TechSpot

Malware Issues (8 Steps Completed)

Solved
By yh92
Feb 5, 2011
  1. I started having malware problems a few weeks ago when I accidentally downloaded and opened an unidentified program.
    When I double-clicked on it nothing happened; it was then that I realised my computer was infected for sure.

    Firstly, many IE pop-ups started appearing randomly when I wasn't even using IE.
    That was weeks ago. I used Avira, but unfortunately it couldn't detect them.
    And so I found them through the Task Manager; they were named Hch.exe, Hci.exe, Htiler.exe and many similar ones that I've forgotten, under WINDOWS>Prefetch or system32.

    I removed them by booting into safe mode, and they were gone after that.
    Hope I didn't do the wrong thing, because I'm not really good with computers.

    Things were okay until a few days ago, when I started being redirected when clicking the links in Google search. I used Avira again to scan and it detected sshnas21.dll several times. Even after quarantining them, they kept coming back.
    I had no choice but to search online, and came across this forum.

    Please do help me.
    I've completed the basic 8 steps and I need someone to help me make sure that my system is clean. Thanks!

    I will paste the log files in my next reply.
  2. yh92 (TS Rookie, Topic Starter)

    Logs

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5676

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 8.0.6001.18702

    2/5/2011 12:26:46 AM
    mbam-log-2011-02-05 (00-26-46).txt

    Scan type: Quick scan
    Objects scanned: 151647
    Time elapsed: 3 minute(s), 2 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 1
    Registry Keys Infected: 9
    Registry Values Infected: 0
    Registry Data Items Infected: 3
    Folders Infected: 0
    Files Infected: 4

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    c:\program files\qvodplayer\QvodBand.dll (Spyware.OnlineGames) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{9F44453E-1E46-4D5C-B57C-112FF2EDAE82} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\VXEG3ZNNE5 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\CE8SIIFGSU (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\NtWqIVLZEWZU (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SSHNAS (Trojan.Renos) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\program files\qvodplayer\QvodBand.dll (Spyware.OnlineGames) -> Delete on reboot.
    c:\WINDOWS\Tasks\{35dc3473-a719-4d14-b7c1-fd326ca84a0c}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
    c:\WINDOWS\Tasks\{bbaeaeaf-1275-40e2-bd6c-bc8f88bd114a}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
    c:\WINDOWS\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.



    ===========================================================


    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2011-02-05 16:25:37
    Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-7 Hitachi_HDS721616PLA380 rev.P22OA50U
    Running: lbz2mme6.exe; Driver: C:\DOCUME~1\user\LOCALS~1\Temp\afeyiaoc.sys


    ---- System - GMER 1.0.15 ----

    SSDT B86DDBDE ZwCreateKey
    SSDT B86DDBD4 ZwCreateThread
    SSDT B86DDBE3 ZwDeleteKey
    SSDT B86DDBED ZwDeleteValueKey
    SSDT spxj.sys ZwEnumerateKey [0xB7ECDDA4]
    SSDT spxj.sys ZwEnumerateValueKey [0xB7ECE132]
    SSDT B86DDBF2 ZwLoadKey
    SSDT spxj.sys ZwOpenKey [0xB7EB50C0]
    SSDT B86DDBC0 ZwOpenProcess
    SSDT B86DDBC5 ZwOpenThread
    SSDT spxj.sys ZwQueryKey [0xB7ECE20A]
    SSDT spxj.sys ZwQueryValueKey [0xB7ECE08A]
    SSDT B86DDBFC ZwReplaceKey
    SSDT B86DDBF7 ZwRestoreKey
    SSDT B86DDBE8 ZwSetValueKey

    INT 0x62 ? 8A5F0BF8
    INT 0x73 ? 8A5F0BF8
    INT 0x83 ? 8A5F0BF8
    INT 0xB4 ? 8A367BF8
    INT 0xB4 ? 8A367BF8
    INT 0xB4 ? 8A367BF8
    INT 0xB4 ? 8A367BF8

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwCallbackReturn + 2F10 80503B10 4 Bytes CALL 0508A8F0
    ? spxj.sys The system cannot find the file specified. !
    .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6F6C380, 0x3DF295, 0xE8000020]
    .text USBPORT.SYS!DllUnload B6F4D62C 5 Bytes JMP 8A3671D8

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\PPStream\ppsap.exe[1904] kernel32.dll!ReadFile 7C80180E 7 Bytes JMP 011E87F9 c:\Program Files\PPStream\1.1.0.2802\vodres.dll (PPS ???接?/PPStream Inc.)
    .text C:\Program Files\PPStream\ppsap.exe[1904] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 011E872D c:\Program Files\PPStream\1.1.0.2802\vodres.dll (PPS ???接?/PPStream Inc.)
    .text C:\Program Files\PPStream\ppsap.exe[1904] kernel32.dll!CloseHandle 7C809B77 5 Bytes JMP 011E8AB6 c:\Program Files\PPStream\1.1.0.2802\vodres.dll (PPS ???接?/PPStream Inc.)
    .text C:\Program Files\PPStream\ppsap.exe[1904] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 011E8793 c:\Program Files\PPStream\1.1.0.2802\vodres.dll (PPS ???接?/PPStream Inc.)
    .text C:\Program Files\PPStream\ppsap.exe[1904] kernel32.dll!GetFileSizeEx 7C810C21 5 Bytes JMP 011E8B3E c:\Program Files\PPStream\1.1.0.2802\vodres.dll (PPS ???接?/PPStream Inc.)
    .text C:\Program Files\PPStream\ppsap.exe[1904] kernel32.dll!GetFileSize 7C810C8F 5 Bytes JMP 011E8AF7 c:\Program Files\PPStream\1.1.0.2802\vodres.dll (PPS ???接?/PPStream Inc.)
    .text C:\Program Files\PPStream\ppsap.exe[1904] kernel32.dll!SetFilePointer 7C810DA6 5 Bytes JMP 011E89AB c:\Program Files\PPStream\1.1.0.2802\vodres.dll (PPS ???接?/PPStream Inc.)
    .text C:\Program Files\PPStream\ppsap.exe[1904] kernel32.dll!WriteFile 7C810F9F 7 Bytes JMP 011E88AB c:\Program Files\PPStream\1.1.0.2802\vodres.dll (PPS ???接?/PPStream Inc.)
    .text C:\Program Files\PPStream\ppsap.exe[1904] kernel32.dll!SetFilePointerEx 7C81F475 5 Bytes JMP 011E8A05 c:\Program Files\PPStream\1.1.0.2802\vodres.dll (PPS ???接?/PPStream Inc.)
    .text C:\Program Files\PPStream\ppsap.exe[1904] kernel32.dll!GetOverlappedResult 7C81FCF4 5 Bytes JMP 011E8B85 c:\Program Files\PPStream\1.1.0.2802\vodres.dll (PPS ???接?/PPStream Inc.)
    .text C:\Program Files\PPStream\ppsap.exe[1904] kernel32.dll!OpenFile 7C826B99 5 Bytes JMP 011E895D c:\Program Files\PPStream\1.1.0.2802\vodres.dll (PPS ???接?/PPStream Inc.)
    .text C:\Program Files\PPStream\ppsap.exe[1904] kernel32.dll!ReadFileEx 7C8384C5 5 Bytes JMP 011E8852 c:\Program Files\PPStream\1.1.0.2802\vodres.dll (PPS ???接?/PPStream Inc.)
    .text C:\Program Files\PPStream\ppsap.exe[1904] kernel32.dll!WriteFileEx 7C85C4E1 5 Bytes JMP 011E8904 c:\Program Files\PPStream\1.1.0.2802\vodres.dll (PPS ???接?/PPStream Inc.)

    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B7EB6042] spxj.sys
    IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B7EB613E] spxj.sys
    IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B7EB60C0] spxj.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B7EB6800] spxj.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B7EB66D6] spxj.sys
    IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B7EC5B90] spxj.sys

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs 8A5EF1F8
    Device \Driver\usbohci \Device\USBPDO-0 8A3631F8
    Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A6391F8
    Device \Driver\dmio \Device\DmControl\DmConfig 8A6391F8
    Device \Driver\dmio \Device\DmControl\DmPnP 8A6391F8
    Device \Driver\dmio \Device\DmControl\DmInfo 8A6391F8
    Device \Driver\usbohci \Device\USBPDO-1 8A3631F8
    Device \Driver\usbehci \Device\USBPDO-2 8A3431F8
    Device \Driver\Ftdisk \Device\HarddiskVolume1 8A5F11F8
    Device \Driver\Ftdisk \Device\HarddiskVolume2 8A5F11F8
    Device \Driver\Cdrom \Device\CdRom0 8A2F51F8
    Device \Driver\atapi \Device\Ide\IdePort0 8A5F01F8
    Device \Driver\atapi \Device\Ide\IdePort1 8A5F01F8
    Device \Driver\atapi \Device\Ide\IdePort2 8A5F01F8
    Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-7 8A5F01F8
    Device \Driver\atapi \Device\Ide\IdePort3 8A5F01F8
    Device \Driver\atapi \Device\Ide\IdePort4 8A5F01F8
    Device \Driver\atapi \Device\Ide\IdePort5 8A5F01F8
    Device \Driver\atapi \Device\Ide\IdeDeviceP4T0L0-16 8A5F01F8
    Device \Driver\NetBT \Device\NetBt_Wins_Export 8A26E500
    Device \Driver\NetBT \Device\NetbiosSmb 8A26E500
    Device \Driver\usbohci \Device\USBFDO-0 8A3631F8
    Device \Driver\usbohci \Device\USBFDO-1 8A3631F8
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A444500
    Device \Driver\usbehci \Device\USBFDO-2 8A3431F8
    Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A444500
    Device \Driver\Ftdisk \Device\FtControl 8A5F11F8
    Device \FileSystem\Cdfs \Cdfs 8A28D500

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001986002950
    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001986002950@0023f12af4b4 0xAB 0x17 0x59 0xC9 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001f81000250
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xEC 0xDB 0x47 0xA1 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001986002950 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001986002950@0023f12af4b4 0xAB 0x17 0x59 0xC9 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001f81000250 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xEC 0xDB 0x47 0xA1 ...
    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PPS
    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PPS@InstallLocation C:\Program Files\PPSGame
    Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo® video 5.10 Compression Filter
    Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo® video 5.10 Compression Filter@FriendlyName Indeo® video 5.10 Compression Filter
    Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo® video 5.10 Compression Filter@CLSID {1F73E9B1-8C3A-11D0-A3BE-00A0C9244436}
    Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo® video 5.10 Compression Filter@FilterData 0x02 0x00 0x00 0x00 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo® video 5.10 Compression Filter@EncoderType 1

    ---- EOF - GMER 1.0.15 ----



    ==========================================================




    DDS (Ver_10-12-12.02) - NTFSx86
    Run by user at 17:08:30.73 on 02/05/2011 Sat
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
    Microsoft Windows XP Professional 5.1.2600.2.950.886.1033.18.2046.1472 [GMT 8:00]

    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

    ============== Running Processes ===============

    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    C:\WINDOWS\System32\svchost.exe -k Akamai
    C:\Program Files\PPStream\ppsap.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    svchost.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
    C:\Documents and Settings\user\Desktop\dds.scr
    C:\WINDOWS\system32\conime.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.facebook.com/?ref=hp
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    uRun: [PPS Accelerator] c:\program files\ppstream\ppsap.exe
    uRun: [Flock Update] "c:\documents and settings\user\local settings\application data\flock\update\FlockUpdate.exe" /c
    uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
    mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    StartupFolder: c:\docume~1\user\startm~1\programs\startup\viikii~1.lnk - c:\program files\viikiidesktopplugin\ViiKiiDesktopPlugin.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/mjss/MJSS.cab109791.cab
    DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1296789077718
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\1ix7ps8c.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.my/firefox?client=firefox-a&rls=org.mozilla:en-US:official
    FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\1ix7ps8c.default\extensions\{6ac85730-7d0f-4de0-b3fa-21142dd85326}\platform\winnt\components\ColorZilla.dll
    FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
    FF - plugin: c:\documents and settings\user\application data\mozilla\firefox\profiles\1ix7ps8c.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll
    FF - plugin: c:\program files\ahnlab\asp\components\aosmgr\conflict_221\npaosmgr.dll
    FF - plugin: c:\program files\ahnlab\asp\mykeydefense 2.5\npmkd25aos.dll
    FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Xmarks: foxmarks@kei.com - %profile%\extensions\foxmarks@kei.com
    FF - Ext: Noia 2.0 eXtreme OPT: noia2_option@kk.noia - %profile%\extensions\noia2_option@kk.noia
    FF - Ext: Noia 2.0 (eXtreme): {9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e} - %profile%\extensions\{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}
    FF - Ext: Black Stratini: {b41cb5f0-2e52-11de-8c30-0800200c9a66} - %profile%\extensions\{b41cb5f0-2e52-11de-8c30-0800200c9a66}
    FF - Ext: ColorfulTabs: {0545b830-f0aa-4d7e-8820-50a4629a56fe} - %profile%\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}
    FF - Ext: Silvermel and Charamel XT: silvermelxt@pardal.de - %profile%\extensions\silvermelxt@pardal.de
    FF - Ext: Silvermel: silvermel@pardal.de - %profile%\extensions\silvermel@pardal.de
    FF - Ext: gTranslate: {aff87fa2-a58e-4edd-b852-0a20203c1e17} - %profile%\extensions\{aff87fa2-a58e-4edd-b852-0a20203c1e17}
    FF - Ext: ColorZilla: {6AC85730-7D0F-4de0-B3FA-21142DD85326} - %profile%\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}
    FF - Ext: FlashGot: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34} - %profile%\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

    ============= SERVICES / DRIVERS ===============

    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-3-20 11608]
    R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-8-4 14336]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-3-20 135336]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-3-20 267944]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-3-20 61960]
    R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2010-9-11 27632]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2010-9-11 13224]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S3 SwitchBoard;SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

    =============== Created Last 30 ================

    2011-02-05 04:41:00 -------- d--h--w- c:\windows\system32\GroupPolicy
    2011-02-05 04:37:58 266360 ----a-w- c:\windows\system32\TweakUI.exe
    2011-02-04 16:14:33 -------- d-----w- c:\docume~1\user\applic~1\Malwarebytes
    2011-02-04 16:14:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-02-04 16:14:29 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2011-02-04 16:14:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-02-04 16:14:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-02-04 03:22:45 -------- d-----w- c:\windows\system32\PreInstall
    2011-02-04 03:12:27 -------- d-----w- c:\windows\system32\SoftwareDistribution
    2011-02-04 03:12:25 21728 ----a-w- c:\windows\system32\wucltui.dll.mui
    2011-02-04 03:12:22 17632 ----a-w- c:\windows\system32\wuaueng.dll.mui
    2011-02-04 03:12:21 15072 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
    2011-02-04 03:12:20 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
    2011-01-25 07:58:33 -------- d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
    2011-01-25 06:47:09 -------- d-----w- c:\docume~1\user\applic~1\Local
    2011-01-21 01:47:20 268800 ----a-w- c:\program files\windows media player\plugins\wmp_lyricsplugin.dll
    2011-01-17 11:06:05 -------- d-----w- c:\docume~1\user\locals~1\applic~1\Apple
    2011-01-17 11:05:45 -------- d-----w- c:\docume~1\user\locals~1\applic~1\Apple Computer
    2011-01-10 13:06:08 -------- d-----w- c:\docume~1\alluse~1\applic~1\PopCap Games

    ==================== Find3M ====================

    2010-11-29 09:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-11-29 09:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-11-27 14:34:26 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2010-11-27 14:34:26 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2010-11-12 10:53:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-11-12 08:34:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-11-12 00:44:54 94208 ----a-w- c:\windows\system32\dpl100.dll
    2010-11-08 22:57:04 353592 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl

    ============= FINISH: 17:08:58.67 ===============



    ========================================================




    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-12.02)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 1/31/2007 6:59:59 AM
    System Uptime: 2/5/2011 3:01:41 PM (2 hours ago)

    Motherboard: Intel Corporation | | D102GGC2
    Processor: Intel(R) Pentium(R) D CPU 2.80GHz | | 2800/200mhz
    Processor: Intel(R) Pentium(R) D CPU 2.80GHz | | 2800/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 92 GiB total, 58.11 GiB free.
    D: is FIXED (NTFS) - 61 GiB total, 61.163 GiB free.
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
    Description: PS/2 Compatible Mouse
    Device ID: ACPI\PNP0F13\4&29C049B9&0
    Manufacturer: Microsoft
    Name: PS/2 Compatible Mouse
    PNP Device ID: ACPI\PNP0F13\4&29C049B9&0
    Service: i8042prt

    ==== System Restore Points ===================

    No restore point in system.

    ==== Installed Programs ======================

    32 Bit HP CIO Components Installer
    Acrobat.com
    Adobe AIR
    Adobe Community Help
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Media Player
    Adobe Photoshop CS5
    Adobe Reader X
    Adobe Shockwave Player 11.5
    AhnLab Online Security
    AIO_Scan
    Akamai NetSession Interface
    Apple Application Support
    Apple Software Update
    Avira AntiVir Personal - Free Antivirus
    BitTorrent
    BufferChm
    Combined Community Codec Pack 2009-09-09
    Copy
    CustomerResearchQFolder
    Destinations
    DeviceManagementQFolder
    DivX Setup
    DJ_AIO_ProductContext
    DJ_AIO_Software
    DJ_AIO_Software_min
    eSupportQFolder
    F4100
    F4100_Help
    High Definition Audio Driver Package - KB888111
    Hotfix for Windows XP (KB915865)
    HP Customer Participation Program 8.0
    HP Deskjet All-In-One Software 8.0
    HP Deskjet All-In-One Software 9.0
    HP Imaging Device Functions 8.0
    HP Photosmart Essential
    HP Product Assistant
    HP Solution Center 8.0
    HP Update
    HPProductAssistant
    HPSSupply
    Intel(R) PRO Network Connections
    Java Auto Updater
    Java(TM) 6 Update 23
    Lyrics Plugin for Windows Media Player
    Malwarebytes' Anti-Malware
    MarketResearch
    Messenger Plus! Live
    Microsoft .NET Framework 2.0
    Microsoft .NET Framework 4 Client Profile
    Microsoft .NET Framework 4 Extended
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Software Update for Web Folders (English) 12
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
    Microsoft WSE 3.0 Runtime
    Microsoft_VC80_ATL_x86
    Microsoft_VC80_CRT_x86
    Microsoft_VC80_MFC_x86
    Microsoft_VC80_MFCLOC_x86
    Microsoft_VC90_ATL_x86
    Microsoft_VC90_CRT_x86
    Microsoft_VC90_MFC_x86
    Mozilla Firefox (3.6.13)
    MSVCRT
    MSXML 4.0 SP2 Parser and SDK
    Nero 7 Ultra Edition
    neroxml
    NVIDIA Drivers
    NVIDIA nView Desktop Manager
    NVIDIA PhysX
    PCSX2 - Playstation 2 Emulator
    PDF Settings CS5
    PowerDVD
    PPStream V2.7.0.1208 Final
    QuickTime
    RealNetworks - Microsoft Visual C++ 2008 Runtime
    RealPlayer
    Realtek High Definition Audio Driver
    RealUpgrade 1.1
    Scan
    Segoe UI
    SolutionCenter
    Status
    Toolbox
    TrayApp
    Tweak UI
    UnloadSupport
    Update for Windows XP (KB898461)
    Update for Windows XP (KB932823-v3)
    Update Service
    VC80CRTRedist - 8.0.50727.4053
    WebFldrs XP
    WebReg
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Imaging Component
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Upload Tool
    Windows Media Format Runtime
    Windows Media Player 10
    WinRAR archiver
    WinZip 14.5
    谷歌拼音输入法 2.3

    ==== Event Viewer Messages From Past Week ========

    2/5/2011 2:54:11 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    2/5/2011 2:53:57 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    2/5/2011 2:53:37 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD avgio avipbb Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss sptd ssmdrv Tcpip
    2/5/2011 2:53:37 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    2/5/2011 2:53:37 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    2/5/2011 2:53:37 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    2/5/2011 2:53:37 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    2/5/2011 2:52:15 PM, error: sptd [4] - Driver detected an internal error in its data structures for .
    2/5/2011 12:58:28 AM, error: atapi [9] - The device, \Device\Ide\IdePort2, did not respond within the timeout period.
    2/5/2011 12:48:55 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.DebugCRT. Reference error message: The referenced assembly is not installed on your system. .
    2/5/2011 12:48:55 PM, error: SideBySide [59] - Generate Activation Context failed for c:\program files\real\realplayer\plugins\rmxrend.dll. Reference error message: The operation completed successfully. .
    2/5/2011 12:48:55 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.DebugCRT could not be found and Last Error was The referenced assembly is not installed on your system.
    2/5/2011 12:06:09 AM, error: Service Control Manager [7034] - The NMIndexingService service terminated unexpectedly. It has done this 1 time(s).
    2/5/2011 12:06:08 AM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
    2/5/2011 12:06:08 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    2/5/2011 11:55:32 AM, error: atapi [11] - The driver detected a controller error on \Device\Ide\IdePort2.
    2/4/2011 2:25:01 PM, error: Service Control Manager [7023] - The SSHNAS service terminated with the following error: The specified module could not be found.

    ==== End Of File ===========================
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Welcome to TechSpot!

    I'll try to help with your problem. I see you're another gamer who got spyware from downloading a game! Did you by chance do downloading and/or file sharing with BitTorrent that you have installed? That is pretty much a guarantee for malware!
    ============================================
    While I finish checking these logs (I note entries that will need to be removed), please run the Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ======================================
    Download Combofix to your desktop from one of these locations:
    Link 1
    Link 2
    • Double click combofix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes it will open a text window. Please paste that log in your next reply.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    By the way, is Avast the only security protection you have? No firewall? No antimalware (spyware/adware) programs? The antivirus program isn't going to pick up all the malware, so relying on it alone to prevent/find/fix malware is not going to work.
  4. yh92

    yh92 TS Rookie Topic Starter

    Thanks a lot for your attention.

    I'm sorry I have to tell you that I can't access the internet for too long today.
    Please forgive my late actions, and I assure you that I will carry on the steps within 24 hours starting from now.

    Also, I want to apologize because I've forgotten about the rule that we shouldn't install any new things while cleaning is in process. I've deleted Flock browser and installed Google Chrome. Will that affect anything?
    I'm really sorry for that.

    Yes, I'm quite a game addict myself, and I do download stuff through BitTorrent, mainly animations.
    It was my brother who introduced BitTorrent to me, should I delete it?

    It is only Avira that I'm relying on right now.
    I'm simply afraid to use any other security programs as I've heard of cases like the antimalware program itself being a threat.
    Can you suggest reliable protections that I can get my hands on?

    That's all for now.
    I will check back ASAP tomorrow.
    Once again, I'm really grateful for your help and sorry for the trouble.
  5. yh92

    yh92 TS Rookie Topic Starter

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6419
    # api_version=3.0.2
    # EOSSerial=9c41e93402ff864c92345e48cb525bd1
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2011-02-06 03:03:20
    # local_time=2011-02-06 11:03:20 (+0800, Malay Peninsula Standard Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 2
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=768 16777215 100 0 0 0 0 0
    # compatibility_mode=1797 16775141 100 94 0 62449179 185541 0
    # compatibility_mode=8192 67108863 100 0 481 481 0 0
    # scanned=56901
    # found=0
    # cleaned=0
    # scan_time=1211



    =======================================================



    ComboFix 11-02-05.01 - user 6/2011 Sun 23:16:14.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.950.886.1033.18.2046.1366 [GMT 8:00]
    執行位置: c:\my documents\Downloads\ComboFix.exe
    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    .
    Error: Cfiles.dat

    ((((((((((((((((((((((((((((((((((((((( 被刪除的檔案 )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    c:\documents and settings\user\Application Data\Local
    c:\documents and settings\user\Application Data\PriceGong
    c:\documents and settings\user\Application Data\PriceGong\Data\1.xml
    c:\documents and settings\user\Application Data\PriceGong\Data\a.xml
    c:\documents and settings\user\Application Data\PriceGong\Data\b.xml
    c:\documents and settings\user\Application Data\PriceGong\Data\c.xml
    c:\documents and settings\user\Application Data\PriceGong\Data\d.xml
    c:\documents and settings\user\Application Data\PriceGong\Data\e.xml
    c:\documents and settings\user\Application Data\PriceGong\Data\f.xml
    c:\documents and settings\user\Application Data\PriceGong\Data\g.xml
    c:\documents and settings\user\Application Data\PriceGong\Data\h.xml
    c:\documents and settings\user\Application Data\PriceGong\Data\i.xml
    c:\documents and settings\user\Application Data\PriceGong\Data\J.xml
    c:\documents and settings\user\Application Data\PriceGong\Data\k.xml
    c:\documents and settings\user\Application Data\PriceGong\Data\l.xml
    c:\documents and settings\user\Application Data\PriceGong\Data\m.xml
    c:\documents and settings\user\Application Data\PriceGong\Data\mru.xml
    c:\documents and settings\user\Application Data\PriceGong\Data\n.xml
    c:\documents and settings\user\Application Data\PriceGong\Data\o.xml
    c:\documents and settings\user\Application Data\PriceGong\Data\p.xml
    c:\documents and settings\user\Application Data\PriceGong\Data\q.xml
    c:\documents and settings\user\Application Data\PriceGong\Data\r.xml
    c:\documents and settings\user\Application Data\PriceGong\Data\s.xml
    c:\documents and settings\user\Application Data\PriceGong\Data\t.xml
    c:\documents and settings\user\Application Data\PriceGong\Data\u.xml
    c:\documents and settings\user\Application Data\PriceGong\Data\v.xml
    c:\documents and settings\user\Application Data\PriceGong\Data\w.xml
    c:\documents and settings\user\Application Data\PriceGong\Data\x.xml
    c:\documents and settings\user\Application Data\PriceGong\Data\y.xml
    c:\documents and settings\user\Application Data\PriceGong\Data\z.xml
    c:\documents and settings\user\Recent\SYSTEM.CNF

    ----- BITS: Possible infected sites -----

    hxxp://update.flock.com
    .
    ((((((((((((((((((((((((((((((((((((((( 驅動/服務 )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_SSHNAS


    ((((((((((((((((((((((((( 2011-01-06 至 2011-02-06 的新的檔案 )))))))))))))))))))))))))))))))
    .

    2011-02-06 14:35 . 2011-02-06 14:35 -------- d-----w- c:\program files\ESET
    2011-02-05 04:41 . 2011-02-05 04:41 -------- d--h--w- c:\windows\system32\GroupPolicy
    2011-02-05 04:37 . 2003-06-25 08:05 266360 ----a-w- c:\windows\system32\TweakUI.exe
    2011-02-04 16:14 . 2011-02-04 16:14 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
    2011-02-04 16:14 . 2010-12-20 10:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-02-04 16:14 . 2011-02-04 16:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-02-04 16:14 . 2011-02-04 16:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-02-04 16:14 . 2010-12-20 10:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-02-04 03:12 . 2009-08-06 11:24 44768 ----a-w- c:\windows\system32\wups2.dll
    2011-02-04 03:12 . 2009-08-06 11:24 21728 ----a-w- c:\windows\system32\wucltui.dll.mui
    2011-02-04 03:12 . 2009-08-06 11:24 17632 ----a-w- c:\windows\system32\wuaueng.dll.mui
    2011-02-04 03:12 . 2009-08-06 11:24 15072 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
    2011-02-04 03:12 . 2009-08-06 11:24 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
    2011-02-02 00:14 . 2011-02-02 00:14 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
    2011-01-25 07:58 . 2011-01-25 10:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
    2011-01-21 01:47 . 2011-01-21 01:47 268800 ----a-w- c:\program files\Windows Media Player\Plugins\wmp_lyricsplugin.dll
    2011-01-17 11:06 . 2011-01-17 11:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
    2011-01-17 11:06 . 2011-01-17 11:06 -------- d-----w- c:\program files\Common Files\Apple
    2011-01-17 11:06 . 2011-01-17 11:06 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Apple
    2011-01-17 11:06 . 2011-01-17 11:06 -------- d-----w- c:\program files\Apple Software Update
    2011-01-17 11:06 . 2011-01-17 11:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
    2011-01-17 11:05 . 2011-01-17 11:05 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Apple Computer
    2011-01-10 13:06 . 2011-01-10 13:06 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap Games

    .
    (((((((((((((((((((((((((((((((((((((((( 在三個月內被修改的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-01-25 06:57 . 2010-03-19 20:05 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-01-25 06:57 . 2010-03-19 20:05 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2010-11-29 09:38 . 2010-11-29 09:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-11-29 09:38 . 2010-11-29 09:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-11-27 14:34 . 2007-01-30 23:36 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2010-11-27 14:34 . 2007-01-30 23:36 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2010-11-12 10:53 . 2010-04-17 08:41 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-11-12 08:34 . 2010-03-19 20:16 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-11-12 00:44 . 2010-11-12 00:44 94208 ----a-w- c:\windows\system32\dpl100.dll
    2010-11-08 22:57 . 2010-11-08 22:57 353592 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
    .

    ------- Sigcheck -------

    [-] 2010-10-14 . EBEAB4C47642CD68D7FD23187EECA1B0 . 359040 . . [5.1.2600.2180] . . c:\windows\system32\backup\tcpip.sys
    [7] 2004-08-03 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\tcpip.sys
    [-] 2004-08-03 . 3BB4B08619C111C7BE8BDA07AA0DE6A2 . 359040 . . [5.1.2600.2180] . . c:\windows\system32\drivers\tcpip.sys
    .
    ((((((((((((((((((((((((((((((((((((( 重要登入點 ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *注意* 空白與合法缺省登錄將不會被顯示
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PPS Accelerator"="c:\program files\PPStream\ppsap.exe" [2010-02-24 214408]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 153136]
    "Google Update"="c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2011-02-05 136176]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-06 1657376]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-01-25 281768]
    "AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-22 402432]
    "AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-05 500208]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-01-10 1230704]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-06 13877248]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]

    c:\documents and settings\user\Start Menu\Programs\Startup\
    ViiKiiDesktopPlugin.lnk - c:\program files\ViiKiiDesktopPlugin\ViiKiiDesktopPlugin.exe [N/A]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0200804]
    Ime File REG_SZ GOOGLEPINYIN2.IME

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\QvodPlayer\\QvodTerminal.exe"=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\PPStream\\PPStream.exe"=
    "c:\\Program Files\\PPStream\\PPSAP.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "1036:TCP"= 1036:TCP:Akamai NetSession Interface
    "5000:UDP"= 5000:UDP:Akamai NetSession Interface

    R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/6/2010 8:29 PM 691696]
    R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 8:56 AM 14336]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [3/20/2010 4:05 AM 135336]
    R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [9/11/2010 8:00 PM 27632]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
    S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [9/11/2010 7:59 PM 13224]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    Akamai REG_MULTI_SZ Akamai
    .
    ‘計劃任務’ 文件夾 裡的內容

    2010-12-25 c:\windows\Tasks\AdobeAAMUpdater-1.0-OEM-2FCA8EBCBEB-user.job
    - c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-11-25 19:44]

    2011-02-02 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 04:34]

    2011-02-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1229272821-484763869-839522115-1003Core.job
    - c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-02-05 10:05]

    2011-02-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1229272821-484763869-839522115-1003UA.job
    - c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-02-05 10:05]

    2011-02-06 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1229272821-484763869-839522115-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 03:33]

    2011-02-06 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1229272821-484763869-839522115-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 03:33]

    2011-02-06 c:\windows\Tasks\User_Feed_Synchronization-{100A6DD8-7525-46C1-B69C-F611E33E77E1}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-14 20:31]
    .
    .
    ------- 而外的掃描 -------
    .
    uStart Page = hxxp://www.facebook.com/?ref=hp
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\1ix7ps8c.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.my/firefox?client=firefox-a&rls=org.mozilla:en-US:official
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Xmarks: foxmarks@kei.com - %profile%\extensions\foxmarks@kei.com
    FF - Ext: Noia 2.0 eXtreme OPT: noia2_option@kk.noia - %profile%\extensions\noia2_option@kk.noia
    FF - Ext: Noia 2.0 (eXtreme): {9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e} - %profile%\extensions\{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}
    FF - Ext: Black Stratini: {b41cb5f0-2e52-11de-8c30-0800200c9a66} - %profile%\extensions\{b41cb5f0-2e52-11de-8c30-0800200c9a66}
    FF - Ext: ColorfulTabs: {0545b830-f0aa-4d7e-8820-50a4629a56fe} - %profile%\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}
    FF - Ext: Silvermel and Charamel XT: silvermelxt@pardal.de - %profile%\extensions\silvermelxt@pardal.de
    FF - Ext: Silvermel: silvermel@pardal.de - %profile%\extensions\silvermel@pardal.de
    FF - Ext: gTranslate: {aff87fa2-a58e-4edd-b852-0a20203c1e17} - %profile%\extensions\{aff87fa2-a58e-4edd-b852-0a20203c1e17}
    FF - Ext: ColorZilla: {6AC85730-7D0F-4de0-B3FA-21142DD85326} - %profile%\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}
    FF - Ext: FlashGot: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34} - %profile%\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-Flock Update - c:\documents and settings\user\Local Settings\Application Data\Flock\Update\FlockUpdate.exe
    Notify-AtiExtEvent - (no file)



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-02-06 23:22
    Windows 5.1.2600 Service Pack 2 NTFS

    掃描被隱藏的進程 ...

    掃描被隱藏的啟動組 ...

    掃描被隱藏的文件 ...

    掃描完成
    被隱藏的檔案: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- 運行進程下的動態鏈接庫 ---------------------

    - - - - - - - > 'explorer.exe'(392)
    c:\progra~1\WINDOW~2\wmpband.dll
    c:\windows\system32\msi.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ 其他運行進程 ------------------------
    .
    c:\windows\system32\nvsvc32.exe
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\windows\system32\conime.exe
    c:\windows\system32\wdfmgr.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
    .
    **************************************************************************
    .
    完成時間: 2011-02-06 23:26:02 - 電腦已重新啟動
    ComboFix-quarantined-files.txt 2011-02-06 15:25

    Pre-Run: 61,925,072,896 bytes free
    Post-Run: 61,824,241,664 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-CHT.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - A90F979A72B406422BEF974A8A707A4B
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Let me bring a contradiction to your attention:
    First, regarding BitTorrent: File sharing is one of the biggest contributors of malware. Should you uninstall it? Read this and decide for yourself:
    Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall BitTorrent for the following reasons:
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.

    Second, about antimalware programs being a threat: A well-recommended spyware/adware program downloaded from a reliable, recommended site is an asset to the system. So is a firewall. But if you go to a file sharing site to get a crack or keygen to run a security program without paying for it, if there is a charge, you will get malware.

    The contradiction is that you're using file sharing but no spyware/adware security!
    When we have finished, I will recommend free, good layered protection and the site to download it from.
    ==================================================
    It appears that you may have a second language on the system- other than English. Is that right?

    I can't find any English site to ID this. Do you know what it is?
    谷歌拼音?入法 2.3

    The files sshnas.dll and sshnas21.dll are part of a trojan that redirects search engine results in Google.

    HCH.EXE is Trojan.Agent/Gen-CDesc

    O4 - Startup: ViiKiiDesktopPlugin.lnk = C:\Program Files\ViiKiiDesktopPlugin\ViiKiiDesktopPlugin.exe
    Do you know what this entry is/does and do you use it?

    If not, uninstall it from Add/Remove Programs via Control Panel - ViiKiiDesktopPlugin
    ==========================================
    Please decide on BitTorrent. There is a Registry entry I need to remove if you uninstall it.
  7. yh92

    yh92 TS Rookie Topic Starter

    Oh! I understand.
    Haven't thought about it until now, thanks for bringing it up.
    I will uninstall BitTorrent for good.

    Yes, my system's second language is Chinese.
    谷歌拼音?入法 2.3 is a Chinese input tool by Google, namely Google Pinyin in English.

    ViiKiiDesktopPlugin.lnk, I know that.
    I got it when my friend used my computer to watch Korean Dramas last year.
    It was already uninstalled sometime around the end of 2010.
    I assume that I have to just remove the entries from the Startup and Application Data folder?
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, no problem. I can remove the entries with a script in Combofix:

    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    Extra::
    File::
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    Firefox::
    Firefox-: - Profile- c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\1ix7ps8c.default\
    DDS::
    StartupFolder: c:\docume~1\user\startm~1\programs\startup\viikii~1.lnk - c:\program files\viikiidesktopplugin\ViiKiiDesktopPlugin.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    uRun: [Flock Update] "c:\documents and settings\user\local settings\application data\flock\update\FlockUpdate.exe" /c
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=-
    "FirewallOverride"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HP Software Update"=-
    "AdobeAAMUpdater-1.0"=
    "QuickTime Task"=-
    "Adobe Reader Speed Launcher"=-
    "Adobe ARM"=-
    "SunJavaUpdateSched"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=-
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    I removed some auto-updates you don't need. The Eset scan was clean. I'd like you to run one more scan to make sure there are no bad entries left:
    Download HijackThis and save to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file and then the log will open in notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
  9. yh92

    yh92 TS Rookie Topic Starter

    Should I uninstall BitTorrent now through the add or remove programs?

    ========================

    ComboFix 11-02-07.01 - user 02/08/2011 15:28:27.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1466 [GMT 8:00]
    Running from: c:\documents and settings\user\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\user\Desktop\CFScript.txt
    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    * Created a new restore point

    FILE ::
    "c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}"
    "c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}"
    "c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}"
    "c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}"
    "c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk
    c:\program files\adobe\reader 10.0\reader\Reader_sl.exe
    c:\program files\common files\adobe\arm\1.0\AdobeARM.exe
    c:\program files\common files\java\java update\jusched.exe
    c:\program files\hp\digital imaging\bin\hpqtra08.exe
    c:\program files\hp\hp software update\HPWuSchd2.exe
    c:\windows\system32\AutoRun.inf

    .
    ((((((((((((((((((((((((( Files Created from 2011-01-08 to 2011-02-08 )))))))))))))))))))))))))))))))
    .

    2011-02-06 14:35 . 2011-02-06 14:35 -------- d-----w- c:\program files\ESET
    2011-02-05 04:41 . 2011-02-05 04:41 -------- d--h--w- c:\windows\system32\GroupPolicy
    2011-02-05 04:37 . 2003-06-25 08:05 266360 ----a-w- c:\windows\system32\TweakUI.exe
    2011-02-04 16:14 . 2011-02-04 16:14 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
    2011-02-04 16:14 . 2010-12-20 10:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-02-04 16:14 . 2011-02-04 16:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-02-04 16:14 . 2011-02-04 16:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-02-04 16:14 . 2010-12-20 10:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-02-04 03:12 . 2009-08-06 11:24 44768 ----a-w- c:\windows\system32\wups2.dll
    2011-02-04 03:12 . 2009-08-06 11:24 21728 ----a-w- c:\windows\system32\wucltui.dll.mui
    2011-02-04 03:12 . 2009-08-06 11:24 17632 ----a-w- c:\windows\system32\wuaueng.dll.mui
    2011-02-04 03:12 . 2009-08-06 11:24 15072 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
    2011-02-04 03:12 . 2009-08-06 11:24 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
    2011-02-02 00:14 . 2011-02-02 00:14 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
    2011-01-25 07:58 . 2011-01-25 10:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
    2011-01-21 01:47 . 2011-01-21 01:47 268800 ----a-w- c:\program files\Windows Media Player\Plugins\wmp_lyricsplugin.dll
    2011-01-17 11:06 . 2011-01-17 11:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
    2011-01-17 11:06 . 2011-01-17 11:06 -------- d-----w- c:\program files\Common Files\Apple
    2011-01-17 11:06 . 2011-01-17 11:06 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Apple
    2011-01-17 11:06 . 2011-01-17 11:06 -------- d-----w- c:\program files\Apple Software Update
    2011-01-17 11:06 . 2011-01-17 11:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
    2011-01-17 11:05 . 2011-01-17 11:05 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Apple Computer
    2011-01-10 13:06 . 2011-01-10 13:06 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap Games

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-01-25 06:57 . 2010-03-19 20:05 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-01-25 06:57 . 2010-03-19 20:05 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2010-11-29 09:38 . 2010-11-29 09:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-11-29 09:38 . 2010-11-29 09:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-11-27 14:34 . 2007-01-30 23:36 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2010-11-27 14:34 . 2007-01-30 23:36 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2010-11-12 10:53 . 2010-04-17 08:41 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-11-12 08:34 . 2010-03-19 20:16 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-11-12 00:44 . 2010-11-12 00:44 94208 ----a-w- c:\windows\system32\dpl100.dll
    .

    ------- Sigcheck -------

    [-] 2010-10-14 . EBEAB4C47642CD68D7FD23187EECA1B0 . 359040 . . [5.1.2600.2180] . . c:\windows\system32\backup\tcpip.sys
    [7] 2004-08-03 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\tcpip.sys
    [-] 2004-08-03 . 3BB4B08619C111C7BE8BDA07AA0DE6A2 . 359040 . . [5.1.2600.2180] . . c:\windows\system32\drivers\tcpip.sys
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-02-06_15.22.26 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-02-08 07:02 . 2011-02-08 07:02 16384 c:\windows\Temp\Perflib_Perfdata_650.dat
    + 2011-02-08 07:03 . 2011-02-08 07:03 16384 c:\windows\Temp\Perflib_Perfdata_5b8.dat
    + 2007-01-30 14:49 . 2011-02-07 15:03 3640960 c:\windows\system32\FNTCACHE.DAT
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PPS Accelerator"="c:\program files\PPStream\ppsap.exe" [2010-02-24 214408]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 153136]
    "Google Update"="c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2011-02-05 136176]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-06 1657376]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-01-25 281768]
    "AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-22 402432]
    "AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-05 500208]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-01-10 1230704]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-06 13877248]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0200804]
    Ime File REG_SZ GOOGLEPINYIN2.IME

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\QvodPlayer\\QvodTerminal.exe"=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\PPStream\\PPStream.exe"=
    "c:\\Program Files\\PPStream\\PPSAP.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "1489:TCP"= 1489:TCP:Akamai NetSession Interface
    "5000:UDP"= 5000:UDP:Akamai NetSession Interface

    R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/6/2010 8:29 PM 691696]
    R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 8:56 AM 14336]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [3/20/2010 4:05 AM 135336]
    R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [9/11/2010 8:00 PM 27632]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
    S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [9/11/2010 7:59 PM 13224]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    Akamai REG_MULTI_SZ Akamai
    .
    Contents of the 'Scheduled Tasks' folder

    2010-12-25 c:\windows\Tasks\AdobeAAMUpdater-1.0-OEM-2FCA8EBCBEB-user.job
    - c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-11-25 19:44]

    2011-02-02 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 04:34]

    2011-02-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1229272821-484763869-839522115-1003Core.job
    - c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-02-05 10:05]

    2011-02-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1229272821-484763869-839522115-1003UA.job
    - c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-02-05 10:05]

    2011-02-08 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1229272821-484763869-839522115-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 03:33]

    2011-02-08 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1229272821-484763869-839522115-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 03:33]

    2011-02-08 c:\windows\Tasks\User_Feed_Synchronization-{100A6DD8-7525-46C1-B69C-F611E33E77E1}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-14 20:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.facebook.com/?ref=hp
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\1ix7ps8c.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.my/firefox?client=firefox-a&rls=org.mozilla:en-US:official
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Xmarks: foxmarks@kei.com - %profile%\extensions\foxmarks@kei.com
    FF - Ext: Noia 2.0 eXtreme OPT: noia2_option@kk.noia - %profile%\extensions\noia2_option@kk.noia
    FF - Ext: Noia 2.0 (eXtreme): {9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e} - %profile%\extensions\{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}
    FF - Ext: Black Stratini: {b41cb5f0-2e52-11de-8c30-0800200c9a66} - %profile%\extensions\{b41cb5f0-2e52-11de-8c30-0800200c9a66}
    FF - Ext: ColorfulTabs: {0545b830-f0aa-4d7e-8820-50a4629a56fe} - %profile%\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}
    FF - Ext: Silvermel and Charamel XT: silvermelxt@pardal.de - %profile%\extensions\silvermelxt@pardal.de
    FF - Ext: Silvermel: silvermel@pardal.de - %profile%\extensions\silvermel@pardal.de
    FF - Ext: gTranslate: {aff87fa2-a58e-4edd-b852-0a20203c1e17} - %profile%\extensions\{aff87fa2-a58e-4edd-b852-0a20203c1e17}
    FF - Ext: ColorZilla: {6AC85730-7D0F-4de0-B3FA-21142DD85326} - %profile%\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}
    FF - Ext: FlashGot: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34} - %profile%\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-02-08 15:32
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    Completion time: 2011-02-08 15:34:38
    ComboFix-quarantined-files.txt 2011-02-08 07:34
    ComboFix2.txt 2011-02-06 15:26

    Pre-Run: 61,651,345,408 bytes free
    Post-Run: 61,639,938,048 bytes free

    - - End Of File - - 319F1AD018F8F1AF256B9D42B2C6F467


    ===============================


    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 3:41:18 PM, on 2/8/2011
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    C:\Program Files\PPStream\ppsap.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\WINDOWS\explorer.exe
    C:\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/?ref=hp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [SwitchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
    O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [AdobeCS5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
    O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
    O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [PPS Accelerator] C:\Program Files\PPStream\ppsap.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - http://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/mjss/MJSS.cab109791.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1296789077718
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe

    --
    End of file - 7226 bytes
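As an added example (not part of this thread and not HijackThis' own code), here is a small Python triage script that parses the R0/R1, O2, O4 and O23 line types from a HijackThis log like the one above and flags the entries a helper checks first. The sample log is an excerpt of the log posted above; the trusted-directory list and the default IE host list are assumptions about a plain XP install.

```python
"""Triage helper for HijackThis log lines (added example; not part of the
TechSpot thread and not HijackThis' own code).

Parses the R0/R1, O2, O4 and O23 entry types from a log like the one posted
above and flags what a helper looks at first: IE start/search pages that are
not the out-of-the-box Microsoft ones, BHOs registered with no DLL on disk,
autostarts that live outside Program Files / Windows or go through rundll32,
and services whose binary is missing or whose publisher is unknown.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse


@dataclass
class Entry:
    kind: str                  # HijackThis section code, e.g. "O4" or "O23"
    raw: str                   # the log line as written
    target: str = ""           # file path or URL the entry points at
    flags: List[str] = field(default_factory=list)


LINE_RE = re.compile(r"^\s*([RO]\d+)\s+-\s+(.*)$")
# First executable/DLL path in a Run value, quoted or not; the \b stops
# ".com" from matching inside a folder name such as "foo.company".
EXE_RE = re.compile(r'^"?(.*?\.(?:exe|dll|cpl|scr|com)\b)', re.IGNORECASE)

# Assumed policy: autostarts are expected under these directories (XP layout).
TRUSTED_DIRS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")
# Assumed policy: the only host IE points at before anyone changes its pages.
DEFAULT_IE_HOSTS = {"go.microsoft.com"}


def _exe_path(cmd: str) -> str:
    """Return the executable path from a Run value (quoted or not)."""
    m = EXE_RE.match(cmd.strip())
    return m.group(1) if m else cmd.strip()


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a HijackThis entry line, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    kind, body = m.groups()
    e = Entry(kind=kind, raw=line.strip())
    if kind in ("R0", "R1"):
        # "HKCU\...\Main,Start Page = http://..." -> the URL after " = "
        e.target = body.split(" = ", 1)[1] if " = " in body else ""
        host = (urlparse(e.target).hostname or "").lower()
        if host not in DEFAULT_IE_HOSTS:
            e.flags.append(f"non-default IE page on {host}: confirm the user set it")
    elif kind == "O2":
        # "BHO: name - {CLSID} - path" -> the path after the last " - "
        e.target = body.rsplit(" - ", 1)[-1]
        if e.target == "(no file)":
            e.flags.append("orphaned BHO: CLSID registered but its DLL is gone")
    elif kind == "O4":
        # "HKLM\..\Run: [name] command"  or  "Startup: name.lnk = command"
        cmd = body.split("] ", 1)[1] if "] " in body else body.split(" = ", 1)[-1]
        e.target = _exe_path(cmd)
        low = e.target.lower()
        if low.startswith("rundll32"):
            e.flags.append("rundll32 loader: inspect the DLL it is given")
        elif not low.startswith(TRUSTED_DIRS):
            e.flags.append("autostart outside Program Files/Windows: verify it")
    elif kind == "O23":
        # "Service: name (short) - publisher - path [(file missing)]"
        parts = body.split(" - ")
        if len(parts) >= 3:
            publisher, e.target = parts[1], parts[-1]
            if "(file missing)" in e.target:
                e.flags.append("service binary missing: stale entry, safe to remove")
            if publisher.lower() == "unknown owner":
                e.flags.append("unknown publisher: verify the binary before trusting it")
    return e


def triage(log_text: str) -> List[Entry]:
    """Parse every entry line in a HijackThis log and return those with flags."""
    entries = (parse_line(ln) for ln in log_text.splitlines())
    return [e for e in entries if e is not None and e.flags]


# Constructed sample: an excerpt of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/?ref=hp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.kind:4} {e.target}")
        for f in e.flags:
            print(f"      -> {f}")
```

The flags are prompts for a human review, not verdicts: the Google Update entry is legitimate in this thread, but an autostart running from a user profile is exactly the kind of line a helper confirms by hand.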
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You can go ahead and remove BitTorrent.

    I removed these with the script in Combofix and they show deleted, but they are still on Firefox, so you will need to remove them manually:

    Remove outdated Java plugin files from the Firefox plugins folder:
    Note: It is recommended that you do not copy Java plugins from other locations to the Firefox plugins folder. Outdated Java plugins can cause Java not to work if you update Java and then uninstall the older Java version, if plugins from the old Java version are still in the Firefox plugins folder.
    1. Open Firefox> Tools> Add-ons. The Add-ons window will open.
    2. In the Add-ons window> select the Plugins panel, to display a list of installed plugins.
    3. Select each Java plugin listed to make sure that all are enabled.
    4. Check if the Java plugins are correctly detected. All Java plugins listed in the Add-ons window should match the version number of the currently installed JRE. There should be no plugins for earlier versions of Java.
    5. Java plugin files that do not match your current version means that the Firefox plugins folder contains outdated Java plugin files which should be removed. This folder is typically in the following location: Use Windows Explorer to access> My Computer> Local Drive> Programs>>>
    C:\Program Files\Mozilla Firefox\plugins
    Java files from older versions in the Firefox plugins folder can prevent Java from working.

    You do not need to put Java updates in FF extensions. The update you do on the OS will also cover Java. It is a vulnerability to have outdated versions of Java on the system.
    ==========================================================
    Take the HP Digital Imaging processes off of Startup. Find the processes for all of these and uncheck them on Startup:
    c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk
    c:\program files\adobe\reader 10.0\reader\Reader_sl.exe
    c:\program files\common files\adobe\arm\1.0\AdobeARM.exe
    c:\program files\common files\java\java update\jusched.exe
    c:\program files\hp\digital imaging\bin\hpqtra08.exe
    c:\program files\hp\hp software update\HPWuSchd2.exe


    To remove entries from Startup using the msconfig utility:
    • Click on Start> Run> type in msconfig> enter>
    • Click on Selective Startup
    • Choose the Startup tab:
      This is where you UNCHECK the Startup items. This does not remove the item or uninstall anything> it just stops it from starting on boot. It can be rechecked at any time if wanted.
    • To expand the Command Column, (this shows what the process 'belongs' to) hold left mouse button down on the dividing line on frame above Location and move to the right to expand.
    • Click on Apply> OK when finished.

    NOTE:
    When you reboot the system the first time after making changes using the msconfig utility, a nag message comes up that can be ignored and closed after checking 'don't show this message again.'
    Once you make changes to the Startup menu, you must remain in Selective Startup to retain those changes. If you go back to Normal Startup, everything you unchecked will be checked again and start on boot.
    ==========================================
    Remove all of these from Scheduled Tasks. They don't need to run:
    c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-11-25 19:44]
    c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 04:34]
    c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 03:33]
    c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 03:33] (2 entries)


    Most of these found are usually auto-updates scheduled for programs that do not need them. They will make numerous internet connections every day, looking for updates that you can find manually. You want to keep these connection attempts as few as possible and then only if needed for the system. The only auto-update I get is for the AV program.
    Opening scheduled tasks to modify or delete them:
    Access Scheduled Tasks with Click on Start> All Programs> Accessories> System Tools> Scheduled Tasks.
    To change the settings for a task: right-click the Task> click Properties> do any of the following:
    1. To change the schedule for the task, click the Schedule tab.
    2. To customize the settings for the task, such as the maximum run time, idle time requirements, and power management options, click the Settings tab.
    3. To delete a task> right-click the task> click Delete.
    4. To prevent a task from running until you want to let it run again> right-click the task> Properties> On the General tab> clear the Enabled check box. Select the check box again to enable the task when you are ready to let the task scheduler run it again.
    Maintenance Scheduled Tasks such as defrag are in a separate category.
    ==========================================
    There is a deleted file in Combofix that might indicate you used an infected flash drive. Did you use a flash drive while we were cleaning?
  11. yh92

    yh92 TS Rookie Topic Starter

    Done, I've removed BitTorrent.

    The last time I remembered accessing my HDD, phone memory card, and flash drive (I accessed them at the same time) was around the first day of cleaning.
    I think it's some time before I started my posting here.
    Yesterday I did some printing, the printer is connected through a USB cable.
    Other than these, I didn't use any flash drives.

    About Java.
    I have Java Deployment Toolkit 6.0.230.5 and Java (TM) Platform SE 6 U23 under my FF plugins. They are both enabled.
    Are they alright? I don't really see anything that should be removed there.

    I have some problems regarding this.
    All of the above are not found in the startup tab. Are they gone already?

    ==================================================
    I found and removed the other three in scheduled tasks but this was not seen.
    Instead, I found AdobeAAMUpdater-1.0-OEM-2FCA8EBCBEB-user.

    There are also two similar google tasks like below:
    GoogleUpdateTaskUserS-1-5-21-1229272821-484763869-839522115-1003UA
    GoogleUpdateTaskUserS-1-5-21-1229272821-484763869-839522115-1003Core
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    The Java entries are okay. I didn't mention the Google Updater because as long as you have the Google Toolbar, the updaters will enable themselves! I've done some setting myself that has helped, but it's a real pain!

    What you found for Adobe AAMUpdater should be removed from the tasks.
    =========================================
    Regarding the following deletion in Combofix:
    This did not appear in the first Combofix log: ComboFix 11-02-05.01 - user 6/2011 Sun 23:16:14.1.2 - x86
    c:\windows\system32\AutoRun.inf

    But it was deleted as an infected entry in the second Combofix scan on ComboFix 11-02-07.01 - user 02/08/2011 15:28:27.2.2 - x86

    Did you do this in between?
    Entries for this showing as Trojan.FakeAlert were found and quarantined in Mbam, but now you have a new entry and it came from somewhere! Although the entry was deleted in Combofix, that does not give us the source.

    Please run this: Flash disinfector
    Threat Removal Procedure:

    1. Download Flash_Disinfector and save it to your Desktop.
    2. After downloading, double-click on Flash_Disinfector to run it.
    3. Just follow the prompts and continue until it begins scanning.
    4. If asked to insert your flash drive or any removable device including USB Pen Drive and Memory Stick, please do so.
    5. It will scan removable drives; wait for the scan to finish. Done.

    What Flash Disinfector will do:
    - Clean up junk created by flash-drive malware
    - Delete autorun.inf from every root folder
    - Fix damage done to your system
    - Create an autorun.inf folder in the root of your system drives

    The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone.

    Please do so and allow the utility to clean up those drives as well. Wait until it has finished scanning and then exit the program. Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden file named autorun.inf in each partition and every USB drive plugged in when you run it. Don't delete this folder. It will help protect your drives from future infection.
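The protection the post describes, a folder named autorun.inf occupying the spot where autorun malware would drop its file, as an added example in Python; this is not Flash_Disinfector's own code. It assumes Windows for the attribute and drive-type calls (both skipped elsewhere), and it renames any existing autorun.inf file aside for examination instead of deleting it.

```python
import os
import sys
import time

_PROTECTED_ATTRS = 0x01 | 0x02 | 0x04  # READONLY | HIDDEN | SYSTEM

def _set_attributes(path: str) -> None:
    """Mark the folder read-only+hidden+system (Windows only; skipped elsewhere)."""
    if sys.platform != "win32":
        return
    import ctypes
    if not ctypes.windll.kernel32.SetFileAttributesW(path, _PROTECTED_ATTRS):
        raise OSError(ctypes.GetLastError(), "SetFileAttributesW failed")

def protect_drive_root(root: str) -> str:
    """Plant the protective autorun.inf folder in one drive root; returns
    'already-protected', 'created', or 'quarantined' (an autorun.inf FILE was
    found and renamed aside for examination rather than destroyed)."""
    target = os.path.join(root, "autorun.inf")
    if os.path.isdir(target):
        return "already-protected"
    outcome = "created"
    if os.path.lexists(target):
        os.replace(target, f"{target}.quarantined-{int(time.time())}")
        outcome = "quarantined"
    os.mkdir(target)
    _set_attributes(target)
    return outcome

def removable_drive_roots() -> list:
    """Removable drives via the Win32 GetDriveTypeW (DRIVE_REMOVABLE == 2)."""
    if sys.platform != "win32":
        return []
    import ctypes
    return [f"{c}:\\" for c in "DEFGHIJKLMNOPQRSTUVWXYZ"
            if ctypes.windll.kernel32.GetDriveTypeW(f"{c}:\\") == 2]

def self_check() -> tuple:
    """Exercise the logic on a constructed, throw-away 'drive root'."""
    import tempfile
    with tempfile.TemporaryDirectory() as fake_root:
        with open(os.path.join(fake_root, "autorun.inf"), "w") as f:
            f.write("[autorun]\n")  # constructed sample file
        first, second = protect_drive_root(fake_root), protect_drive_root(fake_root)
        entries = len(os.listdir(fake_root))  # quarantined file + new folder
    return first, second, entries

if __name__ == "__main__":
    print(self_check())  # ('quarantined', 'already-protected', 2)
    for drive in removable_drive_roots():
        print(drive, protect_drive_root(drive))
```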
  13. yh92

    yh92 TS Rookie Topic Starter

    Sorry for all the troubles, I'm really grateful for your help. :)

    =============================

    I am sure that I didn't use any flash drives since I used Combofix.
    The last time i used my USB was right after I posted my first post.
    Which is of course, before I did the Combofix scanning.
    The only external thing I remembered using was my printer.
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Where are you now as far as malware issues?
  15. yh92

    yh92 TS Rookie Topic Starter

    Apparent problems aren't seen.
    I guess it's okay now?
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I don't believe there is any malware remaining.

    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disc Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

    Empty the Recycle Bin.
    Let me know if you have any more questions.
  17. yh92

    yh92 TS Rookie Topic Starter

    Okay, thanks a lot!
    Lastly, can you name me some useful protections tools that I should get?

    ==============

    By the way, Happy Valentines Day. Just a side note :)
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You're very welcome! These should help:
    Tips for added security and safer browsing:
    1. Browser Security Settings: Custom is fine if the user did the settings. Mine are Custom. Default is okay too, but sometimes too restrictive.
      This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features: Make Internet Explorer safer.
    2. Have layered Security:
      • Antivirus Software (only one): Both of the following programs are free and known to be good:
        [o]Avira Free
        [o]Avast Home
      • Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
        [o]Comodo
        [o]Zone Alarm
      • Antispyware: I recommend all of the following:
        [o]Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
      [o]Download ZonedOut and save to your desktop. This replaces IE/Spyad and manages the Zones in Internet Explorer. This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc.) from the sites listed, although you will still be able to connect to the sites.
      For IE7 and IE8, Windows 2000 thru Vista. No Windows 7 yet.
      IE/Spyad is no longer being supported. If you have this on your system, you should replace it with the following program. Make sure your IE8 is up-to-date before adding sites to your restricted zone.
      Known issue: If you have "immunized" your computer with Spybot Search and Destroy, and use ZonedOut to "Remove All" restricted sites, ZonedOut will remove your trusted sites as well. Note that if you remove Spybot Search and Destroy's Immunization the problem goes away.
      [o]Replace the Hosts file
      MVPS Hosts file: This replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
      [o]Google Toolbar: Get the free Google toolbar to help stop pop-up windows.
    3. Stay current on updates:
      [o]Visit the Microsoft Download Site frequently. You should get all updates marked Critical and the current SP updates.
      [o]Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
      [o]Check this site: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
    4. Reset Cookies to prevent Tracking Cookies:
      [o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
      [o]For Firefox: Tools> Options> Privacy> Cookies> check ‘accept Cookies from Sites’> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
      I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
      AdBlock Plus
      Easy List
    5. Do regular Maintenance
      Remove Temporary Internet Files regularly:
      [o]ATF Cleaner by Atribune
      OR
      [o]TFC
      Disable and Enable System Restore:
      [o]See System Restore Guide This will help you understand what this is, why you need to clean and set restore points and what information is in them.
    6. Practice Safe Email Handling
      [o] Don't open email from anyone you don't know.
      [o]Don't open Attachments in the email. Save to your desktop and scan for viruses using a right-click.
      [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
    Use a Site Advisor:
    The Web of Trust (WOT) add-on is a safe surfing tool for your browser. Traffic-light rating symbols show which rate the site for Trustworthiness, Vendor Reliability, Privacy, Child Safety. Your online email account (Google Mail, Yahoo! Mail and Hotmail) is also protected.

    Give it a try: http://www.mywot.com/en/download
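A defender's check to go with the HOSTS-file advice above, as an added example in Python that is not from the thread or from MVPS: a blocklist HOSTS file should only ever point names at the local machine, so the audit flags any entry that redirects a name to another address (how a hijacked HOSTS file sends you elsewhere) and any entry, even to loopback, for a domain you rely on for search or updates. The MUST_NOT_BLOCK list and the sample file are constructed for the example.

```python
import ipaddress

LOCAL = {"127.0.0.1", "0.0.0.0", "::1"}
# Assumed list for the example: domains you rely on, which a blocklist
# should never touch (extend with the OS/AV vendor sites you actually use).
MUST_NOT_BLOCK = ("google.com", "microsoft.com", "windowsupdate.com",
                  "avira.com", "malwarebytes.org")

def parse_hosts(text: str):
    """Yield (address, hostname, line_no) for every mapping in a HOSTS file."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed line, not a mapping
        for name in names:
            yield addr, name.lower(), no

def _is_relied_on(name: str) -> bool:
    return any(name == d or name.endswith("." + d) for d in MUST_NOT_BLOCK)

def audit_hosts(text: str) -> list:
    """Return (line_no, hostname, address, reason) for each suspicious entry."""
    findings = []
    for addr, name, no in parse_hosts(text):
        if addr not in LOCAL:
            findings.append((no, name, addr, "redirect to non-local address"))
        elif _is_relied_on(name):
            findings.append((no, name, addr, "blocks a domain you rely on"))
    return findings

# Constructed sample: MVPS-style block entries plus two lines a hijacked
# HOSTS file might carry (203.0.113.5 is a documentation-only address).
SAMPLE = """\
# header comment
127.0.0.1 localhost
0.0.0.0 ad.doubleclick.net       # blocklist entry, fine
0.0.0.0 ads.example.test
203.0.113.5 www.google.com       # search results sent elsewhere
127.0.0.1 download.windowsupdate.com
"""

if __name__ == "__main__":
    # The real file on XP lives at C:\WINDOWS\system32\drivers\etc\hosts
    for no, name, addr, why in audit_hosts(SAMPLE):
        print(f"line {no}: {name} -> {addr} ({why})")
```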
  19. yh92

    yh92 TS Rookie Topic Starter

    Okay, thanks for everything
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You're very welcome! Stay safe.