Blue screen appears and then shut down

H

hwangche

New member
Hi everyone,

I used to clean my computer with AVG Anti-spyware and Spybot once every two weeks. But recently, everytime when I run these programs, my computer would shut down in the middle of scanning. The situation becomes worse. My computer now shuts down even if I run other programs. It always happen all of sudden and it's very annoying since I always lose the unsaved works. Please help! Thanks.
 
thanks for replying

Shaba said:
Hi hwangche

Does those work in safe mode?

What is your CPU temperature?
Click to expand...

It works better in safe mode, but still it crashes somtimes. I don't know the CPU temperature, how can i check it? Actually, I did think about the CPU temperature before and cleaned the dust deposit on the case, but it didn't help.
 
Hi

Temperatures seem to be ok but you have only 256 megs of RAM.

However, your symptoms indicate to hardware error.

I can re-direct you to some windows forum but let's check this first:

Click here to download HJTInstall.exe
  • Save HJTInstall.exe to your desktop.
  • Doubleclick on the HJTInstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button, its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
 
hijackthis log file

I know my computer is low on memory, so i decided to upgrade it. I found this website http://www.1stchoicememory.com/catalog/products.asp?ID=2221
What's the difference between basic ram and better ram there? Coz the price is doubled.

Here is the hijackthis log file

Logfile of HijackThis v1.99.1
Scan saved at 9:50:27, on 5/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\mnmsrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\r_server.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\BitTorrent_DNA\dna.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IMJPMIG8.2] msime82.exe
O4 - HKLM\..\Run: [SoundMnEx32] C:\WINDOWS\sscserv.exe
O4 - HKLM\..\Run: [jpgdiag] C:\WINDOWS\system32\jpgconf.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Replace C-Media Mixer] C:\WINDOWS\W2KSetup.exe -ReplaceMixer
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MsServer] msfun80.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner\RegClean.exe"
O8 - Extra context menu item: 雅虎搜索 - res://C:\Program Files\Yahoo!\Assistant\Assist\yasbar.dll/203
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E847C78C-C210-4195-8799-FBF3BF89797D} (金山毒霸在??品升?) - http://www.duba.net/cab/KOSInit.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O20 - AppInit_DLLs:  au3su2ck.dll confjpg.dll jpgstat.dll pns6klale4.dll
O20 - Winlogon Notify: dxtmmnmd - C:\WINDOWS\system32\dxtmmnmd.dll (file missing)
O20 - Winlogon Notify: jpgmgr - jpgmgr32.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)
 
Hi

Your version of HijackThis is outdated, download and install newest version from my link and post back a fresh HijackThis log with that version, please :)
 
Here is the log file

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:54:31, on 6/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\mnmsrvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\r_server.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\BitTorrent_DNA\dna.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IMJPMIG8.2] msime82.exe
O4 - HKLM\..\Run: [SoundMnEx32] C:\WINDOWS\sscserv.exe
O4 - HKLM\..\Run: [jpgdiag] C:\WINDOWS\system32\jpgconf.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Replace C-Media Mixer] C:\WINDOWS\W2KSetup.exe -ReplaceMixer
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MsServer] msfun80.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner\RegClean.exe"
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: 雅虎搜索 - res://C:\Program Files\Yahoo!\Assistant\Assist\yasbar.dll/203
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E847C78C-C210-4195-8799-FBF3BF89797D} (金山毒霸在??品升?) - http://www.duba.net/cab/KOSInit.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O20 - AppInit_DLLs:  au3su2ck.dll confjpg.dll jpgstat.dll pns6klale4.dll
O20 - Winlogon Notify: dxtmmnmd - C:\WINDOWS\system32\dxtmmnmd.dll (file missing)
O20 - Winlogon Notify: jpgmgr - jpgmgr32.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe

--
End of file - 5643 bytes
 
Hi

Have you installed this by yourself?

O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe

1. Download combofix from one of these links and save it to Desktop:
Link1
Link2
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

Post:

- a fresh HijackThis log
- combofix report
 
Shaba said:
Hi

Have you installed this by yourself?

O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe


Yes, I installed this program myself.




1. Download combofix from one of these links and save it to Desktop:
Link1
Link2
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

Post:

- a fresh HijackThis log
- combofix report
Click to expand...

Here are the log files,

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:44:57, on 9/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\mnmsrvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\r_server.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\BitTorrent_DNA\dna.exe
C:\WINDOWS\system32\notepad.exe
C:\ComboFix\nircmd.cfexe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IMJPMIG8.2] msime82.exe
O4 - HKLM\..\Run: [SoundMnEx32] C:\WINDOWS\sscserv.exe
O4 - HKLM\..\Run: [jpgdiag] C:\WINDOWS\system32\jpgconf.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Replace C-Media Mixer] C:\WINDOWS\W2KSetup.exe -ReplaceMixer
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [combofix] "C:\WINDOWS\system32\cmd.exe" /c "cd /d C:\ComboFix\ & Combobatch.bat"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MsServer] msfun80.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner\RegClean.exe"
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: 雅虎搜索 - res://C:\Program Files\Yahoo!\Assistant\Assist\yasbar.dll/203
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E847C78C-C210-4195-8799-FBF3BF89797D} (金山毒霸在??品升?) - http://www.duba.net/cab/KOSInit.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O20 - AppInit_DLLs:  au3su2ck.dll confjpg.dll jpgstat.dll pns6klale4.dll
O20 - Winlogon Notify: dxtmmnmd - C:\WINDOWS\system32\dxtmmnmd.dll (file missing)
O20 - Winlogon Notify: jpgmgr - jpgmgr32.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe

--
End of file - 5864 bytes
 
And the combofix report

ComboFix 07-12-08.1 - CM Hwang 2007-12-09 1:34:53.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.950.1.1028.18.53 [GMT 8:00]
執行位置?: C:\Documents and Settings\CM Hwang\桌面\ComboFix.exe
* 已建立新的還原點
.

(((((((((((((((((((((((((((((((((((((( 其他遭刪除的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin10.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin11.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin12.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin13.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin14.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin15.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin16.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin17.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin18.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin19.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin2.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin20.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin21.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin22.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin23.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin24.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin25.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin26.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin27.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin28.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin29.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin3.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin30.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin31.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin32.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin33.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin34.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin35.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin36.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin37.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin38.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin39.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin4.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin40.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin41.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin42.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin43.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin44.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin45.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin46.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin47.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin48.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin49.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin5.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin50.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin51.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin52.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin53.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin6.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin7.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin8.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin9.zip
C:\Program Files\3721\CNSMIN.DAT
C:\Program Files\delfin
C:\WINDOWS\system32\cns.dat
C:\WINDOWS\system32\cns.dll
C:\WINDOWS\system32\cns.exe
C:\WINDOWS\system32\drivers\CnsMinKP.sys
C:\WINDOWS\ufdata2000.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CNSMINKP
-------\CnsMinKP


(((((((((((((((((((((((((((( 2007-11-08 - 2007-12-08 之間建立的檔案 )))))))))))))))))))))))))))))))))
.

2007-12-09 01:38 . 2007-12-09 01:38 68,879 --a------ C:\Documents and Settings\CM Hwang\catchme.zip
2007-12-06 07:54 . 2007-12-06 07:54 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-04 13:37 . 2007-12-04 13:37 <DIR> d-------- C:\Program Files\Lavalys
2007-12-04 13:05 . 2007-12-04 13:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Innovative Solutions
2007-12-04 13:04 . 2006-11-22 11:35 42,496 --a------ C:\WINDOWS\system32\AdvUninstCPL.cpl
2007-12-02 06:48 . 2001-07-24 23:15 241,664 --a------ C:\WINDOWS\system32\r_server.exe
2007-12-02 06:48 . 2000-07-10 20:06 90,112 --a------ C:\WINDOWS\system32\admdll.dll
2007-12-01 12:17 . 2007-12-01 12:17 <DIR> d--hs---- C:\FOUND.012
2007-11-30 15:44 . 2007-11-30 15:44 <DIR> d--hs---- C:\FOUND.011
2007-11-30 15:19 . 2007-11-30 15:19 <DIR> d--hs---- C:\FOUND.010
2007-11-30 10:57 . 2007-11-30 10:57 <DIR> d-------- C:\Program Files\Intel
2007-11-30 10:57 . 2001-11-15 00:00 87,018 --a------ C:\WINDOWS\system32\drivers\IdeChnDr.sys
2007-11-30 10:57 . 2001-11-15 00:00 41,022 --a------ C:\WINDOWS\system32\IPrtCnst.dll
2007-11-30 10:57 . 2001-11-15 00:00 13,654 --a------ C:\WINDOWS\system32\drivers\IdeBusDr.sys
2007-11-30 10:54 . 1998-02-09 03:00 1,455,736 --a------ C:\WINDOWS\system\VCL35.BPL
2007-11-30 10:54 . 1998-02-08 19:00 996,872 --a------ C:\WINDOWS\system\CP3240MT.DLL
2007-11-30 10:54 . 1998-05-18 10:52 458,752 --a------ C:\WINDOWS\system\COMCTL32.DLL
2007-11-30 10:54 . 1998-02-09 03:00 245,912 --a------ C:\WINDOWS\system\VCLX35.BPL
2007-11-30 10:54 . 1998-02-09 03:00 187,392 --a------ C:\WINDOWS\system\BCBSMP35.BPL
2007-11-30 10:54 . 1998-02-08 19:00 29,952 --a------ C:\WINDOWS\system\BORLNDMM.DLL
2007-11-30 10:53 . 2007-11-30 10:53 <DIR> d-------- C:\Program Files\ASUS
2007-11-30 10:53 . 1996-11-05 16:13 299,008 --a------ C:\WINDOWS\uninst.exe
2007-11-30 10:53 . 1997-04-22 10:16 6,272 --a------ C:\WINDOWS\system32\drivers\ASLM75.SYS
2007-11-30 10:47 . 2007-11-30 10:56 26 --a------ C:\WINDOWS\CMCDPLAY.INI

.
(((((((((((((((((((((((((((((((((((( 近三個月內更動的檔案 )))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-29 04:35 --------- d-----w C:\Program Files\QuickTime
2007-10-29 04:34 --------- d-----w C:\Program Files\Apple Software Update
2007-10-29 04:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-10-25 16:42 8,320,512 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-14 21:15 --------- d-----w C:\Program Files\Winamp
2007-10-14 21:12 --------- d-----w C:\Program Files\Monkey's Audio
2007-10-14 06:04 --------- d-----w C:\Documents and Settings\CM Hwang\Application Data\Registry Cleaner
2007-10-13 02:32 --------- d-----w C:\Documents and Settings\CM Hwang\Application Data\BitTorrent
2007-10-13 02:31 --------- d-----w C:\Program Files\BitTorrent_DNA
2007-10-13 02:31 --------- d-----w C:\Documents and Settings\CM Hwang\Application Data\BitTorrent DNA
2007-10-13 02:11 --------- d-----w C:\Program Files\eMule
2007-07-26 02:16 54,504 ----a-w C:\Documents and Settings\CM Hwang\Application Data\GDIPFONTCACHEV1.DAT
2005-05-12 22:38 912 ----a-w C:\Program Files\INSTALL.LOG
2007-01-05 00:52 5 --sha-w C:\WINDOWS\system32\faaabe_s.dll
.

(((((((((((((((((((((((((((((((((((((((((( 重要登錄檔 )))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*注意* 空白或合法的登錄值將不會顯示

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:47]
"NVIEW"="nview.dll" [2003-05-02 15:19 C:\WINDOWS\system32\nview.dll]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-04-05 13:44]
"MsServer"="msfun80.exe" []
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"BitTorrent DNA"="C:\Program Files\BitTorrent_DNA\dna.exe" [2007-10-13 10:31]
"Registry Cleaner"="C:\Program Files\Registry Cleaner\RegClean.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 13:32]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 15:48]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 15:48]
"LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2001-09-24 09:39]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 15:48 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2003-05-02 15:19 C:\WINDOWS\system32\nwiz.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-04-22 23:31]
"IMJPMIG8.2"="msime82.exe" []
"SoundMnEx32"="C:\WINDOWS\sscserv.exe" []
"jpgdiag"="C:\WINDOWS\system32\jpgconf.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-24 14:02]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"Replace C-Media Mixer"="C:\WINDOWS\W2KSetup.exe" [2001-12-08 04:32]
"C-Media Mixer"="Mixer.exe" [2001-10-23 01:24 C:\WINDOWS\Mixer.exe]
"combofix"="C:\WINDOWS\system32\cmd.exe" [2004-08-04 15:47]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 15:47]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 14:02]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 13:45]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dxtmmnmd]
C:\WINDOWS\system32\dxtmmnmd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jpgmgr]
jpgmgr32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= au3su2ck.dll confjpg.dll jpgstat.dll pns6klale4.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^「開始」功能表^程式集^啟動^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^「開始」功能表^程式集^啟動^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^「開始」功能表^程式集^啟動^GStartup.lnk]
path=C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\GStartup.lnk
backup=C:\WINDOWS\pss\GStartup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^「開始」功能表^程式集^啟動^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^「開始」功能表^程式集^啟動^MyWebSearch Email Plugin.lnk]
path=C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\MyWebSearch Email Plugin.lnk
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^「開始」功能表^程式集^啟動^SpySubtract.lnk]
path=C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\SpySubtract.lnk
backup=C:\WINDOWS\pss\SpySubtract.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^CM Hwang^「開始」功能表^程式集^啟動^MyWebSearch Email Plugin.lnk]
path=C:\Documents and Settings\CM Hwang\「開始」功能表\程式集\啟動\MyWebSearch Email Plugin.lnk
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Agent]
C:\Program Files\CyberLink\PowerVCRII\Agent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
Mixer.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Registry Cleaner]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Remote_Agent]
C:\Program Files\CyberLink\PowerVCRII\RemoteAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

R2 ADPTEHCD;%ADPT_USBEHCD.DeviceDesc%;C:\WINDOWS\system32\DRIVERS\asusehcd.sys
R2 AUSBD_FilterService;AUSBD Filter Service;C:\WINDOWS\system32\DRIVERS\asususbd.sys
R2 r_server;Remote Administrator Service;"C:\WINDOWS\system32\r_server.exe" /service
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys
S1 lusbaudio;Logitech USB Microphone;C:\WINDOWS\system32\drivers\lvsound2.sys
S3 AVCam;Samsung MPCC20 Digital Camera; Video;C:\WINDOWS\system32\DRIVERS\CamDrS21.sys
S3 QCEmerald;Logitech QuickCam Web(PID_0850);C:\WINDOWS\system32\DRIVERS\LVCE.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0467ebfa-d2ad-11db-8122-00045a7a43d1}]
\Shell\Auto\command - F:\fun.xls.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL fun.xls.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{999fc0ee-5175-11db-80f8-00045a7a43d1}]
\Shell\AutoRun\command - F:\Autorun.exe

.
排程工作資料夾的內容
"2007-12-08 17:28:10 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-01-07 18:36:28 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-09 01:42:58
Windows 5.1.2600 Service Pack 2 FAT NTAPI

掃描隱藏的程序...

掃描隱藏的進程...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MsServer = msfun80.exe???.

掃描隱藏的檔案...

掃描完成
隱藏檔案?: 0

**************************************************************************
.
完成時間?: 2007-12-09 1:44:34 - machine was rebooted
.
--- E O F ---
 
Hi

Thanks for info.

Open notepad and copy/paste the text in the quotebox below into it:

Code: 
File::
C:\WINDOWS\system32\faaabe_s.dll

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsServer"=-
"Registry Cleaner"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMnEx32"=-
"jpgdiag"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dxtmmnmd]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jpgmgr]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-


[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^「開始」功能表^程式集^啟動^GStartup.lnk]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^「開始」功能表^程式集^啟動^MyWebSearch Email Plugin.lnk]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0467ebfa-d2ad-11db-8122-00045a7a43d1}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{999fc0ee-5175-11db-80f8-00045a7a43d1}]

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:00:32, on 9/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\mnmsrvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\r_server.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\conime.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\BitTorrent_DNA\dna.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IMJPMIG8.2] msime82.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Replace C-Media Mixer] C:\WINDOWS\W2KSetup.exe -ReplaceMixer
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: 雅虎搜索 - res://C:\Program Files\Yahoo!\Assistant\Assist\yasbar.dll/203
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E847C78C-C210-4195-8799-FBF3BF89797D} (金山毒霸在??品升?) - http://www.duba.net/cab/KOSInit.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe

--
End of file - 5275 bytes
 
ComboFix 07-12-08.1 - CM Hwang 2007-12-09 4:49:42.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.950.1.1028.18.49 [GMT 8:00]
執行位置?: C:\Documents and Settings\CM Hwang\桌面\ComboFix.exe
Command switches used :: C:\Documents and Settings\CM Hwang\桌面\CFScript.txt
* 已建立新的還原點

FILE
C:\WINDOWS\system32\faaabe_s.dll
.

(((((((((((((((((((((((((((((((((((((( 其他遭刪除的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\faaabe_s.dll

.
(((((((((((((((((((((((((((( 2007-11-08 - 2007-12-08 之間建立的檔案 )))))))))))))))))))))))))))))))))
.

2007-12-09 01:38 . 2007-12-09 01:38 68,879 --a------ C:\Documents and Settings\CM Hwang\catchme.zip
2007-12-06 07:54 . 2007-12-06 07:54 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-04 13:37 . 2007-12-04 13:37 <DIR> d-------- C:\Program Files\Lavalys
2007-12-04 13:05 . 2007-12-04 13:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Innovative Solutions
2007-12-04 13:04 . 2006-11-22 11:35 42,496 --a------ C:\WINDOWS\system32\AdvUninstCPL.cpl
2007-12-02 06:48 . 2001-07-24 23:15 241,664 --a------ C:\WINDOWS\system32\r_server.exe
2007-12-02 06:48 . 2000-07-10 20:06 90,112 --a------ C:\WINDOWS\system32\admdll.dll
2007-12-01 12:17 . 2007-12-01 12:17 <DIR> d--hs---- C:\FOUND.012
2007-11-30 15:44 . 2007-11-30 15:44 <DIR> d--hs---- C:\FOUND.011
2007-11-30 15:19 . 2007-11-30 15:19 <DIR> d--hs---- C:\FOUND.010
2007-11-30 10:57 . 2007-11-30 10:57 <DIR> d-------- C:\Program Files\Intel
2007-11-30 10:57 . 2001-11-15 00:00 87,018 --a------ C:\WINDOWS\system32\drivers\IdeChnDr.sys
2007-11-30 10:57 . 2001-11-15 00:00 41,022 --a------ C:\WINDOWS\system32\IPrtCnst.dll
2007-11-30 10:57 . 2001-11-15 00:00 13,654 --a------ C:\WINDOWS\system32\drivers\IdeBusDr.sys
2007-11-30 10:54 . 1998-02-09 03:00 1,455,736 --a------ C:\WINDOWS\system\VCL35.BPL
2007-11-30 10:54 . 1998-02-08 19:00 996,872 --a------ C:\WINDOWS\system\CP3240MT.DLL
2007-11-30 10:54 . 1998-05-18 10:52 458,752 --a------ C:\WINDOWS\system\COMCTL32.DLL
2007-11-30 10:54 . 1998-02-09 03:00 245,912 --a------ C:\WINDOWS\system\VCLX35.BPL
2007-11-30 10:54 . 1998-02-09 03:00 187,392 --a------ C:\WINDOWS\system\BCBSMP35.BPL
2007-11-30 10:54 . 1998-02-08 19:00 29,952 --a------ C:\WINDOWS\system\BORLNDMM.DLL
2007-11-30 10:53 . 2007-11-30 10:53 <DIR> d-------- C:\Program Files\ASUS
2007-11-30 10:53 . 1996-11-05 16:13 299,008 --a------ C:\WINDOWS\uninst.exe
2007-11-30 10:53 . 1997-04-22 10:16 6,272 --a------ C:\WINDOWS\system32\drivers\ASLM75.SYS
2007-11-30 10:47 . 2007-11-30 10:56 26 --a------ C:\WINDOWS\CMCDPLAY.INI

.
(((((((((((((((((((((((((((((((((((( 近三個月內更動的檔案 )))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-29 04:35 --------- d-----w C:\Program Files\QuickTime
2007-10-29 04:34 --------- d-----w C:\Program Files\Apple Software Update
2007-10-29 04:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-10-25 16:42 8,320,512 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-14 21:15 --------- d-----w C:\Program Files\Winamp
2007-10-14 21:12 --------- d-----w C:\Program Files\Monkey's Audio
2007-10-14 06:04 --------- d-----w C:\Documents and Settings\CM Hwang\Application Data\Registry Cleaner
2007-10-13 02:32 --------- d-----w C:\Documents and Settings\CM Hwang\Application Data\BitTorrent
2007-10-13 02:31 --------- d-----w C:\Program Files\BitTorrent_DNA
2007-10-13 02:31 --------- d-----w C:\Documents and Settings\CM Hwang\Application Data\BitTorrent DNA
2007-10-13 02:11 --------- d-----w C:\Program Files\eMule
2007-07-26 02:16 54,504 ----a-w C:\Documents and Settings\CM Hwang\Application Data\GDIPFONTCACHEV1.DAT
2005-05-12 22:38 912 ----a-w C:\Program Files\INSTALL.LOG
.

((((((((((((((((((((((((((((( snapshot@2007-12-09_ 1.43.50.73 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-03-13 02:57:12 163,328 ----a-w C:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE
.
(((((((((((((((((((((((((((((((((((((((((( 重要登錄檔 )))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*注意* 空白或合法的登錄值將不會顯示

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:47]
"NVIEW"="nview.dll" [2003-05-02 15:19 C:\WINDOWS\system32\nview.dll]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-04-05 13:44]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"BitTorrent DNA"="C:\Program Files\BitTorrent_DNA\dna.exe" [2007-10-13 10:31]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 13:32]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 15:48]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 15:48]
"LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2001-09-24 09:39]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 15:48 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2003-05-02 15:19 C:\WINDOWS\system32\nwiz.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-04-22 23:31]
"IMJPMIG8.2"="msime82.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-24 14:02]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"Replace C-Media Mixer"="C:\WINDOWS\W2KSetup.exe" [2001-12-08 04:32]
"C-Media Mixer"="Mixer.exe" [2001-10-23 01:24 C:\WINDOWS\Mixer.exe]
"combofix"="C:\WINDOWS\system32\cmd.exe" [2004-08-04 15:47]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 15:47]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 14:02]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 13:45]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^「開始」功能表^程式集^啟動^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^「開始」功能表^程式集^啟動^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^「開始」功能表^程式集^啟動^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^「開始」功能表^程式集^啟動^SpySubtract.lnk]
path=C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\SpySubtract.lnk
backup=C:\WINDOWS\pss\SpySubtract.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^CM Hwang^「開始」功能表^程式集^啟動^MyWebSearch Email Plugin.lnk]
path=C:\Documents and Settings\CM Hwang\「開始」功能表\程式集\啟動\MyWebSearch Email Plugin.lnk
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Agent]
C:\Program Files\CyberLink\PowerVCRII\Agent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
Mixer.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Registry Cleaner]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Remote_Agent]
C:\Program Files\CyberLink\PowerVCRII\RemoteAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

R2 ADPTEHCD;%ADPT_USBEHCD.DeviceDesc%;C:\WINDOWS\system32\DRIVERS\asusehcd.sys
R2 AUSBD_FilterService;AUSBD Filter Service;C:\WINDOWS\system32\DRIVERS\asususbd.sys
R2 r_server;Remote Administrator Service;"C:\WINDOWS\system32\r_server.exe" /service
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys
S1 lusbaudio;Logitech USB Microphone;C:\WINDOWS\system32\drivers\lvsound2.sys
S3 AVCam;Samsung MPCC20 Digital Camera; Video;C:\WINDOWS\system32\DRIVERS\CamDrS21.sys
S3 QCEmerald;Logitech QuickCam Web(PID_0850);C:\WINDOWS\system32\DRIVERS\LVCE.sys

.
排程工作資料夾的內容
"2007-12-08 20:43:14 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-01-07 18:36:28 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-09 04:55:52
Windows 5.1.2600 Service Pack 2 FAT NTAPI

掃描隱藏的程序...

掃描隱藏的進程...

掃描隱藏的檔案...

掃描完成
隱藏檔案?: 0

**************************************************************************
.
完成時間?: 2007-12-09 4:57:51 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-09 01:44
.
--- E O F ---
 
Hi

Looking better :)

Next step is online scan:

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:

    o Scan using the following Anti-Virus database:

    + Extended (If available otherwise Standard)

    o Scan Options:

    + Scan Archives
    + Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

Post:

- a fresh HijackThis log
- kaspersky report
 
sorry that i have no internet connection at home right now. I will following your steps and post the report as soon as i get back the connection at home. Thanks for helping
 
You must log in or register to reply here.
Back
Top