[legna]

Dear Sir/Madam,

Your help is greatly appreciated as this problem has been bothering me for more than half a year. Kindly advise. Inform by e-mail.

I believe that my computer is in serious trouble.

I have attached a printscreen of a few things that i have deleted in my registry and also the generic win32 problem.
msile.exe and the few .scr windows telephony items, i have all deleted.
I see that svchost is disabled. Should it be enabled or disabled? Has this got to do with the generic process for win32 services and no sound coming out from pc?

WHAT IS WINDOWS TELEPHONY? I can still see Windows Telephony folders in various controlsets in registry.





Many months ago, I unknowingly clicked into one website and a popup appears saying that it has STOLEN MY WHOLE PC INFORMATION! I did a malwarebytes antispyware removal scan and also did a scan with my prevous AVG (which was later infected with malware and viruses) which I had already deleted by now. I had replaced it with AVIRA.

All along, my pc had been configured to show hidden files and folders.
I have gone through the malware guide in your site and have downloaded rooter.exe and OTListIt2 on the desktop. I did not see any minimized Extras.txt
I have also done a hijackthis log.

I started looking in the registry as the malware keeps reappearing
I hope i have not done anything disastrous as I had gone to the registry to delete a folder called docker19 in a few of the controlsets.
I have also deleted sysdr32 that appears in the various controlsets in the registry as AVIRA could not detect this. I am Very sure this is a BACKDOOR PROGRAM as malwarebytes had previously caught this and I had already deleted malwarebytes from my system.

KEEPS APPEARING NOW AND THEN
As I was doing the scanning for OTListIt2, I received an Avira AntiVir Guard popup (very frequently, many times everyday,different malware found):
C:\Documents & Setups\All Users\Documents\GameSetup.exe
I immediately moved that to quarantine. I have a whole lot of malware & trojans there which I have not yet deleted.

GENERIC PROCESS FOR WIN32 SERVICES
has been bothering me for the past few months. When this happens, the taskbar keeps jumping, turns to white and back to blue again. All sounds in my pc could not work. This can happen anytime. Sometimes a few times a day. At times, internet will be disconnected. After rebooting, I could connect again.

Persistent ReInfection
When I did an AVIRA full scan, a pop up keeps on appearing showing there is malware in C:\Documents and settings\\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\armed[1].exe and arf.exe . Punisher.exe and PsKill.exe frequently appears too.
It is getting worse now because I keep on getting this same pop up by the seconds and minutes!

It seems that ANTIVIR GUARD keeps on catching the same malware and there appears to be many popups but when i did a full scan using avira, EVEN AFTER FULL SCAN HAD FINISHED, THERE ISN'T ANY DETECTION!


It seems whatever malware that is out there, I am catching it. I even have the HTML/PicFrame.Gen HTML Script Virus which I had deleted one month ago!


Malwarebytes AntiMalware could not detect any and therefore i also deleted it.

DELETED Super AntiSpyware
when I tried deleting in add and remove programs, the below error appeared.
Error 1922. Service 'SASENUM) could not be deleted. Verify that you have sufficient privileges to remove system services

Cancel. Retry . Ignore

Please wait while windows configures SuperAntiSpyware Free Edition

But anyway, I had mangaged to delete it already.


System Volume Information
When I click on my compuTer and go to C:\System Volume Information which is a hidden file, i could not click open this folder.
I believe there IS malware inside.

Previously, my AVG was infected. I have already deleted this program but in the registry under enum and root, i can still see a few of avg folders there. Can re infection occur becos of this?

SYSTEM RESTORE
As my computer had all along been a victim of viruses, trjans, malware and what-nots, i had even switched off system restore and did a scan in safe mode. Deleted whatever found and turned it back on again. But still no success in getting rid of infection. Is turning of system restore, a dangerous move?


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Here's the various extracted avira scans

GUARD: MALWARE FOUND

Virus or unwanted program 'BDS/Backdoor.Gen [backdoor]'
detected in file 'C:\Documents and Settings\All Users\Documents\GameSetup.exe.
Action performed: Move file to quarantine

Virus or unwanted program 'HEUR/Malware [heuristic]'
detected in file 'C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\ZVJR6MB1\armed[1].exe.
Action performed: Move file to quarantine

Virus or unwanted program 'HEUR/Malware [heuristic]'
detected in file 'C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\DFJW4BZO\armed[1].exe.
Action performed: Move file to quarantine

Virus or unwanted program 'HEUR/Malware [heuristic]'
detected in file 'C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\ZVJR6MB1\arf[1].exe.
Action performed: Move file to quarantine

Virus or unwanted program 'HEUR/Malware [heuristic]'
detected in file 'C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\D24RFFXW\arf[1].exe.
Action performed: Move file to quarantine

Virus or unwanted program 'HEUR/Malware [heuristic]'
detected in file 'C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\ZVJR6MB1\arf[2].exe.
Action performed: Move file to quarantine

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SCANNER: MALWARE FOUND

The file 'C:\System Volume Information\_restore{636D6522-BEB7-401B-B135-4410A33C34DF}\RP1\A0000028.INS'
contained a virus or unwanted program 'SPR/PsKill.A.13' [riskware]
Action(s) taken:
The file was moved to '49e70a75.qua'!

The file 'C:\System Volume Information\_restore{636D6522-BEB7-401B-B135-4410A33C34DF}\RP1\A0000027.INS'
contained a virus or unwanted program 'SPR/PsKill.A.13' [riskware]
Action(s) taken:
The file was moved to '49e70a74.qua'!

The file 'C:\WINDOWS\system\RESTORE.INS'
contained a virus or unwanted program 'SPR/PsKill.A.13' [riskware]
Action(s) taken:
The file was moved to '4a089166.qua'!

The file 'C:\System Volume Information\_restore{636D6522-BEB7-401B-B135-4410A33C34DF}\RP15\A0002090.exe'
contained a virus or unwanted program 'TR/Dropper.Gen' [trojan]
Action(s) taken:
The file was moved to '49e2ef18.qua'!


______________________________________________________________

GUARD:MALWARE FOUND

Virus or unwanted program 'TR/Dropper.Gen [trojan]'
C:\WINDOWS\system\msile.exe

Virus or unwanted program 'TR/Dropper.Gen [trojan]'
detected in file 'C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\ZVJR6MB1\arf[1].exe.
Action performed: Move file to quarantine

Virus or unwanted program 'TR/Dropper.Gen [trojan]'
detected in file 'C:\WINDOWS\system32\56.scr.
Action performed: Move file to quarantine

Virus or unwanted program 'TR/Dropper.Gen [trojan]'
detected in file 'C:\WINDOWS\system32\48.scr.
Action performed: Move file to quarantine

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Here's the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:09:35, on 16/3/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\tsnp2std.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\necmfk\necmfk.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\SimpleCenter\bin\win\sclauncher.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\simone\My Documents\#HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: EWPBrowseObject Class - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: eSnips - {ED1184DA-E57E-4480-99D0-A16809037F54} - C:\Program Files\eSnips\SnipBar.dll
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NECMFK] C:\Program Files\necmfk\necmfk.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [sclauncher] C:\Program Files\SimpleCenter\bin\win\sclauncher.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Google IME Autoupdater] "C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O8 - Extra context menu item: Open using &Advanced JPEG Compressor - C:\Program Files\Advanced JPEG Compressor\ajcieex.htm
O8 - Extra context menu item: Snip to my eSnips account - C:\Program Files\eSnips\res\SnipIt.htm
O8 - Extra context menu item: 用維棠下載視頻 - C:\Documents and Settings\simone\My Documents\#My DL\Vidown\vd_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O15 - Trusted Zone: gpl.download.free.fr
O15 - Trusted Zone: http://www.google.com
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.6.0_06) -
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 6355 bytes

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Here's the ROOTER.TXT

Microsoft Windows XP Home Edition (5.1.2600) Service Pack 2

C:\ [Fixed] - NTFS - (Total:35840 Mo/Free:1873 Mo)
D:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
E:\ [Removable] (Total:0 Mo/Free:0 Mo)
F:\ [Removable] (Total:0 Mo/Free:0 Mo)
G:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
I:\ [Removable] (Total:0 Mo/Free:0 Mo)

16/03/2009 Mon|16:24

----------------------\\ Processes..

--Locked-- [System Process]
---------- System
---------- \SystemRoot\System32\smss.exe
---------- \??\C:\WINDOWS\system32\csrss.exe
---------- \??\C:\WINDOWS\system32\winlogon.exe
---------- C:\WINDOWS\system32\services.exe
---------- C:\WINDOWS\system32\lsass.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\Explorer.EXE
---------- C:\WINDOWS\system32\spoolsv.exe
---------- C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
---------- C:\WINDOWS\tsnp2std.exe
---------- C:\WINDOWS\vsnp2std.exe
---------- C:\Program Files\necmfk\necmfk.exe
---------- C:\WINDOWS\System32\hkcmd.exe
---------- C:\Program Files\Apoint2K\Apoint.exe
---------- C:\WINDOWS\AGRSMMSG.exe
---------- C:\Program Files\SimpleCenter\bin\win\sclauncher.exe
---------- C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
---------- C:\Program Files\QuickTime\QTTask.exe
---------- C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe
---------- C:\Program Files\Apoint2K\HidFind.exe
---------- C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
---------- C:\Program Files\Apoint2K\Apntex.exe
---------- C:\WINDOWS\system32\ctfmon.exe
---------- C:\WINDOWS\system32\conime.exe
---------- C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
---------- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\System32\alg.exe
---------- C:\WINDOWS\system32\wscntfy.exe
---------- C:\Documents and Settings\simone\桌面\Rooter.exe
---------- C:\WINDOWS\system32\cmd.exe
---------- C:\Rooter$\RK.exe

----------------------\\ Search..

----------------------\\ ROOTKIT !!



1 - "C:\Rooter$\Rooter_1.txt" - 16/03/2009 Mon|16:25

----------------------\\ Scan completed at 16:25


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Here's the OTListIt.txt:

OTListIt logfile created on: 16/3/2009 16:38:10 - Run 2
OTListIt2 by OldTimer - Version 2.0.5.2 Folder = C:\Documents and Settings\simone\桌面
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000C04 | Country: 香港特別行政區 | Language: ZHH | Date Format: d/M/yyyy

502.42 Mb Total Physical Memory | 273.91 Mb Available Physical Memory | 54.52% Memory free
842.23 Mb Paging File | 620.45 Mb Available in Paging File | 73.67% Paging File free
Paging file location(s): C:\pagefile.sys 372 744;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 35.00 Gb Total Space | 5.83 Gb Free Space | 16.65% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SNNECP
Current User Name: simone
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe (Avira GmbH)
PRC - C:\WINDOWS\tsnp2std.exe ()
PRC - C:\WINDOWS\vsnp2std.exe (Sonix)
PRC - C:\Program Files\necmfk\necmfk.exe (NEC)
PRC - C:\WINDOWS\System32\hkcmd.exe (Intel Corporation)
PRC - C:\Program Files\Apoint2K\Apoint.exe (Alps Electric Co., Ltd.)
PRC - C:\WINDOWS\AGRSMMSG.exe (Agere Systems)
PRC - C:\Program Files\SimpleCenter\bin\win\sclauncher.exe (Universal Electronics Inc.)
PRC - C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
PRC - C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe (Google Inc.)
PRC - C:\Program Files\Apoint2K\HidFind.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe (Avira GmbH)
PRC - C:\Program Files\Apoint2K\Apntex.exe (Alps Electric Co., Ltd.)
PRC - C:\WINDOWS\system32\conime.exe (Microsoft Corporation)
PRC - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe (Avira GmbH)
PRC - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (Analog Devices, Inc.)
PRC - C:\WINDOWS\system32\wscntfy.exe (Microsoft Corporation)
PRC - C:\Documents and Settings\simone\桌面\OTListIt2.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (AntiVirScheduler [Auto | Running]) -- C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe (Avira GmbH)
SRV - (AntiVirService [Auto | Running]) -- C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe (Avira GmbH)
SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (ServiceLayer [On_Demand | Stopped]) -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe (Nokia.)
SRV - (SoundMAX Agent Service (default) [Auto | Running]) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (Analog Devices, Inc.)
SRV - (usnjsvc [On_Demand | Stopped]) -- C:\Program Files\Windows Live\Messenger\usnsvc.exe (Microsoft Corporation)
SRV - (WindowsTelephony [Auto | Stopped]) -- File not found
SRV - (WMPNetworkSvc [On_Demand | Stopped]) -- C:\Program Files\Windows Media Player\WMPNetwk.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (aeaudio [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\aeaudio.sys (Andrea Electronics Corporation)
DRV - (AgereSoftModem [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\AGRSM.sys (Agere Systems)
DRV - (AliIde [Boot | Running]) -- C:\WINDOWS\System32\DRIVERS\aliide.sys (Acer Laboratories Inc.)
DRV - (amdagp [Boot | Running]) -- C:\WINDOWS\System32\DRIVERS\amdagp.sys (Advanced Micro Devices, Inc.)
DRV - (ApfiltrService [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\Apfiltr.sys (Alps Electric Co., Ltd.)
DRV - (asc [Boot | Running]) -- C:\WINDOWS\System32\DRIVERS\asc.sys (Advanced System Products, Inc.)
DRV - (asc3550 [Boot | Running]) -- C:\WINDOWS\System32\DRIVERS\asc3550.sys (Advanced System Products, Inc.)
DRV - (Aspi32 [Auto | Running]) -- C:\WINDOWS\System32\drivers\aspi32.sys (Adaptec)
DRV - (avgio [System | Running]) -- C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgio.sys (Avira GmbH)
DRV - (avgntflt [On_Demand | Running]) -- C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgntflt.sys (Avira GmbH)
DRV - (avipbb [System | Running]) -- C:\WINDOWS\system32\DRIVERS\avipbb.sys (Avira GmbH)
DRV - (CmdIde [Boot | Running]) -- C:\WINDOWS\System32\DRIVERS\cmdide.sys (CMD Technology, Inc.)
DRV - (dac2w2k [Boot | Running]) -- C:\WINDOWS\System32\DRIVERS\dac2w2k.sys (Mylex Corporation)
DRV - (E100B [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\e100b325.sys (Intel Corporation)
DRV - (FsVga [System | Running]) -- C:\WINDOWS\System32\DRIVERS\fsvga.sys (Microsoft Corporation)
DRV - (gmer [On_Demand | Stopped]) -- C:\WINDOWS\gmer.ini ()
DRV - (gv3 [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\gv3.sys (Microsoft Corporation)
DRV - (ialm [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\ialmnt5.sys (Intel Corporation)
DRV - (MFKGTKEY [System | Running]) -- C:\WINDOWS\system32\drivers\mfkgtkey.sys (NEC Corporation)
DRV - (mraid35x [Boot | Running]) -- C:\WINDOWS\System32\DRIVERS\mraid35x.sys (American Megatrends Inc.)
DRV - (nmwcd [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\nmwcd.sys (Nokia)
DRV - (nmwcdc [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\nmwcdc.sys (Nokia)
DRV - (nmwcdcj [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\nmwcdcj.sys (Nokia)
DRV - (nmwcdcm [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\nmwcdcm.sys (Nokia)
DRV - (Pcouffin [On_Demand | Stopped]) -- C:\WINDOWS\System32\Drivers\Pcouffin.sys (VSO Software)
DRV - (pfc [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\pfc.sys (Padus, Inc.)
DRV - (PQNTDrv [System | Running]) -- C:\WINDOWS\System32\drivers\PQNTDRV.sys (PowerQuest Corporation)
DRV - (Ps2Led [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\Ps2Led.sys (NEC Corporation)
DRV - (Ps2LedIF [System | Running]) -- C:\WINDOWS\system32\drivers\ps2ledif.sys (NEC Corporation)
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (PxHelp20 [Boot | Running]) -- C:\WINDOWS\System32\DRIVERS\PxHelp20.sys (Sonic Solutions)
DRV - (ql1080 [Boot | Running]) -- C:\WINDOWS\System32\DRIVERS\ql1080.sys (QLogic Corporation)
DRV - (ql12160 [Boot | Running]) -- C:\WINDOWS\System32\DRIVERS\ql12160.sys (QLogic Corporation)
DRV - (ql1280 [Boot | Running]) -- C:\WINDOWS\System32\DRIVERS\ql1280.sys (QLogic Corporation)
DRV - (R592 [Boot | Running]) -- C:\WINDOWS\System32\DRIVERS\R592.sys (REDC)
DRV - (Rismxdp [Boot | Running]) -- C:\WINDOWS\System32\DRIVERS\Rismxdp.sys (REDC)
DRV - (Secdrv [Auto | Running]) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (sisagp [Boot | Running]) -- C:\WINDOWS\System32\DRIVERS\sisagp.sys (Silicon Integrated Systems Corporation)
DRV - (smwdm [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\smwdm.sys (Analog Devices, Inc.)
DRV - (SNP2STD [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\snp2sxp.sys ()
DRV - (SONYPVU1 [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\SONYPVU1.SYS (Sony Corporation)
DRV - (Sparrow [Boot | Running]) -- C:\WINDOWS\System32\DRIVERS\sparrow.sys (Adaptec, Inc.)
DRV - (ssmdrv [System | Running]) -- C:\WINDOWS\system32\DRIVERS\ssmdrv.sys (Avira GmbH)
DRV - (symc810 [Boot | Running]) -- C:\WINDOWS\System32\DRIVERS\symc810.sys (Symbios Logic Inc.)
DRV - (symc8xx [Boot | Running]) -- C:\WINDOWS\System32\DRIVERS\symc8xx.sys (LSI Logic)
DRV - (sym_hi [Boot | Running]) -- C:\WINDOWS\System32\DRIVERS\sym_hi.sys (LSI Logic)
DRV - (sym_u3 [Boot | Running]) -- C:\WINDOWS\System32\DRIVERS\sym_u3.sys (LSI Logic)
DRV - (ultra [Boot | Running]) -- C:\WINDOWS\System32\DRIVERS\ultra.sys (Promise Technology, Inc.)
DRV - (usbbus [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\lgusbbus.sys (LG Electronics Inc.)
DRV - (USBModem [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\lgusbmodem.sys (LG Electronics Inc.)
DRV - (w22n51 [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\w22n51.sys (IntelR Corporation)
DRV - ({6080A529-897E-4629-A488-ABA0C29B635E} [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\ialmsbw.sys (Intel Corporation)
DRV - ({D31A0762-0CEB-444e-ACFF-B049A1F6FE91} [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\ialmkchw.sys (Intel Corporation)
DRV - ({E2B953A6-195A-44F9-9BA3-3D5F4E32BB55} [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\wA301a.sys (Intel Corporation)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft...p...&ar=msnhome
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...p...ER}&ar=home
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myway.com...earch/?ptnrS=BW

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.7

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.7\extensions\\Components: C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS [2009/03/10 07:37:10 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.7\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS [2009/03/07 15:21:10 | 00,000,000 | ---D | M]

[2009/02/10 16:55:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\simone\Application Data\mozilla\Extensions
[2009/02/10 16:55:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\simone\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/02/10 16:55:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\simone\Application Data\mozilla\Firefox\Profiles\hvnqe8hm.default\extensions
[2009/02/10 16:55:23 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/03/07 15:21:10 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/03/07 15:21:00 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/03/07 15:21:00 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2008/03/08 17:35:22 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2008/04/08 16:33:48 | 00,002,646 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\findbook-zh-TW.xml
[2008/04/16 12:08:20 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2008/04/07 02:07:26 | 00,001,222 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-zh-TW.xml
[2008/08/17 02:39:48 | 00,001,350 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-answer-zh-TW.xml
[2008/08/17 02:39:48 | 00,000,834 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-bid-zh-TW.xml
[2008/08/17 02:39:48 | 00,000,843 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-zh-TW.xml

O1 HOSTS File: (686 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (EWPBrowseObject Class) - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll ()
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Easy-WebPrint) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
O3 - HKLM\..\Toolbar: (eSnips) - {ED1184DA-E57E-4480-99D0-A16809037F54} - C:\Program Files\eSnips\SnipBar.dll (eSnips Ltd.)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key error. File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - Reg Error: Key error. File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key error. File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
O4 - HKLM..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AGRSMMSG] AGRSMMSG.exe (Agere Systems)
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min (Avira GmbH)
O4 - HKLM..\Run: [Google IME Autoupdater] "C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe" (Google Inc.)
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 (Microsoft Corporation)
O4 - HKLM..\Run: [NECMFK] C:\Program Files\necmfk\necmfk.exe (NEC)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC (Microsoft Corporation)
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime (Apple Inc.)
O4 - HKLM..\Run: [sclauncher] C:\Program Files\SimpleCenter\bin\win\sclauncher.exe (Universal Electronics Inc.)
O4 - HKLM..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe (Sonix)
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = FF 00 00 00 [binary data]
O8 - Extra context menu item: &Download All with FlashGet - Reg Error: Value error.
O8 - Extra context menu item: &Download with FlashGet - Reg Error: Value error.
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O8 - Extra context menu item: Open using &Advanced JPEG Compressor - C:\Program Files\Advanced JPEG Compressor\ajcieex.htm
O8 - Extra context menu item: Snip to my eSnips account - C:\Program Files\eSnips\res\SnipIt.htm
O8 - Extra context menu item: 用維棠下載視頻 - C:\Documents and Settings\simone\My Documents\#My DL\Vidown\vd_link.htm
O9 - Extra 'Tools' menuitem : Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll (Sun Microsystems, Inc.)
O9 - Extra Button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (ICQ Ltd.)
O9 - Extra 'Tools' menuitem : ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (ICQ Ltd.)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Sites: ([]msn in My Computer)
O15 - HKCU\..Trusted Domains: free.fr ([gpl.download] * in 信任的網站)
O15 - HKCU\..Trusted Domains: google.com ([www] http in 信任的網站)
O15 - HKCU\..Trusted Domains: 56 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.6.0_06)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O18 - Protocol\Handler\cdo {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ic32pp {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - C:\WINDOWS\wc98pp.dll ()
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\system32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop Components:0 (目前的首頁) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1

========== Files/Folders - Created Within 30 Days ==========

File not found -- C:\Documents and Settings\All Users\Documents\GameSetup.exe
[2009/03/16 16:23:15 | 00,000,000 | ---D | C] -- C:\Rooter$
[2009/03/16 16:14:31 | 00,422,912 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\simone\桌面\OTViewIt.exe
[2009/03/16 16:11:33 | 00,267,612 | ---- | C] () -- C:\Documents and Settings\simone\桌面\Rooter.exe
[2009/03/16 15:57:45 | 00,499,712 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\simone\桌面\OTListIt2.exe
[2009/03/16 06:52:28 | 00,090,244 | ---- | C] () -- C:\Documents and Settings\simone\桌面\Pauline Lian-E.JPG
[2009/03/16 06:44:05 | 00,077,024 | ---- | C] () -- C:\Documents and Settings\simone\桌面\Pauline Lian.jpg
[2009/03/16 06:24:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\simone\桌面\news
[2009/03/16 04:48:29 | 00,000,000 | ---D | C] -- C:\Documents and Settings\simone\桌面\FORUM
[2009/03/14 06:12:31 | 00,000,000 | ---D | C] -- C:\Documents and Settings\simone\桌面\elken videos
[2009/03/14 05:11:15 | 00,000,000 | ---D | C] -- C:\Documents and Settings\simone\Application Data\Malwarebytes
[2009/03/14 05:11:00 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/03/14 05:09:21 | 00,000,000 | ---D | C] -- C:\Documents and Settings\simone\My Documents\#DL_malwarebytes
[2009/03/14 03:38:01 | 00,000,077 | ---- | C] () -- C:\Documents and Settings\simone\桌面\JW FLV Media Player LongTail Video Home of the JW Player.URL
[2009/03/13 23:28:35 | 00,177,730 | ---- | C] () -- C:\Documents and Settings\simone\桌面\scan_13-03-09.JPG
[2009/03/13 02:32:30 | 00,011,974 | ---- | C] () -- C:\Documents and Settings\simone\桌面\OoiKokHwa1.jpg
[2009/03/08 07:25:08 | 00,000,000 | ---D | C] -- C:\Documents and Settings\simone\My Documents\#HijackThis
[2009/03/07 06:12:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\simone\桌面\一切完美2
[2009/03/05 03:54:56 | 00,045,376 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
[2009/03/05 03:54:56 | 00,022,336 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
[2009/03/05 03:54:55 | 00,028,352 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
[2009/03/05 03:54:52 | 00,075,072 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2009/03/05 03:54:51 | 00,000,000 | ---D | C] -- C:\Program Files\Avira
[2009/03/05 03:54:51 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
[2009/03/03 17:29:48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\simone\桌面\Press Release
[2009/03/01 02:03:40 | 00,200,304 | ---- | C] () -- C:\Documents and Settings\simone\桌面\2009-01-15_Chua BL_BM.jpg
[2009/02/25 10:03:31 | 00,000,000 | ---D | C] -- C:\Documents and Settings\simone\桌面\十三鞭
[2009/02/24 13:14:29 | 00,000,048 | ---- | C] () -- C:\Documents and Settings\simone\桌面\IRDC.URL
[2009/02/23 16:44:29 | 00,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2009/02/20 14:49:19 | 14,879,232 | ---- | C] () -- C:\Documents and Settings\simone\My Documents\Ken-Eng簡報1.ppt
[2009/02/19 23:50:06 | 00,000,068 | ---- | C] () -- C:\Documents and Settings\simone\桌面\EOL - Elken On Line.URL

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[2009/03/16 16:14:33 | 00,422,912 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\simone\桌面\OTViewIt.exe
[2009/03/16 16:11:45 | 00,267,612 | ---- | M] () -- C:\Documents and Settings\simone\桌面\Rooter.exe
[2009/03/16 16:00:00 | 00,000,488 | ---- | M] () -- C:\WINDOWS\tasks\1-Click Maintenance.job
[2009/03/16 15:57:46 | 00,499,712 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\simone\桌面\OTListIt2.exe
[2009/03/16 15:24:25 | 00,000,968 | ---- | M] () -- C:\WINDOWS\necmfk.ini
[2009/03/16 15:24:22 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/03/16 15:24:20 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/03/16 07:49:55 | 00,077,024 | ---- | M] () -- C:\Documents and Settings\simone\桌面\Pauline Lian.jpg
[2009/03/16 06:52:28 | 00,090,244 | ---- | M] () -- C:\Documents and Settings\simone\桌面\Pauline Lian-E.JPG
[2009/03/16 01:07:46 | 00,001,170 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/03/14 03:38:01 | 00,000,077 | ---- | M] () -- C:\Documents and Settings\simone\桌面\JW FLV Media Player LongTail Video Home of the JW Player.URL
[2009/03/14 02:21:32 | 00,050,176 | ---- | M] () -- C:\Documents and Settings\simone\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/03/13 23:28:36 | 00,177,730 | ---- | M] () -- C:\Documents and Settings\simone\桌面\scan_13-03-09.JPG
[2009/03/13 02:32:32 | 00,011,974 | ---- | M] () -- C:\Documents and Settings\simone\桌面\OoiKokHwa1.jpg
[2009/03/13 01:06:48 | 00,027,328 | ---- | M] () -- C:\Documents and Settings\simone\Application Data\GDIPFONTCACHEV1.DAT
[2009/03/10 00:13:45 | 00,027,328 | ---- | M] () -- C:\Documents and Settings\simone\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/03/09 23:05:17 | 00,128,504 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/03/04 03:44:12 | 00,323,584 | ---- | M] (Stefan Toengi) -- C:\WINDOWS\System32\AUDIOGENIE2.DLL
[2009/03/04 02:14:13 | 00,000,686 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\HOSTS
[2009/03/01 02:03:40 | 00,200,304 | ---- | M] () -- C:\Documents and Settings\simone\桌面\2009-01-15_Chua BL_BM.jpg
[2009/02/26 00:09:26 | 00,000,376 | ---- | M] () -- C:\WINDOWS\NJCOM.INI
[2009/02/25 11:39:00 | 00,297,202 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20090226-035615.backup
[2009/02/25 11:19:07 | 00,000,686 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20090225-113900.backup
[2009/02/24 13:14:29 | 00,000,048 | ---- | M] () -- C:\Documents and Settings\simone\桌面\IRDC.URL
[2009/02/20 14:49:21 | 14,879,232 | ---- | M] () -- C:\Documents and Settings\simone\My Documents\Ken-Eng簡報1.ppt
[2009/02/19 23:50:06 | 00,000,068 | ---- | M] () -- C:\Documents and Settings\simone\桌面\EOL - Elken On Line.URL
[2009/02/19 08:29:00 | 00,297,202 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20090221-065704.backup
< End of report >

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[Advertisements]

Hi there and sorry for the delay : Be advised that dependant on the variant of this virus the only solution may be a full reformat and install. But first lets see what the variant is

Download Dr.Web CureIt to the desktop:

• Doubleclick the drweb-cureit icon to start the program.
• press start
• Allow the program to run the initial express scan
• This will scan the files currently running in memory. If something is found, click the YES button when it asks you if you want to cure it. This is only a short scan.
  Note: A pop up may appear during this phase suggesting you purchase their program - click the X at the top right corner of this pop-up to close it.
  
• Once the short scan has finished, check the Complete scan box on the left side, even if nothing was found on the initial scan.
• Then click the small green arrow button on the right under the Dr.Web Antivirus picture to start the complete scan. (This scan will take several hours)
• During this complete scan - if Dr.Web finds an infection a window will pop up requesting your attention. Select the Cure button.
  • Note:(If the file cannot be cured, Dr.Web will automatically delete the file)
• Once the scan is complete, on the menu bar, click file and choose report list.
• Save the report to your desktop. The report will be called DrWeb.csv
• Note:this report will need to be renamed to Dr.Web.txt in order to post it on the forum.
• Close Dr.Web Cureit.
• Please post the Dr.Web.txt report in your next reply

[Essexboy]

Hi there and sorry for the delay : Be advised that dependant on the variant of this virus the only solution may be a full reformat and install. But first lets see what the variant is

Download Dr.Web CureIt to the desktop:

• Doubleclick the drweb-cureit icon to start the program.
• press start
• Allow the program to run the initial express scan
• This will scan the files currently running in memory. If something is found, click the YES button when it asks you if you want to cure it. This is only a short scan.
  Note: A pop up may appear during this phase suggesting you purchase their program - click the X at the top right corner of this pop-up to close it.
  
• Once the short scan has finished, check the Complete scan box on the left side, even if nothing was found on the initial scan.
• Then click the small green arrow button on the right under the Dr.Web Antivirus picture to start the complete scan. (This scan will take several hours)
• During this complete scan - if Dr.Web finds an infection a window will pop up requesting your attention. Select the Cure button.
  • Note:(If the file cannot be cured, Dr.Web will automatically delete the file)
• Once the scan is complete, on the menu bar, click file and choose report list.
• Save the report to your desktop. The report will be called DrWeb.csv
• Note:this report will need to be renamed to Dr.Web.txt in order to post it on the forum.
• Close Dr.Web Cureit.
• Please post the Dr.Web.txt report in your next reply

[legna]

I hope I have posted correctly, whether to choose Add Reply or Fast Reply.

Just in case, this is the link to my post and your reply.

Hi,

Thank you for your reply. I have done a complete scan with DrWeb Cureit and here’s the Dr.Web.txt report:

Desktop_.ini;C:\Documents and Settings\All Users\Documents\My Music;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;C:\Documents and Settings\All Users\Documents\My Music\My Playlists;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0007C132;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;C:\Documents and Settings\All Users\Documents\My Music\Sync Playlists;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;C:\Documents and Settings\All Users\Documents\My Music\Sync Playlists\8FEDE9;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;C:\Documents and Settings\All Users\Documents\My Pictures;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;C:\Documents and Settings\All Users\Documents\My Videos;Win32.HLLW.Gavir.ini;Deleted.;
x[1].txt;C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\D24RFFXW;BackDoor.IRC.Itan;Deleted.;
hrdwigv[1].bmp;C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\DFJW4BZO;Win32.HLLW.Shadow.based;Deleted.;
SDFix v1.240_SDFix.exe\SDFix\apps\Process.exe;C:\Documents and Settings\simone\My Documents\#My DL\SDFix v1.240_SDFix.exe;Tool.Prockill;;
SDFix v1.240_SDFix.exe;C:\Documents and Settings\simone\My Documents\#My DL;Archive contains infected objects;Moved.;

___________________________________

For your info, before the above scan, the below pop ups appear.
TR/Crypt.XPACK.Gen trojan in C:\Windows32\x
Contains recognition pattern of the DR/Delphi.Gen dropper in C:\Windows32\37.scr
____________________________________

During the above DrWeb scan, Generic Process for Win32 Services Error appears and my whole task bar is jumping up and down…….this problem is making me crazy…..
____________________________________

I have already deleted the SDFix which is in the quarantine folder in user profile.
I have also deleted the other SDFix folder in C Windows.
There is also another file called descript.ion inside the quarantine folder
CAN THIS BE DELETED?

Oops… Was disconnected from the internet a few times after malware removal.

______________________________________
After using ccleaner to clean, Runtime Error and critical software exception pops up:

Runtime Error
C:\Program Files\CCleaner\CCleaner.exe
R6025 pure virtual function call

Unknown Software Exception (0x40000015....0x0045965E
Press confirm to stop
________________________________________

In fact, this is not the first time that this happens.

Previously, I did a windows CHDSK and after rebooting, there is no more error.

I also tried uninstalling ccleaner and reinstalling it again the other time.
WHAT SHOULD I DO THIS TIME? IS CCLEANER INFECTED?
______________________________________________

I would be glad if you could also answer this question of mine.
As I have been uploading videos to my blogger website during this long term of infection, WILL MY SITE BE INFECTED WITH VIRUS?

______________________________________________

Hope to hear from you soon. Hope my internet connection will not go haywire.
Thanks a million.

[Essexboy]

OK it was not the bad one so lets see what remains, I will not be able to make a determination until I see what this shows

To ensure that I get all the information this log will need to be attached (instructions at the end) if it is to large to attach then upload to Mediafire and post the sharing link.

Download OTScanit2 to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

• Close ALL OTHER PROGRAMS.
• Open the OTScanit folder and double-click on OTScanit.exe to start the program.
• Check the box that says Scan All Users
• Check the Radio button for Rootkit check YES
• Under Additional Scans check the following:
  • File - Lop Check
  • File - Purity Scan
  • Evnt - EventViewer Errors/Warnings (last 10)
• Now click the Run Scan button on the toolbar.
• Let it run unhindered until it finishes.
• When the scan is complete Notepad will open with the report file loaded in it.
• Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.

To attach a file, do the following:

• Click Add Reply
• Under the reply panel is the Attachments Panel
• Browse for the attachment file you want to upload, then click the green Upload button
• Once it has uploaded, click the Manage Current Attachments drop down box
• Click on to insert the attachment into your post

[legna]

Hi,

Thanks for the prompt reply.

After the OTScanit, avira popup found this: TR/Crypt.XPACK.Gen Trojan. Generic Process for Win32 Services appeared as well.
Here's the screenshot.



Here's the OTScanIt.txt log
 OTScanIt.Txt   201.5KB   654 downloads

Awaiting your expert advice.

[Essexboy]

OK then legna lets try this and see what the outcome is

Start OTScanit. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Registry - Safe List]
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "C:\Documents and Settings\simone\Local Settings\Temp\IXP000.TMP\SMPCSetup.exe" -> C:\Documents and Settings\simone\Local Settings\Temp\IXP000.TMP\SMPCSetup.exe [C:\Documents and Settings\simone\Local Settings\Temp\IXP000.TMP\SMPCSetup.exe:*:Enabled:SMPCSetup]
YN -> "C:\Documents and Settings\simone\Local Settings\Temp\IXP000.TMP\smwinvnc.exe" -> C:\Documents and Settings\simone\Local Settings\Temp\IXP000.TMP\smwinvnc.exe [C:\Documents and Settings\simone\Local Settings\Temp\IXP000.TMP\smwinvnc.exe:*:Enabled:TightVNC Win32 Server]
YN -> "C:\WINDOWS\system32\drivers\svchost.exe" -> C:\WINDOWS\system32\drivers\svchost.exe [C:\WINDOWS\system32\drivers\svchost.exe:*:Disabled:svchost]
[Custom Items]
:Files
C:\WINDOWS\system32\drivers\svchost.exe 
C:\WINDOWS\system\msile.exe
C:\WINDOWS\system32\56.scr
C:\WINDOWS\system32\48.scr
C:\Windows32\x
:end
[Empty Temp Folders]
[Start Explorer]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTListsit log.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

[legna]

Here's the OTScanit log
 OTScanit__Run_Fix_.txt   3.05KB   413 downloads

When running scan with OTListit2, as usual, avira pops up a recurring gamesetup.exe
, a harmful BDS/Backdoor.Gen backdoor program. Then Generic Access for Win32 services occur....pc sound total blackout!


It seems that I am always receiving this gamesetup.exe popup almost every or alternate days! Always found in the same folder:
'C:\Documents and Settings\All Users\Documents\GameSetup.exe.
No matter what program I use to scan with, avira always pop up some harmful stuff.

This backdoor problem has been on pc for many months.
Could there be a possibility that avira is infected?

Another problem that I face many many times a day is:
the Generic Access for Win32 services error. When this happens, all sounds will be cut off from my pc. I will need to reboot before the sound works. At other times, after rebooting, it pops up again (very frustrating) and I need to reboot again!

Very frequent infection in the below-mentioned folders, with the .scr extension etc.
C:\Documents and Settings\Network Service\Local Settings\Temporary Internet Files\Content IE5\.......many of the folders inside are suffering from everyday infection.

At other times, the many kinds of trojan can be found here too.
E.g. TR/Crypt.XPACK.Gen [trojan]'
'C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\QBL7QCDL\..names changes often........cyke[1].png

Also, very frequently, my ccleaner pops up critical error. Now, it seems to be OK.i cannot click open.
I think that my System Volume Information (hidden folder) is infected as malware could be found inside previous times by avira.

HERE'S THE OTListit2 log
 OTListIt_24_03_09.Txt   51.58KB   476 downloads

Kindly let me know what I should proceed with. Thanks a lot.

Edited by legna, 23 March 2009 - 10:13 PM.

[Essexboy]

OK lets try the hammer on this one - I have found the various names that it goes under so I will hit them all. But first lets clear your temp files

Please download ATF Cleaner by Atribune.
This program is for XP, Vista and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

THEN

1. Please download The Avenger2 by Swandog46 to your Desktop.

• Right click on the Avenger.zip folder and select "Extract All..."
• Follow the prompts and extract the avenger folder to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:

Files to delete:
C:\Documents and Settings\All Users\Documents\GameSetup.exe
%System%\drivers\iexplore.exe 
%System%\drivers\spoclsv.exe 
%System%\[bleep]jacks.exe 
%System%\gamesetup.exe.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

• Right click on the window under Input script here:, and select Paste.
• You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
• Click on Execute
• Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

• It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
• After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
• The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh Hijackthis log .

ON COMPLETION

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

[legna]

Just when I was about to submit this, avira pops up with the belowmentioned:same one again:TR/Crypt.XPACK.Gen Trojan
.

Generic Host Process for Win32 Services still exist.

As per your instructions, I had installed ATF cleaner and did the necessary clean up.

Here’s the Avenger log file.
Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "C:\Documents and Settings\All Users\Documents\GameSetup.exe" not found!
Deletion of file "C:\Documents and Settings\All Users\Documents\GameSetup.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not open file "%System%\drivers\iexplore.exe"
Deletion of file "%System%\drivers\iexplore.exe" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open file "%System%\drivers\spoclsv.exe"
Deletion of file "%System%\drivers\spoclsv.exe" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open file "%System%\[bleep]jacks.exe"
Deletion of file "%System%\[bleep]jacks.exe" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open file "%System%\gamesetup.exe.exe"
Deletion of file "%System%\gamesetup.exe.exe" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Completed script processing.

*******************

Finished! Terminate.

_______________________________________

Here's the HIJACKTHIS log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:09:51, on 25/3/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\tsnp2std.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\necmfk\necmfk.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\SimpleCenter\bin\win\sclauncher.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\simone\My Documents\#HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: EWPBrowseObject Class - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: eSnips - {ED1184DA-E57E-4480-99D0-A16809037F54} - C:\Program Files\eSnips\SnipBar.dll
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NECMFK] C:\Program Files\necmfk\necmfk.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [sclauncher] C:\Program Files\SimpleCenter\bin\win\sclauncher.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [Google IME Autoupdater] "C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O8 - Extra context menu item: Open using &Advanced JPEG Compressor - C:\Program Files\Advanced JPEG Compressor\ajcieex.htm
O8 - Extra context menu item: Snip to my eSnips account - C:\Program Files\eSnips\res\SnipIt.htm
O8 - Extra context menu item: 用維棠下載視頻 - C:\Documents and Settings\simone\My Documents\#My DL\Vidown\vd_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O15 - Trusted Zone: gpl.download.free.fr
O15 - Trusted Zone: http://www.google.com
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.6.0_06) -
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 6419 bytes

_________________________

As requested, a Malwarebytes’ QUICK SCAN was done. It soon found an infected object, and an Error Code 731 (0,6) occurred. The scan ended very soon at around 7 minutes when it had found 2 more (total 3) infected objects.
Rogue Installer-Backdoor.IRCBot seems to be a persistent one to eliminate as it has been playing hide and seek all these months. I removed selected.

Here’s the quick scan printscreen.


_________________________

Here’s the Malwarebytes’ Anti-Malware QUICK SCAN report.

Malwarebytes' Anti-Malware 1.34
Database version: 1893
Windows 5.1.2600 Service Pack 2

25/3/2009 7:32:13
mbam-log-2009-03-25 (07-32-13).txt

Scan type: Quick Scan
Objects scanned: 70853
Time elapsed: 7 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\msile (Backdoor.IRCBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\msile (Backdoor.IRCBot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

__________________________

After the Quick Scan, I discovered 2 logs inside the logs tab instead of just the present one as I had already deleted all folders of the previous uninstallation. The unknown log was dated 14-03-2009. Looks just like a clean log file that has been scanned for more than an hour!

Just in case, here's the beginning of the log which belongs to an older database version. The rest remains unchanged and i shall omit.
Malwarebytes' Anti-Malware 1.34
Database version: 1845
Windows 5.1.2600 Service Pack 2

14/3/2009 6:49:54
mbam-log-2009-03-14 (06-49-54).txt

Scan type: Full Scan (C:\|)
Objects scanned: 126542
Time elapsed: 1 hour(s), 27 minute(s), 17 second(s)


I also did a FULL SCAN and was surprised to find that THERE IS STILL ONE MORE INFECTED OBJECT….the abovementioned…ROGUE INSTALLER…. The same Error Code 731 (0,6) also appeared . As you can see from the above, I had already deleted Rogue Installer in the quick scan but it still shows up in the full scan ! I remove selected and went back to the quarantine tab to delete Backdoor.IRCBot Reference#26327 & Backdoor.IRCBot Reference#93818

Strange as it is, in the FULL SCAN LOG, there are no signs of infection ! Here’s the Malwarebytes’ FULL SCAN report.
Malwarebytes' Anti-Malware 1.34
Database version: 1893
Windows 5.1.2600 Service Pack 2

25/3/2009 9:06:52
mbam-log-2009-03-25 (09-06-52).txt

Scan type: Full Scan (C:\|)
Objects scanned: 129973
Time elapsed: 1 hour(s), 22 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

___________________________

This is indeed a persistent piece of malware or trojan. Kindly advise. Thanks for your patience.

Edited by legna, 25 March 2009 - 09:33 AM.

[Essexboy]

OK the indication of x may be a problem as that is hard to remove

We will now do a deep search of your processes and files

Download avz4.zip from here

• Unzip it to your desktop to a folder named avz4
• Double click on AVZ.exe to run it.
• Run an update by clicking the Auto Update button on the Right of the Log window:
• Click Start to begin the update

Note: If you recieve an error message, chose a different source, then click Start again

• Start AVZ.
  
• Choose from the menu "File" => "Standard scripts " and mark the "Healing/Quarantine and Advanced System Investigation" check box.
• Click on the “Execute selected scripts”.
• Automatic scanning, healing and system check will be executed.
• A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
• It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
• All applications will work properly after the system restart.

When restarted

• Start AVZ.
  
• Choose from the menu "File" => "Standard scripts " and mark the “Advanced System Investigation" check box.
• Click on the "Execute selected scripts".
• A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Attach both zip files to your next post

To attach a file, do the following:

• Click Add Reply
• Under the reply panel is the Attachments Panel
• Browse for the attachment file you want to upload, then click the green Upload button
• Once it has uploaded, click the Manage Current Attachments drop down box
• Click on to insert the attachment into your post

[legna]

Just received these 2 popups while editing my blogger website and after uploading the belowmentioned.
TR/Dropper.Gen [trojan]'
detected in file 'C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\W12RKL27\msl[1].exe.
Action performed: Move file to quarantine

TR/Dropper.Gen [trojan]'
detected in file 'C:\WINDOWS\system32\55.scr.
Action performed: Move file to quarantine

Here's the  virusinfo_syscure.zip   14.87KB   403 downloads

Here's the  virusinfo_syscheck.zip   14.12KB   346 downloads

Thanks for your assistance.

Edited by legna, 26 March 2009 - 10:39 AM.

[Essexboy]

We will get it one way or the other

AVZ FIX

• Double click on AVZ.exe
  
• Click File > Custom scripts
  
• Copy & paste the contents of the following codebox in the box in the program (start with begin and end with end )
  

  begin
  SearchRootkit(true, true);
  SetAVZGuardStatus(True);
   StopService('WindowsTelephony');
   DeleteService('WindowsTelephony');
   SetServiceStart('WindowsTelephony', 4);
   DeleteFile('WindowsTelephony.sys');
   BC_DeleteFile('WindowsTelephony.sys');
  BC_ImportDeletedList;
  ExecuteSysClean;
  BC_Activate;
  RebootWindows(true);
  end.

• Note: When you run the script, your PC will be restarted
  
• Click Run
  
• Restart your PC if it doesn't do it automatically.

ON COMPLETION

• Start AVZ.
  
• Choose from the menu "File" => "Standard scripts " and mark the “Advanced System Investigation" check box.
• Click on the "Execute selected scripts".
• A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Attach the zip file to your next post

[legna]

Oops, all the icons on my desktop are flashing on and off. When it is off, there's nothing on desktop except the wallpaper.
I almost could not shut down the pc when it is flashing. Somehow managed to shut it down. After rebooting, it is alright again. Strange!

Received these popups over a period of time after performing syscheck.
Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\SAFW65TL\wuqafnd[1].jpg.
Action performed: Move file to quarantine

Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
detected in file 'C:\WINDOWS\system32\x.
Action performed: Move file to quarantine

Here's the  virusinfo_syscheck.zip   14KB   385 downloads

Kindly check. Thanks

Edited by legna, 27 March 2009 - 10:11 AM.

[Essexboy]

OK that run did not show anything running that shouldn't be. So lets try to kill this file with a big hammer

1. Please download The Avenger2 by Swandog46 to your Desktop.

• Right click on the Avenger.zip folder and select "Extract All..."
• Follow the prompts and extract the avenger folder to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:

Files to delete:
C:\WINDOWS\system32\x.
C:\WINDOWS\system32\x

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

• Right click on the window under Input script here:, and select Paste.
• You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
• Click on Execute
• Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

• It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
• After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
• The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh Hijackthis log .

[legna]

After executing Avenger, my laptop did not restart normally. My desktop was completely frozen. Only the wallpaper could be seen. As it remained frozen for sometime and nothing could be done, I have no choice but to switch off the power button on my pc.

I switched on the laptop and this time, it started normally.

It seems that no matter how large the hammer is, the virus can never be found.
Here's the Avenger.txt
Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "C:\WINDOWS\system32\x." not found!
Deletion of file "C:\WINDOWS\system32\x." failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\x" not found!
Deletion of file "C:\WINDOWS\system32\x" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.


I HAVE A QUESTION.
I saw the belowmentioned in yesterday's syscheck file. Is this a trojan or keylogger?
Does it need to be deleted? CAN YOU KINDLY EXPLAIN WHAT'S THIS?


Here's the hijackthis log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:09:55, on 28/3/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\tsnp2std.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\necmfk\necmfk.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\SimpleCenter\bin\win\sclauncher.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\simone\My Documents\#HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: EWPBrowseObject Class - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: eSnips - {ED1184DA-E57E-4480-99D0-A16809037F54} - C:\Program Files\eSnips\SnipBar.dll
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NECMFK] C:\Program Files\necmfk\necmfk.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [sclauncher] C:\Program Files\SimpleCenter\bin\win\sclauncher.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [Google IME Autoupdater] "C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O8 - Extra context menu item: Open using &Advanced JPEG Compressor - C:\Program Files\Advanced JPEG Compressor\ajcieex.htm
O8 - Extra context menu item: Snip to my eSnips account - C:\Program Files\eSnips\res\SnipIt.htm
O8 - Extra context menu item: 用維棠下載視頻 - C:\Documents and Settings\simone\My Documents\#My DL\Vidown\vd_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O15 - Trusted Zone: gpl.download.free.fr
O15 - Trusted Zone: http://www.google.com
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.6.0_06) -
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 6386 bytes

Can all these hidden viruses be eradicated?