[Fixed] Hijackthis! Logs: Trojan and spyware (i guess) (PC Help Forum, Security & Safety)

#1 - 02-06-2008
simonlaihk (Bronze Member; joined Feb 2008; UK; 12 posts; PC Experience: Some Experience)
Trojan and spyware (i guess)

It is my first time posting.
Recently I have got some trojans from downloading a DVD region free serial no. file from a website.
I have then deleted those files already and use the trial version.
My AVG FREE edition showed that my computer is affected by Lops:
vtuuv.dll, oppqr.dll, jkkhf.dll, ljhhe.dll, jkkhh.dll, cbxyx.dll, awtrs.dll, wvwxu.dll, wvuus.dll.

I have manually deleted one of them; then every time I switch on the computer it says it cannot load that .dll file.

Whenever I go on the internet at my boarding house these trojans just come back. Is it because the virus has spread through the intranet?
I have been running so many antispyware programs with my IT technician, like Spybot and PC Spyware Doctor. I also ran VundoFix but the results are negative.


I am enclosing my HijackThis log. Please help me.
Attached file: hijackthis.log (12.9 KB)


#2 - 02-07-2008
Pancake (Senior Security Analyst; joined Jun 2006; Victoria, Australia; 2,534 posts; PC Experience: Elite PC Guru)
Re: Trojan and spyware (i guess)

Please will you copy and paste logs rather than attach them.



Please download SDFix from here and save it to your desktop

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds, then prompt you to press any key to Reboot.
Press any key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to the Clipboard ready for posting back on the forum).
Post that log in your next reply.

=========================================

Download ComboFix from any of the links below, and save it to your desktop. For further information regarding this download, see this Information Page.
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Caution... Never run and remove files using ComboFix without being supervised by a security analyst.


__________________
My real name is Eddy
#3 - 02-08-2008
simonlaihk (Bronze Member; joined Feb 2008; UK; 12 posts; PC Experience: Some Experience)
Re: Trojan and spyware (i guess)

Hi, somehow I cannot run RunThis.bat in safe mode. Is it because of my OS (I'm using Vista Premium)? The pop-up just flashes quickly then disappears.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:01:57, on 8/2/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Safe mode
Running processes:
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live 登入小幫手 - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Unattend0000000001{C1C65770-BE5F-4D51-8681-EF44DA75AE36}] wscript.exe c:\windows\winbom.vbs
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Q-HotkeyMgr] "C:\Program Files\BenQ\Q-HotkeyMgr\HotkeySensor.exe"
O4 - HKLM\..\Run: [QShot] C:\Program Files\BenQ\QShot\QShot.exe
O4 - HKLM\..\Run: [BenQSurround] C:\Program Files\BenQ\BenQ Surround\BenQSurround.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Q-MediaBar] "C:\Program Files\BenQ\Q-MediaBar\QBar.exe" /stop
O4 - HKLM\..\Run: [Unattend0000000001{DD273B8B-BEE0-4F62-83E5-9E21F47874A1}] wscript.exe c:\windows\winbom.vbs
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Lingoes] C:\Program Files\Lingoes\Translator2\Lingoes.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\SILAI~1\AppData\Local\Temp\wvuus.dll,#1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\RunOnce: [Application Restart #0] C:\Windows\ehome\ehtray.exe
O4 - HKCU\..\RunOnce: [Application Restart #1] C:\Program Files\Internet Explorer\ieuser.exe -EMBEDDING
O4 - HKCU\..\RunOnce: [Application Restart #2] C:\Program Files\Windows Defender\MSASCui.exe -Hide
O4 - HKCU\..\RunOnce: [Application Restart #3] C:\Program Files\Windows Sidebar\sidebar.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: 九方快速啟動.lnk = C:\Windows\System32\QTRAYIME.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: 傳送影像到 Bluetooth 裝置(&B)... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: 傳送頁面到 Bluetooth 裝置(&B)... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C265B15-6DDB-4773-B911-665418977136}: NameServer = 192.168.0.1
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: AST Service (astcc) - Advanced Software Technologies - C:\Windows\SYSTEM32\astsrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MgiSvr - ArcSoft, Inc. - C:\Program Files\ArcSoft\Magic-i 3\uMgiSvr.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
--
End of file - 10018 bytes
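The line in this log that matters is `O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\SILAI~1\AppData\Local\Temp\wvuus.dll,#1`: a DLL sitting in the user's Temp folder, named in the first post's AVG detections, loaded at every logon by rundll32 through an ordinal export (`#1`) rather than a named one. That combination of user-writable location, throwaway file name and ordinal export is the autostart pattern of the Vundo/Virtumonde family that VundoFix targets. The `O2 - BHO: (no name) - {7E853D72-...} - (no file)` entry is the other half of the story: a CLSID still registered after its DLL was removed. It is also why deleting one DLL by hand produced a "cannot load" error at each boot; the Run value that references the file survives the file. As an added example that is not part of this thread, the Python below runs that triage over HijackThis O2/O4 lines. The sample lines are copied from the log above with two clean entries for contrast; the list of user-writable directory markers and the severity labels are this example's own assumptions.

```python
import re

# Constructed sample in the shape HijackThis v2.0.2 prints O2/O4 lines,
# assembled from the log posted above plus clean entries for contrast.
SAMPLE_HJT = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\Windows\\system32\\NvCpl.dll,NvStartup
O4 - HKCU\\..\\Run: [MSServer] rundll32.exe C:\\Users\\SILAI~1\\AppData\\Local\\Temp\\wvuus.dll,#1
O4 - HKCU\\..\\Run: [SpybotSD TeaTimer] C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe
O4 - HKUS\\S-1-5-19\\..\\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+(?:\\[^\\]+)?)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# rundll32 [path\]module[,export]; the export is a name or an ordinal written #N
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*(?:,\s*(?P<export>\S+))?$', re.IGNORECASE)
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)$")

# Directories an unprivileged user (and so a drive-by download) can write to.
# Assumed list for this example; extend it for your own environment.
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\local settings\\", "\\documents and settings\\")


def is_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def triage_hijackthis(text):
    """Return (severity, line, reason) for each suspicious O2/O4 line."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            if m.group("path") == "(no file)":
                findings.append(("low", line,
                                 "orphaned BHO: CLSID still registered but its DLL is gone (leftover from a removal)"))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        # HijackThis appends "(User '...')" to HKUS entries; drop it before parsing the command
        cmd = USER_SUFFIX_RE.sub("", m.group("cmd"))
        r = RUNDLL_RE.match(cmd)
        if not r:
            continue  # plain .exe autostarts need path/signature checks, not covered here
        dll = r.group("dll")
        export = r.group("export") or ""
        writable = is_user_writable(dll)
        ordinal = export.startswith("#")
        if writable and ordinal:
            findings.append(("high", line,
                             f"rundll32 loads {dll} by ordinal {export} from a user-writable directory "
                             "(matches the Vundo/Virtumonde autostart pattern)"))
        elif writable:
            findings.append(("medium", line, f"rundll32 loads {dll} from a user-writable directory"))
    return findings


if __name__ == "__main__":
    for severity, line, reason in triage_hijackthis(SAMPLE_HJT):
        print(f"[{severity}] {reason}\n    {line}")
```

Run against the sample it reports exactly two lines: the orphaned BHO as low and the `MSServer` entry as high; the NVIDIA rundll32 entry is ignored because `system32` is not user-writable, and the `LOCAL SERVICE` welcome-center entry is ignored for the same reason. The practical consequence for the thread is that removing the DLL is not enough: the `MSServer` Run value has to go too, and the DLL is only the loader, so the BHO registration and any sibling DLLs from the AVG list need the same treatment.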


#4 - 02-08-2008
simonlaihk (Bronze Member; joined Feb 2008; UK; 12 posts; PC Experience: Some Experience)
Re: Trojan and spyware (i guess)

Here is my ComboFix report. However, I cannot get on to the internet after the scan.

ComboFix 08-02.05.3 - Si Lai 2008-02-08 16:40:17.1 - NTFSx86
Running from: C:\Users\Si Lai\Desktop\ComboFix.exe
.
(((((((((((((((((((((((((((( Files created between 2008-01-08 and 2008-02-08 )))))))))))))))))))))))))))))))))
.
2008-02-08 15:25 . 2008-02-08 16:18 <DIR> d-------- C:\SDFix
2008-02-06 18:28 . 2008-02-06 18:28 <DIR> d-------- C:\Program Files\CCleaner
2008-02-05 17:10 . 2008-02-05 17:10 <DIR> d-------- C:\Users\Si Lai\Music
2008-02-01 16:00 . 2008-02-01 16:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-01 15:37 . 2008-02-01 15:37 <DIR> d-------- C:\VundoFix Backups
2008-02-01 15:32 . 2008-02-01 15:35 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-02-01 15:32 . 2008-02-01 15:35 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-02-01 15:32 . 2008-02-01 15:32 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-01-30 23:52 . 2008-01-30 23:52 <DIR> d-------- C:\Users\All Users\FLEXnet
2008-01-30 23:52 . 2008-01-30 23:52 <DIR> d-------- C:\ProgramData\FLEXnet
2008-01-30 12:56 . 2007-12-10 14:53 81,288 --a------ C:\Windows\System32\drivers\iksyssec.sys
2008-01-30 12:56 . 2007-12-10 14:53 66,952 --a------ C:\Windows\System32\drivers\iksysflt.sys
2008-01-30 12:56 . 2007-12-10 14:53 41,864 --a------ C:\Windows\System32\drivers\ikfilesec.sys
2008-01-30 12:56 . 2007-12-10 14:53 29,576 --a------ C:\Windows\System32\drivers\kcom.sys
2008-01-30 12:55 . 2008-01-30 12:55 <DIR> d-------- C:\Users\Si Lai\AppData\Roaming\PC Tools
2008-01-30 12:55 . 2008-02-06 18:16 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-01-30 12:36 . 2008-01-30 12:36 <DIR> d-------- C:\Users\Si Lai\AppData\Roaming\PCToolsFirewallPlus
2008-01-30 12:33 . 2008-02-08 16:37 <DIR> d-a------ C:\Users\All Users\TEMP
2008-01-30 12:33 . 2008-02-08 16:37 <DIR> d-a------ C:\ProgramData\TEMP
2008-01-30 12:31 . 2008-02-06 19:12 <DIR> d-------- C:\Program Files\PC Tools Firewall Plus
2008-01-30 12:31 . 2008-01-30 12:31 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-01-30 12:31 . 2008-01-04 14:13 218,520 --a------ C:\Windows\System32\drivers\pctfw2.sys
2008-01-30 12:31 . 2008-01-04 14:13 125,848 --a------ C:\Windows\System32\drivers\pctfw.sys
2008-01-30 12:31 . 2008-01-04 14:13 40,856 --a------ C:\Windows\System32\drivers\pctmp.sys
2008-01-30 12:31 . 2008-01-04 14:13 18,328 --a------ C:\Windows\System32\drivers\pctssipc.sys
2008-01-27 22:12 . 2008-02-08 15:17 <DIR> d-------- C:\Users\Si Lai\AppData\Roaming\AVG7
2008-01-27 22:08 . 2008-01-27 22:08 <DIR> d-------- C:\Users\All Users\Grisoft
2008-01-27 22:08 . 2008-01-27 22:14 <DIR> d-------- C:\Users\All Users\avg7
2008-01-27 22:08 . 2008-01-27 22:08 <DIR> d-------- C:\ProgramData\Grisoft
2008-01-27 22:08 . 2008-01-27 22:14 <DIR> d-------- C:\ProgramData\avg7
2008-01-27 22:08 . 2008-01-27 22:08 9,216 --a------ C:\Windows\System32\avgwlntf.dll
2008-01-27 18:53 . 2008-01-30 22:32 <DIR> d-------- C:\Users\Si Lai\AppData\Roaming\Free Download Manager
2008-01-27 18:53 . 2008-01-27 18:53 <DIR> d-------- C:\Program Files\Free Download Manager
2008-01-26 14:20 . 2008-01-26 14:20 67 --a------ C:\Windows\DVDRegionFree.INI
2008-01-26 14:17 . 2008-01-26 14:17 <DIR> d-------- C:\Program Files\DVD Region+CSS Free
2008-01-11 16:05 . 2008-01-11 16:05 268 --ah----- C:\sqmdata01.sqm
2008-01-11 16:05 . 2008-01-11 16:05 244 --ah----- C:\sqmnoopt01.sqm
2008-01-09 20:13 . 2008-01-09 20:13 802,816 --a------ C:\Windows\System32\drivers\tcpip.sys
2008-01-09 20:13 . 2008-01-09 20:13 216,760 --a------ C:\Windows\System32\drivers\netio.sys
2008-01-09 20:13 . 2008-01-09 20:13 167,424 --a------ C:\Windows\System32\tcpipcfg.dll
2008-01-09 20:13 . 2008-01-09 20:13 24,064 --a------ C:\Windows\System32\netcfg.exe
2008-01-09 20:13 . 2008-01-09 20:13 22,016 --a------ C:\Windows\System32\netiougc.exe
2008-01-09 20:11 . 2008-01-09 20:11 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-01-09 20:11 . 2008-01-09 20:11 1,686,016 --a------ C:\Windows\System32\gameux.dll
2008-01-09 20:10 . 2008-01-09 20:10 1,060,920 --a------ C:\Windows\System32\drivers\ntfs.sys
2008-01-09 20:10 . 2008-01-09 20:10 211,000 --a------ C:\Windows\System32\drivers\volsnap.sys
2008-01-09 20:10 . 2008-01-09 20:10 154,624 --a------ C:\Windows\System32\drivers\nwifi.sys
2008-01-09 20:10 . 2008-01-09 20:10 109,624 --a------ C:\Windows\System32\drivers\ataport.sys
2008-01-09 20:10 . 2008-01-09 20:10 45,112 --a------ C:\Windows\System32\drivers\pciidex.sys
2008-01-09 20:10 . 2008-01-09 20:10 21,560 --a------ C:\Windows\System32\drivers\atapi.sys
2008-01-09 20:10 . 2008-01-09 20:10 17,464 --a------ C:\Windows\System32\drivers\intelide.sys
2008-01-09 20:10 . 2008-01-09 20:10 11,776 --a------ C:\Windows\System32\sbunattend.exe
2008-01-09 18:25 . 2008-01-09 18:28 <DIR> d-------- C:\Program Files\Windows Live Safety Center
.
(((((((((((((((((((((((((((((((((((( Files modified within the last three months )))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-07 17:59 49,416 ----a-w C:\Users\Si Lai\AppData\Roaming\nvModes.dat
2008-01-28 18:34 --------- d-----w C:\Program Files\7-Zip
2008-01-26 13:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-10 05:01 --------- d-----w C:\Program Files\Windows Mail
2008-01-09 20:11 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-01-09 20:11 449,024 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-01-09 20:11 2,143,744 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-01-09 20:11 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-01-09 20:10 --------- d-----w C:\Program Files\Windows Sidebar
2008-01-06 14:40 --------- d-----w C:\ProgramData\Lavasoft
2008-01-06 14:40 --------- d-----w C:\Program Files\Lavasoft
2008-01-06 14:39 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-06 06:08 --------- d-----w C:\ProgramData\Age of Empires 3
2008-01-06 05:35 --------- d-----w C:\Program Files\Common Files\Microsoft Games
2008-01-06 04:42 --------- d-----w C:\Program Files\Microsoft Games
2008-01-03 04:39 --------- d-----w C:\Users\Si Lai\AppData\Roaming\Ahead
2008-01-03 03:42 --------- d-----w C:\Program Files\MSXML 4.0
2008-01-03 02:37 --------- d-----w C:\ProgramData\CyberLink
2008-01-03 02:36 --------- d-----w C:\Users\Si Lai\AppData\Roaming\CyberLink
2008-01-03 02:21 685,816 ----a-w C:\Windows\system32\drivers\sptd.sys
2008-01-02 14:43 --------- d-----w C:\Program Files\Equis
2008-01-02 14:43 --------- d-----w C:\Program Files\Common Files\Equis
2008-01-02 07:17 --------- d-----w C:\Program Files\Real
2008-01-02 07:17 --------- d-----w C:\Program Files\Common Files\xing shared
2008-01-02 07:17 --------- d-----w C:\Program Files\Common Files\Real
2008-01-01 12:06 --------- d-----w C:\Program Files\Trojan-PSW_Win32_Delf_sl_Remover
2007-12-30 12:33 --------- d-----w C:\Users\Si Lai\AppData\Roaming\Lingoes
2007-12-29 14:04 --------- d-----w C:\Program Files\Lingoes
2007-12-29 13:54 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-29 13:33 --------- d-----w C:\Users\Si Lai\AppData\Roaming\AdobeUM
2007-12-29 08:39 --------- d-----w C:\Users\Si Lai\AppData\Roaming\Media Player Classic
2007-12-29 08:38 --------- d-----w C:\Program Files\K-Lite Codec Pack
2007-12-29 08:35 --------- d-----w C:\Program Files\BulletProofSoft.com
2007-12-29 08:32 --------- d-----w C:\Program Files\Bonjour
2007-12-29 08:24 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-12-29 08:11 36,864 ----a-w C:\Windows\System32\QCKEY32.DLL
2007-12-29 07:57 4,994,717 ----a-w C:\Windows\System32\q9data.bin
2007-12-29 07:52 --------- d-----w C:\Program Files\RISEDICT
2007-12-29 07:51 --------- d-----w C:\Program Files\CHDICT
2007-12-29 07:49 65,536 ----a-w C:\Windows\System32\qcSkinMakerDll.dll
2007-12-29 07:49 57,396 ----a-w C:\Windows\System32\Q9xpb5u.EXE
2007-12-29 07:49 47,252 ----a-w C:\Windows\System32\Qcbeigbk.bin
2007-12-29 07:49 4,236,288 ----a-w C:\Windows\System32\q9xpb5.exe
2007-12-29 07:49 35,328 ----a-w C:\Windows\System32\qseteudc.exe
2007-12-29 07:49 29,514 ----a-w C:\Windows\System32\QCBEIB5.BIN
2007-12-29 07:49 103,840 ----a-w C:\Windows\System32\q9wave16.exe
2007-12-29 07:49 --------- d-----w C:\Program Files\Q9XPB5
2007-12-29 07:48 90,162 ----a-w C:\Windows\System32\doime.exe
2007-12-29 07:48 65,536 ----a-w C:\Windows\System32\SkinMakerDll.dll
2007-12-29 07:48 29,516 ----a-w C:\Windows\System32\q9b5gb.bin
2007-12-29 07:48 26,112 ----a-w C:\Windows\System32\QTRAYIME.EXE
2007-12-29 03:40 --------- d-----w C:\Users\Si Lai\AppData\Roaming\ArcSoft
2007-12-29 03:03 --------- d-----w C:\Program Files\BitComet
2007-12-28 15:32 --------- d-----w C:\Program Files\Windows Defender
2007-12-28 15:32 --------- d-----w C:\Program Files\Windows Calendar
2007-12-28 15:15 87,040 ----a-w C:\Windows\System32\msoert2.dll
2007-12-28 15:15 8,192 ----a-w C:\Windows\System32\riched32.dll
2007-12-28 15:15 77,824 ----a-w C:\Windows\System32\rascfg.dll
2007-12-28 15:15 70,144 ----a-w C:\Windows\system32\drivers\pacer.sys
2007-12-28 15:15 694,784 ----a-w C:\Windows\System32\localspl.dll
2007-12-28 15:15 619,008 ----a-w C:\Windows\system32\drivers\dxgkrnl.sys
2007-12-28 15:15 61,952 ----a-w C:\Windows\system32\drivers\wanarp.sys
2007-12-28 15:15 52,736 ----a-w C:\Windows\System32\rasdiag.dll
2007-12-28 15:15 48,640 ----a-w C:\Windows\system32\drivers\ndproxy.sys
2007-12-28 15:15 39,424 ----a-w C:\Windows\System32\ACCTRES.dll
2007-12-28 15:15 384,000 ----a-w C:\Windows\System32\netcfgx.dll
2007-12-28 15:15 36,864 ----a-w C:\Windows\System32\cdd.dll
2007-12-28 15:15 33,280 ----a-w C:\Windows\System32\traffic.dll
2007-12-28 15:15 32,768 ----a-w C:\Windows\System32\rasmxs.dll
2007-12-28 15:15 286,208 ----a-w C:\Windows\System32\ipnathlp.dll
2007-12-28 15:15 22,016 ----a-w C:\Windows\System32\rasser.dll
2007-12-28 15:15 205,824 ----a-w C:\Windows\System32\msoeacct.dll
2007-12-28 15:15 20,480 ----a-w C:\Windows\system32\drivers\ndistapi.sys
2007-12-28 15:15 15,360 ----a-w C:\Windows\System32\pacerprf.dll
2007-12-28 15:15 134,656 ----a-w C:\Windows\System32\dps.dll
2007-12-28 15:15 13,824 ----a-w C:\Windows\System32\wshqos.dll
2007-12-28 15:15 13,824 ----a-w C:\Windows\System32\icsunattend.exe
2007-12-28 15:14 704,000 ----a-w C:\Windows\System32\PhotoScreensaver.scr
2007-12-28 15:14 67,584 ----a-w C:\Windows\System32\wlanhlp.dll
2007-12-28 15:14 542,720 ----a-w C:\Windows\System32\sysmain.dll
2007-12-28 15:14 502,784 ----a-w C:\Windows\System32\wlansvc.dll
2007-12-28 15:14 47,104 ----a-w C:\Windows\System32\wlanapi.dll
2007-12-28 15:14 297,984 ----a-w C:\Windows\System32\wlansec.dll
2007-12-28 15:14 290,816 ----a-w C:\Windows\System32\wlanmsm.dll
2007-12-28 15:14 28,344 ----a-w C:\Windows\system32\drivers\battc.sys
2007-12-28 15:14 258,232 ----a-w C:\Windows\system32\drivers\acpi.sys
2007-12-28 15:14 24,064 ----a-w C:\Windows\System32\wtsapi32.dll
2007-12-28 15:14 20,920 ----a-w C:\Windows\system32\drivers\compbatt.sys
2007-12-28 15:14 2,923,520 ----a-w C:\Windows\explorer.exe
2007-12-28 15:14 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2007-12-28 15:14 14,208 ----a-w C:\Windows\system32\drivers\CmBatt.sys
2007-12-28 15:13 49,664 ----a-w C:\Windows\System32\csrsrv.dll
2007-12-28 15:13 376,320 ----a-w C:\Windows\System32\winsrv.dll
2007-12-28 15:12 8,147,968 ----a-w C:\Windows\System32\wmploc.DLL
2007-12-28 15:12 7,680 ----a-w C:\Windows\System32\spwmp.dll
2007-12-28 15:12 374,456 ----a-w C:\Windows\System32\mcupdate_GenuineIntel.dll
2007-12-28 15:11 86,016 ----a-w C:\Windows\System32\icfupgd.dll
2007-12-28 15:11 63,488 ----a-w C:\Windows\system32\drivers\mpsdrv.sys
2007-12-28 15:11 61,952 ----a-w C:\Windows\System32\cmifw.dll
2007-12-28 15:11 4,096 ----a-w C:\Windows\System32\dxmasf.dll
.
(((((((((((((((((((((((((((((((((((((((((( Important registry entries ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* blank or legitimate registry values will not be shown
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-09 20:10 1232896]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 03:35 5724184]
"Lingoes"="C:\Program Files\Lingoes\Translator2\Lingoes.exe" [2007-12-06 20:57 1933312]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-01-03 02:28 4608]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 12:35 125440]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 12:36 201728]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-12-28 15:13 1006264]
"Unattend0000000001{C1C65770-BE5F-4D51-8681-EF44DA75AE36}"="wscript.exe" [2006-11-02 09:46 135168 C:\Windows\System32\wscript.exe]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-04-28 11:05 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-04-28 11:05 8429568]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-04-28 11:05 81920]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-04 08:56 4452352 C:\Windows\RtHDVCpl.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-19 08:49 861744]
"Q-HotkeyMgr"="C:\Program Files\BenQ\Q-HotkeyMgr\HotkeySensor.exe" [2007-03-30 02:26 237673]
"QShot"="C:\Program Files\BenQ\QShot\QShot.exe" [2007-04-13 02:14 421888]
"BenQSurround"="C:\Program Files\BenQ\BenQ Surround\BenQSurround.exe" [2007-04-20 03:33 1187840]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 07:10 56928]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 14:55 54832]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 07:40 155648]
"Q-MediaBar"="C:\Program Files\BenQ\Q-MediaBar\QBar.exe" [2007-01-26 00:49 159744]
"Unattend0000000001{DD273B8B-BEE0-4F62-83E5-9E21F47874A1}"="wscript.exe" [2006-11-02 09:46 135168 C:\Windows\System32\wscript.exe]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-23 23:00 33648]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-02 07:17 185896]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-27 22:08 579072]
"00PCTFW"="C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" [2007-12-31 09:16 2594712]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-27 22:08 219136]
C:\Users\Si Lai\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
九方快速啟動.lnk - C:\Windows\System32\QTRAYIME.EXE [2007-12-29 07:48:58 26112]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= C:\Program Files\DVD Region+CSS Free\DVDShell.dll [2004-10-09 15:18 49152]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2008-01-27 22:08 9216 C:\Windows\System32\avgwlntf.dll
R1 pctfw2;pctfw2;C:\Windows\System32\drivers\pctfw2.sys [2008-01-04 14:13]
R1 pctmp;PC Tools Firewall Memory Protection Driver;C:\Windows\system32\drivers\pctmp.sys [2008-01-04 14:13]
R1 pctssipc;PC Tools Security Suite IPC Driver;C:\Windows\system32\drivers\pctssipc.sys [2008-01-04 14:13]
R2 QBIOSIO;QBIOSIo.dll;C:\Windows\system32\QBIOSIo.dll [2007-01-19 16:02]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot []
R3 ARCSOFTVIRTUALCAPTURE;ArcSoft Magic-i Driver;C:\Windows\system32\DRIVERS\ArcSoftVirtualCapture.sys [2006-11-24 09:53]
R3 athr;Atheros Extensible Wireless LAN device driver;C:\Windows\system32\DRIVERS\athr.sys [2007-01-23 08:25]
R3 SNP2UVC;USB2.0 PC Camera (SNP2UVC);C:\Windows\system32\DRIVERS\snp2uvc.sys [2007-02-07 10:35]
R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2007-03-13 02:12]
S3 btwaudio;藍芽音效裝置;C:\Windows\system32\drivers\btwaudio.sys [2006-11-20 05:59]
S3 btwavdt;Bluetooth AVDT;C:\Windows\system32\drivers\btwavdt.sys [2006-11-20 05:59]
S3 btwrchid;btwrchid;C:\Windows\system32\DRIVERS\btwrchid.sys [2006-11-20 05:59]
S3 QBIOSIO.dll;QBIOSIO.dll;C:\Windows\system32\QBIOSIO.dll [2007-01-19 16:02]
S3 QBIOSIOdetect.dll;QBIOSIOdetect.dll;C:\DRV\BT\BTChk\QBIOSIOdetect.dll [2007-01-22 13:00]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{bc9495bb-b52a-11dc-8f88-806e6f6e6963}]
\shell\AutoRun\command - E:\RunGame.exe
[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{c14dc390-b530-11dc-97e4-001b24a47bc1}]
\shell\AutoRun\command - H:\autorun6e.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d0d9981d-c1cf-11dc-9764-001b24a47bc1}]
\shell\AutoRun\command - EXPLORER.EXE
\shell\explore\Command - EXPLORER.EXE
\shell\open\Command - EXPLORER.EXE
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-08 16:42:21
Windows 6.0.6000 NTFS
±½´yÁôÂ꺵{§Ç...
±½´yÁôÂ꺶iµ{...
±½´yÁôÂêºÀÉ®×...
±½´y§¹¦¨
ÁôÂÃÀÉ®×?: 0
**************************************************************************
.
§¹¦¨®É¶¡?: 2008-02-08 16:43:22
.
2008-02-08 15:24:59 --- E O F ---

and the latest HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:11:13, on 8/2/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\BenQ\Q-HotkeyMgr\HotkeySensor.exe
C:\Program Files\BenQ\BenQ Surround\BenQSurround.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\BenQ\Q-MediaBar\qbar.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live µn¤J¤pÀ°¤â - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Unattend0000000001{C1C65770-BE5F-4D51-8681-EF44DA75AE36}] wscript.exe c:\windows\winbom.vbs
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Q-HotkeyMgr] "C:\Program Files\BenQ\Q-HotkeyMgr\HotkeySensor.exe"
O4 - HKLM\..\Run: [QShot] C:\Program Files\BenQ\QShot\QShot.exe
O4 - HKLM\..\Run: [BenQSurround] C:\Program Files\BenQ\BenQ Surround\BenQSurround.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Q-MediaBar] "C:\Program Files\BenQ\Q-MediaBar\QBar.exe" /stop
O4 - HKLM\..\Run: [Unattend0000000001{DD273B8B-BEE0-4F62-83E5-9E21F47874A1}] wscript.exe c:\windows\winbom.vbs
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Lingoes] C:\Program Files\Lingoes\Translator2\Lingoes.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: ¤E¤è§Ö³t±Ò°Ê.lnk = C:\Windows\System32\QTRAYIME.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: ¶Ç°e¼v¹³¨ì Bluetooth ¸Ë¸m(&B)... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: ¶Ç°e­¶­±¨ì Bluetooth ¸Ë¸m(&B)... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O8 - Extra context menu item: ¶×¥X¦Ü Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C265B15-6DDB-4773-B911-665418977136}: NameServer = 192.168.0.1
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: AST Service (astcc) - Advanced Software Technologies - C:\Windows\SYSTEM32\astsrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MgiSvr - ArcSoft, Inc. - C:\Program Files\ArcSoft\Magic-i 3\uMgiSvr.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
--
End of file - 10513 bytes


  #5  
Old 02-08-2008
Senior Security Analyst
 
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 2,534
PC Experience: Elite PC Guru
Re: Trojan and spyware (i guess)

Sorry. Forgot that SD does not run on Vista.

Please copy this page to *Notepad* and save it to your desktop for reference, as you will not have any browsers open while you are carrying out portions of these instructions.
It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open *notepad* and copy/paste the text in the quotebox below into it:

Killall::

File::
C:\sqmdata01.sqm
C:\sqmnoopt01.sqm
Save this as CFScript.txt, in the same location as ComboFix.exe, which is on the Desktop.


Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt
Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply.

*Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.*


__________________
My real name is Eddy
  #6  
Old 02-09-2008
Bronze Member
 
Join Date: Feb 2008
Location: UK
Posts: 12
PC Experience: Some Experience
Re: Trojan and spyware (i guess)

Hi there,

When I drag the txt document into ComboFix.exe, the window pops up and starts to load. However, it then says that there is an "Access violation at address 770B25BF. Read of address 00200064".

What should I do?


