Most srs virus case in LYN?

Lowyat.NET forums

Lowyat.NET Kopitiam Garage Sales

Lowyat.NET Rules and Regulations FAQ Help Search Members

Welcome Guest ( Log In | Register )

Lowyat.NET -> Technical Support

Bump Topic Topic Closed RSS Feed

Outline · [ Standard ] · Linear+

Virus/Malware Most srs virus case in LYN?, Qhost Trojan is just the beginning.

views

TSMiracles	Sep 28 2009, 09:59 PM, updated 17y ago Show posts by this member only \| Post #1
★ Detective /K ★ Senior Member 1,171 posts Joined: Dec 2006	QUOTE Just few days ago, I was afk and when I come back, I saw this virus notification. It keep popping up every 2 secs as we are speaking. I did scanned in safe mode using Malwarebytes' Anti-Malware. Yes, there are 2 detected and cleaned. But this Qhost trojan keep coming in after reboot. I have no clue. :sigh: edited : yes, my AVs detected the Qhost Trojan. But after deleting it, it keeps coming back. Very persistent virus. then someone asked me to use HostXpert. And it solved the qhost problem. Pls refer to my older thread. http://forum.lowyat.net/topic/1173846 My system restore is disabled after the virus attack. I was not able to turn it on back. I tried every solutions i can find on Google. They failed. So, i rescanned my laptop. MBAM log in safe mode » Click to show Spoiler - click again to hide... « Malwarebytes' Anti-Malware 1.41 Database version: 2854 Windows 5.1.2600 Service Pack 2 9/26/2009 2:57:42 AM mbam-log-2009-09-26 (02-57-42).txt Scan type: Quick Scan Objects scanned: 119455 Time elapsed: 18 minute(s), 54 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 2 Folders Infected: 0 Files Infected: 1 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\system32\secupdat.dat (Backdoor.Bot) -> Quarantined and deleted successfully. The ones in blue, they just keep coming back even though it was quarantined and cleaned. Everytime I scan, those 3 must be present. ------------------------------------------------------ MBAM log in normal mode (scanned mins after rebooting from safe mode) » Click to show Spoiler - click again to hide... « Malwarebytes' Anti-Malware 1.41 Database version: 2861 Windows 5.1.2600 Service Pack 2 9/26/2009 11:39:28 PM mbam-log-2009-09-26 (23-39-28).txt Scan type: Full Scan (C:\\|D:\\|E:\\|) Objects scanned: 219769 Time elapsed: 1 hour(s), 11 minute(s), 24 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 2 Folders Infected: 0 Files Infected: 18 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: C:\System Volume Information\_restore{8FE2160E-F727-429F-BEF0-7B010411026C}\RP351\A0128039.sys (Backdoor.IRCBot) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{8FE2160E-F727-429F-BEF0-7B010411026C}\RP351\A0128046.sys (Backdoor.IRCBot) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{8FE2160E-F727-429F-BEF0-7B010411026C}\RP351\A0128072.sys (Backdoor.IRCBot) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{8FE2160E-F727-429F-BEF0-7B010411026C}\RP351\A0128079.sys (Backdoor.IRCBot) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{8FE2160E-F727-429F-BEF0-7B010411026C}\RP351\A0128093.sys (Backdoor.IRCBot) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{8FE2160E-F727-429F-BEF0-7B010411026C}\RP351\A0128105.sys (Backdoor.IRCBot) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{8FE2160E-F727-429F-BEF0-7B010411026C}\RP351\A0128116.sys (Backdoor.IRCBot) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{8FE2160E-F727-429F-BEF0-7B010411026C}\RP351\A0128134.sys (Backdoor.IRCBot) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{8FE2160E-F727-429F-BEF0-7B010411026C}\RP351\A0128143.sys (Backdoor.IRCBot) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{8FE2160E-F727-429F-BEF0-7B010411026C}\RP351\A0128149.sys (Backdoor.IRCBot) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{8FE2160E-F727-429F-BEF0-7B010411026C}\RP351\A0128170.sys (Backdoor.IRCBot) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{8FE2160E-F727-429F-BEF0-7B010411026C}\RP351\A0128198.sys (Backdoor.IRCBot) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{8FE2160E-F727-429F-BEF0-7B010411026C}\RP351\A0128205.sys (Backdoor.IRCBot) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{8FE2160E-F727-429F-BEF0-7B010411026C}\RP351\A0128226.sys (Backdoor.IRCBot) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{8FE2160E-F727-429F-BEF0-7B010411026C}\RP351\A0128240.sys (Backdoor.IRCBot) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{8FE2160E-F727-429F-BEF0-7B010411026C}\RP351\A0128263.sys (Backdoor.IRCBot) -> Quarantined and deleted successfully. C:\WINDOWS\system32\drivers\minidrv32.sys (Backdoor.IRCBot) -> Quarantined and deleted successfully. C:\WINDOWS\system32\secupdat.dat (Backdoor.Bot) -> Quarantined and deleted successfully. Added on September 28, 2009, 10:00 pm------------------------------------------ My Random's System Information Tool log.txt » Click to show Spoiler - click again to hide... « Logfile of random's system information tool 1.06 (written by random/random) Run by Malcolm Wong at 2009-09-26 23:44:10 Microsoft Windows XP Professional Service Pack 2 System drive C: has 51 GB (53%) free of 96 GB Total RAM: 2045 MB (65% free) Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:44:15 PM, on 9/26/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.5730.0013) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe C:\WINDOWS\system32\igfxtray.exe C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe C:\WINDOWS\system32\igfxsrvc.exe C:\Program Files\iZZi driver\izziReminder.exe C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe C:\Program Files\Apoint2K\Apoint.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\CyberLink\Shared files\RichVideo.exe C:\Program Files\Apoint2K\ApMsgFwd.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Apoint2K\Apntex.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe C:\Program Files\iZZi driver\iZZi_UTD_UTU\iBurst_Terminal_UTL.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Windows Live\Messenger\usnsvc.exe C:\Documents and Settings\Malcolm Wong\Desktop\RSIT.exe C:\Program Files\Trend Micro\HijackThis\Malcolm Wong.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/ F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe O2 - BHO: GigagetIEHelper - {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - C:\WINDOWS\system32\gigagetbho_v10.dll O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\1.0" O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice O4 - HKLM\..\Run: [izziReminder] C:\Program Files\iZZi driver\izziReminder.exe /background O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Startup: AutoClick.lnk = C:\Program Files\AutoClick\AutoClick.exe O4 - Startup: iZZi_UTD_UTU.lnk = C:\Program Files\iZZi driver\iZZi_UTD_UTU\iBurst_Terminal_UTL.exe O4 - Global Startup: Bluetooth.lnk = ? O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe O8 - Extra context menu item: &Download All by Gigaget - C:\Program Files\Giganology\Gigaget\getallurl.htm O8 - Extra context menu item: &Download by Gigaget - C:\Program Files\Giganology\Gigaget\geturl.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1215535216000 O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{84088C64-E88D-48C3-BA10-72AE72861B0D}: NameServer = 116.206.0.42 116.206.0.35 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe O23 - Service: WMI Security Service (WMISRSV) - WMI Security Corp. - C:\WINDOWS\system32\wbem\wmisrsv.exe O23 - Service: XAudioService - Conexant Systems, Inc. - C:\WINDOWS\system32\DRIVERS\xaudio.exe -- End of file - 10055 bytes ======Scheduled tasks folder====== C:\WINDOWS\tasks\AppleSoftwareUpdate.job ======Registry dump====== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{111CAA23-6F4F-42AC-8555-B48C1D87BBAB}] GigagetIEHelper Class - C:\WINDOWS\system32\gigagetbho_v10.dll [2006-01-09 86016] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}] Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}] Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2007-09-20 328752] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}] Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-07-25 41760] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}] JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-07-25 73728] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "UCam_Menu"=C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe [2007-08-16 218408] "QlbCtrl"=C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe [2007-09-19 202032] "IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2007-04-16 135168] "HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2007-04-16 155648] "Persistence"=C:\WINDOWS\system32\igfxpers.exe [2007-04-16 131072] "NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2006-01-12 155648] "RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2005-12-07 30208] "LanguageShortcut"=C:\Program Files\CyberLink\PowerDVD\Language\Language.exe [2006-04-13 49152] "egui"=C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [2008-06-10 1447168] "izziReminder"=C:\Program Files\iZZi driver\izziReminder.exe [2007-06-26 286720] "hpWirelessAssistant"=C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [2007-10-03 480560] "Apoint"=C:\Program Files\Apoint2K\Apoint.exe [2007-07-09 159744] "IMJPMIG8.1"=C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [2004-08-03 208952] "MSPY2002"=C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe [2004-08-03 59392] "PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-03 455168] "PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-03 455168] "HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2007-05-08 54840] "Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696] "SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-07-25 149280] "Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2009-09-10 1312080] "QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-09-05 417792] "iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-09-08 305440] [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-03 15360] "MsnMsgr"=C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe [2007-10-18 5724184] C:\Documents and Settings\All Users\Start Menu\Programs\Startup Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe C:\Documents and Settings\Malcolm Wong\Start Menu\Programs\Startup AutoClick.lnk - C:\Program Files\AutoClick\AutoClick.exe iZZi_UTD_UTU.lnk - C:\Program Files\iZZi driver\iZZi_UTD_UTU\iBurst_Terminal_UTL.exe [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui] C:\WINDOWS\system32\igfxdev.dll [2007-04-16 204800] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WINSYSMON] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Wdf01000.sys] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WINSYSMON] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System] "dontdisplaylastusername"=0 "legalnoticecaption"= "legalnoticetext"= "shutdownwithoutlogon"=1 "undockwithoutlogon"=1 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer] "NoDriveTypeAutoRun"=36 "NoDriveAutoRun"=FFFFFFFF [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe::enabled:@xpsp2res.dll,-22019" "C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe::Enabled:Windows Messenger" "C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe::Enabled:Windows Live Messenger" "C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe::Enabled:Windows Live Messenger (Phone)" "C:\Program Files\flying spaghetti monster\flying spaghetti monster.exe"="C:\Program Files\flying spaghetti monster\flying spaghetti monster.exe::Enabled:flying spaghetti monster" "C:\Documents and Settings\Malcolm Wong\Desktop\cs\cstrike.exe"="C:\Documents and Settings\Malcolm Wong\Desktop\cs\cstrike.exe::Enabled:Half-Life Launcher" "C:\Program Files\XsocamDC\XsocamDC.exe"="C:\Program Files\XsocamDC\XsocamDC.exe::Enabled:XsocamDC" "C:\Documents and Settings\Malcolm Wong\Desktop\flying spaghetti monster3.0Beta1\flying spaghetti monster.exe"="C:\Documents and Settings\Malcolm Wong\Desktop\flying spaghetti monster3.0Beta1\flying spaghetti monster.exe::Enabled:flying spaghetti monster" "C:\Program Files\Giganology\Gigaget\Gigaget.exe"="C:\Program Files\Giganology\Gigaget\Gigaget.exe::Enabled:Gigaget" "D:\Counter-Strike 1.6\cstrike.exe"="D:\Counter-Strike 1.6\cstrike.exe::Enabled:Half-Life Launcher" "C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Internet Security 8.0.0.358\English\setup.exe"="C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Internet Security 8.0.0.358\English\setup.exe::Enabled:Kaspersky Internet Security 2009 Setup" "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe::Disabled:Kaspersky Anti-Virus" "D:\CabalSEA\Launcher\update\ESTdnheadless.exe"="D:\CabalSEA\Launcher\update\ESTdnheadless.exe::Enabled:EST! download engine" "D:\StarCraft 1.12B\starcraft.exe"="D:\StarCraft 1.12B\starcraft.exe::Enabled:Starcraft" "C:\WINDOWS\system32\dpvsetup.exe"="C:\WINDOWS\system32\dpvsetup.exe::Enabled:Microsoft DirectPlay Voice Test" "C:\WINDOWS\system32\rundll32.exe"="C:\WINDOWS\system32\rundll32.exe::Enabled:Run a DLL as an App" "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe::Enabled:hpqtra08.exe" "C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe::Enabled:hpofxm08.exe" "C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe"="C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe::Enabled:hposfx08.exe" "C:\Program Files\HP\Digital Imaging\bin\hposid01.exe"="C:\Program Files\HP\Digital Imaging\bin\hposid01.exe::Enabled:hposid01.exe" "C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe::Enabled:hpqscnvw.exe" "C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe::Enabled:hpqkygrp.exe" "C:\Program Files\HP\Digital Imaging\bin\hpqcopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqcopy.exe::Enabled:hpqcopy.exe" "C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe::Enabled:hpfccopy.exe" "C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe"="C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe::Enabled:hpzwiz01.exe" "C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe"="C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe::Enabled:hpqphunl.exe" "C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe"="C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe::Enabled:hpoews01.exe" "C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe::Enabled:hpqnrs08.exe" "C:\Documents and Settings\Malcolm Wong\Desktop\April9flying spaghetti monsterRhy\flying spaghetti monster\flying spaghetti monster.exe"="C:\Documents and Settings\Malcolm Wong\Desktop\April9flying spaghetti monsterRhy\flying spaghetti monster\flying spaghetti monster.exe::Enabled:flying spaghetti monster Cracked" "C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe::Enabled:Bonjour" "C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe::Enabled:Skype" "C:\Program Files\Warcraft III\War3.exe"="C:\Program Files\Warcraft III\War3.exe::Disabled:Warcraft III" "C:\Documents and Settings\Malcolm Wong\My Documents\XsocamDC\Downloads\Call of Duty 4 - Modern Warfare\iw3mp.exe"="C:\Documents and Settings\Malcolm Wong\My Documents\XsocamDC\Downloads\Call of Duty 4 - Modern Warfare\iw3mp.exe::Enabled:iw3mp" "C:\Documents and Settings\Malcolm Wong\My Documents\XsocamDC\Downloads\Star Wars Battlefront\GameData\Battlefront.exe"="C:\Documents and Settings\Malcolm Wong\My Documents\XsocamDC\Downloads\Star Wars Battlefront\GameData\Battlefront.exe::Enabled:Battlefront" "D:\Warcraft III 1.23\Frozen Throne.exe"="D:\Warcraft III 1.23\Frozen Throne.exe::Disabled:Frozen Throne.exe" "C:\WINDOWS\system\winrsc.exe"="C:\WINDOWS\system\winrsc.exe::Enabled:System stand-alone Optional Component Manager" "C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe::Enabled:iTunes" "C:\WINDOWS\pchealth\helpctr\binaries\HelpCtr.exe"="C:\WINDOWS\pchealth\helpctr\binaries\HelpCtr.exe::Enabled:Remote Assistance - Windows Messenger and Voice" "C:\Documents and Settings\Malcolm Wong\My Documents\XsocamDC\Downloads\Call of Duty 2\CoD2MP_s.exe"="C:\Documents and Settings\Malcolm Wong\My Documents\XsocamDC\Downloads\Call of Duty 2\CoD2MP_s.exe::Enabled:CoD2MP_s" "C:\WINDOWS\system32\wbem\wmisrsv.exe"="C:\WINDOWS\system32\wbem\wmisrsv.exe::Microsoft Enabled" "G:\CACHE-20194029\data.sys"="G:\CACHE-20194029\data.sys::Microsoft Enabled" [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe::enabled:@xpsp2res.dll,-22019" "C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe::Enabled:Windows Live Messenger" "C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe::Enabled:Windows Live Messenger (Phone)" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{747b7149-3898-11de-a900-00c0ee1818cd}] shell\AutoRun\command - G:\MobileLaunch.exe shell\mobile\command - G:\MobileLaunch.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c703f668-8004-11de-a9cf-00c0ee1818cd}] shell\AutoRun\command - cmd /c start "" "CACHE-20194029\data.sys" shell\explore\command - cmd /c start "" "CACHE-20194029\data.sys" shell\open\command - cmd /c start "" "CACHE-20194029\data.sys" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f504c21e-a937-11de-aa55-0021001d2852}] shell\AutoRun\command - cmd /c start "" "CACHE-20194029\data.sys" shell\explore\command - cmd /c start "" "CACHE-20194029\data.sys" shell\open\command - cmd /c start "" "CACHE-20194029\data.sys" ======File associations====== .reg - open - regedit.exe "%1" %* ======List of files/folders created in the last 1 months====== 2009-09-26 23:44:10 ----D---- C:\rsit 2009-09-26 17:52:21 ----HD---- C:\WINDOWS\system32\GroupPolicy 2009-09-24 03:31:44 ----D---- C:\WINDOWS\system32\i 2009-09-19 17:20:41 ----D---- C:\Program Files\iPod 2009-09-19 17:20:36 ----D---- C:\Program Files\iTunes 2009-09-19 17:20:36 ----D---- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD} 2009-09-19 17:17:52 ----D---- C:\Program Files\QuickTime ======List of files/folders modified in the last 1 months====== 2009-09-26 23:44:15 ----D---- C:\WINDOWS\Temp 2009-09-26 23:43:00 ----D---- C:\Program Files\Mozilla Firefox 2009-09-26 23:41:11 ----D---- C:\WINDOWS\system32\drivers 2009-09-26 23:40:52 ----D---- C:\WINDOWS 2009-09-26 23:39:52 ----A---- C:\WINDOWS\SchedLgU.Txt 2009-09-26 23:39:28 ----D---- C:\WINDOWS\system32 2009-09-26 23:13:09 ----RD---- C:\Program Files 2009-09-26 22:30:26 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI 2009-09-26 21:13:06 ----D---- C:\Program Files\Warcraft III 2009-09-26 19:49:56 ----D---- C:\WINDOWS\Prefetch 2009-09-26 18:24:08 ----D---- C:\WINDOWS\system32\CatRoot2 2009-09-26 17:46:06 ----A---- C:\WINDOWS\ntbtlog.txt 2009-09-26 17:30:43 ----A---- C:\WINDOWS\NeroDigital.ini 2009-09-26 14:45:31 ----D---- C:\Program Files\flying spaghetti monster 2009-09-26 03:12:03 ----SHD---- C:\WINDOWS\Installer 2009-09-26 03:12:03 ----D---- C:\Program Files\Bonjour 2009-09-26 03:12:03 ----D---- C:\Config.Msi 2009-09-25 02:27:41 ----HD---- C:\WINDOWS\inf 2009-09-25 01:28:01 ----D---- C:\WINDOWS\system32\wbem 2009-09-25 00:53:42 ----D---- C:\Program Files\Windows Live Safety Center 2009-09-23 15:35:20 ----RSD---- C:\WINDOWS\Fonts 2009-09-23 14:40:53 ----D---- C:\WINDOWS\system32\config 2009-09-22 20:20:54 ----D---- C:\Documents and Settings 2009-09-22 17:37:36 ----D---- C:\Program Files\Panda Security 2009-09-20 01:00:50 ----D---- C:\SWSetup 2009-09-19 17:21:26 ----DC---- C:\WINDOWS\system32\DRVSTORE 2009-09-19 17:20:39 ----D---- C:\Program Files\Common Files\Apple 2009-09-18 10:42:32 ----D---- C:\Program Files\Internet Download Manager 2009-09-18 10:42:32 ----D---- C:\Documents and Settings\Malcolm Wong\Application Data\IDM 2009-09-18 10:09:14 ----D---- C:\Documents and Settings\Malcolm Wong\Application Data\DMCache 2009-09-15 22:05:04 ----D---- C:\Program Files\Malwarebytes' Anti-Malware 2009-09-15 21:24:07 ----D---- C:\WINDOWS\Registration 2009-09-14 21:20:44 ----D---- C:\WINDOWS\Minidump 2009-09-12 23:16:00 ----A---- C:\WINDOWS\win.ini 2009-09-04 15:10:19 ----A---- C:\WINDOWS\avisplitter.INI 2009-09-03 21:22:23 ----D---- C:\Program Files\YouTube Downloader 2009-09-03 01:36:00 ----D---- C:\WINDOWS\system ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)====== R1 easdrv;easdrv; C:\WINDOWS\system32\DRIVERS\easdrv.sys [2008-06-10 53256] R1 epfwtdir;epfwtdir; C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-06-10 34312] R1 FsVga;FsVga; C:\WINDOWS\system32\DRIVERS\fsvga.sys [2001-08-23 12160] R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-03 36096] R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-03 14848] R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2004-08-04 8832] R2 eamon;EAMON; C:\WINDOWS\system32\DRIVERS\eamon.sys [2008-06-10 39944] R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2006-06-18 12672] R2 XAudio;XAudio; C:\WINDOWS\system32\DRIVERS\xaudio.sys [2007-07-10 8704] R3 ApfiltrService;Alps Pointing-device Filter Driver; C:\WINDOWS\system32\DRIVERS\Apfiltr.sys [2007-07-07 155136] R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2004-08-04 60800] R3 BCM43XX;Broadcom 802.11 Network Adapter Driver; C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2008-07-24 1294200] R3 BTKRNL;Bluetooth Bus Enumerator; C:\WINDOWS\system32\DRIVERS\btkrnl.sys [2006-05-12 1342602] R3 CmBatt;Microsoft AC Adapter Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2004-08-04 14080] R3 CnxtHdAudService;Conexant UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\CHDAU32.sys [2008-03-05 732160] R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2009-05-18 26600] R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752] R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600] R3 HpqKbFiltr;HpqKbFilter Driver; C:\WINDOWS\system32\DRIVERS\HpqKbFiltr.sys [2007-06-18 16768] R3 HpqRemHid;HP Remote Control HID Device; C:\WINDOWS\system32\DRIVERS\HpqRemHid.sys [2007-07-11 7168] R3 HSF_DPV;HSF_DPV; C:\WINDOWS\system32\DRIVERS\HSX_DPV.sys [2007-06-20 984064] R3 HSXHWAZL;HSXHWAZL; C:\WINDOWS\system32\DRIVERS\HSXHWAZL.sys [2007-06-20 208896] R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\igxpmp32.sys [2007-04-16 5760096] R3 iBurstu;iBurst Terminal; C:\WINDOWS\system32\DRIVERS\iBurstu.sys [2006-03-29 37362] R3 minidrv32;MiniPort Driver Hub; \??\C:\WINDOWS\system32\drivers\minidrv32.sys [] R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160] R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2004-08-04 61824] R3 rimmptsk;rimmptsk; C:\WINDOWS\system32\DRIVERS\rimmptsk.sys [2005-11-16 28928] R3 rimsptsk;rimsptsk; C:\WINDOWS\system32\DRIVERS\rimsptsk.sys [2005-12-22 51840] R3 rismxdp;Ricoh xD-Picture Card Driver; C:\WINDOWS\system32\DRIVERS\rixdptsk.sys [2005-11-01 308992] R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol); C:\WINDOWS\system32\DRIVERS\RMSPPPOE.SYS [2002-10-03 31504] R3 sdbus;sdbus; C:\WINDOWS\system32\DRIVERS\sdbus.sys [2004-08-03 67584] R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616] R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-03 26624] R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-03 57600] R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-03 20480] R3 usbvideo;USB Video Device (WDM); C:\WINDOWS\System32\Drivers\usbvideo.sys [2004-08-04 78464] R3 Wdf01000;Wdf01000; C:\WINDOWS\system32\DRIVERS\Wdf01000.sys [2006-11-02 492000] R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSX_CNXT.sys [2007-06-20 660480] R3 yukonwxp;NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller; C:\WINDOWS\system32\DRIVERS\yk51x86.sys [2007-05-03 259712] S3 btaudio;Bluetooth Audio Device; C:\WINDOWS\system32\drivers\btaudio.sys [2006-05-12 401664] S3 BTDriver;Bluetooth Virtual Communications Driver; C:\WINDOWS\system32\DRIVERS\btport.sys [2006-05-12 30363] S3 BTWDNDIS;Bluetooth LAN Access Server; C:\WINDOWS\system32\DRIVERS\btwdndis.sys [2006-05-12 148168] S3 BTWUSB;WIDCOMM USB Bluetooth Driver; C:\WINDOWS\System32\Drivers\btwusb.sys [2006-05-12 57320] S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2004-08-04 17024] S3 EagleNT;EagleNT; \??\C:\WINDOWS\system32\drivers\EagleNT.sys [] S3 flying spaghetti monsterPEngine;flying spaghetti monsterPEngine; \??\C:\DOCUME~1\MALCOL~1\LOCALS~1\Temp\FPD15A0.tmp [] S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2005-10-28 49664] S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2005-10-28 16496] S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2005-10-28 21568] S3 HSFHWAZL;HSFHWAZL; C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys [2007-11-01 211456] S3 igfx;igfx; C:\WINDOWS\system32\DRIVERS\igdkmd32.sys [2007-03-30 1671680] S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-04 5504] S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2004-08-04 85376] S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2004-08-04 10880] S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2004-08-04 11136] S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2004-08-04 15360] S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856] S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104] S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496] S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2004-08-04 19328] S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568] S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944] S3 XDva195;XDva195; \??\C:\WINDOWS\system32\XDva195.sys [] S3 XDva208;XDva208; \??\C:\WINDOWS\system32\XDva208.sys [] S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys [] ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)====== R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-06-05 144712] R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888] R2 btwdins;Bluetooth Service; C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe [2006-05-12 258103] R2 ekrn;Eset Service; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-06-10 468224] R2 hpqwmiex;hpqwmiex; C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe [2006-05-02 135168] R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-07-25 153376] R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120] R2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\CyberLink\Shared files\RichVideo.exe [2005-08-08 167936] R2 WMISRSV;WMI Security Service; C:\WINDOWS\system32\wbem\wmisrsv.exe [2009-09-25 670208] R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-09-08 545568] R3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328] S2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2007-08-09 73728] S2 XAudioService;XAudioService; C:\WINDOWS\system32\DRIVERS\xaudio.exe [2007-07-10 386560] S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800] S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144] S3 EhttpSrv;Eset HTTP Server; C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe [2008-06-10 19200] S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2009-01-25 654848] S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2007-10-09 36864] S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2007-10-11 864256] S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136] S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240] S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408] S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-03 14336] S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2007-10-11 122880] -----------------EOF----------------- info.txt post too long. so i attach it here. [attachmentid=1221008] After that I did a scan run using Kaspersky Online Scanner. my log. [attachmentid=1221014] And finally, my fresh my HJT log [attachmentid=1221016] Someone told me that my pc is infected with serious backdoor and trojans. I need help. This post has been edited by Miracles: Sep 28 2009, 10:10 PM
Card PM	Report Top Like Quote Reply

gyver	Sep 28 2009, 10:23 PM Show posts by this member only \| Post #2
Regular Senior Member 1,067 posts Joined: Mar 2005	Hi again, It seems you have got a variant of qhost. Somebody just modified the code straint so standard AV can't delete all trojan files. Please check back my posting about the qhost manual remove. It seems that you have skip a step. Just do what I did since year 2000 before malware was even given a name. You should do a search by time or sort files in system32 and check the dates. Suspected backdoor files should be the latest dates. Delete all suspected files. BTW the backdoor bot C:\WINDOWS\system32\secupdat.dat created here, is it the same file name or auto generated with random names everytime after you cleanup. If it is the same just do a search in registry of that entry and delete it. I hope you are comfortable enough to mess around in system32 and registry files manually This post has been edited by gyver: Sep 28 2009, 10:28 PM
Card PM	Report Top Like Quote Reply

TSMiracles	Sep 28 2009, 10:44 PM Show posts by this member only \| Post #3
★ Detective /K ★ Senior Member 1,171 posts Joined: Dec 2006	QUOTE(gyver @ Sep 28 2009, 10:23 PM) Hi again, It seems you have got a variant of qhost. Somebody just modified the code straint so standard AV can't delete all trojan files. Please check back my posting about the qhost manual remove. It seems that you have skip a step. Just do what I did since year 2000 before malware was even given a name. You should do a search by time or sort files in system32 and check the dates. Suspected backdoor files should be the latest dates. Delete all suspected files. BTW the backdoor bot C:\WINDOWS\system32\secupdat.dat created here, is it the same file name or auto generated with random names everytime after you cleanup. If it is the same just do a search in registry of that entry and delete it. I hope you are comfortable enough to mess around in system32 and registry files manually I dont really understand the qhost manual remove. im not good in computers. C:\WINDOWS\system32\secupdat.dat <-- is it the same file name everything. how do i search in registry? Backdoorfiles, even they are quarantined, they will come back with random names. This post has been edited by Miracles: Sep 28 2009, 10:50 PM
Card PM	Report Top Like Quote Reply

gyver	Sep 28 2009, 10:50 PM Show posts by this member only \| Post #4
Regular Senior Member 1,067 posts Joined: Mar 2005	I passed to you a link to manually remove this trojan. Anyways just read this and follow the steps given on how to remove » Click to show Spoiler - click again to hide... « Once the malicious script is executed, the trojan will drop a file called AOLFIX.EXE into the Windows temporary directory. It then creates a batch file that will proceed to execute AOLFIX.EXE and delete it after the execution. AOLFIX.EXE is a batch file compiled into a Windows binary executable by the "bat2exe" utility. Once run it will check if a file called %windows%\winlog exists. If it does, the trojan does nothing and will exit. If the "winlog" file is not found the trojan tries to modify the following registry keys: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\MSTCP\ "EnableDNS"="1" "NameServer"="69.57.146.14,69.57.147.175" "HostName"="host" "Domain"="mydomain.com" HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ "ProxyEnable"=dword:00000000 "MigrateProxy"=dword:00000000 HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\ "Use Search Asst"="no" "Search Page"="http://www.google.com" "Search Bar"="http://www.google.com/ie" HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL\ ""="http://www.google.com/keyword/%%s" "provider"="gogl" HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\ "SearchAssistant"="http://www.google.com/ie" These settings will make an affected system use the IP addresses 69.57.146.14 and 69.57.147.175 as its DNS servers. They also change the domain name to host.mydomain.com, disable any IE proxy, and set the IE search page to point to www.google.com. These DNS name servers are probably used to redirect name queries to servers run by the trojan's author. The trojan then checks if %windows%\system32\drivers\etc\services exists. If it finds this file, it will proceed to modify the following registry keys: (note that the presence of the "services" file generally indicates that the trojan is dealing with Windows 2000 or Windows XP.) HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "DataBasePath"=hex(2):25,00,53,00,79,00,73, 00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25, 00,5c,00,68,00,65,00,6c,00,70,00,00,00 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters "DataBasePath"=hex(2):25,00,53,00,79,00,73, 00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25, 00,5c,00,68,00,65,00,6c,00,70,00,00,00 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ Tcpip\Parameters\interfaces\windows "r0x"="your s0x" HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ Tcpip\Parameters\interfaces\windows "r0x"="your s0x" The DataBasePath value is a unicode string, which redirects Windows to load the local hosts file from the directory %windows%\help, instead of the normal location %windows%\System32\drivers\etc. The trojan will also enumerate and modify every NameServer value found under HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces and HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces recursively to make sure that the DNS servers are set to 69.57.146.14 and 69.57.147.175 for every network interface present. Next the trojan will modify the hosts file located in the %windows% directory so that the domain names of some popular search engines will resolve to the IP address 207.44.220.30. Propagation: The Trojan is installed and run if a user visits a web page that exploits a vulnerability in Internet Explorer. A VB script embedded in the web page is run automatically when the page is viewed using Internet Explorer. Removal tool: Restore the file HOSTS with the latest backup copy available. Find the suspicious files: * Access the Windows system directory: For Windows 2000/NT computers, the default directory is C:\ WINNT\ SYSTEM32, and for Windows XP/Me/98/95 computers, the default directory is C:\ WINDOWS\ SYSTEM. * Arrange the files chronologically. * Note down the executable files (those with an EXE, COM, PIF, BAT or SCR extension) that have been created or modified over the last fiveteen days. * Find the entries associated to the automatic execution of the suspicious files in the Windows Registry. These entries are located in the paths below: HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Run HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ RunServices HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows\ CurrentVersion\ Run HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows\ CurrentVersion\ RunServices Access registry edit via running regedit
Card PM	Report Top Like Quote Reply

fenzodahl512	Sep 29 2009, 02:52 AM Show posts by this member only \| Post #5
Elite 1,089 posts Joined: Jun 2008	Please download The Comedian.exe by Rorschach112 to your desktop Please disable all of your antivirus/firewall before doing this step. Please visit HERE if you don't know how.. Double click the program to run it. It will only take around several minutes to run. It will do a series of tasks and tell you when each one is finished. You will be prompted to press any key after each step When it is done it will close and exit itself automatically. You can delete The_Comedian.exe once it is finished STOP! if you can't complete this step.. Tell me more about it.. Please download the OTM by OldTimer Save it to your Desktop. Please double-click OTM.exe to run it. (Vista users, please right click on OTM.exe and select "Run as an Administrator") Copy the codebox contents and paste it to the "Paste List of Files/Folders to Move" window (under the light Yellow bar) CODE :processes explorer.exe :services minidrv32 WMISRSV :files C:\WINDOWS\System32\wbem\wmiclisv.exe C:\WINDOWS\system32\asr_????? C:\WINDOWS\system32\drivers\minidrv32.sys C:\WINDOWS\system32\secupdat.dat C:\WINDOWS\system32\wbem\wmisrsv.exe G:\CACHE-20194029\data.sys C:\WINDOWS\system\winrsc.exe :reg [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{747b7149-3898-11de-a900-00c0ee1818cd}] [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c703f668-8004-11de-a9cf-00c0ee1818cd}] [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f504c21e-a937-11de-aa55-0021001d2852}] [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "G:\CACHE-20194029\data.sys"=- "C:\WINDOWS\system\winrsc.exe"=- :commands [purity] [emptytemp] [start explorer] [reboot] Click the red Moveit! button. A log of files and folders moved will be created in the c:\_OTM\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply. Close OTM If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. Please download GMER and unzip it to your Desktop. <<mirror>> Please rename the random filename or GMER into GAMERS Open the renamed program and click on the Rootkit tab. Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’. Click on Scan. When the scan has run click Copy and paste the results into a Notepad >> save it and attach in this thread. IMPORTANT: Do NOT run any program while you are doing these scans as it may interfere with the output results Then run RSIT once again.. Post these logs in your next reply 1. OTM 2. GMER 3. RSIT log.txt This post has been edited by fenzodahl512: Sep 29 2009, 02:58 AM
Card PM	Report Top Like Quote Reply

TSMiracles	Sep 30 2009, 09:40 AM Show posts by this member only \| Post #6
★ Detective /K ★ Senior Member 1,171 posts Joined: Dec 2006	Hey.. Below are the logs that you requested. OTM [attachmentid=1223212] Gmer [attachmentid=1223215] RSIT [attachmentid=1223213]
Card PM	Report Top Like Quote Reply

fenzodahl512	Sep 30 2009, 11:30 PM Show posts by this member only \| Post #7
Elite 1,089 posts Joined: Jun 2008	Ok, run another scan with Malwarebytes'.. Do you still got the same detection?
Card PM	Report Top Like Quote Reply

TSMiracles	Nov 14 2009, 02:29 PM Show posts by this member only \| Post #8
★ Detective /K ★ Senior Member 1,171 posts Joined: Dec 2006	opps sorry for not noticing. yeap, no more malicious items detected. thankiu so much!
Card PM	Report Top Like Quote Reply

« Next Oldest · Technical Support · Next Newest »

Topic ClosedOptions

Change to:

0.0238sec

0.71

5 queries

GZIP Disabled
Time is now: 14th December 2025 - 11:44 AM

All Rights Reserved © 2002- 2025 Vijandren Ramadass (~unite against racism~)

Removal Request

Powered by Invision Power Board © 2025 IPS, Inc.