Inactive Explorer.exe also infected by Win32:Bamital-AC

Status
Not open for further replies.
ok after reading a lot I found many people were able to fix it (because they were using a 32-bit system)
when I tried to follow what they did I was stopped by using a 64-bit system
so now I am posting to ask what I can do
Now, so it's easier to read the logs,
I am going to make a small index.....

1.10000 DDS.txt log
1.20000 attach.txt log
1.30000 MBAM scan log....

1.10000
my DDS.txt log
DDS (Ver_10-03-17.01) - NTFSX64
Run by Archer at 17:06:52.80 on 05/10/2010 Tue
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_20
Microsoft Windows 7 Ultimate 6.1.7600.0.950.886.1033.18.4095.2304 [GMT 10:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe
C:\Program Files\ATKGFNEX\GFNEXSrv.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\RocketDock\RocketDock.exe
C:\Program Files (x86)\HideWindowPlus\HWinPlus.exe
C:\Users\Archer\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Steam\Steam.exe
C:\Users\Archer\AppData\Roaming\fbx.exe
C:\Program Files (x86)\BayGenie\ProEdition\BayGenie.exe
C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe
C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe
C:\Users\Archer\AppData\Local\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files (x86)\gogobox\gogobox.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\Lunascape\Lunascape6\Luna.exe
C:\Program Files\Rainmeter\Rainmeter.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k defragsvc
C:\Program Files\P4G\BatteryLife.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Nakido\nakido.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\SysWOW64\ctfmon.exe
C:\Program Files (x86)\gogobox\gogobox_e.exe
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\gogobox\upnp\upnp.exe
C:\Program Files (x86)\gogobox\gogobox_t.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Users\Archer\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\DllHost.exe
C:\Program Files (x86)\Skype\Toolbars\Shared\SkypeNames2.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://fl.iamwired.net/
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mLocal Page = c:\windows\syswow64\blank.htm
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files (x86)\orbitdownloader\orbitcth.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AddTask Class: {6a19c29d-ed45-4483-8999-9f939c8161f2} - c:\program files\eread\eread\WebHook.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files (x86)\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~2\micros~1\office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files (x86)\java\jre6\bin\jp2ssv.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files (x86)\orbitdownloader\GrabPro.dll
uRun: [RocketDock] "c:\program files (x86)\rocketdock\RocketDock.exe"
uRun: [HideWindowPlus] c:\program files (x86)\hidewindowplus\HWinPlus.exe -background
uRun: [Google Update] "c:\users\archer\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [msnmsgr] "c:\program files (x86)\windows live\messenger\msnmsgr.exe" /background
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Steam] "c:\program files (x86)\steam\steam.exe" -silent
uRun: [InstallMon] c:\users\archer\appdata\roaming\fbx.exe
uRun: [BayGenie] "c:\program files (x86)\baygenie\proedition\BayGenie.exe"
mRun: [HControlUser] c:\program files (x86)\asus\atk hotkey\HControlUser.exe
mRun: [ATKOSD2] c:\program files (x86)\asus\atkosd2\ATKOSD2.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files (x86)\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files (x86)\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [gogobox.exe] c:\program files (x86)\gogobox\gogobox.exe
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [StormCodec_Helper] "c:\program files (x86)\ringz studio\storm codec\StormSet.exe" /S /opti
mRun: [Malwarebytes' Anti-Malware] "c:\program files (x86)\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\users\archer\appdata\roaming\micros~1\windows\startm~1\programs\startup\rainme~1.lnk - c:\program files\rainmeter\Rainmeter.exe
StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\lunasc~1.lnk - c:\program files (x86)\lunascape\lunascape6\Luna.exe
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: NoSMBalloonTip = 1 (0x1)
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: &Download by Orbit - c:\program files (x86)\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files (x86)\orbitdownloader\orbitmxt.dll/204
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Do&wnload selected by Orbit - c:\program files (x86)\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files (x86)\orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files (x86)\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files (x86)\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files (x86)\skype\toolbars\internet explorer\skypeieplugin.dll
Trusted Zone: gogobox.com.tw
Trusted Zone: gogobox.com.tw
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {3C073A4B-B1D2-4A7B-B970-7F1277D74FB0} - hxxps://www.chb.com.tw/chbib/faces/theme/CHBCertificateDBClientCOM.cab
DPF: {650BBB86-3D77-49BA-A4B2-2455E44EB031} - hxxps://netbank.chb.com.tw/Security/PasswordMD5ClientCOM.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {C9B6115C-DEA9-11D6-8C3C-0050BAA6346E} - hxxps://netbank.chb.com.tw/Security/CertificateDBClientCOM.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DF3336AF-E259-4978-9D69-B4BBF47BE261} - hxxp://tel.isoshu.com/zxlqs.cab
DPF: {EB8D26BA-9A4C-444C-80D1-1B544F68D797} - hxxps://netbank.chb.com.tw/Security/XMLSignatureClientCOM.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files (x86)\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files (x86)\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~2\common~1\skype\Skype4COM.dll
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
TB-X64: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
mRun-x64: [RtHDVCpl] c:\program files\realtek\audio\hda\RAVCpl64.exe -s
mRun-x64: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun-x64: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
IE-X64: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}
IE-X64: {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "c:\program files (x86)\fiddler2\Fiddler.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\users\archer\appdata\roaming\mozilla\firefox\profiles\iufg130q.default\
FF - prefs.js: browser.search.defaulturl - hxxp://fl.iamwired.net/websearch.php?src=tops&search=
FF - prefs.js: browser.search.selectedEngine - Search
FF - prefs.js: browser.startup.homepage - hxxp://fl.iamwired.net/
FF - prefs.js: keyword.URL - hxxp://fl.iamwired.net/websearch.php?src=tops&search=
FF - component: c:\program files (x86)\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\progra~2\micros~1\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~2\micros~1\office14\NPSPWRAP.DLL
FF - plugin: c:\program files (x86)\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files (x86)\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files (x86)\mozilla firefox\plugins\npBFPlugin.dll
FF - plugin: c:\users\archer\appdata\local\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\users\archer\appdata\roaming\mozilla\firefox\profiles\iufg130q.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll
FF - plugin: c:\windows\system32\wat\npWatWeb.dll
FF - plugin: c:\windows\syswow64\macromed\flash\NPSWF32.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
 
============= SERVICES / DRIVERS ===============

R0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\drivers\aswNdis.sys [2010-9-8 12368]
R0 aswNdis2;avast! Firewall Core Firewall Service;c:\windows\system32\drivers\aswNdis2.sys [2010-9-8 250448]
R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [2010-4-25 37392]
R1 aswFW;avast! TDI Firewall driver;c:\windows\system32\drivers\aswFW.sys [2010-9-8 125520]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2010-9-8 463952]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-9-8 121936]
R1 VWiFiFlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 59904]
R2 ASMMAP64;ASMMAP64;c:\program files\atkgfnex\ASMMAP64.sys [2010-4-25 14904]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-9-8 20048]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-9-8 61008]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-8 40384]
R2 Nakido;Nakido;c:\program files (x86)\nakido\nakido.exe [2010-9-8 337408]
R3 NETw5s64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\drivers\NETw5s64.sys [2009-9-15 6952960]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [2010-4-25 86120]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt64win7.sys [2010-3-4 346144]
S2 avast! Firewall;avast! Firewall;c:\program files\alwil software\avast5\afwServ.exe [2010-9-8 119200]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 MBAMService;MBAMService;c:\program files (x86)\malwarebytes' anti-malware\mbamservice.exe [2010-10-5 304464]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-8 40384]
S3 DKRtWrt;DKRtWrt;c:\windows\system32\drivers\DKRtWrt.sys [2010-4-25 51120]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-10-5 24664]
S3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\drivers\netw5v64.sys [2009-6-11 5434368]
S3 ose64;Office 64 Source Engine;c:\program files\common files\microsoft shared\source engine\OSE.EXE [2009-9-26 174424]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2009-9-26 4924336]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-14 17920]
S3 WatAdminSvc;WatAdminSvc;c:\windows\system32\wat\WatAdminSvc.exe [2010-4-25 1255736]

=============== Created Last 30 ================

2010-10-05 06:36:16 0 d-----w- c:\users\archer\appdata\roaming\Malwarebytes
2010-10-05 06:36:07 24664 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-05 06:36:07 0 d-----w- c:\programdata\Malwarebytes
2010-10-05 06:36:07 0 d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2010-10-05 06:08:04 0 --sha-w- C:\DkHyperbootSync
2010-10-04 09:49:37 1060864 ----a-w- c:\windows\syswow64\mfc71.dll
2010-10-04 09:49:37 1047552 ----a-w- c:\windows\syswow64\mfc71u.dll
2010-10-04 09:49:37 1 ----a-w- c:\windows\syswow64\uuddc32.dll
2010-10-04 09:49:37 0 d-----w- c:\program files (x86)\BayGenie
2010-10-04 09:39:03 40344 ----a-w- c:\users\archer\appdata\roaming\FbxU.exe
2010-09-29 00:08:19 56 ---ha-w- c:\windows\syswow64\ezsidmv.dat
2010-09-29 00:06:50 0 d-----r- c:\program files (x86)\Skype
2010-09-29 00:06:45 0 d-----w- c:\programdata\Skype
2010-09-25 00:24:46 81920 ----a-w- c:\users\archer\appdata\roaming\fbx.exe
2010-09-19 00:39:23 0 d-----w- c:\programdata\Apple Computer
2010-09-19 00:39:22 0 d-----w- c:\program files (x86)\common files\Real
2010-09-19 00:39:21 0 d-----w- c:\program files (x86)\Ringz Studio
2010-09-19 00:30:55 0 d-----w- c:\users\archer\appdata\roaming\Application Data
2010-09-19 00:30:55 0 d-----w- c:\programdata\Storm
2010-09-18 15:57:11 38 ----a-w- c:\windows\avisplitter.ini
2010-09-18 15:57:06 839680 ----a-w- c:\windows\syswow64\lameACM.acm
2010-09-18 15:57:06 414 ----a-w- c:\windows\syswow64\lame_acm.xml
2010-09-18 15:57:06 39936 ----a-w- c:\windows\syswow64\huffyuv.dll
2010-09-18 15:57:06 391680 ----a-w- c:\windows\syswow64\I263_32.drv
2010-09-18 15:57:06 2931712 ----a-w- c:\windows\syswow64\x264vfw.dll
2010-09-18 15:57:06 287744 ----a-w- c:\windows\syswow64\divxa32.acm
2010-09-18 15:57:06 232448 ----a-w- c:\windows\syswow64\mp3fhg.acm
2010-09-18 15:57:06 217088 ----a-w- c:\windows\syswow64\yv12vfw.dll
2010-09-18 15:57:06 151552 ----a-w- c:\windows\syswow64\ac3acm.acm
2010-09-15 07:46:34 0 --sh--r- C:\logwmemory.bin
2010-09-14 21:15:05 2058752 ----a-w- c:\windows\syswow64\iertutil.dll
2010-09-14 21:14:52 558592 ----a-w- c:\windows\system32\spoolsv.exe
2010-09-08 12:04:26 463952 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2010-09-08 12:04:25 125520 ----a-w- c:\windows\system32\drivers\aswFW.sys
2010-09-08 12:04:03 250448 ----a-w- c:\windows\system32\drivers\aswNdis2.sys
2010-09-08 12:03:59 61008 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-09-08 12:03:38 38848 ----a-w- c:\windows\avastSS.scr
2010-09-08 12:03:38 167592 ----a-w- c:\windows\syswow64\aswBoot.exe
2010-09-08 12:03:38 12368 ----a-w- c:\windows\system32\drivers\aswNdis.sys
2010-09-08 11:29:45 0 d-----w- c:\users\archer\appdata\roaming\PPStream
2010-09-08 11:29:44 20 ----a-w- c:\windows\powerlist.ini
2010-09-08 11:29:38 709 ----a-w- c:\windows\powerplayer.ini
2010-09-08 11:29:38 251 ----a-w- c:\windows\psnetwork.ini
2010-09-08 11:29:37 447880 ----a-w- c:\windows\system32\rmsplt.ax
2010-09-08 11:29:37 1384448 ----a-w- c:\windows\system32\PPSMInfo.dll
2010-09-08 10:52:29 0 d-----w- c:\program files (x86)\Nakido
2010-09-05 09:53:35 0 d-----w- c:\users\archer\appdata\roaming\K-ON_DTA
2010-09-05 09:51:52 0 d-----w- c:\program files (x86)\data

==================== Find3M ====================

2010-07-29 06:30:34 82944 ----a-w- c:\windows\syswow64\iccvid.dll
2010-07-27 14:03:24 12867584 ----a-w- c:\windows\syswow64\shell32.dll
2010-07-23 10:48:44 108432 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2010-07-12 09:49:51 258352 ----a-w- c:\windows\syswow64\unicows.dll
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:54:24 174 --sha-w- c:\program files\desktop.ini
2009-07-14 04:54:24 174 --sha-w- c:\program files (x86)\desktop.ini
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 20:44:08 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2010-04-27 17:48:08 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2010-04-27 17:48:08 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2010-04-27 17:48:08 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2010-04-24 17:23:51 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-07-14 01:39:53 398848 --sha-w- c:\windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_4d4d1f2f696639a2\WinMail.exe
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 17:08:36.11 ===============


1.20000
my attach.txt log

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows 7 Ultimate
Boot Device: \Device\HarddiskVolume1
Install Date: 25/04/2010 2:09:27 PM
System Uptime: 10/05/2010 5:03:39 PM (3552 hours ago)

Motherboard: ASUSTeK Computer Inc. | | N50Vn
Processor: Intel(R) Core(TM)2 Duo CPU P8600 @ 2.40GHz | Socket 478 | 2401/267mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 98 GiB total, 2.636 GiB free.
D: is FIXED (NTFS) - 135 GiB total, 8.306 GiB free.
E: is CDROM ()
F: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft Virtual WiFi Miniport Adapter
Device ID: {5D624F94-8850-40C3-A3FA-A4FD2080BAF3}\VWIFIMP\5&FEFA7DE&0&01
Manufacturer: Microsoft
Name: Microsoft Virtual WiFi Miniport Adapter
PNP Device ID: {5D624F94-8850-40C3-A3FA-A4FD2080BAF3}\VWIFIMP\5&FEFA7DE&0&01
Service: vwifimp

Class GUID:
Description: STK7700D
Device ID: USB\VID_1164&PID_1F08\0000000001
Manufacturer:
Name: STK7700D
PNP Device ID: USB\VID_1164&PID_1F08\0000000001
Service:

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

??????????
7-Zip 4.65
Active@ Partition Recovery
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Reader 9.3.4
Adobe Shockwave Player 11.5
Alien Swarm - SDK
ASUS LifeFrame3
ASUS Virtual Camera
ATK Generic Function Service
ATK Hotkey
ATKOSD2
avast! Internet Security
BayGenie eBay Auction Sniper Pro Edition 3.3.5.4
Cheat Engine 5.5
Cheat Engine 5.6
e-tax 2010
GOGOBOX
Google Chrome
HP USB Disk Storage Format Tool
ImgBurn
IrfanView (remove only)
Java Auto Updater
Java(TM) 6 Update 20
JDownloader
K-Lite Mega Codec Pack 6.4.0
Lunascape6 (All Users)
Malwarebytes' Anti-Malware
Messenger Plus! Live
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.6.10)
MSVCRT
Nakido
NVIDIA PhysX
Orbit Downloader
piaip AppLocale
Picasa 3
Rainmeter (remove only)
Realtek Ethernet Controller Driver
Realtek High Definition Audio Driver
RICOH R5U8xx Media Driver ver.3.62.02
RocketDock 1.3.5
save2pc Pro 3.60
Sengoku Rance English v1.01
Skype Toolbars
Skype? 4.2
StarCraft II
Steam
Storm Codec
System Requirements Lab
TalonRO Client 1.0.0
Team Fortress 2
Team Fortress 2 Dedicated Server
WC3Banlist
Windows 7 USB/DVD Download Tool
Windows Live Communications Platform
Windows Live Messenger
Windows Media Player Firefox Plugin
WinPcap 4.1.1
Wireless Console 2
μTorrent
炎?孕??????身体測定

==== Event Viewer Messages From Past Week ========

5/10/2010 5:05:58 PM, Error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/10/2010 5:05:58 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
5/10/2010 5:05:57 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.
5/10/2010 5:02:12 PM, Error: Service Control Manager [7038] - The WerSvc service was unable to log on as NT AUTHORITY\SYSTEM with the currently configured password due to the following error: The RPC server is unavailable. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
5/10/2010 5:02:11 PM, Error: Service Control Manager [7038] - The WerSvc service was unable to log on as NT AUTHORITY\SYSTEM with the currently configured password due to the following error: The remote procedure call failed. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
5/10/2010 5:02:11 PM, Error: Service Control Manager [7034] - The MBAMService service terminated unexpectedly. It has done this 1 time(s).
5/10/2010 5:01:49 PM, Error: Service Control Manager [7034] - The ASLDR Service service terminated unexpectedly. It has done this 1 time(s).
5/10/2010 4:13:43 PM, Error: VDS Basic Provider [1] - Unexpected failure. Error code: 490@01010004
4/10/2010 9:38:34 AM, Error: Service Control Manager [7023] - The SPP Notification Service service terminated with the following error: Access is denied.
4/10/2010 2:49:02 PM, Error: volsnap [36] - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
29/09/2010 2:14:50 AM, Error: Service Control Manager [7031] - The avast! Firewall service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.

==== End Of File ===========================
 
1.30000
my MBAM scan log
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4746

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

5/10/2010 6:22:40 PM
mbam-log-2010-10-05 (18-22-40).txt

Scan type: Full scan (C:\|)
Objects scanned: 295956
Time elapsed: 1 hour(s), 16 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Archer\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0006e3 (Adware.Agent) -> Quarantined and deleted successfully.
C:\Users\Archer\Desktop\PPS網路電視+vip破解+無廣告\PPStreamNOAD.exe (Trojan.Autorun) -> Quarantined and deleted successfully.
C:\Users\Archer\Desktop\temp\Desktop\CrazyMulti.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Archer\Desktop\temp\Nore._9.4.26.0\Keymaker.Nero.9.4.26.0 v5.55.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Archer\Desktop\temp\Your Uninstaller! 2008 PRO v6.1.1233\Your Uninstaller 2008\Keygen.exe (Trojan.Dropper.PGen) -> Quarantined and deleted succes
 
Download SUPERAntiSpyware Free for Home Users:
http://www.superantispyware.com/


  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
  • Close SUPERAntiSpyware.
Restart the computer in Safe Mode.
To enter Safe Mode, restart the computer and keep tapping the F8 key until a menu appears; pick Safe Mode; you'll see "Safe Mode" in all four corners of your screen.

  • Open SUPERAntiSpyware.
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Copy and paste the Scan Log results in your next reply with a new HijackThis log.
  • Click Close to exit the program.

Post SUPERAntiSpyware log.

======================================================================

Download MBRCheck to your desktop.

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
Enter N to exit.
A report called MBRcheckxxxx.txt will be on your desktop.
Open this report and post its content in your next reply.
 