
NEW post with SUPERAntiSpyware Scan Log, combofix log, and hijackthis report

Posted 2/4/2009 4:00 AM
#71948

HowardChu Member

Date Joined Nov 2016
Total Posts: 4
SUPERAntiSpyware Scan Log
https://www.superantispyware.com

Generated 02/02/2009 at 10:06 PM

Application Version : 4.25.1012

Core Rules Database Version : 3741
Trace Rules Database Version: 1707

Scan type : Complete Scan
Total Scan Time : 00:40:15

Memory items scanned : 379
Memory threats detected : 0
Registry items scanned : 5642
Registry threats detected : 0
File items scanned : 32981
File threats detected : 0



ComboFix 09-02-02.04 - Owner 2009-02-02 22:21:29.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.936.86.1033.18.894.373 [GMT -5:00]
执行位置: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( 被删除的档案 )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Local Settings\Application Data\baidu
C:\Program Files\StormII
C:\Program Files\StormII\GdiPlus.dll
C:\Program Files\StormII\GifParser.dll
C:\Program Files\StormII\video.dll
C:\WINDOWS\system32\dbxDgrevCheck.dll
.
---- 早前运行的结果 -------
.
C:\Documents and Settings\Owner\Local Settings\Application Data\baidu
C:\Program Files\StormII
C:\Program Files\StormII\GdiPlus.dll
C:\Program Files\StormII\GifParser.dll
C:\Program Files\StormII\server.ecs
C:\Program Files\StormII\StormExcept.log
C:\Program Files\StormII\video.dll
C:\WINDOWS\system32\dbxDgrevCheck.dll
C:\WINDOWS\system32\iexp_log.txt
C:\WINDOWS\system32\lylk.dat

.
((((((((((((((((((((((((((((((((((((((( 驱动/服务 )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BDGUARD
-------\Legacy_PACKET
-------\Legacy_BDGUARD
-------\Legacy_PACKET


((((((((((((((((((((((((( 2009-01-03 至 2009-02-03 的新的档案 )))))))))))))))))))))))))))))))
.

2009-01-31 10:02 . 2009-02-02 12:05 d-------- C:\WINDOWS\system32\CatRoot_bak
2009-01-31 01:54 . 2009-01-31 09:59 d-------- C:\Program Files\Spyware Doctor
2009-01-31 01:48 . 2009-01-31 09:59 d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2009-01-31 00:15 . 2009-01-31 00:15 d-------- C:\WINDOWS\system32\scripting
2009-01-31 00:15 . 2009-01-31 00:15 d-------- C:\WINDOWS\l2schemas
2009-01-31 00:03 . 2009-01-31 00:16 d-------- C:\WINDOWS\ServicePackFiles
2009-01-30 23:57 . 2006-12-29 20:02 67,866 --------- C:\WINDOWS\system32\drivers\netwlan5.img
2009-01-30 23:57 . 2006-12-29 20:21 64,352 --------- C:\WINDOWS\system32\drivers\ativmc20.cod
2009-01-30 23:54 . 2006-12-29 00:31 19,569 --a------ C:\WINDOWS\003082_.tmp
2009-01-30 11:48 . 2009-02-02 21:02 d-------- C:\ComboFix(2)
2009-01-30 10:05 . 2009-01-30 10:05 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2009-01-29 08:31 . 2009-01-29 08:31 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-29 08:30 . 2009-01-29 08:30 d-------- C:\Program Files\SUPERAntiSpyware
2009-01-29 08:30 . 2009-01-29 08:30 d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2009-01-29 08:27 . 2009-01-29 08:27 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2009-01-29 07:36 . 2009-01-29 07:37 d-------- C:\Program Files\CCleaner
2009-01-28 21:56 . 2009-02-01 19:09 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2009-01-28 21:56 . 2009-02-01 19:10 55,152 --a------ C:\WINDOWS\system32\drivers\HookNtos.sys
2009-01-28 21:56 . 2009-02-01 19:10 34,800 --a------ C:\WINDOWS\system32\drivers\HOOKREG.sys
2009-01-28 21:54 . 2009-01-30 09:29 d-------- C:\Program Files\Rising
2009-01-28 21:06 . 2009-01-28 21:06 d-------- C:\Program Files\Common Files\xing shared
2009-01-28 21:05 . 2009-01-29 01:14 d-------- C:\Program Files\KWREAL
2009-01-28 21:04 . 2009-01-28 21:04 d-------- C:\Program Files\Real
2009-01-28 21:04 . 2009-01-28 21:07 d-------- C:\Program Files\Common Files\Real
2009-01-27 19:42 . 2009-01-27 19:42 d-------- C:\Documents and Settings\Owner\Application Data\Moyea
2009-01-27 19:41 . 2009-01-27 19:41 d-------- C:\Program Files\Moyea
2009-01-27 15:24 . 2009-01-27 15:24 d-------- C:\Documents and Settings\All Users\Application Data\ESET
2009-01-27 07:42 . 2009-01-27 07:42 d-------- C:\spoolerlogs
2009-01-27 07:38 . 2009-01-27 07:38 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2009-01-27 07:37 . 2009-01-27 07:37 d-------- C:\Program Files\Common Files\Skype
2009-01-27 00:39 . 2009-01-27 00:39 d-------- C:\Documents and Settings\Owner\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-01-26 16:24 . 2009-01-26 16:43 d-------- C:\SES renew

.
(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-02 16:56 --------- d-----w C:\Documents and Settings\Owner\Application Data\skypePM
2009-01-31 15:07 --------- d-----w C:\Program Files\DivX
2009-01-31 14:59 --------- d-----w C:\Program Files\Picasa2
2009-01-31 14:59 --------- d-----w C:\Program Files\Google
2009-01-31 14:58 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2009-01-30 23:45 --------- d-----w C:\Program Files\Java
2009-01-29 16:59 --------- d-----w C:\Program Files\eMule
2009-01-29 08:37 --------- d-----w C:\Documents and Settings\Owner\Application Data\Skype
2009-01-29 08:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Rising
2009-01-27 12:37 --------- d-----w C:\Program Files\Skype
2009-01-27 05:37 --------- d-----w C:\Program Files\Common Files\Adobe
2009-01-26 19:10 --------- d-----w C:\Program Files\Thunder Network
2009-01-26 14:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Storm
2008-12-11 11:57 333,184 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-01-04 12:34 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-06-11 20:11 36,864 ----a-w C:\Program Files\mozilla firefox\components\NsThunderLoader.dll
2008-06-11 20:11 53,248 ----a-w C:\Program Files\mozilla firefox\components\ThunderComponent.dll
.

((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-15 16:17 1830128]
"ccleaner"="C:\Program Files\CCleaner\CCleaner.exe" [2009-01-20 11:00 1451248]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 02:42 212992]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 16:45 279912]
"VX1000"="C:\WINDOWS\vVX1000.exe" [2007-04-10 16:46 709992]
"PHIMETIPSYNC"="C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\Phonetic\TINTLCFG.EXE" [2003-07-14 05:57 95296]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 03:27 144784]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-17 03:34 16143872 C:\WINDOWS\RTHDCPL.exe]



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:14, on 2009-02-02
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Moyea\YouTube FLV Downloader\FLVDownloader.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Recguard] ; %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [LifeCam] ; "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX1000] ; C:\WINDOWS\vVX1000.exe
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\Phonetic\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [SunJavaUpdateSched] ; "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: https://*.rising.com.cn
O15 - ESC Trusted Zone: https://*.update.microsoft.com
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - https://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - https://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
O16 - DPF: {D82303B7-A754-4DCB-8AFC-8CF99435AACE} (KUpdateObj2 Class) - https://shadu.duba.net/html_v4/KOSInit.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe (file missing)

--
End of file - 5248 bytes
Posted 2/4/2009 6:58 AM
#71953

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
Hello HowardChu :smile:

How are things running now?

Click here: Before-posting-a-log
Do not PM me with logfiles. They will be deleted.


Posted 2/4/2009 11:19 PM
#71981

HowardChu Member

Date Joined Nov 2016
Total Posts: 4
Hello Moderator, good to hear from you.
I think BullGuard is great. I believe my computers will run better now.

I noticed the PF Usage in Windows Task Manager started from ~350 MB, then gradually increased to 1 Gig (it takes a couple of hours to reach 1 Gig+).
Then I just redo the process as suggested (CCleaner, SUPERAntiSpyware, HijackThis, ComboFix) again.
I feel there is something wrong, yet I don't know what's wrong.
Does the HijackThis report look normal to you?

Thanks for your help.
Posted 2/5/2009 6:09 AM
#71988

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
HijackThis log looks clean ;-)

However, I suggest you run the below scan tool -

Please download Malwarebytes' Anti-Malware:

https://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol;pop&cdlPid=10878968

to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

Please connect all your external hard drives/flash drives before running Malwarebytes, if you have any.

At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform full scan, then click Scan.

When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click Remove Selected.

When completed, a log will open in Notepad. Please save it to a convenient location.

Copy and paste that log into your next reply.



Posted 2/8/2009 1:44 AM
#72119

HowardChu Member

Date Joined Nov 2016
Total Posts: 4
Hello Moderator,

It's Howard again.
I tried the suggestion and ran the mbam-setup.exe.
It did find 4 extra viruses and cleaned them for me. GREAT.

I was away in Canada for 2 days and came back to continue my cleaning process.

The PF usage is still doing a similar thing, which is that the PF usage starts at 300+ MB and slowly increases to 1.0+ GB. The CPU usage varied between 30 and 40% (about half of it is kernel usage).

When I first start Windows Task Manager, the CPU usage peaks at almost 100%, then drops to 30%.

Is there anything else that I can try?

Thanks for your help. It's been great. I can see that it is better than before; I just hope there is more to try.
Posted 2/8/2009 5:46 AM
#72131

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
OK. How much RAM is there in your computer? And I assume you mean Pagefile = PF Usage.



Posted 2/8/2009 6:12 AM
#72135

HowardChu Member

Date Joined Nov 2016
Total Posts: 4
Yes, you are right. Pagefile = PF Usage
I have 1024 MB DDR2.
Gee that's not much.
Posted 2/8/2009 6:36 AM
#72137

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
Not anymore. 2 or 3 GB should be better :smile:

Look here for how to manage the Pagefile -

https://www.petri.co.il/pagefile_optimization.htm

I also suggest you empty the Pagefile -

Windows stores the memory swap in a file, pagefile.sys. This memory is useful in particular when your RAM is saturated. The file can then be rather bulky, and it is then possible, if you wish, to empty the swap file when leaving Windows.

To empty the memory swap file when Windows closes:

  1. Click the Start menu and choose Run, then type regedit and click OK.
  2. In the regedit window which opens, unroll the branch: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
  3. Double-click on the ClearPageFileAtShutdown key and set its value to 1.
  4. Close and reboot.

If you prefer, set the value back to 0.

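An added example, not from this thread or from BullGuard: a PowerShell snippet that reports the figures the discussion above turns on (installed RAM, pagefile allocation, current and peak pagefile use) together with the current ClearPageFileAtShutdown setting, and can set that same registry value instead of editing it by hand in regedit. It assumes a current Windows with PowerShell 5 or later (Get-CimInstance; on an XP-era system the equivalent is Get-WmiObject), and the function names are my own.

```powershell
# Added example (not from the thread). Reports RAM vs. pagefile usage and the
# ClearPageFileAtShutdown setting discussed above. Run elevated to change the value.
$MemMgmt = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-PagefileReport {
    # Installed RAM in MB, for comparison with the pagefile figures (the thread's 1024 MB machine).
    $ramMB = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
    # Win32_PageFileUsage reports MB: size on disk, in use right now, and peak since boot.
    $pf = Get-CimInstance Win32_PageFileUsage
    # The value may be absent entirely; Windows treats that the same as 0 (do not clear).
    $clear = (Get-ItemProperty -Path $MemMgmt -Name ClearPageFileAtShutdown -ErrorAction SilentlyContinue).ClearPageFileAtShutdown
    $clearVal = if ($null -eq $clear) { 0 } else { [int]$clear }
    [pscustomobject]@{
        InstalledRamMB          = $ramMB
        PagefileAllocatedMB     = ($pf | Measure-Object AllocatedBaseSize -Sum).Sum
        PagefileCurrentMB       = ($pf | Measure-Object CurrentUsage -Sum).Sum
        PagefilePeakMB          = ($pf | Measure-Object PeakUsage -Sum).Sum
        ClearPageFileAtShutdown = $clearVal
    }
}

function Set-ClearPageFileAtShutdown {
    param([ValidateSet(0, 1)][int]$Value)
    # Same key and value as steps 2-3 above: REG_DWORD 1 = overwrite pagefile.sys at shutdown,
    # 0 = leave it. Takes effect after a reboot; clearing a large pagefile slows shutdown.
    New-ItemProperty -Path $MemMgmt -Name ClearPageFileAtShutdown -PropertyType DWord -Value $Value -Force | Out-Null
    # Read the value back so the caller sees what is actually stored.
    (Get-ItemProperty -Path $MemMgmt -Name ClearPageFileAtShutdown).ClearPageFileAtShutdown
}

$report = Get-PagefileReport
$report | Format-List
# Flag the pattern from the thread: peak pagefile use approaching the amount of installed RAM.
if ($report.PagefilePeakMB -ge 0.8 * $report.InstalledRamMB) {
    Write-Warning ("Peak pagefile use ({0} MB) is close to installed RAM ({1} MB); " +
        "check per-process memory in Task Manager before tuning the pagefile.") -f
        $report.PagefilePeakMB, $report.InstalledRamMB
}
# To enable clearing at shutdown (needs an elevated session), uncomment:
# Set-ClearPageFileAtShutdown -Value 1
```

Clearing the pagefile at shutdown removes paged-out memory contents (which can include credentials or session keys) from the disk, which is the security reason to set it; it does nothing about the growing usage itself, which is a question of what is consuming memory while the system runs.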

