
Computer freezes at startup


  • This topic is locked
24 replies to this topic

#1 raynleila

raynleila

  • Members
  • 47 posts
  • OFFLINE
  • Local time:05:17 PM

Posted 24 January 2009 - 10:06 PM

Hi, I have posted a topic in Am I infected? What do I do? and was advised by the moderator (garmanma) to post here with a HJT log. The topic can be viewed at http://www.bleepingcomputer.com/forums/t/197193/computer-is-very-slow-when-connected-to-internet/.

My comp is currently running Windows XP Professional. The problem with my comp is that when I start up in normal mode connected to the internet, the comp becomes so slow that it hangs. The startup bar has no response and I am not able to open any applications. My comp works fine when it is not connected to the internet.

I have done an Ad-Aware scan, an avast! Antivirus free version scan and a CCleaner scan. When I ran avast, a virus was detected and I chose to move it to the chest. I have also cleared all my temporary internet files, cookies etc. I have also run MBAM and Dr.Web CureIt.

Currently I'm using the comp in safe mode with networking.

My HJT log is below (first time using HJT, hope I did it correctly; I ran it in safe mode with networking).


DDS (Ver_09-01-19.01) - NTFSx86 NETWORK
Run by Administrator at 10:45:54.61 on 01/25/2009 Sun
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.936.86.1033.18.383.171 [GMT 8:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Thunder Network\WebThunder\WebThunder.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr
C:\WINDOWS\system32\conime.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = local
BHO: WebThunder Browser Helper: {00000aaa-a363-466e-bef5-9bb68697aa7f} - c:\program files\thunder network\webthunder\WebThunderBHO_Now.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [Free Download Manager] c:\program files\free download manager\fdm.exe -autorun
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [PPS Accelerator] c:\program files\ppstream\ppsap.exe
mRun: [TrackPointSrv] tp4mon.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [TPHOTKEY] c:\progra~1\lenovo\pkgmgr\hotkey\TPHKMGR.exe
mRun: [TP4EX] tp4ex.exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [LTWinModem1] ltmsg.exe 9
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_05\bin\jusched.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [WebThunder] c:\program files\thunder network\webthunder\WebThunder.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [TaskSwitchXP] c:\program files\taskswitchxp\TaskSwitchXP.exe
dRun: [Free Download Manager] c:\program files\free download manager\fdm.exe -autorun
dRunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll"
dRunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\pps.lnk - c:\program files\ppstream\PPStream.exe
uPolicies-explorer: NoInstrumentation = 1 (0x1)
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoInstrumentation = 1 (0x1)
dPolicies-explorer: NoSMHelp = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office11\EXCEL.EXE/3000
IE: UseFlashGet - c:\program files\flashget network\flashget\GetUrl.htm
IE: UseFlashGetDownloadAllLink - c:\program files\flashget network\flashget\GetAllUrl.htm
IE: 1?WEB?????? - c:\program files\thunder network\webthunder\GetUrl.htm
IE: 1?WEB???????2?′? - c:\program files\thunder network\webthunder\GetAllUrl.htm
IE: {962EFB8E-2683-42d4-AC74-AAA4C759B9C6} - http://my.xunlei.com
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_05\bin\npjpi150_05.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office11\REFIEBAR.DLL
DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} - hxxp://www.acclaim.com/cabs/acclaim_v5.cab
DPF: {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A} - hxxp://dl.uc.sina.com/cab/downloader.cab
DPF: {8686F2A6-DC01-4E8F-BDE3-DCC7DBBAD6AE} - hxxp://photo.163.com/163Uploader.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: ACNotify - ACNotify.dll
Notify: tpfnf2 - notifyf2.dll
Notify: tphotkey - tphklock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli ACGina

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\9z3yj8sz.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnI=I%27m+Feeling+Lucky&ie=UTF-8&oe=UTF-8&q=
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - component: c:\program files\mozilla firefox\components\CheckTudouVa.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJPI150_05.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPOJI610.dll

============= SERVICES / DRIVERS ===============

R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
S0 stxlbou;stxlbou;c:\windows\system32\drivers\bnbyd.sys --> c:\windows\system32\drivers\bnbyd.sys [?]
S1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2008-8-23 11520]
S1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-31 111184]
S1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.sys [2008-8-23 4224]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-12-31 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-12-31 352920]
S4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-12-31 20560]
S4 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-12-31 155160]
S4 Maxtor Sync Service;Maxtor Service;c:\program files\maxtor\sync\SyncServices.exe [2007-9-28 156976]

============== File Associations ===============

inffile=c:\windows\system32\NOTEPAD2.EXE %1
inifile=c:\windows\system32\NOTEPAD2.EXE %1
txtfile=c:\windows\system32\NOTEPAD2.EXE %1

=============== Created Last 30 ================

2009-01-24 20:19 22,016 a------- c:\windows\system32\drivers\MSIRCOMM.sys
2009-01-24 09:37 --d----- c:\documents and settings\administrator\DoctorWeb
2009-01-23 17:21 244 a---h--- C:\sqmnoopt00.sqm
2009-01-23 17:21 232 a---h--- C:\sqmdata00.sqm
2009-01-22 22:15 --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-01-22 22:15 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-22 22:15 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-22 22:15 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-22 22:15 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-22 19:57 --d----- c:\windows\pss
2009-01-22 19:01 3,739 a------- c:\windows\imsins.BAK
2009-01-12 23:01 --d----- c:\program files\mxzy
2009-01-06 22:19 --d----- c:\program files\common files\Symantec Shared

==================== Find3M ====================

2009-01-25 10:42 16,201 a------- c:\windows\system32\cid_store.dat

============= FINISH: 10:46:31.82 ===============
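The DDS report above is plain text with a small number of line shapes, which is what lets a helper skim it for entries that deserve a question (a boot-start driver whose file is missing, an orphaned BHO, a RunOnce that hands a command line to cmd.exe). The script below is an added example, not part of this thread or of the DDS tool: it parses the "Pseudo HJT Report" and "SERVICES / DRIVERS" line formats and applies a few defender-side triage rules. The sample lines are copied from the log posted above (plus two known-good lines for contrast); the severity tiers and the interpreter and user-writable-location lists are the example's own assumptions, not a DDS feature.

```python
import re

# Constructed sample: lines copied from the DDS "Pseudo HJT Report" and
# "SERVICES / DRIVERS" sections posted above, plus two routine entries
# (aswSP driver, avast! autorun) so the rules have something to leave alone.
SAMPLE_LOG = r"""
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
dRunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll"
dRunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C
S0 stxlbou;stxlbou;c:\windows\system32\drivers\bnbyd.sys --> c:\windows\system32\drivers\bnbyd.sys [?]
S1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-31 111184]
"""

# Line shapes used by DDS: "S0 name;description;path [date size]" for services/drivers,
# "uRun/mRun/dRun[Once]: [name] command" for autoruns, "BHO/TB/...: desc - path" for IE objects.
DRIVER_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)(?:\s+\[(.*?)\])?$")
RUN_RE = re.compile(r"^([umd]Run(?:Once)?):\s+\[([^\]]*)\]\s*(.*)$")
OBJ_RE = re.compile(r"^(BHO|TB|SSODL|Handler):\s*(.*)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

# Assumed heuristics (not a DDS feature): hosts that execute whatever they are handed,
# and locations a limited user can write to, where drivers and autoruns rarely belong.
INTERPRETERS = ("cmd.exe", "rundll32", "wscript", "cscript", "mshta", "regsvr32")
USER_WRITABLE = ("docume~1", "documents and settings", "application data", "\\temp\\", "%temp%")
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def _finding(severity, kind, name, reason, line):
    return {"severity": severity, "kind": kind, "name": name, "reason": reason, "line": line}


def triage_line(line):
    """Apply the rules to one DDS line; return a finding dict, or None if it looks routine."""
    line = line.strip()
    if not line:
        return None

    m = DRIVER_RE.match(line)
    if m:
        _start, name, _desc, path, info = m.groups()
        # DDS prints "path --> path [?]" when the registered driver file is absent.
        if info == "?" or "-->" in path:
            return _finding("high", "driver", name,
                            "service is registered but its driver file was not found on disk", line)
        if any(tok in path.lower() for tok in USER_WRITABLE):
            return _finding("medium", "driver", name,
                            "driver loaded from a user-writable location", line)
        return None

    m = RUN_RE.match(line)
    if m:
        hive, name, cmd = m.groups()
        exe = cmd.lstrip('"').lower()
        if exe.startswith(INTERPRETERS):
            return _finding("medium", hive, name,
                            "autorun hands a command line to a script/command host", line)
        if any(tok in exe for tok in USER_WRITABLE):
            return _finding("medium", hive, name,
                            "autorun target lives in a user-writable location", line)
        return None

    m = OBJ_RE.match(line)
    if m:
        kind, rest = m.groups()
        guid = GUID_RE.search(rest)
        name = guid.group(0) if guid else rest
        if rest.endswith("No File"):
            return _finding("low", kind, name,
                            "orphaned entry: registry points at a file that no longer exists", line)
        if any(tok in rest.lower() for tok in USER_WRITABLE):
            return _finding("medium", kind, name,
                            "browser extension loaded from a user-writable location", line)
    return None


def triage(log_text):
    """Run triage_line over a whole report; highest severity first, log order within a tier."""
    findings = [f for f in (triage_line(l) for l in log_text.splitlines()) if f]
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f["severity"]])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['kind']:9} {f['name']:<40} {f['reason']}")
```

Run on the sample, the script ranks the stxlbou/bnbyd.sys entry first (a boot-start driver with no file on disk, which is exactly the kind of line a helper queries), then the two default-profile RunOnce entries that go through cmd.exe and RunDll32, and lists the two "No File" orphans last; the avast! entries produce nothing. The rules are deliberately narrow: a hit is a prompt to ask about the entry, not a verdict that it is malicious.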


#2 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:04:17 AM

Posted 31 January 2009 - 11:00 AM

Hello raynleila :thumbup2: Welcome to the BC HijackThis Log and Analysis forum. I apologize for the delay however we are all volunteers and it gets very busy around here. I will be assisting you from here on out.


I ask that you refrain from running tools other than those we suggest to you while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.


In the upper right hand corner of the topic you will see a button called Options. If you click on it, in the drop-down menu you can choose Track this topic. By doing this, then choosing Immediate E-Mail notification and clicking on Proceed, you will be advised when we respond to your topic, which facilitates the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.







Please perform the following:



Do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK.
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete it will display whether your system has been infected.
  • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.





Thanks,



thewall
If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#3 raynleila

raynleila
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  • Local time:05:17 PM

Posted 01 February 2009 - 01:16 AM

Hi, thanks for replying. I've tried scanning with Kaspersky WebScanner but was unable to proceed. When I clicked on Kaspersky Online Scanner, there was a blank pop-up and then the whole Explorer closed by itself. I tried a few times and it's still the same.

#4 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:04:17 AM

Posted 01 February 2009 - 10:39 AM

Did you disable your Avast antivirus and try it?


AVAST
Right click on the avast! icon in the system tray and choose (Stop On-Access Protection)


I also need to know if you installed WebThunder on your machine and if so about how long ago? The entry and Info on it is below. Based on what I have I am going to go ahead and give you a heads-up because it may take a day or so to put together a fix and get one of the coaches to approve it.

I am trying to find out more about this particular entry, but I want you to read the information located toward the bottom of the page in the provided link. Right now, from what I see, I would treat the security of the computer as compromised. I would not use it for any banking or personal business transactions and would go to a clean computer and change any passwords I had used on this one. The link says this infection can log your keystrokes, and although there are sometimes files that are similar to legitimate ones, until we can learn more I would not take any chances.

mRun: [WebThunder] c:\program files\thunder network\webthunder\WebThunder.exe


WebThunder.exe

#5 raynleila

raynleila
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  • Local time:05:17 PM

Posted 01 February 2009 - 12:46 PM

Hi, as I am unable to connect to the internet in normal mode (the computer hangs when I'm connected to the internet), I tried to access the Kaspersky Online Scanner using safe mode with networking. I am able to see the avast! icon in normal mode but not in safe mode, so I'm not sure how to disable the Avast antivirus in safe mode.

I have WebThunder installed but not sure how long it has been. I will try to remove it now.

#6 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:04:17 AM

Posted 01 February 2009 - 02:41 PM

Can you go into normal mode and disable Avast, then switch back to Safe Mode and try it? If you can't, don't worry a lot about it right now; I am working up a fix for you, but as I stated earlier it may take a day or so to get it checked and get back to you.

#7 raynleila

raynleila
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  • Local time:05:17 PM

Posted 02 February 2009 - 02:40 AM

I tried to disable avast but still cannot. I will just wait for your fix then. :thumbup2:

Edited by raynleila, 02 February 2009 - 03:01 AM.


#8 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:04:17 AM

Posted 03 February 2009 - 06:08 PM

Here's what we need to do:



I have four programs listed below for uninstalling. I know the PPStream is bad and the one below it seems to be tied in with it. The next two I have listed because they appear to be bad. Unless you know they are good and want to keep them I would suggest including them when uninstalling.


Click "start" on the taskbar and then click on the "Control Panel" icon.
Please double-click the "Add or Remove Programs" icon.
A list of installed programs will be "populated"; this may take a bit of time.
If they exist, uninstall the following by clicking on each entry and selecting "remove":

PPStream

PPS

WEB??

жؿֺ


Additional instructions can be found here if needed




Although ComboFix can be run in Safe Mode with networking it is not the preferable way to do it. While using Safe Mode with Networking the computer is unprotected and especially vulnerable to becoming more infected. If you have the use of another computer please either use a Flash Drive or a CD to download the following and transfer them for use on the infected machine.

Instructions for using a Flash Drive are Here if needed.


Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System. There will be one for your XP Professional on the page.



Download the file & save it as it's originally named.


---------------------------------------------------------------------

Transfer all files you just downloaded, to the desktop of the infected computer.

--------------------------------------------------------------------


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instructions can be found HERE.

  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.




  • At the next prompt, click 'Yes' to run the full ComboFix scan.

  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt in your next reply.



Along with the ComboFix log please provide me with another run of DDS like you did the first time.

#9 raynleila

raynleila
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  • Local time:05:17 PM

Posted 04 February 2009 - 03:50 AM

Hi, I did the ComboFix and DDS in normal mode but not connected to the internet, because when connected to the internet my desktop will not load. When I ran ComboFix, there is a part where it asks to download the Microsoft Recovery Console, but I was unable to download it because I was not connected to the internet. Is there a need for me to run ComboFix again in safe mode with networking?

Another problem is that my ComboFix is in Chinese; I don't have the CD so I can't change it back to English. If there is any part that you need translated, please tell me.

The combofix result:

ComboFix 09-02-02.04 - Administrator 2009-02-04 16:16:36.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.936.86.1033.18.383.134 [GMT 8:00]
执行位置: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* 成功创造新还原点

注意 - 这台电脑没有安装恢复控制台 !!
.

((((((((((((((((((((((((((((((((((((((( 被删除的档案 )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\BITS
c:\documents and settings\Administrator\Application Data\BITS\BITS.ini
c:\documents and settings\Administrator\Application Data\BITS\DHTTable.dat
c:\documents and settings\Administrator\Application Data\BITS\ProxyList.ini
c:\documents and settings\All Users\Application Data\FlashGetBHO
c:\documents and settings\All Users\Application Data\FlashGetBHO\FlashGetBHO.dll
c:\documents and settings\All Users\Application Data\FlashGetBHO\FlvDetector.exe
c:\documents and settings\All Users\Application Data\FlashGetBHO\FlvDetector.ini
c:\documents and settings\All Users\Application Data\FlashGetBHO\LiveQuery.exe
c:\documents and settings\All Users\Application Data\FlashGetBHO\LiveQuery.ini
c:\documents and settings\All Users\Application Data\FlashGetBHO\LiveSupport.exe
c:\documents and settings\All Users\Application Data\FlashGetBHO\zlib.dll
c:\program files\FlashGet Network
c:\program files\FlashGet Network\Flashget\?粀?
c:\program files\FlashGet Network\Flashget\Bhocfg.ini
c:\program files\FlashGet Network\Flashget\caption.ini
c:\program files\FlashGet Network\Flashget\dbtrans_verbose.log
c:\program files\FlashGet Network\Flashget\fgoption.ini
c:\program files\FlashGet Network\Flashget\Flvdetector.htm
c:\program files\FlashGet Network\Flashget\FlvDetector.ini
c:\program files\FlashGet Network\Flashget\InmediaInfo.ini
c:\program files\FlashGet Network\Flashget\JCCHS.INI
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\0.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\1.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\10.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\11.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\12.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\13.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\14.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\15.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\16.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\17.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\18.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\19.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\2.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\20.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\21.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\3.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\4.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\5.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\6.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\7.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\8.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\9.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\nologin.bmp
c:\program files\FlashGet Network\Flashget\P2PCfg.ini
c:\program files\FlashGet Network\Flashget\p2spmgr.ini
c:\program files\FlashGet Network\Flashget\P4PClientInfo.ini
c:\program files\FlashGet Network\Flashget\p4spmgr.ini
c:\program files\FlashGet Network\Flashget\Profiles\config.dat
c:\program files\FlashGet Network\Flashget\Profiles\tasks.dat
c:\program files\FlashGet Network\Flashget\StatInfo.ini
c:\program files\FlashGet Network\Flashget\transaction.log
c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
c:\windows\system32\admshare.dat

.
((((((((((((((((((((((((((((((((((((((( 驱动/服务 )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SYSDRV32
-------\Legacy_WINHOST32SVR
-------\Legacy_WINSPOOLSVC


((((((((((((((((((((((((( 2009-01-04 至 2009-02-04 的新的档案 )))))))))))))))))))))))))))))))
.

2009-02-04 15:59 . 2009-02-04 15:59 <DIR> d-------- c:\program files\KWMUSIC
2009-02-02 21:39 . 2009-02-02 21:39 244 --ah----- C:\sqmnoopt03.sqm
2009-02-02 21:39 . 2009-02-02 21:39 232 --ah----- C:\sqmdata03.sqm
2009-01-28 22:31 . 2009-01-28 22:31 0 --a------ c:\windows\ViDown.INI
2009-01-27 19:17 . 2009-01-27 19:17 244 --ah----- C:\sqmnoopt02.sqm
2009-01-27 19:17 . 2009-01-27 19:17 232 --ah----- C:\sqmdata02.sqm
2009-01-26 17:49 . 2009-01-26 17:49 244 --ah----- C:\sqmnoopt01.sqm
2009-01-26 17:49 . 2009-01-26 17:49 232 --ah----- C:\sqmdata01.sqm
2009-01-24 20:19 . 2004-08-03 23:00 22,016 --a------ c:\windows\system32\drivers\MSIRCOMM.sys
2009-01-24 09:37 . 2009-01-24 10:00 <DIR> d-------- c:\documents and settings\Administrator\DoctorWeb
2009-01-23 17:21 . 2009-01-23 17:21 244 --ah----- C:\sqmnoopt00.sqm
2009-01-23 17:21 . 2009-01-23 17:21 232 --ah----- C:\sqmdata00.sqm
2009-01-22 22:15 . 2009-01-22 22:15 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-22 22:15 . 2009-01-22 22:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-22 22:15 . 2009-01-22 22:15 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-01-22 22:15 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-22 22:15 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-22 19:01 . 2009-01-22 19:02 3,739 --a------ c:\windows\imsins.BAK
2009-01-12 23:01 . 2009-01-21 22:37 <DIR> d-------- c:\program files\mxzy
2009-01-06 22:19 . 2009-01-23 01:16 <DIR> d-------- c:\program files\Common Files\Symantec Shared

.
(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-04 07:57 --------- d-----w c:\program files\PPStream
2009-02-04 07:57 --------- d-----w c:\documents and settings\Administrator\Application Data\PPStream
2009-01-24 07:03 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-01-22 16:47 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-31 11:28 --------- d-----w c:\program files\Alwil Software
2008-12-05 12:57 --------- d-----w c:\program files\NJStar Communicator
2008-12-05 12:57 --------- d-----w c:\documents and settings\Administrator\Application Data\NJStar
2008-07-04 02:33 24,576 ----a-w c:\program files\mozilla firefox\components\CheckTudouVa.dll
2008-07-01 09:40 36,864 ----a-w c:\program files\mozilla firefox\components\NsThunderLoader.dll
.

((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-01-16 294912]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-10-13 185896]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-10-02 94208]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-09 868352]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2008-07-05 425984]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2008-07-05 143360]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2008-06-05 242976]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-09-06 169264]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-27 81000]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"TrackPointSrv"="tp4mon.exe" [2004-08-04 c:\windows\system32\tp4mon.exe]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 c:\windows\system32\Ati2mdxx.exe]
"TP4EX"="tp4ex.exe" [2005-10-17 c:\windows\system32\TP4EX.exe]
"LTWinModem1"="ltmsg.exe" [2001-04-03 c:\windows\system32\ltmsg.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="move" [X]
"nlhr"="c:\windows\System32\AdvPack.Dll" [2004-08-04 99840]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2008-07-05 00:57 32768 c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-05 23:45 28672 c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-11-30 20:16 24576 c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ACGina

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2008-08-23 11520]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-31 111184]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.sys [2008-08-23 4224]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-12-31 20560]
S0 stxlbou;stxlbou;c:\windows\system32\drivers\bnbyd.sys --> c:\windows\system32\drivers\bnbyd.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - .\Encryption Tool\MaxtorEncryption.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{efca6df0-7a58-11dd-983c-00d059cd9070}]
\Shell\AutoRun\command - .\Encryption Tool\MaxtorEncryption.exe
.
Contents of the 'Scheduled Tasks' folder

2008-10-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-21 c:\windows\Tasks\Norton Security Scan for Administrator.job
- c:\program files\Norton Security Scan\Nss.exe []
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Free Download Manager - c:\program files\Free Download Manager\fdm.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre1.5.0_05\bin\jusched.exe
HKU-Default-Run-TaskSwitchXP - c:\program files\TaskSwitchXP\TaskSwitchXP.exe
HKU-Default-Run-Free Download Manager - c:\program files\Free Download Manager\fdm.exe


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
DPF: {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A} - hxxp://dl.uc.sina.com/cab/downloader.cab
DPF: {8686F2A6-DC01-4E8F-BDE3-DCC7DBBAD6AE} - hxxp://photo.163.com/163Uploader.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9z3yj8sz.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnI=I%27m+Feeling+Lucky&ie=UTF-8&oe=UTF-8&q=
FF - component: c:\program files\Mozilla Firefox\components\CheckTudouVa.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJPI150_05.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPOJI610.dll
.
.
------- File Associations -------
.
inffile=c:\windows\system32\NOTEPAD2.EXE %1
inifile=c:\windows\system32\NOTEPAD2.EXE %1
txtfile=c:\windows\system32\NOTEPAD2.EXE %1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-04 16:26:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\Administrator\Software\KMPlayer\KMP2.0\EqulizerList\*`鏴髼PN]
"0"=dword:0000000f
"1"=dword:0000000f
"2"=dword:0000000a
"3"=dword:fffffffb
"4"=dword:fffffff1
"5"=dword:ffffffe7
"6"=dword:fffffff1
"7"=dword:fffffffb
"8"=dword:0000000a
"9"=dword:0000001e

[HKEY_USERS\Administrator\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\ff譥?a *lx豽Hr]
"Order"=hex:08,00,00,00,02,00,00,00,80,01,00,00,01,00,00,00,03,00,00,00,7e,00,
00,00,00,00,00,00,70,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,5e,00,36,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ff譥?a *lx豽Hr]
"SlowInfoCache"=hex:28,02,00,00,00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,00,00,00,
00,00,00,00,00,ff,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
"Changed"=dword:00000000
.
--------------------- DLLs loaded under running processes ---------------------

- - - - - - - > 'winlogon.exe'(724)
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\tphklock.dll

- - - - - - - > 'lsass.exe'(784)
c:\program files\ThinkPad\ConnectUtilities\ACGina.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACON.dll
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll
c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll
c:\program files\ThinkPad\ConnectUtilities\AcSmBiosHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll
.
------------------------ Other running processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\conime.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Maxtor\Sync\SyncServices.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\system32\TpKmpSvc.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
.
**************************************************************************
.
Completion time: 2009-02-04 16:30:59 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2009-02-04 08:30:55

Pre-Run: 21,240,532,992 bytes free
Post-Run: 22,056,382,464 bytes free

277 --- E O F --- 2009-01-21 14:19:20




The DDS report:

DDS (Ver_09-01-19.01) - NTFSx86
Run by Administrator at 16:34:49.00 on 02/04/2009 Wed
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.936.86.1033.18.383.149 [GMT 8:00]


============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\WINDOWS\system32\tp4mon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\WINDOWS\system32\ltmsg.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [TrackPointSrv] tp4mon.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [TPHOTKEY] c:\progra~1\lenovo\pkgmgr\hotkey\TPHKMGR.exe
mRun: [TP4EX] tp4ex.exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [LTWinModem1] ltmsg.exe 9
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll"
dRunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
uPolicies-explorer: NoInstrumentation = 1 (0x1)
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoInstrumentation = 1 (0x1)
dPolicies-explorer: NoSMHelp = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office11\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_05\bin\npjpi150_05.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office11\REFIEBAR.DLL
DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} - hxxp://www.acclaim.com/cabs/acclaim_v5.cab
DPF: {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A} - hxxp://dl.uc.sina.com/cab/downloader.cab
DPF: {8686F2A6-DC01-4E8F-BDE3-DCC7DBBAD6AE} - hxxp://photo.163.com/163Uploader.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: ACNotify - ACNotify.dll
Notify: tpfnf2 - notifyf2.dll
Notify: tphotkey - tphklock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli ACGina

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\9z3yj8sz.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnI=I%27m+Feeling+Lucky&ie=UTF-8&oe=UTF-8&q=
FF - component: c:\program files\mozilla firefox\components\CheckTudouVa.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJPI150_05.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPOJI610.dll

============= SERVICES / DRIVERS ===============

R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2008-8-23 11520]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-31 111184]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.sys [2008-8-23 4224]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-12-31 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-12-31 352920]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-12-31 20560]
R4 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-12-31 155160]
R4 Maxtor Sync Service;Maxtor Service;c:\program files\maxtor\sync\SyncServices.exe [2007-9-28 156976]
S0 stxlbou;stxlbou;c:\windows\system32\drivers\bnbyd.sys --> c:\windows\system32\drivers\bnbyd.sys [?]

============== File Associations ===============

inffile=c:\windows\system32\NOTEPAD2.EXE %1
inifile=c:\windows\system32\NOTEPAD2.EXE %1
txtfile=c:\windows\system32\NOTEPAD2.EXE %1

=============== Created Last 30 ================

2009-02-04 16:15 161,792 a------- c:\windows\SWREG.exe
2009-02-04 16:15 98,816 a------- c:\windows\sed.exe
2009-02-04 15:59 <DIR> --d----- c:\program files\KWMUSIC
2009-02-02 21:39 244 a---h--- C:\sqmnoopt03.sqm
2009-02-02 21:39 232 a---h--- C:\sqmdata03.sqm
2009-01-28 22:31 0 a------- c:\windows\ViDown.INI
2009-01-27 19:17 244 a---h--- C:\sqmnoopt02.sqm
2009-01-27 19:17 232 a---h--- C:\sqmdata02.sqm
2009-01-26 17:49 244 a---h--- C:\sqmnoopt01.sqm
2009-01-26 17:49 232 a---h--- C:\sqmdata01.sqm
2009-01-24 20:19 22,016 a------- c:\windows\system32\drivers\MSIRCOMM.sys
2009-01-24 09:37 <DIR> --d----- c:\documents and settings\administrator\DoctorWeb
2009-01-23 17:21 244 a---h--- C:\sqmnoopt00.sqm
2009-01-23 17:21 232 a---h--- C:\sqmdata00.sqm
2009-01-22 22:15 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-01-22 22:15 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-22 22:15 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-22 22:15 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-22 22:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-22 19:57 <DIR> --d----- c:\windows\pss
2009-01-22 19:01 3,739 a------- c:\windows\imsins.BAK
2009-01-12 23:01 <DIR> --d----- c:\program files\mxzy
2009-01-06 22:19 <DIR> --d----- c:\program files\common files\Symantec Shared

==================== Find3M ====================

2009-01-28 22:24 16,589 a------- c:\windows\system32\cid_store.dat

============= FINISH: 16:35:10.50 ===============
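The entries the helper singles out in the next posts (a driver whose file is gone from disk, RunOnce values that launch through cmd.exe and RunDll32.exe, a scheduled task whose target has no file metadata, BHO/toolbar CLSIDs with "No File") all have a recognisable shape in DDS and ComboFix output. The script below is an added example written for this page, not a tool from the thread or from the DDS/ComboFix authors; it runs over lines copied from the logs above and flags those shapes. The rule names, severities and the list of commonly abused Windows binaries are this example's own choices, and a flag is a prompt to look, not a verdict: the two RunOnce entries that reference nlite.inf and the unqualified-path TrackPoint entry are flagged for their form only.

```python
import re
from dataclasses import dataclass

# Sample lines copied from the DDS / ComboFix output posted above.
SAMPLE_LOG = r"""
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
mRun: [TrackPointSrv] tp4mon.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
dRunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll"
dRunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-31 111184]
S0 stxlbou;stxlbou;c:\windows\system32\drivers\bnbyd.sys --> c:\windows\system32\drivers\bnbyd.sys [?]
2009-01-21 c:\windows\Tasks\Norton Security Scan for Administrator.job
- c:\program files\Norton Security Scan\Nss.exe []
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "info" (this example's own scale)
    rule: str
    line: str


# "R1 name;display;path [date size]" or "... [?]" when DDS could not stat the file
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)(?:\s+\[(?P<meta>[^\]]*)\])?$")
# uRun / mRun / dRun / dRunOnce: [ValueName] command line
RUN_RE = re.compile(r"^(?P<hive>[umd])Run(?:Once)?:\s+\[(?P<name>[^\]]*)\]\s+(?P<cmd>.+)$")
NO_FILE_RE = re.compile(r"^(?:BHO|TB):.*-\s+No File$")
# Scheduled-task target line from the ComboFix tasks section: "- path [date time]" or "- path []"
TASK_TARGET_RE = re.compile(r"^-\s+(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]$")

# Signed Windows binaries routinely used to run something else from an autorun value
LOLBINS = ("cmd.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe",
           "wscript.exe", "cscript.exe", "powershell.exe")


def _first_token(cmd: str) -> str:
    """Return the program part of a command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def _is_qualified(path: str) -> bool:
    """True for a drive-letter, %VAR%-rooted or UNC path; a bare name is resolved via the search path."""
    return bool(re.match(r"^(?:[a-zA-Z]:\\|%[^%]+%\\|\\\\)", path))


def triage(lines):
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = SERVICE_RE.match(line)
        if m:
            # DDS prints "path --> path [?]" when the service points at a file it cannot find
            if m.group("meta") == "?" or " --> " in m.group("path"):
                findings.append(Finding("high", "service-binary-missing", line))
            continue
        m = RUN_RE.match(line)
        if m:
            prog = _first_token(m.group("cmd"))
            base = prog.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if base in LOLBINS:
                findings.append(Finding("medium", "autorun-via-lolbin", line))
            elif not _is_qualified(prog):
                findings.append(Finding("info", "autorun-unqualified-path", line))
            continue
        if NO_FILE_RE.match(line):
            findings.append(Finding("info", "orphaned-com-object", line))
            continue
        m = TASK_TARGET_RE.match(line)
        if m and m.group("meta") == "":
            # ComboFix prints "[]" when it has no date/size for the task target
            findings.append(Finding("medium", "task-target-missing", line))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 1, 'medium': 3, 'info': 3}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f.severity:6} {f.rule:26} {f.line}")
```

On the sample above the only "high" hit is the S0 (boot-start) driver stxlbou, whose bnbyd.sys is absent from disk; the helper's CFScript later removes exactly that driver and the Norton task target. The unqualified-path rule exists because a Run value such as `tp4mon.exe` is resolved through the search path rather than a fixed location, which is worth a look in any autorun review even when, as here, it belongs to a vendor utility.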

#10 thewall (Malware Response Team)

Posted 04 February 2009 - 09:07 PM

Bear with me I am having to do some checking concerning a few of the entries showing up in the ComboFix text. I will get back as quickly as possible.

Edited by thewall, 05 February 2009 - 08:42 AM.

If I have helped you then please consider donating so I can continue the fight against malware. All donations go directly to the helper.

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#11 raynleila (Topic Starter)

Posted 05 February 2009 - 02:53 AM

Sure, no problem. Thanks for your help.

#12 thewall (Malware Response Team)

Posted 06 February 2009 - 04:35 PM

Let's see if we can make some headway.


Here's what we need to do next:


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs including TeaTimer if you have it so they do not interfere with the running of ComboFix. Instructions for doing so are located here

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\Tasks\Norton Security Scan for Administrator.job
c:\program files\Norton Security Scan\Nss.exe
c:\windows\system32\drivers\bnbyd.sys
Folder::
c:\program files\PPStream
c:\documents and settings\Administrator\Application Data\PPStream
c:\program files\Common Files\Symantec Shared
Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"=-
"nlhr"=-
"tscuninstall"=-
Driver::
stxlbou
Firefox::
FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\9z3yj8sz.default\
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnI=I%27m+Feeling+Lucky&ie=UTF-8&oe=UTF-8&q=




Save this as CFScript.txt, in the same location as ComboFix.exe


[image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.





There are a few files I would like to have looked at.


Go to http://virusscan.jotti.org
Copy the following line into the white textbox:
c:\program files\mozilla firefox\components\CheckTudouVa.dll
Click Submit.
Please post the results of this scan to this thread.

Do the same for c:\program files\mozilla firefox\components\NsThunderLoader.dll
And c:\windows\system32\cid_store.dat



Alternate site if Jotti's doesn't work or is too busy

Go to http://www.virustotal.com/en/indexf.html
Copy the following line into the white textbox:
c:\program files\mozilla firefox\components\CheckTudouVa.dll
Click Send.
Do the same for c:\program files\mozilla firefox\components\NsThunderLoader.dll
And c:\windows\system32\cid_store.dat


Please post the results of this scan to this thread.





Do you know what the following folder I highlighted is? The research I did was not conclusive and I wanted to check with you.

c:\program files\mxzy






Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 12.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u12-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.





Your Avast is showing up as being disabled. See if you can reenable it by right clicking on the icon which should be on your tray and starting on-access protection.





When completed please post the following:
  • ComboFix.txt log
  • Jotti results
  • Any info on the mxzy folder you may have
  • Results of trying to reenable anti-virus

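Before uploading the three files the helper asks about, it is worth recording their size and hashes: both Jotti and VirusTotal can be searched by hash, so a file that is already known returns a verdict without the file leaving the machine, and the manifest documents exactly what was submitted. The script below is an added example for this page, not part of the helper's instructions or of either scanning service; it streams each file once, reports a path that is missing or unreadable instead of aborting (a file listed in the log but absent now is itself worth reporting back), and the path list is copied from the post above.

```python
import hashlib
import io
import os

# The three paths the helper asked to have scanned, copied from the post above.
SUSPECT_FILES = [
    r"c:\program files\mozilla firefox\components\CheckTudouVa.dll",
    r"c:\program files\mozilla firefox\components\NsThunderLoader.dll",
    r"c:\windows\system32\cid_store.dat",
]


def _digest(stream, chunk=1 << 20):
    """Read a binary stream once and return (size, md5, sha1, sha256) as hex strings."""
    size = 0
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    for block in iter(lambda: stream.read(chunk), b""):
        size += len(block)
        for h in (md5, sha1, sha256):
            h.update(block)
    return size, md5.hexdigest(), sha1.hexdigest(), sha256.hexdigest()


def hash_bytes(data: bytes):
    """Hash an in-memory blob; handy for testing and for files pulled out of quarantine."""
    return _digest(io.BytesIO(data))


def hash_file(path: str):
    with open(path, "rb") as fh:
        return _digest(fh)


def manifest(paths):
    """One row per path: status 'ok' with hashes, 'missing', or 'unreadable' (locked / access denied)."""
    rows = []
    for p in paths:
        if not os.path.isfile(p):
            rows.append({"path": p, "status": "missing"})
            continue
        try:
            size, md5, sha1, sha256 = hash_file(p)
        except OSError as exc:
            rows.append({"path": p, "status": "unreadable", "error": exc.strerror or str(exc)})
            continue
        rows.append({"path": p, "status": "ok", "size": size,
                     "md5": md5, "sha1": sha1, "sha256": sha256})
    return rows


if __name__ == "__main__":
    for row in manifest(SUSPECT_FILES):
        print(row)
```

Look the SHA-256 up first; only upload when the hash is unknown. A file that reports "unreadable" while the system is running is also informative, since an on-disk file that an administrator cannot open is usually held by a driver or service, which is the kind of thing the ComboFix "locked registry keys" and hidden-file sections are there to surface.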

#13 raynleila (Topic Starter)

Posted 07 February 2009 - 03:33 AM

Here's the combofix log
ComboFix 09-02-02.04 - Administrator 2009-02-07 15:57:27.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.936.86.1033.18.383.124 [GMT 8:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\program files\Norton Security Scan\Nss.exe
c:\windows\system32\drivers\bnbyd.sys
c:\windows\Tasks\Norton Security Scan for Administrator.job
.

(((((((((((((((((((((((((((((((((((((((   Deleted Files   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\PPStream
c:\documents and settings\Administrator\Application Data\PPStream\lrc\Akon - Right Now(Na Na Na).lrc
c:\documents and settings\Administrator\Application Data\PPStream\lrc\Amorphis - Day Of Your Beliefs.lrc
c:\documents and settings\Administrator\Application Data\PPStream\lrc\Britney Spears - Piece Of Me.lrc
c:\documents and settings\Administrator\Application Data\PPStream\lrc\Britney Spears - Womanizer.lrc
c:\documents and settings\Administrator\Application Data\PPStream\lrc\Christina Aguilera - Beautiful.lrc
c:\documents and settings\Administrator\Application Data\PPStream\lrc\Christina Aguilera - Lady Marmalade.lrc
c:\documents and settings\Administrator\Application Data\PPStream\lrc\Coldplay - Death And All His Friends.lrc
c:\documents and settings\Administrator\Application Data\PPStream\lrc\Coldplay - Lovers In Japan_Reign Of Love.lrc
c:\documents and settings\Administrator\Application Data\PPStream\lrc\Craig David - Let Her Go.lrc
c:\documents and settings\Administrator\Application Data\PPStream\lrc\David Usher - Kill The Lights.lrc
c:\documents and settings\Administrator\Application Data\PPStream\lrc\Family Force 5 - Share It With Me.lrc
c:\documents and settings\Administrator\Application Data\PPStream\lrc\Gareth Gates - Anyone Of Us (Stupid Mistake).lrc
c:\documents and settings\Administrator\Application Data\PPStream\lrc\Gnarls Barkley - Crazy.lrc
c:\documents and settings\Administrator\Application Data\PPStream\lrc\HIM - In Joy And Sorrow.lrc
c:\documents and settings\Administrator\Application Data\PPStream\lrc\Jack Johnson - Sitting, Waiting, Wishing.lrc
c:\documents and settings\Administrator\Application Data\PPStream\lrc\Jay Sean - Stolen.lrc
c:\documents and settings\Administrator\Application Data\PPStream\lrc\Keane - Try Again.lrc
c:\documents and settings\Administrator\Application Data\PPStream\lrc\Keane - You Haven't Told Me Anything.lrc
c:\documents and settings\Administrator\Application Data\PPStream\lrc\Lostprophets - Rooftops (A Liberation Broadcast).lrc
c:\documents and settings\Administrator\Application Data\PPStream\lrc\Morningwood - New York Girls.lrc
c:\documents and settings\Administrator\Application Data\PPStream\lrc\Oasis - I'm Outta Time.lrc
c:\documents and settings\Administrator\Application Data\PPStream\lrc\Taylor Swift - Love Story.lrc
c:\documents and settings\Administrator\Application Data\PPStream\lrc\the strokes - You Only Live Once.lrc
c:\documents and settings\Administrator\Application Data\PPStream\lrc\Theory of a Deadman - All Or Nothing.lrc
c:\documents and settings\Administrator\Application Data\PPStream\lrc\Timbaland - Apologise (Feat. One Republic).lrc
c:\program files\Common Files\Symantec Shared
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081217.021\CATALOG.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081217.021\CCERASER.DLL
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081217.021\ECMSVR32.DLL
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081217.021\EECTRL.SYS
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081217.021\ERASER.GRD
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081217.021\ERASER.SIG
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081217.021\ERASER.SPM
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081217.021\ERASER.SYS
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081217.021\ESRDEF.BIN
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081217.021\HH
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081217.021\hub.scr
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081217.021\NAVENG.SYS
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081217.021\NAVENG32.DLL
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081217.021\NAVEX15.SYS
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081217.021\NAVEX32A.DLL
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081217.021\NCSACERT.TXT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081217.021\SCRAUTH.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081217.021\SYMAVENG.CAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081217.021\SYMAVENG.INF
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081217.021\SYMERASE.CAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081217.021\SYMERASE.INF
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081217.021\TCDEFS.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081217.021\TCSCAN7.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081217.021\TCSCAN8.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081217.021\TCSCAN9.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081217.021\TECHNOTE.TXT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081217.021\TINF.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081217.021\TINFIDX.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081217.021\TINFL.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081217.021\TSCAN1.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081217.021\TSCAN1HD.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081217.021\V.GRD
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081217.021\V.SIG
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081217.021\VIRSCAN.INF
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081217.021\VIRSCAN1.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081217.021\VIRSCAN2.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081217.021\VIRSCAN3.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081217.021\VIRSCAN4.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081217.021\VIRSCAN5.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081217.021\VIRSCAN6.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081217.021\VIRSCAN7.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081217.021\VIRSCAN8.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081217.021\VIRSCAN9.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081217.021\VIRSCANT.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081217.021\WHATSNEW.TXT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20081217.021\ZDONE.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090106.004\CATALOG.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090106.004\CCERASER.DLL
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090106.004\ECMSVR32.DLL
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090106.004\EECTRL.SYS
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090106.004\ERASER.GRD
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090106.004\ERASER.SIG
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090106.004\ERASER.SPM
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090106.004\ERASER.SYS
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090106.004\ESRDEF.BIN
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090106.004\HH
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090106.004\hub.scr
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090106.004\NAVENG.SYS
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090106.004\NAVENG32.DLL
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090106.004\NAVEX15.SYS
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090106.004\NAVEX32A.DLL
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090106.004\NCSACERT.TXT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090106.004\SCRAUTH.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090106.004\SYMAVENG.CAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090106.004\SYMAVENG.INF
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090106.004\SYMERASE.CAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090106.004\SYMERASE.INF
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090106.004\TCDEFS.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090106.004\TCSCAN7.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090106.004\TCSCAN8.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090106.004\TCSCAN9.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090106.004\TECHNOTE.TXT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090106.004\TINF.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090106.004\TINFIDX.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090106.004\TINFL.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090106.004\TSCAN1.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090106.004\TSCAN1HD.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090106.004\V.GRD
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090106.004\V.SIG
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090106.004\VIRSCAN.INF
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090106.004\VIRSCAN1.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090106.004\VIRSCAN2.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090106.004\VIRSCAN3.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090106.004\VIRSCAN4.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090106.004\VIRSCAN5.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090106.004\VIRSCAN6.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090106.004\VIRSCAN7.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090106.004\VIRSCAN8.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090106.004\VIRSCAN9.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090106.004\VIRSCANT.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090106.004\WHATSNEW.TXT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090106.004\ZDONE.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\catalog.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\cceraser.dll
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\ecmsvr32.dll
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\eeCtrl.sys
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\ERASER.grd
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\ERASER.sig
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\ERASER.spm
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\ERASER.sys
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\esrdef.bin
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\hh
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\naveng.sys
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\naveng32.dll
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\navex15.sys
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\navex32a.dll
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\ncsacert.txt
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\scrauth.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\symaveng.cat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\symaveng.inf
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\SymErase.cat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\SymErase.inf
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\tcdefs.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\tcscan7.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\tcscan8.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\tcscan9.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\technote.txt
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\tinf.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\tinfidx.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\tinfl.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\tscan1.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\tscan1hd.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\v.grd
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\v.sig
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\virscan.inf
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\virscan1.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\virscan2.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\virscan3.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\virscan4.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\virscan5.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\virscan6.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\virscan7.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\virscan8.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\virscan9.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\whatsnew.txt
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\zdone.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\definfo.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\usage.dat
c:\program files\PPStream
c:\program files\PPStream\codec\Codec Analyzer.xml
c:\program files\PPStream\codec\ffdshowwmv.reg
c:\program files\PPStream\codec\WMA2.xml
c:\program files\PPStream\codec\WMADMOD.dll
c:\program files\PPStream\codec\WMADMOD.dll.old
c:\program files\PPStream\codec\wmv.zip
c:\program files\PPStream\codec\WMV3.xml
c:\program files\PPStream\codec\WMVDECOD.dll
c:\program files\PPStream\codec\WMVDECOD.dll.old
c:\program files\PPStream\update\ppstreamsetup_update1211v2.exe
c:\windows\Tasks\Norton Security Scan for Administrator.job

.
((((((((((((((((((((((((((((((((((((((( 驱动/服务 )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_stxlbou


((((((((((((((((((((((((( 2009-01-07 至 2009-02-07 的新的档案 )))))))))))))))))))))))))))))))
.

2009-02-04 15:59 . 2009-02-04 15:59 <DIR> d-------- c:\program files\KWMUSIC
2009-02-02 21:39 . 2009-02-02 21:39 244 --ah----- C:\sqmnoopt03.sqm
2009-02-02 21:39 . 2009-02-02 21:39 232 --ah----- C:\sqmdata03.sqm
2009-01-28 22:31 . 2009-01-28 22:31 0 --a------ c:\windows\ViDown.INI
2009-01-27 19:17 . 2009-01-27 19:17 244 --ah----- C:\sqmnoopt02.sqm
2009-01-27 19:17 . 2009-01-27 19:17 232 --ah----- C:\sqmdata02.sqm
2009-01-26 17:49 . 2009-01-26 17:49 244 --ah----- C:\sqmnoopt01.sqm
2009-01-26 17:49 . 2009-01-26 17:49 232 --ah----- C:\sqmdata01.sqm
2009-01-24 20:19 . 2004-08-03 23:00 22,016 --a------ c:\windows\system32\drivers\MSIRCOMM.sys
2009-01-24 09:37 . 2009-01-24 10:00 <DIR> d-------- c:\documents and settings\Administrator\DoctorWeb
2009-01-23 17:21 . 2009-01-23 17:21 244 --ah----- C:\sqmnoopt00.sqm
2009-01-23 17:21 . 2009-01-23 17:21 232 --ah----- C:\sqmdata00.sqm
2009-01-22 22:15 . 2009-01-22 22:15 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-22 22:15 . 2009-01-22 22:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-22 22:15 . 2009-01-22 22:15 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-01-22 22:15 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-22 22:15 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-22 19:01 . 2009-01-22 19:02 3,739 --a------ c:\windows\imsins.BAK
2009-01-12 23:01 . 2009-01-21 22:37 <DIR> d-------- c:\program files\mxzy

.
(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-24 07:03 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-01-22 16:47 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-31 11:28 --------- d-----w c:\program files\Alwil Software
2008-07-04 02:33 24,576 ----a-w c:\program files\mozilla firefox\components\CheckTudouVa.dll
2008-07-01 09:40 36,864 ----a-w c:\program files\mozilla firefox\components\NsThunderLoader.dll
.

((((((((((((((((((((((((((((( snapshot@2009-02-04_16.29.42.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-07 08:03:52 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_668.dat
.
((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-01-16 294912]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-10-13 185896]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-10-02 94208]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-09 868352]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2008-07-05 425984]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2008-07-05 143360]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2008-06-05 242976]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-09-06 169264]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-27 81000]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"TrackPointSrv"="tp4mon.exe" [2004-08-04 c:\windows\system32\tp4mon.exe]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 c:\windows\system32\Ati2mdxx.exe]
"TP4EX"="tp4ex.exe" [2005-10-17 c:\windows\system32\TP4EX.exe]
"LTWinModem1"="ltmsg.exe" [2001-04-03 c:\windows\system32\ltmsg.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2008-07-05 00:57 32768 c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-05 23:45 28672 c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-11-30 20:16 24576 c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ACGina

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2008-08-23 11520]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-31 111184]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.sys [2008-08-23 4224]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-12-31 20560]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - .\Encryption Tool\MaxtorEncryption.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{efca6df0-7a58-11dd-983c-00d059cd9070}]
\Shell\AutoRun\command - .\Encryption Tool\MaxtorEncryption.exe
.
计划任务 文件夹 里的内容

2008-10-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- 而外的扫描 -------
.
uInternet Settings,ProxyOverride = local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
DPF: {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A} - hxxp://dl.uc.sina.com/cab/downloader.cab
DPF: {8686F2A6-DC01-4E8F-BDE3-DCC7DBBAD6AE} - hxxp://photo.163.com/163Uploader.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9z3yj8sz.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\Mozilla Firefox\components\CheckTudouVa.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJPI150_05.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-07 16:05:39
Windows 5.1.2600 Service Pack 2 NTFS

扫描被隐藏的进程 。。。

扫描被隐藏的启动组 。。。

扫描被隐藏的文件 。。。

扫描完成
被隐藏的档案: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\Administrator\Software\KMPlayer\KMP2.0\EqulizerList\*`鏴髼PN]
"0"=dword:0000000f
"1"=dword:0000000f
"2"=dword:0000000a
"3"=dword:fffffffb
"4"=dword:fffffff1
"5"=dword:ffffffe7
"6"=dword:fffffff1
"7"=dword:fffffffb
"8"=dword:0000000a
"9"=dword:0000001e

[HKEY_USERS\Administrator\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\ff譥?a *lx豽Hr]
"Order"=hex:08,00,00,00,02,00,00,00,80,01,00,00,01,00,00,00,03,00,00,00,7e,00,
00,00,00,00,00,00,70,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,5e,00,36,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ff譥?a *lx豽Hr]
"SlowInfoCache"=hex:28,02,00,00,00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,00,00,00,
00,00,00,00,00,ff,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
"Changed"=dword:00000000
.
--------------------- 运行进程下的动态链接库 ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\tphklock.dll

- - - - - - - > 'lsass.exe'(780)
c:\program files\ThinkPad\ConnectUtilities\ACGina.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACON.dll
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll
c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll
c:\program files\ThinkPad\ConnectUtilities\AcSmBiosHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll
.
------------------------ 其他运行进程 ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\conime.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Maxtor\Sync\SyncServices.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\system32\TpKmpSvc.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
.
**************************************************************************
.
完成时间: 2009-02-07 16:10:41 - 电脑已重新启动
ComboFix-quarantined-files.txt 2009-02-07 08:10:37
ComboFix2.txt 2009-02-04 08:31:02

Pre-Run: 21,443,084,288 bytes free
Post-Run: 21,591,564,288 bytes free

381 --- E O F --- 2009-01-21 14:19:20

#14 raynleila

  • Topic Starter
  • Members
  • 47 posts
  • Local time:05:17 PM

Posted 07 February 2009 - 03:43 AM

The jotti report for c:\program files\mozilla firefox\components\CheckTudouVa.dll


Scan taken on 07 Feb 2009 08:29:34 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
G DATA Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing



The jotti report for c:\program files\mozilla firefox\components\NsThunderLoader.dll

Scan taken on 07 Feb 2009 08:35:19 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
G DATA Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing



The jotti report for c:\windows\system32\cid_store.dat

Scan taken on 07 Feb 2009 08:37:46 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
G DATA Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing



About the folder c:\program files\mxzy, it's the folder of a game that I used to install on my computer. There is 1 item in the folder now named STARSA01.SSS.


I disabled my avast for the combofix and was able to reenable it.

#15 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:04:17 AM

Posted 07 February 2009 - 01:39 PM

Two things I need:

Could you run me another DDS log

How is your computer running? Are you able to connect to the Internet in Normal Mode yet?

If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you



