What disabled my network connection

Name: kvl
Date: January 24, 2009 at 07:08:55 Pacific
OS: Windows XP
CPU/Ram: Pentium R Dual CPU 1.73GHz / 2GB
Product: Compaq / Presario c700
Subcategory: Viruses
Comment:

Hi, it seems I've been infected with a virus named winupgro.exe recently.

I don't know if it disabled my network or if it's just a hardware failure, but the network died a few hours after I got infected. This is really a coincidence!

The network icon in the system tray still shows as connected, but when I double-click it there's no IP address, no subnet mask, etc.; when I click 'Repair', Windows issues a message:
"Windows could not finish repairing the problem because the following action cannot be completed: Failed to query TCP/IP settings of the connection. Cannot proceed"

I'm posting this from another computer (I have 2 computers and this one's network still works).

I've read other posts related to this virus. The post said something about Combofix. I downloaded it and ran it. The virus seems to have disappeared afterward, but the internet still doesn't work. This is my log from Combofix:

ComboFix 09-01-21.04 - KVL 2009-01-24 21:25:00.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1647 [GMT 7:00]
Running from: c:\documents and settings\KVL\Desktop\abc.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\1doc2pdf.dll
c:\documents and settings\All Users\Application Data\pdfdoc2.dll
c:\documents and settings\KVL\Application Data\drivers\downld
c:\documents and settings\KVL\Application Data\drivers\downld\1186593.exe
c:\documents and settings\KVL\Application Data\drivers\downld\1190531.exe
c:\documents and settings\KVL\Application Data\drivers\downld\1190546.exe
c:\documents and settings\KVL\Application Data\drivers\downld\1207156.exe
c:\documents and settings\KVL\Application Data\drivers\downld\1212953.exe
c:\documents and settings\KVL\Application Data\drivers\downld\1212984.exe
c:\documents and settings\KVL\Application Data\drivers\downld\1307484.exe
c:\documents and settings\KVL\Application Data\drivers\downld\1317546.exe
c:\documents and settings\KVL\Application Data\drivers\downld\1318906.exe
c:\documents and settings\KVL\Application Data\drivers\downld\1322109.exe
c:\documents and settings\KVL\Application Data\drivers\downld\1331156.exe
c:\documents and settings\KVL\Application Data\drivers\downld\1332703.exe
c:\documents and settings\KVL\Application Data\drivers\downld\13703468.exe
c:\documents and settings\KVL\Application Data\drivers\downld\13705343.exe
c:\documents and settings\KVL\Application Data\drivers\downld\1475906.exe
c:\documents and settings\KVL\Application Data\drivers\downld\1480984.exe
c:\documents and settings\KVL\Application Data\drivers\downld\1482703.exe
c:\documents and settings\KVL\Application Data\drivers\downld\1539312.exe
c:\documents and settings\KVL\Application Data\drivers\downld\1861750.exe
c:\documents and settings\KVL\Application Data\drivers\downld\2078390.exe
c:\documents and settings\KVL\Application Data\drivers\downld\2089140.exe
c:\documents and settings\KVL\Application Data\drivers\downld\471859.exe
c:\documents and settings\KVL\Application Data\drivers\downld\473109.exe
c:\documents and settings\KVL\Application Data\drivers\downld\473125.exe
c:\documents and settings\KVL\Application Data\drivers\downld\616093.exe
c:\documents and settings\KVL\Application Data\drivers\downld\619296.exe
c:\documents and settings\KVL\Application Data\drivers\downld\620218.exe
c:\documents and settings\KVL\Application Data\drivers\downld\696937.exe
c:\documents and settings\KVL\Application Data\drivers\downld\773000.exe
c:\documents and settings\KVL\Application Data\drivers\srosa.sys
c:\documents and settings\KVL\Application Data\drivers\srosa2.sys
c:\documents and settings\KVL\Application Data\drivers\winupgro.exe
c:\documents and settings\KVL\Application Data\m
c:\documents and settings\KVL\Application Data\m\data.oct
c:\documents and settings\KVL\Application Data\m\flec006.exe
c:\documents and settings\KVL\Application Data\m\list.oct
c:\documents and settings\KVL\Application Data\m\shared\[mobile game] Need for speed carbon motorola v3 multilanguage_adapted_adapted.zip
c:\documents and settings\KVL\Application Data\m\shared\[PocketPC].Symantec.Antivirus.for.Handhelds.2004.v3.0.0.194.PalmOS.PPC.Retail-CSCPDA.zip
c:\documents and settings\KVL\Application Data\m\shared\1 2 3 Web Protect 1.8C.zip
c:\documents and settings\KVL\Application Data\m\shared\3D Alien Babies
c:\documents and settings\KVL\Application Data\m\shared\3D Browser Pro 6.1.zip
c:\documents and settings\KVL\Application Data\m\shared\3MB Mpeg Encoder 1.00.zip
c:\documents and settings\KVL\Application Data\m\shared\A RobFantastic MP3 Encoder 2.0.zip
c:\documents and settings\KVL\Application Data\m\shared\AdsenseTray 1.1.zip
c:\documents and settings\KVL\Application Data\m\shared\Advanced Pic Hunter 3.5.zip
c:\documents and settings\KVL\Application Data\m\shared\Afree AVI FLV MPEG WMV ASF MP4 to MOV Converter 5.1.zip
c:\documents and settings\KVL\Application Data\m\shared\Aitor 1.0.zip
c:\documents and settings\KVL\Application Data\m\shared\Bart Moonwalks 1.0.zip
c:\documents and settings\KVL\Application Data\m\shared\BinViewer 2.0.3.18.zip
c:\documents and settings\KVL\Application Data\m\shared\Bitmap to Html table convertor 0.92.zip
c:\documents and settings\KVL\Application Data\m\shared\Bodie's Splitter 1.02.zip
c:\documents and settings\KVL\Application Data\m\shared\Calculate My Loan 1.00 1.0.zip
c:\documents and settings\KVL\Application Data\m\shared\CGPWord 2.0.zip
c:\documents and settings\KVL\Application Data\m\shared\CopyQueue 1.0.1.40.zip
c:\documents and settings\KVL\Application Data\m\shared\Cracks & Keys - Avast! 4 X Professional Edition Repack Crk.zip
c:\documents and settings\KVL\Application Data\m\shared\CSC Date Calculator 2.1.zip
c:\documents and settings\KVL\Application Data\m\shared\Cyber AVI Converter 2.0.0.1.zip
c:\documents and settings\KVL\Application Data\m\shared\DataProspector 3.1.zip
c:\documents and settings\KVL\Application Data\m\shared\Design Waveform 1.zip
c:\documents and settings\KVL\Application Data\m\shared\Deskman Pro 8.1.1.zip
c:\documents and settings\KVL\Application Data\m\shared\Easy DV to DVD 1.3.7.1121.zip
c:\documents and settings\KVL\Application Data\m\shared\Easy Exchange Administrator 3.29.zip
c:\documents and settings\KVL\Application Data\m\shared\eBook Fixer 2.0.zip
c:\documents and settings\KVL\Application Data\m\shared\eDocOrganizer 3.0.1.zip
c:\documents and settings\KVL\Application Data\m\shared\Emsa EZ Encryption Tool 1.0.46.zip
c:\documents and settings\KVL\Application Data\m\shared\ewido.anti-malware.zip
c:\documents and settings\KVL\Application Data\m\shared\F-Prot.AntiVirus.v3.14.MultiUser.WinAll-UnderPl.(ed2klinks.com).zip
c:\documents and settings\KVL\Application Data\m\shared\facedesk 0.7.zip
c:\documents and settings\KVL\Application Data\m\shared\Fiat.Panda.-.Seat.Marbella.zip
c:\documents and settings\KVL\Application Data\m\shared\Financial Advisor 2.71.zip
c:\documents and settings\KVL\Application Data\m\shared\Fire Messenger 1.0.zip
c:\documents and settings\KVL\Application Data\m\shared\Fireplace 1.0.zip
c:\documents and settings\KVL\Application Data\m\shared\FLAV PSP Video Converter 2.58.15.zip
c:\documents and settings\KVL\Application Data\m\shared\Flobo Hard Disk Repair 1.5.zip
c:\documents and settings\KVL\Application Data\m\shared\Flowers Pack2 1.0.zip
c:\documents and settings\KVL\Application Data\m\shared\Folder Iconizer 1.4.zip
c:\documents and settings\KVL\Application Data\m\shared\Forecasters Horoscopes 1.0.zip
c:\documents and settings\KVL\Application Data\m\shared\FoxPro2MSSQL Pro 1.0.2.zip
c:\documents and settings\KVL\Application Data\m\shared\FreeSysInfo 1.2.zip
c:\documents and settings\KVL\Application Data\m\shared\FzCalc 1.2.zip
c:\documents and settings\KVL\Application Data\m\shared\Glarysoft Process Manager 1.4.zip
c:\documents and settings\KVL\Application Data\m\shared\Green Reporter 1.2.zip
c:\documents and settings\KVL\Application Data\m\shared\Handy Tweakers 1.0.zip
c:\documents and settings\KVL\Application Data\m\shared\iDo Wedding Couple Edition 9.5b.zip
c:\documents and settings\KVL\Application Data\m\shared\iFind 1.0.zip
c:\documents and settings\KVL\Application Data\m\shared\ImageMove 1.0.zip
c:\documents and settings\KVL\Application Data\m\shared\IMITATION 1.2.zip
c:\documents and settings\KVL\Application Data\m\shared\Ipodelite Video To iPhone Converter 1.0.zip
c:\documents and settings\KVL\Application Data\m\shared\Joboshare DVD to iPod Converter 2.3.9.1117.zip
c:\documents and settings\KVL\Application Data\m\shared\k5nCal 0.9.6.zip
c:\documents and settings\KVL\Application Data\m\shared\KansasCity.com 1.0.0.zip
c:\documents and settings\KVL\Application Data\m\shared\Karen's Registry Pruner 2.5.zip
c:\documents and settings\KVL\Application Data\m\shared\Kaspersky.6.e.Internet.Securiy.6.ITA_OK.zip
c:\documents and settings\KVL\Application Data\m\shared\Kaspersky.Anti-Hacker.v1.9.36.Beta.FR.Incl-Key.zip
c:\documents and settings\KVL\Application Data\m\shared\Katie Holmes Screensaver5.zip
c:\documents and settings\KVL\Application Data\m\shared\kBilling 2.8.1.zip
c:\documents and settings\KVL\Application Data\m\shared\Keyboard Method 1.0.zip
c:\documents and settings\KVL\Application Data\m\shared\KNOCKS RibbonControls 1.0.zip
c:\documents and settings\KVL\Application Data\m\shared\Lanovision 0.9.8.9 Beta.zip
c:\documents and settings\KVL\Application Data\m\shared\Lenogo DVD to Zune Converter 6.5.zip
c:\documents and settings\KVL\Application Data\m\shared\LibZIP 2.6.zip
c:\documents and settings\KVL\Application Data\m\shared\LingvoSoft Learning PhraseBook 2007 Portuguese - Finnish 2.2.75.zip
c:\documents and settings\KVL\Application Data\m\shared\Local IP & Host 1.0.zip
c:\documents and settings\KVL\Application Data\m\shared\MB Free Numerology Pro Software 1.75.zip
c:\documents and settings\KVL\Application Data\m\shared\McAfee.VirusScan.2006.(v10.0).&.Firewall.Plus.2006.(v7.0).Enterprise.zip
c:\documents and settings\KVL\Application Data\m\shared\MegaFix 1.1.zip
c:\documents and settings\KVL\Application Data\m\shared\Microsoft Windows XP Plus! Service Pack 1.zip
c:\documents and settings\KVL\Application Data\m\shared\MP3 Space Maker Pro 1.3.5.zip
c:\documents and settings\KVL\Application Data\m\shared\Name Code 1.0.zip
c:\documents and settings\KVL\Application Data\m\shared\Navibar 0.10.3.zip
c:\documents and settings\KVL\Application Data\m\shared\New Jersey Realty Transfer Fee 1.2.zip
c:\documents and settings\KVL\Application Data\m\shared\New Utilities 2.5.zip
c:\documents and settings\KVL\Application Data\m\shared\Notches Toolbar 0.7.5.zip
c:\documents and settings\KVL\Application Data\m\shared\NuGenVizDOC 1.6.1.7.zip
c:\documents and settings\KVL\Application Data\m\shared\O3Spaces Workplace 2.3.zip
c:\documents and settings\KVL\Application Data\m\shared\Object FIX ZIP 1.7.zip
c:\documents and settings\KVL\Application Data\m\shared\OEAPI 3.2.3.zip
c:\documents and settings\KVL\Application Data\m\shared\OJOsoft Audio Converter 2.5.1.1121.zip
c:\documents and settings\KVL\Application Data\m\shared\P2P Messenger .NET 4.0.3.zip
c:\documents and settings\KVL\Application Data\m\shared\pdf-FieldMerge 5.0.3.zip
c:\documents and settings\KVL\Application Data\m\shared\Personal GlucoseTracker 3.0.0.1.zip
c:\documents and settings\KVL\Application Data\m\shared\PerspectiveGrid 1.3.1.zip
c:\documents and settings\KVL\Application Data\m\shared\Photo to Sketch Pro 3.51.zip
c:\documents and settings\KVL\Application Data\m\shared\Portable Sveglia 2.1.zip
c:\documents and settings\KVL\Application Data\m\shared\Pro FileSender 1.0.0.6.zip
c:\documents and settings\KVL\Application Data\m\shared\Radar Catalunya 1.0.zip
c:\documents and settings\KVL\Application Data\m\shared\Reveal 1.2.zip
c:\documents and settings\KVL\Application Data\m\shared\Runecats Explorer Pro 1.4.zip
c:\documents and settings\KVL\Application Data\m\shared\Schoolremote Studio 3.2.2.91.zip
c:\documents and settings\KVL\Application Data\m\shared\Shinimegami Media Player SDK 2.0.0.5.zip
c:\documents and settings\KVL\Application Data\m\shared\Shrila Prabhupada 1965 Screensaver 1.0.zip
c:\documents and settings\KVL\Application Data\m\shared\Simnor Padlock 1.0.zip
c:\documents and settings\KVL\Application Data\m\shared\Snow Viewer 2.0.zip
c:\documents and settings\KVL\Application Data\m\shared\Software Toolbar Icons 2008.1.zip
c:\documents and settings\KVL\Application Data\m\shared\Sony Cinescore 1.0b build 177.zip
c:\documents and settings\KVL\Application Data\m\shared\SophoS.Antivirus.V3.94.NTW2KXP.Multilanguage-FeDEX.zip
c:\documents and settings\KVL\Application Data\m\shared\Spherical to cubic to spherical conversion 1.1.zip
c:\documents and settings\KVL\Application Data\m\shared\State Flags 1.01.zip
c:\documents and settings\KVL\Application Data\m\shared\Surf Buddy 1.0.zip
c:\documents and settings\KVL\Application Data\m\shared\System Spyware Interrogator 3.1.26.zip
c:\documents and settings\KVL\Application Data\m\shared\TalkMail 1.0.zip
c:\documents and settings\KVL\Application Data\m\shared\TEMPLATE 98.233.zip
c:\documents and settings\KVL\Application Data\m\shared\The Pastor's Study 6.6.zip
c:\documents and settings\KVL\Application Data\m\shared\Transparent Scroll Bars Active X Control 1.0.zip
c:\documents and settings\KVL\Application Data\m\shared\TRasMonitor 1.1.zip
c:\documents and settings\KVL\Application Data\m\shared\Trellian FTP 3.01.003.1789.zip
c:\documents and settings\KVL\Application Data\m\shared\UninstallDummy! 1.2.zip
c:\documents and settings\KVL\Application Data\m\shared\Valve World icon pack.zip
c:\documents and settings\KVL\Application Data\m\shared\Virtual Drive Creator 3.189.zip
c:\documents and settings\KVL\Application Data\m\shared\Virtual Engine Calculator 2.20.zip
c:\documents and settings\KVL\Application Data\m\shared\Voodoo Chat Skin Editor 1.0.zip
c:\documents and settings\KVL\Application Data\m\shared\WAP Proof 2008 Pro 4.3.0327.zip
c:\documents and settings\KVL\Application Data\m\shared\WebMonit 1.5.zip
c:\documents and settings\KVL\Application Data\m\shared\Winamp TV Plugin Lite 1.9 lite 13.zip
c:\documents and settings\KVL\Application Data\m\shared\Windows CleanUp! 4.52.zip
c:\documents and settings\KVL\Application Data\m\shared\WindVisible 1.0.zip
c:\documents and settings\KVL\Application Data\m\shared\Wivisoft iPod video converter 1.2.zip
c:\documents and settings\KVL\Application Data\m\shared\wx12Ton 1.1.0 RC1.zip
c:\documents and settings\KVL\Application Data\m\shared\X2 1.0.zip
c:\documents and settings\KVL\Application Data\m\shared\XC Connect 3.2.003.zip
c:\documents and settings\KVL\Application Data\m\shared\xCAT - WinAmp OSD Control 1.00.zip
c:\documents and settings\KVL\Application Data\m\shared\Your Moon Sign 1.0.zip
c:\documents and settings\KVL\Application Data\m\shared\ZenCommander 1.8.0.0.zip
c:\documents and settings\KVL\Application Data\m\srvlist.oct
c:\documents and settings\KVL\Application Data\WinRAR\Themes\Desktop_.ini
c:\program files\WinRAR\Desktop_.ini
c:\program files\WinRAR\Formats\Desktop_.ini
c:\program files\WinRAR\Themes\Desktop_.ini
c:\restore\S-1-5-21-1482476501-1644491937-682003330-1013
c:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini
c:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\lin32.exe
c:\windows\kdcoms.dll
c:\windows\system32\Cache
c:\windows\system32\mdelk.exe
c:\windows\system32\system.exe
c:\windows\system32\wintems.exe
c:\windows\userinit.exe
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SROSA
-------\Legacy_SROSA
-------\Legacy_IPRIP
-------\Service_Iprip


((((((((((((((((((((((((( Files Created from 2008-12-24 to 2009-01-24 )))))))))))))))))))))))))))))))
.

2009-01-23 12:22 . 2009-01-23 12:22 <DIR> d-------- c:\program files\Visual Assist X
2009-01-23 12:21 . 2009-01-24 21:26 <DIR> d--h----- c:\documents and settings\KVL\Application Data\drivers
2009-01-23 11:33 . 2009-01-23 11:34 <DIR> d-------- c:\documents and settings\KVL\.designer
2009-01-23 11:18 . 2009-01-23 11:18 <DIR> d-------- C:\MinGW
2009-01-23 11:08 . 2009-01-23 11:08 <DIR> d-------- C:\Qt
2009-01-21 23:27 . 2001-11-08 02:27 237,568 --a------ c:\windows\system32\glut32.dll
2009-01-15 00:32 . 2009-01-15 00:32 <DIR> d-------- c:\documents and settings\KVL\Application Data\CyberLink
2009-01-15 00:32 . 2009-01-15 00:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\CyberLink
2009-01-15 00:31 . 2001-03-08 18:30 24,064 --------- c:\windows\system32\msxml3a.dll
2009-01-15 00:30 . 2009-01-15 00:31 <DIR> d-------- c:\program files\CyberLink
2009-01-10 16:18 . 2009-01-10 16:18 <DIR> d-------- c:\program files\Common Files\Protexis
2009-01-10 16:15 . 2009-01-10 16:15 <DIR> d-------- c:\program files\Corel
2009-01-09 00:44 . 2008-07-31 10:40 509,448 --a------ c:\windows\system32\XAudio2_2.dll
2009-01-09 00:44 . 2008-07-31 10:41 238,088 --a------ c:\windows\system32\xactengine3_2.dll
2009-01-09 00:44 . 2008-07-31 10:41 68,616 --a------ c:\windows\system32\XAPOFX1_1.dll
2009-01-09 00:43 . 2007-07-20 00:57 267,112 --a------ c:\windows\system32\xactengine2_9.dll
2009-01-09 00:43 . 2007-04-04 18:55 261,480 --a------ c:\windows\system32\xactengine2_7.dll
2009-01-09 00:43 . 2006-12-08 12:02 251,672 --a------ c:\windows\system32\xactengine2_5.dll
2009-01-09 00:43 . 2006-07-28 09:30 236,824 --a------ c:\windows\system32\xactengine2_3.dll
2009-01-09 00:43 . 2007-04-04 18:53 81,768 --a------ c:\windows\system32\xinput1_3.dll
2009-01-09 00:43 . 2006-07-28 09:30 62,744 --a------ c:\windows\system32\xinput1_2.dll
2009-01-09 00:39 . 2009-01-09 00:39 <DIR> d-------- c:\windows\Logs
2009-01-09 00:34 . 2008-10-30 11:57 3,851,784 --a------ c:\windows\system32\d3dx9_39.dll
2009-01-08 13:19 . 2009-01-08 15:53 <DIR> d-------- c:\documents and settings\KVL\Application Data\Vinagame
2009-01-08 13:19 . 2009-01-08 15:53 <DIR> d-------- c:\documents and settings\KVL\Application Data\Tencent
2009-01-08 13:18 . 2009-01-08 13:18 <DIR> d-------- c:\program files\VinaGame
2009-01-08 13:18 . 2009-01-08 13:18 <DIR> d-------- c:\program files\Common Files\Tencent
2009-01-04 01:37 . 2009-01-04 01:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\2DBoy
2008-12-31 22:37 . 2008-12-31 23:31 <DIR> d-------- c:\windows\SxsCaPendDel
2008-12-31 22:10 . 2008-12-31 22:10 <DIR> d-------- c:\program files\Microsoft Device Emulator
2008-12-31 22:08 . 2008-12-31 22:09 <DIR> d-------- c:\program files\Windows Mobile 5.0 SDK R2
2008-12-31 22:07 . 2008-12-31 22:07 <DIR> d-------- c:\program files\Microsoft Synchronization Services
2008-12-31 22:07 . 2008-12-31 22:07 <DIR> d-------- c:\program files\Microsoft SQL Server Compact Edition
2008-12-31 22:00 . 2008-12-31 22:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\PreEmptive Solutions
2008-12-31 21:52 . 2008-12-31 22:49 <DIR> d-------- c:\program files\Microsoft Visual Studio 9.0
2008-12-31 21:52 . 2008-12-31 21:52 <DIR> d-------- c:\program files\Microsoft SDKs
2008-12-31 21:50 . 2008-12-31 21:51 <DIR> d-------- c:\program files\Microsoft Web Designer Tools
2008-12-31 21:50 . 2008-12-31 21:50 <DIR> dr-h----- C:\MSOCache
2008-12-31 21:48 . 2008-12-31 22:38 <DIR> d-------- c:\windows\system32\XPSViewer
2008-12-31 21:48 . 2008-12-31 21:48 <DIR> d-------- c:\program files\Reference Assemblies
2008-12-31 21:47 . 2006-06-29 13:07 14,048 --------- c:\windows\system32\spmsg2.dll
2008-12-31 21:43 . 2008-12-31 21:43 <DIR> d-------- c:\program files\MSXML 6.0
2008-12-30 17:22 . 2004-08-25 13:14 1,097,728 --a------ c:\windows\system32\NeroIPP.dll
2008-12-30 17:22 . 2004-08-26 12:09 983,040 --a------ c:\windows\system32\aacenc32.dll
2008-12-30 17:19 . 2009-01-24 21:25 <DIR> dr-hs---- C:\RESTORE
2008-12-29 17:46 . 2008-12-29 17:46 <DIR> d-------- c:\program files\Lingoes
2008-12-29 17:46 . 2008-12-29 17:46 <DIR> d-------- c:\documents and settings\KVL\Application Data\Lingoes
2008-12-26 15:17 . 2008-12-26 15:18 <DIR> d-------- C:\EngStd

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-24 14:31 --------- d-----w c:\program files\eMule
2009-01-24 05:02 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-17 03:24 --------- d-----w c:\program files\Garena
2009-01-14 17:30 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-14 16:02 --------- d-----w c:\documents and settings\KVL\Application Data\DMCache
2009-01-11 10:27 --------- d-----w c:\documents and settings\KVL\Application Data\VisualAssist
2009-01-11 04:03 88 --sh--r c:\documents and settings\All Users\Application Data\0267603CF7.sys
2009-01-11 04:03 2,828 --sha-w c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-01-10 09:20 --------- d-----w c:\documents and settings\KVL\Application Data\Corel
2009-01-10 09:05 --------- d-----w c:\documents and settings\All Users\Application Data\Corel
2009-01-05 19:27 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-31 15:59 --------- d-----w c:\program files\Common Files\Merge Modules
2008-12-24 02:30 --------- d-----w c:\documents and settings\KVL\Application Data\Winamp
2008-12-22 17:04 --------- d-----w c:\program files\MSDN
2008-12-20 11:18 233,472 ----a-w c:\windows\XPva03.dll
2008-12-20 06:10 --------- d-----w c:\program files\JetAudio
2008-12-20 06:10 --------- d-----w c:\program files\Common Files\COWON
2008-12-20 06:09 --------- d-----w c:\documents and settings\KVL\Application Data\COWON
2008-12-20 05:52 --------- d-----w c:\documents and settings\KVL\Application Data\IDM
2008-12-19 08:06 --------- d-----w c:\program files\psconvert
2008-12-18 14:41 --------- d-----w c:\program files\TechSmith
2008-12-18 14:41 --------- d-----w c:\program files\Common Files\TechSmith Shared
2008-12-18 04:18 --------- d-----w c:\program files\Internet Download Manager
2008-12-16 21:18 704,512 ----a-w c:\windows\OnGameDownLoader.exe
2008-12-16 16:35 --------- d-----w c:\program files\Common Files\Macrovision Shared
2008-12-16 09:28 --------- d-----w c:\program files\Foxit Software
2008-12-16 04:23 24,576 ----a-w c:\windows\OnGameRegister.exe
2008-12-11 20:18 --------- d-----w c:\program files\Kaspersky Lab
2008-12-11 20:17 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-12-09 19:35 --------- d-----w c:\documents and settings\KVL\Application Data\Media Player Classic
2008-12-09 18:50 --------- d-----w c:\documents and settings\KVL\Application Data\Design Science
2008-12-09 16:17 --------- d-----w c:\program files\glassfish-v2ur2
2008-12-09 16:09 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2008-12-08 18:05 --------- d-----w c:\program files\NetBeans 6.5
2008-12-08 18:04 --------- d-----w c:\program files\glassfish-v3-prelude
2008-12-08 18:04 --------- d-----w c:\program files\Apache Software Foundation
2008-12-08 17:00 --------- d-----w c:\program files\MathType
2008-12-08 16:52 --------- d-----w c:\program files\Sun
2008-12-08 16:52 --------- d-----w c:\program files\Java
2008-12-08 15:40 --------- d-----w c:\program files\Yahoo!
2008-12-08 15:36 --------- d-----w c:\program files\MSECache
2008-12-08 15:36 --------- d-----w c:\program files\Microsoft Silverlight
2008-12-08 13:26 --------- d-----w c:\program files\BitComet
2008-12-07 12:40 --------- d-----w c:\program files\K-Lite Codec Pack
2008-12-07 11:58 --------- d---a-w c:\program files\UniKey 4.0
2008-12-07 07:38 --------- d-----w c:\program files\Common Files\Corel
2008-12-07 07:34 --------- d-----w c:\program files\Microsoft SQL Server
2008-12-07 07:33 --------- d-----w c:\program files\Microsoft.NET
2008-12-07 07:30 --------- d-----w c:\program files\Microsoft SQL Server 2005 Mobile Edition
2008-12-07 07:24 --------- d-----w c:\program files\MSBuild
2008-12-07 07:24 --------- d-----w c:\program files\Microsoft Visual Studio 8
2008-12-07 07:23 --------- d-----w c:\program files\HTML Help Workshop
2008-12-07 07:17 --------- d-----w c:\program files\Common Files\Business Objects
2008-12-07 07:15 --------- d-----w c:\program files\CE Remote Tools
2008-12-07 06:18 --------- d-----w c:\program files\Microsoft ActiveSync
2008-12-07 06:18 --------- d-----w c:\program files\Common Files\L&H
2008-12-07 06:11 --------- d-----w c:\program files\Common Files\LightScribe
2008-12-07 05:59 --------- d-----w c:\program files\DAEMON Tools Lite
2008-12-07 05:57 717,296 ----a-w c:\windows\system32\drivers\sptd.sys
2008-12-07 05:57 --------- d-----w c:\documents and settings\KVL\Application Data\DAEMON Tools
2008-12-07 05:39 --------- d-----w c:\program files\Winamp
2008-12-07 05:35 --------- d-----w c:\program files\CONEXANT
2008-12-07 05:33 --------- d-----w c:\program files\NetWaiting
2008-12-07 05:33 --------- d-----w c:\program files\Intel
2008-12-07 05:30 --------- d-----w c:\program files\Atheros
2008-12-07 05:30 --------- d-----w c:\documents and settings\All Users\Application Data\Atheros
2008-12-07 05:25 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-12-07 05:25 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_HpqKbFiltr_01005.Wdf
2008-12-07 05:24 --------- d-----w c:\program files\Hewlett-Packard
2008-12-07 05:23 33,664 ----a-w c:\windows\system32\drivers\BCMWLNPF.SYS
2008-12-07 05:17 --------- d-----w c:\program files\Broadcom
2008-12-07 05:17 --------- d-----w c:\documents and settings\KVL\Application Data\InstallShield
2008-12-07 05:04 --------- d-----w c:\program files\Notepad++
2008-12-07 05:04 --------- d-----w c:\documents and settings\KVL\Application Data\Notepad++
2008-12-07 04:56 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2008-12-07 04:55 --------- d-----w c:\program files\010Editor
2008-12-07 04:52 --------- d-----w c:\program files\CCleaner
2008-12-07 04:33 --------- d-----w c:\program files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitComet"="c:\program files\BitComet\BitComet.exe" [2008-08-22 2567992]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Lingoes"="c:\program files\Lingoes\Translator2\Lingoes.exe" [2008-12-30 2473984]
"Yahoo! Pager"="y:\yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-09-13 4621816]
"eMuleAutoStart"="c:\program files\eMule\emule.exe" [2008-08-02 5480448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-24 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-24 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-24 131072]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3codec"= l3codecp.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=c:\windows\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2006-10-22 23:24 620152 c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
--a------ 2008-12-07 12:23 1499136 c:\windows\system32\WLTRAY.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-08-08 19:11 490952 c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
--a------ 2008-07-30 11:33 932272 c:\program files\Internet Download Manager\IDMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 08:07 208952 c:\windows\ime\IMJP8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--a------ 2007-11-26 14:54 1057064 c:\program files\Nero\Nero 7\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
--a------ 2006-05-18 11:29 49152 c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
--a------ 2007-10-18 15:27 455968 c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 14:57 153136 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-04 08:07 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-04 08:07 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
--a------ 2007-12-06 14:13 202032 c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2005-12-07 22:57 30208 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]
--a------ 2007-11-26 14:54 1629480 c:\program files\Nero\Nero 7\InCD\NBHGui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-12-08 23:52 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-09-13 14:17 4621816 y:\yahoo!\Messenger\YahooMessenger.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"y:\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"y:\\Yahoo!\\Messenger\\YServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"27020:TCP"= 27020:TCP:BitComet 27020 TCP
"27020:UDP"= 27020:UDP:BitComet 27020 UDP
"27684:TCP"= 27684:TCP:BitComet 27684 TCP
"27684:UDP"= 27684:UDP:BitComet 27684 UDP

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

S3 XDva215;XDva215;\??\c:\windows\system32\XDva215.sys --> c:\windows\system32\XDva215.sys [?]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 2799808]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2c3b6fdf-e9c4-11dd-8f69-001eec686387}]
\Shell\AutoRun\command - e:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\lin32.exe
\Shell\open\command - e:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\lin32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9a472613-89e1-11db-8ef7-001fe157b0d5}]
\Shell\AutoRun\command - e:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\lin32.exe
\Shell\open\command - e:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\lin32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aff38751-ccbb-11dd-8f0c-001fe157b0d5}]
\shell\explore\Command - E:\forever.exe
\shell\open\Command - E:\forever.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bd6ccc99-d65b-11dd-8f2b-001fe157b0d5}]
\Shell\AutoRun\command - e:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\lin32.exe
\Shell\open\command - e:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\lin32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cfced7ee-8cb6-11db-8f06-001fe157b0d5}]
\Shell\AutoRun\command - e:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\lin32.exe
\Shell\open\command - e:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\lin32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
MSConfigStartUp-WinampAgent - c:\program files\Winamp\winampa.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {35A9D2C9-B3FF-472D-AF68-FA63AD28A7DD} - hxxp://www.ongame.com.vn/activeX/OnGameDownLoader.cab
FF - ProfilePath - c:\documents and settings\KVL\Application Data\Mozilla\Firefox\Profiles\qqipnagg.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.atcomet.com/b/
FF - component: c:\documents and settings\KVL\Application Data\IDM\idmmzcc2\components\idmmzcc.dll
FF - component: c:\documents and settings\KVL\Application Data\Mozilla\Firefox\Profiles\qqipnagg.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-24 21:30:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(428)
c:\windows\System32\BCMLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.exe
c:\windows\system32\BCMWLTRY.exe
c:\windows\system32\netdde.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\windows\system32\tcpsvcs.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\tlntsvr.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
y:\yahoo!\MESSEN~1\Ymsgr_tray.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-01-24 21:37:43 - machine was rebooted [KVL]
ComboFix-quarantined-files.txt 2009-01-24 14:37:40

Pre-Run: 7,869,444,096 bytes free
Post-Run: 7,688,663,040 bytes free

501


