Hi Experts,
Can somebody help me? Oracle was disabled after the ComboFix run; I cannot find it in the Services list any more.
The log file is as below:
ComboFix 09-06-06.03 - j1008969 7/2009 Sun 21:18.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.936.86.1033.18.3326.2743 [GMT 8:00]
执行位置: c:\documents and settings\j1008969\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
((((((((((((((((((((((((((((((((((((((( 被删除的档案 )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Dr Watson\cpush.exe
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\All Users\Start Menu\Internet Explorer.lnk
c:\documents and settings\j1008969\Favorites\5173.com.url
c:\documents and settings\j1008969\Favorites\www.5173.com.url
c:\documents and settings\j1008969\Favorites\一起来音乐社区.url
c:\documents and settings\j1008969\Favorites\链接
c:\documents and settings\j1008969\Favorites\链接\BT @ China 联盟 - 发布总索引 - BT下载,bt联盟,bt论坛,bt影视下载,bt资源,bt软件,bt电影,电影下载,音乐下载,MP3下载,游戏下载,软件下载.url
c:\documents and settings\j1008969\Favorites\链接\gartner.com.url
c:\documents and settings\j1008969\Favorites\链接\Global IT Home Page.url
c:\documents and settings\j1008969\Favorites\链接\My Excite.url
c:\documents and settings\j1008969\Favorites\链接\My Oracle Home.url
c:\documents and settings\j1008969\Favorites\链接\OPN instance.url
c:\documents and settings\j1008969\Favorites\链接\Oracle Files Online.url
c:\documents and settings\j1008969\Favorites\链接\Oracle Global Printing.url
c:\documents and settings\j1008969\Favorites\链接\Oracle iSupport.url
c:\documents and settings\j1008969\Favorites\链接\SoGua.com 全球娱乐引擎!.url
c:\documents and settings\j1008969\Favorites\链接\个人所得税计算器.url
c:\documents and settings\j1008969\Favorites\链接\中华网信天邮 - 免费邮箱.url
c:\documents and settings\j1008969\Favorites\链接\中国南方航空股份公司 --- CSN 2003.url
c:\documents and settings\j1008969\Favorites\链接\中国工商银行新一代网上银行.url
c:\documents and settings\j1008969\Favorites\链接\免费 Hotmail.url
c:\documents and settings\j1008969\Favorites\链接\免费的HotMail.url
c:\documents and settings\j1008969\Favorites\链接\华夏旅游-TOM.url
c:\documents and settings\j1008969\Favorites\链接\情回中国.北美华人信息港 - 绿色网站,请不要涉及政治敏感话题和成人内容.url
c:\documents and settings\j1008969\Favorites\链接\招商银行 -- 欢迎来到招商银行主页!.url
c:\documents and settings\j1008969\Favorites\链接\招商银行信用卡网站.url
c:\documents and settings\j1008969\Favorites\链接\欢迎来到招商银行一网通主页!.url
c:\documents and settings\j1008969\Favorites\链接\欢迎访问上海图书馆上海科学技术情报研究所.url
c:\documents and settings\j1008969\Favorites\链接\猫扑.url
c:\documents and settings\j1008969\Favorites\链接\管理_技术_信息化_e-works中国制造业信息化门户.url
c:\documents and settings\j1008969\Favorites\链接\联华网上购物中心.url
c:\documents and settings\j1008969\Favorites\链接\自定义链接.url
c:\documents and settings\j1008969\Local Settings\Temporary Internet Files\__fdkfjfjgjitijk
c:\documents and settings\j1008969\Local Settings\Temporary Internet Files\_inifid
c:\documents and settings\j1008969\Local Settings\Temporary Internet Files\_inifiletime3
c:\documents and settings\j1008969\Local Settings\Temporary Internet Files\_inimac
c:\documents and settings\j1008969\Local Settings\Temporary Internet Files\_KC
c:\documents and settings\j1008969\Local Settings\Temporary Internet Files\_KC\2001
c:\documents and settings\j1008969\Local Settings\Temporary Internet Files\_KC\3003
c:\documents and settings\j1008969\Local Settings\Temporary Internet Files\_KC\3014
c:\documents and settings\j1008969\Local Settings\Temporary Internet Files\_KC\3017
c:\documents and settings\j1008969\Local Settings\Temporary Internet Files\_KC\3023
c:\documents and settings\j1008969\Local Settings\Temporary Internet Files\_KC\3024
c:\documents and settings\j1008969\Local Settings\Temporary Internet Files\_KC\3029
c:\documents and settings\j1008969\Local Settings\Temporary Internet Files\_KC\3030
c:\documents and settings\j1008969\Local Settings\Temporary Internet Files\_KC\3039
c:\documents and settings\j1008969\Local Settings\Temporary Internet Files\_KC\3041
c:\documents and settings\j1008969\Local Settings\Temporary Internet Files\_KC\3043
c:\documents and settings\j1008969\Local Settings\Temporary Internet Files\_KC\3065
c:\documents and settings\j1008969\Local Settings\Temporary Internet Files\_kdacoptfg
c:\program files\cnsload_1240800062289.tmp
c:\program files\Common Files\PushWare
c:\program files\Common Files\PushWare\Uninst.exe
c:\program files\Internet Explorer\IETimber
c:\program files\Internet Explorer\IETimber\IETimber.dll
c:\program files\Internet Explorer\IETimber\IP.dat
c:\program files\Internet Explorer\IETimber\uISGRLFile.dat
c:\program files\Internet Explorer\IETimber\Uninstall.exe
c:\windows\86d7b25a01.dll
c:\windows\dyloty\8858.exe
c:\windows\IE4 Error Log.txt
c:\windows\system32\7489.exe
c:\windows\system32\b06f282101.dll
c:\windows\system32\B4eocaps.SRG
c:\windows\system32\Cache
c:\windows\system32\Com\Config.cfg
c:\windows\system32\lylk.dat
c:\windows\system32\mprmsgse.axz
c:\windows\system32\rgm.dll
c:\windows\system32\Web.ini
c:\windows\system32\wins\4616
c:\windows\system32\wins\4616\svchost.exe
c:\windows\system32\wins\ulqdlurey.dll
----- BITS: Possible infected sites -----
hxxp://az1sblddevcdm01
.
((((((((((((((((((((((((((((((((((((((( 驱动/服务 )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_MTLRD
-------\Legacy_PROTECTOR
-------\Service_Apcdli
-------\Service_Protector
((((((((((((((((((((((((( 2009-05-07 至 2009-06-07 的新的档案 )))))))))))))))))))))))))))))))
.
2009-06-07 13:26 . 2009-06-07 13:26 53248 ----a-w- c:\temp\catchme.dll
2009-06-07 13:24 . 2009-06-07 13:24 16384 ----atw- c:\temp\Perflib_Perfdata_d14.dat
2009-06-07 13:23 . 2009-06-07 13:23 -------- d-----w- c:\temp\WPDNSE
2009-06-07 13:23 . 2009-06-07 13:23 16384 ----atw- c:\temp\Perflib_Perfdata_420.dat
2009-06-07 13:21 . 2009-06-07 13:21 60416 ----a-w- c:\temp\Perflib_Perfdata__755.dat
2009-06-07 13:02 . 2009-06-07 13:02 16384 ----atw- c:\temp\Perflib_Perfdata_c60.dat
2009-06-07 11:18 . 2009-06-07 11:18 40 ----a-w- c:\windows\tmp.dat
2009-06-07 11:18 . 2009-06-07 12:07 20781 ----a-w- c:\windows\system32\domspring.dat
2009-06-07 11:18 . 2009-06-07 11:18 375 ----a-w- c:\windows\system32\somarshal.dat
2009-06-07 11:18 . 2009-06-07 11:18 358912 ----a-w- c:\windows\system32\HtmlPeek.dll
2009-06-07 11:03 . 2009-06-07 12:03 0 ----a-w- c:\windows\system32\65237728.dat
2009-06-07 11:00 . 2009-06-07 11:00 170680 ----a-w- c:\windows\system32\aa3.exe
2009-06-07 11:00 . 2009-06-07 11:00 102 ----a-w- c:\windows\system32\sdsk88sdddf.dat
2009-06-07 11:00 . 2009-06-07 11:00 25088 ----a-w- c:\windows\system32\aa2.exe
2009-06-07 11:00 . 2009-06-07 11:00 144425 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Outlook Express\2301.exe
2009-06-07 11:00 . 2009-06-07 12:42 -------- d-----w- c:\windows\AMD
2009-06-07 11:00 . 2009-06-07 11:00 49664 ----a-w- c:\windows\system32\pbwkklh.exe
2009-06-07 11:00 . 2009-06-07 11:00 69632 ----a-w- c:\windows\system32\flymy.exe
2009-06-07 11:00 . 2009-06-07 11:00 25088 ----a-w- c:\windows\system32\dllcache\fly1727.dll
2009-06-07 11:00 . 2009-06-07 11:00 25088 ----a-w- c:\windows\system32\fly1727.dll
2009-06-07 11:00 . 2009-06-07 13:20 -------- d-----w- c:\temp\RarSFX0
2009-06-07 11:00 . 2009-06-07 11:00 630381 ----a-w- c:\documents and settings\j1008969\8888.exe
2009-06-07 07:11 . 2009-06-07 07:11 -------- d-----w- c:\temp\Word8.0
2009-06-07 05:21 . 2009-06-07 13:20 -------- d-sha-w- c:\windows\dyloty
2009-06-07 01:39 . 2009-06-07 13:20 -------- d-----w- c:\temp\Rar$DI00.703
2009-06-05 00:43 . 2009-06-07 13:20 -------- d-----w- c:\temp\plugtmp-7
2009-06-03 01:33 . 2009-06-03 01:33 -------- d-----w- c:\temp\plugtmp-6
2009-06-01 03:46 . 2009-06-01 03:48 -------- d-----w- c:\temp\plugtmp-5
2009-06-01 03:04 . 2009-06-07 13:20 -------- d-----w- c:\temp\MessengerPics
2009-06-01 01:55 . 2009-06-01 02:01 -------- d-----w- c:\windows\system32\aliedit
2009-05-30 23:58 . 2009-05-31 03:36 -------- d-----w- c:\temp\plugtmp-4
2009-05-30 15:40 . 2009-06-05 05:03 -------- d-----w- c:\program files\Foobar2000
2009-05-30 15:40 . 2009-06-07 13:20 -------- d-----w- c:\temp\nso9D.tmp
2009-05-30 13:09 . 2009-05-30 14:51 -------- d-----w- c:\temp\plugtmp-3
2009-05-30 02:51 . 2009-06-07 12:44 -------- d-----w- c:\program files\easyMule
2009-05-30 02:51 . 2009-06-07 13:20 -------- d-----w- c:\temp\easymule
2009-05-28 13:13 . 2009-05-28 13:13 -------- d-----w- c:\windows\EffectResources
2009-05-28 13:13 . 2006-08-18 08:58 49152 ----a-w- c:\windows\Domino.EXE
2009-05-28 13:13 . 2006-08-09 11:07 57344 ----a-w- c:\windows\Sti211.exe
2009-05-28 13:13 . 2000-10-31 04:00 307200 ----a-w- c:\windows\vidcap32.Exe
2009-05-28 13:13 . 2009-05-28 13:13 -------- d-----w- c:\windows\CatRoot
2009-05-28 13:13 . 2009-05-28 13:13 -------- d-----w- c:\program files\Vimicro
2009-05-28 04:02 . 2009-05-28 04:03 -------- d-----w- c:\program files\QuickTime
2009-05-28 04:02 . 2009-05-28 04:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-05-28 04:02 . 2009-05-28 04:02 -------- d-----w- c:\documents and settings\j1008969\Local Settings\Application Data\Apple
2009-05-28 04:02 . 2009-05-28 04:02 -------- d-----w- c:\program files\Apple Software Update
2009-05-28 04:02 . 2009-05-28 04:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-05-28 04:02 . 2009-05-28 04:02 -------- d-----w- c:\documents and settings\j1008969\Local Settings\Application Data\Apple Computer
2009-05-28 03:49 . 2009-05-28 03:49 -------- d-----w- c:\temp\OIS
2009-05-27 10:19 . 2009-05-28 07:45 -------- d-----w- c:\temp\plugtmp-1
2009-05-26 15:44 . 2009-06-07 13:20 -------- d-----w- c:\temp\plugtmp
2009-05-26 13:09 . 2009-06-02 16:34 -------- d-----w- c:\temp\PLS-Recovery
2009-05-26 10:01 . 2009-06-07 02:40 -------- d-----w- c:\temp\msohtml1
2009-05-26 10:01 . 2009-05-26 10:01 -------- d-----w- c:\temp\msohtml
2009-05-26 09:20 . 2009-05-26 09:20 -------- d-----w- c:\temp\TestEngDat64
2009-05-25 06:34 . 2009-06-07 13:03 -------- d-----w- c:\temp\__SkypeIEToolbar_Cache
2009-05-25 06:28 . 2009-06-07 12:08 -------- d-----w- c:\temp\hsperfdata_j1008969
2009-05-25 03:25 . 2009-06-07 10:05 -------- d-----w- c:\temp\EScan
2009-05-25 02:54 . 2009-05-25 02:54 -------- d-----w- c:\temp\VBE
2009-05-22 05:06 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2009-05-22 05:06 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
2009-05-22 05:06 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2009-05-22 05:06 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\dllcache\kbdhid.sys
2009-05-22 05:05 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-05-22 05:05 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\dllcache\usbccgp.sys
2009-05-20 10:12 . 2009-06-07 13:20 -------- d-----w- c:\temp\Excel8.0
2009-05-18 01:40 . 2009-06-07 13:20 -------- d-----w- c:\temp\plugtmp-2
2009-05-15 05:25 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-05-15 05:25 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys
2009-05-15 05:25 . 2001-08-17 14:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-05-15 05:25 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-05-15 04:40 . 2009-05-15 04:40 3262 ----a-r- c:\documents and settings\j1008969\Application Data\Microsoft\Installer\{EC56BAC0-6B62-4F3B-8C25-70D6D214D9D0}\ARPPRODUCTICON.exe
2009-05-15 04:40 . 2009-05-15 04:40 -------- d-----w- c:\program files\pocketSoap
2009-05-15 04:40 . 2009-05-15 04:40 -------- d-----w- c:\program files\InterCall
2009-05-15 04:40 . 2009-05-15 04:40 -------- d-----w- c:\documents and settings\j1008969\Application Data\Collaboration Addin
2009-05-11 15:47 . 2009-05-11 15:47 31048 ------w- c:\documents and settings\j1008969\Application Data\Tencent\QQ\SafeBase\selfupdate.exe
2009-05-11 15:47 . 2009-05-11 15:47 -------- d-----w- c:\documents and settings\j1008969\Local Settings\Application Data\Tencent
2009-05-11 15:26 . 2009-05-11 15:26 18718 ----a-r- c:\documents and settings\j1008969\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut2_E88611396FF84AFCB2EE5C1594058E02.exe
2009-05-11 15:26 . 2009-05-11 15:26 18718 ----a-r- c:\documents and settings\j1008969\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\ARPPRODUCTICON.exe
2009-05-11 15:26 . 2009-05-11 15:26 106496 ----a-r- c:\documents and settings\j1008969\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut31_2F252077BA3F4362913955273A708467.exe
2009-05-11 15:26 . 2009-05-11 15:26 106496 ----a-r- c:\documents and settings\j1008969\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut1_EDD4ABB1C1B34A9D84CE33FBFB5D3639.exe
2009-05-11 15:26 . 2009-05-11 15:47 -------- d-----w- c:\documents and settings\j1008969\Application Data\Tencent
.
(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-07 13:24 . 2008-06-27 19:12 -------- d-----w- c:\documents and settings\LocalService\Application Data\VMware
2009-06-07 13:23 . 2008-06-27 19:11 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2009-06-07 12:13 . 2008-06-27 18:06 -------- d-----w- c:\program files\Skype
2009-06-07 12:11 . 2009-03-11 10:04 -------- d-----w- c:\documents and settings\j1008969\Application Data\Skype
2009-06-07 11:00 . 2009-06-07 11:00 81920 ----a-w- c:\windows\Fonts\AD7D2AA5.DLL
2009-06-07 11:00 . 2009-06-07 11:00 30 ----a-w- c:\windows\Fonts\s3sds212.dat
2009-06-07 10:09 . 2009-03-24 14:23 -------- d-----w- c:\documents and settings\j1008969\Application Data\skypePM
2009-06-07 08:45 . 2009-03-24 02:00 -------- d-----w- c:\program files\Common Files\Shiqiang
2009-06-05 23:51 . 2008-06-19 14:12 111760 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-05 03:09 . 2007-01-09 10:53 -------- d-----w- c:\program files\SWIFT
2009-06-03 02:01 . 2009-03-17 04:03 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2009-06-02 16:34 . 2009-05-04 09:47 -------- d-----w- c:\program files\PLSQL Developer
2009-06-01 05:40 . 2009-06-01 05:40 226960 ----a-w- c:\documents and settings\j1008969\cnsload_1243834859418.tmp
2009-06-01 04:04 . 2009-06-01 04:04 226960 ------w- c:\documents and settings\j1008969\cnsload_1243829063285.tmp
2009-06-01 03:52 . 2006-11-13 11:43 13166 ----a-w- c:\windows\system32\nvModes.dat
2009-05-28 13:13 . 2006-11-13 11:59 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-20 02:07 . 2009-04-22 02:44 256 ----a-w- c:\windows\system32\pool.bin
2009-05-11 15:26 . 2009-03-29 07:38 106496 ----a-r- c:\documents and settings\j1008969\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut311_0951773981FA4AB2BC21B7DCEC95892A.exe
2009-05-11 15:26 . 2009-03-29 07:38 -------- d-----w- c:\program files\Tencent
2009-05-11 15:26 . 2009-03-29 07:38 -------- d-----w- c:\program files\Common Files\Tencent
2009-05-04 12:25 . 2009-05-04 09:47 -------- d-----w- c:\documents and settings\j1008969\Application Data\PLSQL Developer
2009-04-30 01:18 . 2009-04-23 08:56 -------- d-----w- c:\program files\中国移动随e行客户端软件
2009-04-27 02:41 . 2009-04-27 02:41 -------- d-----w- c:\program files\Common Files\Oracle
2009-04-25 13:05 . 2009-03-26 04:49 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-04-25 13:05 . 2008-01-02 09:11 -------- d-----w- c:\program files\Java
2009-04-25 13:04 . 2009-04-25 13:04 152576 ----a-w- c:\documents and settings\j1008969\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-22 02:45 . 2009-04-22 02:45 -------- d-----w- c:\documents and settings\j1008969\Application Data\Research In Motion
2009-04-19 04:18 . 2009-04-16 09:02 -------- d-----w- c:\program files\Common Files\ACD Systems
2009-04-19 04:04 . 2009-04-19 04:04 -------- d-----w- c:\program files\Common Files\iGame
2009-04-19 04:04 . 2009-04-16 09:51 -------- d-----w- c:\program files\sina
2009-04-16 09:04 . 2009-04-16 09:03 -------- d-----w- c:\documents and settings\j1008969\Application Data\ACD Systems
2009-04-16 08:55 . 2009-04-16 08:55 -------- d-----w- c:\windows\Fonts\stfangso
2009-04-16 08:55 . 2009-04-16 08:55 -------- d-----w- c:\windows\Fonts\huawenlushu
2009-04-15 01:26 . 2009-03-11 10:04 -------- d-----w- c:\documents and settings\j1008969\Application Data\PDF reDirect
2009-04-09 04:03 . 2009-04-09 04:03 -------- d-----w- c:\documents and settings\j1008969\Application Data\webex
2009-04-05 09:57 . 2009-04-17 08:33 102400 ------w- c:\windows\system32\Unl.exe
2009-03-26 14:36 . 2003-03-18 22:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-03-26 05:07 . 2009-03-26 05:07 348160 -c--a-w- c:\documents and settings\j1008969\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-4bc6a7be-n\msvcr71.dll
2009-03-26 05:07 . 2009-03-26 05:07 503808 -c--a-w- c:\documents and settings\j1008969\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-4bc6a7be-n\msvcp71.dll
2009-03-26 05:07 . 2009-03-26 05:07 499712 -c--a-w- c:\documents and settings\j1008969\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-4bc6a7be-n\jmc.dll
2009-03-24 14:23 . 2009-03-24 14:23 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-03-23 14:45 . 2009-03-23 14:45 0 -c--a-w- c:\windows\nsreg.dat
2009-03-17 05:49 . 2009-03-17 05:49 2272 -c--a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-03-13 12:30 . 2008-06-27 18:25 81736 ----a-w- c:\windows\system32\lmdimon8.dll
2009-03-12 08:49 . 2009-03-12 08:49 9454 -c--a-r- c:\documents and settings\j1008969\Application Data\Microsoft\Installer\{B5688129-7595-4E5B-9990-CEF981A31264}\_6FEFF9B68218417F98F549.exe
2009-03-12 08:49 . 2009-03-12 08:49 9454 -c--a-r- c:\documents and settings\j1008969\Application Data\Microsoft\Installer\{B5688129-7595-4E5B-9990-CEF981A31264}\_137869EA3A73403ED70C47.exe
2009-03-10 11:08 . 2004-08-11 17:14 88923 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-09 04:01 . 2009-04-09 04:01 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-04-09 04:01 . 2009-04-09 04:01 126360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2009-04-09 04:03 . 2009-04-09 04:03 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
2009-05-19 01:35 . 2009-04-09 04:02 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
.
------- Sigcheck -------
[-] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2007-10-30 17:20 360064 90CAFF4B094573449A0872A0F919B178 c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2004-08-04 05:00 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB917953$\tcpip.sys
[-] 2006-04-20 11:51 359808 1DBF125862891817F374F407626967F4 c:\windows\$NtUninstallKB941644$\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 11:51 361600 4AFB3B0919649F95C1964AA1FAD27D73 c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0A0DDBD3-6641-40B9-873F-BBDD26D6C14E}]
2009-05-15 05:24 147928 ----a-w- c:\program files\easyMule\modules\IE2EM.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-29 8429568]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-06-29 1032192]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-11-21 842584]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-01-25 159744]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-25 148888]
"ZSSnp211"="c:\windows\ZSSnp211.exe" [2006-08-19 49152]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"Domino"="c:\windows\Domino.exe" [2006-08-18 49152]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2003-03-30 44032]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-04-29 1626112]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2007-04-29 67584]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]
"NvMediaCenter"="NvMCTray.dll" - c:\windows\system32\nvmctray.dll [2007-04-29 81920]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2007-02-19 303104]
"NMGameX_AutoRun"="NMGameX.dll" - c:\windows\system32\NMGameX.dll [2006-07-10 122880]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-25 437160]
[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
"360tray"="c:\windows\dyloty\spoolsv.vbs" [2009-05-09 134]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
ArGoSoft Mail Server.lnk - c:\program files\ArGo Software Design\Mail Server\mailserver.exe [2007-8-3 1422848]
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-1-12 2150400]
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2007-10-10 1528880]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-8915387-776344908-1874078741-75710\Scripts\Logon\0\0]
"Script"=trackit.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-8915387-776344908-1874078741-75710\Scripts\Logon\0\1]
"Script"=\\172.16.4.151\documents\jdahosts\striphosts.bat
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Funshion Online\\Funshion\\Funshion.exe"=
"c:\\Program Files\\ArGo Software Design\\Mail Server\\mailserver.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\bea\\922\\jdk150_10\\bin\\java.exe"=
"c:\\bea\\922\\jdk150_10\\jre\\bin\\java.exe"=
"c:\\Program Files\\Tencent\\QQ\\Bin\\QQ.exe"=
"c:\\Program Files\\easyMule\\emule.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 kcvywnzhl;kcvywnzhl;c:\windows\system32\drivers\kcvywnzhl.sys [8/12/2004 1:00 AM 20800]
R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2/15/2007 8:00 PM 26624]
R1 ProtectorA;ProtectorA;c:\windows\system32\drivers\ProtectorA.sys [3/25/2009 10:44 PM 8192]
R2 CMB8100;CMB8100;c:\windows\system32\drivers\CertClient.dat [3/25/2009 2:32 PM 5120]
R2 CMBProtector;CMBProtector;c:\windows\system32\drivers\CMBProtector.dat [3/25/2009 2:32 PM 3584]
R2 CMBWPS;Cmb WebProtect Support;c:\program files\CMBCHINA\WebProtect\WPService.exe [4/1/2009 8:58 AM 232848]
R2 OracleOraDb10g_home1TNSListener;OracleOraDb10g_home1TNSListener;c:\oracle\product\10.2.0\db_1\BIN\TNSLSNR --> c:\oracle\product\10.2.0\db_1\BIN\TNSLSNR [?]
R2 vmserverdWin32;VMware Registration Service;c:\program files\VMware\VMware Server\vmserverdWin32.exe [5/9/2008 9:05 PM 1650781]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/4/2006 7:19 AM 13592]
R3 Alidevice;Alidevice;c:\windows\system32\drivers\alidevice.sys [3/25/2009 3:10 PM 6656]
R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2/7/2007 8:00 PM 2944]
S2 DC9B5D97;DC9B5D97;c:\windows\Fonts\AD7D2AA5.EXE -k --> c:\windows\Fonts\AD7D2AA5.EXE -k [?]
S3 GoogleDesktopManager-051608-133132;Google Desktop Manager 5.7.805.16405;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [6/28/2008 2:03 AM 29744]
S3 npkycryp;npkycryp;\??\c:\windows\system32\npkycryp.sys --> c:\windows\system32\npkycryp.sys [?]
S3 OracleOraDb10g_home1CMAdmin;OracleOraDb10g_home1CMAdmin;c:\oracle\product\10.2.0\db_1\BIN\CMADMIN.EXE [7/31/2007 1:05 AM 286720]
S3 OracleOraDb10g_home1CMan;OracleOraDb10g_home1CMan;c:\oracle\product\10.2.0\db_1\BIN\CMGW.EXE [7/31/2007 1:05 AM 69632]
S3 OracleServiceJDAS;OracleServiceJDAS;c:\oracle\product\10.2.0\db_1\bin\ORACLE.EXE JDAS --> c:\oracle\product\10.2.0\db_1\bin\ORACLE.EXE JDAS [?]
S3 ScenarioServerFactory_jdas@LOCALHOST;Scenario Server Factory jdas@LOCALHOST;c:\jda\JDAv74\Sequencing\FactoryService.exe [1/2/2008 5:49 PM 61440]
S3 TransportTaskMaster;Transport Task Master;c:\jda\JDAv74_Trans\TransportServer\bin\nttask_master.exe [9/21/2007 3:07 PM 208896]
S3 Uniface9 URouter;Uniface9 URouter (c:\program files\Compuware\Uniface\bin\urouter.exe);c:\program files\Compuware\Uniface\bin\urouter.exe [10/3/2007 10:03 AM 18432]
S4 OracleJobSchedulerJDAS;OracleJobSchedulerJDAS;c:\oracle\product\10.2.0\db_1\Bin\extjob.exe JDAS --> c:\oracle\product\10.2.0\db_1\Bin\extjob.exe JDAS [?]
UnknownUnknown dsload;dsload; [x]
--- Other Services/Drivers In Memory ---
*Deregistered* - dsgrab_01c9c6e1b1cdae45
.
‘计划任务’ 文件夹 里的内容
2009-05-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 04:34]
2009-06-07 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
2009-06-07 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 09:04]
2009-06-07 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 09:04]
2009-06-07 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-14 14:18]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Explorer_Run-dbsol - c:\windows\system32\rgm.exe
SafeBoot-procexp90.Sys
.
------- 而外的扫描 -------
.
uStart Page = www.sl400.net/?2008017
mStart Page = hxxp://www.991.cn/
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: Download by easyMule - c:\program files\easyMule\IE2EM.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
IE: 添加到QQ表情 - c:\program files\Tencent\QQ\Bin\AddEmotion.htm
Trusted Zone: boc.cn\ebs
Trusted Zone: corp.local
Trusted Zone: corp.local\*.jda
Trusted Zone: corp.local\dev
Trusted Zone: corp.local\jda
Trusted Zone: fidelity.com
Trusted Zone: fmr.com
Trusted Zone: jda.com
Trusted Zone: jdaconnectplus.com
Trusted Zone: jdalearn.com
Trusted Zone: manu.com
Trusted Zone: manu.com\www
Trusted Zone: md1prdhyp05
Trusted Zone: microsoft.com
Trusted Zone: unisys.com\eas01.spt
Trusted Zone: windowsupdate.com
TCP: {C383C24E-580E-4FA8-B53E-2FF25B438CE8} = 202.109.14.5 124.74.213.68
DPF: {1E0DFFCF-27FF-4574-849B-55007349FEDA} - hxxps://img.alipay.com/download/1101/aliedit.cab
DPF: {488A4255-3236-44B3-8F27-FA1AECAA8844} - hxxps://img.alipay.com/download/2121/aliedit.cab
FF - ProfilePath - c:\documents and settings\j1008969\Application Data\Mozilla\Firefox\Profiles\7r1l6ubg.default\
FF - prefs.js: browser.startup.homepage - hxxp://jnet.jda.corp.local/Pages/Default.aspx
FF - plugin: c:\program files\Mozilla Firefox\plugins\npaliedit.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
.
.
------- 文件类型 -------
.
chm.file="hh.exe" %1
txtfile=c:\windows\notepad.exe %1
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-07 21:26
Windows 5.1.2600 Service Pack 3 NTFS
扫描被隐藏的进程 。。。
扫描被隐藏的启动组 。。。
扫描被隐藏的文件 。。。
扫描完成
被隐藏的档案: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CMB8100]
"ImagePath"="\??\c:\windows\system32\Drivers\CertClient.dat"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CMBProtector]
"ImagePath"="\??\c:\windows\system32\Drivers\CMBProtector.dat"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOraDb10g_home1TNSListener]
"ImagePath"="c:\oracle\product\10.2.0\db_1\BIN\TNSLSNR "
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-8915387-776344908-1874078741-75710\Software\Microsoft\Internet Explorer\MenuExt\鹠燫0RQ*Q*h埮`]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"contexts"=dword:00000002
@="c:\\Program Files\\Tencent\\QQ\\Bin\\AddEmotion.htm"
[HKEY_USERS\S-1-5-21-8915387-776344908-1874078741-75710\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\*Nw峞g髼PN㏑Kb]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"Order"=hex:08,00,00,00,02,00,00,00,12,02,00,00,01,00,00,00,04,00,00,00,80,00,
00,00,00,00,00,00,72,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,60,00,36,\
[HKEY_USERS\S-1-5-21-8915387-776344908-1874078741-75710\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\-N齎鹹≧彇e*L垻[7b飠o忲N]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"Order"=hex:08,00,00,00,02,00,00,00,10,01,00,00,01,00,00,00,02,00,00,00,84,00,
00,00,00,00,00,00,76,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,64,00,36,\
[HKEY_USERS\S-1-5-21-8915387-776344908-1874078741-75710\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\癳jmU*C*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"Order"=hex:08,00,00,00,02,00,00,00,ea,00,00,00,01,00,00,00,02,00,00,00,68,00,
00,00,00,00,00,00,5a,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,48,00,32,\
[HKEY_USERS\S-1-5-21-8915387-776344908-1874078741-75710\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\~伅媜忲N\Q*Q*J€)Y]
"Order"=hex:08,00,00,00,02,00,00,00,0c,00,00,00,01,00,00,00,00,00,00,00
.
--------------------- 运行进程下的动态链接库 ---------------------
- - - - - - - > 'explorer.exe'(2584)
c:\windows\system32\nview.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Microsoft Virtual PC\VPCShExH.DLL
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ 其他运行进程 ------------------------
.
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\scardsvr.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\system32\DWRCS.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\Network Associates\Common Framework\naPrdMgr.exe
c:\windows\system32\conime.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\windows\system32\nvsvc32.exe
c:\oracle\product\10.2.0\db_1\BIN\TNSLSNR.EXE
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\VMware\VMware Server\vmware-authd.exe
c:\program files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
c:\windows\system32\vmnat.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\windows\system32\vmnetdhcp.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Network Associates\Common Framework\Mctray.exe
c:\windows\system32\rundll32.exe
c:\program files\Apoint\ApMsgFwd.exe
c:\program files\Apoint\hidfind.exe
c:\program files\Apoint\ApntEx.exe
c:\windows\system32\wscript.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\windows\system32\DWRCST.exe
.
**************************************************************************
.
完成时间: 2009-06-07 21:39 - 电脑已重新启动
ComboFix-quarantined-files.txt 2009-06-07 13:39
Pre-Run: 26,027,966,464 bytes free
Post-Run: 25,355,063,296 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-CHS.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /3GB
494 --- E O F --- 2009-06-04 23:42