unstopable pop-ups(RESOLVED)

samisemo · #1 (**permalink**) 08-12-2008, 07:33 AM

i went on a website to watch a movie. I started getting pop-ups non-stop and the computer speed was indeed slower. I ran malwarebyte's antimalware and got rid of the bad stuff. Although, i am still getting pop ups. Its really annoying when im watching youtube or playing a game. It minimizes the movie, game, etc. I ran anti malware at least 5 more times and nothing shows up. The pop ups only pop up when i use the internet. Im doing college apps. right now and i dont want anyone stealing my stuff. The pop-ups pop up once in about 30 minutes. I have pop up blocker on so i doubt its the website pop-ups. The pop-ups all say advertisement on them. Please help me out to exterminate these pest.

Neal · #2 (**permalink**) 09-12-2008, 12:33 AM

Welcome,

Please download and install the latest version of HijackThis v2.0.2:

CLICK HERE to download the HijackThis Installer:TrendSecure | Download TrendMicro HijackThis

1. Save HJTInstall.exe to your desktop.
2. Double-click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit -> Select All" then click on "Edit -> Copy" to copy the entire contents of the log.
8. Come back here to this thread and paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

samisemo · #3 (**permalink**) 09-12-2008, 03:10 AM

Yeah i figured i forgot to use hijackthis. I ran it but when the log should pop up, a SAS message log stating that my SAS system is expired...I'm not sure what to do from here.

Neal · #4 (**permalink**) 10-12-2008, 12:49 AM

Try again also...

Please go to hijackthis.exe and right click on it and then click on rename and rename it to foolyou.exe, press enter
and post a new log from the newly renamed hijackthis.exe.

samisemo · #5 (**permalink**) 10-12-2008, 02:41 AM

Weird. I already named it foolyou.exe but that SAS message came up. I reinstalled it and it worked. Anyways here it is.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:38:15 PM, on 12/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\OFFICESCAN NT\pccntmon.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
C:\WINDOWS\system32\V0230Mon.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
D:\Sam's stuff\iTunesHelper.exe
D:\sam's games\Skype\Phone\Skype.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Documents and Settings\Xing-Guo Sun MD\Application Data\Twain\Twain.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Borland\InterBase\bin\ibguard.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\MSSQL7\Binn\sqlservr.exe
C:\LAB4\MYSQL\bin\mysqld-nt.exe
C:\OfficeScan NT\ntrtscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Promise\Utility\MsgAgt.exe
C:\Program Files\Promise\Utility\MsgSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\OfficeScan NT\tmlisten.exe
C:\OfficeScan NT\OfcPfwSvc.exe
D:\sam's games\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\TEMP\EZF0E.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Borland\InterBase\bin\ibserver.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_08\bin\jucheck.exe
C:\WINDOWS\system32\rundll32.exe
D:\Sam's stuff\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\SyncServer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Xing-Guo Sun MD\Desktop\foolyou.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = Chinese New Year Celebration
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,AutoConfigURL = http://proxy.ucla.edu/cgi/proxy/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = 61.74.65.97 :80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = localhost;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4193D36D-ADD2-45F6-B755-02E582377972} - C:\WINDOWS\system32\vtUnmMeC.dll (file missing)
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\bin\tgcmd.exe /server
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OFFICESCAN NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb0 7.exe
O4 - HKLM\..\Run: [AVFX Engine] C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
O4 - HKLM\..\Run: [V0230Mon.exe] C:\WINDOWS\system32\V0230Mon.exe
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Sam's stuff\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "D:\Sam's stuff\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Microsoft AUT Update] MSlti16.exe
O4 - HKCU\..\Run: [Skype] "D:\sam's games\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Twain] C:\Documents and Settings\Xing-Guo Sun MD\Application Data\Twain\Twain.exe
O4 - HKCU\..\Run: [SfKg6wIP] C:\Documents and Settings\Xing-Guo Sun MD\Application Data\Microsoft\Windows\omxanu.exe
O4 - HKUS\S-1-5-18\..\Run: [Microsoft AUT Update] MSlti16.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft AUT Update] MSlti16.exe (User 'Default user')
O4 - Global Startup: Clean Temp.lnk = C:\Program Files\MedGraphics\Breeze\CleanTemp.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Ìí¼Óµ½QQ±íÇé - C:\Program Files\Tencent\QQ\AddEmotion.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1221101286289
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: yzztkmsn.dll,skqncbib.dll aumnsi.dll agpfwu.dll bfvces.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise Corporation - C:\Program Files\Borland\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\Program Files\Borland\InterBase\bin\ibserver.exe
O23 - Service: Iomega Activity Disk2 - Iomega Corporation - C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MySql - Unknown owner - C:/LAB4/MYSQL/bin/mysqld-nt.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\OfficeScan NT\ntrtscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Visibroker Activation Daemon (oad) - Unknown owner - C:\PROGRA~1\Borland\vbroker\bin\oad.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\OfficeScan NT\OfcPfwSvc.exe
O23 - Service: VisiBroker Smart Agent (osagent) - Unknown owner - C:\PROGRA~1\Borland\vbroker\bin\osagent.exe
O23 - Service: Promise RAID message agent (RAIDmAgt) - Unknown owner - C:\Program Files\Promise\Utility\MsgAgt.exe
O23 - Service: Promise RAID message server (RAIDmSvr) - Unknown owner - C:\Program Files\Promise\Utility\MsgSvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Unknown owner - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe (file missing)
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Unknown owner - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe (file missing)
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\OfficeScan NT\tmlisten.exe

--
End of file - 11809 bytes

Neal · #6 (**permalink**) 12-12-2008, 12:02 AM

Thanks for that.

Download SDFIX and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, right click the SDFix.zip folder and choose Extract All,
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer that normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

samisemo · #7 (**permalink**) 12-12-2008, 06:47 AM

Neal, I ran into a problem.
I ran everything to your advice until after 'press y and enter to begin' part. It started but immediately a windows pop-up cames up. It said:

HLVDD-Hardlock Virtual Driver
------------------------------------
Cannot find ///FAST Hardlock Driver!

immediately following it after pressing ok was:

166bit MS-DOS Subsystem SDFdix
-----------------------------------------
HLVDD.DLL. An installable Virtual Device Driver failed Dll initiatization. Choose 'close' to terminate the application.

And so, i click close. I had to use task manager to close down SDFix 'cuz it wasn't responding and shutting down.
I restarted and now I am posting this reply. I will try again but i doubt it works 'cuz i tried this proccess twice.
Aid me in this treacherous adventure of ridding my mechanical genius of such terrible plagues.

samisemo · #8 (**permalink**) 12-12-2008, 07:17 AM

nevermind ignore all that. I just clicked 'ignore' instead of 'close'. I guess that did the trick. I got the log right here. By the way, if that was the last step in getting rid of the pop-ups, it didn't work. I'm still getting pummelled by pop-ups. For the lack of a better work, pummelled may be overexaggerating it. It more like mildly bothered. Anywho... without further adieu:

SDFix: Version 1.240
Run by Xing-Guo Sun MD on Thu 12/11/2008 at 10:01 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\Documents and Settings\Xing-Guo Sun MD\Desktop\SDFix\SDFix

Checking Services :

Restoring Default Security Values
Restoring Default Hosts File

Rebooting

Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\TFTP6540 - Deleted
C:\WINDOWS\system32\TFTP6232 - Deleted
C:\WINDOWS\system32\TFTP9804 - Deleted
C:\WINDOWS\system32\TFTP15012 - Deleted
C:\WINDOWS\system32\TFTP1064 - Deleted
C:\WINDOWS\system32\TFTP2352 - Deleted
C:\WINDOWS\system32\TFTP2064 - Deleted
C:\WINDOWS\system32\TFTP1076 - Deleted
C:\WINDOWS\system32\TFTP2936 - Deleted

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-11 22:09:45
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\servic es\sharedaccess\parameters\firewallpolicy\standard prof

ile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\syste m32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\support.com\\client\\bin\\tgcmd.exe"="C:\\P rogram

Files\\support.com\\client\\bin\\tgcmd.exe:*

isab led:tgcmd Module"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program

Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Messenger\\MSMSGS.EXE"="C:\\Program Files\\Messenger\\MSMSGS.EXE:*:Enabled:Windows

Messenger"
"D:\\sam's games\\NEXON\\MapleStory\\Patcher.exe"="D:\\sam's

games\\NEXON\\MapleStory\\Patcher.exe:*:Enabled:Pa tcher MFC ?? ????"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows

Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows

Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"D:\\Sam's stuff\\LimeWire\\LimeWire.exe"="D:\\Sam's stuff\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program

Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjou r"
"D:\\Sam's stuff\\iTunes.exe"="D:\\Sam's stuff\\iTunes.exe:*:Enabled:iTunes"
"D:\\sam's games\\Skype\\Phone\\Skype.exe"="D:\\sam's games\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\servic es\sharedaccess\parameters\firewallpolicy\domainpr ofil

e\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\syste m32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows

Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows

Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :

File Backups: - C:\DOCUME~1\XING-G~1\Desktop\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes :

Thu 28 Feb 2002 0 ..SHR --- "C:\TEMP\EBD.SYS"
Fri 19 Jul 2002 53,248 ...HR --- "C:\WINDOWS\system32\DellSys.dll"
Fri 19 Jul 2002 17,153 ...HR --- "C:\WINDOWS\system32\drivers\omci.sys"
Wed 31 Jan 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 27 Jul 2007 1,040 A..H. --- "C:\Program Files\InterActual\InterActual Player\iti373.tmp"
Fri 19 Jul 2002 17,153 ...HR --- "C:\Program Files\Dell\DellSys\OMCI.SYS"
Wed 22 Dec 2004 76,568 ..SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\Setup.exe"
Thu 13 Jan 2005 11,360 A.SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\_Setupx.dll"
Thu 7 Aug 2008 1,024 A..H. --- "C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-

E849AAB0887F}\RP759\A0154399.sys"
Thu 11 Dec 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18

\2df9c5e1996f8d67585eb0c7918f9d33\BIT10.tmp"
Thu 11 Dec 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18

\913fb8692c662f7c4552b8d0a0e20b5f\BIT11.tmp"
Mon 12 Feb 2007 3,096,576 A..H. --- "C:\Documents and Settings\Xing-Guo Sun MD\Application Data\U3

\temp\Launchpad Removal.exe"
Thu 13 Mar 2008 7,318 A..H. --- "C:\Documents and Settings\Xing-Guo Sun MD\Application

Data\Microsoft\Office\Shortcut Bar\Off15.tmp"
Wed 14 Aug 2002 8,544 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\CATC USB Ethernet\Elndis.sys"
Wed 14 Aug 2002 33,149 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\CATC USB Ethernet\Usbd.sys"
Wed 14 Aug 2002 29,628 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\common\ASPICD.SYS"
Wed 14 Aug 2002 161,792 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\common\BOOTSRV.SYS"
Wed 14 Aug 2002 202,517 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\common\CMDS.EXE"
Wed 14 Aug 2002 22,158 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\common\COUNTRY.SYS"
Wed 14 Aug 2002 1,608 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\common\DEVICE.COM"
Wed 14 Aug 2002 15,345 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\common\DISPLAY.SYS"
Wed 14 Aug 2002 14,160 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\common\HIMEM.SYS"
Wed 14 Aug 2002 10,898 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\common\KEYB.COM"
Wed 14 Aug 2002 53,556 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\common\KEYBOARD.SYS"
Wed 14 Aug 2002 15,777 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\common\MODE.COM"
Wed 14 Aug 2002 37,681 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\common\MOUSE.COM"
Wed 14 Aug 2002 21,180 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\common\MSCDEX.EXE"
Wed 14 Aug 2002 8,513 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\common\NETBIND.COM"
Wed 14 Aug 2002 129,240 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\common\OHCI.EXE"
Wed 14 Aug 2002 28,439 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\common\Paralink.com"
Wed 14 Aug 2002 13,770 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\common\PROTMAN.EXE"
Wed 14 Aug 2002 130,980 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\common\UHCI.EXE"
Wed 14 Aug 2002 174,080 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\common\bootsrv16.sys"
Wed 14 Aug 2002 354,304 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\common\msbootsrv16.sy s"
Wed 14 Aug 2002 56,821 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\common\E.EXE"
Wed 14 Aug 2002 354,263 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\common\Net.exe"
Wed 14 Aug 2002 7,840 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\common\DLSHELP.SYS"
Wed 14 Aug 2002 374,038 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\common\CMDS16.EXE"
Wed 14 Aug 2002 49,242 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\common\ASPIOHCI.SYS"
Wed 14 Aug 2002 47,826 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\common\ASPI1394.SYS"
Wed 14 Aug 2002 32,396 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\common\GUEST.EXE"
Wed 14 Aug 2002 50,606 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\common\ASPIUHCI.SYS"
Wed 14 Aug 2002 35,340 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\common\ASPI2DOS.SYS"
Wed 14 Aug 2002 14,378 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\common\ASPI4DOS.SYS"
Wed 14 Aug 2002 37,984 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\common\ASPI8DOS.SYS"
Wed 14 Aug 2002 44,828 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\common\ASPI8U2.SYS"
Wed 14 Aug 2002 21,971 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\common\BTCDROM.SYS"
Wed 14 Aug 2002 30,955 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\common\BTDOSM.SYS"
Wed 14 Aug 2002 64,425 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\common\FLASHPT.SYS"
Wed 14 Aug 2002 41,302 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\common\OAKCDROM.SYS"
Wed 14 Aug 2002 17,043 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\DLink DE400 Packet\De400pd.com"
Wed 14 Aug 2002 11,491 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\DLink DMF560-TX Packet\Lmpd.com"
Wed 14 Aug 2002 17,791 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\DLink DT620 Packet\Dt620pd.com"
Wed 14 Aug 2002 11,786 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\IBM Crystal LAN Packet\Epktisa.com"
Wed 14 Aug 2002 18,300 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\Kingston EtheRx KNE110TX Packet\Ktc110p.com"
Wed 14 Aug 2002 13,360 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\Laneed LD-CDF Packet\Ldcdt.com"
Wed 14 Aug 2002 9,190 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\Laneed LD-PCI2TL Packet\Ldpcil.com"
Wed 14 Aug 2002 12,567 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\Melco LPC2-T\Lpchkat2.com"
Wed 14 Aug 2002 44,640 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\Planex FW-100TX Fast Ethernet Packet\FETPKT.COM"
Wed 14 Aug 2002 56,896 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\Planex FW-100TX Fast Ethernet Packet\Rtspkt.com"
Wed 14 Aug 2002 9,692 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\PXE Packet Driver\Undipd.com"
Wed 14 Aug 2002 32,484 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\WaveLAN Packet\Wvlan42.com"
Wed 14 Aug 2002 50,795 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\Xircom CBE10-100BTX\Cbendis.exe"
Wed 14 Aug 2002 48,223 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\Xircom CBE10-100BTX Packet\Cbepd.com"
Wed 14 Aug 2002 48,641 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\Xircom Ethernet II PS\Xpsndis.exe"
Wed 14 Aug 2002 49,015 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\Xircom Ethernet II PS Packet\Xpspd.com"
Wed 14 Aug 2002 33,860 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\Xircom PE3-10Bx\Pe3ndis.exe"
Wed 14 Aug 2002 50,405 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\Xircom RE10 - RE100 Packet\Ce3pd.com"
Wed 14 Aug 2002 48,491 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\Xircom RE10BT\Ce3ndis.exe"
Wed 14 Aug 2002 44,640 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\Planex FNW9x00T - ENW8300T Packet\fetpkt.com"
Wed 14 Aug 2002 52,225 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\Xircom Ethernet 10-100 + Modem\Cbendis.exe"
Wed 14 Aug 2002 50,175 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\Xircom Re-100Btx + Ce3B-100Btx\Ce3ndis.exe"
Wed 14 Aug 2002 12,732 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\3COM 3c509 Packet\3C5X9PD.COM"
Wed 14 Aug 2002 26,424 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\3COM 3c59x Packet\3C59XPD.COM"
Wed 14 Aug 2002 17,952 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\ACCTON EN1200 Packet\EC32PD.COM"
Wed 14 Aug 2002 29,499 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\ACCTON EN1203 Packet\PCIPD.COM"
Wed 14 Aug 2002 12,660 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\ACCTON EN1204 Packet\VLNWPD.COM"
Wed 14 Aug 2002 11,031 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\ACCTON EN1207 Packet\PCIPD.COM"
Wed 14 Aug 2002 10,710 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\ACCTON EN1207C Packet\PCIPD.COM"
Wed 14 Aug 2002 10,083 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\ACCTON EN1207D Packet\ACCPKT.COM"
Wed 14 Aug 2002 28,062 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\ACCTON EN1207F Packet\EN5251PD.COM"
Wed 14 Aug 2002 10,257 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\ACCTON EN1207TX Packet\PCIPD.COM"
Wed 14 Aug 2002 9,424 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\ACCTON EN1208 Packet\1208PD.COM"
Wed 14 Aug 2002 7,463 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\ACCTON EN1625 Packet\NEPD.COM"
Wed 14 Aug 2002 13,673 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\ACCTON EN1640 Packet\NWPD.COM"
Wed 14 Aug 2002 7,825 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\ACCTON EN1651 Packet\NWPD.COM"
Wed 14 Aug 2002 7,825 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\ACCTON EN1652 Packet\NWPD.COM"
Wed 14 Aug 2002 7,825 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\ACCTON EN1650 Packet\NWPD.COM"
Wed 14 Aug 2002 7,243 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\ACCTON EN1653 Packet\NE2PD.COM"
Wed 14 Aug 2002 7,825 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\ACCTON EN1656 Packet\NWPD.COM"
Wed 14 Aug 2002 14,438 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\ACCTON EN1657 Packet\NWPD.COM"
Wed 14 Aug 2002 14,438 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\ACCTON EN1658 Packet\NWPD.COM"
Wed 14 Aug 2002 7,825 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\ACCTON EN166X Packet\NWPD.COM"
Wed 14 Aug 2002 24,767 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\ACCTON EN2216 Packet\PCMPD.COM"
Wed 14 Aug 2002 25,460 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\ACCTON EN2218 Packet\PCMPD.COM"
Wed 14 Aug 2002 10,286 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\ACCTON EN2228 Packet\PCMPD.COM"
Wed 14 Aug 2002 28,866 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\ACCTON EN2320 Packet\EN5251PD.COM"
Wed 14 Aug 2002 11,854 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\DEC EtherWorks ISA (DE305) Packet\DE305.COM"
Wed 14 Aug 2002 62,391 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\DEC EtherWORKS DE500 Packet\DE500.COM"
Wed 14 Aug 2002 52,715 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\DEC EtherWORKS DE450 Packet\DE450.COM"
Wed 14 Aug 2002 48,224 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\Laneed LD 10-100AL Packet\L100al.com"
Wed 14 Aug 2002 9,537 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\SN 2000p Packet\PNPPD.COM"
Wed 14 Aug 2002 65,088 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\3COM 3c556 Packet\3C556.COM"
Wed 14 Aug 2002 53,786 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\common\pcdos\command. com"
Wed 14 Aug 2002 44,240 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\common\pcdos\IBMBIO.C OM"
Wed 14 Aug 2002 42,550 ...H. --- "C:\Documents and Settings\All Users\Application

Data\Symantec\Ghost\Template\common\pcdos\IBMDOS.C OM"

Finished!

Neal · #9 (**permalink**) 12-12-2008, 10:45 PM

Visit this page below to familiarize yourself to the tool below and download from one of the links provided.

A guide and tutorial on using ComboFix

If you have previously downloaded ComboFix,please delete that version now.

It is IMPORTANT that it is saved directly to your desktop

Close any open browsers.

Disconnect from the Internet.

Please do not re-connect your machine back to the Internet until Combofix has completely finished.

Disable your antivirus program and any realtime malware scanners and script blockers now

How To Disable

Double click on combofix.exe and follow the prompts.

When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.

Note:
Do not mouseclick combofix's window while it's running.

That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Re-enable your anti-virus and re-connect back to the internet and post the combofix log.

*Note*
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix,please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

ComboFix SHOULD NOT be used unless requested by a forum helper.

samisemo · #10 (**permalink**) 13-12-2008, 02:07 AM

ComboFix 08-06-20.4 - Xing-Guo Sun MD 2008-06-27 13:42:45.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.120 [GMT -7:00]
Running from: C:\Documents and Settings\Xing-Guo Sun MD\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Xing-Guo Sun MD\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\ktlu.exe
C:\WINDOWS\system32\aoqnabib.sys
C:\WINDOWS\system32\apsggjba.dll
C:\WINDOWS\system32\apzhctde.dll
C:\WINDOWS\system32\dfqnabib.exe
C:\WINDOWS\system32\dgkd0.exe
C:\WINDOWS\system32\erjxakin.sys
C:\WINDOWS\system32\gjcwptw.dll
C:\WINDOWS\system32\gpzhatde.sys
C:\WINDOWS\system32\ijzhatde.sys
C:\WINDOWS\system32\lpzhatde.exe
C:\WINDOWS\system32\mndshsrv.dll
C:\WINDOWS\system32\mpwdeapi.dll
C:\WINDOWS\system32\ngjxakin.sys
C:\WINDOWS\system32\opshcbty.dll
C:\WINDOWS\system32\ozfyebyt.dll
C:\WINDOWS\system32\pjjxedwd.dll
C:\WINDOWS\system32\rmfw22.exe
C:\WINDOWS\system32\s2da2f323.dll
C:\WINDOWS\system32\skqncbib.dll
C:\WINDOWS\system32\smdsbsrv.sys
C:\WINDOWS\system32\snfybbyt.sys
C:\WINDOWS\system32\tjfyabyt.exe
C:\WINDOWS\system32\womsoy.dll
C:\WINDOWS\system32\womsoyk.exe
C:\WINDOWS\system32\yzztkmsn.dll
C:\WINDOWS\system32\zptlcsys.dll
C:\WINDOWS\system32\zxmsdwin.dll
C:\WINDOWS\vymp.exe
C:\WINDOWS\yotk.exe
C:\WINDOWS\ziio.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Xing-Guo Sun MD\Application Data\FNTS~1
C:\Documents and Settings\Xing-Guo Sun MD\Application Data\SMANTE~1
C:\Documents and Settings\Xing-Guo Sun MD\My Documents\CROSOF~1.NET
C:\WINDOWS\system32\aoqnabib.sys
C:\WINDOWS\system32\apsggjba.dll
C:\WINDOWS\system32\apzhctde.dll
C:\WINDOWS\system32\dfqnabib.exe
C:\WINDOWS\system32\dgkd0.exe
C:\WINDOWS\system32\erjxakin.sys
C:\WINDOWS\system32\gpzhatde.sys
C:\WINDOWS\system32\ijzhatde.sys
C:\WINDOWS\system32\lpzhatde.exe
C:\WINDOWS\system32\mndshsrv.dll
C:\WINDOWS\system32\ngjxakin.sys
C:\WINDOWS\system32\opshcbty.dll
C:\WINDOWS\system32\rmfw22.exe
C:\WINDOWS\system32\smdsbsrv.sys
C:\WINDOWS\system32\snfybbyt.sys
C:\WINDOWS\system32\tjfyabyt.exe
C:\WINDOWS\system32\womsoy.dll
C:\WINDOWS\system32\womsoyk.exe
C:\WINDOWS\system32\yzztkmsn.dll
C:\WINDOWS\system32\zxmsdwin.dll
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR
-------\Service_cmdService
-------\Service_Network Monitor

((((((((((((((((((((((((( Files Created from 2008-05-27 to 2008-06-27 )))))))))))))))))))))))))))))))
.

2008-06-26 00:11 . 2008-06-26 00:11 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-06-24 22:20 . 2008-06-24 22:20 <DIR> d--hs---- C:\FOUND.000
2008-06-09 17:04 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2008-06-09 16:58 . 2008-06-09 16:58 <DIR> d-------- C:\WINDOWS\Logs
2008-05-30 02:17 . 2008-05-30 02:17 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\VOL_TOOLBAR

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-05-30 21:19 507,400 ----a-w C:\WINDOWS\system32\XAudio2_1.dll
2008-05-30 21:18 238,088 ----a-w C:\WINDOWS\system32\xactengine3_1.dll
2008-05-30 21:17 65,032 ----a-w C:\WINDOWS\system32\XAPOFX1_0.dll
2008-05-30 21:17 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_4.dll
2008-05-30 21:11 467,984 ----a-w C:\WINDOWS\system32\d3dx10_38.dll
2008-05-30 21:11 3,850,760 ----a-w C:\WINDOWS\system32\D3DX9_38.dll
2008-05-30 21:11 1,491,992 ----a-w C:\WINDOWS\system32\D3DCompiler_38.dll
2008-05-21 23:31 --------- d-----w C:\Documents and Settings\Xing-Guo Sun MD\Application Data\Motive
2008-05-21 23:11 --------- d-----w C:\Documents and Settings\Xing-Guo Sun MD\Application Data\Verizon
2008-05-21 23:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Verizon
2008-05-21 23:10 --------- d-----w C:\Program Files\Common Files\Motive
2008-05-21 23:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Motive
2008-05-21 23:08 --------- d-----w C:\Program Files\vol_toolbar
2008-05-21 23:08 --------- d-----w C:\Documents and Settings\Xing-Guo Sun MD\Application Data\vol_toolbar
2008-05-21 22:57 --------- d-----w C:\Program Files\Verizon
2008-01-27 19:34 154,024 ----a-w C:\Documents and Settings\Xing-Guo Sun MD\Application Data\GDIPFONTCACHEV1.DAT
2007-12-22 03:13 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2006-03-30 00:35 5,120 ----a-w C:\Program Files\pythonw.exe
2006-03-30 00:35 4,608 ----a-w C:\Program Files\w9xpopen.exe
2006-03-30 00:35 4,608 ----a-w C:\Program Files\python.exe
2006-03-29 20:24 245,894 ----a-w C:\Program Files\NEWS.txt
2006-03-23 17:47 13,755 ----a-w C:\Program Files\LICENSE.txt
2006-03-13 21:51 51,999 ----a-w C:\Program Files\README.txt
2005-10-29 03:15 766 ----a-w C:\Program Files\pyc.ico
2005-10-29 03:15 766 ----a-w C:\Program Files\py.ico
2004-01-30 02:16 114,984 ------w C:\Documents and Settings\xgsun\Application Data\GDIPFONTCACHEV1.DAT
2004-01-04 23:33 32,768 ------w C:\Documents and Settings\xgsun\index.dat
2002-08-04 11:23 234 ------w C:\Program Files\INSTALL.LOG
2001-09-18 01:00 82,206 ------w C:\Program Files\installScreen.jpg
2001-09-07 00:02 91,469 ------w C:\Program Files\installScreen2.jpg
2000-12-12 18:17 100,432 ------w C:\Program Files\Win2000PPAHotfix.exe
.

((((((((((((((((((((((((((((( snapshot@2008-06-25_11.39.48.41 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-25 18:35:46 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-27 20:47:28 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-10-21 03:02:28 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
+ 2005-10-21 03:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
- 2008-06-25 01:29:44 74,137 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_activ eX.exe
+ 2008-06-26 07:11:32 74,649 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_activ eX.exe
- 2008-06-25 17:41:40 8,535 ----a-w C:\WINDOWS\system32\nvModes.dat
+ 2008-06-27 20:31:06 8,535 ----a-w C:\WINDOWS\system32\nvModes.dat
+ 2008-06-27 20:47:46 16,384 ----a-w C:\WINDOWS\Temp\Perflib_Perfdata_10c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"Microsoft AUT Update"="MSlti16.exe" []
"Skype"="D:\sam's games\Skype\Phone\Skype.exe" [2007-12-07 16:08 21686568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"ZTgServerSwitch"="c:\program files\support.com\client\bin\tgcmd.exe" [2001-08-03 19:21 1409024]
"OfficeScanNT Monitor"="C:\OFFICESCAN NT\pccntmon.exe" [2006-09-01 17:58 356429]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.E XE" [2004-08-03 22:32 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE " [2001-08-18 05:00 44032]
"MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScI nst.exe" [ ]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT \TINTSETP.EXE" [ ]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TIN TSETP.EXE" [ ]
"GhostStartTrayApp"="C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe" [2002-08-14 15:21 94208]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 03:03 49263]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-02-10 09:27 4501504]
"nwiz"="nwiz.exe" [2003-02-10 09:27 323584 C:\WINDOWS\system32\nwiz.exe]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86 \3\hpztsb07.exe" [2005-07-22 19:18 188416]
"AVFX Engine"="C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-06-09 01:11 24576]
"V0230Mon.exe"="C:\WINDOWS\system32\V0230Mon.e xe" [2006-07-19 09:00 36961]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-07 16:55 267064]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"Verizon_McciTrayApp"="C:\Program Files\Verizon\McciTrayApp.exe" [2007-09-28 11:30 936960]
"VerizonServicepoint.exe"="C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" [2007-05-11 15:20 2061816]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Run]
"Microsoft AUT Update"="MSlti16.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Clean Temp.lnk - C:\Program Files\MedGraphics\Breeze\CleanTemp.exe [2002-06-14 09

07 20548]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2005-05-02 17:52:04 10872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\policies\system]
"DisableCAD"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
ckpNotify.dll 2003-04-08 17:45 24666 C:\WINDOWS\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=yzztkmsn.dll,skqncbib.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= sonymjpg.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Clean Temp.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Clean Temp.lnk
backup=C:\WINDOWS\pss\Clean Temp.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Date Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Date Manager.lnk
backup=C:\WINDOWS\pss\Date Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON Status Monitor 3 Environment Check 2.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EPSON Status Monitor 3 Environment Check 2.lnk
backup=C:\WINDOWS\pss\EPSON Status Monitor 3 Environment Check 2.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Gas Off.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Gas Off.lnk
backup=C:\WINDOWS\pss\Gas Off.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GStartup.lnk
backup=C:\WINDOWS\pss\GStartup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PrecisionTime.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PrecisionTime.lnk
backup=C:\WINDOWS\pss\PrecisionTime.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=C:\WINDOWS\pss\Service Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CMESys]
C:\Program Files\Common Files\CMEII\CMESys.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 C:\WINDOWS\System32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadWare]
C:\Program Files\DownloadWare\dw.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
--a------ 2001-08-18 05:00 44032 C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-03 22:32 208952 C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ink Monitor]
--------- 2001-06-14 16:54 254022 C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomega Drive Icons]
--------- 2001-09-12 11:35 61440 C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomega Startup Options]
--------- 2001-01-17 17:33 45056 C:\Program Files\Iomega\Common\ImgStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoviePlace]
C:\Program Files\MoviePlace\MoviePlace.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeScanNT Monitor]
--------- 2006-09-01 17:58 356429 C:\OfficeScan NT\pccntmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Real-Tens]
--------- 2002-01-16 18:04 87040 C:\Program Files\Real-Tens\Real-Tens.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysExplr]
--------- 2003-03-02 00:23 26624 C:\SthVCD\SysExplr.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\support.com\\client\\bin\\tgcmd.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Messenger\\MSMSGS.EXE"=
"D:\\sam's games\\NEXON\\MapleStory\\Patcher.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"D:\\sam's games\\Skype\\Phone\\Skype.exe"=

R0 fasttrak;fasttrak;C:\WINDOWS\system32\DRIVERS\fast trak.sys [2003-04-25 16:20]
R1 GhPciScan;GhostPciScanner;C:\Program Files\Symantec\Norton Ghost 2003\ghpciscan.sys [2002-08-14 15:11]
R1 SonyFanC;FAN Control Device Service;C:\WINDOWS\system32\Drivers\SonyFanC.sys [2001-09-06 16:21]
R2 V7;V7;C:\WINDOWS\system32\drivers\V7.sys [2000-03-09 11:24]
S2 Portio;Portio;C:\WINDOWS\system32\drivers\portio.s ys [2004-03-16 02:40]
S3 BCM42XX;Broadcom iLine10(tm) Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\bcm42xx5.sys [2001-08-17 12:11]
S3 ngrpci;NETGEAR FA310TX Fast Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\ngrpci.sys []
S3 oad;Visibroker Activation Daemon;C:\PROGRA~1\Borland\vbroker\bin\oad.exe [1998-03-12 16:57]
S3 OMVA;VPN-1 SecureClient Adapter;C:\WINDOWS\system32\DRIVERS\OMVA.sys [2003-04-08 10:44]
S3 osagent;VisiBroker Smart Agent;C:\PROGRA~1\Borland\vbroker\bin\osagent.exe [1998-03-12 16:58]
S3 sejt1;sejt1;C:\DOCUME~1\XING-G~1\LOCALS~1\Temp\Rar$EX00.357\AkumaEngine33\sejt. sys []
S3 V0230Vfx;V0230Vfx;C:\WINDOWS\system32\DRIVERS\V023 0Vfx.sys [2006-03-23 09:00]
S3 V0230VID;Live! Cam Video IM Pro;C:\WINDOWS\system32\DRIVERS\V0230VID.sys [2006-07-24 09:00]
S3 Vmaxcomm;Vmaxcomm;C:\WINDOWS\System32\drivers\Vmax comm.sys [2003-02-25 13:38]

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{57b7de60-8e06-11db-8854-0008740432dd}]
\Shell\Auto\command - F:\boot.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL boot.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-23 08:36:02 C:\WINDOWS\Tasks\backup-C+D(sony).job"
- C:\WINDOWS\system32\ntbackup.exeobackup
.
************************************************** ************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-27 13:48:00
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\M ySql]
"ImagePath"="C:/LAB4/MYSQL/bin/mysqld-nt.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\M ySql]
"ImagePath"="C:/LAB4/MYSQL/bin/mysqld-nt.exe"
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRAM FILES\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE
C:\WINDOWS\SYSTEM32\CRYPSERV.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\PROGRAM FILES\SYMANTEC\NORTON GHOST 2003\GHOSTSTARTSERVICE.EXE
C:\PROGRAM FILES\BORLAND\INTERBASE\BIN\IBGUARD.EXE
C:\PROGRAM FILES\IOMEGA\SYSTEM32\ACTIVITYDISK.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\MSSQL7\BINN\SQLSERVR.EXE
C:\LAB4\MYSQL\BIN\MYSQLD-NT.EXE
C:\OFFICESCAN NT\NTRTSCAN.EXE
C:\WINDOWS\SYSTEM32\NVSVC32.EXE
C:\PROGRAM FILES\PROMISE\UTILITY\MSGAGT.EXE
C:\PROGRAM FILES\PROMISE\UTILITY\MSGSVR.EXE
C:\OFFICESCAN NT\TMLISTEN.EXE
C:\WINDOWS\SYSTEM32\WDFMGR.EXE
C:\OFFICESCAN NT\OFCPFWSVC.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\TEMP\GP27B4.EXE
C:\Program Files\Borland\InterBase\bin\ibserver.exe
C:\Program Files\iPod\bin\iPodService.exe
D:\sam's games\Skype\Plugin Manager\skypePM.exe
C:\OfficeScan NT\pccntupd.exe
.
************************************************** ************************
.
Completion time: 2008-06-27 13:52:41 - machine was rebooted [Xing-Guo Sun MD]
ComboFix-quarantined-files.txt 2008-06-27 20:52:34
ComboFix2.txt 2008-06-25 18:40:22

Pre-Run: 5,519,310,848 bytes free
Post-Run: 5,410,766,848 bytes free

311
The pop-ups are still poppin' up!