Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infection, Please Help


  • This topic is locked This topic is locked
25 replies to this topic

#1 audition

audition

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:12:32 AM

Posted 26 May 2008 - 12:55 AM

Hello, everyone. I think my computer has been infected.
I get a message which is about "memory could not be read" when I start my computer.
I tried combofix before and it worked!
However, the message appears again after several days. And this time, I cannot turn on the automatic prevention of Norton Internet Security. There is a cross on the Norton icon beside the time. Also, it seems that I cannot browse the anti-virus websites like symantec, kasperskyand ewido.

I am from Hong Kong and using a computer in Chinese Language. The reports may contain some Chinese words. I am sorry about that.
I don't know how to solve the problem and so try get help from here.
Thank you very much and sorry for my poor English and the inconvenience caused when reading my reports.

Deckard's System Scanner v20071014.68
Run by user on 2008-05-26 13:04:09
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
16: 2008-05-26 05:04:15 UTC - RP19 - Deckard's System Scanner Restore Point
15: 2008-05-26 04:32:49 UTC - RP18 - Installed MySQL Connector Net 5.0.5
14: 2008-05-26 04:32:25 UTC - RP17 - Installed MySQL Tools for 5.0
13: 2008-05-26 04:31:49 UTC - RP16 - Installed MySQL Connector/ODBC 3.51
12: 2008-05-26 04:31:02 UTC - RP15 - Installed MySQL Server 5.0


-- First Restore Point --
1: 2008-05-25 20:19:49 UTC - RP4 - 系統檢查點


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 2.3 GiB (less than 15%) free.


-- HijackThis (run as user.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 下午 01:06:07, on 2008/5/26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\GridService\peer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Documents and Settings\user\桌面\dss.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\user.exe

O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O2 - BHO: Windows Live 登入小幫手 - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [Grid Service] "C:\Program Files\GridService\peer.exe" -n Grid
O4 - HKLM\..\Run: [ClubBox] nwiz.exe /install
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Foxy 下載 - res://C:\Program Files\Foxy\Foxy.exe/download.htm
O8 - Extra context menu item: Foxy 搜尋 - res://C:\Program Files\Foxy\Foxy.exe/search.htm
O8 - Extra context menu item: Foxy 更 - res://C:\Program Files\Foxy\Foxy.exe/download.htm
O8 - Extra context menu item: 上傳到QQ網路硬碟 - C:\Program Files\Tencent2\QQ\AddToNetDisk.htm
O8 - Extra context menu item: 使用影音傳送帶下載 - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: 使用影音傳送帶下載全部連結 - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: 使用迅雷下載 - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下載全部鏈接 - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O8 - Extra context menu item: 匯出至 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 新增到QQ自定義面板 - C:\Program Files\Tencent2\QQ\AddPanel.htm
O8 - Extra context menu item: 新增到QQ表情 - C:\Program Files\Tencent2\QQ\AddEmotion.htm
O8 - Extra context menu item: 添加到QQ自定義面板 - C:\Program Files\Tencent2\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent2\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ MMS傳送該圖片 - C:\Program Files\Tencent2\QQ\SendMMS.htm
O8 - Extra context menu item: 用QQ彩信發送該圖片 - C:\Program Files\Tencent2\QQ\SendMMS.htm
O9 - Extra button: 運行迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: 運行迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {003FACAF-40CB-4358-96D2-B0D8CEF4DBF5} (SKeyHelper Class) - https://bet.hongkongjockeyclub.com/ib/skey/...cab/eWinCtl.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1DABF8D5-8430-4985-9B7F-A30E53D709B3} (InstallHelper Class) - http://cache.tv.qq.com/qqlive_ocx/QQLiveInstaller.cab
O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.crezio.com/test/leeyunho/AlwaysOn/AlwaysOn.CAB
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {3AC7F64E-6154-47B0-82B5-764ED4077F77} (DataStorage Class) - http://txn02.hkjc.com/BetSlip/object/eWinCtl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/147f98ffeffb7b...RdxIE601_tw.cab
O16 - DPF: {5EC7C511-CD0F-42E6-830C-1BD9882F3458} - http://download.ppstream.com/bin/powerplayer.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1192295777281
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/Tran...ransferCtrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A22B8FD2-4CAA-4EFB-82F7-680CD656D9B0} (NowStarter Control) - http://www.gogobox.com.tw/neo.fld/GNowStarter.cab
O16 - DPF: {A96C48EA-AA88-4BBD-B58C-7B41146A6EAC} (PhotoUploadCtrl Control) - http://qz-photo.qq.com/qzone_v4/QzoneMediaTools.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O16 - DPF: {F6E361B4-40F3-4C90-8A95-D95E0D8CBCD4} (MultiUpload Control) - http://www.clubbox.co.kr/neo.fld/MultiUpload.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
O23 - Service: 自動 LiveUpdate 排程器 - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

--
End of file - 12664 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 npkcrypt - c:\program files\tencent\qq\npkcrypt.sys <Not Verified; INCA Internet Co., Ltd.; nProtect KeyCrypt Driver>

S3 EagleNT - c:\windows\system32\drivers\eaglent.sys (file missing)
S3 npkycryp - c:\program files\tencent\qq\npkycryp.sys (file missing)
S3 snpstd (VideoCAM Eye) - c:\windows\system32\drivers\snpstd.sys (file missing)
S3 usbbus (LGE Mobile Composite USB Device) - c:\windows\system32\drivers\lgusbbus.sys (file missing)
S3 USBModem (LGE Mobile USB Modem) - c:\windows\system32\drivers\lgusbmodem.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 MySQL - "c:\program files\mysql\mysql server 5.0\bin\mysqld-nt" --defaults-file="c:\program files\mysql\mysql server 5.0\my.ini" mysql (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-02-22 20:39:52 498 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - 掃描我的電腦 - user.job


-- Files created between 2008-04-26 and 2008-05-26 -----------------------------

2008-05-26 12:31:02 0 d-------- C:\Program Files\MySQL
2008-05-26 12:18:55 16636 --a------ C:\WINDOWS\hosts
2008-05-26 10:56:55 68096 --a------ C:\WINDOWS\zip.exe
2008-05-26 10:56:55 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-26 10:56:55 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-26 10:56:55 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-26 10:56:55 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-26 10:56:55 98816 --a------ C:\WINDOWS\sed.exe
2008-05-26 10:56:55 80412 --a------ C:\WINDOWS\grep.exe
2008-05-26 10:56:55 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-26 04:50:15 17055 --a------ C:\blok.exe
2008-05-25 17:32:24 0 dr-h----- C:\Documents and Settings\user\Recent
2008-05-18 18:55:15 0 d-------- C:\UFI_Backup
2008-05-16 19:38:33 16636 --a------ C:\WINDOWS\system32\drivers\hosts
2008-05-13 21:57:44 0 d-------- C:\Program Files\7-Zip
2008-05-13 21:06:01 0 d-------- C:\Documents and Settings\user\Application Data\WinRAR
2008-05-13 20:02:19 0 d-------- C:\Program Files\Apple Software Update
2008-05-13 20:02:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-05-05 04:32:43 0 d-------- C:\CheckOut
2008-04-29 19:24:19 685568 --a------ C:\killer_rodog.exe <KILLER~1.EXE> <Not Verified; ; Killer.exe>
2008-04-28 23:47:49 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-04-28 22:38:13 73728 --a------ C:\WINDOWS\antiRK.dll <Not Verified; 奇虎网; 360安全?士文件粉碎模块>
2008-04-28 08:14:24 0 d-------- C:\imgGrab 0504


-- Find3M Report ---------------------------------------------------------------

2008-05-26 13:05:49 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-26 12:38:11 0 d-------- C:\Documents and Settings\user\Application Data\MySQL
2008-05-26 12:32:59 240182 --a------ C:\WINDOWS\system32\prfh0404.dat
2008-05-26 12:32:59 76820 --a------ C:\WINDOWS\system32\prfc0404.dat
2008-05-26 11:03:42 0 d-------- C:\Program Files\Common Files
2008-05-26 03:53:38 0 d-------- C:\Documents and Settings\user\Application Data\uTorrent
2008-05-26 03:53:28 0 d-------- C:\Program Files\Norton Internet Security
2008-05-25 18:55:35 0 d-------- C:\Program Files\eMule
2008-05-19 16:51:16 0 d-------- C:\Program Files\360safe
2008-05-13 20:47:57 0 d-------- C:\Documents and Settings\user\Application Data\MegauploadToolbar
2008-05-13 20:05:33 0 d-------- C:\Program Files\QuickTime
2008-05-13 17:30:06 0 d-------- C:\Documents and Settings\user\Application Data\360Safe
2008-05-12 00:30:40 0 d-------- C:\Program Files\ExtraPlayer
2008-05-12 00:19:09 644 --a------ C:\WINDOWS\system32\cid_store.dat
2008-05-12 00:17:00 26 --a------ C:\WINDOWS\system32\xlhcc.dat
2008-04-28 23:48:43 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-10 01:52:48 0 d-------- C:\Documents and Settings\user\Application Data\Adobe
2008-04-08 23:10:56 0 d-------- C:\Program Files\Trend Micro
2008-04-07 22:09:18 0 d-------- C:\Program Files\Google
2008-04-04 14:38:54 0 d-------- C:\Program Files\MegauploadToolbar
2008-04-01 22:07:02 1531904 -ra------ C:\WINDOWS\system32\clubbox.exe <Not Verified; Nowcom, Co. LTD.; CLUBBOX File Transfer Manager V2>
2008-04-01 22:06:30 155648 -ra------ C:\WINDOWS\system32\downengine.dll <Not Verified; (?)???; ClubBox>
2008-03-27 20:31:48 20 --a------ C:\WINDOWS\system32\pub_store.dat
2008-03-27 20:28:23 0 d-------- C:\Program Files\Thunder Network
2008-02-26 00:24:40 159744 -ra------ C:\WINDOWS\system32\fscagent.exe <Not Verified; Nowcom Co., Ltd.; FSCAgent>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2008/02/12 上午 01:10]
"SoundMan"="SOUNDMAN.EXE" [2004/08/30 下午 01:48 C:\WINDOWS\SOUNDMAN.EXE]
"snpstd"="C:\WINDOWS\vsnpstd.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008/03/28 下午 11:37]
"PHIMETIPSYNC"="C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.exe" [2003/07/14 下午 10:57]
"nwiz"="nwiz.exe" [2006/01/17 上午 10:19 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006/01/17 上午 10:19]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2001/09/05 下午 08:00]
"Grid Service"="C:\Program Files\GridService\peer.exe" [2007/12/14 下午 04:22]
"ClubBox"="nwiz.exe" [2006/01/17 上午 10:19 C:\WINDOWS\system32\nwiz.exe]
"CJIMETIPSYNC"="C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.exe" [2003/07/14 下午 10:57]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006/05/19 下午 06:07]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008/01/11 下午 10:16]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008/04/04 下午 02:43]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2001/09/05 下午 08:00]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Shell"="C:\WINDOWS\system32\Rundll32.exe" "C:\WINDOWS\system32\shell32.dll",Control_RunDLL "C:\WINDOWS\TEMP\dat54.tmp"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56256ba0-945b-11dc-acb2-00508d7a8158}]
AutoRun\command- I:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\isi32.exe
open\command- I:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\isi32.exe

*Newly Created Service* - MYSQL

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-81CX1C635612}]
c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\isi32.exe



-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 downloads1.kaspersky-labs.com
127.0.0.1 downloads2.kaspersky-labs.com
127.0.0.1 downloads3.kaspersky-labs.com
127.0.0.1 downloads4.kaspersky-labs.com
127.0.0.1 downloads5.kaspersky-labs.com
127.0.0.1 www.kaspersky-labs.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com

525 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-05-26 13:06:54 ------------



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: Chinese

CPU 0: AMD Athlon™ XP 2500+
Percentage of Memory in Use: 59%
Physical Memory (total/avail): 511.48 MiB / 206.76 MiB
Pagefile Memory (total/avail): 1250.07 MiB / 953.58 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1929.43 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 19.09 GiB total, 2.3 GiB free.
D: is Fixed (FAT32) - 57.22 GiB total, 13.61 GiB free.
E: is CDROM (No Media)
F: is CDROM (No Media)
G: is Fixed (NTFS) - 146.48 GiB total, 47.85 GiB free.
H: is Fixed (NTFS) - 151.61 GiB total, 118.1 GiB free.

\\.\PHYSICALDRIVE0 - Maxtor 6Y080P0 - 76.33 GiB - 2 partitions
\PARTITION0 (bootable) - 可安裝的檔案系統 - 19.09 GiB - C:
\PARTITION1 - Unknown - 57.24 GiB - D:

\\.\PHYSICALDRIVE1 - WDC WD32 01ABYS-01B9A SCSI Disk Device - 298.09 GiB - 2 partitions
\PARTITION0 - 可安裝的檔案系統 - 146.48 GiB - G:
\PARTITION1 - 可安裝的檔案系統 - 151.61 GiB - H:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is disabled.

AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

FW: Norton Internet Security v2005 (Symantec Corporation)
AV: Norton Internet Security v2005 (Symantec Corporation) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Foxy\\Foxy.exe"="C:\\Program Files\\Foxy\\Foxy.exe:*:Enabled:Foxy"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:μTorrent"
"C:\\Program Files\\Thunder Network\\Thunder\\Program\\Thunder5.exe"="C:\\Program Files\\Thunder Network\\Thunder\\Program\\Thunder5.exe:*:Enabled:Thunder"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\user\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_09\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=USER-ND76JHN6V0
ComSpec=C:\WINDOWS\system32\cmd.exe
DEFAULT_CA_NR=CA8
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\user
LOGONSERVER=\\USER-ND76JHN6V0
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\EPSON\Utility Suite\Copy Utility;C:\Program Files\Java\jdk1.5.0_09\bin;C:\Program Files\QuickTime\QTSystem;C:\Program Files\Common Files\Teleca Shared;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 10 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0a00
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_09\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\user\LOCALS~1\Temp
TMP=C:\DOCUME~1\user\LOCALS~1\Temp
USERDOMAIN=USER-ND76JHN6V0
USERNAME=user
USERPROFILE=C:\Documents and Settings\user
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

user (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{23EFDB58-0874-4883-9810-EDA510B19FAE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2BB79C8D-9DCC-4861-8A23-AE1B0B45E2B6}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{775FFF70-4A8C-4500-908D-3C34DBEB11D5}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{83021AC3-086F-4B77-ACCD-1BD7C9AB211E}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B14F9B26-D695-4C4A-8B11-0FE6CDCC797B}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E213C271-AEFA-481D-A9B4-914D88925B8D}\setup.exe" -l0x9
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
▲麩敃芶Season2◎諦誧傷假蚾最唗 --> C:\PROGRA~1\9you\麩敃芶~1\UNWISE.EXE C:\PROGRA~1\9you\麩敃芶~1\INSTALL.LOG
▲敃V1.7◎絿㜢翋最宒假娊 --> \UNWISE.EXE C:\DOCUME~1\user\桌面\1CD-NO~1\1CD-NO~1\
360安全?士 --> C:\Program Files\360safe\uninst.exe
7-Zip 4.57 --> "C:\Program Files\7-Zip\Uninstall.exe"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 - Chinese Traditional --> MsiExec.exe /I{AC76BA86-7AD7-1028-7B44-A81200000003}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
CC_ccProxyExt --> MsiExec.exe /I{DA42FDCA-7C5A-43EF-9A05-CCE148ADF919}
ccCommon --> MsiExec.exe /I{DC367608-64A7-4BF7-92F4-8BAA25BA02DB}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
ccPxyCore --> MsiExec.exe /I{FC08587A-4F01-4188-819F-F55880022917}
eMule VeryCD唳 --> C:\Program Files\eMule\uninstall.exe
EPSON Copy Utility 3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{67EDD823-135A-4D59-87BD-950616D6E857}\Setup.exe" -l0x9 -UnInstall
EPSON Scan --> C:\Program Files\epson\escndv\setup\setup.exe /r
EPSON Smart Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6C11D561-620B-47DA-A693-4C597F3CDF40}\SETUP.EXE" -l0x404 Uninstall
EPSON印表機軟體 --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
Foxy v1.9.7 --> "C:\Program Files\Foxy\unins000.exe"
G-TECH WebCam --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BBF79EFA-3F63-43BC-88EE-0157CE50F1B1}\setup.exe" -l0x404 -removeonly
Gameone --> C:\Program Files\InstallShield Installation Information\{860D3152-6E51-4E4F-A589-64C373097622}\setup.exe -runfromtemp -l0x0404 -removeonly
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar3.dll"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
J2SE Development Kit 5.0 Update 9 --> MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0150090}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
K-Lite Codec Pack 3.2.0 Full --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
Kaspersky Online Scanner --> C:\WINDOWS\System32\KASPER~1\KASPER~1\kavuninstall.exe
LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VCSetup.exe /REMOVE
LiveUpdate 3.0 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Megaupload Toolbar --> C:\Program Files\MegauploadToolbar\uninstall.exe
Microsoft AppLocale --> MsiExec.exe /I{394BE3D9-7F57-4638-A8D1-1D88671913B7}
Microsoft MSDN 2005 Express 㙉 - 羉砰いゅ --> C:\Program Files\Microsoft Visual Studio 8\Microsoft MSDN 2005 Express 㙉 - 羉砰いゅ\install.exe
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110404-6000-11D3-8CFE-0150048383C9}
Microsoft Office Visio Professional 2003 --> MsiExec.exe /I{90510404-6000-11D3-8CFE-0150048383C9}
Microsoft Visual Basic 2005 Express Edition - ENU --> C:\Program Files\Microsoft Visual Studio 8\Microsoft Visual Basic 2005 Express Edition - ENU\setup.exe
Microsoft Visual Basic 2005 Express Edition - ENU --> MsiExec.exe /X{577AD794-8B34-40B4-9E7A-BE4CFFE396E6}
Microsoft Visual Basic 2005 Express 㙉 - 羉砰いゅ --> C:\Program Files\Microsoft Visual Studio 8\Microsoft Visual Basic 2005 Express 㙉 - 羉砰いゅ\setup.exe
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual Web Developer 2005 Express Edition - ENU --> C:\Program Files\Microsoft Visual Studio 8\Microsoft Visual Web Developer 2005 Express Edition - ENU\setup.exe
Microsoft Visual Web Developer 2005 Express Edition - ENU --> MsiExec.exe /X{221125DC-6A40-4900-B844-591F5E1195B0}
Microsoft Windows Application Compatibility Database --> C:\WINDOWS\system32\sdbinst.exe -u "C:\WINDOWS\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb"
MiniQQLive --> "C:\Program Files\Tencent\QQLive\MiniQQLiveUninstall.exe"
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MS HKSCS-2001 Support --> RunDll32.exe advpack.dll,LaunchINFSection hkscs2001.inf,Uninstall
MSRedist --> MsiExec.exe /I{B7C61755-DB48-4003-948F-3D34DB8EAF69}
MySQL Connector Net 5.0.5 --> MsiExec.exe /I{5FD88490-011C-4DF1-B886-F298D955171B}
MySQL Connector/ODBC 3.51 --> MsiExec.exe /I{9A854ED3-C3B1-493D-8104-C4B5AC459B7A}
MySQL Server 5.0 --> MsiExec.exe /I{2FEB25F8-C3CB-49A2-AE79-DE17FFAFB5D9}
MySQL Tools for 5.0 --> MsiExec.exe /I{EC561602-C0B9-4FAA-A175-1B3273639AC3}
Nero 6 Ultra Edition --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Net Transport 1.94.281 --> "C:\Program Files\Xi\NetTransport 2\unins000.exe"
Norton AntiSpam --> MsiExec.exe /I{3B29A786-5803-4e9e-9B58-3014A5B4E519}
Norton AntiSpam --> MsiExec.exe /I{5677563D-0CB1-485f-9E18-C5025306BB3F}
Norton AntiVirus 2005 --> MsiExec.exe /X{C6F5B6CF-609C-428E-876F-CA83176C021B}
Norton Internet Security --> MsiExec.exe /I{12E2B9E9-05B1-407d-B0FD-B5F350535125}
Norton Internet Security --> MsiExec.exe /I{449F3A9E-9903-4a0d-A209-08030D45A935}
Norton Internet Security --> MsiExec.exe /I{48185814-A224-447a-81DA-71BD20580E1B}
Norton Internet Security --> MsiExec.exe /I{526AD5DC-CFC4-4f2a-8442-C84CC91D6C7F}
Norton Internet Security --> MsiExec.exe /I{A93C9E60-29B6-49da-BA21-F70AC6AADE20}
Norton Internet Security --> MsiExec.exe /I{E3EFA461-EB83-4C3B-9C47-2C1D58A01555}
Norton Internet Security --> MsiExec.exe /I{E5EE9939-259F-4DE2-8023-5C49E16A4F43}
Norton Internet Security --> MsiExec.exe /I{FC2C0536-583C-46c0-844A-62CECAE01F22}
Norton Internet Security 2005 (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\SymSetup\{A93C9E60-29B6-49da-BA21-F70AC6AADE20}.exe /X
Norton WMI Update --> MsiExec.exe /X{E85FA9A1-C241-4698-893B-DD99509B8DB0}
Norton WMI Update --> MsiExec.exe /X{F64306A5-4C32-41bb-B153-53986527FAB4}
NVIDIA Drivers --> C:\WINDOWS\System32\nvudisp.exe UninstallGUI
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
Power MP3 WMA Converter 2006, (ver 3.51) --> "C:\Program Files\Power MP3 WMA Converter\unins000.exe"
QQ2006 Beta2 --> C:\Program Files\Tencent2\QQ\uninst.exe
QQLive 3.5 --> "C:\Program Files\Tencent\QQLive\uninstall.exe"
QQ游? --> C:\Program Files\Tencent\QQGame\Uninstall.EXE
QQ繁體新斗地主 --> C:\PROGRA~1\Tencent\QQGame\newddz\UNWISE.EXE C:\PROGRA~1\Tencent\QQGame\newddz\INSTALL.LOG
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
RaySource 2.0.10.7348 --> C:\Program Files\RaySource\uninst.exe
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
ScanToWeb --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EBAE381B-60A6-4863-AA9F-FCAB755BC9E5}\setup.exe" ADDREMOVEDLG
SPBBC --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Symantec Script Blocking Installer --> MsiExec.exe /I{D327AFC9-7BAA-473A-8319-6EB7A0D40138}
SymNet --> MsiExec.exe /I{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}
Tencent Media Player by Viewpoint --> C:\Program Files\Tencent\Viewpoint Media Player\mtsAxInstaller.exe /u
TextPad 4.7 --> MsiExec.exe /X{B510A987-487E-4C66-9F4F-D386AC275715}
Unlocker 1.8.3 --> C:\Program Files\Unlocker\uninst.exe
Windows Live installer --> MsiExec.exe /X{97898768-B0A7-4529-82D8-96925BD906EA}
Windows Live Messenger --> MsiExec.exe /X{6560D90C-5223-49A3-B78C-A48C31EAEC56}
Windows Live 登入小幫手 --> MsiExec.exe /I{CB5EA99C-8A5B-49F2-9A1A-2EF78BE4DB41}
WinRAR 壓縮工具 --> C:\Program Files\WinRAR\uninstall.exe
μTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
迅雷5 --> "C:\Program Files\Thunder Network\Thunder\unins000.exe"
超級兔子魔法設定 --> C:\PROGRA~1\SUPERR~1\magicset\UNWISE.EXE C:\PROGRA~1\SUPERR~1\magicset\INSTALL.LOG


-- Application Event Log -------------------------------------------------------

Event Record #/Type24439 / Error
Event Submitted/Written: 05/26/2008 00:32:59 PM
Event ID/Source: 3001 / LoadPerf
Event Description:
3866

Event Record #/Type24438 / Warning
Event Submitted/Written: 05/26/2008 00:32:59 PM
Event ID/Source: 2006 / LoadPerf
Event Description:
效能登錄的 LastCounter 和 LastHelp 值已經損毀,需要
更新。資料區段中第一個和第二個 DWORD
是原始值,而區段中第三個和第四個 DWORD
是更新後的新值。

Event Record #/Type24350 / Success
Event Submitted/Written: 05/26/2008 04:34:15 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type24123 / Success
Event Submitted/Written: 05/24/2008 09:40:15 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type24011 / Success
Event Submitted/Written: 05/24/2008 11:46:15 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type47599 / Error
Event Submitted/Written: 05/25/2008 02:07:34 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
LiveUpdate 服務無法啟動,因為發生下列錯誤:
%%1053

Event Record #/Type47598 / Error
Event Submitted/Written: 05/25/2008 02:07:28 AM
Event ID/Source: 7009 / Service Control Manager
Event Description:
LiveUpdate 服務連線的等候逾時 (30000 毫秒)。

Event Record #/Type47597 / Error
Event Submitted/Written: 05/25/2008 02:07:28 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM 遇到錯誤 "%%1053",是當嘗試啟動服務 LiveUpdate 而引數為 "",
為了執行伺服器:
{03E0E6C2-363B-11D3-B536-00902771A435} 之時

Event Record #/Type47546 / Error
Event Submitted/Written: 05/24/2008 09:09:36 PM
Event ID/Source: 10010 / DCOM
Event Description:
伺服器 {F3A614DC-ABE0-11D2-A441-00C04F795683} 沒有在指定的等候逾時內登錄 DCOM。

Event Record #/Type47301 / Error
Event Submitted/Written: 05/23/2008 03:08:17 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM 遇到錯誤 "%%1084",是當嘗試啟動服務 EventSystem 而引數為 "",
為了執行伺服器:
{1BE1F766-5536-11D1-B726-00C04FB926AF} 之時



-- End of Deckard's System Scanner: finished at 2008-05-26 13:06:54 ------------

BC AdBot (Login to Remove)

 


#2 don77

don77

    Forum Regular


  • Members
  • 3,212 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston Mass
  • Local time:11:32 AM

Posted 25 June 2008 - 05:18 AM

Hello


Apologize for the delay in response we get overwhelmed at times but we are trying our best to keep up.
If you have since resolved the original problem you were having would appreciate you letting us know If not please perform the following below so I can have a look at the current condition of your machine.

Thanks and again sorry for the delay.



click on Start, click on Run
copy and paste the following in bold in the open window and then click OK
"%userprofile%\desktop\dss.exe" /config
This will open up DSS configuration
click on Check All
click Scan
DSS will now run again when finished
Please post back both logs that open in notepad
Main txt and extra txt


Next
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#3 audition

audition
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:12:32 AM

Posted 25 June 2008 - 10:05 AM

Hello. Thanks for your reply.
You don't need to feel sorry for the delay. I know you all are so busy and I really appreciate your help.


Here's the main.txt


Deckard's System Scanner v20071014.68
Run by user on 2008-06-25 23:10:40
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
39: 2008-06-25 15:10:46 UTC - RP42 - Deckard's System Scanner Restore Point
38: 2008-06-25 11:10:16 UTC - RP41 - 系統檢查點
37: 2008-06-24 10:43:07 UTC - RP40 - 系統檢查點
36: 2008-06-22 16:53:35 UTC - RP39 - 系統檢查點
35: 2008-06-20 19:46:44 UTC - RP38 - Removed MySQL Server 5.0


-- First Restore Point --
1: 2008-05-25 20:19:49 UTC - RP4 - 系統檢查點


Performed disk cleanup.

System Drive C: has 1.44 GiB (less than 15%) free.


-- HijackThis (run as user.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 下午 11:10:52, on 2008/6/25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\GridService\peer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\conime.exe
C:\Documents and Settings\user\桌面\dss.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\user.exe

O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O2 - BHO: Windows Live 登入小幫手 - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [Grid Service] "C:\Program Files\GridService\peer.exe" -n Grid
O4 - HKLM\..\Run: [ClubBox] nwiz.exe /install
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvGraphicsInterface] C:\winhost.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &U妏蚚馨譙儂け狟婥甜彶紲 - C:\Program Files\NamiRobot\Data\du.html
O8 - Extra context menu item: Foxy 下載 - res://C:\Program Files\Foxy\Foxy.exe/download.htm
O8 - Extra context menu item: Foxy 搜尋 - res://C:\Program Files\Foxy\Foxy.exe/search.htm
O8 - Extra context menu item: Foxy 更 - res://C:\Program Files\Foxy\Foxy.exe/download.htm
O8 - Extra context menu item: 上傳到QQ網路硬碟 - C:\Program Files\Tencent2\QQ\AddToNetDisk.htm
O8 - Extra context menu item: 使用影音傳送帶下載 - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: 使用影音傳送帶下載全部連結 - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: 使用迅雷下載 - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下載全部鏈接 - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O8 - Extra context menu item: 匯出至 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 新增到QQ自定義面板 - C:\Program Files\Tencent2\QQ\AddPanel.htm
O8 - Extra context menu item: 新增到QQ表情 - C:\Program Files\Tencent2\QQ\AddEmotion.htm
O8 - Extra context menu item: 添加到QQ自定義面板 - C:\Program Files\Tencent2\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent2\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ MMS傳送該圖片 - C:\Program Files\Tencent2\QQ\SendMMS.htm
O8 - Extra context menu item: 用QQ彩信發送該圖片 - C:\Program Files\Tencent2\QQ\SendMMS.htm
O9 - Extra button: 運行迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: 運行迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {003FACAF-40CB-4358-96D2-B0D8CEF4DBF5} (SKeyHelper Class) - https://bet.hongkongjockeyclub.com/ib/skey/...cab/eWinCtl.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1DABF8D5-8430-4985-9B7F-A30E53D709B3} (InstallHelper Class) - http://cache.tv.qq.com/qqlive_ocx/QQLiveInstaller.cab
O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.crezio.com/test/leeyunho/AlwaysOn/AlwaysOn.CAB
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {3AC7F64E-6154-47B0-82B5-764ED4077F77} (DataStorage Class) - http://txn02.hkjc.com/BetSlip/object/eWinCtl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/147f98ffeffb7b...RdxIE601_tw.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5EC7C511-CD0F-42E6-830C-1BD9882F3458} - http://download.ppstream.com/bin/powerplayer.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1192295777281
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/Tran...ransferCtrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A22B8FD2-4CAA-4EFB-82F7-680CD656D9B0} (NowStarter Control) - http://www.gogobox.com.tw/neo.fld/GNowStarter.cab
O16 - DPF: {A96C48EA-AA88-4BBD-B58C-7B41146A6EAC} (PhotoUploadCtrl Control) - http://qz-photo.qq.com/qzone_v4/QzoneMediaTools.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O16 - DPF: {F6E361B4-40F3-4C90-8A95-D95E0D8CBCD4} (MultiUpload Control) - http://www.clubbox.co.kr/neo.fld/MultiUpload.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
O23 - Service: 自動 LiveUpdate 排程器 - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

--
End of file - 13287 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 npkcrypt - c:\program files\tencent\qq\npkcrypt.sys <Not Verified; INCA Internet Co., Ltd.; nProtect KeyCrypt Driver>

S3 EagleNT - c:\windows\system32\drivers\eaglent.sys <Not Verified; AhnLab, Inc.; AhnLab, Inc.>
S3 npkycryp - c:\program files\tencent\qq\npkycryp.sys (file missing)
S3 snpstd (VideoCAM Eye) - c:\windows\system32\drivers\snpstd.sys (file missing)
S3 usbbus (LGE Mobile Composite USB Device) - c:\windows\system32\drivers\lgusbbus.sys (file missing)
S3 USBModem (LGE Mobile USB Modem) - c:\windows\system32\drivers\lgusbmodem.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\explorer.exe (pid 3456)
2003-02-21 04:42:22 348160 -ra------ C:\WINDOWS\system32\msvcr71.dll <Not Verified; Microsoft Corporation; MicrosoftR Visual Studio .NET>
2006-12-01 22:54:32 626688 --a------ C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll <Not Verified; Microsoft Corporation; MicrosoftR Visual StudioR 2005>
2006-01-17 10:19:44 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2008-03-26 20:14:36 57344 --a------ C:\Program Files\Thunder Network\Thunder\Components\ResWorker\DsBho_00.dll <Not Verified; Thunder Networking Technologies,LTD; DsBho Dynamic Link Library>
2008-03-26 20:14:36 122880 --a------ C:\Program Files\Thunder Network\Thunder\Components\ResWorker\DataProcessor_00.dll <Not Verified; Thunder Networking Technologies,LTD; DataProcessor Dynamic Link Library>
2003-03-18 22:14:52 499712 -ra------ C:\WINDOWS\system32\msvcp71.dll <Not Verified; Microsoft Corporation; MicrosoftR Visual Studio .NET>
2003-03-18 21:05:50 89088 -ra------ C:\WINDOWS\system32\atl71.dll <Not Verified; Microsoft Corporation; MicrosoftR Visual Studio .NET>
2004-07-19 21:16:48 49152 --a------ C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll <Not Verified; Xi; Net Transport IE Helper Module>
2006-05-06 21:29:21 8704 --a------ C:\Program Files\Unlocker\UnlockerCOM.dll
2007-09-25 17:51:06 129024 --a------ C:\Program Files\WinRAR\RarExt.dll
2007-12-06 16:32:58 69632 --a------ C:\Program Files\7-Zip\7-zip.dll <Not Verified; Igor Pavlov; 7-Zip>


-- Scheduled Tasks -------------------------------------------------------------

2008-02-22 20:39:52 498 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - 掃描我的電腦 - user.job


-- Files created between 2008-05-25 and 2008-06-25 -----------------------------

2008-06-25 22:20:30 0 d-------- C:\Program Files\Trend Micro
2008-06-25 14:06:49 448384 --a------ C:\WINDOWS\system32\drivers\EagleNt.sys <Not Verified; AhnLab, Inc.; AhnLab, Inc.>
2008-06-24 13:31:51 0 dr-h----- C:\Documents and Settings\user\Recent
2008-06-24 13:28:43 17055 --a------ C:\runmgr.exe
2008-06-17 00:55:42 0 d-------- C:\FSMWebSite
2008-06-08 20:10:52 0 d-------- C:\Program Files\NamiRobot
2008-06-03 21:30:38 1540096 -ra------ C:\WINDOWS\system32\clubbox.exe <Not Verified; Nowcom, Co. LTD.; CLUBBOX File Transfer Manager V2>
2008-05-28 17:27:58 16751 --a------ C:\WINDOWS\system32\drivers\hosts
2008-05-28 17:27:58 16751 --a------ C:\WINDOWS\hosts
2008-05-27 21:07:18 0 d-------- C:\WINDOWS\BDOSCAN8
2008-05-27 20:34:57 0 d-------- C:\UFI_Backup
2008-05-26 12:31:02 0 d-------- C:\Program Files\MySQL


-- Find3M Report ---------------------------------------------------------------

2008-06-25 21:21:31 0 d-------- C:\Program Files\Common Files
2008-06-25 14:12:21 0 d-------- C:\Program Files\eMule
2008-06-25 11:16:00 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-24 00:11:11 400 --a------ C:\WINDOWS\system32\cid_store.dat
2008-06-24 00:10:27 26 --a------ C:\WINDOWS\system32\xlhcc.dat
2008-06-22 22:31:15 0 d-------- C:\Documents and Settings\user\Application Data\uTorrent
2008-06-17 08:13:56 0 d-------- C:\Documents and Settings\user\Application Data\MySQL
2008-06-12 01:03:59 0 d-------- C:\Program Files\Norton Internet Security
2008-06-10 15:39:13 0 d-------- C:\Program Files\ExtraPlayer
2008-06-09 18:41:59 0 d-------- C:\Documents and Settings\user\Application Data\360Safe
2008-06-09 18:41:41 0 d-------- C:\Program Files\360safe
2008-06-04 17:29:47 0 d-------- C:\Documents and Settings\user\Application Data\MegauploadToolbar
2008-06-02 16:33:36 0 d-------- C:\Program Files\Foxy
2008-05-26 12:32:59 240182 --a------ C:\WINDOWS\system32\prfh0404.dat
2008-05-26 12:32:59 76820 --a------ C:\WINDOWS\system32\prfc0404.dat
2008-05-13 21:57:46 0 d-------- C:\Program Files\7-Zip
2008-05-13 21:06:01 0 d-------- C:\Documents and Settings\user\Application Data\WinRAR
2008-05-13 20:05:33 0 d-------- C:\Program Files\QuickTime
2008-05-13 20:02:21 0 d-------- C:\Program Files\Apple Software Update
2008-04-29 19:27:37 73728 --a------ C:\WINDOWS\antiRK.dll <Not Verified; 奇虎网; 360安全?士文件粉碎模块>
2008-04-29 19:24:34 685568 --a------ C:\killer_rodog.exe <KILLER~1.EXE> <Not Verified; ; Killer.exe>
2008-04-28 23:48:43 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-01 22:06:30 155648 -ra------ C:\WINDOWS\system32\downengine.dll <Not Verified; (?)???; ClubBox>
2008-03-27 20:31:48 20 --a------ C:\WINDOWS\system32\pub_store.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2008/02/12 上午 01:10]
"SoundMan"="SOUNDMAN.EXE" [2004/08/30 下午 01:48 C:\WINDOWS\SOUNDMAN.EXE]
"snpstd"="C:\WINDOWS\vsnpstd.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008/03/28 下午 11:37]
"PHIMETIPSYNC"="C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.exe" [2003/07/14 下午 10:57]
"nwiz"="nwiz.exe" [2006/01/17 上午 10:19 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006/01/17 上午 10:19]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2001/09/05 下午 08:00]
"Grid Service"="C:\Program Files\GridService\peer.exe" [2007/12/14 下午 04:22]
"ClubBox"="nwiz.exe" [2006/01/17 上午 10:19 C:\WINDOWS\system32\nwiz.exe]
"CJIMETIPSYNC"="C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.exe" [2003/07/14 下午 10:57]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006/05/19 下午 06:07]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008/01/11 下午 10:16]
"NvGraphicsInterface"="C:\winhost.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008/04/04 下午 02:43]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2001/09/05 下午 08:00]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Shell"="C:\WINDOWS\system32\Rundll32.exe" "C:\WINDOWS\system32\shell32.dll",Control_RunDLL "C:\WINDOWS\TEMP\dat54.tmp"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4a70331e-6b47-11db-a8bf-00508d7a8158}]
AutoRun\command- I:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\isi32.exe
open\command- I:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\isi32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6173b824-3eef-11dd-83a8-00508d7a8158}]
AutoRun\command- I:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\isi32.exe
open\command- I:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\isi32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{774cad9c-3a82-11dd-83a3-00508d7a8158}]
AutoRun\command- I:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\isi32.exe
open\command- I:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\isi32.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-81CX1C635612}]
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\sic32.exe



-- End of Deckard's System Scanner: finished at 2008-06-25 23:12:12 ------------

Edited by audition, 25 June 2008 - 10:13 AM.


#4 audition

audition
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:12:32 AM

Posted 25 June 2008 - 10:14 AM

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: Chinese

CPU 0: AMD Athlon™ XP 2500+
Percentage of Memory in Use: 64%
Physical Memory (total/avail): 511.48 MiB / 181.98 MiB
Pagefile Memory (total/avail): 1250.07 MiB / 849.46 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1920.51 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 19.09 GiB total, 1.44 GiB free.
D: is Fixed (FAT32) - 57.22 GiB total, 10.37 GiB free.
E: is CDROM (No Media)
F: is CDROM (No Media)
G: is Fixed (NTFS) - 146.48 GiB total, 39.83 GiB free.
H: is Fixed (NTFS) - 151.61 GiB total, 111.29 GiB free.

\\.\PHYSICALDRIVE0 - Maxtor 6Y080P0 - 76.33 GiB - 2 partitions
\PARTITION0 (bootable) - 可安裝的檔案系統 - 19.09 GiB - C:
\PARTITION1 - Unknown - 57.24 GiB - D:

\\.\PHYSICALDRIVE1 - WDC WD32 01ABYS-01B9A SCSI Disk Device - 298.09 GiB - 2 partitions
\PARTITION0 - 可安裝的檔案系統 - 146.48 GiB - G:
\PARTITION1 - 可安裝的檔案系統 - 151.61 GiB - H:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is disabled.

AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

FW: Norton Internet Security v2005 (Symantec Corporation)
AV: Norton Internet Security v2005 (Symantec Corporation) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Foxy\\Foxy.exe"="C:\\Program Files\\Foxy\\Foxy.exe:*:Enabled:Foxy"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:μTorrent"
"C:\\Program Files\\Thunder Network\\Thunder\\Program\\Thunder5.exe"="C:\\Program Files\\Thunder Network\\Thunder\\Program\\Thunder5.exe:*:Enabled:Thunder"
"c:\\winhost.exe"="C:\\winhost.exe:*:Enabled:@xpsp2res.dll,-22005"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\user\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_09\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=USER-ND76JHN6V0
ComSpec=C:\WINDOWS\system32\cmd.exe
DEFAULT_CA_NR=CA8
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\user
LOGONSERVER=\\USER-ND76JHN6V0
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\EPSON\Utility Suite\Copy Utility;C:\Program Files\Java\jdk1.5.0_09\bin;C:\Program Files\QuickTime\QTSystem;C:\Program Files\Common Files\Teleca Shared;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 10 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0a00
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_09\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\user\LOCALS~1\Temp
TMP=C:\DOCUME~1\user\LOCALS~1\Temp
USERDOMAIN=USER-ND76JHN6V0
USERNAME=user
USERPROFILE=C:\Documents and Settings\user
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

user (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{23EFDB58-0874-4883-9810-EDA510B19FAE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2BB79C8D-9DCC-4861-8A23-AE1B0B45E2B6}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{775FFF70-4A8C-4500-908D-3C34DBEB11D5}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{83021AC3-086F-4B77-ACCD-1BD7C9AB211E}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B14F9B26-D695-4C4A-8B11-0FE6CDCC797B}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E213C271-AEFA-481D-A9B4-914D88925B8D}\setup.exe" -l0x9
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
▲麩敃芶Season2◎諦誧傷假蚾最唗 --> C:\PROGRA~1\9you\麩敃芶~1\UNWISE.EXE C:\PROGRA~1\9you\麩敃芶~1\INSTALL.LOG
▲敃V1.7◎絿㜢翋最宒假娊 --> \UNWISE.EXE C:\DOCUME~1\user\桌面\1CD-NO~1\1CD-NO~1\
360安全?士 --> C:\Program Files\360safe\uninst.exe
7-Zip 4.57 --> "C:\Program Files\7-Zip\Uninstall.exe"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 - Chinese Traditional --> MsiExec.exe /I{AC76BA86-7AD7-1028-7B44-A81200000003}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
CC_ccProxyExt --> MsiExec.exe /I{DA42FDCA-7C5A-43EF-9A05-CCE148ADF919}
ccCommon --> MsiExec.exe /I{DC367608-64A7-4BF7-92F4-8BAA25BA02DB}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
ccPxyCore --> MsiExec.exe /I{FC08587A-4F01-4188-819F-F55880022917}
eMule VeryCD唳 --> C:\Program Files\eMule\uninstall.exe
EPSON Copy Utility 3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{67EDD823-135A-4D59-87BD-950616D6E857}\Setup.exe" -l0x9 -UnInstall
EPSON Scan --> C:\Program Files\epson\escndv\setup\setup.exe /r
EPSON Smart Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6C11D561-620B-47DA-A693-4C597F3CDF40}\SETUP.EXE" -l0x404 Uninstall
EPSON印表機軟體 --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
Foxy v1.9.8 --> "C:\Program Files\Foxy\unins000.exe"
G-TECH WebCam --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BBF79EFA-3F63-43BC-88EE-0157CE50F1B1}\setup.exe" -l0x404 -removeonly
Gameone --> C:\Program Files\InstallShield Installation Information\{860D3152-6E51-4E4F-A589-64C373097622}\setup.exe -runfromtemp -l0x0404 -removeonly
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar3.dll"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
J2SE Development Kit 5.0 Update 9 --> MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0150090}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
K-Lite Codec Pack 3.2.0 Full --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
Kaspersky Online Scanner --> C:\WINDOWS\System32\KASPER~1\KASPER~1\kavuninstall.exe
LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VCSetup.exe /REMOVE
LiveUpdate 3.0 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Megaupload Toolbar --> C:\Program Files\MegauploadToolbar\uninstall.exe
Microsoft AppLocale --> MsiExec.exe /I{394BE3D9-7F57-4638-A8D1-1D88671913B7}
Microsoft MSDN 2005 Express 㙉 - 羉砰いゅ --> C:\Program Files\Microsoft Visual Studio 8\Microsoft MSDN 2005 Express 㙉 - 羉砰いゅ\install.exe
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110404-6000-11D3-8CFE-0150048383C9}
Microsoft Office Visio Professional 2003 --> MsiExec.exe /I{90510404-6000-11D3-8CFE-0150048383C9}
Microsoft Visual Basic 2005 Express Edition - ENU --> C:\Program Files\Microsoft Visual Studio 8\Microsoft Visual Basic 2005 Express Edition - ENU\setup.exe
Microsoft Visual Basic 2005 Express Edition - ENU --> MsiExec.exe /X{577AD794-8B34-40B4-9E7A-BE4CFFE396E6}
Microsoft Visual Basic 2005 Express 㙉 - 羉砰いゅ --> C:\Program Files\Microsoft Visual Studio 8\Microsoft Visual Basic 2005 Express 㙉 - 羉砰いゅ\setup.exe
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual Web Developer 2005 Express Edition - ENU --> C:\Program Files\Microsoft Visual Studio 8\Microsoft Visual Web Developer 2005 Express Edition - ENU\setup.exe
Microsoft Visual Web Developer 2005 Express Edition - ENU --> MsiExec.exe /X{221125DC-6A40-4900-B844-591F5E1195B0}
Microsoft Windows Application Compatibility Database --> C:\WINDOWS\system32\sdbinst.exe -u "C:\WINDOWS\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb"
MiniQQLive --> "C:\Program Files\Tencent\QQLive\MiniQQLiveUninstall.exe"
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MS HKSCS-2001 Support --> RunDll32.exe advpack.dll,LaunchINFSection hkscs2001.inf,Uninstall
MSRedist --> MsiExec.exe /I{B7C61755-DB48-4003-948F-3D34DB8EAF69}
Nero 6 Ultra Edition --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Net Transport 1.94.281 --> "C:\Program Files\Xi\NetTransport 2\unins000.exe"
Norton AntiSpam --> MsiExec.exe /I{3B29A786-5803-4e9e-9B58-3014A5B4E519}
Norton AntiSpam --> MsiExec.exe /I{5677563D-0CB1-485f-9E18-C5025306BB3F}
Norton AntiVirus 2005 --> MsiExec.exe /X{C6F5B6CF-609C-428E-876F-CA83176C021B}
Norton Internet Security --> MsiExec.exe /I{12E2B9E9-05B1-407d-B0FD-B5F350535125}
Norton Internet Security --> MsiExec.exe /I{449F3A9E-9903-4a0d-A209-08030D45A935}
Norton Internet Security --> MsiExec.exe /I{48185814-A224-447a-81DA-71BD20580E1B}
Norton Internet Security --> MsiExec.exe /I{526AD5DC-CFC4-4f2a-8442-C84CC91D6C7F}
Norton Internet Security --> MsiExec.exe /I{A93C9E60-29B6-49da-BA21-F70AC6AADE20}
Norton Internet Security --> MsiExec.exe /I{E3EFA461-EB83-4C3B-9C47-2C1D58A01555}
Norton Internet Security --> MsiExec.exe /I{E5EE9939-259F-4DE2-8023-5C49E16A4F43}
Norton Internet Security --> MsiExec.exe /I{FC2C0536-583C-46c0-844A-62CECAE01F22}
Norton Internet Security 2005 (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\SymSetup\{A93C9E60-29B6-49da-BA21-F70AC6AADE20}.exe /X
Norton WMI Update --> MsiExec.exe /X{E85FA9A1-C241-4698-893B-DD99509B8DB0}
Norton WMI Update --> MsiExec.exe /X{F64306A5-4C32-41bb-B153-53986527FAB4}
NVIDIA Drivers --> C:\WINDOWS\System32\nvudisp.exe UninstallGUI
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
Power MP3 WMA Converter 2006, (ver 3.51) --> "C:\Program Files\Power MP3 WMA Converter\unins000.exe"
QQ2006 Beta2 --> C:\Program Files\Tencent2\QQ\uninst.exe
QQLive 3.5 --> "C:\Program Files\Tencent\QQLive\uninstall.exe"
QQ游? --> C:\Program Files\Tencent\QQGame\Uninstall.EXE
QQ繁體新斗地主 --> C:\PROGRA~1\Tencent\QQGame\newddz\UNWISE.EXE C:\PROGRA~1\Tencent\QQGame\newddz\INSTALL.LOG
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
RaySource 2.0.10.7348 --> C:\Program Files\RaySource\uninst.exe
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
ScanToWeb --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EBAE381B-60A6-4863-AA9F-FCAB755BC9E5}\setup.exe" ADDREMOVEDLG
SPBBC --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Symantec Script Blocking Installer --> MsiExec.exe /I{D327AFC9-7BAA-473A-8319-6EB7A0D40138}
SymNet --> MsiExec.exe /I{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}
Tencent Media Player by Viewpoint --> C:\Program Files\Tencent\Viewpoint Media Player\mtsAxInstaller.exe /u
TextPad 4.7 --> MsiExec.exe /X{B510A987-487E-4C66-9F4F-D386AC275715}
Unlocker 1.8.3 --> C:\Program Files\Unlocker\uninst.exe
Windows Live installer --> MsiExec.exe /X{97898768-B0A7-4529-82D8-96925BD906EA}
Windows Live Messenger --> MsiExec.exe /X{6560D90C-5223-49A3-B78C-A48C31EAEC56}
Windows Live 登入小幫手 --> MsiExec.exe /I{CB5EA99C-8A5B-49F2-9A1A-2EF78BE4DB41}
WinRAR 壓縮工具 --> C:\Program Files\WinRAR\uninstall.exe
μTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
迅雷5 --> "C:\Program Files\Thunder Network\Thunder\unins000.exe"
超級兔子魔法設定 --> C:\PROGRA~1\SUPERR~1\magicset\UNWISE.EXE C:\PROGRA~1\SUPERR~1\magicset\INSTALL.LOG


-- Application Event Log -------------------------------------------------------

Event Record #/Type26438 / Success
Event Submitted/Written: 06/25/2008 02:00:07 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type26269 / Success
Event Submitted/Written: 06/21/2008 08:24:38 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type26196 / Success
Event Submitted/Written: 06/21/2008 00:29:38 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type26151 / Success
Event Submitted/Written: 06/19/2008 09:13:04 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type26109 / Error
Event Submitted/Written: 06/17/2008 01:11:07 AM
Event ID/Source: 1000 / VS Setup Watson Report
Event Description:
setup.exe0.0.0.04333dd07setup.exe0.0.0.04333dd07000044ffa



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type50089 / Error
Event Submitted/Written: 06/23/2008 01:09:07 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
Universal Plug and Play Device Host 服務依存的 SSDP Discovery Service 服務因為發生下列錯誤而無法啟動:
%%1058

Event Record #/Type50061 / Error
Event Submitted/Written: 06/22/2008 09:44:39 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
Universal Plug and Play Device Host 服務依存的 SSDP Discovery Service 服務因為發生下列錯誤而無法啟動:
%%1058

Event Record #/Type50037 / Error
Event Submitted/Written: 06/22/2008 09:45:14 AM
Event ID/Source: 7001 / Service Control Manager
Event Description:
Universal Plug and Play Device Host 服務依存的 SSDP Discovery Service 服務因為發生下列錯誤而無法啟動:
%%1058

Event Record #/Type50017 / Error
Event Submitted/Written: 06/22/2008 03:43:16 AM
Event ID/Source: 7001 / Service Control Manager
Event Description:
Universal Plug and Play Device Host 服務依存的 SSDP Discovery Service 服務因為發生下列錯誤而無法啟動:
%%1058

Event Record #/Type50016 / Error
Event Submitted/Written: 06/22/2008 03:43:16 AM
Event ID/Source: 7001 / Service Control Manager
Event Description:
Universal Plug and Play Device Host 服務依存的 SSDP Discovery Service 服務因為發生下列錯誤而無法啟動:
%%1058



-- End of Deckard's System Scanner: finished at 2008-06-25 23:12:12 ------------

#5 audition

audition
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:12:32 AM

Posted 25 June 2008 - 09:20 PM

KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, June 26, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, June 26, 2008 01:52:32
Records in database: 884692


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics
Files scanned 75569
Threat name 4
Infected objects 4
Suspicious objects 0
Duration of the scan 02:01:23

File name Threat name Threats count
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\3B9D380F.sys Infected: Trojan-Downloader.Win32.Agent.mzm 1

C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4BA03D17.exe Infected: Trojan.Win32.Pakes.cvl 1

C:\runmgr.exe Infected: Trojan.Win32.Qhost.ara 1

C:\WINDOWS\system32\drivers\etc\hosts.20080602-190953.backup Infected: Trojan.Win32.Qhost.aei 1

The selected area was scanned.



Thanks a lot.

Edited by audition, 26 June 2008 - 06:19 AM.


#6 don77

don77

    Forum Regular


  • Members
  • 3,212 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston Mass
  • Local time:11:32 AM

Posted 27 June 2008 - 06:21 PM

Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall


#7 audition

audition
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:12:32 AM

Posted 27 June 2008 - 09:26 PM

Hello.
Here's the combofix log, Thank you .

ComboFix 08-06-20.4 - user 2008-06-28 10:19:07.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.950.1.1028.18.221 [GMT 8:00]
執行位置?: C:\Documents and Settings\user\桌面\ComboFix.exe
* 已建立新的還原點

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((( 其他遭刪除的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\hosts

.
(((((((((((((((((((((((((((( 2008-05-28 - 2008-06-28 之間建立的檔案 )))))))))))))))))))))))))))))))))
.

2008-06-26 21:16 . 2004-08-04 00:47 1,689,088 --a------ C:\WINDOWS\system32\981260a.dll
2008-06-26 21:16 . 2004-08-04 00:47 1,689,088 --a------ C:\WINDOWS\system32\2ca864d7.dll
2008-06-25 22:43 . 2008-06-25 22:43 <DIR> d-------- C:\Deckard
2008-06-25 22:20 . 2008-06-25 22:20 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-25 11:15 . 2004-08-04 00:47 1,689,088 --a------ C:\WINDOWS\system32\e61e049.dll
2008-06-25 11:15 . 2004-08-04 00:47 1,689,088 --a------ C:\WINDOWS\system32\ae99e1e.dll
2008-06-25 00:58 . 2004-08-04 00:47 1,689,088 --a------ C:\WINDOWS\system32\32e4cb50.dll
2008-06-25 00:58 . 2004-08-04 00:47 1,689,088 --a------ C:\WINDOWS\system32\2a34d1e.dll
2008-06-24 13:28 . 2008-06-28 09:45 17,055 --a------ C:\runmgr.exe
2008-06-24 01:08 . 2004-08-04 00:47 1,689,088 --a------ C:\WINDOWS\system32\b69a1a8.dll
2008-06-24 01:08 . 2004-08-04 00:47 1,689,088 --a------ C:\WINDOWS\system32\1d0239c0.dll
2008-06-17 01:12 . 2008-06-17 01:12 304,529 --a------ C:\FSMWebSite.rar
2008-06-17 00:55 . 2008-06-17 08:10 <DIR> d-------- C:\FSMWebSite
2008-06-12 01:05 . 2008-06-12 01:05 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-06-08 20:10 . 2008-06-08 20:10 <DIR> d-------- C:\Program Files\NamiRobot
2008-06-03 21:30 . 2008-06-03 21:30 1,540,096 -ra------ C:\WINDOWS\system32\clubbox.exe
2008-05-28 17:27 . 2008-06-28 09:45 16,751 --a------ C:\WINDOWS\system32\drivers\hosts

.
(((((((((((((((((((((((((((((((((((( 近三個月內更動的檔案 )))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-28 02:15 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-28 02:07 --------- d-----w C:\Program Files\eMule
2008-06-24 11:32 3,413 ----a-w C:\WINDOWS\system32\fscflist.ini.tmp
2008-06-22 14:31 --------- d-----w C:\Documents and Settings\user\Application Data\uTorrent
2008-06-17 00:13 --------- d-----w C:\Documents and Settings\user\Application Data\MySQL
2008-06-11 17:03 --------- d-----w C:\Program Files\Norton Internet Security
2008-06-10 07:39 --------- d-----w C:\Program Files\ExtraPlayer
2008-06-09 10:41 --------- d-----w C:\Program Files\360safe
2008-06-09 10:41 --------- d-----w C:\Documents and Settings\user\Application Data\360Safe
2008-06-09 10:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\360safe
2008-06-04 09:29 --------- d-----w C:\Documents and Settings\user\Application Data\MegauploadToolbar
2008-06-02 08:33 --------- d-----w C:\Program Files\Foxy
2008-05-26 04:32 3,290 ----a-w C:\WINDOWS\system32\PerfStringBackup.TMP
2008-05-26 04:32 --------- d-----w C:\Program Files\MySQL
2008-05-13 13:57 --------- d-----w C:\Program Files\7-Zip
2008-05-13 12:05 --------- d-----w C:\Program Files\QuickTime
2008-05-13 12:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-13 12:02 --------- d-----w C:\Program Files\Apple Software Update
2008-05-13 12:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-04-29 11:27 73,728 ----a-w C:\WINDOWS\antiRK.dll
2008-04-29 11:24 685,568 ----a-w C:\killer_rodog.exe
2008-04-28 15:48 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-09 08:36 16,384 ----a-w C:\WINDOWS\system32\ProtoDrv.sys
2008-04-01 14:06 155,648 ----a-r C:\WINDOWS\system32\downengine.dll
2008-02-11 19:49 37,979 ----a-w C:\Program Files\INSTALL.LOG
2008-01-24 07:57 455 ----a-w C:\Program Files\layout.bin
2008-01-24 07:53 552,214 ----a-w C:\Program Files\ISSetup.dll
2008-01-24 07:53 486 ----a-w C:\Program Files\setup.ini
2008-01-24 07:53 389,143 ----a-w C:\Program Files\data1.cab
2008-01-24 07:53 220,203 ----a-w C:\Program Files\setup.inx
2008-01-24 07:53 107,226 ----a-w C:\Program Files\data1.hdr
2007-02-28 19:02 472,576 ----a-w C:\Program Files\dxsetup.exe
2006-12-10 02:52 78 ----a-w C:\Program Files\csx.vbs
2006-05-24 04:10 455,600 ----a-w C:\Program Files\setup.exe
2006-05-17 03:21 385,968 ----a-w C:\Program Files\_Setup.dll
2004-07-22 02:51 3,432,656 ----a-w C:\Program Files\ManagedDX.CAB
2004-07-19 14:58 1,156,363 ----a-w C:\Program Files\BDANT.cab
2004-07-19 14:53 976,020 ----a-w C:\Program Files\BDAXP.cab
2004-07-09 06:17 13,265,040 ----a-w C:\Program Files\dxnt.cab
2004-07-09 01:13 703,080 ----a-w C:\Program Files\BDA.cab
2004-07-09 01:13 15,493,481 ----a-w C:\Program Files\DirectX.cab
2004-07-08 20:08 2,242,560 ----a-w C:\Program Files\dsetup32.dll
2004-07-08 19:03 62,976 ----a-w C:\Program Files\DSETUP.dll
2007-04-11 10:52 32 --sha-w C:\WINDOWS\{08EE0CA4-6C3A-4319-BFBB-A1B7EBAE0F57}.dat
2007-04-11 11:09 32 --sha-w C:\WINDOWS\{4835B602-00E6-4AC7-BBD4-F772D5E0D0CD}.dat
2007-08-23 06:53 32 --sha-w C:\WINDOWS\{80AD5AE7-4E3E-435F-88F6-CB016DA2905D}.dat
2007-04-11 10:59 32 --sha-w C:\WINDOWS\{848027D2-5429-4A6F-A44D-6519BD964D3A}.dat
2007-04-11 10:51 32 --sha-w C:\WINDOWS\{9235E4CD-06A9-46EE-923A-862C241B3E4C}.dat
2007-04-11 11:00 32 --sha-w C:\WINDOWS\{D95950D8-1F12-4C31-A73F-8FBA8187218F}.dat
2007-04-11 10:52 32 --sha-w C:\WINDOWS\{E3044C53-DC28-4463-B943-1CDC6022E778}.dat
2007-04-11 10:52 32 --sha-w C:\WINDOWS\{E5F0EA77-C5A3-4098-9F39-C0B7DF5E0E42}.dat
2007-08-23 05:47 32 --sha-w C:\WINDOWS\{E9C68D6F-0D9B-4C3F-85C5-B5772161263F}.dat
2007-04-11 11:00 32 --sha-w C:\WINDOWS\system32\{06D85DE0-2CE0-4C20-9702-EE736CFE5EC7}.dat
2007-04-11 10:52 32 --sha-w C:\WINDOWS\system32\{23433DB6-3867-4F04-BA0D-E4D78A81984F}.dat
2007-04-11 10:51 32 --sha-w C:\WINDOWS\system32\{72C954AC-C98D-4BD0-A2DF-C3E825F4DE23}.dat
2007-04-11 10:52 32 --sha-w C:\WINDOWS\system32\{AF22B7C0-E2D6-41AF-9C2B-8E4BECF0ABAC}.dat
2007-04-11 10:59 32 --sha-w C:\WINDOWS\system32\{B277162F-6D20-4385-8E86-EAF46B927C7D}.dat
2007-08-23 06:53 32 --sha-w C:\WINDOWS\system32\{C389C80E-590A-4C70-822F-33DF34685723}.dat
2007-04-11 10:52 32 --sha-w C:\WINDOWS\system32\{D45BD62C-2D2D-4F53-B45A-C367A44FC865}.dat
2007-04-11 11:09 32 --sha-w C:\WINDOWS\system32\{DFFF5399-C92E-479E-B708-B056F683D54B}.dat
2007-08-23 05:47 32 --sha-w C:\WINDOWS\system32\{E6DCA3DE-BE7B-4210-B0C7-518D450CB5E9}.dat
.

------- Sigcheck -------

2001-09-05 20:00 327168 e7774698bb0d14b0710a9a31e209f9b6 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-03 23:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2004-08-04 14:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\SoftwareDistribution\Download\024288edc8c4f8c963bc1fed0d7174ee\tcpip.sys
2004-08-03 23:14 359040 6a603809f598332dbedd535bdbce313e C:\WINDOWS\system32\drivers\tcpip.sys

2001-09-05 20:00 13312 559f356b0a0b0bb0d663fd3ce8ef0c48 C:\WINDOWS\$NtServicePackUninstall$\ctfmon.exe
2004-08-04 00:47 15360 3bcef6b66827ec0b9923d20e62d067ba C:\WINDOWS\ServicePackFiles\i386\ctfmon.exe
2004-08-04 15:47 15360 3bcef6b66827ec0b9923d20e62d067ba C:\WINDOWS\SoftwareDistribution\Download\024288edc8c4f8c963bc1fed0d7174ee\ctfmon.exe
2001-09-05 20:00 13312 559f356b0a0b0bb0d663fd3ce8ef0c48 C:\WINDOWS\system32\ctfmon.exe
.
((((((((((((((((((((((((((((( snapshot@2008-05-26_10.59.24.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-05-26 04:32:53 262,144 ------w C:\WINDOWS\assembly\temp\Q59DHLOSWZ\MySql.Data.dll
+ 2008-05-27 13:10:48 45,056 ----a-w C:\WINDOWS\BDOSCAN8\avxdisk.dll
+ 2008-05-27 13:10:49 10,240 ----a-w C:\WINDOWS\BDOSCAN8\avxs.dll
+ 2008-05-27 13:10:49 27,136 ----a-w C:\WINDOWS\BDOSCAN8\avxt.dll
+ 2008-05-27 13:10:53 181,760 ----a-w C:\WINDOWS\BDOSCAN8\bdcore.dll
+ 2008-01-09 07:01:48 118,784 ----a-w C:\WINDOWS\BDOSCAN8\bdupd.dll
+ 2008-01-09 07:01:48 53,248 ----a-w C:\WINDOWS\BDOSCAN8\ipsupd.dll
+ 2008-05-27 13:10:54 142,848 ----a-w C:\WINDOWS\BDOSCAN8\libfn.dll
+ 2008-05-27 13:10:50 86,016 ----a-w C:\WINDOWS\BDOSCAN8\librtvr.dll
+ 2008-01-09 07:01:48 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
- 2008-05-26 02:42:03 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-28 01:40:33 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-10 18:52:54 528,384 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\aspxdemo\064a10c7\75379bbf\assembly\dl3\85a668e4\00ddee99_32e9c201\AspxDemo.DLL
+ 2008-06-15 14:08:50 13,312 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\charts\3558dabd\656a8cad\App_Web_hhhujo1z.dll
+ 2008-06-15 08:11:49 274,432 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\commerce.web\584f1547\e90f9acb\App_Code.qagywzuh.dll
+ 2008-06-15 08:11:50 6,144 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\commerce.web\584f1547\e90f9acb\App_global.asax.cwpjsibv.dll
+ 2008-06-15 08:11:41 4,096 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\commerce.web\584f1547\e90f9acb\App_GlobalResources.8hlp70wp.dll
+ 2008-06-15 08:11:55 6,144 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\commerce.web\584f1547\e90f9acb\App_Web_acceptedpayment.ascx.b7661b20.uwxxobfl.dll
+ 2008-06-15 08:12:09 12,288 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\commerce.web\584f1547\e90f9acb\App_Web_adcontainer.ascx.b7661b20.feyw7vn9.dll
+ 2008-06-15 08:11:56 6,144 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\commerce.web\584f1547\e90f9acb\App_Web_cataloglist.ascx.b7661b20.zc_tdgkj.dll
+ 2008-06-15 08:11:56 6,144 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\commerce.web\584f1547\e90f9acb\App_Web_mainnavigation.ascx.b7661b20.w8fncxnv.dll
+ 2008-06-15 08:15:55 10,240 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\commerce.web\584f1547\e90f9acb\App_Web_minicart.ascx.b7661b20.61qimlix.dll
+ 2008-06-15 08:12:09 5,632 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\commerce.web\584f1547\e90f9acb\App_Web_paragraph.ascx.c46acc31.hbbztwkw.dll
+ 2008-06-15 08:11:57 8,704 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\commerce.web\584f1547\e90f9acb\App_Web_productsummarydisplay.ascx.d1003923.qjekzzpy.dll
+ 2008-06-15 08:11:53 7,168 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\commerce.web\584f1547\e90f9acb\App_Web_recentcategories.ascx.b7661b20.rmhr2p7k.dll
+ 2008-06-15 08:11:54 8,192 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\commerce.web\584f1547\e90f9acb\App_Web_recentproductsviewed.ascx.b7661b20.xqb-ccbo.dll
+ 2008-06-15 08:11:52 16,896 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\commerce.web\584f1547\e90f9acb\App_Web_site.master.cdcab7d2.7ocknj0_.dll
+ 2008-06-15 08:11:46 204,800 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\commerce.web\584f1547\e90f9acb\App_WebReferences.vtyvhgz7.dll
- 2007-11-08 15:38:22 147,456 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\commerce.web\584f1547\e90f9acb\assembly\dl3\03826ee8\0058f925_0687c701\Microsoft.Practices.EnterpriseLibrary.Logging.DLL
+ 2008-06-15 08:11:37 147,456 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\commerce.web\584f1547\e90f9acb\assembly\dl3\03826ee8\0058f925_0687c701\Microsoft.Practices.EnterpriseLibrary.Logging.DLL
- 2007-11-08 15:38:21 86,016 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\commerce.web\584f1547\e90f9acb\assembly\dl3\0c1eda8f\0058f925_0687c701\MagicAjax.DLL
+ 2008-06-15 08:11:36 86,016 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\commerce.web\584f1547\e90f9acb\assembly\dl3\0c1eda8f\0058f925_0687c701\MagicAjax.DLL
- 2007-11-08 15:38:22 53,248 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\commerce.web\584f1547\e90f9acb\assembly\dl3\11775404\0058f925_0687c701\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.DLL
+ 2008-06-15 08:11:37 53,248 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\commerce.web\584f1547\e90f9acb\assembly\dl3\11775404\0058f925_0687c701\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.DLL
- 2007-11-08 15:38:19 389,120 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\commerce.web\584f1547\e90f9acb\assembly\dl3\23d82bc8\00852a27_0687c701\AtlasControlToolkit.DLL
+ 2008-06-15 08:11:35 389,120 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\commerce.web\584f1547\e90f9acb\assembly\dl3\23d82bc8\00852a27_0687c701\AtlasControlToolkit.DLL
- 2007-11-08 15:38:20 344,064 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\commerce.web\584f1547\e90f9acb\assembly\dl3\4f3b9f3b\00852a27_0687c701\eWorld.UI.DLL
+ 2008-06-15 08:11:35 344,064 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\commerce.web\584f1547\e90f9acb\assembly\dl3\4f3b9f3b\00852a27_0687c701\eWorld.UI.DLL
- 2007-11-08 15:38:23 1,945,600 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\commerce.web\584f1547\e90f9acb\assembly\dl3\5b1b9902\00b25b28_0687c701\Microsoft.Web.Atlas.DLL
+ 2008-06-15 08:11:37 1,945,600 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\commerce.web\584f1547\e90f9acb\assembly\dl3\5b1b9902\00b25b28_0687c701\Microsoft.Web.Atlas.DLL
- 2007-11-08 15:38:23 40,960 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\commerce.web\584f1547\e90f9acb\assembly\dl3\65c7d004\00852a27_0687c701\Xpdt.Web.UI.Ratings.DLL
+ 2008-06-15 08:11:38 40,960 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\commerce.web\584f1547\e90f9acb\assembly\dl3\65c7d004\00852a27_0687c701\Xpdt.Web.UI.Ratings.DLL
- 2007-11-08 15:38:22 13,312 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\commerce.web\584f1547\e90f9acb\assembly\dl3\80db9dbd\0058f925_0687c701\Microsoft.Practices.EnterpriseLibrary.Logging.Database.DLL
+ 2008-06-15 08:11:37 13,312 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\commerce.web\584f1547\e90f9acb\assembly\dl3\80db9dbd\0058f925_0687c701\Microsoft.Practices.EnterpriseLibrary.Logging.Database.DLL
- 2007-11-08 15:38:22 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\commerce.web\584f1547\e90f9acb\assembly\dl3\8cbab11e\0058f925_0687c701\Microsoft.Practices.EnterpriseLibrary.Caching.DLL
+ 2008-06-15 08:11:36 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\commerce.web\584f1547\e90f9acb\assembly\dl3\8cbab11e\0058f925_0687c701\Microsoft.Practices.EnterpriseLibrary.Caching.DLL
- 2007-11-08 15:38:21 98,304 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\commerce.web\584f1547\e90f9acb\assembly\dl3\9a87c696\0046f3ee_4c7bc701\GCheckout.DLL
+ 2008-06-15 08:11:36 98,304 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\commerce.web\584f1547\e90f9acb\assembly\dl3\9a87c696\0046f3ee_4c7bc701\GCheckout.DLL
- 2007-11-08 15:38:23 122,880 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\commerce.web\584f1547\e90f9acb\assembly\dl3\a045473a\00852a27_0687c701\SubSonic.DLL
+ 2008-06-15 08:11:38 122,880 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\commerce.web\584f1547\e90f9acb\assembly\dl3\a045473a\00852a27_0687c701\SubSonic.DLL
- 2007-11-08 15:38:19 1,196,032 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\commerce.web\584f1547\e90f9acb\assembly\dl3\a6155b8f\00df8c29_0687c701\ComponentArt.Web.UI.DLL
+ 2008-06-15 08:11:35 1,196,032 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\commerce.web\584f1547\e90f9acb\assembly\dl3\a6155b8f\00df8c29_0687c701\ComponentArt.Web.UI.DLL
- 2007-11-08 15:38:22 69,632 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\commerce.web\584f1547\e90f9acb\assembly\dl3\af673eae\0058f925_0687c701\Microsoft.Practices.EnterpriseLibrary.Data.DLL
+ 2008-06-15 08:11:37 69,632 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\commerce.web\584f1547\e90f9acb\assembly\dl3\af673eae\0058f925_0687c701\Microsoft.Practices.EnterpriseLibrary.Data.DLL
- 2007-11-08 15:38:22 94,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\commerce.web\584f1547\e90f9acb\assembly\dl3\bc306577\0058f925_0687c701\Microsoft.Practices.EnterpriseLibrary.Common.DLL
+ 2008-06-15 08:11:37 94,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\commerce.web\584f1547\e90f9acb\assembly\dl3\bc306577\0058f925_0687c701\Microsoft.Practices.EnterpriseLibrary.Common.DLL
- 2007-11-08 15:38:20 737,280 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\commerce.web\584f1547\e90f9acb\assembly\dl3\bc7ef9bb\00b25b28_0687c701\FreetextBox.DLL
+ 2008-06-15 08:11:36 737,280 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\commerce.web\584f1547\e90f9acb\assembly\dl3\bc7ef9bb\00b25b28_0687c701\FreetextBox.DLL
- 2007-11-08 15:38:22 61,440 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\commerce.web\584f1547\e90f9acb\assembly\dl3\da4e8417\0058f925_0687c701\Microsoft.Practices.ObjectBuilder.DLL
+ 2008-06-15 08:11:37 61,440 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\commerce.web\584f1547\e90f9acb\assembly\dl3\da4e8417\0058f925_0687c701\Microsoft.Practices.ObjectBuilder.DLL
- 2007-11-08 15:38:21 56,120 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\commerce.web\584f1547\e90f9acb\assembly\dl3\e5e37ece\002bc824_0687c701\Microsoft.AtlasControlExtender.DLL
+ 2008-06-15 08:11:36 56,120 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\commerce.web\584f1547\e90f9acb\assembly\dl3\e5e37ece\002bc824_0687c701\Microsoft.AtlasControlExtender.DLL
- 2007-11-08 15:38:22 24,576 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\commerce.web\584f1547\e90f9acb\assembly\dl3\f4723c29\0058f925_0687c701\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.Logging.DLL
+ 2008-06-15 08:11:37 24,576 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\commerce.web\584f1547\e90f9acb\assembly\dl3\f4723c29\0058f925_0687c701\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.Logging.DLL
+ 2008-06-17 00:10:44 122,880 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\fsmwebsite\9b4c9c4e\79b74672\App_Web_3yqzgzsr.dll
+ 2008-06-17 00:04:41 19,456 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\fsmwebsite\9b4c9c4e\79b74672\App_Web_cgceimtl.dll
+ 2008-06-17 00:03:44 32,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\fsmwebsite\9b4c9c4e\79b74672\App_Web_masterpage.master.cdcab7d2.j6dwvf4h.dll
+ 2008-06-16 03:13:23 9,728 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\fsmwebsite\f2028415\80f42dae\App_Web_errort2.aspx.cdcab7d2.f5nhn81x.dll
+ 2008-06-16 23:58:52 32,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\fsmwebsite\f2028415\80f42dae\App_Web_masterpage.master.cdcab7d2.lp1lwc0h.dll
+ 2008-06-16 04:30:32 19,456 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\fsmwebsite\f2028415\80f42dae\App_Web_qry5h82z.dll
+ 2008-06-16 23:59:58 118,784 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\fsmwebsite\f2028415\80f42dae\App_Web_szdu3rvs.dll
+ 2008-06-13 21:49:07 40,960 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\smwebsite\3a17c44c\5d6c0fcd\App_Web_-nakc0am.dll
+ 2008-06-13 21:49:19 10,752 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\smwebsite\3a17c44c\5d6c0fcd\App_Web_cart.aspx.cdcab7d2.jwrengzm.dll
+ 2008-06-13 21:49:11 53,248 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\smwebsite\3a17c44c\5d6c0fcd\App_Web_default2.aspx.cdcab7d2.yai_midy.dll
+ 2008-06-15 19:21:28 12,288 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\website3\d4ad02e2\1ca36343\App_Web_bargraph.aspx.cdcab7d2.cv7lafbt.dll
- 2000-08-31 00:00:00 28,160 ----a-w C:\WINDOWS\Nircmd.exe
+ 2000-08-31 00:00:00 28,672 ----a-w C:\WINDOWS\Nircmd.exe
+ 2004-08-03 16:47:38 1,689,088 ----a-w C:\WINDOWS\system32\14740530.dll
+ 2004-08-03 16:47:38 1,689,088 ----a-w C:\WINDOWS\system32\1537a171.dll
+ 2004-08-03 16:47:38 1,689,088 ----a-w C:\WINDOWS\system32\191b17c0.dll
+ 2004-08-03 16:47:38 1,689,088 ----a-w C:\WINDOWS\system32\2a81b7c.dll
+ 2004-08-03 16:47:38 1,689,088 ----a-w C:\WINDOWS\system32\8a5b3e0.dll
+ 2004-08-03 16:47:38 1,689,088 ----a-w C:\WINDOWS\system32\dc8c16.dll
- 2008-04-17 14:57:13 126,912 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-06-25 06:09:17 123,728 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
- 2008-05-18 11:40:10 74,649 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
+ 2008-06-25 16:43:47 74,649 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
- 2008-05-25 20:51:24 58,776 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-06-20 19:46:14 58,596 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-05-25 20:51:24 392,758 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-06-20 19:46:14 392,296 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2008-05-25 20:51:24 76,640 ----a-w C:\WINDOWS\system32\prfc0404.dat
+ 2008-05-26 04:32:59 76,820 ----a-w C:\WINDOWS\system32\prfc0404.dat
- 2008-05-25 20:51:24 239,720 ----a-w C:\WINDOWS\system32\prfh0404.dat
+ 2008-05-26 04:32:59 240,182 ----a-w C:\WINDOWS\system32\prfh0404.dat
.
-- Snapshot reset to current date --
.
(((((((((((((((((((((((((((((((((((((((((( 重要登錄檔 )))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*注意* 空白或合法的登錄值將不會顯示

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-04 14:43 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2001-09-05 20:00 13312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2008-02-12 01:10 100056]
"SoundMan"="SOUNDMAN.EXE" [2004-08-30 13:48 69632 C:\WINDOWS\SOUNDMAN.EXE]
"snpstd"="C:\WINDOWS\vsnpstd.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"PHIMETIPSYNC"="C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE" [2003-07-14 22:57 95296]
"nwiz"="nwiz.exe" [2006-01-17 10:19 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-01-17 10:19 7323648]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2001-09-05 20:00 208949]
"Grid Service"="C:\Program Files\GridService\peer.exe" [2007-12-14 16:22 840192]
"ClubBox"="nwiz.exe" [2006-01-17 10:19 1519616 C:\WINDOWS\system32\nwiz.exe]
"CJIMETIPSYNC"="C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE" [2003-07-14 22:57 63040]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-05-19 18:07 59040]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"NvGraphicsInterface"="C:\winhost.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\CTFMON.EXE" [2001-09-05 20:00 13312]
"Shell"="C:\WINDOWS\system32\shell32.dll" [2004-08-04 00:47 8244224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.yv12"= yv12vfw.dll
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Foxy\\Foxy.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Thunder Network\\Thunder\\Program\\Thunder5.exe"=

R2 自動 LiveUpdate 排程器;自動 LiveUpdate 排程器;"C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" [2006-09-20 18:44]
S3 npkycryp;npkycryp;C:\Program Files\Tencent\QQ\npkycryp.sys []
S3 s816bus;Sony Ericsson Device 816 driver (WDM);C:\WINDOWS\system32\DRIVERS\s816bus.sys [2007-06-19 09:51]
S3 s816mdfl;Sony Ericsson Device 816 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\s816mdfl.sys [2007-06-19 09:51]
S3 s816mdm;Sony Ericsson Device 816 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\s816mdm.sys [2007-06-19 09:51]
S3 s816mgmt;Sony Ericsson Device 816 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\s816mgmt.sys [2007-06-19 09:51]
S3 s816nd5;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (NDIS);C:\WINDOWS\system32\DRIVERS\s816nd5.sys [2007-06-19 09:51]
S3 s816obex;Sony Ericsson Device 816 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\s816obex.sys [2007-06-19 09:51]
S3 s816unic;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (WDM);C:\WINDOWS\system32\DRIVERS\s816unic.sys [2007-06-19 09:51]
S3 VM30xx86;Vimicro USB PC Camera (ZC030x);C:\WINDOWS\system32\Drivers\vm30xx86.sys [2007-01-29 19:20]

.
排程工作資料夾的內容
"2008-02-22 12:39:52 C:\WINDOWS\Tasks\Norton AntiVirus - 掃描我的電腦 - user.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/task:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-28 10:21:00
Windows 5.1.2600 Service Pack 2 NTFS

掃描隱藏的程序...

掃描隱藏的進程...

掃描隱藏的檔案...

掃描完成
隱藏檔案?: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\?悐 L i v e U p d a t e  zhV]
"ImagePath"="\"C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe\""
.
完成時間?: 2008-06-28 10:21:48
ComboFix-quarantined-files.txt 2008-06-28 02:21:41
ComboFix2.txt 2008-05-26 02:59:39
ComboFix3.txt 2008-05-25 20:09:06

14 個目錄 837,386,240 位元組可用
17 個目錄 875,569,152 位元組可用

307

#8 audition

audition
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:12:32 AM

Posted 27 June 2008 - 09:27 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 上午 10:27:11, on 2008/6/28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\GridService\peer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O2 - BHO: Windows Live 登入小幫手 - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [Grid Service] "C:\Program Files\GridService\peer.exe" -n Grid
O4 - HKLM\..\Run: [ClubBox] nwiz.exe /install
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvGraphicsInterface] C:\winhost.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &U妏蚚馨譙儂け狟婥甜彶紲 - C:\Program Files\NamiRobot\Data\du.html
O8 - Extra context menu item: Foxy 下載 - res://C:\Program Files\Foxy\Foxy.exe/download.htm
O8 - Extra context menu item: Foxy 搜尋 - res://C:\Program Files\Foxy\Foxy.exe/search.htm
O8 - Extra context menu item: Foxy 更 - res://C:\Program Files\Foxy\Foxy.exe/download.htm
O8 - Extra context menu item: 上傳到QQ網路硬碟 - C:\Program Files\Tencent2\QQ\AddToNetDisk.htm
O8 - Extra context menu item: 使用影音傳送帶下載 - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: 使用影音傳送帶下載全部連結 - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: 使用迅雷下載 - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下載全部鏈接 - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O8 - Extra context menu item: 匯出至 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 新增到QQ自定義面板 - C:\Program Files\Tencent2\QQ\AddPanel.htm
O8 - Extra context menu item: 新增到QQ表情 - C:\Program Files\Tencent2\QQ\AddEmotion.htm
O8 - Extra context menu item: 添加到QQ自定義面板 - C:\Program Files\Tencent2\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent2\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ MMS傳送該圖片 - C:\Program Files\Tencent2\QQ\SendMMS.htm
O8 - Extra context menu item: 用QQ彩信發送該圖片 - C:\Program Files\Tencent2\QQ\SendMMS.htm
O9 - Extra button: 運行迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: 運行迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {003FACAF-40CB-4358-96D2-B0D8CEF4DBF5} (SKeyHelper Class) - https://bet.hongkongjockeyclub.com/ib/skey/...cab/eWinCtl.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1DABF8D5-8430-4985-9B7F-A30E53D709B3} (InstallHelper Class) - http://cache.tv.qq.com/qqlive_ocx/QQLiveInstaller.cab
O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.crezio.com/test/leeyunho/AlwaysOn/AlwaysOn.CAB
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {3AC7F64E-6154-47B0-82B5-764ED4077F77} (DataStorage Class) - http://txn02.hkjc.com/BetSlip/object/eWinCtl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/147f98ffeffb7b...RdxIE601_tw.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5EC7C511-CD0F-42E6-830C-1BD9882F3458} - http://download.ppstream.com/bin/powerplayer.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1192295777281
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/Tran...ransferCtrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A22B8FD2-4CAA-4EFB-82F7-680CD656D9B0} (NowStarter Control) - http://www.gogobox.com.tw/neo.fld/GNowStarter.cab
O16 - DPF: {A96C48EA-AA88-4BBD-B58C-7B41146A6EAC} (PhotoUploadCtrl Control) - http://qz-photo.qq.com/qzone_v4/QzoneMediaTools.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F6E361B4-40F3-4C90-8A95-D95E0D8CBCD4} (MultiUpload Control) - http://www.clubbox.co.kr/neo.fld/MultiUpload.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
O23 - Service: 自動 LiveUpdate 排程器 - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

--
End of file - 13112 bytes

#9 don77

don77

    Forum Regular


  • Members
  • 3,212 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston Mass
  • Local time:11:32 AM

Posted 28 June 2008 - 06:38 AM

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\981260a.dll
C:\WINDOWS\system32\2ca864d7.dll
C:\WINDOWS\system32\e61e049.dll
C:\WINDOWS\system32\ae99e1e.dll
C:\WINDOWS\system32\32e4cb50.dll
C:\WINDOWS\system32\2a34d1e.dll
C:\runmgr.exe
C:\WINDOWS\system32\b69a1a8.dll
C:\WINDOWS\system32\1d0239c0.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvGraphicsInterface"=-


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall



Also please do the following
Please run the F-Secure Online Scanner
Note: This Scanner is for Internet Explorer Only!
Follow the Instruction here for installation.
Accept the License Agreement.
Once the ActiveX installs,Click Full System Scan
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.
Click the Show Report button and Copy&Paste the entire report in your next reply.

#10 audition

audition
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:12:32 AM

Posted 29 June 2008 - 12:09 AM

Hello again. Thanks for your reply.
Here's the combofix log.

ComboFix 08-06-20.4 - user 2008-06-29 0:41:58.9 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.950.1.1028.18.246 [GMT 8:00]
執行位置?: C:\Documents and Settings\user\桌面\ComboFix.exe
Command switches used :: C:\Documents and Settings\user\桌面\CFScript.txt
* 已建立新的還原點

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\runmgr.exe
C:\WINDOWS\system32\1d0239c0.dll
C:\WINDOWS\system32\2a34d1e.dll
C:\WINDOWS\system32\2ca864d7.dll
C:\WINDOWS\system32\32e4cb50.dll
C:\WINDOWS\system32\981260a.dll
C:\WINDOWS\system32\ae99e1e.dll
C:\WINDOWS\system32\b69a1a8.dll
C:\WINDOWS\system32\e61e049.dll
.

(((((((((((((((((((((((((((((((((((((( 其他遭刪除的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\runmgr.exe
C:\WINDOWS\system32\1d0239c0.dll
C:\WINDOWS\system32\2a34d1e.dll
C:\WINDOWS\system32\2ca864d7.dll
C:\WINDOWS\system32\32e4cb50.dll
C:\WINDOWS\system32\981260a.dll
C:\WINDOWS\system32\ae99e1e.dll
C:\WINDOWS\system32\b69a1a8.dll
C:\WINDOWS\system32\e61e049.dll

.
(((((((((((((((((((((((((((( 2008-05-28 - 2008-06-28 之間建立的檔案 )))))))))))))))))))))))))))))))))
.

2008-06-25 22:43 . 2008-06-25 22:43 <DIR> d-------- C:\Deckard
2008-06-25 22:20 . 2008-06-25 22:20 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-17 01:12 . 2008-06-17 01:12 304,529 --a------ C:\FSMWebSite.rar
2008-06-17 00:55 . 2008-06-17 08:10 <DIR> d-------- C:\FSMWebSite
2008-06-12 01:05 . 2008-06-12 01:05 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-06-08 20:10 . 2008-06-08 20:10 <DIR> d-------- C:\Program Files\NamiRobot
2008-06-03 21:30 . 2008-06-03 21:30 1,540,096 -ra------ C:\WINDOWS\system32\clubbox.exe
2008-05-28 17:27 . 2008-06-28 09:45 16,751 --a------ C:\WINDOWS\system32\drivers\hosts

.
(((((((((((((((((((((((((((((((((((( 近三個月內更動的檔案 )))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-28 16:40 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-28 02:30 --------- d-----w C:\Program Files\eMule
2008-06-24 11:32 3,413 ----a-w C:\WINDOWS\system32\fscflist.ini.tmp
2008-06-22 14:31 --------- d-----w C:\Documents and Settings\user\Application Data\uTorrent
2008-06-17 00:13 --------- d-----w C:\Documents and Settings\user\Application Data\MySQL
2008-06-11 17:03 --------- d-----w C:\Program Files\Norton Internet Security
2008-06-10 07:39 --------- d-----w C:\Program Files\ExtraPlayer
2008-06-09 10:41 --------- d-----w C:\Program Files\360safe
2008-06-09 10:41 --------- d-----w C:\Documents and Settings\user\Application Data\360Safe
2008-06-09 10:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\360safe
2008-06-04 09:29 --------- d-----w C:\Documents and Settings\user\Application Data\MegauploadToolbar
2008-06-02 08:33 --------- d-----w C:\Program Files\Foxy
2008-05-26 04:32 3,290 ----a-w C:\WINDOWS\system32\PerfStringBackup.TMP
2008-05-26 04:32 --------- d-----w C:\Program Files\MySQL
2008-05-13 13:57 --------- d-----w C:\Program Files\7-Zip
2008-05-13 12:05 --------- d-----w C:\Program Files\QuickTime
2008-05-13 12:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-13 12:02 --------- d-----w C:\Program Files\Apple Software Update
2008-05-13 12:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-04-29 11:27 73,728 ----a-w C:\WINDOWS\antiRK.dll
2008-04-29 11:24 685,568 ----a-w C:\killer_rodog.exe
2008-04-28 15:48 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-09 08:36 16,384 ----a-w C:\WINDOWS\system32\ProtoDrv.sys
2008-04-01 14:06 155,648 ----a-r C:\WINDOWS\system32\downengine.dll
2008-02-11 19:49 37,979 ----a-w C:\Program Files\INSTALL.LOG
2008-01-24 07:57 455 ----a-w C:\Program Files\layout.bin
2008-01-24 07:53 552,214 ----a-w C:\Program Files\ISSetup.dll
2008-01-24 07:53 486 ----a-w C:\Program Files\setup.ini
2008-01-24 07:53 389,143 ----a-w C:\Program Files\data1.cab
2008-01-24 07:53 220,203 ----a-w C:\Program Files\setup.inx
2008-01-24 07:53 107,226 ----a-w C:\Program Files\data1.hdr
2007-02-28 19:02 472,576 ----a-w C:\Program Files\dxsetup.exe
2006-12-10 02:52 78 ----a-w C:\Program Files\csx.vbs
2006-05-24 04:10 455,600 ----a-w C:\Program Files\setup.exe
2006-05-17 03:21 385,968 ----a-w C:\Program Files\_Setup.dll
2004-07-22 02:51 3,432,656 ----a-w C:\Program Files\ManagedDX.CAB
2004-07-19 14:58 1,156,363 ----a-w C:\Program Files\BDANT.cab
2004-07-19 14:53 976,020 ----a-w C:\Program Files\BDAXP.cab
2004-07-09 06:17 13,265,040 ----a-w C:\Program Files\dxnt.cab
2004-07-09 01:13 703,080 ----a-w C:\Program Files\BDA.cab
2004-07-09 01:13 15,493,481 ----a-w C:\Program Files\DirectX.cab
2004-07-08 20:08 2,242,560 ----a-w C:\Program Files\dsetup32.dll
2004-07-08 19:03 62,976 ----a-w C:\Program Files\DSETUP.dll
2007-04-11 10:52 32 --sha-w C:\WINDOWS\{08EE0CA4-6C3A-4319-BFBB-A1B7EBAE0F57}.dat
2007-04-11 11:09 32 --sha-w C:\WINDOWS\{4835B602-00E6-4AC7-BBD4-F772D5E0D0CD}.dat
2007-08-23 06:53 32 --sha-w C:\WINDOWS\{80AD5AE7-4E3E-435F-88F6-CB016DA2905D}.dat
2007-04-11 10:59 32 --sha-w C:\WINDOWS\{848027D2-5429-4A6F-A44D-6519BD964D3A}.dat
2007-04-11 10:51 32 --sha-w C:\WINDOWS\{9235E4CD-06A9-46EE-923A-862C241B3E4C}.dat
2007-04-11 11:00 32 --sha-w C:\WINDOWS\{D95950D8-1F12-4C31-A73F-8FBA8187218F}.dat
2007-04-11 10:52 32 --sha-w C:\WINDOWS\{E3044C53-DC28-4463-B943-1CDC6022E778}.dat
2007-04-11 10:52 32 --sha-w C:\WINDOWS\{E5F0EA77-C5A3-4098-9F39-C0B7DF5E0E42}.dat
2007-08-23 05:47 32 --sha-w C:\WINDOWS\{E9C68D6F-0D9B-4C3F-85C5-B5772161263F}.dat
2007-04-11 11:00 32 --sha-w C:\WINDOWS\system32\{06D85DE0-2CE0-4C20-9702-EE736CFE5EC7}.dat
2007-04-11 10:52 32 --sha-w C:\WINDOWS\system32\{23433DB6-3867-4F04-BA0D-E4D78A81984F}.dat
2007-04-11 10:51 32 --sha-w C:\WINDOWS\system32\{72C954AC-C98D-4BD0-A2DF-C3E825F4DE23}.dat
2007-04-11 10:52 32 --sha-w C:\WINDOWS\system32\{AF22B7C0-E2D6-41AF-9C2B-8E4BECF0ABAC}.dat
2007-04-11 10:59 32 --sha-w C:\WINDOWS\system32\{B277162F-6D20-4385-8E86-EAF46B927C7D}.dat
2007-08-23 06:53 32 --sha-w C:\WINDOWS\system32\{C389C80E-590A-4C70-822F-33DF34685723}.dat
2007-04-11 10:52 32 --sha-w C:\WINDOWS\system32\{D45BD62C-2D2D-4F53-B45A-C367A44FC865}.dat
2007-04-11 11:09 32 --sha-w C:\WINDOWS\system32\{DFFF5399-C92E-479E-B708-B056F683D54B}.dat
2007-08-23 05:47 32 --sha-w C:\WINDOWS\system32\{E6DCA3DE-BE7B-4210-B0C7-518D450CB5E9}.dat
.

------- Sigcheck -------

2001-09-05 20:00 327168 e7774698bb0d14b0710a9a31e209f9b6 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-03 23:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2004-08-04 14:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\SoftwareDistribution\Download\024288edc8c4f8c963bc1fed0d7174ee\tcpip.sys
2004-08-03 23:14 359040 6a603809f598332dbedd535bdbce313e C:\WINDOWS\system32\drivers\tcpip.sys

2001-09-05 20:00 13312 559f356b0a0b0bb0d663fd3ce8ef0c48 C:\WINDOWS\$NtServicePackUninstall$\ctfmon.exe
2004-08-04 00:47 15360 3bcef6b66827ec0b9923d20e62d067ba C:\WINDOWS\ServicePackFiles\i386\ctfmon.exe
2004-08-04 15:47 15360 3bcef6b66827ec0b9923d20e62d067ba C:\WINDOWS\SoftwareDistribution\Download\024288edc8c4f8c963bc1fed0d7174ee\ctfmon.exe
2001-09-05 20:00 13312 559f356b0a0b0bb0d663fd3ce8ef0c48 C:\WINDOWS\system32\ctfmon.exe
.
((((((((((((((((((((((((((((( snapshot_2008-06-28_10.21.32.26 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-28 01:40:33 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-28 16:32:04 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
(((((((((((((((((((((((((((((((((((((((((( 重要登錄檔 )))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*注意* 空白或合法的登錄值將不會顯示

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-04 14:43 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2001-09-05 20:00 13312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2008-02-12 01:10 100056]
"SoundMan"="SOUNDMAN.EXE" [2004-08-30 13:48 69632 C:\WINDOWS\SOUNDMAN.EXE]
"snpstd"="C:\WINDOWS\vsnpstd.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"PHIMETIPSYNC"="C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE" [2003-07-14 22:57 95296]
"nwiz"="nwiz.exe" [2006-01-17 10:19 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-01-17 10:19 7323648]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2001-09-05 20:00 208949]
"Grid Service"="C:\Program Files\GridService\peer.exe" [2007-12-14 16:22 840192]
"ClubBox"="nwiz.exe" [2006-01-17 10:19 1519616 C:\WINDOWS\system32\nwiz.exe]
"CJIMETIPSYNC"="C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE" [2003-07-14 22:57 63040]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-05-19 18:07 59040]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\CTFMON.EXE" [2001-09-05 20:00 13312]
"Shell"="C:\WINDOWS\system32\shell32.dll" [2004-08-04 00:47 8244224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.yv12"= yv12vfw.dll
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Foxy\\Foxy.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Thunder Network\\Thunder\\Program\\Thunder5.exe"=

R2 自動 LiveUpdate 排程器;自動 LiveUpdate 排程器;"C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" [2006-09-20 18:44]
S3 npkycryp;npkycryp;C:\Program Files\Tencent\QQ\npkycryp.sys []
S3 s816bus;Sony Ericsson Device 816 driver (WDM);C:\WINDOWS\system32\DRIVERS\s816bus.sys [2007-06-19 09:51]
S3 s816mdfl;Sony Ericsson Device 816 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\s816mdfl.sys [2007-06-19 09:51]
S3 s816mdm;Sony Ericsson Device 816 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\s816mdm.sys [2007-06-19 09:51]
S3 s816mgmt;Sony Ericsson Device 816 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\s816mgmt.sys [2007-06-19 09:51]
S3 s816nd5;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (NDIS);C:\WINDOWS\system32\DRIVERS\s816nd5.sys [2007-06-19 09:51]
S3 s816obex;Sony Ericsson Device 816 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\s816obex.sys [2007-06-19 09:51]
S3 s816unic;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (WDM);C:\WINDOWS\system32\DRIVERS\s816unic.sys [2007-06-19 09:51]
S3 VM30xx86;Vimicro USB PC Camera (ZC030x);C:\WINDOWS\system32\Drivers\vm30xx86.sys [2007-01-29 19:20]

.
排程工作資料夾的內容
"2008-02-22 12:39:52 C:\WINDOWS\Tasks\Norton AntiVirus - 掃描我的電腦 - user.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/task:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-29 00:44:00
Windows 5.1.2600 Service Pack 2 NTFS

掃描隱藏的程序...

掃描隱藏的進程...

掃描隱藏的檔案...

掃描完成
隱藏檔案?: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\?悐 L i v e U p d a t e  zhV]
"ImagePath"="\"C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe\""
.
完成時間?: 2008-06-29 0:44:43
ComboFix-quarantined-files.txt 2008-06-28 16:44:39
ComboFix2.txt 2008-06-28 02:21:49
ComboFix3.txt 2008-05-26 02:59:39
ComboFix4.txt 2008-05-25 20:09:06

14 個目錄 856,862,720 位元組可用
16 個目錄 836,575,232 位元組可用

223

#11 audition

audition
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:12:32 AM

Posted 29 June 2008 - 12:12 AM

Scanning Report
Sunday, June 29, 2008 01:01:59 - 03:21:20
Computer name: USER-ND76JHN6V0
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\ G:\ H:\


--------------------------------------------------------------------------------

Result: 6 malware found
Tracking Cookie (spyware)
System
Trojan-Downloader.Win32.Agent.mzm (virus)
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NORTON ANTIVIRUS\QUARANTINE\3B9D380F.SYS (Renamed & Submitted)
Trojan.Win32.Pakes.cvl (virus)
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NORTON ANTIVIRUS\QUARANTINE\4BA03D17.EXE (Renamed & Submitted)
Vundo.gen38 (virus)
C:\WINDOWS\FIHIJL.INI (Submitted)
C:\WINDOWS\GIKKLM.INI (Submitted)
C:\WINDOWS\PRRTTV.INI (Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 53780
System: 4364
Not scanned: 7
Actions:
Disinfected: 0
Renamed: 2
Deleted: 0
None: 4
Submitted: 5
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCRST.DLL

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 2.30.0
F-Secure Hydra: 2.8.8110, 2008-06-28
F-Secure AVP: 7.0.171, 2008-06-27
F-Secure Pegasus: 1.20.0, 2008-04-15
F-Secure Blacklight: 1.0.68
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics

--------------------------------------------------------------------------------

Copyright © 1998-2007 Product support |Send virus sample to F-Secure
F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name.This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without liability.


Thanks again. :thumbsup:

#12 don77

don77

    Forum Regular


  • Members
  • 3,212 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston Mass
  • Local time:11:32 AM

Posted 29 June 2008 - 08:03 AM

click on Start, click on Run
copy and paste the following in bold in the open window and then click OK
"%userprofile%\desktop\dss.exe" /config
This will open up DSS configuration
click on Check All
click Scan
DSS will now run again when finished
Please post back both logs that open in notepad
Main txt and extra txt

#13 audition

audition
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:12:32 AM

Posted 29 June 2008 - 01:06 PM

Hello. The problem comes again and I find that the file C:\runmgr.exe is still there. What can I do?

Deckard's System Scanner v20071014.68
Run by user on 2008-06-30 01:59:58
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
36: 2008-06-29 18:00:05 UTC - RP46 - Deckard's System Scanner Restore Point
35: 2008-06-28 16:41:46 UTC - RP45 - ComboFix created restore point
34: 2008-06-28 02:18:46 UTC - RP44 - ComboFix created restore point
33: 2008-06-27 14:47:33 UTC - RP43 - 系統檢查點
32: 2008-06-25 15:10:46 UTC - RP42 - Deckard's System Scanner Restore Point


-- First Restore Point --
1: 2008-05-26 04:19:59 UTC - RP11 - Installed MySQL Server 5.0


Performed disk cleanup.

System Drive C: has 1.17 GiB (less than 15%) free.


-- HijackThis (run as user.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 上午 02:00:22, on 2008/6/30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\GridService\peer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\user\桌面\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\user.exe

O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O2 - BHO: Windows Live 登入小幫手 - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [Grid Service] "C:\Program Files\GridService\peer.exe" -n Grid
O4 - HKLM\..\Run: [ClubBox] nwiz.exe /install
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &U妏蚚馨譙儂け狟婥甜彶紲 - C:\Program Files\NamiRobot\Data\du.html
O8 - Extra context menu item: Foxy 下載 - res://C:\Program Files\Foxy\Foxy.exe/download.htm
O8 - Extra context menu item: Foxy 搜尋 - res://C:\Program Files\Foxy\Foxy.exe/search.htm
O8 - Extra context menu item: Foxy 更 - res://C:\Program Files\Foxy\Foxy.exe/download.htm
O8 - Extra context menu item: 上傳到QQ網路硬碟 - C:\Program Files\Tencent2\QQ\AddToNetDisk.htm
O8 - Extra context menu item: 使用影音傳送帶下載 - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: 使用影音傳送帶下載全部連結 - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: 使用迅雷下載 - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下載全部鏈接 - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O8 - Extra context menu item: 匯出至 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 新增到QQ自定義面板 - C:\Program Files\Tencent2\QQ\AddPanel.htm
O8 - Extra context menu item: 新增到QQ表情 - C:\Program Files\Tencent2\QQ\AddEmotion.htm
O8 - Extra context menu item: 添加到QQ自定義面板 - C:\Program Files\Tencent2\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent2\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ MMS傳送該圖片 - C:\Program Files\Tencent2\QQ\SendMMS.htm
O8 - Extra context menu item: 用QQ彩信發送該圖片 - C:\Program Files\Tencent2\QQ\SendMMS.htm
O9 - Extra button: 運行迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: 運行迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {003FACAF-40CB-4358-96D2-B0D8CEF4DBF5} (SKeyHelper Class) - https://bet.hongkongjockeyclub.com/ib/skey/...cab/eWinCtl.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1DABF8D5-8430-4985-9B7F-A30E53D709B3} (InstallHelper Class) - http://cache.tv.qq.com/qqlive_ocx/QQLiveInstaller.cab
O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.crezio.com/test/leeyunho/AlwaysOn/AlwaysOn.CAB
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {3AC7F64E-6154-47B0-82B5-764ED4077F77} (DataStorage Class) - http://txn02.hkjc.com/BetSlip/object/eWinCtl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/147f98ffeffb7b...RdxIE601_tw.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5EC7C511-CD0F-42E6-830C-1BD9882F3458} - http://download.ppstream.com/bin/powerplayer.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1192295777281
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/Tran...ransferCtrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A22B8FD2-4CAA-4EFB-82F7-680CD656D9B0} (NowStarter Control) - http://www.gogobox.com.tw/neo.fld/GNowStarter.cab
O16 - DPF: {A96C48EA-AA88-4BBD-B58C-7B41146A6EAC} (PhotoUploadCtrl Control) - http://qz-photo.qq.com/qzone_v4/QzoneMediaTools.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F6E361B4-40F3-4C90-8A95-D95E0D8CBCD4} (MultiUpload Control) - http://www.clubbox.co.kr/neo.fld/MultiUpload.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
O23 - Service: 自動 LiveUpdate 排程器 - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

--
End of file - 13265 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 npkcrypt - c:\program files\tencent\qq\npkcrypt.sys <Not Verified; INCA Internet Co., Ltd.; nProtect KeyCrypt Driver>

S3 EagleNT - c:\windows\system32\drivers\eaglent.sys (file missing)
S3 npkycryp - c:\program files\tencent\qq\npkycryp.sys (file missing)
S3 snpstd (VideoCAM Eye) - c:\windows\system32\drivers\snpstd.sys (file missing)
S3 usbbus (LGE Mobile Composite USB Device) - c:\windows\system32\drivers\lgusbbus.sys (file missing)
S3 USBModem (LGE Mobile USB Modem) - c:\windows\system32\drivers\lgusbmodem.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\explorer.exe (pid 3552)
2003-02-21 04:42:22 348160 -ra------ C:\WINDOWS\system32\msvcr71.dll <Not Verified; Microsoft Corporation; MicrosoftR Visual Studio .NET>
2008-03-26 20:14:36 57344 --a------ C:\Program Files\Thunder Network\Thunder\Components\ResWorker\DsBho_00.dll <Not Verified; Thunder Networking Technologies,LTD; DsBho Dynamic Link Library>
2008-03-26 20:14:36 122880 --a------ C:\Program Files\Thunder Network\Thunder\Components\ResWorker\DataProcessor_00.dll <Not Verified; Thunder Networking Technologies,LTD; DataProcessor Dynamic Link Library>
2003-03-18 22:14:52 499712 -ra------ C:\WINDOWS\system32\msvcp71.dll <Not Verified; Microsoft Corporation; MicrosoftR Visual Studio .NET>
2006-12-01 22:54:32 626688 --a------ C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll <Not Verified; Microsoft Corporation; MicrosoftR Visual StudioR 2005>


-- Scheduled Tasks -------------------------------------------------------------

2008-02-22 20:39:52 498 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - 掃描我的電腦 - user.job


-- Files created between 2008-05-30 and 2008-06-30 -----------------------------

2008-06-29 13:51:19 16751 --a------ C:\WINDOWS\hosts
2008-06-29 13:51:18 17055 --a------ C:\runmgr.exe
2008-06-29 13:37:26 0 dr-h----- C:\Documents and Settings\user\Recent
2008-06-29 00:57:29 0 d-------- C:\fsaua.data
2008-06-28 10:18:40 68096 --a------ C:\WINDOWS\zip.exe
2008-06-28 10:18:40 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-28 10:18:40 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-28 10:18:40 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-28 10:18:40 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-28 10:18:40 98816 --a------ C:\WINDOWS\sed.exe
2008-06-28 10:18:40 80412 --a------ C:\WINDOWS\grep.exe
2008-06-28 10:18:40 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-25 22:20:30 0 d-------- C:\Program Files\Trend Micro
2008-06-17 00:55:42 0 d-------- C:\FSMWebSite
2008-06-08 20:10:52 0 d-------- C:\Program Files\NamiRobot
2008-06-03 21:30:38 1540096 -ra------ C:\WINDOWS\system32\clubbox.exe <Not Verified; Nowcom, Co. LTD.; CLUBBOX File Transfer Manager V2>


-- Find3M Report ---------------------------------------------------------------

2008-06-30 01:57:02 0 d-------- C:\Program Files\Common Files
2008-06-30 01:55:23 0 d-------- C:\Documents and Settings\user\Application Data\uTorrent
2008-06-30 00:56:40 26 --a------ C:\WINDOWS\system32\xlhcc.dat
2008-06-29 23:16:17 0 d-------- C:\Program Files\eMule
2008-06-29 12:38:14 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-27 14:57:12 463 --a------ C:\WINDOWS\system32\cid_store.dat
2008-06-17 08:13:56 0 d-------- C:\Documents and Settings\user\Application Data\MySQL
2008-06-12 01:03:59 0 d-------- C:\Program Files\Norton Internet Security
2008-06-10 15:39:13 0 d-------- C:\Program Files\ExtraPlayer
2008-06-09 18:41:59 0 d-------- C:\Documents and Settings\user\Application Data\360Safe
2008-06-09 18:41:41 0 d-------- C:\Program Files\360safe
2008-06-04 17:29:47 0 d-------- C:\Documents and Settings\user\Application Data\MegauploadToolbar
2008-06-02 16:33:36 0 d-------- C:\Program Files\Foxy
2008-05-26 12:32:59 240182 --a------ C:\WINDOWS\system32\prfh0404.dat
2008-05-26 12:32:59 76820 --a------ C:\WINDOWS\system32\prfc0404.dat
2008-05-26 12:32:50 0 d-------- C:\Program Files\MySQL
2008-05-13 21:57:46 0 d-------- C:\Program Files\7-Zip
2008-05-13 21:06:01 0 d-------- C:\Documents and Settings\user\Application Data\WinRAR
2008-05-13 20:05:33 0 d-------- C:\Program Files\QuickTime
2008-05-13 20:02:21 0 d-------- C:\Program Files\Apple Software Update
2008-04-29 19:27:37 73728 --a------ C:\WINDOWS\antiRK.dll <Not Verified; 奇虎网; 360安全?士文件粉碎模块>
2008-04-29 19:24:34 685568 --a------ C:\killer_rodog.exe <KILLER~1.EXE> <Not Verified; ; Killer.exe>
2008-04-01 22:06:30 155648 -ra------ C:\WINDOWS\system32\downengine.dll <Not Verified; (?)???; ClubBox>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2008/02/12 上午 01:10]
"SoundMan"="SOUNDMAN.EXE" [2004/08/30 下午 01:48 C:\WINDOWS\SOUNDMAN.EXE]
"snpstd"="C:\WINDOWS\vsnpstd.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008/03/28 下午 11:37]
"PHIMETIPSYNC"="C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.exe" [2003/07/14 下午 10:57]
"nwiz"="nwiz.exe" [2006/01/17 上午 10:19 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006/01/17 上午 10:19]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2001/09/05 下午 08:00]
"Grid Service"="C:\Program Files\GridService\peer.exe" [2007/12/14 下午 04:22]
"ClubBox"="nwiz.exe" [2006/01/17 上午 10:19 C:\WINDOWS\system32\nwiz.exe]
"CJIMETIPSYNC"="C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.exe" [2003/07/14 下午 10:57]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006/05/19 下午 06:07]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008/01/11 下午 10:16]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008/04/04 下午 02:43]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2001/09/05 下午 08:00]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Shell"="C:\WINDOWS\system32\Rundll32.exe" "C:\WINDOWS\system32\shell32.dll",Control_RunDLL "C:\WINDOWS\TEMP\dat54.tmp"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-81CX1C635612}]
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\isi32.exe



-- End of Deckard's System Scanner: finished at 2008-06-30 02:01:49 ------------






Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: Chinese

CPU 0: AMD Athlon™ XP 2500+
Percentage of Memory in Use: 62%
Physical Memory (total/avail): 511.48 MiB / 192.11 MiB
Pagefile Memory (total/avail): 1250.07 MiB / 895.16 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1920.43 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 19.09 GiB total, 1.17 GiB free.
D: is Fixed (FAT32) - 57.22 GiB total, 9.31 GiB free.
E: is CDROM (No Media)
F: is CDROM (No Media)
G: is Fixed (NTFS) - 146.48 GiB total, 39.66 GiB free.
H: is Fixed (NTFS) - 151.61 GiB total, 109.53 GiB free.

\\.\PHYSICALDRIVE0 - Maxtor 6Y080P0 - 76.33 GiB - 2 partitions
\PARTITION0 (bootable) - 可安裝的檔案系統 - 19.09 GiB - C:
\PARTITION1 - Unknown - 57.24 GiB - D:

\\.\PHYSICALDRIVE1 - WDC WD32 01ABYS-01B9A SCSI Disk Device - 298.09 GiB - 2 partitions
\PARTITION0 - 可安裝的檔案系統 - 146.48 GiB - G:
\PARTITION1 - 可安裝的檔案系統 - 151.61 GiB - H:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is disabled.

AntiVirusDisableNotify is set.

FW: Norton Internet Security v2005 (Symantec Corporation)
AV: Norton Internet Security v2005 (Symantec Corporation) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Foxy\\Foxy.exe"="C:\\Program Files\\Foxy\\Foxy.exe:*:Enabled:Foxy"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:μTorrent"
"C:\\Program Files\\Thunder Network\\Thunder\\Program\\Thunder5.exe"="C:\\Program Files\\Thunder Network\\Thunder\\Program\\Thunder5.exe:*:Enabled:Thunder"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\user\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_09\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=USER-ND76JHN6V0
ComSpec=C:\WINDOWS\system32\cmd.exe
DEFAULT_CA_NR=CA8
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\user
LOGONSERVER=\\USER-ND76JHN6V0
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\EPSON\Utility Suite\Copy Utility;C:\Program Files\Java\jdk1.5.0_09\bin;C:\Program Files\QuickTime\QTSystem;C:\Program Files\Common Files\Teleca Shared
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 10 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0a00
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_09\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\user\LOCALS~1\Temp
TMP=C:\DOCUME~1\user\LOCALS~1\Temp
USERDOMAIN=USER-ND76JHN6V0
USERNAME=user
USERPROFILE=C:\Documents and Settings\user
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

user (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{23EFDB58-0874-4883-9810-EDA510B19FAE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2BB79C8D-9DCC-4861-8A23-AE1B0B45E2B6}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{775FFF70-4A8C-4500-908D-3C34DBEB11D5}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{83021AC3-086F-4B77-ACCD-1BD7C9AB211E}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B14F9B26-D695-4C4A-8B11-0FE6CDCC797B}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E213C271-AEFA-481D-A9B4-914D88925B8D}\setup.exe" -l0x9
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
▲麩敃芶Season2◎諦誧傷假蚾最唗 --> C:\PROGRA~1\9you\麩敃芶~1\UNWISE.EXE C:\PROGRA~1\9you\麩敃芶~1\INSTALL.LOG
▲敃V1.7◎絿㜢翋最宒假娊 --> \UNWISE.EXE C:\DOCUME~1\user\桌面\1CD-NO~1\1CD-NO~1\
360安全?士 --> C:\Program Files\360safe\uninst.exe
7-Zip 4.57 --> "C:\Program Files\7-Zip\Uninstall.exe"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 - Chinese Traditional --> MsiExec.exe /I{AC76BA86-7AD7-1028-7B44-A81200000003}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
CC_ccProxyExt --> MsiExec.exe /I{DA42FDCA-7C5A-43EF-9A05-CCE148ADF919}
ccCommon --> MsiExec.exe /I{DC367608-64A7-4BF7-92F4-8BAA25BA02DB}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
ccPxyCore --> MsiExec.exe /I{FC08587A-4F01-4188-819F-F55880022917}
eMule VeryCD唳 --> C:\Program Files\eMule\uninstall.exe
EPSON Copy Utility 3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{67EDD823-135A-4D59-87BD-950616D6E857}\Setup.exe" -l0x9 -UnInstall
EPSON Scan --> C:\Program Files\epson\escndv\setup\setup.exe /r
EPSON Smart Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6C11D561-620B-47DA-A693-4C597F3CDF40}\SETUP.EXE" -l0x404 Uninstall
EPSON印表機軟體 --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
Foxy v1.9.8 --> "C:\Program Files\Foxy\unins000.exe"
G-TECH WebCam --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BBF79EFA-3F63-43BC-88EE-0157CE50F1B1}\setup.exe" -l0x404 -removeonly
Gameone --> C:\Program Files\InstallShield Installation Information\{860D3152-6E51-4E4F-A589-64C373097622}\setup.exe -runfromtemp -l0x0404 -removeonly
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar3.dll"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
J2SE Development Kit 5.0 Update 9 --> MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0150090}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
K-Lite Codec Pack 3.2.0 Full --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
Kaspersky Online Scanner --> C:\WINDOWS\System32\KASPER~1\KASPER~1\kavuninstall.exe
LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VCSetup.exe /REMOVE
LiveUpdate 3.0 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Megaupload Toolbar --> C:\Program Files\MegauploadToolbar\uninstall.exe
Microsoft AppLocale --> MsiExec.exe /I{394BE3D9-7F57-4638-A8D1-1D88671913B7}
Microsoft MSDN 2005 Express 㙉 - 羉砰いゅ --> C:\Program Files\Microsoft Visual Studio 8\Microsoft MSDN 2005 Express 㙉 - 羉砰いゅ\install.exe
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110404-6000-11D3-8CFE-0150048383C9}
Microsoft Office Visio Professional 2003 --> MsiExec.exe /I{90510404-6000-11D3-8CFE-0150048383C9}
Microsoft Visual Basic 2005 Express Edition - ENU --> C:\Program Files\Microsoft Visual Studio 8\Microsoft Visual Basic 2005 Express Edition - ENU\setup.exe
Microsoft Visual Basic 2005 Express Edition - ENU --> MsiExec.exe /X{577AD794-8B34-40B4-9E7A-BE4CFFE396E6}
Microsoft Visual Basic 2005 Express 㙉 - 羉砰いゅ --> C:\Program Files\Microsoft Visual Studio 8\Microsoft Visual Basic 2005 Express 㙉 - 羉砰いゅ\setup.exe
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual Web Developer 2005 Express Edition - ENU --> C:\Program Files\Microsoft Visual Studio 8\Microsoft Visual Web Developer 2005 Express Edition - ENU\setup.exe
Microsoft Visual Web Developer 2005 Express Edition - ENU --> MsiExec.exe /X{221125DC-6A40-4900-B844-591F5E1195B0}
Microsoft Windows Application Compatibility Database --> C:\WINDOWS\system32\sdbinst.exe -u "C:\WINDOWS\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb"
MiniQQLive --> "C:\Program Files\Tencent\QQLive\MiniQQLiveUninstall.exe"
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MS HKSCS-2001 Support --> RunDll32.exe advpack.dll,LaunchINFSection hkscs2001.inf,Uninstall
MSRedist --> MsiExec.exe /I{B7C61755-DB48-4003-948F-3D34DB8EAF69}
Nero 6 Ultra Edition --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Net Transport 1.94.281 --> "C:\Program Files\Xi\NetTransport 2\unins000.exe"
Norton AntiSpam --> MsiExec.exe /I{3B29A786-5803-4e9e-9B58-3014A5B4E519}
Norton AntiSpam --> MsiExec.exe /I{5677563D-0CB1-485f-9E18-C5025306BB3F}
Norton AntiVirus 2005 --> MsiExec.exe /X{C6F5B6CF-609C-428E-876F-CA83176C021B}
Norton Internet Security --> MsiExec.exe /I{12E2B9E9-05B1-407d-B0FD-B5F350535125}
Norton Internet Security --> MsiExec.exe /I{449F3A9E-9903-4a0d-A209-08030D45A935}
Norton Internet Security --> MsiExec.exe /I{48185814-A224-447a-81DA-71BD20580E1B}
Norton Internet Security --> MsiExec.exe /I{526AD5DC-CFC4-4f2a-8442-C84CC91D6C7F}
Norton Internet Security --> MsiExec.exe /I{A93C9E60-29B6-49da-BA21-F70AC6AADE20}
Norton Internet Security --> MsiExec.exe /I{E3EFA461-EB83-4C3B-9C47-2C1D58A01555}
Norton Internet Security --> MsiExec.exe /I{E5EE9939-259F-4DE2-8023-5C49E16A4F43}
Norton Internet Security --> MsiExec.exe /I{FC2C0536-583C-46c0-844A-62CECAE01F22}
Norton Internet Security 2005 (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\SymSetup\{A93C9E60-29B6-49da-BA21-F70AC6AADE20}.exe /X
Norton WMI Update --> MsiExec.exe /X{E85FA9A1-C241-4698-893B-DD99509B8DB0}
Norton WMI Update --> MsiExec.exe /X{F64306A5-4C32-41bb-B153-53986527FAB4}
NVIDIA Drivers --> C:\WINDOWS\System32\nvudisp.exe UninstallGUI
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
Power MP3 WMA Converter 2006, (ver 3.51) --> "C:\Program Files\Power MP3 WMA Converter\unins000.exe"
QQ2006 Beta2 --> C:\Program Files\Tencent2\QQ\uninst.exe
QQLive 3.5 --> "C:\Program Files\Tencent\QQLive\uninstall.exe"
QQ游? --> C:\Program Files\Tencent\QQGame\Uninstall.EXE
QQ繁體新斗地主 --> C:\PROGRA~1\Tencent\QQGame\newddz\UNWISE.EXE C:\PROGRA~1\Tencent\QQGame\newddz\INSTALL.LOG
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
RaySource 2.0.10.7348 --> C:\Program Files\RaySource\uninst.exe
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
ScanToWeb --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EBAE381B-60A6-4863-AA9F-FCAB755BC9E5}\setup.exe" ADDREMOVEDLG
SPBBC --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Symantec Script Blocking Installer --> MsiExec.exe /I{D327AFC9-7BAA-473A-8319-6EB7A0D40138}
SymNet --> MsiExec.exe /I{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}
Tencent Media Player by Viewpoint --> C:\Program Files\Tencent\Viewpoint Media Player\mtsAxInstaller.exe /u
TextPad 4.7 --> MsiExec.exe /X{B510A987-487E-4C66-9F4F-D386AC275715}
Unlocker 1.8.3 --> C:\Program Files\Unlocker\uninst.exe
Windows Live installer --> MsiExec.exe /X{97898768-B0A7-4529-82D8-96925BD906EA}
Windows Live Messenger --> MsiExec.exe /X{6560D90C-5223-49A3-B78C-A48C31EAEC56}
Windows Live 登入小幫手 --> MsiExec.exe /I{CB5EA99C-8A5B-49F2-9A1A-2EF78BE4DB41}
WinRAR 壓縮工具 --> C:\Program Files\WinRAR\uninstall.exe
μTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
迅雷5 --> "C:\Program Files\Thunder Network\Thunder\unins000.exe"
超級兔子魔法設定 --> C:\PROGRA~1\SUPERR~1\magicset\UNWISE.EXE C:\PROGRA~1\SUPERR~1\magicset\INSTALL.LOG


-- Application Event Log -------------------------------------------------------

Event Record #/Type26714 / Success
Event Submitted/Written: 06/29/2008 11:50:35 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type26574 / Success
Event Submitted/Written: 06/26/2008 09:05:51 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type26438 / Success
Event Submitted/Written: 06/25/2008 02:00:07 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type26269 / Success
Event Submitted/Written: 06/21/2008 08:24:38 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type26196 / Success
Event Submitted/Written: 06/21/2008 00:29:38 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type50536 / Error
Event Submitted/Written: 06/29/2008 03:24:10 PM
Event ID/Source: 10010 / DCOM
Event Description:
伺服器 {F3A614DC-ABE0-11D2-A441-00C04F795683} 沒有在指定的等候逾時內登錄 DCOM。

Event Record #/Type50511 / Error
Event Submitted/Written: 06/29/2008 01:13:17 AM
Event ID/Source: 1 / F-Secure Standalone Minifilter
Event Description:
\Device\HarddiskVolume3\Docum...f

Event Record #/Type50510 / Error
Event Submitted/Written: 06/29/2008 01:11:39 AM
Event ID/Source: 1 / F-Secure Standalone Minifilter
Event Description:
\Device\HarddiskVolume3\Docume...

Event Record #/Type50509 / Error
Event Submitted/Written: 06/29/2008 01:03:44 AM
Event ID/Source: 1 / F-Secure Standalone Minifilter
Event Description:
\Device\HarddiskVolume3\Docu...fs

Event Record #/Type50361 / Warning
Event Submitted/Written: 06/26/2008 10:51:25 PM
Event ID/Source: 1007 / Dhcp
Event Description:
您的電腦已自動設定網路位址為 00508D7A8158 的網路卡的 IP 位址。
目前使用的 IP 位址是 169.254.116.111。



-- End of Deckard's System Scanner: finished at 2008-06-30 02:01:49 ------------

#14 don77

don77

    Forum Regular


  • Members
  • 3,212 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston Mass
  • Local time:11:32 AM

Posted 01 July 2008 - 08:40 PM

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\runmgr.exe

  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Next

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Rescan with DSS and post back the log from it as well please

#15 audition

audition
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:12:32 AM

Posted 02 July 2008 - 12:06 PM

Hello.

OTMoveIt2 Result:

C:\runmgr.exe moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07032008_004352



I can't perform MBAM scan. It shows a message of error 6 during the scan and then it closes automatically.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users