Author Topic: Need help... can anyone take a look at this logs? (Read 16557 times)

evilfantasy · « **Reply #15 on:** October 15, 2008, 10:06:31 PM »

The extra files are showing because you have the Files and Folders option set to Show All.

Rehide Hidden System Files and Folders

1. Open My Computer
2. Select the Tools menu and click Folder Options
3. Select the View tab.
4. Under the Advanced settings box option select the following:
5. Select Hide extensions for known file types
6. Select Hide protected operating system files
7. Select Do not show hidden files and folders
8. Click OK

----------

Download ComboFix by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

jzown · « **Reply #16 on:** October 15, 2008, 11:50:38 PM »

ComboFix 08-10-15.05 - abigailong 2008-10-16 12:35:01.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.950.886.1033.18.92 [GMT 8:00]
執行位置(Carries out the position

): D:\Documents and Settings\abigailong\Desktop\ComboFix.exe
* 成功創造新還原點 (success creates a new point of origin?

)

注意 - 這台電腦沒有安裝恢復控制台 (Attention - this computer does not have the installment to restore the control bench? )！！[/B]
.

((((((((((((((((((((((((((((((((((((((( 被刪除的檔案 (files that have been deleted) )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
D:\Autorun.inf
D:\BJPrinter\CNMWINDOWS\Canon PIXMA iP1000\Canon PIXMA iP1000\0001\Desktop_.ini
D:\BJPrinter\CNMWINDOWS\Canon PIXMA iP1000\Canon PIXMA iP1000\Desktop_.ini
D:\BJPrinter\CNMWINDOWS\Canon PIXMA iP1000\Desktop_.ini
D:\BJPrinter\CNMWINDOWS\Canon PIXMA iP1000\Drvlog\Canon PIXMA iP1000\Desktop_.ini
D:\BJPrinter\CNMWINDOWS\Canon PIXMA iP1000\Drvlog\Desktop_.ini
D:\BJPrinter\CNMWINDOWS\Canon PIXMA iP1000\LanguageModules\0404\Desktop_.ini
D:\BJPrinter\CNMWINDOWS\Canon PIXMA iP1000\LanguageModules\0409\Desktop_.ini
D:\BJPrinter\CNMWINDOWS\Canon PIXMA iP1000\LanguageModules\0412\Desktop_.ini
D:\BJPrinter\CNMWINDOWS\Canon PIXMA iP1000\LanguageModules\041E\Desktop_.ini
D:\BJPrinter\CNMWINDOWS\Canon PIXMA iP1000\LanguageModules\0804\Desktop_.ini
D:\BJPrinter\CNMWINDOWS\Canon PIXMA iP1000\LanguageModules\Desktop_.ini
D:\BJPrinter\CNMWINDOWS\Canon PIXMA iP1000\Picture\Desktop_.ini
D:\BJPrinter\CNMWINDOWS\Canon PIXMA iP1000\UserProfile\abigailong\Desktop_.ini
D:\BJPrinter\CNMWINDOWS\Canon PIXMA iP1000\UserProfile\Desktop_.ini
D:\BJPrinter\CNMWINDOWS\Canon PIXMA iP1000\UserProfile\SYSTEM\Desktop_.ini
D:\BJPrinter\CNMWINDOWS\Desktop_.ini
D:\BJPrinter\Desktop_.ini
D:\DOCUME~1\ABIGAI~1\LOCALS~1\Temp\tmp2.tmp
D:\Documents and Settings\abigailong\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
D:\Drivers\Desktop_.ini
D:\Drivers\SonyUSB\Desktop_.ini
D:\RECYCLER\Desktop_.ini
D:\RECYCLER\Desktop__.ini
D:\RECYCLER\NPROTECT\Desktop_.ini
D:\VFW\Desktop_.ini
D:\WINDOWS\IE4 Error Log.txt
D:\WINDOWS\msnimport.exe
G:\autorun.inf

.
((((((((((((((((((((((((( 2008-09-16 至 2008-10-16 的新的檔案 (new files from 2008-09-16 to 2008-10-16) )))))))))))))))))))))))))))))))
.

2008-10-16 08:01 . 2008-10-16 08:01   262,144   --a------   D:\ntuser.dat
2008-10-08 21:43 . 2008-10-08 21:43   <DIR>   d--------   D:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-10-08 21:43 . 2008-10-08 21:43   <DIR>   d--------   D:\Documents and Settings\abigailong\Application Data\Malwarebytes
2008-10-08 21:42 . 2008-10-08 21:42   <DIR>   d--------   D:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-08 21:42 . 2008-09-10 00:04   38,528   --a------   D:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-08 21:42 . 2008-09-10 00:03   17,200   --a------   D:\WINDOWS\system32\drivers\mbam.sys
2008-10-08 21:41 . 2008-10-08 21:41   <DIR>   d--------   D:\Documents and Settings\abigailong\Application Data\SUPERAntiSpyware.com
2008-10-08 21:29 . 2008-10-08 21:29   <DIR>   d--------   D:\Program Files\Common Files\Wise Installation Wizard
2008-10-08 18:56 . 2008-10-08 18:56   <DIR>   dr-------   D:\My Pictures
2008-10-07 14:33 . 2003-12-12 16:06   1,693,696   --a------   D:\WINDOWS\system32\ltclr13n.dll
2008-10-07 14:33 . 2003-11-04 15:11   155,648   --a------   D:\WINDOWS\system32\lftif13n.dll
2008-10-07 14:33 . 2003-11-04 15:10   98,304   --a------   D:\WINDOWS\system32\lffax13n.dll
2008-09-23 15:00 . 2008-09-23 15:00   26,800   --ah-----   D:\WINDOWS\system32\mlfcache.dat
2008-09-16 05:55 . 2008-09-16 05:55   <DIR>   d--------   D:\Program Files\Apple Software Update

.
(((((((((((((((((((((((((((((((((((((((( 在三個月內被修改的檔案 (files that have been fixed within 3 months) ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-16 04:53   ---------   d-----w   D:\Documents and Settings\abigailong\Application Data\Skype
2008-10-16 03:14   ---------   d-----w   D:\Documents and Settings\abigailong\Application Data\Yahoo!
2008-10-16 00:01   ---------   d--h--r   D:\Documents and Settings\All Users\Application Data\yahoo!
2008-10-08 03:40   ---------   d-----w   D:\Program Files\Common Files\Ahead
2008-09-15 22:08   ---------   d-----w   D:\Documents and Settings\abigailong\Application Data\Apple Computer
2008-09-09 03:30   ---------   d-----w   D:\Documents and Settings\All Users\Application Data\Apple Computer
2008-09-03 23:17   ---------   d-----w   D:\Documents and Settings\All Users\Application Data\TEMP
2008-07-18 14:10   94,920   ----a-w   D:\WINDOWS\system32\cdm.dll
2008-07-18 14:10   53,448   ----a-w   D:\WINDOWS\system32\wuauclt.exe
2008-07-18 14:10   45,768   ----a-w   D:\WINDOWS\system32\wups2.dll
2008-07-18 14:10   36,552   ----a-w   D:\WINDOWS\system32\wups.dll
2008-07-18 14:09   563,912   ----a-w   D:\WINDOWS\system32\wuapi.dll
2008-07-18 14:09   325,832   ----a-w   D:\WINDOWS\system32\wucltui.dll
2008-07-18 14:09   205,000   ----a-w   D:\WINDOWS\system32\wuweb.dll
2008-07-18 14:09   1,811,656   ----a-w   D:\WINDOWS\system32\wuaueng.dll
2008-06-20 03:18   25,976   ----a-w   D:\Documents and Settings\abigailong\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( 重要登入點 ( Important point of entry

) ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白與合法缺省登錄將不會被顯示 (* Attention * blank and legitimate default will register cannot demonstrate

)
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
2008-06-03 04:56 160496 --a------ D:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"MsnMsgr"="D:\Program Files\MSN Messenger\MsnMsgr.Exe" [2006-06-17 5324584]
"Skype"="D:\Program Files\Skype\Phone\Skype.exe" [2006-07-07 20034600]
"Yahoo! Pager"="D:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2006-07-05 4538368]
"EPSON Stylus CX5500 Series"="D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICAP.EXE" [2007-03-01 180736]
"EPSON Stylus CX5500 Series (Copy 1)"="D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICAP.EXE" [2007-03-01 180736]
"YSearchProtection"="D:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"Search Protection"="D:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="D:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2002-06-04 126976]
"SynTPEnh"="D:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2002-06-04 540672]
"AdaptecDirectCD"="D:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-06-19 684032]
"LiveMonitor"="D:\Program Files\MSI\Live Update 3\LMonitor.exe" [2006-06-08 484352]
"YSearchProtection"="D:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"GWMDMMSG"="GWMDMMSG.exe" [2002-05-07 D:\WINDOWS\GWMDMMSG.exe]
"ATIModeChange"="Ati2mdxx.exe" [2002-05-25 D:\WINDOWS\system32\Ati2mdxx.exe]
"AtiPTA"="atiptaxx.exe" [2002-05-25 D:\WINDOWS\system32\atiptaxx.exe]
"Multi-function Keyboard"="GWHotKey.exe" [2001-08-29 D:\WINDOWS\GWHotKey.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="D:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2003-06-19 54472]

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Install Pending Files.LNK - D:\Program Files\SIFXINST\SIFXINST.EXE [2006-03-24 569344]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
SecureDoc.lnk - D:\Program Files\MSI\SecureDoc\Logon.exe [2006-07-27 82944]
Wireless LAN Utility.lnk - D:\WINDOWS\Installer\{BDC88E5A-F47B-4314-AB38-994592E32C95}\NewShortcut1.exe [2006-08-27 40960]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "F:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 F:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\Messenger\\msmsgs.exe"=
"D:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"D:\\Program Files\\MSN Messenger\\msncall.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"D:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"D:\\WINDOWS\\system32\\dpvsetup.exe"=
"D:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;D:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R2 aswFsBlk;aswFsBlk;D:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R2 NwSapAgent;SAP Agent;D:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
S3 iscFlash;iscFlash;D:\WINDOWS\SYSTEM32\DRIVERS\iscflash.sys [ ]
S3 SIS163u;SiS 163 usb Wireless LAN Adapter Driver;D:\WINDOWS\system32\DRIVERS\sis163u.sys [2005-03-29 167424]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{21c77220-e0f3-11dc-8398-00e0b84a92c3}]
\Shell\AutoRun\command - F:\
\Shell\explore\Command - WScript.exe .\alecks.vbs
\Shell\open\Command - WScript.exe .\alecks.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb9079a2-ef3a-11dc-83aa-00e0b84a92c3}]
\Shell\AutoRun\command - b.com
\Shell\explore\Command - b.com
\Shell\open\Command - b.com
.
‘計劃任務’ 文件夾裡的內容 (`in plan duty' folder content

)

2008-10-16 D:\WINDOWS\Tasks\avast! Antivirus.job
- D:\PROGRA~1\ALWILS~1\Avast4\ashAvast.exe [2008-07-19 22:28]

2008-10-16 D:\WINDOWS\Tasks\Symantec NetDetect.job
- D:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2003-06-19 08:17]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-FreeCall - C:\Program Files\FreeCall.com\FreeCall\FreeCall.exe
HKCU-Run-updateMgr - D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

.
------- 而外的掃描 (outside scanning

I think what it is trying to say is that it is scanning external files?)-------.
R0 -: HKCU-Main,Start Page = hxxp://www.mainlib.upd.edu.ph/webopac/
R0 -: HKLM-Main,Start Page = hxxp://www.yahoo.com/
R0 -: HKLM-Main,Search Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 -: HKCU-Internet Settings,ProxyServer = 192.168.0.1
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
R1 -: HKCU-SearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000

O16 -: Microsoft XML Parser for Java - file://D:\WINDOWS\Java\classes\xmldso.cab
D:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: {0F04992B-E661-4DB9-B223-903AB628225D} - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
D:\WINDOWS\Downloaded Program Files\DoMoreRunExe.INF
C:\WINDOWS\Downloaded Program Files\DoMoreRunExe.ocx
C:\WINDOWS\System32\ASYCFILT.DLL
C:\WINDOWS\System32\COMCAT.DLL
C:\WINDOWS\System32\COMDLG32.OCX
C:\WINDOWS\System32\MSSTKPRP.DLL
C:\WINDOWS\System32\msvbvm60.dll
C:\WINDOWS\System32\OLEAUT32.DLL
C:\WINDOWS\System32\OLEPRO32.DLL
C:\WINDOWS\System32\STDOLE2.TLB
C:\WINDOWS\System32\wshom.ocx

O16 -: {E831AA9C-C980-4F16-B252-09AAF40D0E9B} - hxxp://k-defence.kbstar.com/kdfx218/kbstar/kdfense9.cab
D:\WINDOWS\Downloaded Program Files\kdfense9.inf
D:\WINDOWS\system32\mfc42.dll
D:\WINDOWS\system32\msvcrt.dll
D:\WINDOWS\system32\olepro32.dll
D:\WINDOWS\Downloaded Program Files\kdfense9.ocx
.
.
------- 文件類型 (Document type)-------
.
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-16 12:45:07
Windows 5.1.2600 Service Pack 2 NTFS

掃描被隱藏的進程 (The scanning the advancement which hides or this might be hidden scans on progress

)。。。 ...

掃描被隱藏的啟動組 (scanning hidden start group

)。。。

掃描被隱藏的文件 (scanning hidden files)。。。

掃描完成 (scanning complete or done)
被隱藏的檔案(hidden files): 0

**************************************************************************
.
------------------------ 其他運行進程 (other actions in progress) ------------------------
.
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\conime.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\WINDOWS\system32\ati2evxx.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
D:\Program Files\corega\WLUSB2GL\SiSWLSvc.exe
D:\WINDOWS\system32\wdfmgr.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\corega\WLUSB2GL\WlanCU.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
完成時間(time completed or time done): 2008-10-16 13:00:00 - 電腦已重新啟動 (computer started)ComboFix-quarantined-files.txt 2008-10-16 04:59:39

Pre-Run: 959,430,656 bytes free
Post-Run: 2,719,629,312 bytes free

216 --- E O F --- 2008-09-15 15:44:03

Some words came out in chines... I don't know most of them, so I tried the online translator, I don't know if they are right... hope you get the idea.

jzown · « **Reply #17 on:** October 15, 2008, 11:52:25 PM »

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:11:09 PM, on 10/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\conime.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
D:\Program Files\corega\WLUSB2GL\SiSWLSvc.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\GWMDMMSG.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\WINDOWS\system32\atiptaxx.exe
D:\WINDOWS\GWHotKey.exe
D:\Program Files\Synaptics\SynTP\SynTPLpr.exe
D:\Program Files\Synaptics\SynTP\SynTPEnh.exe
D:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
D:\Program Files\MSI\Live Update 3\LMonitor.exe
D:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Skype\Phone\Skype.exe
D:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
D:\Program Files\MSI\SecureDoc\Logon.exe
D:\Program Files\corega\WLUSB2GL\WlanCU.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\system32\notepad.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - D:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [SynTPLpr] D:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] D:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "D:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [liveMonitor] D:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [YSearchProtection] "D:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [EPSON Stylus CX5500 Series] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICAP.EXE /FU "D:\WINDOWS\TEMP\E_SAB.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [EPSON Stylus CX5500 Series (Copy 1)] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICAP.EXE /FU "D:\WINDOWS\TEMP\E_S152.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [YSearchProtection] D:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [Search Protection] D:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] D:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] D:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Global Startup: Install Pending Files.LNK = D:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SecureDoc.lnk = D:\Program Files\MSI\SecureDoc\Logon.exe
O4 - Global Startup: Wireless LAN Utility.lnk = %SystemRoot%\Installer\{BDC88E5A-F47B-4314-AB38-994592E32C95}\NewShortcut1.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - D:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {E831AA9C-C980-4F16-B252-09AAF40D0E9B} (Kdfense9 Control) - http://k-defence.kbstar.com/kdfx218/kbstar/kdfense9.cab
O20 - Winlogon Notify: !SASWinLogon - F:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - D:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: NBService - Nero AG - F:\Apps\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: PictureTaker - LANovation - D:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - D:\Program Files\corega\WLUSB2GL\SiSWLSvc.exe

--
End of file - 7593 bytes

jzown · « **Reply #18 on:** October 16, 2008, 02:02:00 AM »

I think everything is fixed now...

I could already open my drives directly...

Thank you so much for everything...

evilfantasy · « **Reply #19 on:** October 16, 2008, 11:22:55 AM »

Looks like there was some other stuff going on I couldn't see from the prior logs.

Still need to take care of a few things.

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code: [Select]

KillAll::

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{21c77220-e0f3-11dc-8398-00e0b84a92c3}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb9079a2-ef3a-11dc-83aa-00e0b84a92c3}]

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

----------

Download the Norton Removal Tool (SymNRT) to your Desktop.

Once downloaded please close ALL open browsers, also save any work because this may require a restart.

Go to your desktop and double click on the removal tool and then click Setup.
Once open Click Next
Accept the license agreement and click Next
Type in the letters/numbers that you see into the text box then click Next.
Then click Next and the tool will start running.
Once finished restart the PC and run the tool again to ensure everything has been removed.
Delete Nortonremoval tool from your Desktop.

jzown · « **Reply #20 on:** October 17, 2008, 08:11:26 AM »

Here's the log...

ComboFix 08-10-16.08 - abigailong 2008-10-17 20:48:22.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.950.886.1033.18.78 [GMT 8:00]
執行位置: D:\Documents and Settings\abigailong\Desktop\ComboFix.exe
Command switches used :: D:\Documents and Settings\abigailong\Desktop\CFScript.txt
* 成功創造新還原點

注意 - 這台電腦沒有安裝恢復控制台！！
.

((((((((((((((((((((((((( 2008-09-17 至 2008-10-17 的新的檔案 )))))))))))))))))))))))))))))))
.

2008-10-16 08:01 . 2008-10-16 08:01   262,144   --a------   D:\ntuser.dat
2008-10-08 21:43 . 2008-10-08 21:43   <DIR>   d--------   D:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-10-08 21:43 . 2008-10-08 21:43   <DIR>   d--------   D:\Documents and Settings\abigailong\Application Data\Malwarebytes
2008-10-08 21:42 . 2008-10-08 21:42   <DIR>   d--------   D:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-08 21:42 . 2008-09-10 00:04   38,528   --a------   D:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-08 21:42 . 2008-09-10 00:03   17,200   --a------   D:\WINDOWS\system32\drivers\mbam.sys
2008-10-08 21:41 . 2008-10-08 21:41   <DIR>   d--------   D:\Documents and Settings\abigailong\Application Data\SUPERAntiSpyware.com
2008-10-08 21:29 . 2008-10-08 21:29   <DIR>   d--------   D:\Program Files\Common Files\Wise Installation Wizard
2008-10-08 18:56 . 2008-10-08 18:56   <DIR>   dr-------   D:\My Pictures
2008-10-07 14:33 . 2003-12-12 16:06   1,693,696   --a------   D:\WINDOWS\system32\ltclr13n.dll
2008-10-07 14:33 . 2003-11-04 15:11   155,648   --a------   D:\WINDOWS\system32\lftif13n.dll
2008-10-07 14:33 . 2003-11-04 15:10   98,304   --a------   D:\WINDOWS\system32\lffax13n.dll
2008-09-23 15:00 . 2008-09-23 15:00   26,800   --ah-----   D:\WINDOWS\system32\mlfcache.dat

.
(((((((((((((((((((((((((((((((((((((((( 在三個月內被修改的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-17 13:03   ---------   d-----w   D:\Documents and Settings\abigailong\Application Data\Skype
2008-10-16 03:14   ---------   d-----w   D:\Documents and Settings\abigailong\Application Data\Yahoo!
2008-10-16 00:01   ---------   d--h--r   D:\Documents and Settings\All Users\Application Data\yahoo!
2008-10-08 03:40   ---------   d-----w   D:\Program Files\Common Files\Ahead
2008-09-15 22:08   ---------   d-----w   D:\Documents and Settings\abigailong\Application Data\Apple Computer
2008-09-15 21:55   ---------   d-----w   D:\Program Files\Apple Software Update
2008-09-15 11:57   1,846,016   ----a-w   D:\WINDOWS\system32\win32k.sys
2008-09-09 03:30   ---------   d-----w   D:\Documents and Settings\All Users\Application Data\Apple Computer
2008-09-03 23:17   ---------   d-----w   D:\Documents and Settings\All Users\Application Data\TEMP
2008-08-28 10:04   333,056   ----a-w   D:\WINDOWS\system32\drivers\srv.sys
2008-08-20 05:38   659,456   ----a-w   D:\WINDOWS\system32\wininet.dll
2008-08-14 10:00   2,180,352   ----a-w   D:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 09:22   2,057,728   ----a-w   D:\WINDOWS\system32\ntkrnlpa.exe
2008-07-18 14:10   94,920   ----a-w   D:\WINDOWS\system32\cdm.dll
2008-07-18 14:10   53,448   ----a-w   D:\WINDOWS\system32\wuauclt.exe
2008-07-18 14:10   45,768   ----a-w   D:\WINDOWS\system32\wups2.dll
2008-07-18 14:10   36,552   ----a-w   D:\WINDOWS\system32\wups.dll
2008-07-18 14:09   563,912   ----a-w   D:\WINDOWS\system32\wuapi.dll
2008-07-18 14:09   325,832   ----a-w   D:\WINDOWS\system32\wucltui.dll
2008-07-18 14:09   205,000   ----a-w   D:\WINDOWS\system32\wuweb.dll
2008-07-18 14:09   1,811,656   ----a-w   D:\WINDOWS\system32\wuaueng.dll
2008-06-20 03:18   25,976   ----a-w   D:\Documents and Settings\abigailong\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-10-16_12.58.24.82 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-02-28 09:08:48   2,136,064   ------w   D:\WINDOWS\Driver Cache\i386\ntkrnlmp.exe
+ 2008-08-14 09:58:27   2,136,064   ------w   D:\WINDOWS\Driver Cache\i386\ntkrnlmp.exe
- 2007-02-28 08:38:55   2,057,600   ------w   D:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
+ 2008-08-14 09:22:13   2,057,728   ------w   D:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
- 2007-02-28 08:38:57   2,015,744   ------w   D:\WINDOWS\Driver Cache\i386\ntkrpamp.exe
+ 2008-08-14 09:22:14   2,015,744   ------w   D:\WINDOWS\Driver Cache\i386\ntkrpamp.exe
- 2007-02-28 09:10:57   2,180,352   ------w   D:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
+ 2008-08-14 10:00:45   2,180,352   ------w   D:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
- 2008-06-23 15:38:28   1,023,488   ----a-w   D:\WINDOWS\system32\browseui.dll
+ 2008-08-20 05:38:45   1,023,488   ----a-w   D:\WINDOWS\system32\browseui.dll
- 2008-06-23 15:38:29   151,040   ----a-w   D:\WINDOWS\system32\cdfview.dll
+ 2008-08-20 05:38:39   151,040   ----a-w   D:\WINDOWS\system32\cdfview.dll
- 2008-06-23 15:38:30   1,054,208   ----a-w   D:\WINDOWS\system32\danim.dll
+ 2008-08-20 05:38:40   1,054,208   ----a-w   D:\WINDOWS\system32\danim.dll
- 2008-06-20 10:44:38   138,368   -c----w   D:\WINDOWS\system32\dllcache\afd.sys
+ 2008-08-14 09:51:43   138,368   -c----w   D:\WINDOWS\system32\dllcache\afd.sys
- 2008-06-23 15:38:28   1,023,488   -c----w   D:\WINDOWS\system32\dllcache\browseui.dll
+ 2008-08-20 05:38:45   1,023,488   -c----w   D:\WINDOWS\system32\dllcache\browseui.dll
- 2008-06-23 15:38:29   151,040   -c----w   D:\WINDOWS\system32\dllcache\cdfview.dll
+ 2008-08-20 05:38:39   151,040   -c----w   D:\WINDOWS\system32\dllcache\cdfview.dll
- 2008-06-23 15:38:30   1,054,208   -c----w   D:\WINDOWS\system32\dllcache\danim.dll
+ 2008-08-20 05:38:40   1,054,208   -c----w   D:\WINDOWS\system32\dllcache\danim.dll
- 2008-06-23 15:38:30   357,888   -c----w   D:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2008-08-20 05:38:40   357,888   -c----w   D:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2008-06-23 15:38:30   205,312   -c----w   D:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2008-08-20 05:38:40   205,312   -c----w   D:\WINDOWS\system32\dllcache\dxtrans.dll
- 2008-06-23 15:38:30   55,808   -c----w   D:\WINDOWS\system32\dllcache\extmgr.dll
+ 2008-08-20 05:38:40   55,808   -c----w   D:\WINDOWS\system32\dllcache\extmgr.dll
- 2008-06-23 09:49:29   18,432   -c----w   D:\WINDOWS\system32\dllcache\iedw.exe
+ 2008-08-19 09:30:39   18,432   -c----w   D:\WINDOWS\system32\dllcache\iedw.exe
- 2008-06-23 15:38:31   251,392   -c----w   D:\WINDOWS\system32\dllcache\iepeers.dll
+ 2008-08-20 05:38:41   251,392   -c----w   D:\WINDOWS\system32\dllcache\iepeers.dll
- 2008-06-23 15:38:31   96,256   -c----w   D:\WINDOWS\system32\dllcache\inseng.dll
+ 2008-08-20 05:38:41   96,256   -c----w   D:\WINDOWS\system32\dllcache\inseng.dll
- 2008-06-23 15:38:31   16,384   -c----w   D:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2008-08-20 05:38:44   16,384   -c----w   D:\WINDOWS\system32\dllcache\jsproxy.dll
- 2008-06-23 15:38:33   3,059,712   -c----w   D:\WINDOWS\system32\dllcache\mshtml.dll
+ 2008-08-20 05:38:47   3,060,224   -c----w   D:\WINDOWS\system32\dllcache\mshtml.dll
- 2008-06-23 15:38:33   449,024   -c----w   D:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2008-08-20 05:38:43   449,024   -c----w   D:\WINDOWS\system32\dllcache\mshtmled.dll
- 2008-06-23 15:38:33   146,432   -c----w   D:\WINDOWS\system32\dllcache\msrating.dll
+ 2008-08-20 05:38:41   146,432   -c----w   D:\WINDOWS\system32\dllcache\msrating.dll
- 2008-06-23 15:38:33   532,480   -c----w   D:\WINDOWS\system32\dllcache\mstime.dll
+ 2008-08-20 05:38:41   532,480   -c----w   D:\WINDOWS\system32\dllcache\mstime.dll
- 2007-02-28 09:08:48   2,136,064   -c----w   D:\WINDOWS\system32\dllcache\ntkrnlmp.exe
+ 2008-08-14 09:58:27   2,136,064   -c----w   D:\WINDOWS\system32\dllcache\ntkrnlmp.exe
- 2007-02-28 08:38:55   2,057,600   -c----w   D:\WINDOWS\system32\dllcache\ntkrnlpa.exe
+ 2008-08-14 09:22:13   2,057,728   -c----w   D:\WINDOWS\system32\dllcache\ntkrnlpa.exe
- 2007-02-28 08:38:57   2,015,744   -c----w   D:\WINDOWS\system32\dllcache\ntkrpamp.exe
+ 2008-08-14 09:22:14   2,015,744   -c----w   D:\WINDOWS\system32\dllcache\ntkrpamp.exe
- 2007-02-28 09:10:57   2,180,352   -c----w   D:\WINDOWS\system32\dllcache\ntoskrnl.exe
+ 2008-08-14 10:00:45   2,180,352   -c----w   D:\WINDOWS\system32\dllcache\ntoskrnl.exe
- 2008-06-23 15:38:33   39,424   -c----w   D:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2008-08-20 05:38:41   39,424   -c----w   D:\WINDOWS\system32\dllcache\pngfilt.dll
- 2008-06-23 15:38:34   1,494,528   -c----w   D:\WINDOWS\system32\dllcache\shdocvw.dll
+ 2008-08-20 05:38:42   1,494,528   -c----w   D:\WINDOWS\system32\dllcache\shdocvw.dll
- 2008-06-23 15:38:34   474,112   -c----w   D:\WINDOWS\system32\dllcache\shlwapi.dll
+ 2008-08-20 05:38:44   474,112   -c----w   D:\WINDOWS\system32\dllcache\shlwapi.dll
- 2006-08-14 10:34:41   332,928   -c----w   D:\WINDOWS\system32\dllcache\srv.sys
+ 2008-08-28 10:04:17   333,056   -c----w   D:\WINDOWS\system32\dllcache\srv.sys
- 2008-06-23 15:38:34   615,936   -c----w   D:\WINDOWS\system32\dllcache\urlmon.dll
+ 2008-08-20 05:38:45   615,936   -c----w   D:\WINDOWS\system32\dllcache\urlmon.dll
- 2008-03-19 09:47:00   1,845,248   -c----w   D:\WINDOWS\system32\dllcache\win32k.sys
+ 2008-09-15 11:57:41   1,846,016   -c----w   D:\WINDOWS\system32\dllcache\win32k.sys
- 2008-06-23 15:38:34   659,456   -c----w   D:\WINDOWS\system32\dllcache\wininet.dll
+ 2008-08-20 05:38:43   659,456   -c----w   D:\WINDOWS\system32\dllcache\wininet.dll
- 2008-06-20 10:44:38   138,368   ----a-w   D:\WINDOWS\system32\drivers\afd.sys
+ 2008-08-14 09:51:43   138,368   ----a-w   D:\WINDOWS\system32\drivers\afd.sys
- 2008-06-23 15:38:30   357,888   ----a-w   D:\WINDOWS\system32\dxtmsft.dll
+ 2008-08-20 05:38:40   357,888   ----a-w   D:\WINDOWS\system32\dxtmsft.dll
- 2008-06-23 15:38:30   205,312   ----a-w   D:\WINDOWS\system32\dxtrans.dll
+ 2008-08-20 05:38:40   205,312   ----a-w   D:\WINDOWS\system32\dxtrans.dll
- 2008-06-23 15:38:30   55,808   ------w   D:\WINDOWS\system32\extmgr.dll
+ 2008-08-20 05:38:40   55,808   ------w   D:\WINDOWS\system32\extmgr.dll
- 2008-06-27 05:10:23   122,928   ----a-w   D:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-10-17 12:22:58   122,928   ----a-w   D:\WINDOWS\system32\FNTCACHE.DAT
- 2008-06-23 15:38:31   251,392   ----a-w   D:\WINDOWS\system32\iepeers.dll
+ 2008-08-20 05:38:41   251,392   ----a-w   D:\WINDOWS\system32\iepeers.dll
- 2008-06-23 15:38:31   96,256   ----a-w   D:\WINDOWS\system32\inseng.dll
+ 2008-08-20 05:38:41   96,256   ----a-w   D:\WINDOWS\system32\inseng.dll
- 2008-06-23 15:38:31   16,384   ----a-w   D:\WINDOWS\system32\jsproxy.dll
+ 2008-08-20 05:38:44   16,384   ----a-w   D:\WINDOWS\system32\jsproxy.dll
- 2008-06-23 15:38:33   3,059,712   ----a-w   D:\WINDOWS\system32\mshtml.dll
+ 2008-08-20 05:38:47   3,060,224   ----a-w   D:\WINDOWS\system32\mshtml.dll
- 2008-06-23 15:38:33   449,024   ----a-w   D:\WINDOWS\system32\mshtmled.dll
+ 2008-08-20 05:38:43   449,024   ----a-w   D:\WINDOWS\system32\mshtmled.dll
- 2008-06-23 15:38:33   146,432   ----a-w   D:\WINDOWS\system32\msrating.dll
+ 2008-08-20 05:38:41   146,432   ----a-w   D:\WINDOWS\system32\msrating.dll
- 2008-06-23 15:38:33   532,480   ----a-w   D:\WINDOWS\system32\mstime.dll
+ 2008-08-20 05:38:41   532,480   ----a-w   D:\WINDOWS\system32\mstime.dll
- 2008-06-23 15:38:33   39,424   ----a-w   D:\WINDOWS\system32\pngfilt.dll
+ 2008-08-20 05:38:41   39,424   ----a-w   D:\WINDOWS\system32\pngfilt.dll
- 2008-06-23 15:38:34   1,494,528   ----a-w   D:\WINDOWS\system32\shdocvw.dll
+ 2008-08-20 05:38:42   1,494,528   ----a-w   D:\WINDOWS\system32\shdocvw.dll
- 2008-06-23 15:38:34   474,112   ----a-w   D:\WINDOWS\system32\shlwapi.dll
+ 2008-08-20 05:38:44   474,112   ----a-w   D:\WINDOWS\system32\shlwapi.dll
- 2007-07-27 02:41:40   16,760   ------w   D:\WINDOWS\system32\spmsg.dll
+ 2007-11-30 11:18:51   17,272   ------w   D:\WINDOWS\system32\spmsg.dll
- 2008-06-23 15:38:34   615,936   ----a-w   D:\WINDOWS\system32\urlmon.dll
+ 2008-08-20 05:38:45   615,936   ----a-w   D:\WINDOWS\system32\urlmon.dll
- 2008-07-03 09:14:02   351,744   ----a-w   D:\WINDOWS\system32\xpsp3res.dll
+ 2008-08-19 09:20:32   351,744   ----a-w   D:\WINDOWS\system32\xpsp3res.dll
+ 2008-10-17 12:55:05   16,384   ----atw   D:\WINDOWS\Temp\Perflib_Perfdata_690.dat
.
-- 快照技術重新設置 --
.
((((((((((((((((((((((((((((((((((((( 重要登入點 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白與合法缺省登錄將不會被顯示
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
2008-06-03 04:56   160496   --a------   D:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"MsnMsgr"="D:\Program Files\MSN Messenger\MsnMsgr.Exe" [2006-06-17 5324584]
"Skype"="D:\Program Files\Skype\Phone\Skype.exe" [2006-07-07 20034600]
"Yahoo! Pager"="D:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2006-07-05 4538368]
"EPSON Stylus CX5500 Series"="D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICAP.EXE" [2007-03-01 180736]
"EPSON Stylus CX5500 Series (Copy 1)"="D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICAP.EXE" [2007-03-01 180736]
"YSearchProtection"="D:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"Search Protection"="D:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="D:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2002-06-04 126976]
"SynTPEnh"="D:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2002-06-04 540672]
"AdaptecDirectCD"="D:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-06-19 684032]
"LiveMonitor"="D:\Program Files\MSI\Live Update 3\LMonitor.exe" [2006-06-08 484352]
"YSearchProtection"="D:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"GWMDMMSG"="GWMDMMSG.exe" [2002-05-07 D:\WINDOWS\GWMDMMSG.exe]
"ATIModeChange"="Ati2mdxx.exe" [2002-05-25 D:\WINDOWS\system32\Ati2mdxx.exe]
"AtiPTA"="atiptaxx.exe" [2002-05-25 D:\WINDOWS\system32\atiptaxx.exe]
"Multi-function Keyboard"="GWHotKey.exe" [2001-08-29 D:\WINDOWS\GWHotKey.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="D:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2003-06-19 54472]

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Install Pending Files.LNK - D:\Program Files\SIFXINST\SIFXINST.EXE [2006-03-24 569344]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
SecureDoc.lnk - D:\Program Files\MSI\SecureDoc\Logon.exe [2006-07-27 82944]
Wireless LAN Utility.lnk - D:\WINDOWS\Installer\{BDC88E5A-F47B-4314-AB38-994592E32C95}\NewShortcut1.exe [2006-08-27 40960]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "F:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 F:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\Messenger\\msmsgs.exe"=
"D:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"D:\\Program Files\\MSN Messenger\\msncall.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"D:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"D:\\WINDOWS\\system32\\dpvsetup.exe"=
"D:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;D:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R2 aswFsBlk;aswFsBlk;D:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R2 NwSapAgent;SAP Agent;D:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
S3 iscFlash;iscFlash;D:\WINDOWS\SYSTEM32\DRIVERS\iscflash.sys [ ]
S3 SIS163u;SiS 163 usb Wireless LAN Adapter Driver;D:\WINDOWS\system32\DRIVERS\sis163u.sys [2005-03-29 167424]
.
‘計劃任務’ 文件夾裡的內容

2008-10-17 D:\WINDOWS\Tasks\avast! Antivirus.job
- D:\PROGRA~1\ALWILS~1\Avast4\ashAvast.exe [2008-07-19 22:28]

2008-10-17 D:\WINDOWS\Tasks\Symantec NetDetect.job
- D:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2003-06-19 08:17]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-17 20:57:21
Windows 5.1.2600 Service Pack 2 NTFS

掃描被隱藏的進程。。。 ...

掃描被隱藏的啟動組。。。

掃描被隱藏的文件。。。

掃描完成
被隱藏的檔案: 0

**************************************************************************
.
------------------------ 其他運行進程 ------------------------
.
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\conime.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\WINDOWS\system32\ati2evxx.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
D:\Program Files\corega\WLUSB2GL\SiSWLSvc.exe
D:\WINDOWS\system32\wdfmgr.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\corega\WLUSB2GL\WlanCU.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
完成時間: 2008-10-17 21:13:50 - 電腦已重新啟動
ComboFix-quarantined-files.txt 2008-10-17 13:13:25
ComboFix2.txt 2008-10-16 05:00:05

Pre-Run: 2,619,138,048 bytes free
Post-Run: 2,630,262,784 bytes free

251   --- E O F ---   2008-10-16 14:38:35

evilfantasy · « **Reply #21 on:** October 17, 2008, 10:32:53 AM »

Click START then RUN
Now type Combofix /u in the runbox
Make sure there's a space between Combofix and /u
Then hit Enter.

The above procedure will:
Delete the following:
ComboFix and its associated files and folders.
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Set a new, clean Restore Point.

This scanner requires Internet Explorer

Use the ESET Nod32 Online Scanner

1. Check the box next to YES, I accept the Terms of Use.
2. Click Start
3. When asked, allow the activex control to install
4. Click Start
5. Make sure that the option Remove found threats and the option Scan unwanted applications is check marked.
6. Click Scan
7. Wait for the scan to finish
8. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
9. Add the C:\Program Files\EsetOnlineScanner\log.txt log into your next reply.

How is everything now?

jzown · « **Reply #22 on:** October 20, 2008, 09:39:56 AM »

I've already done it... I guess everything's well now...

I really am not sure... Cause I really don't know much about this stuff...

Well all I know is that I could already open my drives, so I think everything's fine now.

oh... here's the one from the online scanner... don't know how to explain it so I just thought I might just put in the image here.

[Saving space - attachment deleted by admin]

jzown · « **Reply #23 on:** October 20, 2008, 09:52:49 AM »

and oh... I actually forgot to turn on the avast on-acess scanner befor... now I do not know how to turn it on... already tried to repair it, using the control panel, add/remove software, then change/remove and then repair. still can't see the avast icon on the taskbar.

So how do I get it back?

evilfantasy · « **Reply #24 on:** October 20, 2008, 01:39:01 PM »

I would reinstall Avast to be sure it is properly installed. http://filehippo.com/download_avast_antivirus/

Download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop. (unless you already have it installed)

1. Double click OTMoveIt2.exe to launch it.
Vista users right click and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
5. Once complete exit out of OTMoveIt2

----------

Set a New Restore Point to prevent possible reinfection from an old one
Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.

Go to Start > Programs > Accessories > System Tools and click System Restore
Choose the radio button marked Create a Restore Point on the first screen then click Next Give the Restore Point a name then click Create.
The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
Next go to Start > Run and type Cleanmgr
Click OK
Click the More Options Tab.
Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide or Windows Vista System Restore Guide
.
----------

Use the Secunia Software Inspector to check for out of date software.

Click Start Now
Check the box next to Enable thorough system inspection.
Click Start
Allow the scan to finish and scroll down to see if any updates are needed.
Update anything listed.

.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.

Concerned about Browser Security? Consider using Mozilla Firefox 3.0 with Adblock Plus and NoScript

To prevent unknown applications from being installed on your computer install WinPatrol 2008
* Using Winpatrol to protect your computer from malicious software

I suggest using SiteAdvisor. SiteAdvisor rates sites on business practices and spam. Safety ratings from McAfee SiteAdvisor are based on automated safety tests of Web sites.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

jzown · « **Reply #25 on:** October 22, 2008, 01:14:09 AM »

Something's wrong now...

One day in the midst of the scans and fixes, after I've done the OTMoveIt2 cleanup, well not exactly after, maybe sometime after... I had to shut down my computer and the screen turned blue with the words Fatal system error, then it restarted.

The first time this happened I took off the plug, cause I really needed to turn it off, cause I'll be leaving the house.

Then when I turned it on again, there's this window that said "windows logon error" something like that. so I clicked on the send error report, then what came out is that there might be a problem with the drives or its drivers.

Instead of doing what was there, I did another cleanup cause I was not able to finish what I was supposed to do according to the instructions that you've given to me, then I made a restore point.

When I was having a problem staying connected to my wireless, I decided to turn it off, again the blue window with the "Fatal system error" came out and instead of shutting down it restarted.

After so, I did some stuff in the computer, opened some apps, and because the computer is running so slow and I'm a bit drowsy I decided to turn it off.

Now it won't turn off, the mouse is on the busy state, like so.

What am I supposed to do?

Computer Hope Forum

News:

Author Topic: Need help... can anyone take a look at this logs? (Read 16557 times)

evilfantasy

Re: Need help... can anyone take a look at this logs?

jzown

Re: Need help... can anyone take a look at this logs?

jzown

Re: Need help... can anyone take a look at this logs?

jzown

Re: Need help... can anyone take a look at this logs?

evilfantasy

Re: Need help... can anyone take a look at this logs?

jzown

Re: Need help... can anyone take a look at this logs?

evilfantasy

Re: Need help... can anyone take a look at this logs?

jzown

Re: Need help... can anyone take a look at this logs?

jzown

Re: Need help... can anyone take a look at this logs?

evilfantasy

Re: Need help... can anyone take a look at this logs?

jzown

Re: Need help... can anyone take a look at this logs?