Warning: Your computer may be infected.



Nobody6501
2007-11-01, 04:37
Hi, my computer will have pop-ups once in a while when I'm using Internet Explorer or Firefox. I tried Spybot and it doesn't remove them completely, because I scanned more than twice and some spyware pops up more than once. Please help me.

P.S. The pop-up is a "Warning" thing, and sometimes it's just a pop-up from some advertiser like ring tones, Dish, etc.

Please help me, thanks a lot!!

ken545
2007-11-01, 18:16
Hello Nobody6501

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, all advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.

Download and install Trendmicros Hijackthis (http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php?page=download)

Download the Trendmicro Hijackthis Installer, follow the defaults and it will install in C:\Program Files\Trendmicro\Hijackthis, and this is exactly where we want it to be.


Open HJT, Scan and Save a Log File; it will open in Notepad.
Go to Format and make sure Wordwrap is unchecked.
Go to Edit > Select All, then Edit > Copy, and paste the new log into this thread using Submit Reply, not by starting a New Thread.

DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

Nobody6501
2007-11-03, 03:35
Hi, yes, I understand the rules; it's my own risk.
I looked in the C drive and I don't have a Trendmicro folder; I have a HijackThis folder and it's in there.

Logfile of HijackThis v1.99.1
Scan saved at 1:08:55 AM, on 10/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\svchost.exe
D:\valve\steam\steam.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\桌面\HijackThis.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [C-Media Speaker Configuration] C:\Documents and Settings\Administrator\×à??\WinXP\Setup.exe /SPEAKER
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Steam] "d:\valve\steam\steam.exe" -silent
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe



Please help me. Thanks

ken545
2007-11-03, 05:09
I am not seeing anything bad on your log. I prefer that you delete the version of HJT that you have installed and download and install the newer version by Trendmicro.

C:\Documents and Settings\Administrator\桌面\HijackThis.exe <-- Delete this


Download and install Trendmicros Hijackthis (http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php?page=download)

Download the Trendmicro Hijackthis Installer, follow the defaults and it will install in C:\Program Files\Trendmicro\Hijackthis, and this is exactly where we want it to be.


Open HJT, Scan and Save a Log File; it will open in Notepad.
Go to Format and make sure Wordwrap is unchecked.
Go to Edit > Select All, then Edit > Copy, and paste the new log into this thread using Post Reply, not by starting a New Thread.

DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.


This is important; do this before you post a Hijackthis log:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <-- Right click on Hijackthis.exe (looks like a man with a spyglass) and rename it to Scanner.exe

Post a new Hijackthis log from Trendmicro with it renamed to Scanner.exe

Nobody6501
2007-11-03, 05:38
OK, I deleted the other version and got the one you prefer.






Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:11:47 AM, on 10/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\svchost.exe
D:\valve\steam\steam.exe
d:\valve\steam\steamapps\sniper6501\counter-strike source\hl2.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [C-Media Speaker Configuration] C:\Documents and Settings\Administrator\×à??\WinXP\Setup.exe /SPEAKER
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Steam] "d:\valve\steam\steam.exe" -silent
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

--
End of file - 2329 bytes

ken545
2007-11-03, 06:29
I have been at this for over 5 years, and everything we ask you to do is for a reason. If you want me to help you, you need to read the instructions.

This is important; do this before you post a Hijackthis log:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <-- Right click on Hijackthis.exe (looks like a man with a spyglass) and rename it to Scanner.exe


The reason for this is that the infection you are describing is written to evade an HJT scan, and by renaming it to something else, if the infection is present it will now show up on your log. I see nothing bad on your log; it may show up after you rename Hijackthis.

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the Combofix log and a HiJackthis log in your next reply

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Post the Combofix log and a new Hijackthis log renamed to Scanner.exe
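The helper's point above is that an autorun entry can hide from a scanner that runs under a known name, so the O4 lines that do show up deserve a second look by location rather than by name. The script below is an added example, not code from this thread or from HijackThis: it parses HijackThis-style O4 lines, splits the executable from its arguments and any `(User '...')` suffix, and flags entries that launch from user-writable profile or temp locations. The sample lines are copied from the log posted in this thread except for the last one, which is a constructed, hypothetical entry mirroring the `Local Settings\Application Data` path that ComboFix removed later in the thread; the trusted-root and user-writable path lists are my own assumptions, not HijackThis rules.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: O4 lines as HijackThis writes them to a saved log.
# All but the last are from the log posted above; the [vetbscqyap] line is a
# hypothetical entry built to show what a flagged location looks like.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Steam] "d:\valve\steam\steam.exe" -silent
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKCU\..\Run: [vetbscqyap] C:\Documents and Settings\Administrator\Local Settings\Application Data\vetbscqyap.exe
"""

# "O4 - <hive>\..\<key>: [<name>] <command>"; the hive may carry a SID (HKUS\S-1-5-18).
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# HJT appends "(User 'NAME')" for entries taken from other users' hives.
USER_SUFFIX_RE = re.compile(r"\s*\(User '(?P<user>[^']*)'\)\s*$")
# The executable runs up to the first ".exe" that ends a token, which also
# copes with unquoted paths containing spaces, as HJT prints them.
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.exe)"?(?:\s|$)', re.IGNORECASE)

# Assumed lists for this example (lower-cased, matched as substrings/prefixes).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
USER_WRITABLE = ("\\local settings\\", "\\application data\\", "\\temp\\")


@dataclass
class AutorunEntry:
    hive: str
    name: str
    exe: str
    args: str
    user: Optional[str]
    verdict: str  # "ok" | "review" | "flag"


def classify(exe: str) -> str:
    """Verdict by launch location, independent of the entry's display name."""
    p = exe.lower()
    if any(marker in p for marker in USER_WRITABLE):
        return "flag"       # started from a user-writable profile/temp directory
    if p.startswith(TRUSTED_ROOTS):
        return "ok"
    return "review"         # other drives/folders: not wrong, just unverified


def parse_o4(line: str) -> Optional[AutorunEntry]:
    """Parse one O4 line; returns None for lines that are not O4 entries."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd")
    user = None
    um = USER_SUFFIX_RE.search(cmd)
    if um:
        user = um.group("user")
        cmd = cmd[:um.start()]
    cmd = cmd.strip()
    em = EXE_RE.match(cmd)
    if not em:
        return None
    exe = em.group("exe")
    args = cmd[em.end():].strip()
    return AutorunEntry(m.group("hive"), m.group("name"), exe, args, user, classify(exe))


def triage(log_text: str) -> List[AutorunEntry]:
    """Return every O4 entry in a log with its location-based verdict."""
    return [e for e in (parse_o4(l) for l in log_text.splitlines()) if e]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        who = f" (user {e.user})" if e.user else ""
        print(f"{e.verdict:6} [{e.name}] {e.exe}{who} args={e.args!r}")
```

A "flag" verdict is a prompt to look closer, not a conviction: legitimate updaters do live under `Application Data`, and a short 8.3 path such as `C:\PROGRA~1` is treated as trusted here only because it expands to Program Files.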

Nobody6501
2007-11-04, 02:58
Oh, OK. And by the way, almost every time when I start the forum the pop-ups come up too.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:14:30 AM, on 10/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\valve\steam\steam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [C-Media Speaker Configuration] C:\Documents and Settings\Administrator\×à??\WinXP\Setup.exe /SPEAKER
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Steam] "d:\valve\steam\steam.exe" -silent
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 2585 bytes


ComboFix 07-11-01.1** - Administrator 2007-10-28 4:16:15.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.936.1.2052.18.1534 [GMT -5:00]
執行位置: C:\Documents and Settings\Administrator\桌面\ComboFix.exe
* 已建立新的還原點
.

(((((((((((((((((((((((((((((((((((((( 其他遭刪除的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\Documents and Settings\Administrator\Local Settings\Application Data\vetbscqyap.dat
C:\Documents and Settings\Administrator\Local Settings\Application Data\vetbscqyap.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\vetbscqyap_nav.dat
c:\Documents and Settings\Administrator\Local Settings\Application Data\vetbscqyap_navps.dat
C:\Documents and Settings\Administrator\桌面\WinXP\QuickBooks_Financial_Software_2005\_desktop.ini
C:\Documents and Settings\Administrator\桌面\WinXP\QuickBooks_Financial_Software_2005\QBooks\_desktop.ini
C:\Documents and Settings\Administrator\桌面\WinXP\QuickBooks_Financial_Software_2005\Support\_desktop.ini
C:\Documents and Settings\Administrator\桌面\WinXP\QuickBooks_Financial_Software_2005\ThirdParty\_desktop.ini
C:\Documents and Settings\Administrator\桌面\WinXP\QuickBooks_Financial_Software_2005\ThirdParty\DotNET11\_desktop.ini
C:\Documents and Settings\Administrator\桌面\WinXP\QuickBooks_Financial_Software_2005\ThirdParty\Flash7\_desktop.ini
C:\Documents and Settings\Administrator\桌面\WinXP\QuickBooks_Financial_Software_2005\ThirdParty\JET40\_desktop.ini
C:\Documents and Settings\Administrator\桌面\WinXP\QuickBooks_Financial_Software_2005\ThirdParty\JET40\2000\_desktop.ini
C:\Documents and Settings\Administrator\桌面\WinXP\QuickBooks_Financial_Software_2005\ThirdParty\JET40\2003Server\_desktop.ini
C:\Documents and Settings\Administrator\桌面\WinXP\QuickBooks_Financial_Software_2005\ThirdParty\JET40\9x-NT\_desktop.ini
C:\Documents and Settings\Administrator\桌面\WinXP\QuickBooks_Financial_Software_2005\ThirdParty\JET40\ME\_desktop.ini
C:\Documents and Settings\Administrator\桌面\WinXP\QuickBooks_Financial_Software_2005\ThirdParty\JET40\XP\_desktop.ini
C:\Documents and Settings\Administrator\桌面\WinXP\QuickBooks_Financial_Software_2005\ThirdParty\MDAC28\_desktop.ini
C:\Program Files\uusee
C:\Program Files\uusee\dxva_sig.txt
C:\WINDOWS\cnsinfo.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CNSMINKP
-------\nm


(((((((((((((((((((((((((((( 2007-10-01 - 2007-11-01 之間建立的檔案 )))))))))))))))))))))))))))))))))
.

2007-10-28 04:15 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-28 03:11 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-27 22:49 <DIR> d-------- C:\Program Files\C-Media
2007-10-27 12:45 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-25 22:48 <DIR> d-------- C:\Program Files\Lavalys
2007-10-22 21:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESPN

.
(((((((((((((((((((((((((((((((((((( 近三個月內更動的檔案 )))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-01 02:29 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Viewpoint
2007-09-19 01:44 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-09-19 01:27 --------- d-----w C:\Program Files\ImTOO
2007-09-18 01:09 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\Xfire
2007-09-13 21:16 --------- d-----w C:\Program Files\mIRC
2007-09-13 21:16 --------- d-----w C:\Documents and Settings\Administrator\Application Data\mIRC
2007-09-09 17:10 --------- d-----w C:\Program Files\LimeWire
2007-09-09 17:10 --------- d-----w C:\Documents and Settings\Administrator\Application Data\LimeWire
2007-09-01 04:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-09-01 04:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-09-01 04:39 --------- d-----w C:\Documents and Settings\Administrator\Application Data\acccore
2007-09-01 02:35 --------- d-----w C:\Program Files\Viewpoint
2007-09-01 02:35 --------- d-----w C:\Program Files\Common Files\AOL
2007-09-01 02:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-09-01 01:56 --------- d-----w C:\Program Files\AIM6
2007-09-01 01:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-08-21 06:16 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:16 683,520 ----a-w C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-08-20 09:55 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-20 09:55 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-20 09:55 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-08-20 09:55 6,058,496 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-08-20 09:55 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-08-20 09:55 477,696 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-20 09:55 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-08-20 09:55 44,544 ----a-w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-08-20 09:55 384,512 ----a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-08-20 09:55 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-08-20 09:55 3,584,512 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-20 09:55 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-20 09:55 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-08-20 09:55 232,960 ----a-w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-08-20 09:55 230,400 ----a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-08-20 09:55 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-20 09:55 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-20 09:55 153,088 ----a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-08-20 09:55 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-20 09:55 124,928 ----a-w C:\WINDOWS\system32\dllcache\advpack.dll
2007-08-20 09:55 105,984 ----a-w C:\WINDOWS\system32\dllcache\url.dll
2007-08-20 09:55 102,400 ----a-w C:\WINDOWS\system32\dllcache\occache.dll
2007-08-20 09:55 1,152,000 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-17 10:19 63,488 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-08-17 10:19 625,152 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-08-17 10:19 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-08-17 07:34 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
.

(((((((((((((((((((((((((((((((((((((((((( 重要登錄檔 )))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白或合法的登錄值將不會顯示.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-10-27 10:52]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-10-27 23:57]
"C-Media Speaker Configuration"="C:\Documents and Settings\Administrator\×à??\WinXP\Setup.exe" []
"combofix"="C:\WINDOWS\system32\cmd.exe" [2004-08-17 12:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-17 12:00]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-10-04 10:20]
"Steam"="d:\valve\steam\steam.exe" [2007-10-26 16:09]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
"C:\Program Files\Ares\Ares.exe" -h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\switch]
c:\windows\system32\壁纸自动换.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"gusvc"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"EloSystemService"=2 (0x2)
"P4P Service"=2 (0x2)
"MDM"=2 (0x2)
"Avg7Alrt"=2 (0x2)

S3 ATMELFVNETusb(AR)(R);ATMEL FVNETusb(AR)(R) Service for ATMEL USB FastVNET (AR);C:\WINDOWS\system32\DRIVERS\vnetusbr.sys
S3 EloBus;Elobus Filter Driver;C:\WINDOWS\system32\DRIVERS\EloBus.sys
S3 EloSer;Elo Serial Driver;C:\WINDOWS\system32\DRIVERS\EloSer.sys
S3 o1394bul;o1394bul;\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\o1394bul.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{92c90e98-9139-11db-b99d-0016e6808b0f}]
\Shell\AutoRun\command - F:\LaunchU3.exe

.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-01 04:20:47
Windows 5.1.2600 Service Pack 2 FAT NTAPI

掃描隱藏的程序 ...

掃描隱藏的進程 ...

掃描隱藏的檔案 ...

掃描完成
隱藏檔案: 0

**************************************************************************
.
完成時間: 2007-11-01 4:21:45 - machine was rebooted
.
--- E O F ---

ken545
2007-11-04, 04:09
Still not looking at anything bad on your log.


Please download SmitfraudFix (http://siri.urz.free.fr/Fix/SmitfraudFix.zip)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Nobody6501
2007-11-04, 04:15
Thanks for trying to help me. Here's the report:



SmitFraudFix v2.247

Scan done at 5:39:28.68, 11/01/2007 Thu
Run from C:\Documents and Settings\Administrator\桌面\SmitfraudFix
OS: Microsoft Windows XP [版本 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\conime.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\valve\steam\steam.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="当前主页"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: NVIDIA nForce Networking Controller - 数据包计划程序微型端口
DNS Server Search Order: 192.168.254.254

HKLM\SYSTEM\CCS\Services\Tcpip\..\{394E7D95-1CA4-44B1-8389-9C2D22EC9F20}: DhcpNameServer=68.94.156.1 75.16.23.193
HKLM\SYSTEM\CCS\Services\Tcpip\..\{D31D2FAE-BFDA-4F62-A610-339EBD56C355}: DhcpNameServer=192.168.254.254
HKLM\SYSTEM\CCS\Services\Tcpip\..\{E12B1548-5D13-4AE5-B24B-D9F72AEEDE78}: DhcpNameServer=75.16.23.193 198.6.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{394E7D95-1CA4-44B1-8389-9C2D22EC9F20}: DhcpNameServer=68.94.156.1 75.16.23.193
HKLM\SYSTEM\CS1\Services\Tcpip\..\{D31D2FAE-BFDA-4F62-A610-339EBD56C355}: DhcpNameServer=192.168.254.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{E12B1548-5D13-4AE5-B24B-D9F72AEEDE78}: DhcpNameServer=75.16.23.193 198.6.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{394E7D95-1CA4-44B1-8389-9C2D22EC9F20}: DhcpNameServer=68.94.156.1 75.16.23.193
HKLM\SYSTEM\CS3\Services\Tcpip\..\{D31D2FAE-BFDA-4F62-A610-339EBD56C355}: DhcpNameServer=192.168.254.254
HKLM\SYSTEM\CS3\Services\Tcpip\..\{E12B1548-5D13-4AE5-B24B-D9F72AEEDE78}: DhcpNameServer=75.16.23.193 198.6.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.254.254
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.254.254
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.254.254


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

ken545
2007-11-04, 04:40
Still nothing bad.

Run this free online virus scanner from Panda


Run Panda's ActiveScan (http://www.pandasoftware.com/activescan/com/activescan_principal.htm) and perform a full system scan.

Once you are on the Panda site click the "Scan your PC" button
A new window will open...click the big "Check Now" button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: it will take a couple of minutes).
If you are on a slow connection it will take about 15 minutes for the scanner to load.
Click on "Local Disks" to start the scan
Once scan is done, click "see report" then "save report"
Save the log someplace you can find
Reboot
Post the Panda scan results in your next reply

Nobody6501
2007-11-04, 05:58
Incident Status Location

Potentially unwanted tool:Application/SuperFast Not disinfected C:\ENG\RB.EXE
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\Administrator\桌面\FAST!!! ShutDown.exe
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@atwola[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@statcounter[2].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@2o7[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@com[1].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@statse.webtrendslive[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@advertising[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\as0avrpl.default\COOKIES.TXT[.atdmt.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\as0avrpl.default\COOKIES.TXT[.doubleclick.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\as0avrpl.default\COOKIES.TXT[.2o7.net/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\as0avrpl.default\COOKIES.TXT[.casalemedia.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\as0avrpl.default\COOKIES.TXT[.statcounter.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\as0avrpl.default\COOKIES.TXT[.advertising.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\as0avrpl.default\COOKIES.TXT[ad.yieldmanager.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\as0avrpl.default\COOKIES.TXT[.atwola.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\as0avrpl.default\COOKIES.TXT[statse.webtrendslive.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\as0avrpl.default\COOKIES.TXT[.overture.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\as0avrpl.default\COOKIES.TXT[.mediaplex.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\as0avrpl.default\COOKIES.TXT[.com.com/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\as0avrpl.default\COOKIES.TXT[.revenue.net/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\as0avrpl.default\COOKIES.TXT[.serving-sys.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\as0avrpl.default\COOKIES.TXT[.tribalfusion.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\as0avrpl.default\COOKIES.TXT[server.iad.liveperson.net/]
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\SYSTEM32\Process.exe
Potentially unwanted tool:Application/SuperFast Not disinfected C:\WINDOWS\快速关机(Ctrl+Alt+End).exe
Potentially unwanted tool:Application/SuperFast Not disinfected C:\WINDOWS\快速重启(Ctrl+Alt+Home).exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe
Potentially unwanted tool:Application/SuperFast Not disinfected C:\RB.EXE
Potentially unwanted tool:Application/SuperFast Not disinfected C:\REBOOT.EXE
Potentially unwanted tool:Application/SuperFast Not disinfected C:\SD.EXE
Potentially unwanted tool:Application/SuperFast Not disinfected C:\ShutDown.exe
Adware:Adware/NaviPromo Not disinfected C:\QOOBOX\Quarantine\C\Documents and Settings\Administrator\Local Settings\Application Data\vetbscqyap.exe.vir

Nobody6501
2007-11-04, 06:51
Incident Status Location

Potentially unwanted tool:Application/SuperFast Not disinfected C:\ENG\RB.EXE
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\Administrator\桌面\FAST!!! ShutDown.exe
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@atwola[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@statcounter[2].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@2o7[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@com[1].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@statse.webtrendslive[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@advertising[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\as0avrpl.default\COOKIES.TXT[.atdmt.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\as0avrpl.default\COOKIES.TXT[.doubleclick.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\as0avrpl.default\COOKIES.TXT[.2o7.net/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\as0avrpl.default\COOKIES.TXT[.casalemedia.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\as0avrpl.default\COOKIES.TXT[.statcounter.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\as0avrpl.default\COOKIES.TXT[.advertising.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\as0avrpl.default\COOKIES.TXT[ad.yieldmanager.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\as0avrpl.default\COOKIES.TXT[.atwola.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\as0avrpl.default\COOKIES.TXT[statse.webtrendslive.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\as0avrpl.default\COOKIES.TXT[.overture.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\as0avrpl.default\COOKIES.TXT[.mediaplex.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\as0avrpl.default\COOKIES.TXT[.com.com/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\as0avrpl.default\COOKIES.TXT[.revenue.net/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\as0avrpl.default\COOKIES.TXT[.serving-sys.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\as0avrpl.default\COOKIES.TXT[.tribalfusion.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\as0avrpl.default\COOKIES.TXT[server.iad.liveperson.net/]
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\SYSTEM32\Process.exe
Potentially unwanted tool:Application/SuperFast Not disinfected C:\WINDOWS\快速关机(Ctrl+Alt+End).exe
Potentially unwanted tool:Application/SuperFast Not disinfected C:\WINDOWS\快速重启(Ctrl+Alt+Home).exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe
Potentially unwanted tool:Application/SuperFast Not disinfected C:\RB.EXE
Potentially unwanted tool:Application/SuperFast Not disinfected C:\REBOOT.EXE
Potentially unwanted tool:Application/SuperFast Not disinfected C:\SD.EXE
Potentially unwanted tool:Application/SuperFast Not disinfected C:\ShutDown.exe
Adware:Adware/NaviPromo Not disinfected C:\QOOBOX\Quarantine\C\Documents and Settings\Administrator\Local Settings\Application Data\vetbscqyap.exe.vir

ken545
2007-11-04, 19:00
Panda did not pick up anything bad, so let me ask you about the popups. What are they? You say ring tones; have you recently upgraded a broadband account to include the phone service? Are they porn related? Are they directing you to certain websites? Part of running Combofix, besides removing bad entries, is that it also uses GMER to check for rootkits or hidden files, and it found nothing.

Viewpoint Manager Service <-- this program is not malicious, but it installs without your knowledge or consent, uses system resources and is not needed; you can uninstall it via Add/Remove Programs in the Control Panel.

We need to make sure all hidden files are showing :

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide file extensions for known types option.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Once your system is clean, we suggest that you reverse this to keep critical Windows files from accidentally being deleted.

Go to this site Jotti Upload (http://virusscan.jotti.org/) and under the browse feature, browse to this file
C:\Documents and Settings\Administrator\Local Settings\Application Data\vetbscqyap.exe

Then click on Submit, it will give you a report, post the report in your next reply.


Open Hijackthis
Go to Misc Tools> Open Uninstall Manager.
Click on Save List.
The list will open in Notepad.
Copy and Paste the List into this thread

Open HJT
Then open the Misc Tools section
click on Generate a Startup List Log,
Don't check the 2 boxes just yet.
Post the log into this thread



Let me see the report from Jotti, the startup list and the Uninstall Manager list please

Nobody6501
2007-11-04, 19:49
The pop ups - before Halloween it had a cartoon figure of a hunting house; now most of the time it shows that my computer has been infected, with fake Windows scanning stuff, and Direct TV or other cable company things.
No, it never shows any porn stuff.
I couldn't find the vetbscqyap.exe; I think I probably deleted it, because I checked Task Manager and I had no idea what that was, and I never installed anything like that.
It started up on the msconfig startup page, and I stopped it from starting up, and I probably looked at the file and deleted it.
I uninstalled that Viewpoint already, because this computer was a computer guy's computer; he bought it from one of his customers, and I worked there over the summer and he gave it to me. I think he installed the Viewpoint thing.

ACDSee 5.0.1 PowerPack
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Stock Photos 1.0
AIM 6
ATI Display Driver
AVG Anti-Spyware 7.5
AVG Free Edition
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Java(TM) SE Runtime Environment 6 Update 1
KKman
K-Lite Mega Codec Pack 1.46
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Office Professional Edition 2003
Microsoft Office XP Professional with FrontPage
Microsoft User-Mode Driver Framework Feature Pack 1.0
mIRC
MOV Converter 3
Mozilla Firefox (2.0.0.9)
Nero 6 Ultra Edition
NVIDIA Drivers
Panda ActiveScan
PPStream
RealPlayer
Realtek High Definition Audio Driver
Spybot - Search & Destroy 1.4
Steam
TVUPlayer 2.3.2.51
Ventrilo Client
WinAVIVideoConverter
Windows Internet Explorer 7
Windows Internet Explorer 7 安全更新 (KB929969)
Windows Internet Explorer 7 安全更新 (KB933566)
Windows Internet Explorer 7 安全更新 (KB937143)
Windows Internet Explorer 7 安全更新 (KB938127)
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player (KB911564) 安全更新
Windows Media Player 10 (KB917734) 安全更新
Windows Media Player 10 (KB936782) 安全更新
Windows Media Player 11
Windows Media Player 11
Windows Media Player 6.4 (KB925398) 安全更新
Windows Media Player 9 (KB917734) 安全更新
Windows XP (KB923689) 安全更新
Windows XP 更新 (KB894391)
Windows XP 更新 (KB898461)
Windows XP 更新 (KB900485)
Windows XP 更新 (KB904942)
Windows XP 更新 (KB908531)
Windows XP 更新 (KB910437)
Windows XP 更新 (KB911280)
Windows XP 更新 (KB916595)
Windows XP 更新 (KB920872)
Windows XP 更新 (KB922582)
Windows XP 更新 (KB927891)
Windows XP 更新 (KB930916)
Windows XP 更新 (KB931836)
Windows XP 更新 (KB933360)
Windows XP 更新 (KB938828)
Windows XP 安全更新 (KB890046)
Windows XP 安全更新 (KB893756)
Windows XP 安全更新 (KB896358)
Windows XP 安全更新 (KB896422)
Windows XP 安全更新 (KB896423)
Windows XP 安全更新 (KB896424)
Windows XP 安全更新 (KB896428)
Windows XP 安全更新 (KB899587)
Windows XP 安全更新 (KB899588)
Windows XP 安全更新 (KB899589)
Windows XP 安全更新 (KB899591)
Windows XP 安全更新 (KB900725)
Windows XP 安全更新 (KB901017)
Windows XP 安全更新 (KB901190)
Windows XP 安全更新 (KB901214)
Windows XP 安全更新 (KB902400)
Windows XP 安全更新 (KB904706)
Windows XP 安全更新 (KB905414)
Windows XP 安全更新 (KB905749)
Windows XP 安全更新 (KB908519)
Windows XP 安全更新 (KB911562)
Windows XP 安全更新 (KB911567)
Windows XP 安全更新 (KB911927)
Windows XP 安全更新 (KB912919)
Windows XP 安全更新 (KB913580)
Windows XP 安全更新 (KB914388)
Windows XP 安全更新 (KB914389)
Windows XP 安全更新 (KB917344)
Windows XP 安全更新 (KB917422)
Windows XP 安全更新 (KB917537)
Windows XP 安全更新 (KB917953)
Windows XP 安全更新 (KB918118)
Windows XP 安全更新 (KB918439)
Windows XP 安全更新 (KB918899)
Windows XP 安全更新 (KB919007)
Windows XP 安全更新 (KB920213)
Windows XP 安全更新 (KB920214)
Windows XP 安全更新 (KB920670)
Windows XP 安全更新 (KB920683)
Windows XP 安全更新 (KB920685)
Windows XP 安全更新 (KB921398)
Windows XP 安全更新 (KB921503)
Windows XP 安全更新 (KB921883)
Windows XP 安全更新 (KB922616)
Windows XP 安全更新 (KB922760)
Windows XP 安全更新 (KB922819)
Windows XP 安全更新 (KB923191)
Windows XP 安全更新 (KB923414)
Windows XP 安全更新 (KB923694)
Windows XP 安全更新 (KB923789)
Windows XP 安全更新 (KB923980)
Windows XP 安全更新 (KB924191)
Windows XP 安全更新 (KB924270)
Windows XP 安全更新 (KB924496)
Windows XP 安全更新 (KB924667)
Windows XP 安全更新 (KB925454)
Windows XP 安全更新 (KB925486)
Windows XP 安全更新 (KB925902)
Windows XP 安全更新 (KB926255)
Windows XP 安全更新 (KB926436)
Windows XP 安全更新 (KB927779)
Windows XP 安全更新 (KB927802)
Windows XP 安全更新 (KB928255)
Windows XP 安全更新 (KB928843)
Windows XP 安全更新 (KB929123)
Windows XP 安全更新 (KB930178)
Windows XP 安全更新 (KB931261)
Windows XP 安全更新 (KB931784)
Windows XP 安全更新 (KB932168)
Windows XP 安全更新 (KB935839)
Windows XP 安全更新 (KB935840)
Windows XP 安全更新 (KB936021)
Windows XP 安全更新 (KB938829)
Windows XP 修复程序 (KB914440)
Windows XP 修复程序 (KB935448)
Windows XP 修复程序包 - KB873339
Windows XP 修复程序包 - KB885626
Windows XP 修复程序包 - KB885835
Windows XP 修复程序包 - KB885836
Windows XP 修复程序包 - KB885884
Windows XP 修复程序包 - KB886185
Windows XP 修复程序包 - KB886677
Windows XP 修复程序包 - KB887472
Windows XP 修复程序包 - KB888113
Windows XP 修复程序包 - KB888302
Windows XP 修复程序包 - KB890859
Windows XP 修复程序包 - KB891781
Windows XP 修复程序包 - KB893086
WinRAR 压缩文件管理器
Xfire (remove only)
Yahoo! Internet Mail
Yahoo! Messenger



StartupList report, 11/4/2007, 11:41:57 AM
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\Scanner.exe.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16544)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\valve\steam\steam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe.exe
C:\WINDOWS\system32\notepad.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
!AVG Anti-Spyware = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
Aim6 = "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
Steam = "d:\valve\steam\steam.exe" -silent

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Download Program Files:

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
End of report, 3,530 bytes
Report generated in 0.031 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Nobody6501
2007-11-04, 19:53
I went to search for this file vetbscqyap and four things popped up; they're located at C:\qoobox\Quarantine\C\Documents and Settings\Administrator\Local Settings\Application Data,
all four of them, and I have no idea what they are.
I went to Jotti and it shows this:
"The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file"

ken545
2007-11-04, 23:15
(((((((((((((((((((( 其他遭刪除的檔案 )))))))))))))
I am assuming this means Other Deletions?? If so, then those files are gone.

Qoobox is created by Combofix and contains the files it deleted.

Your version of Spybot Search and Destroy is outdated, uninstall it and download and install the newer version.


Download Spybot Search and Destroy 1.5.1 (http://www.safer-networking.org/en/download/index.html)
If you have the older version 1.4, remove it via the Add-Remove Programs in the Control Panel.


During Installation, just follow all the defaults.
Go to Mode and click on Advanced Mode
Then to Updates Search for Updates
If you get a Bad Checksum Error, just choose a different download location.
Then to Settings/ File Sets and take the checkmark out of Usage Tracks
Then to Tools/ Hosts Files click on Add Spybot S&D Hosts Files.
Then to Tools/ IE Tweaks and put a checkmark in Lock the Hosts Files
Then to Immunize. Up at the top by the GREEN SIGN, click on Immunize.
Then to Search and Destroy/ Check for Problems
Let it scan your system
Then to Fix Problems and fix all it finds.
Reboot your computer.

Download CCleaner from here (http://www.ccleaner.com/) to clean temp files from your computer.

Double click on the file to start the installation of the program.
Select your language and click OK, then next.
Read the license agreement and click I Agree.
Click next to use the default install location. Click Install then finish to complete installation.
Double click the CCleaner shortcut on the desktop to start the program.
On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
Click on the "Options" icon at the left side of the window, then click on "Advanced."
deselect "Only delete files in Windows Temp folders older than 48 hours."
Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.
Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
After CCleaner has completed its process, click Exit.

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, back it up or move it to a permanent folder prior to running CCleaner!


You also have AVG Anti Spyware installed, run the scan this way and post the report


Open AVG Anti Spyware
On the main screen select the icon Update then select the Update now link.
Next select the Start Update button, the update will start and a progress bar will show the updates being installed.
Once the update has completed select the Scanner icon at the top of the screen, then select the Settings tab.
Once in the Settings screen click on Recommended actions and then select Quarantine <-- Don't forget this
Under Reports
Select Automatically generate report after every scan
Uncheck Only if threats were found

Launch AVG Anti-Spyware Free by double-clicking the icon on your desktop.
Select the Scanner icon at the top and then the Scan tab then click on Complete System Scan.
AVG will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will be prompted, then select Apply all actions
Next select the Reports icon at the top.
Select the Save report as button in the lower left hand of the screen and save it to a text file on your system <--Don't forget this
Make sure to remember where you saved that file; this is important, I need to see that log.
Close AVG Anti-Spyware Free

IMPORTANT: Do not open any other windows or programs while AVG is scanning, it may interfere with the scanning process:

Run Spybot Search and Destroy, no log needed, Run CCleaner, run AVG and Post the AVG Report and a New HJT log please

Nobody6501
2007-11-05, 03:51
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:19:35 PM 11/4/2007

+ Scan result:



C:\Documents and Settings\Administrator\Cookies\administrator@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@pandasoftware.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : Cleaned.


::Report end


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:21:58 PM, on 11/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe.exe

R3 - URLSearchHook: Yahoo! μ?o?ì? - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! μ?o?ì? - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "d:\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

--
End of file - 3124 bytes

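A small triage script for the O4 (autorun) entries of a HijackThis log like the one above, as an added example that is neither part of this thread nor HijackThis's own code: it classifies each startup executable by where it lives, the same question Ken raised when he asked for the file in Local Settings\Application Data to be uploaded. The 8.3 short-name map is a constructed heuristic, and the one vetbscqyap line in the sample is constructed from the path the thread gives (no HJT line for it was ever posted).

```python
"""Triage O4 autorun entries of a HijackThis 2.0.x log by executable location.
Added example; not part of the forum thread's tooling."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: O4 lines copied from the HJT log posted in the thread, plus one
# constructed O4 line for the NaviPromo file Combofix removed (vetbscqyap.exe).
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "d:\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKCU\..\Run: [vetbscqyap] C:\Documents and Settings\Administrator\Local Settings\Application Data\vetbscqyap.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
"""

# "O4 - <hive>\..\Run: [<name>] <command line>" with an optional "(User '...')" suffix.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# The executable is either a quoted path or everything up to the first
# .exe/.dll/.scr/.cpl extension (unquoted paths may contain spaces).
EXE_RE = re.compile(r'^(?:"(?P<q>[^"]+)"|(?P<u>.+?\.(?:exe|dll|scr|cpl)))', re.I)

# Constructed heuristic for the 8.3 short names that appear in this log.
SHORT_NAMES = {"c:\\progra~1": "c:\\program files",
               "c:\\docume~1": "c:\\documents and settings"}
# The user-profile and temp locations where the dropped file in the thread lived.
SUSPICIOUS_DIRS = ("\\local settings\\application data\\",
                   "\\local settings\\temp\\", "\\temp\\")
# Locations where installed software is expected to start from.
EXPECTED_DIRS = ("c:\\windows\\", "c:\\program files\\")


@dataclass
class Finding:
    hive: str
    name: str
    exe: str
    verdict: str            # "expected", "review" or "suspicious"
    user: Optional[str] = None


def normalize(path: str) -> str:
    """Lower-case the path and expand the short names we know about."""
    p = path.strip().lower()
    for short, long in SHORT_NAMES.items():
        if p.startswith(short):
            p = long + p[len(short):]
    return p


def classify(exe: str) -> str:
    p = normalize(exe)
    if any(d in p for d in SUSPICIOUS_DIRS):
        return "suspicious"         # executable living in a profile/temp directory
    if any(p.startswith(d) for d in EXPECTED_DIRS):
        return "expected"           # installed under Windows or Program Files
    return "review"                 # anywhere else (other drives, odd folders)


def parse_o4(line: str) -> Optional[Finding]:
    m = O4_RE.match(line.strip())
    if not m:
        return None
    e = EXE_RE.match(m.group("cmd"))
    exe = (e.group("q") or e.group("u")) if e else m.group("cmd")
    return Finding(m.group("hive"), m.group("name"), exe, classify(exe), m.group("user"))


def triage_log(text: str) -> List[Finding]:
    """Return one Finding per O4 line; other HJT sections are ignored."""
    return [f for f in (parse_o4(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.verdict:<10} {f.hive:<14} [{f.name}] {f.exe}")
```

The "review" bucket is not an accusation: Steam on D: is legitimate here, it simply is not in a standard location and so deserves a look before a helper calls a log clean.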
ken545
2007-11-05, 04:29
Still getting popups ? None of the scans we have run are picking up anything bad and your HJT log is clean. Where are you located?? Why do some of the entries in the scans like Combofix for example have Chinese characters??

Nobody6501
2007-11-05, 23:46
Hey, I don't have any more pop ups for now (about 3 days
already). It's the Chinese computer guy's computer, so I guess he installed some Chinese things in there.
I'm located in Houston, TX.

Nobody6501
2007-11-05, 23:47
Thanks a lot for the help

ken545
2007-11-06, 02:12
That's great :bigthumb:


Malware Complaints (http://malwarecomplaints.info/index.php)
Are you mad? I mean really mad, seething mad, so mad you're ready to spit, mad that you have taken your hard-earned dollars to buy a computer only to have some miscreants, dirt bags and cyber criminals install a malicious program on your computer without your knowledge or consent. You can post your complaint at the above site. If you live in the U.S.A. you can also report your grievance to your State Attorney General's Office and the Federal Trade Commission's Bureau of Consumer Protection.


How did I get infected in the first place ? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
Geeks To Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)



Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community

Spybot Search and Destroy 1.5 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts.

IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 4000 web sites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.

Firefox 2.0 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.

Zone Alarm (http://www.pcworld.com/downloads/file_description/0,fid,7228,00.asp) Here is a free Firewall from Zone Labs; I wouldn't access the internet without it.


Glad we could help

Safe Surfn
Ken