prfh0404.dat
[2009/11/23 16:06:27 | 00,110,586 | ---- | M] () -- C:\WINDOWS\System32\prfc0404.dat
[2009/11/23 16:06:27 | 00,067,646 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/11/23 16:06:26 | 00,883,152 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/11/23 15:56:41 | 00,000,993 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/11/23 12:22:03 | 23,431,440 | ---- | M] (Doctor Web, Ltd.) -- C:\Documents and Settings\simone\桌面\launch(4).exe
[2009/11/23 10:11:19 | 00,027,712 | ---- | M] () -- C:\Documents and Settings\simone\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

========== Files Created - No Company Name ==========

[2009/12/06 06:30:33 | 00,024,576 | ---- | C] () -- C:\Documents and Settings\simone\桌面\otl.doc
[2009/12/05 12:22:48 | 00,000,179 | ---- | C] () -- C:\Documents and Settings\simone\桌面\2x Penthouse Common Room minutes from Eunos MRT - Singapore room rentals, apartment share & house share - Gumtree Singapore.URL
[2009/12/05 04:17:12 | 00,000,062 | ---- | C] () -- C:\Documents and Settings\simone\桌面\COLORWASH - Professional Cleaning For Bags And Shoes.URL
[2009/11/30 10:45:02 | 11,889,735 | ---- | C] () -- C:\Documents and Settings\simone\桌面\Woman Disabled by THIS YEARS FLU SHOT (10 days AFTER vaccination ).mp4
[2009/06/04 14:15:44 | 00,168,448 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2009/05/29 07:25:07 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\setup_XP.ini
[2009/04/07 02:46:13 | 00,068,960 | R--- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2009/04/05 09:41:19 | 00,000,065 | ---- | C] () -- C:\WINDOWS\videotoaudio.ini
[2009/04/05 09:39:39 | 00,237,568 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2008/11/29 10:04:34 | 00,000,025 | ---- | C] () -- C:\Documents and Settings\simone\Application Data\Resize! preferences
[2008/09/12 23:28:32 | 00,237,568 | ---- | C] () -- C:\WINDOWS\System32\rmc_rtspdl.dll
[2008/05/24 19:35:45 | 00,000,033 | ---- | C] () -- C:\Documents and Settings\simone\Application Data\pcouffin.log
[2008/05/24 19:35:44 | 00,007,887 | ---- | C] () -- C:\Documents and Settings\simone\Application Data\pcouffin.cat
[2008/05/24 19:35:43 | 00,001,144 | ---- | C] () -- C:\Documents and Settings\simone\Application Data\pcouffin.inf
[2008/05/22 00:21:27 | 00,129,024 | ---- | C] () -- C:\WINDOWS\System32\AVERM.dll
[2008/05/22 00:21:27 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\AVEQT.dll
[2008/05/20 11:57:16 | 00,025,624 | ---- | C] () -- C:\WINDOWS\System32\drivers\LVPr2Mon.sys
[2008/05/20 02:18:16 | 00,000,000 | ---- | C] () -- C:\WINDOWS\ViDown.INI
[2008/03/14 18:24:13 | 00,152,932 | ---- | C] () -- C:\Documents and Settings\simone\Application Data\NMM-MetaData.db
[2007/09/20 18:33:52 | 03,190,784 | ---- | C] () -- C:\WINDOWS\System32\libavcodec.dll
[2007/09/20 18:33:52 | 00,741,376 | ---- | C] () -- C:\WINDOWS\System32\audxlib.dll
[2007/09/20 18:33:52 | 00,511,488 | ---- | C] () -- C:\WINDOWS\System32\ff_x264.dll
[2007/09/20 18:33:52 | 00,405,504 | ---- | C] () -- C:\WINDOWS\System32\libmplayer.dll
[2007/09/20 18:33:52 | 00,245,760 | ---- | C] () -- C:\WINDOWS\System32\ff_libfaad2.dll
[2007/09/20 18:33:52 | 00,221,184 | ---- | C] () -- C:\WINDOWS\System32\ff_kernelDeint.dll
[2007/09/20 18:33:52 | 00,200,704 | ---- | C] () -- C:\WINDOWS\System32\TomsMoComp_ff.dll
[2007/09/20 18:33:52 | 00,155,648 | ---- | C] () -- C:\WINDOWS\System32\ff_libdts.dll
[2007/09/20 18:33:52 | 00,143,360 | ---- | C] () -- C:\WINDOWS\System32\ff_theora.dll
[2007/09/20 18:33:52 | 00,122,880 | ---- | C] () -- C:\WINDOWS\System32\ff_samplerate.dll
[2007/09/20 18:33:52 | 00,118,784 | ---- | C] () -- C:\WINDOWS\System32\ff_libmad.dll
[2007/09/20 18:33:52 | 00,114,688 | ---- | C] () -- C:\WINDOWS\System32\libmpeg2_ff.dll
[2007/09/20 18:33:52 | 00,097,280 | ---- | C] () -- C:\WINDOWS\System32\ff_realaac.dll
[2007/09/20 18:33:52 | 00,079,872 | ---- | C] () -- C:\WINDOWS\System32\ff_tremor.dll
[2007/09/20 18:33:52 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\ff_liba52.dll
[2007/09/20 18:33:52 | 00,038,400 | ---- | C] () -- C:\WINDOWS\System32\ff_unrar.dll
[2007/09/20 18:33:52 | 00,026,624 | ---- | C] () -- C:\WINDOWS\System32\ff_wmv9.dll
[2007/08/22 19:12:45 | 00,081,920 | R--- | C] () -- C:\WINDOWS\System32\srctrl.dll
[2007/07/31 08:01:04 | 00,087,480 | ---- | C] () -- C:\WINDOWS\System32\WMTranscoder11.dll
[2007/07/31 08:00:58 | 00,071,096 | ---- | C] () -- C:\WINDOWS\System32\VFWAVSplitterInternal10.dll
[2007/04/12 01:23:22 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\IPPCPUID.DLL
[2007/04/12 01:22:46 | 00,011,776 | ---- | C] () -- C:\WINDOWS\System32\pmsbfn32.dll
[2007/04/12 01:20:19 | 00,000,416 | ---- | C] () -- C:\WINDOWS\MAXLINK.INI
[2007/04/12 01:00:09 | 00,003,072 | ---- | C] () -- C:\WINDOWS\System32\CNCFLbNL.DLL
[2007/04/01 00:00:33 | 00,015,497 | ---- | C] () -- C:\WINDOWS\snp2std.ini
[2007/04/01 00:00:32 | 10,221,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\snp2sxp.sys
[2007/01/15 17:20:00 | 00,246,784 | ---- | C] () -- C:\WINDOWS\System32\sqlite3.dll
[2006/12/15 16:40:30 | 00,000,037 | ---- | C] () -- C:\WINDOWS\SWFConverter.INI
[2006/11/17 08:35:16 | 00,000,737 | ---- | C] () -- C:\WINDOWS\XMLEditor3.INI
[2006/09/02 10:56:02 | 00,000,112 | ---- | C] () -- C:\WINDOWS\ActiveSkin.INI
[2006/04/27 10:24:24 | 00,845,312 | ---- | C] () -- C:\WINDOWS\System32\Smab.dll
[2006/04/20 18:50:42 | 01,003,520 | ---- | C] () -- C:\WINDOWS\System32\ltmm_n.dll
[2005/12/07 12:31:00 | 00,202,752 | R--- | C] () -- C:\WINDOWS\System32\CddbCdda.dll
[2005/09/10 17:49:59 | 00,000,040 | ---- | C] () -- C:\WINDOWS\3D Text Factory.INI
[2005/08/18 14:19:16 | 00,007,680 | ---- | C] () -- C:\WINDOWS\System32\CNMVS6f.DLL
[2005/07/14 12:31:20 | 00,027,648 | RHS- | C] () -- C:\WINDOWS\System32\AVSredirect.dll
[2005/06/21 22:37:42 | 00,045,568 | RHS- | C] () -- C:\WINDOWS\System32\cygz.dll
[2005/02/01 18:41:54 | 00,000,376 | ---- | C] () -- C:\WINDOWS\NJCOM.INI
[2004/10/18 23:24:57 | 00,000,049 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2004/10/01 21:57:24 | 00,117,760 | ---- | C] () -- C:\Documents and Settings\simone\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2004/10/01 19:41:06 | 00,010,570 | ---- | C] () -- C:\WINDOWS\CDPLAYER.INI
[2004/09/30 21:11:29 | 00,000,379 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/09/28 06:38:30 | 00,114,688 | ---- | C] () -- C:\WINDOWS\System32\wmatimer.dll
[2004/07/01 18:38:44 | 00,147,456 | ---- | C] () -- C:\WINDOWS\System32\lttls13n.dll
[2004/07/01 18:38:38 | 00,708,608 | ---- | C] () -- C:\WINDOWS\System32\ltcry13n.dll
[2004/07/01 18:38:28 | 00,338,944 | ---- | C] () -- C:\WINDOWS\System32\lffpx7.dll
[2004/07/01 18:38:28 | 00,118,784 | ---- | C] () -- C:\WINDOWS\System32\lfkodak.dll
[2004/06/18 12:44:47 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/06/18 12:33:25 | 00,000,968 | ---- | C] () -- C:\WINDOWS\necmfk.ini
[2004/06/18 12:33:25 | 00,000,576 | ---- | C] () -- C:\WINDOWS\wmfkbpok.ini
[2004/06/18 12:21:41 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/06/18 12:20:57 | 00,000,044 | ---- | C] () -- C:\WINDOWS\System32\msssc.dll
[2003/09/09 16:27:24 | 00,000,536 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2003/03/26 10:02:47 | 00,000,797 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2003/03/26 09:48:07 | 00,006,958 | ---- | C] () -- C:\WINDOWS\System32\wdpnt.dll
[2003/01/29 16:18:00 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[1980/01/01 00:00:00 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll

========== LOP Check ==========

[2007/02/21 00:51:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ACD Systems
[2006/03/11 00:30:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Fellowes
[2008/03/14 18:02:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nokia
[2008/03/14 18:15:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Suite
[2007/04/12 01:20:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanSoft
[2008/11/05 06:58:58 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2006/11/15 17:53:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\simone\Application Data\ACD Systems
[2009/06/11 01:09:58 | 00,000,000 | ---D | M] -- C:\Documents and Settings\simone\Application Data\Auslogics
[2009/11/26 11:21:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\simone\Application Data\authorPOINT
[2009/11/23 11:48:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\simone\Application Data\Canon
[2007/04/12 15:09:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\simone\Application Data\CD-LabelPrint
[2008/07/04 17:49:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\simone\Application Data\eBookPro6
[2008/10/07 12:25:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\simone\Application Data\gtk-2.0
[2007/04/01 00:53:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\simone\Application Data\ICQ Toolbar
[2007/04/08 00:22:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\simone\Application Data\ICQLite
[2008/11/25 07:36:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\simone\Application Data\JAGED Inc
[2004/09/30 23:40:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\simone\Application Data\Leadertech
[2007/04/12 16:31:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\simone\Application Data\NewSoft
[2008/03/14 18:11:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\simone\Application Data\Nokia
[2008/05/18 10:34:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\simone\Application Data\Nokia Multimedia Player
[2008/03/14 18:37:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\simone\Application Data\NSeries
[2008/03/15 06:22:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\simone\Application Data\PC Suite
[2006/04/18 16:20:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\simone\Application Data\RecordPad
[2007/04/12 01:20:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\simone\Application Data\ScanSoft
[2008/10/11 11:01:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\simone\Application Data\Vso

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2008/04/14 02:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/14 02:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\dllcache\agp440.sys
[2008/04/14 02:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/04 14:07:41 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2002/08/29 01:27:50 | 00,086,912 | ---- | M] (Microsoft Corporation) MD5=95B858761A00E1D4F81F79A0DA019ACA -- C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys
[2008/04/14 02:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/14 02:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2008/04/14 02:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 13:59:42 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/15 18:54:31 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=0A9FB6653A8AC115B5110C0A5C263952 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/15 18:54:31 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=0A9FB6653A8AC115B5110C0A5C263952 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/12 09:16:13 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=D33069982F8DCCA36BA9B5E64188BA48 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/15 18:54:35 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=380F657700A117DA25AB6E4713EB8E08 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/15 18:54:35 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=380F657700A117DA25AB6E4713EB8E08 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/12 09:16:14 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=E1E2BA80D8CFC0C6814E5774E42B53D9 -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2008/04/15 18:54:37 | 00,172,544 | ---- | M] (Microsoft Corporation) MD5=011B5C1D7D51291041B4574CD423253C -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/15 18:54:37 | 00,172,544 | ---- | M] (Microsoft Corporation) MD5=011B5C1D7D51291041B4574CD423253C -- C:\WINDOWS\system32\scecli.dll
[2004/08/12 09:16:15 | 00,171,520 | ---- | M] (Microsoft Corporation) MD5=3294F364BA88EDA4A296A7FDD55653E9 -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll

< %systemroot%\*. /mp /s >

< c:\$recycle.bin\*.* /s >

========== Files - Unicode (All) ==========
[2009/12/03 06:18:42 | 00,001,140 | ---- | M] ()(C:\Documents and Settings\simone\桌面\?人?作伴-林?翁立友.txt) -- C:\Documents and Settings\simone\桌面\无人来作伴-林姗翁立友.txt
[2009/12/03 06:18:42 | 00,001,140 | ---- | C] ()(C:\Documents and Settings\simone\桌面\?人?作伴-林?翁立友.txt) -- C:\Documents and Settings\simone\桌面\无人来作伴-林姗翁立友.txt
[2009/12/03 06:04:50 | 01,927,707 | ---- | M] ()(C:\Documents and Settings\simone\桌面\?人?作伴-林? 翁立友.wma) -- C:\Documents and Settings\simone\桌面\无人来作伴-林姗 翁立友.wma
[2009/12/03 05:59:09 | 01,927,707 | ---- | C] ()(C:\Documents and Settings\simone\桌面\?人?作伴-林? 翁立友.wma) -- C:\Documents and Settings\simone\桌面\无人来作伴-林姗 翁立友.wma
[2009/06/06 16:37:41 | 00,000,091 | ---- | M] ()(C:\Documents and Settings\simone\桌面\搜索??:人?小姐 - 土豆网 ??搜索 在??看.URL) -- C:\Documents and Settings\simone\桌面\搜索视频:人鱼小姐 - 土豆网 视频搜索 在线观看.URL
[2009/06/06 16:37:41 | 00,000,091 | ---- | C] ()(C:\Documents and Settings\simone\桌面\搜索??:人?小姐 - 土豆网 ??搜索 在??看.URL) -- C:\Documents and Settings\simone\桌面\搜索视频:人鱼小姐 - 土豆网 视频搜索 在线观看.URL
[2009/06/03 13:12:15 | 00,000,096 | ---- | M] ()(C:\Documents and Settings\simone\桌面\魔幻手机 全集_在??看84???_土豆网.URL) -- C:\Documents and Settings\simone\桌面\魔幻手机 全集_在线观看84个视频_土豆网.URL
[2009/06/03 13:12:15 | 00,000,096 | ---- | C] ()(C:\Documents and Settings\simone\桌面\魔幻手机 全集_在??看84???_土豆网.URL) -- C:\Documents and Settings\simone\桌面\魔幻手机 全集_在线观看84个视频_土豆网.URL
[2009/06/02 07:34:39 | 00,000,059 | ---- | M] ()(C:\Documents and Settings\simone\桌面\魔幻手机-第01集- 黑豆 – 土豆网高清版 正版清晰???、?影、????.URL) -- C:\Documents and Settings\simone\桌面\魔幻手机-第01集- 黑豆 – 土豆网高清版 正版清晰电视剧、电影、综艺视频.URL
[2009/06/02 07:34:39 | 00,000,059 | ---- | C] ()(C:\Documents and Settings\simone\桌面\魔幻手机-第01集- 黑豆 – 土豆网高清版 正版清晰???、?影、????.URL) -- C:\Documents and Settings\simone\桌面\魔幻手机-第01集- 黑豆 – 土豆网高清版 正版清晰电视剧、电影、综艺视频.URL
[2009/04/14 02:52:33 | 00,000,073 | ---- | M] ()(C:\Documents and Settings\simone\桌面\?冰者 第3集 - ?? - 优酷?? - 在??看 - ?冰者 新加坡 ?智霖 李南星 ?? 郭淑? ?松仁 ?法蓉.URL) -- C:\Documents and Settings\simone\桌面\扫冰者 第3集 - 视频 - 优酷视频 - 在线观看 - 扫冰者 新加坡 张智霖 李南星 连凯 郭淑贤 刘松仁 陈法蓉.URL
[2009/04/14 02:52:33 | 00,000,073 | ---- | C] ()(C:\Documents and Settings\simone\桌面\?冰者 第3集 - ?? - 优酷?? - 在??看 - ?冰者 新加坡 ?智霖 李南星 ?? 郭淑? ?松仁 ?法蓉.URL) -- C:\Documents and Settings\simone\桌面\扫冰者 第3集 - 视频 - 优酷视频 - 在线观看 - 扫冰者 新加坡 张智霖 李南星 连凯 郭淑贤 刘松仁 陈法蓉.URL
[2009/04/14 01:24:01 | 00,000,112 | ---- | M] ()(C:\Documents and Settings\simone\桌面\百度??搜索_?冰者 1.URL) -- C:\Documents and Settings\simone\桌面\百度视频搜索_扫冰者 1.URL
[2009/04/14 01:24:01 | 00,000,112 | ---- | C] ()(C:\Documents and Settings\simone\桌面\百度??搜索_?冰者 1.URL) -- C:\Documents and Settings\simone\桌面\百度视频搜索_扫冰者 1.URL
[2009/03/03 18:21:34 | 00,000,000 | ---D | M](C:\Documents and Settings\simone\My Documents\激?_MY QUOTES) -- C:\Documents and Settings\simone\My Documents\激励_MY QUOTES
[2008/12/16 05:38:47 | 00,000,000 | ---D | M](C:\Documents and Settings\simone\My Documents\激?_Related QUOTES) -- C:\Documents and Settings\simone\My Documents\激励_Related QUOTES
[2008/10/22 01:38:02 | 00,000,000 | ---D | C](C:\Documents and Settings\simone\My Documents\激?_MY QUOTES) -- C:\Documents and Settings\simone\My Documents\激励_MY QUOTES
[2008/01/30 02:07:41 | 00,032,256 | ---- | M] ()(C:\Documents and Settings\simone\My Documents\Eng_Chinese Sentences_吵架必?英?99句.doc) -- C:\Documents and Settings\simone\My Documents\Eng_Chinese Sentences_吵架必备英语99句.doc
[2008/01/30 02:07:40 | 00,032,256 | ---- | C] ()(C:\Documents and Settings\simone\My Documents\Eng_Chinese Sentences_吵架必?英?99句.doc) -- C:\Documents and Settings\simone\My Documents\Eng_Chinese Sentences_吵架必备英语99句.doc
[2005/09/25 02:29:59 | 00,000,000 | ---D | C](C:\Documents and Settings\simone\My Documents\激?_Related QUOTES) -- C:\Documents and Settings\simone\My Documents\激励_Related QUOTES

========== Alternate Data Streams ==========

@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
< End of report >



#2
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi Simone, let's see if we can fix you :)

Run OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :OTL
    O3 - HKLM\..\Toolbar: (no name) - {8E718888-423F-11D2-876E-00A0C9082467} - No CLSID value found.
    O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
    
    :Commands
    [purity]
    [emptytemp]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post a new OTL log (don't check the boxes beside LOP Check or Purity this time)

THEN

Download ComboFix from one of these locations:


Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#3
legna

legna

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 147 posts
Here's the OTL log

Here's the Combofix.txt

#4
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi Simone, you need to set the files to share before I can access them :)

#5
legna

legna

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 147 posts
:) Sorry for the inconvenience caused. Had some trouble uploading to mediafire. Also had trouble logging in to the other site too! :)

PS: By the way, I also did a Quick Scan with Malwarebytes AntiMalware after performing OTL and Combofix, BUT as usual, Backdoor.bot is still there!

It also seems that the software which I had deleted long ago (but still showed up the previous time and could not be deleted by Combofix the other time) has been finally uninstalled.

Here's the OTL log.

All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{8E718888-423F-11D2-876E-00A0C9082467} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8E718888-423F-11D2-876E-00A0C9082467}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes

User: All Users

User: Default User
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Owner

User: simone
->Temp folder emptied: 395 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 15370715 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 125921 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 54042 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 14.89 mb


OTL by OldTimer - Version 3.1.11.7 log created on 12072009_035033

Files\Folders moved on Reboot...
File move failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\logishrd\LVPrcInj01.dll scheduled to be moved on reboot.
C:\WINDOWS\temp\Perflib_Perfdata_79c.dat moved successfully.

Registry entries deleted on Reboot...


Here's the Combofix.txt

ComboFix 09-12-06.07 - simone 2/2009 Mon 4:17.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.950.852.1028.18.502.240 [GMT 8:00]
執行位置: c:\documents and settings\simone\桌面\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 091206-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( 被刪除的檔案 )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\TEMP\logishrd\LVPrcInj01.dll

.
((((((((((((((((((((((((( 2009-11-06 至 2009-12-06 的新的檔案 )))))))))))))))))))))))))))))))
.

2009-12-06 19:50 . 2009-12-06 19:50 -------- d-----w- C:\_OTL
2009-12-04 00:04 . 2009-12-03 08:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-04 00:04 . 2009-12-03 08:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-04 00:04 . 2009-12-04 00:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-28 12:53 . 2009-11-28 12:53 -------- d-----w- c:\program files\Common Files\Apple
2009-11-28 12:52 . 2009-11-28 12:53 -------- d-----w- c:\program files\QuickTime
2009-11-28 12:51 . 2009-11-28 12:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-11-28 11:41 . 2009-11-28 11:41 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-11-27 19:45 . 2009-11-27 19:45 152576 ----a-w- c:\documents and settings\simone\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-27 19:43 . 2009-11-27 19:45 79488 ----a-w- c:\documents and settings\simone\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-24 01:23 . 2009-11-24 01:23 10242032 ----a-w- c:\documents and settings\simone\Application Data\Google\Google Pinyin\pinyin-2.0.8.54\GooglePinyinInstaller.exe
2009-11-23 03:04 . 2009-11-23 03:04 -------- d-----w- c:\program files\Auslogics
2009-11-23 02:31 . 2009-11-23 02:31 -------- d-sh--w- c:\documents and settings\simone\PrivacIE
2009-11-23 01:44 . 2009-11-23 01:44 -------- d-sh--w- c:\documents and settings\simone\IETldCache
2009-11-23 01:35 . 2009-11-23 01:35 -------- d-----w- c:\windows\system32\XPSViewer
2009-11-23 01:35 . 2009-11-23 01:35 -------- d-----w- c:\program files\MSBuild
2009-11-23 01:34 . 2009-11-23 01:34 -------- d-----w- c:\program files\Reference Assemblies
2009-11-23 01:34 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2009-11-23 01:33 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-11-23 01:33 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-11-23 01:33 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-11-23 01:33 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-11-23 01:33 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2009-11-23 01:33 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-11-23 01:33 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-11-23 01:33 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-11-23 01:21 . 2009-10-02 04:44 92160 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-11-23 01:20 . 2009-11-23 07:57 -------- d-----w- c:\windows\ie8updates
2009-11-23 01:19 . 2009-08-29 07:54 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-11-23 01:19 . 2009-08-29 07:54 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-11-23 01:15 . 2009-11-23 01:19 -------- dc-h--w- c:\windows\ie8

.
(((((((((((((((((((((((((((((((((((((((( 在三個月內被修改的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-04 00:04 . 2009-03-13 21:11 -------- d-----w- c:\documents and settings\simone\Application Data\Malwarebytes
2009-12-04 00:04 . 2009-03-13 21:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-02 22:07 . 2004-10-01 18:10 -------- d-----w- c:\program files\NJStar Communicator
2009-11-27 19:47 . 2005-04-14 18:47 -------- d-----w- c:\program files\Java
2009-11-26 03:21 . 2008-12-11 11:06 -------- d-----w- c:\documents and settings\simone\Application Data\authorPOINT
2009-11-24 23:54 . 2009-05-12 19:44 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2009-05-12 19:45 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-24 23:49 . 2009-05-12 19:45 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2009-05-12 19:45 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2009-05-12 19:45 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2009-05-12 19:45 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-24 01:43 . 2005-08-18 09:29 -------- d-----w- c:\program files\Canon
2009-11-24 01:23 . 2008-11-26 21:30 -------- d-----w- c:\program files\Google
2009-11-23 08:06 . 2003-03-26 01:48 287024 ----a-w- c:\windows\system32\prfh0404.dat
2009-11-23 08:06 . 2003-03-26 01:48 110586 ----a-w- c:\windows\system32\prfc0404.dat
2009-11-23 03:48 . 2005-08-19 07:40 -------- d-----w- c:\documents and settings\simone\Application Data\Canon
2009-11-23 02:39 . 2009-06-08 22:28 -------- d-----w- c:\documents and settings\simone\Application Data\SUPERAntiSpyware.com
2009-11-23 02:39 . 2008-10-04 05:39 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-23 02:11 . 2005-03-17 15:41 27712 -c--a-w- c:\documents and settings\simone\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-10 20:17 . 2009-04-03 21:42 411368 -c--a-w- c:\windows\system32\deploytk.dll
2009-09-15 10:56 . 2009-05-12 19:45 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-09-15 10:55 . 2009-05-12 19:45 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-09-15 10:55 . 2009-05-12 19:45 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-09-11 14:17 . 2003-03-26 01:47 136192 ----a-w- c:\windows\system32\msv1_0.dll
2005-07-14 04:31 . 2005-07-14 04:31 27648 -csha-r- c:\windows\system32\AVSredirect.dll
2005-06-26 07:32 . 2005-06-26 07:32 616448 -csha-r- c:\windows\system32\cygwin1.dll
2005-06-21 14:37 . 2005-06-21 14:37 45568 -csha-r- c:\windows\system32\cygz.dll
2006-05-03 09:06 . 2007-01-20 09:28 163328 -csh--r- c:\windows\system32\flvDX.dll
2004-01-24 16:00 . 2004-01-24 16:00 70656 -csha-r- c:\windows\system32\i420vfw.dll
2007-02-21 10:47 . 2008-09-30 02:46 31232 -csh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30 . 2008-09-30 02:46 216064 -csh--r- c:\windows\system32\nbDX.dll
2009-03-29 04:55 . 2009-03-29 04:52 143392 -csha-w- c:\windows\system32\drivers\fidbox.dat
.

((((((((((((((((((((((((((((((((((((( 重要登入點 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白與合法缺省登錄將不會被顯示
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tsnp2std"="c:\windows\tsnp2std.exe" [2006-01-16 114688]
"snp2std"="c:\windows\vsnp2std.exe" [2006-01-06 344064]
"PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 455168]
"NECMFK"="c:\program files\necmfk\necmfk.exe" [2004-02-10 62976]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-01-15 118784]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-02-27 135168]
"AGRSMMSG"="AGRSMMSG.exe" [2003-10-23 88363]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 455168]
"sclauncher"="c:\program files\SimpleCenter\bin\win\sclauncher.exe" [2007-01-30 94208]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-06-03 564496]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"Google Pinyin 2 Autoupdater"="c:\program files\Google\Google Pinyin 2\GooglePinyinDaemon.exe" [2009-11-24 1119728]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-10 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\System32\CTFMON.EXE" [2008-04-15 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^「開始」功能表^程式集^啟動^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\「開始」功能表\程式集\啟動\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9 -reboot 1 [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2005-06-06 15:46 57344 -c--a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FixCamera]
2005-12-06 05:08 20480 -c--a-w- c:\windows\FixCamera.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
2006-07-11 10:06 3144800 -c--a-w- c:\program files\ICQLite\ICQLite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2004-01-15 16:20 155648 -c--a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaFace Integration]
2004-07-01 11:08 53248 -c--a-w- c:\program files\Fellowes\MediaFACE 4.0\SetHook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-15 10:54 1695232 -c--a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NSLauncher]
2007-09-07 06:44 3100672 -c--a-w- c:\program files\Nokia\Nokia Software Launcher\NSLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
2006-10-11 04:45 75304 -c--a-w- c:\program files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-10 15:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sclauncher]
2007-01-30 02:40 94208 -c--a-w- c:\program files\SimpleCenter\bin\win\sclauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]
2008-04-15 10:54 1695232 -c--a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-09-28 05:16 185896 -c--a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\ICQLite\\ICQLite.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 R592;R592;c:\windows\system32\drivers\R592.sys [1/1/1980 54912]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [13/5/2009 3:45 114768]
R1 MFKGTKEY;MFKGTKEY;c:\windows\system32\drivers\mfkgtkey.sys [1/1/1980 17920]
R1 Ps2LedIF;Ps2LedIF;c:\windows\system32\drivers\Ps2LedIF.sys [1/1/1980 5376]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [13/5/2009 3:45 20560]
R3 Ps2Led;NEC Note Keyboard with One-touch start buttons;c:\windows\system32\drivers\Ps2Led.sys [1/1/1980 8448]
.
------- 而外的掃描 -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://service.symantec.com/LU1861
IE: &Download All with FlashGet
IE: &Download with FlashGet
IE: Open using &Advanced JPEG Compressor - c:\program files\Advanced JPEG Compressor\ajcieex.htm
IE: Snip to my eSnips account - c:\program files\eSnips\res\SnipIt.htm
IE: 用維棠下載視頻 - c:\documents and settings\simone\My Documents\#My DL\Vidown\vd_link.htm
Trusted Zone: free.fr\gpl.download
Trusted Zone: google.com\www
Trusted Zone: talkfusion.com\www
Trusted Zone: talkfusioncustomer.com\www
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\simone\Application Data\Mozilla\Firefox\Profiles\hvnqe8hm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.5.0_02\bin\jusched.exe
AddRemove-MediaNavigation.CDLabelPrint - c:\program files\Canon\CD-LabelPrint\Uninstal.exe Canon.CDLabelPrint.Application



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-07 04:33
Windows 5.1.2600 Service Pack 3 NTFS

掃描被隱藏的進程 ...

掃描被隱藏的啟動組 ...

掃描被隱藏的文件 ...

掃描完成
被隱藏的檔案: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\AppEvents\Schemes\Apps\Conf\摸嗿*Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_USERS\LocalService\AppEvents\Schemes\Apps\Conf\摸嗿*Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_USERS\S-1-5-20\AppEvents\Schemes\Apps\Conf\摸嗿*Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_USERS\S-1-5-21-2416478673-1163175544-1116799606-1005\AppEvents\Schemes\Apps\Conf\摸嗿*Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_USERS\S-1-5-21-2416478673-1163175544-1116799606-1005\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft FrontPage\Settings\?_U *W*e*b*\File Name MRU]
"Value"=multi:"\00\00"
"Maximum Entries"=dword:0000000a

[HKEY_USERS\S-1-5-21-2416478673-1163175544-1116799606-1005\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft FrontPage\Settings\?_U *W*e*b*\View]
"Data"=hex:04,16,00,43,28,14,14,14,0d,01,02,01,00,18,41,00,0d,00,fa,08,00,00,
8b,44,0d,00,fa,08,00,00,8b,44,0d,00,fa,08,00,00,8b,44,0d,00,fa,08,00,00,8b,\

[HKEY_USERS\S-1-5-21-2416478673-1163175544-1116799606-1005\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Office\Settings\?_U *O*f*f*i*c*e* *譸\File Name MRU]
"Value"=multi:"\00\00"
"Maximum Entries"=dword:0000000a

[HKEY_USERS\S-1-5-21-2416478673-1163175544-1116799606-1005\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Office\Settings\?_U *O*f*f*i*c*e* *譸\View]
"Data"=hex:04,16,00,47,28,14,14,14,0d,01,02,01,00,18,41,00,0d,00,fa,08,00,00,
8b,44,0d,00,fa,08,00,00,8b,44,0d,00,fa,08,00,00,8b,44,0d,00,fa,08,00,00,8b,\

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CLSID]
@="{809B6661-94C4-49E6-B6EC-3F0F862215AA}"

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CurVer]
@="BDATuner.元件.1"

[HKEY_LOCAL_MACHINE\software\Microsoft\ESENT\Process\OU
\OULP
\(*魯i_x??*\DEBUG]
"Trace Level"=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\SUPER *]
"DisplayName"="SUPER ?Version 2008.bld.33 (Sep 2, 2008)"
"UninstallString"="c:\\PROGRA~1\\ERIGHT~1\\SUPER\\Setup.exe /remove /q0"
"InstallDate"="2008-09-30 10:46"
"InstallLocation"="c:\\Program Files\\eRightSoft\\SUPER"
"InstallSource"="c:\\Documents and Settings\\simone\\桌面"
"DisplayIcon"="c:\\Program Files\\eRightSoft\\SUPER\\SUPER.exe"
"DisplayVersion"="Version 2008.bld.33 (Sep 2, 2008)"
"VersionMajor"=dword:00000000
"VersionMinor"=dword:00000000
"Publisher"="eRightSoft"
"HelpLink"="http://www.eRightSoft.com"
"URLInfoAbout"="http://www.eRightSoft.com"
"URLUpdateInfo"="http://www.eRightSoft.com"
"Contact"="[email protected]"
.
--------------------- 運行進程下的動態鏈接庫 ---------------------

- - - - - - - > 'explorer.exe'(3900)
c:\windows\system32\WININET.dll
c:\program files\Windows Media Player\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ 其他運行進程 ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\AGRSMMSG.exe
c:\program files\Apoint2K\Apntex.exe
c:\program files\Apoint2K\HidFind.exe
.
**************************************************************************
.
完成時間: 2009-12-07 04:45 - 電腦已重新啟動
ComboFix-quarantined-files.txt 2009-12-06 20:45
ComboFix2.txt 2009-06-01 20:40

Pre-Run: 16,312,115,200 位元組可用
Post-Run: 16,249,126,912 位元組可用

- - End Of File - - 1236BF285EC1A19EE191E2DAA9E84059

Edited by legna, 07 December 2009 - 06:54 PM.


#6
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi Simone, that looks OK. Could you note down what file/location MBAM is reporting, please, and then let me know.

#7
legna

legna

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 147 posts
As can be seen from my previous printout, there ISN'T ANY FILE LOCATION!

Therefore, I suspect that this is indeed a false positive that could not be deleted.

Backdoor.bot has been in my laptop for so many months and it seems that all the newest revisions of Malwarebytes did not include this fix.

#8
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
I would concur with that, as there is no evidence on any of the other logs. If it gave a file/registry name I could have gone to MBAM with it, but as it is keeping quiet about it I am not sure that there is much we can do at this stage.

#9
legna

legna

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 147 posts
So it seems Backdoor.bot is here to stay.

To remove those excess icons on the desktop, I just start OTL.exe and click Cleanup?

__________________________

Need your help in configuring and opening up the wireless in XP.

Please TAKE NOTE that I DO NOT have any problem in Vista as there is a switch on my laptop to open up the wireless icon on the bottom bar of my pc.
Normally I am using broadband internet (MaxOnline) from my internet provider, Starhub. No problems at all.

The other one is a Mobile Broadband USB stick that I carry whenever I need to use it outside.

One day, I decided to try it at home without using modem (broadband internet). I do not have any wireless router and therefore I just unplug the broadband internet modem from laptop.
This USB stick works very well in Vista. I just need to plug this into my laptop, and it immediately connects me to the internet.

IS THERE ANY WAY TO TAKE AWAY THE RED X IN WIRELESS ICON?
BUT in my XP, there isn't any switch. The wireless icon is crossed out in the bottom bar on the lower right of the laptop.
When I right click on the wireless icon which is crossed out in the bottom right of XP, I can see that the connection is already enabled, as the first option in this menu is Disable.

Here's the printscreen when I right click on the crossed out wireless icon and click on Open Internet Connection. Sorry, it's in Chinese with some English as well.

If my memory did not fail me, my previous technician once asked me whether I need to use wireless at home. I told him NO (I do not need it then). He then switched off the whole thing for me. I used to see this wireless icon ON the other time as there are also other wireless networks in my neighbourhood.

Is it possible to remove the red X so that I can use my USB stick to connect to the internet (XP laptop)?

Kindly help me to configure.

Thanks, Martin.

#10
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts

To remove those excess icons on the desktop, I just start OTL.exe and click Cleanup

Yep :)

You can't actually remove the icon but you can permanently hide it. I no longer have XP but there are some instructions here

All that is saying is that the internal wireless is not operative; the USB one will work.



#11
legna

legna

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 147 posts
Martin, thanks very much for your help.

#12
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
No problem I will have a hunt around the MBAM site and if I find an answer I will let you know :)

#13
legna

legna

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 147 posts
Hey Martin, I happened to see this in the Malwarebytes Forum.

Does it have anything to do with worm.autorun?? or isn't my case quite similar to this? (though I could not find this worm in my pc ).

#14
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
It could be but the problem is that MBAM gives no indication of what the registry key is. Update and run MBAM and see if it gives us an actual registry key

#15
legna

legna

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 147 posts
Had removed Backdoor.bot as many times as I had updated it BUT strangely, there is NO REGISTRY KEY.
Even did it in SAFE MODE (which actually isn't recommended according to what I had read in that forum).

BACKDOOR.BOT CANNOT BE REMOVED.