BullGuard Antivirus Forum - Virus Questions
[DONE] Redirecting google/yahoo search virus/problem

ht
New Member
Date Joined Nov 2008
Total Posts : 5

Posted 11-10-2008 3:49 (GMT +1)
When I click on a searched result link, it automatically directs to another website. I read the other post and followed the instructions, and here is the saved log. Thank you to whoever is willing to help me. May I ask how I got this virus, and how to prevent it? Please.

-----------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.30
Database version: 1378
Windows 6.0.6000
2008/11/10 上午 01:37:05
mbam-log-2008-11-10 (01-37-05).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 162227
Time elapsed: 2 hour(s), 58 minute(s), 16 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 9
Folders Infected: 1
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1a26f07f-0d60-4835-91cf-1e1766a0ec56} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Tribute Service (Trojan.Agent) -> Delete on reboot.
HKEY_CLASSES_ROOT\sexvid (Trojan.DNSChanger) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a81.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3b75ea36-6975-4362-ae51-42a588354d88}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.108;85.255.112.167 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ae981036-d16d-460e-9472-99448f1cbb37}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.108;85.255.112.167 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ae981036-d16d-460e-9472-99448f1cbb37}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.108;85.255.112.167 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3b75ea36-6975-4362-ae51-42a588354d88}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.108;85.255.112.167 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{ae981036-d16d-460e-9472-99448f1cbb37}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.108;85.255.112.167 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{ae981036-d16d-460e-9472-99448f1cbb37}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.108;85.255.112.167 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{3b75ea36-6975-4362-ae51-42a588354d88}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.108;85.255.112.167 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{ae981036-d16d-460e-9472-99448f1cbb37}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.108;85.255.112.167 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{ae981036-d16d-460e-9472-99448f1cbb37}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.108;85.255.112.167 -> Quarantined and deleted successfully.
Folders Infected:
C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.
Files Infected:
C:\resycled\boot.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.

--------------------------------------------------------------------------------------

ComboFix 08-11-09.01 - Chanht 2008-11-10  2:03:16.1 - NTFSx86
Running from: c:\users\Chanht\Desktop\FIX\ComboFix.exe
 * Resident AV is active
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\autorun.inf
D:\Autorun.inf
d:\recycler\autorun.inf
d:\recycler\desktop.ini
d:\recycler\Folder.htt
d:\recycler\info.exe
d:\recycler\protect.ed
d:\recycler\warning.bmp
.
(((((((((((((((((((((((((  Files Created from 2008-09-27 to 2008-10-27  )))))))))))))))))))))))))))))))
.
2008-11-09 23:55 . 2008-11-09 23:55 <DIR> d-------- c:\users\All Users\Yahoo! Companion
2008-11-09 23:55 . 2008-11-09 23:55 <DIR> d-------- c:\programdata\Yahoo! Companion
2008-11-09 23:14 . 2008-11-09 23:14 <DIR> d-------- c:\program files\Yahoo!
2008-11-09 23:14 . 2008-11-09 23:15 <DIR> d-------- c:\program files\CCleaner
2008-11-09 22:35 . 2008-11-09 22:35 <DIR> d-------- c:\users\Chanht\AppData\Roaming\Malwarebytes
2008-11-09 22:35 . 2008-11-09 22:35 <DIR> d-------- c:\users\All Users\Malwarebytes
2008-11-09 22:35 . 2008-11-09 22:35 <DIR> d-------- c:\programdata\Malwarebytes
2008-11-09 22:35 . 2008-11-09 22:37 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-09 22:35 . 2008-10-22 16:10 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2008-11-09 22:35 . 2008-10-22 16:10 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2008-11-09 21:59 . 2008-11-09 21:59 <DIR> d-------- c:\program files\Trend Micro
2008-11-09 21:07 . 2008-11-09 21:06 102,664 --a------ c:\windows\System32\drivers\tmcomm.sys
2008-11-09 18:32 . 2008-11-09 18:32 <DIR> d-------- c:\users\All Users\Avira
2008-11-09 18:32 . 2008-11-09 18:32 <DIR> d-------- c:\programdata\Avira
2008-11-09 18:32 . 2008-11-09 18:32 <DIR> d-------- c:\program files\Avira
2008-11-07 20:34 . 2008-11-09 18:23 <DIR> d-------- c:\users\All Users\avg8
2008-11-07 20:34 . 2008-11-09 18:23 <DIR> d-------- c:\programdata\avg8
2008-11-07 20:34 . 2008-11-07 20:34 <DIR> d-------- c:\program files\AVG
2008-11-07 16:57 . 2008-11-07 16:57 <DIR> d-------- c:\program files\Guitar Pro 5
2008-10-28 21:03 . 2008-08-12 03:29 441,856 --a------ c:\windows\System32\win32spl.dll
2008-10-28 21:03 . 2008-08-12 03:29 37,376 --a------ c:\windows\System32\printcom.dll
2008-10-14 20:19 . 2008-09-18 04:35 3,505,208 --a------ c:\windows\System32\ntkrnlpa.exe
2008-10-14 20:19 . 2008-09-18 04:35 3,470,904 --a------ c:\windows\System32\ntoskrnl.exe
2008-10-14 18:32 . 2008-09-18 02:03 2,027,520 --a------ c:\windows\System32\win32k.sys
2008-10-14 18:26 . 2008-08-26 01:12 290,304 --a------ c:\windows\System32\drivers\srv.sys
.
((((((((((((((((((((((((((((((((((((((((    Find3M Report      ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-10 02:06 --------- d-----w c:\users\Chanht\AppData\Roaming\DNA
2008-11-09 23:44 --------- d-----w c:\users\Chanht\AppData\Roaming\Skype
2008-11-09 18:02 --------- d-----w c:\users\Chanht\AppData\Roaming\skypePM
2008-11-08 00:32 --------- d-----w c:\program files\Java
2008-11-07 21:20 --------- d-----w c:\users\Chanht\AppData\Roaming\Foxy
2008-11-07 18:01 --------- d-----w c:\users\Chanht\AppData\Roaming\BitTorrent
2008-11-07 16:16 --------- d-----w c:\program files\BitTorrent
2008-10-15 02:12 --------- d-----w c:\programdata\Microsoft Help
2008-10-13 18:20 274 ----a-w c:\users\Chanht\AppData\Roaming\wklnhst.dat
2008-10-07 17:23 --------- d-----w c:\users\Chanht\AppData\Roaming\SiteAdvisor
2008-10-02 03:49 826,368 ----a-w c:\windows\System32\wininet.dll
2008-10-02 03:49 56,320 ----a-w c:\windows\System32\iesetup.dll
2008-10-02 03:49 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-10-02 03:48 26,624 ----a-w c:\windows\System32\ieUnatt.exe
2008-09-11 17:58 --------- d-----w c:\program files\Microsoft Works
2008-07-10 03:28 174 --sha-w c:\program files\desktop.ini
2007-12-21 00:51 32 ----a-w c:\users\All Users\ezsid.dat
2007-12-21 00:51 32 ----a-w c:\programdata\ezsid.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points     ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
"BitTorrent DNA"="c:\users\Chanht\Program Files\DNA\btdna.exe" [2008-11-08 342848]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 151552]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-12-12 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-12-12 106496]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-12-12 81920]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-17 815104]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-17 634880]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-10-31 30192]
"BigFix"="c:\program files\Bigfix\bigfix.exe" [2006-11-16 2348584]
"MskAgentexe"="c:\program files\McAfee\MSK\MskAgent.exe" [2007-01-18 152144]
"SiteAdvisor"="c:\program files\SiteAdvisor\6253\SiteAdv.exe" [2007-02-09 36904]
"snpstd3"="c:\windows\vsnpstd3.exe" [2006-09-18 843776]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-12-15 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-28 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2008-10-22 1261200]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-04-17 40072]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GOEC62~1.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
"msacm.divxa32"= msaud32_divx.acm
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{B6059C1A-1422-44EB-96D5-801DEC3BB540}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{FD5950AD-6A97-4791-A5A5-99B536B4D323}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{F3722006-1EFE-404B-967F-BC2BEC7473B7}"= Profile=Private|Profile=Public|c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
"{8F0F866F-BD17-4F38-A994-C0DA6EEFCC72}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{8E8A0E68-3E38-4DA5-B790-8F615EABF914}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{69CF74ED-278B-4B77-B37A-DF5DE366E5B1}"= UDP:c:\program files\VoipStunt.com\VoipStunt\VoipStunt.exe:VoipStunt
"{9F706B26-51E4-403B-8AC9-0385746F237D}"= TCP:c:\program files\VoipStunt.com\VoipStunt\VoipStunt.exe:VoipStunt
"{00807749-8570-4F6A-8031-65C5E9B08851}"= UDP:c:\program files\DNA\btdna.exe:DNA
"{E4DFCB64-1D15-455E-B195-13DDBCF74ACA}"= TCP:c:\program files\DNA\btdna.exe:DNA
"{33272BD4-613A-4291-BA1F-A68B97A47460}"= UDP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"{215B3898-E9BB-4951-B520-66D7B94B2AE1}"= TCP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"{69F59182-F530-477F-AC37-81EAD3D9F513}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{3F631F71-8D3A-4D18-BC2F-2CD73121DFB8}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{F1620910-EE88-4796-88FC-7A7B9651A15B}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{D0046427-B429-4509-BF09-3ED9155FF5D6}"= UDP:c:\users\Chanht\Desktop\AOC\age2_x1.exe:age2_x1
"{3CFACA5A-F50F-4214-B581-A27F33EB097D}"= TCP:c:\users\Chanht\Desktop\AOC\age2_x1.exe:age2_x1
"{E527F73B-3428-44F2-A3FD-EE0D96328D09}"= UDP:c:\users\Chanht\Desktop\AOC\age2_x1\age2_x1.exe:age2_x1
"{16AB5FD3-6448-407A-86A4-C700466F7630}"= TCP:c:\users\Chanht\Desktop\AOC\age2_x1\age2_x1.exe:age2_x1
"TCP Query User{8FF66752-D173-46EF-8ADC-B9E8C85E73F1}c:\\program files\\itunes\\itunes.exe"= UDP:c:\program files\itunes\itunes.exe:iTunes
"UDP Query User{BACA8A9C-2EED-4CCD-9E81-EA62A548DF10}c:\\program files\\itunes\\itunes.exe"= TCP:c:\program files\itunes\itunes.exe:iTunes
"TCP Query User{C4AA7010-0234-41B9-8CA0-79961F370F99}c:\\users\\chanht\\program files\\dna\\btdna.exe"= UDP:c:\users\chanht\program files\dna\btdna.exe:btdna.exe
"UDP Query User{FEDCB347-892C-4A6E-AAA9-A46D295A9D92}c:\\users\\chanht\\program files\\dna\\btdna.exe"= TCP:c:\users\chanht\program files\dna\btdna.exe:btdna.exe
"TCP Query User{352027CD-B9DE-453F-8253-C369521E6D4E}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{635603EC-3D1F-48FB-8D44-8507F295FBFB}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{DD12CA80-5AB1-4FAD-8BE6-9254B779AA95}c:\\program files\\foxy\\foxy.exe"= UDP:c:\program files\foxy\foxy.exe:Foxy Network Client Application
"UDP Query User{729557C6-3695-47D4-A679-C6486E373475}c:\\program files\\foxy\\foxy.exe"= TCP:c:\program files\foxy\foxy.exe:Foxy Network Client Application
"TCP Query User{57F8AB67-ECB6-44D0-A07A-D64617C7C436}c:\\users\\chanht\\desktop\\aoc\\age2_x1\\age2_x1.exe"= UDP:c:\users\chanht\desktop\aoc\age2_x1\age2_x1.exe:age2_x1.exe
"UDP Query User{AEDEF036-A0F5-451F-A274-230F7F538212}c:\\users\\chanht\\desktop\\aoc\\age2_x1\\age2_x1.exe"= TCP:c:\users\chanht\desktop\aoc\age2_x1\age2_x1.exe:age2_x1.exe
"TCP Query User{D4F6C90E-83D3-498C-9BEC-38D0C65EBA26}c:\\windows\\system32\\dplaysvr.exe"= UDP:c:\windows\system32\dplaysvr.exe:Microsoft DirectPlay Helper
"UDP Query User{5F535C10-0731-4755-972C-0A8740C0E3DD}c:\\windows\\system32\\dplaysvr.exe"= TCP:c:\windows\system32\dplaysvr.exe:Microsoft DirectPlay Helper
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent
"c:\\Program Files\\PPStream\\PPStream.exe"= c:\program files\PPStream\PPStream.exe:*:Enabled:PPS厙釐萇弝
"c:\\Program Files\\PPStream\\PPSAP.exe"= c:\program files\PPStream\PPSAP.exe:*:Enabled:PPS 厙釐樓厒
R3 RTL8187;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187.sys [2007-01-30 205312]
S2 Windows Tribute Service;Windows Tribute Service;c:\windows\system32\kdrli.exe [2006-11-02 69120]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\System32\DRIVERS\ASPI32.sys [2002-07-17 84832]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-10-31 30192]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\shell\AutoRun\command - H:\LaunchU3.exe -a
*Newly Created Service* - PROCEXP90
.
 ‘計劃任務’ 文件夾 裡的內容
2008-10-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]
2008-11-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-VoipStunt - c:\program files\VoipStunt.com\VoipStunt\VoipStunt.exe

.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\users\Chanht\AppData\Roaming\Mozilla\Firefox\Profiles\fxzq0dct.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-10 02:10:08
Windows 6.0.6000  NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-11-10  2:13:22
ComboFix-quarantined-files.txt  2008-11-10 02:13:15
Pre-Run: 13,940,838,400 bytes free
Post-Run: 13,706,240,000 bytes free
184 --- E O F --- 2008-10-29 03:02:34

----------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 上午 02:30:17, on 2008/11/10
Platform: Windows Vista  (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16757)
Boot mode: Normal
Running processes:
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\McAfee\MSK\mskagent.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Users\Chanht\Program Files\DNA\btdna.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Mail\WinMail.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\rundll32.exe
C:\Windows\Explorer.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Windows\System32\notepad.exe
C:\Users\Chanht\Desktop\FIX\HijackThis.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
R3 - URLSearchHook: Yahoo! 絳瑤沭 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: Yahoo! 絳瑤沭 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [BigFix] c:\program files\Bigfix\bigfix.exe /atstartup
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [snpstd3] C:\Windows\vsnpstd3.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Users\Chanht\Program Files\DNA\btdna.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JR1916~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JR1916~1.0_0\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070711/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/VistaMSNPUplden-gb.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {81F3CC2E-5F40-41A5-9FCA-6DAAA6051D46} (ClientATXCtrl Control) - http://www.wayi.com.tw/gameup/ClientATXCtrl.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3B75EA36-6975-4362-AE51-42A588354D88}: NameServer = 85.255.112.108;85.255.112.167
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE981036-D16D-460E-9472-99448F1CBB37}: NameServer = 85.255.112.108;85.255.112.167
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Desktop Manager 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kdrli.exe
--
End of file - 11439 bytes

Post Edited (Touch) : 12-11-2008 04:57:56 GMT

Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 16750

Posted 11-10-2008 5:18 (GMT +1)

Hello

"Having more than one antivirus program active in memory uses additional resources and can result in program conflicts, will typically cause your computer to crash, and will provide less protection, not more."
Remove/uninstall from "Programs and Features" in Control Panel:

one of your antivirus programs

Also remove:
BitTorrent

Reboot.

Close any open browsers.

2. Open Notepad and copy/paste the text in the quote box below into it:
Copy the entire contents of the quote box below to Notepad.
Name the file CFScript and save it on the desktop.

Quote box:
Killall::

Snapshot::

File::
c:\windows\system32\kdrli.exe
Driver::
Windows Tribute Service
Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3b75ea36-6975-4362-ae51-42a588354d88}]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ae981036-d16d-460e-9472-99448f1cbb37}]

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report, along with a new HijackThis log.


Do NOT post your problem in someone else's thread.
A non-profit, volunteer network.

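One way to triage a HijackThis-style log for the two findings the moderator's CFScript acts on (O17 NameServer entries pointing at resolvers outside an allowlist, which is how the Trojan.DNSChanger infection in the logs above shows up, and an O23 service with "Unknown owner"), as an added example that is not from the thread or from HijackThis, ComboFix or Malwarebytes. The allowlist address 192.168.1.1 and the sample log are constructed here from the entries posted above.

```python
"""Triage a HijackThis-style log for the two findings acted on in this thread.

Added example, not part of the thread or of HijackThis/ComboFix/MBAM.
It flags (1) O17 NameServer entries that point at resolvers outside an
allowlist, which is how the Trojan.DNSChanger infection above shows up, and
(2) O23 services whose owner is reported as "Unknown owner", like the
"Windows Tribute Service" the moderator's CFScript removes.
"""
import ipaddress
import re

# Resolvers this machine is expected to use. Constructed for the example;
# replace with the router's or ISP's DNS addresses in real use.
EXPECTED_DNS = {"192.168.1.1"}

# O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = a.b.c.d;e.f.g.h
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>[\d.;, ]+)$")

# O23 - Service: <display name> - <owner> - <drive>:\<path>
# The display name may itself contain " - ", so the path is anchored on a
# drive letter and the name is matched greedily.
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+) - (?P<owner>.+?) - (?P<path>[A-Za-z]:\\.+)$")


def parse_nameservers(field):
    """Split 'a;b' (or 'a, b') into normalised IP strings, dropping junk."""
    servers = []
    for token in re.split(r"[;, ]+", field.strip()):
        if not token:
            continue
        try:
            servers.append(str(ipaddress.ip_address(token)))
        except ValueError:
            pass  # not an IP address; ignore the token
    return servers


def triage(log_text, expected_dns=EXPECTED_DNS):
    """Return a list of (kind, subject, detail) findings, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O17_RE.match(line)
        if m:
            rogue = [ip for ip in parse_nameservers(m.group("servers"))
                     if ip not in expected_dns]
            if rogue:
                findings.append(("rogue_dns", m.group("key"), rogue))
            continue
        m = O23_RE.match(line)
        if m and m.group("owner").strip().lower() == "unknown owner":
            findings.append(("unknown_service", m.group("name"), m.group("path")))
    return findings


# Constructed sample: the O17/O23 lines posted above plus one clean O17 entry.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{3B75EA36-6975-4362-AE51-42A588354D88}: NameServer = 85.255.112.108;85.255.112.167
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE981036-D16D-460E-9472-99448F1CBB37}: NameServer = 85.255.112.108;85.255.112.167
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kdrli.exe
"""

if __name__ == "__main__":
    for kind, subject, detail in triage(SAMPLE_LOG):
        print(f"{kind}: {subject} -> {detail}")
```

A clean log yields an empty list; the O17 check is only as good as the allowlist, so keep it to the resolvers the machine is actually configured to use.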
ht
New Member
Date Joined Nov 2008
Total Posts : 5

Posted 11-11-2008 1:28 (GMT +1)
ComboFix 08-11-09.04 - Chanht 2008-11-10 18:02:24.2 - NTFSx86
執行位置: c:\users\Chanht\Desktop\FIX\ComboFix.exe
Command switches used :: c:\users\Chanht\Desktop\CFScript.txt
FILE ::
c:\windows\system32\kdrli.exe
.
(((((((((((((((((((((((((((((((((((((((   deleted files   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
(((((((((((((((((((((((((((((((((((((((   services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_Windows Tribute Service

(((((((((((((((((((((((((  2008-10-10 - 2008-11-10 new file  )))))))))))))))))))))))))))))))
.
2008-11-09 23:55 . 2008-11-09 23:55 <DIR> d-------- c:\users\All Users\Yahoo! Companion
2008-11-09 23:55 . 2008-11-09 23:55 <DIR> d-------- c:\programdata\Yahoo! Companion
2008-11-09 23:14 . 2008-11-09 23:14 <DIR> d-------- c:\program files\Yahoo!
2008-11-09 23:14 . 2008-11-09 23:15 <DIR> d-------- c:\program files\CCleaner
2008-11-09 22:35 . 2008-11-09 22:35 <DIR> d-------- c:\users\Chanht\AppData\Roaming\Malwarebytes
2008-11-09 22:35 . 2008-11-09 22:35 <DIR> d-------- c:\users\All Users\Malwarebytes
2008-11-09 22:35 . 2008-11-09 22:35 <DIR> d-------- c:\programdata\Malwarebytes
2008-11-09 22:35 . 2008-11-09 22:37 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-09 22:35 . 2008-10-22 16:10 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2008-11-09 22:35 . 2008-10-22 16:10 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2008-11-09 21:59 . 2008-11-09 21:59 <DIR> d-------- c:\program files\Trend Micro
2008-11-09 21:07 . 2008-11-09 21:06 102,664 --a------ c:\windows\System32\drivers\tmcomm.sys
2008-11-09 18:32 . 2008-11-09 18:32 <DIR> d-------- c:\users\All Users\Avira
2008-11-09 18:32 . 2008-11-09 18:32 <DIR> d-------- c:\programdata\Avira
2008-11-09 18:32 . 2008-11-09 18:32 <DIR> d-------- c:\program files\Avira
2008-11-07 20:34 . 2008-11-09 18:23 <DIR> d-------- c:\users\All Users\avg8
2008-11-07 20:34 . 2008-11-09 18:23 <DIR> d-------- c:\programdata\avg8
2008-11-07 20:34 . 2008-11-07 20:34 <DIR> d-------- c:\program files\AVG
2008-11-07 16:57 . 2008-11-07 16:57 <DIR> d-------- c:\program files\Guitar Pro 5
2008-10-28 21:03 . 2008-08-12 03:29 441,856 --a------ c:\windows\System32\win32spl.dll
2008-10-28 21:03 . 2008-08-12 03:29 37,376 --a------ c:\windows\System32\printcom.dll
2008-10-14 20:19 . 2008-09-18 04:35 3,505,208 --a------ c:\windows\System32\ntkrnlpa.exe
2008-10-14 20:19 . 2008-09-18 04:35 3,470,904 --a------ c:\windows\System32\ntoskrnl.exe
2008-10-14 18:32 . 2008-09-18 02:03 2,027,520 --a------ c:\windows\System32\win32k.sys
2008-10-14 18:26 . 2008-08-26 01:12 290,304 --a------ c:\windows\System32\drivers\srv.sys
.
((((((((((((((((((((((((((((((((((((((((   3m   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-10 17:45 --------- d-----w c:\programdata\SiteAdvisor
2008-11-10 17:37 --------- d-----w c:\programdata\McAfee
2008-11-09 23:44 --------- d-----w c:\users\Chanht\AppData\Roaming\Skype
2008-11-09 18:02 --------- d-----w c:\users\Chanht\AppData\Roaming\skypePM
2008-11-08 00:32 --------- d-----w c:\program files\Java
2008-11-07 21:20 --------- d-----w c:\users\Chanht\AppData\Roaming\Foxy
2008-11-07 16:16 --------- d-----w c:\program files\BitTorrent
2008-10-15 02:12 --------- d-----w c:\programdata\Microsoft Help
2008-10-13 18:20 274 ----a-w c:\users\Chanht\AppData\Roaming\wklnhst.dat
2008-10-02 03:49 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-09-11 17:58 --------- d-----w c:\program files\Microsoft Works
2008-07-10 03:28 174 --sha-w c:\program files\desktop.ini
2007-12-21 00:51 32 ----a-w c:\users\All Users\ezsid.dat
2007-12-21 00:51 32 ----a-w c:\programdata\ezsid.dat
.
(((((((((((((((((((((((((((((((((((((   reload  ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白與合法缺省登錄將不會被顯示
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 151552]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-12-12 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-12-12 106496]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-12-12 81920]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-17 815104]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-17 634880]
"BigFix"="c:\program files\Bigfix\bigfix.exe" [2006-11-16 2348584]
"snpstd3"="c:\windows\vsnpstd3.exe" [2006-09-18 843776]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-12-15 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-28 413696]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2008-10-22 1261200]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-04-17 40072]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GOEC62~1.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
"msacm.divxa32"= msaud32_divx.acm
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{B6059C1A-1422-44EB-96D5-801DEC3BB540}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{FD5950AD-6A97-4791-A5A5-99B536B4D323}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{8F0F866F-BD17-4F38-A994-C0DA6EEFCC72}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{8E8A0E68-3E38-4DA5-B790-8F615EABF914}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{69CF74ED-278B-4B77-B37A-DF5DE366E5B1}"= UDP:c:\program files\VoipStunt.com\VoipStunt\VoipStunt.exe:VoipStunt
"{9F706B26-51E4-403B-8AC9-0385746F237D}"= TCP:c:\program files\VoipStunt.com\VoipStunt\VoipStunt.exe:VoipStunt
"{00807749-8570-4F6A-8031-65C5E9B08851}"= UDP:c:\program files\DNA\btdna.exe:DNA
"{E4DFCB64-1D15-455E-B195-13DDBCF74ACA}"= TCP:c:\program files\DNA\btdna.exe:DNA
"{33272BD4-613A-4291-BA1F-A68B97A47460}"= UDP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"{215B3898-E9BB-4951-B520-66D7B94B2AE1}"= TCP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"{69F59182-F530-477F-AC37-81EAD3D9F513}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{3F631F71-8D3A-4D18-BC2F-2CD73121DFB8}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{F1620910-EE88-4796-88FC-7A7B9651A15B}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{D0046427-B429-4509-BF09-3ED9155FF5D6}"= UDP:c:\users\Chanht\Desktop\AOC\age2_x1.exe:age2_x1
"{3CFACA5A-F50F-4214-B581-A27F33EB097D}"= TCP:c:\users\Chanht\Desktop\AOC\age2_x1.exe:age2_x1
"{E527F73B-3428-44F2-A3FD-EE0D96328D09}"= UDP:c:\users\Chanht\Desktop\AOC\age2_x1\age2_x1.exe:age2_x1
"{16AB5FD3-6448-407A-86A4-C700466F7630}"= TCP:c:\users\Chanht\Desktop\AOC\age2_x1\age2_x1.exe:age2_x1
"TCP Query User{8FF66752-D173-46EF-8ADC-B9E8C85E73F1}c:\\program files\\itunes\\itunes.exe"= UDP:c:\program files\itunes\itunes.exe:iTunes
"UDP Query User{BACA8A9C-2EED-4CCD-9E81-EA62A548DF10}c:\\program files\\itunes\\itunes.exe"= TCP:c:\program files\itunes\itunes.exe:iTunes
"TCP Query User{C4AA7010-0234-41B9-8CA0-79961F370F99}c:\\users\\chanht\\program files\\dna\\btdna.exe"= UDP:c:\users\chanht\program files\dna\btdna.exe:btdna.exe
"UDP Query User{FEDCB347-892C-4A6E-AAA9-A46D295A9D92}c:\\users\\chanht\\program files\\dna\\btdna.exe"= TCP:c:\users\chanht\program files\dna\btdna.exe:btdna.exe
"TCP Query User{352027CD-B9DE-453F-8253-C369521E6D4E}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{635603EC-3D1F-48FB-8D44-8507F295FBFB}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{DD12CA80-5AB1-4FAD-8BE6-9254B779AA95}c:\\program files\\foxy\\foxy.exe"= UDP:c:\program files\foxy\foxy.exe:Foxy Network Client Application
"UDP Query User{729557C6-3695-47D4-A679-C6486E373475}c:\\program files\\foxy\\foxy.exe"= TCP:c:\program files\foxy\foxy.exe:Foxy Network Client Application
"TCP Query User{57F8AB67-ECB6-44D0-A07A-D64617C7C436}c:\\users\\chanht\\desktop\\aoc\\age2_x1\\age2_x1.exe"= UDP:c:\users\chanht\desktop\aoc\age2_x1\age2_x1.exe:age2_x1.exe
"UDP Query User{AEDEF036-A0F5-451F-A274-230F7F538212}c:\\users\\chanht\\desktop\\aoc\\age2_x1\\age2_x1.exe"= TCP:c:\users\chanht\desktop\aoc\age2_x1\age2_x1.exe:age2_x1.exe
"TCP Query User{D4F6C90E-83D3-498C-9BEC-38D0C65EBA26}c:\\windows\\system32\\dplaysvr.exe"= UDP:c:\windows\system32\dplaysvr.exe:Microsoft DirectPlay Helper
"UDP Query User{5F535C10-0731-4755-972C-0A8740C0E3DD}c:\\windows\\system32\\dplaysvr.exe"= TCP:c:\windows\system32\dplaysvr.exe:Microsoft DirectPlay Helper
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent
"c:\\Program Files\\PPStream\\PPStream.exe"= c:\program files\PPStream\PPStream.exe:*:Enabled:PPS厙釐萇弝
"c:\\Program Files\\PPStream\\PPSAP.exe"= c:\program files\PPStream\PPSAP.exe:*:Enabled:PPS 厙釐樓厒
R3 RTL8187;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187.sys [2007-01-30 205312]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\System32\DRIVERS\ASPI32.sys [2002-07-17 84832]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-10-31 30192]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\shell\AutoRun\command - H:\LaunchU3.exe -a
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-10 22:13:00
Windows 6.0.6000  NTFS
掃描被隱藏的進程。。。 ...
掃描被隱藏的啟動組。。。
掃描被隱藏的文件。。。

**************************************************************************
.
------------------------ 其他運行進程 ------------------------
.
c:\windows\System32\audiodg.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\SigmaTel\C-Major Audio\WDM\stacsv.exe
c:\windows\System32\conime.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avwsc.exe
.
**************************************************************************
.
完成時間: 2008-11-10 22:17:59 - 電腦已重新啟動
ComboFix-quarantined-files.txt  2008-11-10 22:16:47
ComboFix2.txt  2008-11-10 02:13:23
Pre-Run: 12,668,637,184 bytes free
Post-Run: 12,082,552,832 bytes free
162 --- E O F --- 2008-10-29 03:02:34

----------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 上午 12:14:21, on 2008/11/11
Platform: Windows Vista  (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16757)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\BigFix\bigfix.exe
C:\Windows\vsnpstd3.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\Explorer.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Users\Chanht\Desktop\FIX\HijackThis.exe
R3 - URLSearchHook: Yahoo! 絳瑤沭 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Yahoo! 絳瑤沭 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [BigFix] c:\program files\Bigfix\bigfix.exe /atstartup
O4 - HKLM\..\Run: [snpstd3] C:\Windows\vsnpstd3.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JR1916~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JR1916~1.0_0\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070711/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/VistaMSNPUplden-gb.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {81F3CC2E-5F40-41A5-9FCA-6DAAA6051D46} (ClientATXCtrl Control) - http://www.wayi.com.tw/gameup/ClientATXCtrl.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Desktop Manager 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
--
End of file - 8629 bytes

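A small triage helper for a HijackThis log like the one posted above, added here as an example; it is not code from the thread, from Trend Micro or from HijackThis. It parses the R/F/O-numbered entry lines and flags the patterns a helper scans for first: orphaned "(no file)" / "(file missing)" references, unnamed entries, Run-key autostarts under user-writable paths, web-downloaded ActiveX controls (O16) and the AppInit_DLLs injection point (O20). The sample lines are constructed in the shape of the posted log (GUIDs and paths copied from it); the HKCU "updater" line is made up so the user-writable rule has something to match.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the shape of the HijackThis v2.0.2 log posted above.
# GUIDs and paths are copied from that log; the HKCU "updater" line is made up
# so the user-writable-autostart rule has something to fire on.
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\\Windows\\Explorer.exe
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\\Program Files\\AVG\\AVG8\\avgssie.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\\..\\Run: [avgnt] "C:\\Program Files\\Avira\\AntiVir PersonalEdition Classic\\avgnt.exe" /min
O4 - HKCU\\..\\Run: [updater] C:\\Users\\Chanht\\AppData\\Roaming\\updater.exe
O16 - DPF: {81F3CC2E-5F40-41A5-9FCA-6DAAA6051D46} (ClientATXCtrl Control) - http://www.wayi.com.tw/gameup/ClientATXCtrl.cab
O20 - AppInit_DLLs: C:\\PROGRA~1\\Google\\GOOGLE~1\\GOEC62~1.DLL
O23 - Service: iPod Service - Apple Inc. - C:\\Program Files\\iPod\\bin\\iPodService.exe
"""

# Every HijackThis entry starts with its section code (R0-R3, F0-F3, O1-O24).
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.+)$")

# Directories a standard user can write to. A program launching from here at
# logon is not automatically bad, but legitimate installers normally land in
# Program Files, so these get a second look.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Local Settings)\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    entry: str


def parse_entries(log_text: str) -> list[tuple[str, str]]:
    """Return (section, body) for each entry line, skipping the header and process list."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(log_text: str) -> list[Finding]:
    """Flag the entry patterns a helper reads first when reviewing a log."""
    findings: list[Finding] = []
    for section, body in parse_entries(log_text):
        lower = body.lower()
        # Registry still references a file that is gone: leftover of an
        # uninstall or of an earlier removal; harmless but worth cleaning up.
        if "(file missing)" in lower or "(no file)" in lower:
            findings.append(Finding(section, "orphaned reference", body))
        # BHOs and toolbars normally carry a product name; a blank one is
        # either a broken leftover or something that did not want to be named.
        if "(no name)" in lower:
            findings.append(Finding(section, "unnamed entry", body))
        # Autostart (Run key) pointing into a user-writable directory.
        if section == "O4" and USER_WRITABLE_RE.search(body):
            findings.append(Finding(section, "autostart from user-writable path", body))
        # Downloaded Program Files: ActiveX controls fetched from the web; the
        # domain tells you whether it belongs to a vendor you recognise.
        if section == "O16" and "http://" in lower:
            findings.append(Finding(section, "web-downloaded ActiveX control", body))
        # AppInit_DLLs is loaded into every process that links user32.dll, so
        # whatever sits here runs inside the browser as well.
        if section == "O20" and lower.startswith("appinit_dlls"):
            findings.append(Finding(section, "AppInit_DLLs injection point", body))
    return findings


def count_by_reason(findings: list[Finding]) -> dict[str, int]:
    """Histogram of finding reasons, handy for a one-line summary."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.entry}")
    print(count_by_reason(triage(SAMPLE_LOG)))
```

On the log actually posted in this thread the same rules pick out the two "(no name)"/"(no file)" leftovers and the missing AVG DLL, which is consistent with the moderator's "Looks clean" verdict below.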
 

ht
New Member


Date Joined Nov 2008
Total Posts : 5
 
Posted 11-11-2008 1:29 (GMT +1)
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 16750
 
Posted 11-11-2008 9:09 (GMT +1)
Looks clean. How are things running now?


 

ht
New Member


Date Joined Nov 2008
Total Posts : 5
 
Posted 11-11-2008 8:13 (GMT +1)
It is totally fine now, thanks so much :)
And now, do I need to delete the program I used?
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 16750
 
Posted 11-12-2008 5:56 (GMT +1)
Sounds good :)

It's up to you if you will delete them.

Download this file and save it on desktop as FIX_removal.exe

http://www.ctrlaltdel.dk/FIX_removal.exe

Double click FIX_removal.exe and follow the instructions - this will remove the programs that you have used during the cleaning process. Once the program is finished, reboot your computer to finalise the clean-up procedure.

I also suggest you read Tony Klein's article:
 

