
Infected By Infostealer


3 replies to this topic

#1 ChinaPolly

  • Members
  • 2 posts

Posted 15 June 2008 - 11:47 AM

Every few minutes, a Norton Antivirus window pops up with a warning about an infection at C:\WINDOWS\system32\d32dx9.sys with an infection type of Infostealer. It says it was deleted, but the window continually pops up. I am running the Chinese version of Windows XP, so some of the logfile is in Chinese. Below are my DSS logs.

Thank you for your help.

Polly

Deckard's System Scanner v20071014.68
Run by Owner on 2008-06-16 00:22:46
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
5: 2008-06-15 16:22:51 UTC - RP109 - Deckard's System Scanner Restore Point
4: 2008-06-15 13:06:16 UTC - RP108 - Installed SUPERAntiSpyware Free Edition
3: 2008-06-14 03:43:16 UTC - RP107 - Software Distribution Service 3.0
2: 2008-06-12 09:32:45 UTC - RP106 - Software Distribution Service 3.0
1: 2008-06-12 09:29:30 UTC - RP105 - Software Distribution Service 3.0


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 0:24:41, on 2008-6-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\8.exe
C:\Program Files\Elantech\ktp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
D:\软件包\迅雷\Program\Thunder5.exe
C:\Program Files\Tudou\飞速Tudou\TudouVa.exe
C:\WINDOWS\system32\wuauclt.exe
C:\TDDOWNLOAD\dss.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

F2 - REG:system.ini: Shell=Explorer.exe,,,8.exe
O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - D:\软件包\迅雷\ComDlls\TDAtOnce_Now.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: QQToolbar - {29CF293A-1E7D-4069-9E11-E39698D0AF95} - C:\Program Files\Tencent\QQToolbar\IEBar.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - D:\软件包\迅雷\ComDlls\xunleiBHO_Now.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN 工具栏 - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\zh-cn\msntb.dll
O3 - Toolbar: QQToolbar - {29CF293A-1E7D-4069-9E11-E39698D0AF95} - C:\Program Files\Tencent\QQToolbar\IEBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KTPWare] C:\Program Files\Elantech\ktp.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Thunder] "D:\软件包\迅雷\Thunder.exe" /s
O4 - HKLM\..\Run: [stup.exe] Rundll32.exe C:\PROGRA~1\TENCENT\SSPlus\SPlus1.dll,Rundll32 R
O4 - HKLM\..\Run: [IMSCMig] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [TudouVAStart] C:\Program Files\Tudou\飞速Tudou\TudouVa.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: 腾讯QQ.lnk = C:\Program Files\Tencent\QQ\QQ.exe
O4 - Startup: QQ游戏启动加速程序.lnk = C:\Program Files\Tencent\QQGame\Accel.exe
O4 - Startup: 启动飞速土豆.lnk = ?
O8 - Extra context menu item: 使用迅雷下载 - D:\软件包\迅雷\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 - D:\软件包\迅雷\Program\getallurl.htm
O8 - Extra context menu item: 在Foxmail中添加该RSS频道/频道组 - res://C:\WINDOWS\system32\fmrsslink.dll/201
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O9 - Extra button: 启动迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - D:\软件包\迅雷\Thunder.exe
O9 - Extra 'Tools' menuitem: 启动迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - D:\软件包\迅雷\Thunder.exe
O9 - Extra button: 联想 - {6096E38F-5AC1-4391-8EC4-75DFA92FB32F} - http://www.lenovo.com (file missing)
O9 - Extra button: 信息检索 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [TBH] 中文搜搜
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://lfy-polly.spaces.live.com/PhotoUpload/MsnPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F1479D8F-F1E5-4392-99AE-FB8CAB8BE3AC}: NameServer = 202.96.134.133,202.96.128.86
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: nhmxcjkl.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: USBest Service Zero (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE
O23 - Service: 自动 LiveUpdate 调度程序 - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

--
End of file - 8795 bytes

-- File Associations -----------------------------------------------------------

.chm - chm.file - shell\open\command - "hh.exe" %1
.ini - inifile - shell\open\command - C:\WINDOWS\System32\NOTEPAD.EXE %1
.txt - txtfile - shell\open\command - C:\WINDOWS\notepad.exe %1


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S2 HiddFldy - c:\windows\system32\d32dx9.sys (file missing)
S3 CapFilt - c:\windows\system32\drivers\capfilt.sys <Not Verified; ensurebit; ensurebit CapFilt>
S3 IIS Manager - c:\docume~1\owner~1.len\locals~1\temp\1.tmp (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 UTSCSI (USBest Service Zero) - c:\windows\system32\utscsi.exe


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {6BDD1FC6-810F-11D0-BEC7-08002BE2092F}
Description: BisonCam, NB Pro
Device ID: USB\VID_0402&PID_5602\5&2FEFE41E&0&8
Manufacturer: WebCam
Name: BisonCam, NB Pro
PNP Device ID: USB\VID_0402&PID_5602\5&2FEFE41E&0&8
Service: Cam5603D


-- Scheduled Tasks -------------------------------------------------------------

2008-06-16 00:23:12 414 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job
2008-06-13 20:20:04 500 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - 扫描我的电脑.job
2008-04-24 09:23:36 452 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - 扫描我的电脑 - Owner.job


-- Files created between 2008-05-16 and 2008-06-16 -----------------------------

2008-06-15 23:58:52 0 d-------- C:\Program Files\Trend Micro
2008-06-15 23:45:56 0 d-------- C:\Documents and Settings\Owner.LENOVO-F0B846B3\Application Data\Malwarebytes
2008-06-15 23:45:32 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-06-15 23:45:29 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-15 21:06:32 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2008-06-15 21:06:18 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-06-15 21:06:18 0 d-------- C:\Documents and Settings\Owner.LENOVO-F0B846B3\Application Data\SUPERAntiSpyware.com
2008-06-15 21:05:08 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-14 10:10:36 0 d--hs---- C:\FOUND.002
2008-06-13 20:17:08 0 d-------- C:\WINDOWS\FoxmailUpdate
2008-06-12 17:31:37 4079 --a------ C:\WINDOWS\system32\24.exe
2008-06-12 17:31:34 4079 --a------ C:\WINDOWS\system32\23.exe
2008-06-12 17:31:22 4079 --a------ C:\WINDOWS\system32\22.exe
2008-06-12 17:30:51 4077 --a------ C:\WINDOWS\system32\21.exe
2008-06-12 17:30:51 4078 --a------ C:\WINDOWS\system32\20.exe
2008-06-12 17:30:50 4077 --a------ C:\WINDOWS\system32\19.exe
2008-06-12 17:30:28 4077 --a------ C:\WINDOWS\system32\18.exe
2008-06-12 17:30:28 4077 --a------ C:\WINDOWS\system32\17.exe
2008-06-12 17:30:26 24 --a------ C:\WINDOWS\system32\wymxajkl.sys
2008-06-12 17:30:26 4077 --a------ C:\WINDOWS\system32\15.exe
2008-06-12 17:30:16 4078 --a------ C:\WINDOWS\system32\13.exe
2008-06-12 17:30:13 4077 --a------ C:\WINDOWS\system32\12.exe
2008-06-12 17:30:11 8399 --a------ C:\WINDOWS\system32\11.exe
2008-06-12 17:30:10 21222 --a------ C:\WINDOWS\system32\10.exe
2008-06-12 17:30:08 21358 --a------ C:\WINDOWS\system32\9.exe
2008-06-12 17:30:05 27980 --a------ C:\WINDOWS\system32\8.exe
2008-06-12 17:30:05 4078 --a------ C:\WINDOWS\system32\7.exe
2008-06-12 17:29:46 4078 --a------ C:\WINDOWS\system32\6.exe
2008-06-12 17:29:45 4077 --a------ C:\WINDOWS\system32\5.exe
2008-06-12 17:29:44 4077 --a------ C:\WINDOWS\system32\4.exe
2008-06-12 17:29:44 4078 --a------ C:\WINDOWS\system32\3.exe
2008-06-12 17:29:41 17037 --a------ C:\WINDOWS\system32\2.exe
2008-06-12 17:29:38 8397 --a------ C:\WINDOWS\system32\1.exe
2008-06-12 17:29:32 8397 --a------ C:\WINDOWS\system32\0.exe
2008-06-12 17:29:09 4077 --a------ C:\WINDOWS\system32\updatax.exe
2008-06-12 17:28:50 136 --a------ C:\_uninsep.bat
2008-06-12 00:26:59 0 d-------- C:\Program Files\51


-- Find3M Report ---------------------------------------------------------------

2008-06-16 00:21:30 2737 --a------ C:\WINDOWS\system32\cid_store.dat
2008-04-24 18:07:40 0 d-------- C:\Program Files\Common Files\Thunder Network
2008-04-10 08:31:34 122416 --a------ C:\WINDOWS\system32\prfh0804.dat
2008-04-10 08:31:34 45214 --a------ C:\WINDOWS\system32\prfc0804.dat
2008-04-01 16:21:42 0 --a------ C:\WINDOWS\system32\UTSCSI.EXE


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{29CF293A-1E7D-4069-9E11-E39698D0AF95}]
2008-06-12 19:12 726336 --a------ C:\Program Files\Tencent\QQToolbar\IEBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-17 20:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-17 20:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-17 20:00]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-07-21 00:29]
"nwiz"="nwiz.exe" [2005-07-21 00:29 C:\WINDOWS\system32\nwiz.exe]
"KTPWare"="C:\Program Files\Elantech\ktp.exe" [2005-12-08 02:48]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-12 15:13 C:\WINDOWS\AGRSMMSG.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-04-12 15:13 C:\WINDOWS\SOUNDMAN.EXE]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-05-19 18:49]
"Thunder"="D:\软件包\迅雷\Thunder.exe" [2008-01-15 15:42]
"stup.exe"="C:\PROGRA~1\TENCENT\SSPlus\SPlus1.dll" [2008-06-10 17:42]
"IMSCMig"="C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.exe" [2003-07-14 22:57]
"AASecuUFD"="" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-17 12:00]
"Power2GoExpress"="C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" [2006-03-24 16:25]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:55]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-11 21:47]
"TudouVAStart"="C:\Program Files\Tudou\飞速Tudou\TudouVa.exe" [2008-04-28 22:03]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-13 12:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe,,,8.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=nhmxcjkl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360safe.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360safebox.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360tray.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avp.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CCenter.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Rav.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavMon.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavMonD.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavStub.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavTask.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwcfg.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwmain.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwProxy.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwsrv.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwstub.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\runiep.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\safeboxTray.exe]
Debugger=TASKMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SmartUp.exe]
Debugger=TASKMAN.EXE


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ec762978-fac7-11dc-b897-00166f56b575}]
AutoRun\command- G:\USBNB.exe




-- End of Deckard's System Scanner: finished at 2008-06-16 00:29:05 ------------



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: Chinese

CPU 0: Intel® Pentium® M processor 1.70GHz
Percentage of Memory in Use: 69%
Physical Memory (total/avail): 511.42 MiB / 154.65 MiB
Pagefile Memory (total/avail): 1249.63 MiB / 818.25 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1935.09 MiB

C: is Fixed (FAT32) - 14.64 GiB total, 2.46 GiB free.
D: is Fixed (NTFS) - 37.12 GiB total, 11.96 GiB free.
E: is CDROM (No Media)
F: is Removable (FAT32)
G: is Removable (FAT)

\\.\PHYSICALDRIVE0 - ST960812A - 53.86 GiB - 4 partitions
\PARTITION0 (bootable) - Unknown - 14.65 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 39.16 GiB - D:
\PARTITION2 - Unknown - 47.07 MiB

\\.\PHYSICALDRIVE1 - GENERIC USB DISK DEVICE USB Device - 1992.44 MiB - 1 partition
\PARTITION0 (bootable) - Unknown - 1998.25 MiB - F:

\\.\PHYSICALDRIVE2 - USB 2.0 SD/MMC Reader USB Device - 949.15 MiB - 1 partition
\PARTITION0 - MS-DOS V4 Huge - 952.81 MiB - G:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.

AV: Norton AntiVirus v2004 (Symantec Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\\软件包\\迅雷\\Program\\Thunder5.exe"="D:\\软件包\\迅雷\\Program\\Thunder5.exe:*:Enabled:Thunder"
"C:\\TDdownload\\onlineinstall.exe"="C:\\TDdownload\\onlineinstall.exe:*:Enabled:QQ在线安装"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Tencent\\QQ\\QQ.exe"="C:\\Program Files\\Tencent\\QQ\\QQ.exe:*:Enabled:QQ"
"C:\\Program Files\\Tudou\\飞速Tudou\\TudouVa.exe"="C:\\Program Files\\Tudou\\飞速Tudou\\TudouVa.exe:*:Enabled:飞速Tudou"
"C:\\Program Files\\Tencent\\QQ\\Qzone\\Qzone.exe"="C:\\Program Files\\Tencent\\QQ\\Qzone\\Qzone.exe:*:Disabled:QzoneClient1.3Beta04 V01.3.104.021"
"C:\\Program Files\\Tencent\\QQ\\QQPet\\QQPetAgent.exe"="C:\\Program Files\\Tencent\\QQ\\QQPet\\QQPetAgent.exe:*:Disabled:QQ宠物启动程序"
"C:\\Program Files\\Tencent\\QQ\\QQUpdateCenter.exe"="C:\\Program Files\\Tencent\\QQ\\QQUpdateCenter.exe:*:Enabled:QQUpdate"
"C:\\Program Files\\Messenger\\MSMSGS.EXE"="C:\\Program Files\\Messenger\\MSMSGS.EXE:*:Enabled:Windows Messenger"
"C:\\Documents and Settings\\Owner.LENOVO-F0B846B3\\桌面\\简体中文版IPMsgCHS206\\IPMSG.exe"="C:\\Documents and Settings\\Owner.LENOVO-F0B846B3\\桌面\\简体中文版IPMsgCHS206\\IPMSG.exe:*:Enabled:飞鸽传书"
"C:\\Program Files\\Kingsoft\\Powerword 2007\\xdict.exe"="C:\\Program Files\\Kingsoft\\Powerword 2007\\xdict.exe:*:Enabled:Kingsoft PowerWord"
"C:\\Program Files\\Kingsoft\\Powerword 2007\\update.exe"="C:\\Program Files\\Kingsoft\\Powerword 2007\\update.exe:*:Enabled:Kingsoft PowerWord Online Update"
"C:\\Documents and Settings\\Owner.LENOVO-F0B846B3\\Local Settings\\Temp\\Rar$EX00.563\\PDF修改文件\\PDFEdit.exe"="C:\\Documents and Settings\\Owner.LENOVO-F0B846B3\\Local Settings\\Temp\\Rar$EX00.563\\PDF修改文件\\PDFEdit.exe:*:Enabled:Foxit PDF Editor,第一个真正的 PDF 文件编辑器!"
"C:\\Documents and Settings\\Owner.LENOVO-F0B846B3\\Local Settings\\Temp\\Rar$EX41.5141\\PDF修改文件\\PDFEdit.exe"="C:\\Documents and Settings\\Owner.LENOVO-F0B846B3\\Local Settings\\Temp\\Rar$EX41.5141\\PDF修改文件\\PDFEdit.exe:*:Enabled:Foxit PDF Editor,第一个真正的 PDF 文件编辑器!"
"C:\\Program Files\\Tencent\\QQ\\QzoneMusic.exe"="C:\\Program Files\\Tencent\\QQ\\QzoneMusic.exe:*:Enabled:QzoneMusic2.0Beta12Build140"
"C:\\Program Files\\Tencent\\QQGame\\QQGameDl.exe"="C:\\Program Files\\Tencent\\QQGame\\QQGameDl.exe:*:Enabled:QQGameDl"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:TOM-Skype"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users.WINDOWS
APPDATA=C:\Documents and Settings\Owner.LENOVO-F0B846B3\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=LENOVO-F0B846B3
ComSpec=C:\WINDOWS\system32\cmd.exe
DAPPLAYER_HOME=D:\软件包\迅雷\Components\DownAndPlay
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner.LENOVO-F0B846B3
LOGONSERVER=\\LENOVO-F0B846B3
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d08
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\OWNER~1.LEN\LOCALS~1\Temp
THUNDER_HOME=D:\软件包\迅雷\Program\
TMP=C:\DOCUME~1\OWNER~1.LEN\LOCALS~1\Temp
USERDOMAIN=LENOVO-F0B846B3
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner.LENOVO-F0B846B3
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner.LENOVO-F0B846B3 (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
51客户端上传工具 1.1.0.0 --> C:\Program Files\51\Uploader\uninst.exe
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 6.0 - Chinese Simplified --> MsiExec.exe /I{AC76BA86-7AD7-2052-7B44-000000000001}
Agere Systems AC'97 Modem --> agrsmdel
BisonCam --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4A57592C-FF92-4083-97A9-92783BD5AFB4}\Setup.exe" -l0x804
CC_ccStart --> MsiExec.exe /I{D6414CC7-F215-467F-88B1-546ED863F35B}
ccCommon --> MsiExec.exe /I{DC367608-64A7-4BF7-92F4-8BAA25BA02DB}
EasyCapture2.0 --> C:\Program Files\Lenovo\EasyCapture\Uninstall.exe
Foxmail 6.5 --> D:\软件包\foxmail\unins000.exe
Google Earth --> MsiExec.exe /I{97C0EA4A-1A0B-4C53-ACEB-49984DA79C90}
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
KTP Ware PS/2-WDM 5.0.1.9 --> rundll32.exe "C:\Program Files\Elantech\KTUninst.dll",KTech_Uninstall 0
LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LiveUpdate 3.2 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110804-6000-11D3-8CFE-0150048383C9}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
MSN 工具栏 --> C:\Program Files\MSN Toolbar\01.01.2607.0\zh-cn\mtbs.exe c
MSRedist --> MsiExec.exe /I{FC37ABD0-2108-4beb-B010-1254E0662B5A}
Norton AntiVirus 2004 --> MsiExec.exe /X{C6F5B6CF-609C-428E-876F-CA83176C021B}
Norton AntiVirus 2004 (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\SymSetup\{C6F5B6CF-609C-428E-876F-CA83176C021B}.exe /X
Norton AntiVirus Parent MSI --> MsiExec.exe /I{E5EE9939-259F-4DE2-8023-5C49E16A4F43}
Norton WMI Update --> MsiExec.exe /X{1526D87C-A955-4FAB-BF18-697BA457E352}
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
Power2Go 5.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{40BF1E83-20EB-11D8-97C5-0009C5020658}\Setup.exe" -uninstall
QQ2008 贺岁版 --> C:\Program Files\Tencent\QQ\uninst.exe
QQ工具栏 --> RUNDLL32.EXE C:\PROGRA~1\Tencent\QQTOOL~1\IEBar.dll,UnInstall
QQ聊天室 --> "C:\Program Files\Tencent\QQChat\uninstall.exe"
QQ游戏 --> C:\Program Files\Tencent\QQGAME\Uninstall.EXE
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
REALTEK Gigabit and Fast Ethernet NIC Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{94FB906A-CF42-4128-A509-D353026A607E}\Setup.exe" -l0x804 REMOVE
Skype? 3.6 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Symantec 脚本禁止安装程序 --> MsiExec.exe /I{D327AFC9-7BAA-473A-8319-6EB7A0D40138}
SymNet --> MsiExec.exe /I{E47EE8FB-ACC0-4608-859C-4E2851B18A6A}
Windows Live Messenger --> MsiExec.exe /I{D7A2654B-BE52-489F-8FCD-EFCC67FDF007}
Windows Live Sign-in Assistant --> MsiExec.exe /I{49672EC2-171B-47B4-8CE7-50D7806360D7}
Windows XP (KB941569) Security Update --> "C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Windows XP Security Update (KB890046) --> "C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"
Windows XP Security Update (KB893066) --> "C:\WINDOWS\$NtUninstallKB893066$\spuninst\spuninst.exe"
Windows XP Security Update (KB893756) --> "C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
Windows XP Security Update (KB896358) --> "C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
Windows XP Security Update (KB896423) --> "C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
Windows XP Security Update (KB896428) --> "C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
Windows XP Security Update (KB899587) --> "C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
Windows XP Security Update (KB899588) --> "C:\WINDOWS\$NtUninstallKB899588$\spuninst\spuninst.exe"
Windows XP Security Update (KB899591) --> "C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
Windows XP Security Update (KB900725) --> "C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
Windows XP Security Update (KB901017) --> "C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
Windows XP Security Update (KB901190) --> "C:\WINDOWS\$NtUninstallKB901190$\spuninst\spuninst.exe"
Windows XP Security Update (KB901214) --> "C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
Windows XP Security Update (KB902400) --> "C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Windows XP Security Update (KB903235) --> "C:\WINDOWS\$NtUninstallKB903235$\spuninst\spuninst.exe"
Windows XP Security Update (KB905414) --> "C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
Windows XP Security Update (KB905749) --> "C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
Windows XP Security Update (KB908519) --> "C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
Windows XP Security Update (KB911562) --> "C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
Windows XP Security Update (KB911927) --> "C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
Windows XP Security Update (KB913580) --> "C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
Windows XP Security Update (KB914388) --> "C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"
Windows XP Security Update (KB914389) --> "C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"
Windows XP Security Update (KB917344) --> "C:\WINDOWS\$NtUninstallKB917344$\spuninst\spuninst.exe"
Windows XP Security Update (KB918118) --> "C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"
Windows XP Security Update (KB918439) --> "C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe"
Windows XP Security Update (KB919007) --> "C:\WINDOWS\$NtUninstallKB919007$\spuninst\spuninst.exe"
Windows XP Security Update (KB920213) --> "C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
Windows XP Security Update (KB920670) --> "C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
Windows XP Security Update (KB920683) --> "C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"
Windows XP Security Update (KB920685) --> "C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"
Windows XP Security Update (KB921883) --> "C:\WINDOWS\$NtUninstallKB921883$\spuninst\spuninst.exe"
Windows XP Security Update (KB922819) --> "C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe"
Windows XP Security Update (KB923191) --> "C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"
Windows XP Security Update (KB923414) --> "C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe"
Windows XP Security Update (KB923980) --> "C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
Windows XP Security Update (KB924191) --> "C:\WINDOWS\$NtUninstallKB924191$\spuninst\spuninst.exe"
Windows XP Security Update (KB924270) --> "C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
Windows XP Security Update (KB924667) --> "C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"
Windows XP Security Update (KB925902) --> "C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"
Windows XP Security Update (KB926255) --> "C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"
Windows XP Security Update (KB926436) --> "C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
Windows XP Security Update (KB927779) --> "C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"
Windows XP Security Update (KB927802) --> "C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"
Windows XP Security Update (KB928255) --> "C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"
Windows XP Security Update (KB928843) --> "C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"
Windows XP Security Update (KB929123) --> "C:\WINDOWS\$NtUninstallKB929123$\spuninst\spuninst.exe"
Windows XP Security Update (KB929969) --> "C:\WINDOWS\$NtUninstallKB929969$\spuninst\spuninst.exe"
Windows XP Security Update (KB930178) --> "C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe"
Windows XP Security Update (KB931261) --> "C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe"
Windows XP Security Update (KB931784) --> "C:\WINDOWS\$NtUninstallKB931784$\spuninst\spuninst.exe"
Windows XP Security Update (KB932168) --> "C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe"
Windows XP Security Update (KB933729) --> "C:\WINDOWS\$NtUninstallKB933729$\spuninst\spuninst.exe"
Windows XP Security Update (KB935839) --> "C:\WINDOWS\$NtUninstallKB935839$\spuninst\spuninst.exe"
Windows XP Security Update (KB935840) --> "C:\WINDOWS\$NtUninstallKB935840$\spuninst\spuninst.exe"
Windows XP Security Update (KB936021) --> "C:\WINDOWS\$NtUninstallKB936021$\spuninst\spuninst.exe"
Windows XP Security Update (KB938127) --> "C:\WINDOWS\$NtUninstallKB938127$\spuninst\spuninst.exe"
Windows XP Security Update (KB938829) --> "C:\WINDOWS\$NtUninstallKB938829$\spuninst\spuninst.exe"
Windows XP Security Update (KB941202) --> "C:\WINDOWS\$NtUninstallKB941202$\spuninst\spuninst.exe"
Windows XP Security Update (KB941568) --> "C:\WINDOWS\$NtUninstallKB941568$\spuninst\spuninst.exe"
Windows XP Security Update (KB941644) --> "C:\WINDOWS\$NtUninstallKB941644$\spuninst\spuninst.exe"
Windows XP Security Update (KB941693) --> "C:\WINDOWS\$NtUninstallKB941693$\spuninst\spuninst.exe"
Windows XP Security Update (KB942615) --> "C:\WINDOWS\$NtUninstallKB942615$\spuninst\spuninst.exe"
Windows XP Security Update (KB943055) --> "C:\WINDOWS\$NtUninstallKB943055$\spuninst\spuninst.exe"
Windows XP Security Update (KB943460) --> "C:\WINDOWS\$NtUninstallKB943460$\spuninst\spuninst.exe"
Windows XP Security Update (KB943485) --> "C:\WINDOWS\$NtUninstallKB943485$\spuninst\spuninst.exe"
Windows XP Security Update (KB944338) --> "C:\WINDOWS\$NtUninstallKB944338$\spuninst\spuninst.exe"
Windows XP Security Update (KB944533) --> "C:\WINDOWS\$NtUninstallKB944533$\spuninst\spuninst.exe"
Windows XP Security Update (KB944653) --> "C:\WINDOWS\$NtUninstallKB944653$\spuninst\spuninst.exe"
Windows XP Security Update (KB945553) --> "C:\WINDOWS\$NtUninstallKB945553$\spuninst\spuninst.exe"
Windows XP Security Update (KB946026) --> "C:\WINDOWS\$NtUninstallKB946026$\spuninst\spuninst.exe"
Windows XP Security Update (KB947864) --> "C:\WINDOWS\$NtUninstallKB947864$\spuninst\spuninst.exe"
Windows XP Security Update (KB948590) --> "C:\WINDOWS\$NtUninstallKB948590$\spuninst\spuninst.exe"
Windows XP Security Update (KB948881) --> "C:\WINDOWS\$NtUninstallKB948881$\spuninst\spuninst.exe"
Windows XP Security Update (KB950749) --> "C:\WINDOWS\$NtUninstallKB950749$\spuninst\spuninst.exe"
Windows XP Security Update (KB950759) --> "C:\WINDOWS\$NtUninstallKB950759$\spuninst\spuninst.exe"
Windows XP Security Update (KB950760) --> "C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Windows XP Security Update (KB950762) --> "C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Windows XP Security Update (KB951376) --> "C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Windows XP Security Update (KB951698) --> "C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Windows XP Update (KB894391) --> "C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"
Windows XP Update (KB896727) --> "C:\WINDOWS\$NtUninstallKB896727$\spuninst\spuninst.exe"
Windows XP Update (KB898461) --> "C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Windows XP Update (KB900485) --> "C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
Windows XP Update (KB908531) --> "C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
Windows XP Update (KB910437) --> "C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
Windows XP Update (KB911280) --> "C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"
Windows XP Update (KB916595) --> "C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"
Windows XP Update (KB920872) --> "C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"
Windows XP Update (KB922582) --> "C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
Windows XP Update (KB927891) --> "C:\WINDOWS\$NtUninstallKB927891$\spuninst\spuninst.exe"
Windows XP Update (KB930916) --> "C:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe"
Windows XP Update (KB936357) --> "C:\WINDOWS\$NtUninstallKB936357$\spuninst\spuninst.exe"
Windows XP Update (KB938828) --> "C:\WINDOWS\$NtUninstallKB938828$\spuninst\spuninst.exe"
Windows XP Update (KB942763) --> "C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"
Windows XP Update (KB942840) --> "C:\WINDOWS\$NtUninstallKB942840$\spuninst\spuninst.exe"
Windows XP Hotfix - KB834707 --> C:\WINDOWS\$NtUninstallKB834707$\spuninst\spuninst.exe
Windows XP Hotfix - KB867282 --> C:\WINDOWS\$NtUninstallKB867282$\spuninst\spuninst.exe
Windows XP Hotfix - KB873333 --> C:\WINDOWS\$NtUninstallKB873333$\spuninst\spuninst.exe
Windows XP Hotfix - KB873339 --> C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
Windows XP Hotfix - KB885250 --> C:\WINDOWS\$NtUninstallKB885250$\spuninst\spuninst.exe
Windows XP Hotfix - KB885835 --> C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe
Windows XP Hotfix - KB885836 --> C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
Windows XP Hotfix - KB886185 --> C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe
Windows XP Hotfix - KB886677 --> C:\WINDOWS\$NtUninstallKB886677$\spuninst\spuninst.exe
Windows XP Hotfix - KB887472 --> C:\WINDOWS\$NtUninstallKB887472$\spuninst\spuninst.exe
Windows XP Hotfix - KB888113 --> C:\WINDOWS\$NtUninstallKB888113$\spuninst\spuninst.exe
Windows XP Hotfix - KB888302 --> C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
Windows XP Hotfix - KB890047 --> C:\WINDOWS\$NtUninstallKB890047$\spuninst\spuninst.exe
Windows XP Hotfix - KB890175 --> C:\WINDOWS\$NtUninstallKB890175$\spuninst\spuninst.exe
Windows XP Hotfix - KB890859 --> "C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"
Windows XP Hotfix - KB891781 --> C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe
Windows XP Hotfix - KB894194 --> C:\WINDOWS\$NtUninstallKB894194$\spuninst\spuninst.exe
WinRAR archive manager --> d:\Program Files\WinRAR\uninstall.exe
Kingsoft PowerWord 2007 --> "C:\Program Files\Kingsoft\Powerword 2007\unins000.exe"
Tencent SOSO (Chinese search) --> Rundll32.exe C:\WINDOWS\system32\Scrax1.dll,Uninstall
Wanneng Input Method --> C:\Program Files\ShiQiang\Uninst.exe
Xinwang Tongdaxin stock quotes --> C:\WINDOWS\TdxUnInstall.exe c:\jcb_gx\
Xunlei 5 (Thunder) --> "D:\软件包\迅雷\unins000.exe"
Chinese (Simplified) - Wanneng Input Method --> C:\Program Files\ShiQiang\wnime\Uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type2303 / Warning
Event Submitted/Written: 06/15/2008 11:37:49 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type2247 / Error
Event Submitted/Written: 06/12/2008 05:31:37 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application 24.exe, version 0.0.0.0, faulting module 24.exe, version 0.0.0.0, fault address 0x0000d31b.
Processing media-specific event for [24.exe!ws!]

Event Record #/Type2246 / Error
Event Submitted/Written: 06/12/2008 05:31:35 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application 23.exe, version 0.0.0.0, faulting module 23.exe, version 0.0.0.0, fault address 0x0000d22b.
Processing media-specific event for [23.exe!ws!]

Event Record #/Type2245 / Error
Event Submitted/Written: 06/12/2008 05:31:30 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application 22.exe, version 0.0.0.0, faulting module 22.exe, version 0.0.0.0, fault address 0x000157df.
Processing media-specific event for [22.exe!ws!]

Event Record #/Type2244 / Error
Event Submitted/Written: 06/12/2008 05:30:52 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application 21.exe, version 0.0.0.0, faulting module 21.exe, version 0.0.0.0, fault address 0x0000e6f3.
Processing media-specific event for [21.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type10731 / Error
Event Submitted/Written: 06/15/2008 11:41:48 PM
Event ID/Source: 59 / SideBySide
Event Description:
Generate Activation Context failed for C:\Program Files\Tudou\飞速Tudou\MFC80.DLL.
Reference error message: L.

Event Record #/Type10730 / Error
Event Submitted/Written: 06/15/2008 11:41:48 PM
Event ID/Source: 59 / SideBySide
Event Description:
Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC.
Reference error message: The referenced assembly is not installed on your system.
.

Event Record #/Type10729 / Error
Event Submitted/Written: 06/15/2008 11:41:48 PM
Event ID/Source: 32 / SideBySide
Event Description:
Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last Error was: The referenced assembly is not installed on your system.

Event Record #/Type10728 / Error
Event Submitted/Written: 06/15/2008 11:41:48 PM
Event ID/Source: 59 / SideBySide
Event Description:
Generate Activation Context failed for C:\Program Files\Tudou\飞速Tudou\MFC80.DLL.
Reference error message: L.

Event Record #/Type10727 / Error
Event Submitted/Written: 06/15/2008 11:41:48 PM
Event ID/Source: 59 / SideBySide
Event Description:
Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC.
Reference error message: The referenced assembly is not installed on your system.
.



-- End of Deckard's System Scanner: finished at 2008-06-16 00:29:05 ------------

#2 rookie147

rookie147

  • Members
  • 5,321 posts
  • Local time:02:14 PM

Posted 15 June 2008 - 03:12 PM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.
You have quite a heavily infected computer, it is likely that we will need to perform a few scans before you will be completely clean from malware, so please bear with me.

Download Combofix to your Desktop.
Double click combofix.exe
Follow the prompts that are displayed.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.

Post that in your next reply with a fresh HijackThis log.

If you are pleased with the service I have offered, you may like to consider making a donation.


#3 ChinaPolly

ChinaPolly
  • Topic Starter

  • Members
  • 2 posts
  • Local time:08:14 AM

Posted 16 June 2008 - 08:16 AM

Good morning Charles,

Thank you for the fast reply. I have run the ComboFix program and am including the log below, along with a new HijackThis log.

Polly


ComboFix 08-06-15.4 - Owner 2008-06-16 21:03:13.5 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.936.1.2052.18.235 [GMT 8:00]
Running from: C:\Documents and Settings\Owner.LENOVO-F0B846B3\桌面\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner.LENOVO-F0B846B3\Favorites\链接

.
(((((((((((((((((((((((((((( Files Created from 2008-05-16 to 2008-06-16 )))))))))))))))))))))))))))))))))
.

2008-06-16 20:31 . 2008-06-16 20:31 <DIR> d--hs---- C:\FOUND.004
2008-06-16 15:59 . 2008-06-16 15:59 <DIR> d--hs---- C:\FOUND.003
2008-06-16 00:22 . 2008-06-16 00:22 <DIR> d-------- C:\Deckard
2008-06-15 23:58 . 2008-06-15 23:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-15 23:45 . 2008-06-15 23:45 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-15 23:45 . 2008-06-15 23:45 <DIR> d-------- C:\Documents and Settings\Owner.LENOVO-F0B846B3\Application Data\Malwarebytes
2008-06-15 23:45 . 2008-06-15 23:45 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-06-15 23:45 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-15 23:45 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-15 21:06 . 2008-06-15 21:06 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-15 21:06 . 2008-06-15 21:06 <DIR> d-------- C:\Documents and Settings\Owner.LENOVO-F0B846B3\Application Data\SUPERAntiSpyware.com
2008-06-15 21:06 . 2008-06-15 21:06 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2008-06-15 21:05 . 2008-06-15 21:05 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-14 10:10 . 2008-06-14 10:10 <DIR> d--hs---- C:\FOUND.002
2008-06-13 20:17 . 2008-06-13 20:17 <DIR> d-------- C:\WINDOWS\FoxmailUpdate
2008-06-12 17:29 . 2008-06-12 17:29 4,077 --a------ C:\WINDOWS\system32\updatax.exe
2008-06-12 17:29 . 2008-06-12 17:29 1,216 --a------ C:\WINDOWS\system32\WIN.INI
2008-06-12 03:02 . 2008-04-14 23:51 269,824 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 03:02 . 2008-04-14 23:51 269,824 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-12 00:26 . 2008-06-12 00:27 <DIR> d-------- C:\Program Files\51
2008-06-07 17:15 . 2008-06-05 09:12 193,856 --a------ C:\WINDOWS\system32\Scrax1.dll
2008-06-04 22:47 . 2001-08-31 16:03 99,328 --a------ C:\WINDOWS\system32\srusd.dll
2008-06-04 22:47 . 2001-08-31 16:02 71,680 --a------ C:\WINDOWS\system32\fnfilter.dll
2008-06-04 22:47 . 2001-08-31 15:47 6,784 --a------ C:\WINDOWS\system32\drivers\serscan.sys
2008-05-18 21:19 . 2001-08-31 16:03 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-05-18 21:18 . 2004-08-16 16:39 158,720 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-05-18 21:18 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys

.
(((((((((((((((((((((((((((( Files Changed in the Last Three Months )))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\RMCast.sys
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:14 1,269,760 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:14 1,269,760 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-24 10:07 --------- d-----w C:\Program Files\Common Files\Thunder Network
2008-04-17 10:52 18,432 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
2008-04-10 00:31 1,606 ----a-w C:\WINDOWS\system32\PerfStringBackup.TMP
2008-03-25 04:49 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:49 621,344 ----a-w C:\WINDOWS\system32\dllcache\mswstr10.dll
2008-03-25 04:49 158,496 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-25 04:49 158,496 ----a-w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-20 08:03 1,844,864 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-20 08:03 1,844,864 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
2004-03-29 16:28 1,295,872 ----a-w C:\Program Files\Media player classic.exe
2004-08-17 04:00 21,222 --sh--w C:\WINDOWS\system32\kcomi32.exe
2004-08-08 09:30 520 --sh--w C:\WINDOWS\system32\rnmxajkl.sys
2004-08-08 09:30 15,656 --sh--w C:\WINDOWS\system32\lpmxajkl.exe
.

------- Sigcheck -------

2007-10-31 01:20 360064 ef7834c1d9ddf4c7da697d8c24a03791 C:\WINDOWS\system32\drivers\tcpip.sys
2007-10-31 01:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-31 00:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2005-05-26 03:07 359936 63fdfea54eb53de2d863ee454937ce1e C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2004-08-17 12:00 359040 c1783498edb152656303b5d5bcabd86c C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys
2005-05-26 03:04 359808 88763a98a4c26c409741b4aa162720c9 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
.
((((((((((((((((((((((((((((( snapshot@2008-06-16_14.36.37.59 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-16 06:31:48 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-16 12:55:36 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-06-16 06:23:16 2,389 ----a-w C:\WINDOWS\system32\cid_store.dat
+ 2008-06-16 07:48:24 2,276 ----a-w C:\WINDOWS\system32\cid_store.dat
.
(((((((((((((((((((((((((((((((((((((((((( Important Registry Entries )))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* empty or legitimate default entries are not shown.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{29CF293A-1E7D-4069-9E11-E39698D0AF95}]
2008-06-12 19:12 726336 --a------ C:\Program Files\Tencent\QQToolbar\IEBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{29CF293A-1E7D-4069-9E11-E39698D0AF95}"= "C:\Program Files\Tencent\QQToolbar\IEBar.dll" [2008-06-12 19:12 726336]

[HKEY_CLASSES_ROOT\clsid\{29cf293a-1e7d-4069-9e11-e39698d0af95}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-17 12:00 15360]
"Power2GoExpress"="C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" [2006-03-24 16:25 1994752]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:55 5674352]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-11 21:47 68856]
"TudouVAStart"="C:\Program Files\Tudou\飞速Tudou\TudouVa.exe" [2008-04-28 22:03 995328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-17 20:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-17 20:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-17 20:00 455168]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-07-21 00:29 7118848]
"nwiz"="nwiz.exe" [2005-07-21 00:29 1519616 C:\WINDOWS\system32\nwiz.exe]
"KTPWare"="C:\Program Files\Elantech\ktp.exe" [2005-12-08 02:48 512000]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-12 15:13 88358 C:\WINDOWS\AGRSMMSG.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-04-12 15:13 77824 C:\WINDOWS\SOUNDMAN.EXE]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-05-19 18:49 71328]
"Thunder"="D:\软件包\迅雷\Thunder.exe" [2008-01-15 15:42 40960]
"stup.exe"="C:\PROGRA~1\TENCENT\SSPlus\SPlus1.dll" [2008-06-10 17:42 177472]
"IMSCMig"="C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.exe" [2003-07-14 22:57 13368]
"AASecuUFD"="" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-17 12:00 15360]

C:\Documents and Settings\new\「开始」菜单\程序\启动\
QQ游戏启动加速程序.lnk - C:\Program Files\Tencent\QQGame\Accel.exe [2007-11-02 16:50:07 42392]

C:\Documents and Settings\Owner.LENOVO-F0B846B3\「开始」菜单\程序\启动\
腾讯QQ.lnk - C:\Program Files\Tencent\QQ\QQ.exe [2008-02-19 14:15:10 1922384]
QQ游戏启动加速程序.lnk - C:\Program Files\Tencent\QQGame\Accel.exe [2007-11-02 16:50:07 42392]
启动飞速土豆.lnk - C:\Program Files\Tudou\飞速Tudou\TudouVa.exe [2007-12-03 13:13:56 995328]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=nhmxcjkl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\软件包\\迅雷\\Program\\Thunder5.exe"=
"C:\\TDdownload\\onlineinstall.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Tencent\\QQ\\QQ.exe"=
"C:\\Program Files\\Tudou\\飞速Tudou\\TudouVa.exe"=
"C:\\Program Files\\Tencent\\QQ\\Qzone\\Qzone.exe"=
"C:\\Program Files\\Tencent\\QQ\\QQPet\\QQPetAgent.exe"=
"C:\\Program Files\\Tencent\\QQ\\QQUpdateCenter.exe"=
"C:\\Program Files\\Messenger\\MSMSGS.EXE"=
"C:\\Documents and Settings\\Owner.LENOVO-F0B846B3\\桌面\\简体中文版IPMsgCHS206\\IPMSG.exe"=
"C:\\Program Files\\Kingsoft\\Powerword 2007\\xdict.exe"=
"C:\\Program Files\\Kingsoft\\Powerword 2007\\update.exe"=
"C:\\Program Files\\Tencent\\QQ\\QzoneMusic.exe"=
"C:\\Program Files\\Tencent\\QQGame\\QQGameDl.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 自动 LiveUpdate 调度程序;自动 LiveUpdate 调度程序;"C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" [2007-10-12 11:31]
R3 Ktp;Elantech Touchpad;C:\WINDOWS\system32\DRIVERS\Ktp.sys [2005-11-29 11:33]
S2 HiddFldy;HiddFldy;C:\WINDOWS\system32\d32dx9.sys []
S3 CapFilt;CapFilt;C:\WINDOWS\system32\drivers\CapFilt.sys [2008-02-21 22:51]
S3 IIS Manager ;IIS Manager ;C:\DOCUME~1\OWNER~1.LEN\LOCALS~1\Temp\1.tmp []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ec762978-fac7-11dc-b897-00166f56b575}]
\Shell\AutoRun\command - G:\USBNB.exe

.
Contents of the Scheduled Tasks folder
"2008-06-13 12:20:04 C:\WINDOWS\Tasks\Norton AntiVirus - 扫描我的电脑.job"
- C:\PROGRA~1\NORTON~1\Navw32.exep/task:
"2008-06-16 13:03:02 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
"2008-04-24 01:23:36 C:\WINDOWS\Tasks\Norton AntiVirus - 扫描我的电脑 - Owner.job"
- C:\PROGRA~1\NORTON~1\Navw32.exep/task:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-16 21:05:14
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden programs ...

scanning hidden processes ...

scanning hidden files ...

scan completed
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\IIS Manager ]
"ImagePath"="\??\C:\DOCUME~1\OWNER~1.LEN\LOCALS~1\Temp\1.tmp"
.
Completion time: 2008-06-16 21:05:42
ComboFix-quarantined-files.txt 2008-06-16 13:05:38

17 directories, 2,895,593,472 bytes free
28 directories, 2,920,693,760 bytes free

177 --- E O F --- 2008-06-15 17:44:13


________________________________________________________________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:12:54, on 2008-6-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Elantech\ktp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - D:\软件包\迅雷\ComDlls\TDAtOnce_Now.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: QQToolbar - {29CF293A-1E7D-4069-9E11-E39698D0AF95} - C:\Program Files\Tencent\QQToolbar\IEBar.dll
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - D:\软件包\迅雷\ComDlls\xunleiBHO_Now.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\zh-cn\msntb.dll
O3 - Toolbar: QQToolbar - {29CF293A-1E7D-4069-9E11-E39698D0AF95} - C:\Program Files\Tencent\QQToolbar\IEBar.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KTPWare] C:\Program Files\Elantech\ktp.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Thunder] "D:\软件包\迅雷\Thunder.exe" /s
O4 - HKLM\..\Run: [stup.exe] Rundll32.exe C:\PROGRA~1\TENCENT\SSPlus\SPlus1.dll,Rundll32 R
O4 - HKLM\..\Run: [IMSCMig] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [TudouVAStart] C:\Program Files\Tudou\飞速Tudou\TudouVa.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: 腾讯QQ.lnk = C:\Program Files\Tencent\QQ\QQ.exe
O4 - Startup: QQ游戏启动加速程序.lnk = C:\Program Files\Tencent\QQGame\Accel.exe
O4 - Startup: 启动飞速土豆.lnk = ?
O8 - Extra context menu item: Download with Xunlei - D:\软件包\迅雷\Program\geturl.htm
O8 - Extra context menu item: Download all links with Xunlei - D:\软件包\迅雷\Program\getallurl.htm
O8 - Extra context menu item: Add this RSS channel/channel group in Foxmail - res://C:\WINDOWS\system32\fmrsslink.dll/201
O8 - Extra context menu item: Export to Microsoft Office Excel(&X) - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Add to QQ emoticons - C:\Program Files\Tencent\QQ\AddEmotion.htm
O9 - Extra button: Launch Xunlei 5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - D:\软件包\迅雷\Thunder.exe
O9 - Extra 'Tools' menuitem: Launch Xunlei 5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - D:\软件包\迅雷\Thunder.exe
O9 - Extra button: Lenovo - {6096E38F-5AC1-4391-8EC4-75DFA92FB32F} - http://www.lenovo.com (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://lfy-polly.spaces.live.com/PhotoUpload/MsnPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F1479D8F-F1E5-4392-99AE-FB8CAB8BE3AC}: NameServer = 202.96.134.133,202.96.128.86
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: nhmxcjkl.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: USBest Service Zero (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE (file missing)
O23 - Service: 自动 LiveUpdate 调度程序 - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

--
End of file - 8434 bytes
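
The ComboFix and HijackThis output above contains the indicators a responder pulls out first: the `AppInit_DLLs` entry (nhmxcjkl.dll, loaded into every process that links user32), the `HiddFldy` service whose image C:\WINDOWS\system32\d32dx9.sys ComboFix could not stat (the trailing `[]`), the `IIS Manager ` service whose image is a 1.tmp file under a Temp folder, the Security Center notification and firewall values switched off, the hidden+system files kcomi32.exe, rnmxajkl.sys and lpmxajkl.exe dropped into system32, the differing tcpip.sys hashes between system32 and dllcache, and the AutoRun handler G:\USBNB.exe in MountPoints2. The Python script below is an added example for this thread, not part of the original post and not ComboFix's own code: it parses a constructed excerpt modelled on that log and flags exactly those classes of indicator. The `Finding` type, the regular expressions and the sample text are this example's own assumptions, and the sample renames the Symantec scheduler service to a plain `LiveUpdate` for readability.

```python
"""Triage a ComboFix-style log for persistence and defence-evasion indicators.

Added example for this thread, not ComboFix's own code.  The parsing rules
and the sample text below are assumptions modelled on the log posted above.
"""
from __future__ import annotations

import re
import sys
from collections import defaultdict
from dataclasses import dataclass

# Constructed excerpt: mirrors the lines of interest in the ComboFix output above.
SAMPLE_LOG = r"""
2008-06-12 17:29 . 2008-06-12 17:29 4,077 --a------ C:\WINDOWS\system32\updatax.exe
2008-03-20 08:03 1,844,864 ----a-w C:\WINDOWS\system32\win32k.sys
2004-08-17 04:00 21,222 --sh--w C:\WINDOWS\system32\kcomi32.exe
2004-08-08 09:30 520 --sh--w C:\WINDOWS\system32\rnmxajkl.sys
------- Sigcheck -------
2007-10-31 01:20 360064 ef7834c1d9ddf4c7da697d8c24a03791 C:\WINDOWS\system32\drivers\tcpip.sys
2007-10-31 01:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\system32\dllcache\tcpip.sys
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=nhmxcjkl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R2 LiveUpdate;LiveUpdate;"C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" [2007-10-12 11:31]
S2 HiddFldy;HiddFldy;C:\WINDOWS\system32\d32dx9.sys []
S3 IIS Manager ;IIS Manager ;C:\DOCUME~1\OWNER~1.LEN\LOCALS~1\Temp\1.tmp []
\Shell\AutoRun\command - G:\USBNB.exe
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\IIS Manager ]
"ImagePath"="\??\C:\DOCUME~1\OWNER~1.LEN\LOCALS~1\Temp\1.tmp"
"""


@dataclass(frozen=True)
class Finding:
    kind: str     # indicator class
    subject: str  # service, file, value name or command concerned
    detail: str   # what was seen


# "<start> <name>;<display>;<image> [<stamp>]"; an empty [] means the image file could not be read.
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*\[(.*?)\]\s*$")
# "<date> <time> [. <date> <time>] <size> <attrs> <path>", attrs such as --sh--w or --a------.
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?:\s+\.\s+\d{4}-\d{2}-\d{2} \d{2}:\d{2})?"
    r"\s+[\d,]+\s+([-a-z]{5,9})\s+(.+?)\s*$"
)
# Sigcheck: "<date> <time> <size> <md5> <path>".
SIGCHECK_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\d+\s+([0-9a-f]{32})\s+(.+?)\s*$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*?)\s*$')
AUTORUN_RE = re.compile(r"\\Shell\\AutoRun\\command\s*-\s*(.+?)\s*$")

# Security Center / firewall values that mean "protection off" when 1 or 0 respectively.
OFF_WHEN_ONE = {"AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify", "DisableMonitoring"}
OFF_WHEN_ZERO = {"EnableFirewall"}


def in_temp(path: str) -> bool:
    """True for images living under a Temp directory or named *.tmp."""
    p = path.strip('"').lower()
    return "\\temp\\" in p or p.endswith(".tmp")


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    hashes: dict[str, dict[str, str]] = defaultdict(dict)  # basename -> {location: md5}
    current_key = ""

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := KEY_RE.match(line):
            current_key = m.group(1)
            continue
        if m := SERVICE_RE.match(line):
            _start, name, _display, image, stamp = m.groups()
            name, image = name.strip(), image.strip().strip('"')
            if not stamp.strip():  # ComboFix found no file behind the service
                findings.append(Finding("service_image_missing", name, image))
            if in_temp(image):
                findings.append(Finding("service_in_temp", name, image))
            continue
        if m := SIGCHECK_RE.match(line):
            md5, path = m.groups()
            low = path.lower()
            base = low.rsplit("\\", 1)[-1]
            if "\\dllcache\\" in low:
                hashes[base]["dllcache"] = md5
            elif "\\system32\\" in low:
                hashes[base]["live"] = md5
            continue
        if m := FILE_RE.match(line):
            attrs, path = m.groups()
            if "s" in attrs and "h" in attrs:  # hidden + system on a loose file
                findings.append(Finding("hidden_system_file", path, attrs))
            continue
        if m := VALUE_RE.match(line):
            name, value = m.groups()
            if name == "AppInit_DLLs" and value.strip('"'):
                findings.append(Finding("appinit_dll", value.strip('"'), current_key))
            elif name in OFF_WHEN_ONE and re.search(r"dword:0*1$", value):
                findings.append(Finding("protection_disabled", name, value))
            elif name in OFF_WHEN_ZERO and re.match(r"0\b", value):
                findings.append(Finding("protection_disabled", name, value))
            elif name == "ImagePath" and in_temp(value):
                svc = current_key.rsplit("\\", 1)[-1].strip()
                findings.append(Finding("service_in_temp", svc, value.strip('"').removeprefix("\\??\\")))
            continue
        if m := AUTORUN_RE.search(line):
            findings.append(Finding("autorun_command", m.group(1), "MountPoints2 AutoRun handler"))

    for base, by_loc in hashes.items():
        if "live" in by_loc and "dllcache" in by_loc and by_loc["live"] != by_loc["dllcache"]:
            findings.append(Finding("sigcheck_mismatch", base,
                                    f"system32 {by_loc['live']} vs dllcache {by_loc['dllcache']}"))
    return list(dict.fromkeys(findings))  # drop duplicates, keep first-seen order


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in triage(text):
        print(f"{f.kind:22} {f.subject:40} {f.detail}")
```

Run it with a saved ComboFix log as the first argument, or with no argument to triage the embedded sample. Two caveats apply to its output. A sigcheck mismatch is a lead, not a verdict: system32 and dllcache can legitimately hold different builds of a hotfixed file, so compare against a known-good copy before concluding that tcpip.sys was tampered with. And an empty `[]` on a service line only says the file was not there when ComboFix looked; here it is consistent with the first post, where Norton keeps deleting d32dx9.sys while the HiddFldy service that references it stays registered, so the alert will recur until the service entry itself is removed.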

#4 rookie147

rookie147

  • Members
  • 5,321 posts
  • Local time:02:14 PM

Posted 16 June 2008 - 03:45 PM

Before we begin, please visit the page below, scroll down to the part which says "How to install and use the Windows XP Recovery Console," and follow those instructions:

How to download and use ComboFix

Then please run another scan with Combofix and post back the new log, along with a HijackThis log
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.




