Search Engine always pops up btcar.com


  • This topic is locked
13 replies to this topic

#1 sungohan

sungohan

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:02 PM

Posted 07 February 2009 - 07:11 PM

I got this problem several days ago.
After I searched for something (using Google, Yahoo, or Live Search),
when I clicked any of the links in the search results, it always went to btcar.com or another garbage website.

IE and Firefox both have this problem.


Here is the log file (DDS.txt):


DDS (Ver_09-02-01.01) - NTFSx86
Run by Administrator at 19:00:49.59 on 02/07/2009 Sat
Internet Explorer: 8.0.6001.18372 BrowserJavaVersion: 1.6.0_11

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\ibmpmsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\System32\svchost.exe -k TabletInputServiceGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k WlansvcGroup
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\spoolsv.exe
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
C:\Windows\system32\svchost.exe -k apphost
C:\Program Files\DU Meter\DUMeterSvc.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Windows\system32\inetsrv\inetinfo.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\NMSAccessU.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\explorer.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Windows\system32\svchost.exe -k iissvcs
C:\Program Files\NetDrive\wdService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\WINDOWS\TEMP\GH29EC.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Trend Micro\OfficeScan Client\PccNTMon.exe
C:\Program Files\Google\Google Pinyin\googlepinyindaemon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\GridService\peer.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Actual Window Manager\ActualWindowManagerCenter.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmproxy.exe
C:\Windows\System32\msdtc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\System32\svchost.exe -k tapisrv
C:\Program Files\STerm2.549绿色版\sterm.exe
C:\Program Files\FileZilla FTP Client\filezilla.exe
C:\Windows\system32\conime.exe
C:\Program Files\ICCup\Launcher\launcher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Users\Administrator\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uDefault_Page_URL = res://iesetup.dll/SoftAdmin.htm
uInternet Settings,ProxyServer = ftp=128.6.29.44:3128;http=128.6.29.44:3128;https=128.6.29.44:3128;socks=128.6.29.44:1080
uInternet Settings,ProxyOverride = 192.168.0.*;<local>
BHO: WebThunder Browser Helper: {00000aaa-a363-466e-bef5-9bb68697aa7f} - c:\program files\thunder network\webthunder\WebThunderBHO_Now.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: Click-to-Call BHO: {5c255c8a-e604-49b4-9d64-90988571cecb} - c:\program files\windows live\messenger\wlchtc.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
BHO: Lincmediaplayer: {fbaa6932-b59b-4854-8041-27a233394ba3} - c:\program files\linksador\lincmediaplayer\adxloader.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: N/A: {b6bb2c0a-8d74-4664-a1cd-103bd9a69de9} - c:\program files\linksador\lincmediaplayer\adxloader.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [DU Meter] c:\program files\du meter\DUMeter.exe
uRun: [Google Update] "c:\users\administrator\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Actual Window Manager] "c:\program files\actual window manager\ActualWindowManagerCenter.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [Google IME Autoupdater] "c:\program files\google\google pinyin\GooglePinyinDaemon.exe"
mRun: [<NO NAME>]
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Grid Service] "c:\program files\gridservice\peer.exe" -n Grid
StartupFolder: c:\users\admini~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\mozill~1.lnk - c:\program files\mozilla thunderbird\thunderbird.exe
mPolicies-explorer: ShowSuperHidden = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &使用快车(FlashGet)下载 - c:\program files\flashget\jc_link.htm
IE: &使用快车(FlashGet)下载全部链接 - c:\program files\flashget\jc_all.htm
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: 使用WEB迅雷下载 - c:\program files\thunder network\webthunder\GetUrl.htm
IE: 使用WEB迅雷下载全部链接 - c:\program files\thunder network\webthunder\GetAllUrl.htm
IE: 添加到QQ表情 - c:\program files\tencent\qq\AddEmotion.htm
IE: {962EFB8E-2683-42d4-AC74-AAA4C759B9C6} - http://my.xunlei.com
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
Trusted Zone: qq.com\cache.tv
Trusted Zone: qq.com\qqlivecaption
Trusted Zone: qq.com\qqlivehabit
Trusted Zone: qq.com\qqlivesearch
Trusted Zone: qq.com\video_1
DPF: {18226BF8-DC0B-4D81-80E9-A41AE37BB73A} - hxxp://www.pplive.com/zh-cn/other/live/install.cab
DPF: {1DABF8D5-8430-4985-9B7F-A30E53D709B3} - hxxp://cache.tv.qq.com/qqlive_ocx/QQLiveInstaller.cab
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9CA74596-B5BB-4634-971C-F0224115A15F} - hxxp://nba.tom.com/video/tcastV1.cab
DPF: {C728DAB8-FDF5-4CD7-89DD-879D25794C77} - hxxp://t.live.cctv.com/ieocx/CCTVUpdateInstall.dll
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
LSA: Notification Packages = scecli RASSFM

================= FIREFOX ===================

FF - ProfilePath - c:\users\admini~1\appdata\roaming\mozilla\firefox\profiles\sx1sxs08.default\
FF - component: c:\program files\mozilla firefox\components\iamfamous.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npWebLaunch.dll
FF - plugin: c:\program files\thrixxx\weblaunch\binaries\npWebLaunch.dll
FF - plugin: c:\program files\tom online inc\tom live player\nptcast40.dll
FF - plugin: c:\users\administrator\appdata\local\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\users\administrator\appdata\roaming\mozilla\firefox\profiles\sx1sxs08.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\users\administrator\appdata\roaming\mozilla\firefox\profiles\sx1sxs08.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\users\administrator\appdata\roaming\mozilla\firefox\profiles\sx1sxs08.default\extensions\tcastv1@tom.com\plugins\nptcast40.dll

============= SERVICES / DRIVERS ===============

R0 storflt;Disk VMBUS Acceleration Filter Driver;c:\windows\system32\drivers\storflt.sys [2008-10-24 33280]
R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\system32\drivers\tmlwf.sys [2008-10-25 143376]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2008-11-7 96016]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2008-11-7 41744]
R2 DUMeterSvc;DU Meter Service;c:\program files\du meter\DUMeterSvc.exe [2008-10-24 1382672]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\tmxpflt.sys [2008-10-24 205328]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2008-10-24 36368]
R2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\system32\drivers\tmwfp.sys [2008-10-25 235536]
R2 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2008-10-24 53325]
R2 WebDriveFSD;WebDrive File System Driver;c:\program files\netdrive\rffsd.sys [2008-11-3 67032]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-6-26 3662848]
R3 TmPfw;OfficeScan NT Firewall;c:\program files\trend micro\officescan client\TmPfw.exe [2008-10-24 488768]
R3 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2008-10-24 652552]
S0 sacdrv;sacdrv;c:\windows\system32\drivers\sacdrv.sys [2008-1-19 88632]
S3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y6032.sys [2008-6-13 225920]
S3 FCRegSvc;Microsoft Fibre Channel Platform Registration Service;c:\windows\system32\svchost.exe -k LocalServiceNetworkRestricted [2008-1-19 21504]
S3 RSoPProv;Resultant Set of Policy Provider;c:\windows\system32\rsopprov.exe [2008-1-19 78336]
S3 sacsvr;Special Administration Console Helper;c:\windows\system32\svchost.exe -k netsvcs [2008-1-19 21504]
S4 b06bdrv;Broadcom NetXtreme II VBD;c:\windows\system32\drivers\bxvbdx.sys [2008-1-19 396288]
S4 ioatdma;Intel® QuickData Technology Device;c:\windows\system32\drivers\qd26032.sys [2008-1-19 31232]
S4 s3cap;Microsoft Emulated S3 Device Cap Driver;c:\windows\system32\drivers\s3cap.sys [2008-10-24 5632]
S4 storvsc;storvsc;c:\windows\system32\drivers\storvsc.sys [2008-1-19 37320]
S4 vmbus;VMBus;c:\windows\system32\drivers\vmbus.sys [2008-1-19 185032]

============== File Associations ===============

txtfile=c:\windows\notepad.exe %1

=============== Created Last 30 ================

2009-02-06 14:53 <DIR> --d----- c:\program files\Windows清理助手
2009-01-31 22:11 <DIR> --d----- c:\program files\FILE RECOVERY for Windows
2009-01-30 06:56 <DIR> --d----- c:\program files\VS竞技游戏平台
2009-01-28 13:51 105,016 a------- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-01-28 13:51 97,800 a------- c:\windows\system32\infocardapi.dll
2009-01-28 13:51 622,080 a------- c:\windows\system32\icardagt.exe
2009-01-28 13:51 43,544 a------- c:\windows\system32\PresentationHostProxy.dll
2009-01-28 13:51 37,384 a------- c:\windows\system32\infocardcpl.cpl
2009-01-28 13:51 11,264 a------- c:\windows\system32\icardres.dll
2009-01-28 13:51 781,344 a------- c:\windows\system32\PresentationNative_v0300.dll
2009-01-28 13:51 326,160 a------- c:\windows\system32\PresentationHost.exe
2009-01-28 13:49 96,760 a------- c:\windows\system32\dfshim.dll
2009-01-28 13:49 282,112 a------- c:\windows\system32\mscoree.dll
2009-01-28 13:49 41,984 a------- c:\windows\system32\netfxperf.dll
2009-01-28 13:49 158,720 a------- c:\windows\system32\mscorier.dll
2009-01-28 13:49 83,968 a------- c:\windows\system32\mscories.dll
2009-01-28 09:15 <DIR> --d----- c:\users\admini~1\appdata\roaming\ReliaSoft
2009-01-28 09:14 <DIR> --d----- c:\program files\ReliaSoft
2009-01-28 09:14 <DIR> --d----- c:\program files\common files\ReliaSoft
2009-01-21 22:19 57 a------- c:\windows\system32\peer.ini
2009-01-21 22:17 <DIR> --d----- c:\program files\PPLive
2009-01-21 22:17 <DIR> --d----- c:\program files\common files\Synacast
2009-01-21 22:11 19 a------- c:\windows\powerlist.ini
2009-01-19 03:23 110 a------- c:\windows\system32\cid_store.dat
2009-01-19 03:23 20 a------- c:\windows\system32\pub_store.dat
2009-01-19 03:23 <DIR> --d----- c:\programdata\vucache
2009-01-19 03:23 <DIR> --d----- c:\progra~2\vucache
2009-01-19 03:23 <DIR> --d----- c:\programdata\Thunder Network
2009-01-19 03:23 <DIR> --d----- c:\program files\common files\Thunder Network
2009-01-19 03:23 <DIR> --d----- c:\progra~2\Thunder Network
2009-01-19 03:23 <DIR> --d----- c:\program files\Thunder Network
2009-01-17 22:18 <DIR> --d----- c:\users\admini~1\appdata\roaming\TaxCut
2009-01-17 22:16 <DIR> --d----- c:\program files\TaxCut08
2009-01-17 22:16 <DIR> --d----- c:\program files\PDF995
2009-01-17 22:13 <DIR> --d----- c:\programdata\TaxCut
2009-01-17 22:13 <DIR> --d----- c:\progra~2\TaxCut
2009-01-17 20:47 <DIR> --d----- C:\Download
2009-01-17 20:47 <DIR> --d----- c:\programdata\Grid
2009-01-17 20:47 <DIR> --d----- c:\program files\GridService
2009-01-17 20:47 <DIR> --d----- c:\progra~2\Grid
2009-01-17 20:47 <DIR> --d----- c:\program files\RaySource
2009-01-14 11:08 288,768 a------- c:\windows\system32\drivers\srv.sys
2009-01-11 04:12 <DIR> --d----- c:\program files\GRETECH
2009-01-09 20:23 <DIR> --d----- c:\program files\TOM Online Inc

==================== Find3M ====================

2009-01-15 05:05 911,872 a------- c:\windows\system32\wininet.dll
2009-01-15 05:05 43,008 a------- c:\windows\system32\licmgr10.dll
2009-01-15 05:04 18,944 a------- c:\windows\system32\corpol.dll
2009-01-15 05:04 109,056 a------- c:\windows\system32\iesysprep.dll
2009-01-15 05:04 132,096 a------- c:\windows\system32\ieUnatt.exe
2009-01-15 05:04 109,568 a------- c:\windows\system32\PDMSetup.exe
2009-01-15 05:04 107,520 a------- c:\windows\system32\RegisterIEPKEYs.exe
2009-01-15 05:04 107,008 a------- c:\windows\system32\SetIEInstalledDate.exe
2009-01-15 05:04 103,936 a------- c:\windows\system32\SetDepNx.exe
2009-01-15 05:03 420,352 a------- c:\windows\system32\vbscript.dll
2009-01-15 05:03 72,704 a------- c:\windows\system32\admparse.dll
2009-01-15 05:03 71,680 a------- c:\windows\system32\iesetup.dll
2009-01-15 05:03 66,560 a------- c:\windows\system32\wextract.exe
2009-01-15 05:02 169,472 a------- c:\windows\system32\iexpress.exe
2009-01-15 05:01 34,304 a------- c:\windows\system32\imgutil.dll
2009-01-15 05:00 48,128 a------- c:\windows\system32\mshtmler.dll
2009-01-15 05:00 45,568 a------- c:\windows\system32\mshta.exe
2009-01-15 04:50 156,160 a------- c:\windows\system32\msls31.dll
2008-12-31 03:39 86,016 a------- c:\windows\inf\infstrng.dat
2008-12-31 03:39 86,016 a------- c:\windows\inf\infstor.dat
2008-12-31 03:39 51,200 a------- c:\windows\inf\infpub.dat
2008-12-21 22:12 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2008-12-13 11:49 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-02 22:37 49,480 a------- c:\windows\system32\sirenacm.dll
2008-11-24 22:31 2,248,544 a------- c:\windows\system32\sqlncli.dll
2008-11-24 22:31 65,888 a------- c:\windows\system32\sqlctr90.dll
2008-10-24 19:34 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-19 06:41 174 a--sh--- c:\program files\desktop.ini
2008-01-19 06:29 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2008-01-19 06:29 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2008-01-19 06:29 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2008-01-19 06:29 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-01-19 06:24 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 19:01:48.12 ===============
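As an added example (not code from this thread or from the DDS tool), a small Python triage pass over the DDS.txt format posted above: it splits the log into its "==== Name ====" sections, parses the "Internet Settings,ProxyServer" entry, and lists the items a malware-removal helper usually reviews first (a configured system proxy, executables running from a TEMP folder, IE and Firefox add-on components, unnamed Run entries). The embedded sample is a constructed excerpt of the log in this post, and the review categories are this example's own heuristics, not the tool's; they are prompts for review, not verdicts.

```python
import re
from typing import Dict, List

# Constructed excerpt modelled on the DDS.txt log posted above (same section
# headers and entry syntax; only a handful of its entries are reproduced).
SAMPLE_DDS = r"""DDS (Ver_09-02-01.01) - NTFSx86
Run by Administrator at 19:00:49.59 on 02/07/2009 Sat

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\TEMP\GH29EC.EXE
C:\Program Files\Mozilla Firefox\firefox.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyServer = ftp=128.6.29.44:3128;http=128.6.29.44:3128;https=128.6.29.44:3128;socks=128.6.29.44:1080
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Lincmediaplayer: {fbaa6932-b59b-4854-8041-27a233394ba3} - c:\program files\linksador\lincmediaplayer\adxloader.dll
TB: N/A: {b6bb2c0a-8d74-4664-a1cd-103bd9a69de9} - c:\program files\linksador\lincmediaplayer\adxloader.dll
mRun: [<NO NAME>]

================= FIREFOX ===================

FF - component: c:\program files\mozilla firefox\components\iamfamous.dll

============= FINISH: 19:01:48.12 ===============
"""

# A DDS section header looks like "====== Name ======".
SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# Any path component named TEMP, e.g. C:\WINDOWS\TEMP\... (case-insensitive).
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Split a DDS log into {section name: non-empty lines}; the preamble is 'HEADER'."""
    sections: Dict[str, List[str]] = {"HEADER": []}
    current = "HEADER"
    for raw in text.splitlines():
        line = raw.rstrip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif line:
            sections.setdefault(current, []).append(line)
    return sections


def parse_proxy(hjt_lines: List[str]) -> Dict[str, str]:
    """Return {scheme: host:port} from the ProxyServer entry, or {} if none is set.

    A value with no per-scheme prefix ("host:port") applies to every scheme
    and is stored under the key "*".
    """
    for line in hjt_lines:
        if "Internet Settings,ProxyServer" not in line:
            continue
        proxies: Dict[str, str] = {}
        for item in line.split("=", 1)[1].split(";"):
            item = item.strip()
            if not item:
                continue
            scheme, _, hostport = item.partition("=")
            if hostport:
                proxies[scheme.strip()] = hostport.strip()
            else:
                proxies["*"] = scheme
        return proxies
    return {}


def triage(text: str) -> Dict[str, List[str]]:
    """Collect the entries a helper typically reviews first (prompts, not verdicts)."""
    sections = parse_sections(text)
    hjt = sections.get("Pseudo HJT Report", [])
    findings: Dict[str, List[str]] = {
        "proxy": [], "temp_processes": [], "browser_components": [], "unnamed_run": []
    }
    proxy = parse_proxy(hjt)
    if proxy:
        hosts = sorted({hp.rsplit(":", 1)[0] for hp in proxy.values()})
        findings["proxy"].append("system proxy configured via " + ", ".join(hosts))
    # Executables launched from a TEMP directory are unusual for installed software.
    findings["temp_processes"] = [
        p for p in sections.get("Running Processes", []) if TEMP_RE.search(p)
    ]
    for line in hjt:
        # Browser Helper Objects, toolbars and explorer bars load inside IE.
        if line.startswith(("BHO:", "TB:", "EB:")):
            findings["browser_components"].append(line)
        # Run entries without a name are worth asking the user about.
        if line.startswith(("uRun:", "mRun:")) and "[<NO NAME>]" in line:
            findings["unnamed_run"].append(line)
    # Firefox components load inside the browser in the same way.
    findings["browser_components"] += [
        line for line in sections.get("FIREFOX", []) if line.startswith("FF - component:")
    ]
    return findings


if __name__ == "__main__":
    for category, items in triage(SAMPLE_DDS).items():
        print(f"[{category}] {len(items)} item(s)")
        for item in items:
            print("   ", item)
```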


#2 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Members
  • 19,461 posts
  • OFFLINE
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:07:02 PM

Posted 19 February 2009 - 01:27 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 sungohan

sungohan
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:07:02 PM

Posted 19 February 2009 - 02:28 PM

Thanks.
When I use a search engine (Google, Yahoo, Live) and click any link I got from it,
I get redirected to btcar.com.

And Firefox and IE both have this problem.


And here is the new log file.


DDS (Ver_09-02-01.01) - NTFSx86
Run by Administrator at 14:22:06.54 on 02/19/2009 Thu
Internet Explorer: 8.0.6001.18372 BrowserJavaVersion: 1.6.0_11

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\ibmpmsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\System32\svchost.exe -k TabletInputServiceGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k WlansvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\spoolsv.exe
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
C:\Windows\system32\svchost.exe -k apphost
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Windows\system32\inetsrv\inetinfo.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\NMSAccessU.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Windows\system32\svchost.exe -k iissvcs
C:\Program Files\NetDrive\wdService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\TEMP\WDAC48.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Google\Google Pinyin\googlepinyindaemon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\GridService\peer.exe
C:\Users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Actual Window Manager\ActualWindowManagerCenter.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\svchost.exe -k tapisrv
C:\Windows\System32\msdtc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\OpenOffice.org 3\program\scalc.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\DU Meter\DUMeterSvc.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroTray.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Alarm\Alarm.exe
C:\Program Files\STerm2.549绿色版\sterm.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ICCup\Launcher\launcher.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Trend Micro\OfficeScan Client\Misc\xpupg.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\Windows\system32\FirewallControlPanel.exe
C:\Users\Administrator\Desktop\dds.com
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uDefault_Page_URL = res://iesetup.dll/SoftAdmin.htm
uInternet Settings,ProxyServer = ftp=128.6.29.44:3128;http=128.6.29.44:3128;https=128.6.29.44:3128;socks=128.6.29.44:1080
uInternet Settings,ProxyOverride = 192.168.0.*;<local>
BHO: WebThunder Browser Helper: {00000aaa-a363-466e-bef5-9bb68697aa7f} - c:\program files\thunder network\webthunder\WebThunderBHO_Now.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: Click-to-Call BHO: {5c255c8a-e604-49b4-9d64-90988571cecb} - c:\program files\windows live\messenger\wlchtc.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
BHO: Lincmediaplayer: {fbaa6932-b59b-4854-8041-27a233394ba3} - c:\program files\linksador\lincmediaplayer\adxloader.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: N/A: {b6bb2c0a-8d74-4664-a1cd-103bd9a69de9} - c:\program files\linksador\lincmediaplayer\adxloader.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [DU Meter] c:\program files\du meter\DUMeter.exe
uRun: [Google Update] "c:\users\administrator\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Actual Window Manager] "c:\program files\actual window manager\ActualWindowManagerCenter.exe"
uRunOnce: [RealUpgradeHelper] "c:\program files\common files\real\update_ob\upgrdhlp.exe" "RealNetworks|RealPlayer|6.0"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [Google IME Autoupdater] "c:\program files\google\google pinyin\GooglePinyinDaemon.exe"
mRun: [<NO NAME>]
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [Grid Service] "c:\program files\gridservice\peer.exe" -n Grid
mRun: [SNM] c:\program files\spynomore\SNM.exe /startup
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
StartupFolder: c:\users\admini~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\mozill~1.lnk - c:\program files\mozilla thunderbird\thunderbird.exe
StartupFolder: c:\users\admini~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
mPolicies-explorer: ShowSuperHidden = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &使用快车(FlashGet)下载 - c:\program files\flashget\jc_link.htm
IE: &使用快车(FlashGet)下载全部链接 - c:\program files\flashget\jc_all.htm
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: 使用WEB迅雷下载 - c:\program files\thunder network\webthunder\GetUrl.htm
IE: 使用WEB迅雷下载全部链接 - c:\program files\thunder network\webthunder\GetAllUrl.htm
IE: 添加到QQ表情 - c:\program files\tencent\qq\AddEmotion.htm
IE: {962EFB8E-2683-42d4-AC74-AAA4C759B9C6} - http://my.xunlei.com
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
Trusted Zone: qq.com\cache.tv
Trusted Zone: qq.com\qqlivecaption
Trusted Zone: qq.com\qqlivehabit
Trusted Zone: qq.com\qqlivesearch
Trusted Zone: qq.com\video_1
DPF: {18226BF8-DC0B-4D81-80E9-A41AE37BB73A} - hxxp://www.pplive.com/zh-cn/other/live/install.cab
DPF: {1DABF8D5-8430-4985-9B7F-A30E53D709B3} - hxxp://cache.tv.qq.com/qqlive_ocx/QQLiveInstaller.cab
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9CA74596-B5BB-4634-971C-F0224115A15F} - hxxp://nba.tom.com/video/tcastV1.cab
DPF: {C728DAB8-FDF5-4CD7-89DD-879D25794C77} - hxxp://t.live.cctv.com/ieocx/CCTVUpdateInstall.dll
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
LSA: Notification Packages = scecli RASSFM

================= FIREFOX ===================

FF - ProfilePath - c:\users\admini~1\appdata\roaming\mozilla\firefox\profiles\sx1sxs08.default\
FF - component: c:\program files\mozilla firefox\components\iamfamous.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npWebLaunch.dll
FF - plugin: c:\program files\thrixxx\weblaunch\binaries\npWebLaunch.dll
FF - plugin: c:\program files\tom online inc\tom live player\nptcast40.dll
FF - plugin: c:\users\administrator\appdata\local\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\users\administrator\appdata\roaming\mozilla\firefox\profiles\sx1sxs08.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\users\administrator\appdata\roaming\mozilla\firefox\profiles\sx1sxs08.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\users\administrator\appdata\roaming\mozilla\firefox\profiles\sx1sxs08.default\extensions\tcastv1@tom.com\plugins\nptcast40.dll

============= SERVICES / DRIVERS ===============

R0 storflt;Disk VMBUS Acceleration Filter Driver;c:\windows\system32\drivers\storflt.sys [2008-10-24 33280]
R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\system32\drivers\tmlwf.sys [2008-10-25 143376]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2008-11-7 96016]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2008-11-7 41744]
R2 DUMeterSvc;DU Meter Service;c:\program files\du meter\DUMeterSvc.exe [2008-10-24 1382672]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\tmxpflt.sys [2008-10-24 205328]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2008-10-24 36368]
R2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\system32\drivers\tmwfp.sys [2008-10-25 235536]
R2 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2008-10-24 53325]
R2 WebDriveFSD;WebDrive File System Driver;c:\program files\netdrive\rffsd.sys [2008-11-3 67032]
S0 sacdrv;sacdrv;c:\windows\system32\drivers\sacdrv.sys [2008-1-19 88632]
S3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y6032.sys [2008-6-13 225920]
S3 FCRegSvc;Microsoft Fibre Channel Platform Registration Service;c:\windows\system32\svchost.exe -k LocalServiceNetworkRestricted [2008-1-19 21504]
S3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-6-26 3662848]
S3 RSoPProv;Resultant Set of Policy Provider;c:\windows\system32\rsopprov.exe [2008-1-19 78336]
S3 sacsvr;Special Administration Console Helper;c:\windows\system32\svchost.exe -k netsvcs [2008-1-19 21504]
S3 TmPfw;OfficeScan NT Firewall;c:\program files\trend micro\officescan client\TmPfw.exe [2008-10-24 488768]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2008-10-24 652552]
S4 b06bdrv;Broadcom NetXtreme II VBD;c:\windows\system32\drivers\bxvbdx.sys [2008-1-19 396288]
S4 ioatdma;Intel® QuickData Technology Device;c:\windows\system32\drivers\qd26032.sys [2008-1-19 31232]
S4 s3cap;Microsoft Emulated S3 Device Cap Driver;c:\windows\system32\drivers\s3cap.sys [2008-10-24 5632]
S4 storvsc;storvsc;c:\windows\system32\drivers\storvsc.sys [2008-1-19 37320]
S4 vmbus;VMBus;c:\windows\system32\drivers\vmbus.sys [2008-1-19 185032]

============== File Associations ===============

txtfile=c:\windows\notepad.exe %1

=============== Created Last 30 ================

2009-02-16 00:45 <DIR> --d----- c:\program files\common files\xing shared
2009-02-16 00:09 168,448 a------- c:\windows\system32\unrar.dll
2009-02-16 00:09 839,680 a------- c:\windows\system32\lameACM.acm
2009-02-16 00:09 414 a------- c:\windows\system32\lame_acm.xml
2009-02-16 00:09 3,596,288 a------- c:\windows\system32\qt-dx331.dll
2009-02-16 00:09 795,648 a------- c:\windows\system32\xvidcore.dll
2009-02-16 00:09 217,088 a------- c:\windows\system32\yv12vfw.dll
2009-02-16 00:09 130,048 a------- c:\windows\system32\xvidvfw.dll
2009-02-16 00:09 118,784 a------- c:\windows\system32\ac3acm.acm
2009-02-16 00:09 86,016 a------- c:\windows\system32\dpl100.dll
2009-02-16 00:09 684,032 a------- c:\windows\system32\divx.dll
2009-02-16 00:09 67,584 a------- c:\windows\system32\ff_vfw.dll
2009-02-16 00:09 547 a------- c:\windows\system32\ff_vfw.dll.manifest
2009-02-16 00:09 <DIR> --d----- c:\program files\K-Lite Codec Pack
2009-02-12 22:46 1,152 a------- c:\windows\system32\windrv.sys
2009-02-10 12:21 974,848 a------- c:\windows\system32\mfc70.dll
2009-02-10 12:21 964,608 a------- c:\windows\system32\mfc70u.dll
2009-02-10 12:21 487,424 a------- c:\windows\system32\msvcp70.dll
2009-02-10 12:21 344,064 a------- c:\windows\system32\msvcr70.dll
2009-02-10 12:21 54,784 a------- c:\windows\system32\msvci70.dll
2009-02-10 12:21 84,992 a------- c:\windows\system32\atl70.dll
2009-02-10 12:21 953 a------- c:\windows\vpd.properties
2009-02-10 12:21 <DIR> --d----- c:\program files\SAS
2009-02-08 05:00 <DIR> --d----- c:\program files\GRETECH
2009-02-07 20:34 <DIR> --d----- c:\users\admini~1\appdata\roaming\OpenOffice.org
2009-02-07 20:12 <DIR> --d----- c:\program files\JRE
2009-02-07 20:12 <DIR> --d----- c:\program files\OpenOffice.org 3
2009-02-06 14:53 <DIR> --d----- c:\program files\Windows清理助手
2009-01-31 22:11 <DIR> --d----- c:\program files\FILE RECOVERY for Windows
2009-01-30 06:56 <DIR> --d----- c:\program files\VS竞技游戏平台
2009-01-28 13:51 105,016 a------- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-01-28 13:51 97,800 a------- c:\windows\system32\infocardapi.dll
2009-01-28 13:51 622,080 a------- c:\windows\system32\icardagt.exe
2009-01-28 13:51 43,544 a------- c:\windows\system32\PresentationHostProxy.dll
2009-01-28 13:51 37,384 a------- c:\windows\system32\infocardcpl.cpl
2009-01-28 13:51 11,264 a------- c:\windows\system32\icardres.dll
2009-01-28 13:51 781,344 a------- c:\windows\system32\PresentationNative_v0300.dll
2009-01-28 13:51 326,160 a------- c:\windows\system32\PresentationHost.exe
2009-01-28 13:49 96,760 a------- c:\windows\system32\dfshim.dll
2009-01-28 13:49 282,112 a------- c:\windows\system32\mscoree.dll
2009-01-28 13:49 41,984 a------- c:\windows\system32\netfxperf.dll
2009-01-28 13:49 158,720 a------- c:\windows\system32\mscorier.dll
2009-01-28 13:49 83,968 a------- c:\windows\system32\mscories.dll
2009-01-28 09:15 <DIR> --d----- c:\users\admini~1\appdata\roaming\ReliaSoft
2009-01-28 09:14 <DIR> --d----- c:\program files\ReliaSoft
2009-01-28 09:14 <DIR> --d----- c:\program files\common files\ReliaSoft
2009-01-21 22:19 57 a------- c:\windows\system32\peer.ini
2009-01-21 22:17 <DIR> --d----- c:\program files\PPLive
2009-01-21 22:17 <DIR> --d----- c:\program files\common files\Synacast
2009-01-21 22:11 19 a------- c:\windows\powerlist.ini

==================== Find3M ====================

2009-01-15 05:05 911,872 a------- c:\windows\system32\wininet.dll
2009-01-15 05:05 43,008 a------- c:\windows\system32\licmgr10.dll
2009-01-15 05:04 18,944 a------- c:\windows\system32\corpol.dll
2009-01-15 05:04 109,056 a------- c:\windows\system32\iesysprep.dll
2009-01-15 05:04 132,096 a------- c:\windows\system32\ieUnatt.exe
2009-01-15 05:04 109,568 a------- c:\windows\system32\PDMSetup.exe
2009-01-15 05:04 107,520 a------- c:\windows\system32\RegisterIEPKEYs.exe
2009-01-15 05:04 107,008 a------- c:\windows\system32\SetIEInstalledDate.exe
2009-01-15 05:04 103,936 a------- c:\windows\system32\SetDepNx.exe
2009-01-15 05:03 420,352 a------- c:\windows\system32\vbscript.dll
2009-01-15 05:03 72,704 a------- c:\windows\system32\admparse.dll
2009-01-15 05:03 71,680 a------- c:\windows\system32\iesetup.dll
2009-01-15 05:03 66,560 a------- c:\windows\system32\wextract.exe
2009-01-15 05:02 169,472 a------- c:\windows\system32\iexpress.exe
2009-01-15 05:01 34,304 a------- c:\windows\system32\imgutil.dll
2009-01-15 05:00 48,128 a------- c:\windows\system32\mshtmler.dll
2009-01-15 05:00 45,568 a------- c:\windows\system32\mshta.exe
2009-01-15 04:50 156,160 a------- c:\windows\system32\msls31.dll
2008-12-31 03:39 86,016 a------- c:\windows\inf\infstrng.dat
2008-12-31 03:39 86,016 a------- c:\windows\inf\infstor.dat
2008-12-31 03:39 51,200 a------- c:\windows\inf\infpub.dat
2008-12-21 22:12 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2008-12-13 11:49 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-02 22:37 49,480 a------- c:\windows\system32\sirenacm.dll
2008-11-24 22:31 2,248,544 a------- c:\windows\system32\sqlncli.dll
2008-11-24 22:31 65,888 a------- c:\windows\system32\sqlctr90.dll
2008-10-24 19:34 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-19 06:41 174 a--sh--- c:\program files\desktop.ini
2008-01-19 06:29 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2008-01-19 06:29 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2008-01-19 06:29 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2008-01-19 06:29 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-01-19 06:24 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 14:22:56.51 ===============

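The DDS listing above is the kind of log a Malware Response Team member reads line by line: autoruns (mRun/uRun/StartupFolder), ActiveX downloads (DPF), the per-user proxy setting, and newly created files, especially small .sys drivers. As an added example that is not part of the thread, not a DDS or ComboFix tool, and not the helper's own method, the script below parses constructed sample lines in that format and lists what a responder would check first. The SAMPLE_LOG entries mimic the posted format (one uRun entry, the proxy value and the trusted host list are invented); the severity heuristics are assumptions, and the script gives no verdict on any entry in the poster's actual log. A per-user ProxyServer value is listed because it is exactly the kind of setting that can silently redirect search traffic, so it should be confirmed as expected rather than assumed malicious.

```python
"""Triage helper for DDS / ComboFix style log lines.

Added example for this thread; it is not a DDS, ComboFix or BleepingComputer
tool. SAMPLE_LOG is constructed to mimic the log format posted above, and the
heuristics are assumptions about what a responder checks first. Nothing here
is a verdict on any entry in the poster's log.
"""
import re
from typing import Dict, List

# Constructed sample in DDS format: autoruns, ActiveX DPF entries, the
# per-user proxy line, and two "Created Last 30" file entries.
SAMPLE_LOG = r"""
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Grid Service] "c:\program files\gridservice\peer.exe" -n Grid
uRun: [updater] c:\users\admini~1\appdata\local\temp\svchost.exe
StartupFolder: c:\users\admini~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\mozill~1.lnk - c:\program files\mozilla thunderbird\thunderbird.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {9CA74596-B5BB-4634-971C-F0224115A15F} - hxxp://nba.tom.com/video/tcastV1.cab
uInternet Settings,ProxyServer = http=10.0.0.5:3128;https=10.0.0.5:3128
2009-02-12 22:46 1,152 a------- c:\windows\system32\windrv.sys
2009-02-16 00:09 795,648 a------- c:\windows\system32\xvidcore.dll
"""

# Assumed allow-lists: DDS prints 8.3 short names (progra~1) too, so accept both.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
KNOWN_DPF_HOSTS = ("java.sun.com", "fpdownload.macromedia.com", "download.microsoft.com")
# Names malware borrows; the legitimate copies live under c:\windows\system32.
SYSTEM_LOOKALIKES = ("svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe")
TINY_DRIVER_BYTES = 4096

AUTORUN_RE = re.compile(r"^(?P<kind>[um]Run|StartupFolder):\s*(?:\[[^\]]*\]\s*)?(?P<rest>.+)$", re.I)
# DDS defangs URLs as hxxp://, so match that spelling.
DPF_RE = re.compile(r"^DPF:\s*\{[0-9A-Fa-f-]+\}\s*-\s*hxxps?://(?P<host>[^/\s]+)", re.I)
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(?P<proxy>\S+)", re.I)
NEW_SYS_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?P<size>[\d,]+)\s+\S+\s+(?P<path>c:\\.+\.sys)$", re.I)


def _finding(severity: str, reason: str, line: str) -> Dict[str, str]:
    return {"severity": severity, "reason": reason, "line": line}


def _image_path(kind: str, rest: str) -> str:
    """Pull the executable path out of an autorun value (quoted or bare)."""
    if kind.lower() == "startupfolder" and " - " in rest:
        return rest.rsplit(" - ", 1)[1].strip().lower()   # "<shortcut>.lnk - <target>"
    m = re.match(r'"([^"]+)"', rest)
    if m:
        return m.group(1).lower()
    # Bare path: DDS prints arguments after the image, so cut at the extension.
    m = re.match(r"(.+?\.(?:exe|dll|scr|com|bat|cmd))(?:\s|$)", rest, re.I)
    return (m.group(1) if m else rest.split()[0]).lower()


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return the lines a responder should look at first, each with a reason."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = AUTORUN_RE.match(line)
        if m:
            path = _image_path(m.group("kind"), m.group("rest"))
            name = path.rsplit("\\", 1)[-1]
            if name in SYSTEM_LOOKALIKES and not path.startswith("c:\\windows\\system32\\"):
                findings.append(_finding("high", "system binary name outside system32", line))
            if not path.startswith(TRUSTED_ROOTS):
                findings.append(_finding("high", "autorun image outside Windows/Program Files", line))
            continue

        m = DPF_RE.match(line)
        if m:
            if m.group("host").lower() not in KNOWN_DPF_HOSTS:
                findings.append(_finding("medium", "ActiveX CAB from a host not on the expected list", line))
            continue

        if PROXY_RE.match(line):
            findings.append(_finding("medium", "per-user proxy configured; confirm it is expected", line))
            continue

        m = NEW_SYS_RE.match(line)
        if m and int(m.group("size").replace(",", "")) < TINY_DRIVER_BYTES:
            findings.append(_finding("high", "very small newly created driver", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['reason']}: {f['line']}")
```

Run it as a script to print the flagged lines, or import `triage()` and feed it a whole DDS.txt. The allow-lists are deliberately short; the point is to shrink a 700-line log to the handful of entries worth a manual look, not to replace the responder's judgement.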

#4 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 20 February 2009 - 03:20 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.
In your next reply include:
-the ComboFix log
-the GMER scan log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#5 sungohan

  • Topic Starter
  • Members
  • 7 posts

Posted 20 February 2009 - 09:53 PM

Thank you. I think problem is fixed now.
I have not been redirected to btcar.com for a while.

And here is the log file from those 2 scans.
I accidentally ran combofix.exe twice, so I only get the results for the second run.
I do not know if they are same or different.


log file: combofix.txt

ComboFix 09-02-19.01 - Administrator 2009-02-20 17:30:15.3 - NTFSx86
Running from: c:\users\Administrator\Desktop\ComboFix.exe
.

(((((((((((((((((((((((((   Files Created from 2009-01-20 to 2009-02-20   )))))))))))))))))))))))))))))))
.

2009-02-16 00:45 . 2009-02-16 00:45 <DIR> d-------- c:\program files\Common Files\xing shared
2009-02-16 00:09 . 2009-02-16 00:09 <DIR> d-------- c:\program files\K-Lite Codec Pack
2009-02-16 00:09 . 2008-11-06 11:37 3,596,288 --a------ c:\windows\System32\qt-dx331.dll
2009-02-16 00:09 . 2008-09-24 13:41 839,680 --a------ c:\windows\System32\lameACM.acm
2009-02-16 00:09 . 2008-12-07 13:08 795,648 --a------ c:\windows\System32\xvidcore.dll
2009-02-16 00:09 . 2008-11-06 11:33 684,032 --a------ c:\windows\System32\divx.dll
2009-02-16 00:09 . 2004-01-25 11:18 217,088 --a------ c:\windows\System32\yv12vfw.dll
2009-02-16 00:09 . 2008-09-16 14:23 168,448 --a------ c:\windows\System32\unrar.dll
2009-02-16 00:09 . 2008-12-07 13:08 130,048 --a------ c:\windows\System32\xvidvfw.dll
2009-02-16 00:09 . 2007-09-20 19:52 118,784 --a------ c:\windows\System32\ac3acm.acm
2009-02-16 00:09 . 2008-12-10 19:33 86,016 --a------ c:\windows\System32\dpl100.dll
2009-02-16 00:09 . 2009-02-09 13:56 67,584 --a------ c:\windows\System32\ff_vfw.dll
2009-02-16 00:09 . 2007-07-10 11:10 547 --a------ c:\windows\System32\ff_vfw.dll.manifest
2009-02-16 00:09 . 2008-10-03 07:30 414 --a------ c:\windows\System32\lame_acm.xml
2009-02-13 03:58 . 2009-02-13 03:58 <DIR> dr------- c:\users\zhe\Videos
2009-02-13 03:58 . 2009-02-13 03:58 <DIR> dr------- c:\users\zhe\Searches
2009-02-13 03:58 . 2009-02-13 03:58 <DIR> dr------- c:\users\zhe\Saved Games
2009-02-13 03:58 . 2008-10-24 19:00 <DIR> d-------- c:\users\zhe\Roaming
2009-02-13 03:58 . 2009-02-13 03:58 <DIR> dr------- c:\users\zhe\Pictures
2009-02-13 03:58 . 2009-02-13 03:58 <DIR> dr------- c:\users\zhe\Music
2009-02-13 03:58 . 2009-02-13 03:58 <DIR> dr------- c:\users\zhe\Links
2009-02-13 03:58 . 2009-02-13 03:58 <DIR> dr------- c:\users\zhe\Downloads
2009-02-13 03:58 . 2009-02-13 03:59 <DIR> dr------- c:\users\zhe\Documents
2009-02-13 03:58 . 2009-02-13 03:58 <DIR> dr------- c:\users\zhe\Contacts
2009-02-13 03:58 . 2009-02-13 03:58 <DIR> d--h----- c:\users\zhe\AppData
2009-02-13 03:58 . 2009-02-13 03:58 <DIR> d-------- c:\users\zhe
2009-02-12 22:46 . 2009-02-12 22:46 1,152 --a------ c:\windows\System32\windrv.sys
2009-02-10 12:21 . 2004-02-10 12:36 <DIR> d-------- c:\program files\SAS
2009-02-10 12:21 . 2002-01-05 07:48 974,848 --a------ c:\windows\System32\mfc70.dll
2009-02-10 12:21 . 2002-01-05 07:36 964,608 --a------ c:\windows\System32\mfc70u.dll
2009-02-10 12:21 . 2002-01-05 06:40 487,424 --a------ c:\windows\System32\msvcp70.dll
2009-02-10 12:21 . 2002-01-05 06:37 344,064 --a------ c:\windows\System32\msvcr70.dll
2009-02-10 12:21 . 2002-01-05 05:18 84,992 --a------ c:\windows\System32\atl70.dll
2009-02-10 12:21 . 2002-01-05 06:38 54,784 --a------ c:\windows\System32\msvci70.dll
2009-02-10 12:21 . 2009-02-10 12:21 953 --a------ c:\windows\vpd.properties
2009-02-08 05:00 . 2009-02-08 05:00 <DIR> d-------- c:\users\Administrator\AppData\Roaming\GRETECH
2009-02-08 05:00 . 2009-02-08 05:00 <DIR> d-------- c:\program files\GRETECH
2009-02-07 20:34 . 2009-02-07 20:34 <DIR> d-------- c:\users\Administrator\AppData\Roaming\OpenOffice.org
2009-02-07 20:12 . 2009-02-07 20:12 <DIR> d-------- c:\program files\OpenOffice.org 3
2009-02-07 20:12 . 2009-02-07 20:12 <DIR> d-------- c:\program files\JRE
2009-02-06 14:53 . 2009-02-06 14:54 <DIR> d-------- c:\program files\Windows清理助手
2009-01-31 22:11 . 2009-01-31 22:12 <DIR> d-------- c:\program files\FILE RECOVERY for Windows
2009-01-30 06:56 . 2009-01-30 06:56 <DIR> d-------- c:\program files\VS竞技游戏平台
2009-01-28 13:51 . 2008-06-19 20:14 781,344 --a------ c:\windows\System32\PresentationNative_v0300.dll
2009-01-28 13:51 . 2008-06-19 20:14 622,080 --a------ c:\windows\System32\icardagt.exe
2009-01-28 13:51 . 2008-06-19 20:14 326,160 --a------ c:\windows\System32\PresentationHost.exe
2009-01-28 13:51 . 2008-06-19 20:14 105,016 --a------ c:\windows\System32\PresentationCFFRasterizerNative_v0300.dll
2009-01-28 13:51 . 2008-06-19 20:14 97,800 --a------ c:\windows\System32\infocardapi.dll
2009-01-28 13:51 . 2008-06-19 20:14 43,544 --a------ c:\windows\System32\PresentationHostProxy.dll
2009-01-28 13:51 . 2008-06-19 20:14 37,384 --a------ c:\windows\System32\infocardcpl.cpl
2009-01-28 13:51 . 2008-06-19 20:14 11,264 --a------ c:\windows\System32\icardres.dll
2009-01-28 13:49 . 2008-07-27 13:03 282,112 --a------ c:\windows\System32\mscoree.dll
2009-01-28 13:49 . 2008-07-27 13:03 158,720 --a------ c:\windows\System32\mscorier.dll
2009-01-28 13:49 . 2008-07-27 13:03 96,760 --a------ c:\windows\System32\dfshim.dll
2009-01-28 13:49 . 2008-07-27 13:03 83,968 --a------ c:\windows\System32\mscories.dll
2009-01-28 13:49 . 2008-07-27 13:03 41,984 --a------ c:\windows\System32\netfxperf.dll
2009-01-28 09:15 . 2009-01-28 09:15 <DIR> d-------- c:\users\Administrator\AppData\Roaming\ReliaSoft
2009-01-28 09:14 . 2009-01-28 09:14 <DIR> d-------- c:\program files\ReliaSoft
2009-01-28 09:14 . 2009-01-28 09:14 <DIR> d-------- c:\program files\Common Files\ReliaSoft
2009-01-21 22:19 . 2009-01-21 22:19 57 --a------ c:\windows\System32\peer.ini
2009-01-21 22:17 . 2009-01-21 22:17 <DIR> d-------- c:\program files\PPLive
2009-01-21 22:17 . 2009-01-21 22:17 <DIR> d-------- c:\program files\Common Files\Synacast
2009-01-21 22:11 . 2009-01-21 22:11 19 --a------ c:\windows\powerlist.ini

.
((((((((((((((((((((((((((((((((((((((((   Files Modified Within Three Months (Find3M)   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-20 06:47 --------- d-----w c:\program files\DC++
2009-02-20 00:23 --------- d-----w c:\users\Administrator\AppData\Roaming\FileZilla
2009-02-19 09:40 --------- d-----w c:\users\Administrator\AppData\Roaming\PPStream
2009-02-17 23:08 --------- d-----w c:\users\Administrator\AppData\Roaming\WinEdt
2009-02-16 05:45 --------- d-----w c:\program files\Common Files\Real
2009-02-08 01:12 --------- d-----w c:\program files\OpenOffice.org 2.4
2009-02-08 00:20 --------- d-----w c:\users\Administrator\AppData\Roaming\OpenOffice.org2
2009-02-04 14:12 --------- d-----w c:\program files\FlashGet
2009-01-28 18:58 --------- d-----w c:\program files\Microsoft SQL Server
2009-01-26 04:04 --------- d-----w c:\users\Administrator\AppData\Roaming\CCTV
2009-01-26 00:27 --------- d-----w c:\program files\TTPlayer
2009-01-22 03:19 --------- d-----w c:\program files\qqqtv网络电视
2009-01-22 03:11 --------- d-----w c:\program files\PPStream
2009-01-19 08:23 --------- d-----w c:\programdata\vucache
2009-01-19 08:23 --------- d-----w c:\programdata\Thunder Network
2009-01-19 08:23 --------- d-----w c:\program files\Thunder Network
2009-01-19 08:23 --------- d-----w c:\program files\Common Files\Thunder Network
2009-01-18 03:18 --------- d-----w c:\users\Administrator\AppData\Roaming\TaxCut
2009-01-18 03:17 --------- d-----w c:\program files\TaxCut08
2009-01-18 03:16 --------- d-----w c:\program files\PDF995
2009-01-18 03:13 --------- d-----w c:\programdata\TaxCut
2009-01-18 01:59 --------- d-----w c:\program files\RaySource
2009-01-18 01:47 --------- d-----w c:\programdata\Grid
2009-01-18 01:47 --------- d-----w c:\program files\GridService
2009-01-16 10:08 --------- d-----w c:\program files\TVAnts
2009-01-15 21:39 --------- d-----w c:\program files\JabRef
2009-01-14 16:10 --------- d-----w c:\programdata\Microsoft Help
2009-01-10 01:23 --------- d-----w c:\program files\TOM Online Inc
2009-01-09 08:01 --------- d-----w c:\program files\FLV Player
2009-01-07 22:51 --------- d-----w c:\program files\Mozilla Thunderbird
2009-01-07 05:47 --------- d-----w c:\program files\Actual Window Manager
2009-01-01 03:00 --------- d-----w c:\program files\Microsoft
2008-12-23 03:53 --------- d-----w c:\program files\eREAD6.0
2008-12-22 03:12 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2008-12-21 21:46 --------- d-----w c:\users\Administrator\AppData\Roaming\vlc
2008-12-21 21:43 --------- d-----w c:\program files\VideoLAN
2008-12-20 22:06 --------- d-----w c:\program files\STerm2.549绿色版
2008-01-19 11:41 174 --sha-w c:\program files\desktop.ini
2008-12-02 07:42 36,864 ----a-w c:\program files\mozilla firefox\components\NsThunderLoader.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-02-20_17.27.23.90 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-20 22:21:00 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2009-02-20 22:34:11 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2009-02-20 22:21:00 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2009-02-20 22:34:11 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2009-02-20 22:12:26 132,372 ----a-w c:\windows\System32\perfc009.dat
+ 2009-02-20 22:27:28 132,372 ----a-w c:\windows\System32\perfc009.dat
- 2009-02-20 22:12:26 676,678 ----a-w c:\windows\System32\perfh009.dat
+ 2009-02-20 22:27:28 676,678 ----a-w c:\windows\System32\perfh009.dat
+ 2008-08-30 18:57:06 296,224 ----a-w c:\windows\temp\LZ2FCB.EXE
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DU Meter"="c:\program files\DU Meter\DUMeter.exe" [2008-10-24 2582288]
"Google Update"="c:\users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-12-11 133104]
"Actual Window Manager"="c:\program files\Actual Window Manager\ActualWindowManagerCenter.exe" [2009-01-07 1105920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-17 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-17 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-17 141848]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-03-23 68464]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-11-21 820520]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2008-08-30 714024]
"Google IME Autoupdater"="c:\program files\Google\Google Pinyin\GooglePinyinDaemon.exe" [2008-10-17 308720]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-13 136600]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2007-02-26 992816]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"Grid Service"="c:\program files\GridService\peer.exe" [2008-12-30 4993024]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-02-16 185632]

c:\users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Mozilla Thunderbird.lnk - c:\program files\Mozilla Thunderbird\thunderbird.exe [2008-10-24 8504936]
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ShowSuperHidden"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.enc"= ITIG726.acm
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli RASSFM

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2008-10-14 21:38 623992 c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2009-02-16 00:44 185632 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebThunder]
--a------ 2008-12-18 21:59 677280 c:\program files\Thunder Network\WebThunder\WebThunder.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy]
"DisableStatefulFTP"= 1 (0x1)
"DisableStatefulPPTP"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{78A4509C-8959-43D2-9002-32827895EFAE}"= UDP:8081:Trend Micro OfficeScan Listener
"{B450F1C6-6570-4F4C-BD17-863494D10297}"= UDP:c:\program files\DC++\DCPlusPlus.exe:DC++
"{F4EFE48F-338B-470A-99D0-78DA6060CAF7}"= TCP:c:\program files\DC++\DCPlusPlus.exe:DC++
"{ADFE9EED-8D69-4252-AF89-7A0E94AB4A53}"= Disabled:UDP:c:\program files\Skype\Phone\Skype.exe:Skype
"{740FBBCD-B858-4111-B6A6-E6F53BF592F2}"= Disabled:TCP:c:\program files\Skype\Phone\Skype.exe:Skype
"{B3533808-BC23-4C7C-A293-AC51F98CBEE7}"= UDP:c:\program files\GridService\peer.exe:muse peer
"{703A8759-2DB2-4070-B937-915AA58A882D}"= TCP:c:\program files\GridService\peer.exe:muse peer
"{FEF36C8D-AA9C-4B08-BEC1-DBCC11C28037}"= Disabled:UDP:c:\program files\Thunder Network\WebThunder\WebThunder.exe:WebThunder
"{154BF17A-74D2-4355-A54C-593DE5796654}"= Disabled:TCP:c:\program files\Thunder Network\WebThunder\WebThunder.exe:WebThunder
"{B2AB905F-EBDE-4E46-B8D1-465091E85C12}"= UDP:c:\program files\GridService\peer.exe:muse peer
"{EFB171D1-A16D-489C-B535-0F48CC07338A}"= TCP:c:\program files\GridService\peer.exe:muse peer
"{2CAE094A-3645-4FB4-876B-4302CB482F89}"= UDP:8081:Trend Micro OfficeScan Listener

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\Kingsoft\\Powerword 2007\\xdict.exe"= c:\program files\Kingsoft\Powerword 2007\xdict.exe:*:Enabled:Kingsoft PowerWord
"c:\\Program Files\\Kingsoft\\Powerword 2007\\update.exe"= c:\program files\Kingsoft\Powerword 2007\update.exe:*:Enabled:Kingsoft PowerWord Online Update
"c:\\Program Files\\PPStream\\PPStream.exe"= c:\program files\PPStream\PPStream.exe:*:Enabled:PPS网络电视
"c:\\Program Files\\PPStream\\PPSAP.exe"= c:\program files\PPStream\PPSAP.exe:*:Enabled:PPS 网络加速器

R0 storflt;Disk VMBUS Acceleration Filter Driver;c:\windows\System32\drivers\storflt.sys [2008-10-24 33280]
R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\System32\drivers\tmlwf.sys [2008-10-25 143376]
R1 VBoxDrv;VirtualBox Service;c:\windows\System32\drivers\VBoxDrv.sys [2008-11-07 96016]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\System32\drivers\VBoxUSBMon.sys [2008-11-07 41744]
R2 DUMeterSvc;DU Meter Service;c:\program files\DU Meter\DUMeterSvc.exe [2008-10-24 1382672]
R2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\System32\drivers\tmwfp.sys [2008-10-25 235536]
R2 TPHKSVC;On Screen Display;c:\program files\Lenovo\HOTKEY\TPHKSVC.exe [2008-10-24 53325]
R2 WebDriveFSD;WebDrive File System Driver;c:\program files\NetDrive\rffsd.sys [2008-11-03 67032]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\System32\drivers\NETw5v32.sys [2008-06-26 3662848]
S0 sacdrv;sacdrv;c:\windows\System32\drivers\sacdrv.sys [2008-01-19 88632]
S2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\tmxpflt.sys [2008-10-24 205328]
S2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [2008-10-24 36368]
S3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\System32\drivers\e1y6032.sys [2008-06-13 225920]
S3 FCRegSvc;Microsoft Fibre Channel Platform Registration Service;c:\windows\system32\svchost.exe -k LocalServiceNetworkRestricted [2008-01-19 21504]
S3 RSoPProv;Resultant Set of Policy Provider;c:\windows\System32\rsopprov.exe [2008-01-19 78336]
S3 sacsvr;Special Administration Console Helper;c:\windows\System32\svchost.exe -k netsvcs [2008-01-19 21504]
S3 TmPfw;OfficeScan NT Firewall;c:\program files\Trend Micro\OfficeScan Client\TmPfw.exe [2008-10-24 488768]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [2008-10-24 652552]
S4 b06bdrv;Broadcom NetXtreme II VBD;c:\windows\System32\drivers\bxvbdx.sys [2008-01-19 396288]
S4 ioatdma;Intel® QuickData Technology Device;c:\windows\System32\drivers\qd26032.sys [2008-01-19 31232]
S4 s3cap;Microsoft Emulated S3 Device Cap Driver;c:\windows\System32\drivers\s3cap.sys [2008-10-24 5632]
S4 storvsc;storvsc;c:\windows\System32\drivers\storvsc.sys [2008-01-19 37320]
S4 vmbus;VMBus;c:\windows\System32\drivers\vmbus.sys [2008-01-19 185032]

--- Other Services/Drivers In Memory ---

*Deregistered* - sptd

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
TapiSrv REG_MULTI_SZ TapiSrv
WebClientGroup REG_MULTI_SZ WebClient
WlansvcGroup REG_MULTI_SZ wlansvc
TabletInputServiceGroup REG_MULTI_SZ TabletInputService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
sacsvr
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalServiceNetworkRestricted
FCRegSvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eaabf43d-b433-11dd-9ed6-0021869f3f8e}]
\shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}]
%systemroot%\system32\rundll32.exe iesetup.dll,IEHardenAdmin

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}]
%systemroot%\system32\rundll32.exe iesetup.dll,IEHardenUser
.
‘计划任务’ 文件夹 里的内容

2009-02-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-285618892-2696770435-1718402303-500.job
- c:\users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe [2008-12-11 15:59]

2009-02-10 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PCDR5\pcdr5cuiw32.exe [2008-10-31 13:14]
.
.
------- 而外的扫描 -------
.
uStart Page = about:blank
uInternet Settings,ProxyServer = ftp=128.6.29.44:3128;http=128.6.29.44:3128;https=128.6.29.44:3128;socks=128.6.29.44:1080
uInternet Settings,ProxyOverride = 192.168.0.*;<local>
IE: &使用快车(FlashGet)下载 - c:\program files\FlashGet\jc_link.htm
IE: &使用快车(FlashGet)下载全部链接 - c:\program files\FlashGet\jc_all.htm
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: 使用WEB迅雷下载 - c:\program files\Thunder Network\WebThunder\GetUrl.htm
IE: 使用WEB迅雷下载全部链接 - c:\program files\Thunder Network\WebThunder\GetAllUrl.htm
IE: 添加到QQ表情 - c:\program files\Tencent\QQ\AddEmotion.htm
IE: {{962EFB8E-2683-42d4-AC74-AAA4C759B9C6} - http://my.xunlei.com
Trusted Zone: qq.com\cache.tv
Trusted Zone: qq.com\qqlivecaption
Trusted Zone: qq.com\qqlivehabit
Trusted Zone: qq.com\qqlivesearch
Trusted Zone: qq.com\video_1
DPF: {18226BF8-DC0B-4D81-80E9-A41AE37BB73A} - hxxp://www.pplive.com/zh-cn/other/live/install.cab
DPF: {1DABF8D5-8430-4985-9B7F-A30E53D709B3} - hxxp://cache.tv.qq.com/qqlive_ocx/QQLiveInstaller.cab
DPF: {9CA74596-B5BB-4634-971C-F0224115A15F} - hxxp://nba.tom.com/video/tcastV1.cab
FF - ProfilePath - c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\sx1sxs08.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npWebLaunch.dll
FF - plugin: c:\program files\thriXXX\WebLaunch\Binaries\npWebLaunch.dll
FF - plugin: c:\program files\TOM Online Inc\TOM Live Player\nptcast40.dll
FF - plugin: c:\users\Administrator\AppData\Local\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\sx1sxs08.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\sx1sxs08.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\sx1sxs08.default\extensions\tcastv1@tom.com\plugins\nptcast40.dll
.
.
------- 文件类型 -------
.
txtfile=c:\windows\notepad.exe %1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-20 17:34:31
Windows 6.0.6001 Service Pack 1 NTFS

扫描被隐藏的进程 。。。

扫描被隐藏的启动组 。。。

扫描被隐藏的文件 。。。


c:\users\Administrator\AppData\Roaming\Thunderbird\Profiles\imqjqo1m.default\parent.lock

扫描完成
被隐藏的档案: 1

**************************************************************************
.
--------------------- 运行进程下的动态链接库 ---------------------

- - - - - - - > 'winlogon.exe'(648)
c:\windows\system32\RFNP32.DLL
c:\windows\system32\RFHelper.dll
c:\windows\system32\rfhres.dll

- - - - - - - > 'Explorer.exe'(4452)
c:\program files\Actual Window Manager\aimemb.dll
.
------------------------ 其他运行进程 ------------------------
.
c:\windows\System32\ibmpmsvc.exe
c:\windows\System32\wlanext.exe
c:\windows\System32\audiodg.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\windows\System32\inetsrv\inetinfo.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
c:\windows\System32\NMSAccessU.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\System32\conime.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\NetDrive\wdService.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\windows\System32\igfxsrvc.exe
c:\program files\Synaptics\SynTP\SynTPLpr.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\Trend Micro\OfficeScan Client\Misc\xpupg.exe
c:\program files\Trend Micro\OfficeScan Client\PccNTUpd.exe
c:\windows\System32\msdtc.exe
c:\progra~1\Logitech\Video\AlbumDB2.exe
c:\progra~1\Logitech\Video\FxSvr2.exe
.
**************************************************************************
.
完成时间: 2009-02-20 17:41:49 - 电脑已重新启动
ComboFix-quarantined-files.txt 2009-02-20 22:41:46
ComboFix2.txt 2009-02-20 22:28:45

Pre-Run: 8,298,201,088 bytes free
Post-Run: 8,270,274,560 bytes free

343 --- E O F --- 2009-01-30 02:27:13




Log file from GMER

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-20 18:06:29
Windows 6.0.6001 Service Pack 1


---- System - GMER 1.0.14 ----

INT 0x51 ? 84E07BF8
INT 0x51 ? 84E07BF8
INT 0x51 ? 8516BDC8
INT 0x52 ? 9C4A0A50
INT 0x61 ? 9C4A02D0
INT 0x62 ? 9C4A0CD0
INT 0x71 ? 9C4A0550
INT 0x72 ? 8516BDC8
INT 0x82 ? 8516BDC8
INT 0x92 ? 8516BDC8
INT 0xA2 ? 8516BDC8
INT 0xB2 ? 8516BDC8

---- Kernel code sections - GMER 1.0.14 ----

? System32\Drivers\spob.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload 82F4846F 5 Bytes JMP 8516B3A8
.text aydfb18y.SYS 82F78000 22 Bytes [ 26, 42, A1, 81, 10, 41, A1, ... ]
.text aydfb18y.SYS 82F78017 159 Bytes [ 00, 32, A7, B0, 82, 3D, A5, ... ]
.text aydfb18y.SYS 82F780B7 22 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text aydfb18y.SYS 82F780CE 80 Bytes [ 00, 00, 26, 00, 00, 00, E0, ... ]
.text aydfb18y.SYS 82F7811F 194 Bytes [ 7E, 38, 40, 39, 82, 3B, C4, ... ]
.text ...
? C:\ComboFix\catchme.sys The system cannot find the path specified. !
? C:\Windows\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [82A046D2] \SystemRoot\System32\Drivers\spob.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [82A04040] \SystemRoot\System32\Drivers\spob.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [82A047FC] \SystemRoot\System32\Drivers\spob.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [82A040BE] \SystemRoot\System32\Drivers\spob.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [82A0413C] \SystemRoot\System32\Drivers\spob.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [82A13D92] \SystemRoot\System32\Drivers\spob.sys
IAT \SystemRoot\System32\Drivers\aydfb18y.SYS[ataport.SYS!AtaPortNotification] F73BFF33
IAT \SystemRoot\System32\Drivers\aydfb18y.SYS[ataport.SYS!AtaPortWritePortUchar] B85F0B75
IAT \SystemRoot\System32\Drivers\aydfb18y.SYS[ataport.SYS!AtaPortWritePortUlong] FFFFFFFE
IAT \SystemRoot\System32\Drivers\aydfb18y.SYS[ataport.SYS!AtaPortGetPhysicalAddress] 08C25D5E
IAT \SystemRoot\System32\Drivers\aydfb18y.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] 5D8B5300
IAT \SystemRoot\System32\Drivers\aydfb18y.SYS[ataport.SYS!AtaPortGetScatterGatherList] 74DF3B0C
IAT \SystemRoot\System32\Drivers\aydfb18y.SYS[ataport.SYS!AtaPortReadPortUchar] 01FB8311
IAT \SystemRoot\System32\Drivers\aydfb18y.SYS[ataport.SYS!AtaPortStallExecution] 5F5B0C74
IAT \SystemRoot\System32\Drivers\aydfb18y.SYS[ataport.SYS!AtaPortGetParentBusType] FFFFFEB8
IAT \SystemRoot\System32\Drivers\aydfb18y.SYS[ataport.SYS!AtaPortRequestCallback] C25D5EFF
IAT \SystemRoot\System32\Drivers\aydfb18y.SYS[ataport.SYS!AtaPortWritePortBufferUshort] 7E390008
IAT \SystemRoot\System32\Drivers\aydfb18y.SYS[ataport.SYS!AtaPortGetUnCachedExtension] C7077524
IAT \SystemRoot\System32\Drivers\aydfb18y.SYS[ataport.SYS!AtaPortCompleteRequest] 61642446
IAT \SystemRoot\System32\Drivers\aydfb18y.SYS[ataport.SYS!AtaPortMoveMemory] 7E3982F8
IAT \SystemRoot\System32\Drivers\aydfb18y.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] C7077528
IAT \SystemRoot\System32\Drivers\aydfb18y.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 61902846
IAT \SystemRoot\System32\Drivers\aydfb18y.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] 468B82F8
IAT \SystemRoot\System32\Drivers\aydfb18y.SYS[ataport.SYS!AtaPortReadPortUshort] 244E8B2C
IAT \SystemRoot\System32\Drivers\aydfb18y.SYS[ataport.SYS!AtaPortReadPortBufferUshort] 7468016A
IAT \SystemRoot\System32\Drivers\aydfb18y.SYS[ataport.SYS!AtaPortInitialize] 500000FA
IAT \SystemRoot\System32\Drivers\aydfb18y.SYS[ataport.SYS!AtaPortGetDeviceBase] C73BD1FF
IAT \SystemRoot\System32\Drivers\aydfb18y.SYS[ataport.SYS!AtaPortDeviceStateChange] 5F5B0C75

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\Windows\Explorer.exe[4452] @ C:\Windows\Explorer.exe [gdiplus.dll!GdiplusShutdown] [743E7BA4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4452] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCloneImage] [744298C5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4452] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipDrawImageRectI] [743ED3C8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4452] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipSetInterpolationMode] [743DF527] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4452] @ C:\Windows\Explorer.exe [gdiplus.dll!GdiplusStartup] [743E7599] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4452] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCreateFromHDC] [743DE43D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4452] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCreateBitmapFromStreamICM] [7441B33D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4452] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCreateBitmapFromStream] [743ED68A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4452] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipGetImageHeight] [743E012E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4452] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipGetImageWidth] [743E0095] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4452] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipDisposeImage] [743D71F3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4452] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipLoadImageFromFileICM] [7446D802] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4452] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipLoadImageFromFile] [744075E1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4452] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipDeleteGraphics] [743DDAE1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4452] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipFree] [743D668F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4452] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipAlloc] [743D66BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4452] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipSetCompositingMode] [743E1E45] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 84E0D1F8
Device \Driver\sptd \Device\655747688 spob.sys

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

Device \Driver\volmgr \Device\VolMgrControl 84E091F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{D597B0E9-3937-4DCA-BE28-E120ACAF01CF} 9C56E500
Device \Driver\usbuhci \Device\USBPDO-0 850981F8
Device \Driver\PCI_PNP3664 \Device\00000051 spob.sys
Device \Driver\usbuhci \Device\USBPDO-1 850981F8
Device \Driver\usbuhci \Device\USBPDO-2 850981F8
Device \Driver\usbehci \Device\USBPDO-3 850991F8
Device \Driver\usbuhci \Device\USBPDO-4 850981F8

AttachedDevice \Driver\tdx \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

Device \Driver\usbuhci \Device\USBPDO-5 850981F8
Device \Driver\usbuhci \Device\USBPDO-6 850981F8
Device \Driver\volmgr \Device\HarddiskVolume1 84E091F8
Device \Driver\usbehci \Device\USBPDO-7 850991F8
Device \Driver\volmgr \Device\HarddiskVolume2 84E091F8
Device \Driver\cdrom \Device\CdRom0 9C56A1F8
Device \Driver\volmgr \Device\HarddiskVolume3 84E091F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 84E0B1F8
Device \Driver\atapi \Device\Ide\IdePort0 84E0B1F8
Device \Driver\atapi \Device\Ide\IdePort1 84E0B1F8
Device \Driver\msahci \Device\Ide\PciIde0Channel0 84E0C1F8
Device \Driver\msahci \Device\Ide\PciIde0Channel1 84E0C1F8
Device \Driver\volmgr \Device\HarddiskVolume4 84E091F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 9C56E500
Device \Driver\Smb \Device\NetbiosSmb 9C56C1F8
Device \Driver\iScsiPrt \Device\RaidPort0 851421F8

AttachedDevice \Driver\tdx \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

Device \Driver\usbuhci \Device\USBFDO-0 850981F8
Device \Driver\usbuhci \Device\USBFDO-1 850981F8
Device \Driver\usbuhci \Device\USBFDO-2 850981F8
Device \Driver\usbehci \Device\USBFDO-3 850991F8
Device \Driver\usbuhci \Device\USBFDO-4 850981F8
Device \Driver\usbuhci \Device\USBFDO-5 850981F8
Device \Driver\usbuhci \Device\USBFDO-6 850981F8
Device \Driver\usbehci \Device\USBFDO-7 850991F8
Device \Driver\aydfb18y \Device\Scsi\aydfb18y1Port3Path0Target0Lun0 8512E1F8
Device \Driver\aydfb18y \Device\Scsi\aydfb18y1 8512E1F8
Device \FileSystem\fastfat \Fat A6061500
Device \FileSystem\fastfat \Fat AA1AF45E

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\cdfs \Cdfs ADD451F8

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x57 0x9B 0x49 0x6D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x72 0xD1 0x7A 0x21 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x3C 0x53 0x80 0x94 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x57 0x9B 0x49 0x6D ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x72 0xD1 0x7A 0x21 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x3C 0x53 0x80 0x94 ...

---- EOF - GMER 1.0.14 ----

Edited by sungohan, 20 February 2009 - 09:56 PM.


#6 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:02 PM

Posted 21 February 2009 - 11:15 AM

Hello.

There are some leftovers.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    http://www.bleepingcomputer.com/forums/t/201545/search-engine-always-pops-up-btcarcom/
    
    Suspect::[59]
    c:\windows\System32\drivers\sacdrv.sys 
    
    File::
    c:\windows\System32\windrv.sys
  • Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
  • Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

At the end of its run ComboFix will attempt to upload some files. Please make sure you are connected to the Internet before clicking "OK". Kindly remind me in your next reply that samples were uploaded.

Download and run MalwareBytes Anti-Malware
If you already have MBAM installed, simply update and run a quick scan.

Please download the Malwarebytes Anti-Malware setup to your desktop.
alternate download link 1
alternate download link 2

Refer to the steps given here on installing MalwareBytes, running the scan, and saving the log file (not on using FileAssassin).
  • If you have trouble updating, try the other mirror download site.
  • Should the computer in question not be able to update using the normal method, download the update file from here, using another machine if needed. Simply double-click the file to install the updates.
  • If MalwareBytes asks to reboot to remove certain items, do so right away.
Please include the scan logfile in your next reply.
With Regards,
The Panda

#7 sungohan

sungohan
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:07:02 PM

Posted 21 February 2009 - 07:23 PM

Thank you very much!

And here are the log files from ComboFix and MBAM

ComboFix.txt

ComboFix 09-02-19.01 - Administrator 2009-02-21 14:19:03.4 - NTFSx86
执行位置: c:\users\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\users\Administrator\Desktop\CFScript.txt

FILE ::
c:\windows\System32\windrv.sys
.

((((((((((((((((((((((((((((((((((((((( 被删除的档案 )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\System32\windrv.sys

.
((((((((((((((((((((((((( 2009-01-21 至 2009-02-21 的新的档案 )))))))))))))))))))))))))))))))
.

2009-02-20 17:45 . 2009-02-20 18:06 250 --a------ c:\windows\gmer.ini
2009-02-16 00:45 . 2009-02-16 00:45 <DIR> d-------- c:\program files\Common Files\xing shared
2009-02-16 00:09 . 2009-02-16 00:09 <DIR> d-------- c:\program files\K-Lite Codec Pack
2009-02-16 00:09 . 2008-11-06 11:37 3,596,288 --a------ c:\windows\System32\qt-dx331.dll
2009-02-16 00:09 . 2008-09-24 13:41 839,680 --a------ c:\windows\System32\lameACM.acm
2009-02-16 00:09 . 2008-12-07 13:08 795,648 --a------ c:\windows\System32\xvidcore.dll
2009-02-16 00:09 . 2008-11-06 11:33 684,032 --a------ c:\windows\System32\divx.dll
2009-02-16 00:09 . 2004-01-25 11:18 217,088 --a------ c:\windows\System32\yv12vfw.dll
2009-02-16 00:09 . 2008-09-16 14:23 168,448 --a------ c:\windows\System32\unrar.dll
2009-02-16 00:09 . 2008-12-07 13:08 130,048 --a------ c:\windows\System32\xvidvfw.dll
2009-02-16 00:09 . 2007-09-20 19:52 118,784 --a------ c:\windows\System32\ac3acm.acm
2009-02-16 00:09 . 2008-12-10 19:33 86,016 --a------ c:\windows\System32\dpl100.dll
2009-02-16 00:09 . 2009-02-09 13:56 67,584 --a------ c:\windows\System32\ff_vfw.dll
2009-02-16 00:09 . 2007-07-10 11:10 547 --a------ c:\windows\System32\ff_vfw.dll.manifest
2009-02-16 00:09 . 2008-10-03 07:30 414 --a------ c:\windows\System32\lame_acm.xml
2009-02-13 03:58 . 2009-02-13 03:58 <DIR> dr------- c:\users\zhe\Videos
2009-02-13 03:58 . 2009-02-13 03:58 <DIR> dr------- c:\users\zhe\Searches
2009-02-13 03:58 . 2009-02-13 03:58 <DIR> dr------- c:\users\zhe\Saved Games
2009-02-13 03:58 . 2008-10-24 19:00 <DIR> d-------- c:\users\zhe\Roaming
2009-02-13 03:58 . 2009-02-13 03:58 <DIR> dr------- c:\users\zhe\Pictures
2009-02-13 03:58 . 2009-02-13 03:58 <DIR> dr------- c:\users\zhe\Music
2009-02-13 03:58 . 2009-02-13 03:58 <DIR> dr------- c:\users\zhe\Links
2009-02-13 03:58 . 2009-02-13 03:58 <DIR> dr------- c:\users\zhe\Downloads
2009-02-13 03:58 . 2009-02-13 03:59 <DIR> dr------- c:\users\zhe\Documents
2009-02-13 03:58 . 2009-02-13 03:58 <DIR> dr------- c:\users\zhe\Contacts
2009-02-13 03:58 . 2009-02-13 03:58 <DIR> d--h----- c:\users\zhe\AppData
2009-02-13 03:58 . 2009-02-13 03:58 <DIR> d-------- c:\users\zhe
2009-02-10 12:21 . 2004-02-10 12:36 <DIR> d-------- c:\program files\SAS
2009-02-10 12:21 . 2002-01-05 07:48 974,848 --a------ c:\windows\System32\mfc70.dll
2009-02-10 12:21 . 2002-01-05 07:36 964,608 --a------ c:\windows\System32\mfc70u.dll
2009-02-10 12:21 . 2002-01-05 06:40 487,424 --a------ c:\windows\System32\msvcp70.dll
2009-02-10 12:21 . 2002-01-05 06:37 344,064 --a------ c:\windows\System32\msvcr70.dll
2009-02-10 12:21 . 2002-01-05 05:18 84,992 --a------ c:\windows\System32\atl70.dll
2009-02-10 12:21 . 2002-01-05 06:38 54,784 --a------ c:\windows\System32\msvci70.dll
2009-02-10 12:21 . 2009-02-10 12:21 953 --a------ c:\windows\vpd.properties
2009-02-08 05:00 . 2009-02-08 05:00 <DIR> d-------- c:\users\Administrator\AppData\Roaming\GRETECH
2009-02-08 05:00 . 2009-02-08 05:00 <DIR> d-------- c:\program files\GRETECH
2009-02-07 20:34 . 2009-02-07 20:34 <DIR> d-------- c:\users\Administrator\AppData\Roaming\OpenOffice.org
2009-02-07 20:12 . 2009-02-07 20:12 <DIR> d-------- c:\program files\OpenOffice.org 3
2009-02-07 20:12 . 2009-02-07 20:12 <DIR> d-------- c:\program files\JRE
2009-02-06 14:53 . 2009-02-06 14:54 <DIR> d-------- c:\program files\Windows清理助手
2009-01-31 22:11 . 2009-01-31 22:12 <DIR> d-------- c:\program files\FILE RECOVERY for Windows
2009-01-30 06:56 . 2009-01-30 06:56 <DIR> d-------- c:\program files\VS竞技游戏平台
2009-01-28 13:51 . 2008-06-19 20:14 781,344 --a------ c:\windows\System32\PresentationNative_v0300.dll
2009-01-28 13:51 . 2008-06-19 20:14 622,080 --a------ c:\windows\System32\icardagt.exe
2009-01-28 13:51 . 2008-06-19 20:14 326,160 --a------ c:\windows\System32\PresentationHost.exe
2009-01-28 13:51 . 2008-06-19 20:14 105,016 --a------ c:\windows\System32\PresentationCFFRasterizerNative_v0300.dll
2009-01-28 13:51 . 2008-06-19 20:14 97,800 --a------ c:\windows\System32\infocardapi.dll
2009-01-28 13:51 . 2008-06-19 20:14 43,544 --a------ c:\windows\System32\PresentationHostProxy.dll
2009-01-28 13:51 . 2008-06-19 20:14 37,384 --a------ c:\windows\System32\infocardcpl.cpl
2009-01-28 13:51 . 2008-06-19 20:14 11,264 --a------ c:\windows\System32\icardres.dll
2009-01-28 13:49 . 2008-07-27 13:03 282,112 --a------ c:\windows\System32\mscoree.dll
2009-01-28 13:49 . 2008-07-27 13:03 158,720 --a------ c:\windows\System32\mscorier.dll
2009-01-28 13:49 . 2008-07-27 13:03 96,760 --a------ c:\windows\System32\dfshim.dll
2009-01-28 13:49 . 2008-07-27 13:03 83,968 --a------ c:\windows\System32\mscories.dll
2009-01-28 13:49 . 2008-07-27 13:03 41,984 --a------ c:\windows\System32\netfxperf.dll
2009-01-28 09:15 . 2009-01-28 09:15 <DIR> d-------- c:\users\Administrator\AppData\Roaming\ReliaSoft
2009-01-28 09:14 . 2009-01-28 09:14 <DIR> d-------- c:\program files\ReliaSoft
2009-01-28 09:14 . 2009-01-28 09:14 <DIR> d-------- c:\program files\Common Files\ReliaSoft
2009-01-21 22:19 . 2009-01-21 22:19 57 --a------ c:\windows\System32\peer.ini
2009-01-21 22:17 . 2009-01-21 22:17 <DIR> d-------- c:\program files\PPLive
2009-01-21 22:17 . 2009-01-21 22:17 <DIR> d-------- c:\program files\Common Files\Synacast
2009-01-21 22:11 . 2009-01-21 22:11 19 --a------ c:\windows\powerlist.ini

.
(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-21 02:50 --------- d-----w c:\programdata\Microsoft Help
2009-02-20 06:47 --------- d-----w c:\program files\DC++
2009-02-20 00:23 --------- d-----w c:\users\Administrator\AppData\Roaming\FileZilla
2009-02-19 09:40 --------- d-----w c:\users\Administrator\AppData\Roaming\PPStream
2009-02-17 23:08 --------- d-----w c:\users\Administrator\AppData\Roaming\WinEdt
2009-02-16 05:45 --------- d-----w c:\program files\Common Files\Real
2009-02-08 01:12 --------- d-----w c:\program files\OpenOffice.org 2.4
2009-02-08 00:20 --------- d-----w c:\users\Administrator\AppData\Roaming\OpenOffice.org2
2009-02-04 14:12 --------- d-----w c:\program files\FlashGet
2009-01-28 18:58 --------- d-----w c:\program files\Microsoft SQL Server
2009-01-26 04:04 --------- d-----w c:\users\Administrator\AppData\Roaming\CCTV
2009-01-26 00:27 --------- d-----w c:\program files\TTPlayer
2009-01-22 03:19 --------- d-----w c:\program files\qqqtv网络电视
2009-01-22 03:11 --------- d-----w c:\program files\PPStream
2009-01-19 08:23 --------- d-----w c:\programdata\vucache
2009-01-19 08:23 --------- d-----w c:\programdata\Thunder Network
2009-01-19 08:23 --------- d-----w c:\program files\Thunder Network
2009-01-19 08:23 --------- d-----w c:\program files\Common Files\Thunder Network
2009-01-18 03:18 --------- d-----w c:\users\Administrator\AppData\Roaming\TaxCut
2009-01-18 03:17 --------- d-----w c:\program files\TaxCut08
2009-01-18 03:16 --------- d-----w c:\program files\PDF995
2009-01-18 03:13 --------- d-----w c:\programdata\TaxCut
2009-01-18 01:59 --------- d-----w c:\program files\RaySource
2009-01-18 01:47 --------- d-----w c:\programdata\Grid
2009-01-18 01:47 --------- d-----w c:\program files\GridService
2009-01-16 10:08 --------- d-----w c:\program files\TVAnts
2009-01-15 21:39 --------- d-----w c:\program files\JabRef
2009-01-10 01:23 --------- d-----w c:\program files\TOM Online Inc
2009-01-09 08:01 --------- d-----w c:\program files\FLV Player
2009-01-07 22:51 --------- d-----w c:\program files\Mozilla Thunderbird
2009-01-07 05:47 --------- d-----w c:\program files\Actual Window Manager
2009-01-01 03:00 --------- d-----w c:\program files\Microsoft
2008-12-23 03:53 --------- d-----w c:\program files\eREAD6.0
2008-12-22 03:12 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2008-12-21 21:46 --------- d-----w c:\users\Administrator\AppData\Roaming\vlc
2008-12-21 21:43 --------- d-----w c:\program files\VideoLAN
2008-01-19 11:41 174 --sha-w c:\program files\desktop.ini
2008-12-02 07:42 36,864 ----a-w c:\program files\mozilla firefox\components\NsThunderLoader.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-02-20_17.27.23.90 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-21 19:18:29 6,086,656 ----a-w c:\windows\ERDNT\Hiv-backup\SCHEMA.DAT
+ 2009-02-21 19:21:45 6,086,656 ----a-w c:\windows\ERDNT\subs\SCHEMA.DAT
+ 2009-02-20 22:45:40 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-18 02:13:02 811,008 ----a-w c:\windows\gmer.exe
+ 2007-08-24 11:01:22 147,304 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109150000000000000000F01FEC\12.0.6215\DWGCNV.DLL
- 2009-01-14 16:10:32 1,165,584 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2009-02-21 02:50:07 1,165,584 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
- 2009-01-14 16:10:32 20,240 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-02-21 02:50:07 20,240 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
- 2009-01-14 16:10:32 159,504 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2009-02-21 02:50:07 159,504 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
- 2009-01-14 16:10:32 184,080 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2009-02-21 02:50:07 184,080 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
- 2009-01-14 16:10:32 217,864 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
+ 2009-02-21 02:50:07 217,864 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
- 2009-01-14 16:10:32 18,704 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
+ 2009-02-21 02:50:07 18,704 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
- 2009-01-14 16:10:32 35,088 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
+ 2009-02-21 02:50:07 35,088 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
- 2009-01-14 16:10:32 845,584 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
+ 2009-02-21 02:50:07 845,584 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2009-01-14 16:10:32 922,384 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2009-02-21 02:50:07 922,384 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
- 2009-01-14 16:10:32 272,648 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
+ 2009-02-21 02:50:07 272,648 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
- 2009-01-14 16:10:32 888,080 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2009-02-21 02:50:07 888,080 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
- 2009-01-14 16:10:32 1,172,240 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2009-02-21 02:50:07 1,172,240 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
- 2008-11-13 03:10:07 20,240 ----a-r c:\windows\Installer\{90120000-0051-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-02-21 02:49:44 20,240 ----a-r c:\windows\Installer\{90120000-0051-0000-0000-0000000FF1CE}\cagicon.exe
- 2008-11-13 03:10:07 217,864 ----a-r c:\windows\Installer\{90120000-0051-0000-0000-0000000FF1CE}\misc.exe
+ 2009-02-21 02:49:44 217,864 ----a-r c:\windows\Installer\{90120000-0051-0000-0000-0000000FF1CE}\misc.exe
- 2008-11-13 03:10:07 18,704 ----a-r c:\windows\Installer\{90120000-0051-0000-0000-0000000FF1CE}\mspicons.exe
+ 2009-02-21 02:49:44 18,704 ----a-r c:\windows\Installer\{90120000-0051-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-11-13 03:10:07 35,088 ----a-r c:\windows\Installer\{90120000-0051-0000-0000-0000000FF1CE}\oisicon.exe
+ 2009-02-21 02:49:44 35,088 ----a-r c:\windows\Installer\{90120000-0051-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-11-13 03:10:07 327,952 ----a-r c:\windows\Installer\{90120000-0051-0000-0000-0000000FF1CE}\visicon.exe
+ 2009-02-21 02:49:44 327,952 ----a-r c:\windows\Installer\{90120000-0051-0000-0000-0000000FF1CE}\visicon.exe
- 2009-02-20 22:21:00 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2009-02-21 19:24:48 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2009-02-20 22:21:00 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2009-02-21 19:24:41 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2009-02-20 22:45:40 85,969 ----a-w c:\windows\System32\drivers\gmer.sys
- 2009-02-15 20:16:01 323,904 ----a-w c:\windows\System32\FNTCACHE.DAT
+ 2009-02-21 19:24:04 323,904 ----a-w c:\windows\System32\FNTCACHE.DAT
- 2009-01-10 01:35:28 20,853,704 ----a-w c:\windows\System32\mrt.exe
+ 2009-02-12 04:56:17 21,244,872 ----a-w c:\windows\System32\mrt.exe
- 2009-02-20 22:12:26 132,372 ----a-w c:\windows\System32\perfc009.dat
+ 2009-02-20 22:27:28 132,372 ----a-w c:\windows\System32\perfc009.dat
- 2009-02-20 22:12:26 676,678 ----a-w c:\windows\System32\perfh009.dat
+ 2009-02-20 22:27:28 676,678 ----a-w c:\windows\System32\perfh009.dat
- 2009-01-29 01:48:37 6,291,456 ----a-w c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2009-02-21 19:21:45 6,086,656 ----a-w c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2008-08-30 18:57:06 296,224 ----a-w c:\windows\temp\KR7509.EXE
- 2009-02-13 08:59:33 19,485,290 ----a-w c:\windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin
+ 2009-02-21 05:34:32 29,315,545 ----a-w c:\windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin
.
-- 快照技术重新设置 --
.
((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DU Meter"="c:\program files\DU Meter\DUMeter.exe" [2008-10-24 2582288]
"Google Update"="c:\users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-12-11 133104]
"Actual Window Manager"="c:\program files\Actual Window Manager\ActualWindowManagerCenter.exe" [2009-01-07 1105920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-17 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-17 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-17 141848]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-03-23 68464]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-11-21 820520]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2008-08-30 714024]
"Google IME Autoupdater"="c:\program files\Google\Google Pinyin\GooglePinyinDaemon.exe" [2008-10-17 308720]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-13 136600]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2007-02-26 992816]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"Grid Service"="c:\program files\GridService\peer.exe" [2008-12-30 4993024]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-02-16 185632]

c:\users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Mozilla Thunderbird.lnk - c:\program files\Mozilla Thunderbird\thunderbird.exe [2008-10-24 8504936]
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ShowSuperHidden"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.enc"= ITIG726.acm
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli RASSFM

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2008-10-14 21:38 623992 c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2009-02-16 00:44 185632 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebThunder]
--a------ 2008-12-18 21:59 677280 c:\program files\Thunder Network\WebThunder\WebThunder.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy]
"DisableStatefulFTP"= 1 (0x1)
"DisableStatefulPPTP"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{78A4509C-8959-43D2-9002-32827895EFAE}"= UDP:8081:Trend Micro OfficeScan Listener
"{B450F1C6-6570-4F4C-BD17-863494D10297}"= UDP:c:\program files\DC++\DCPlusPlus.exe:DC++
"{F4EFE48F-338B-470A-99D0-78DA6060CAF7}"= TCP:c:\program files\DC++\DCPlusPlus.exe:DC++
"{ADFE9EED-8D69-4252-AF89-7A0E94AB4A53}"= Disabled:UDP:c:\program files\Skype\Phone\Skype.exe:Skype
"{740FBBCD-B858-4111-B6A6-E6F53BF592F2}"= Disabled:TCP:c:\program files\Skype\Phone\Skype.exe:Skype
"{B3533808-BC23-4C7C-A293-AC51F98CBEE7}"= UDP:c:\program files\GridService\peer.exe:muse peer
"{703A8759-2DB2-4070-B937-915AA58A882D}"= TCP:c:\program files\GridService\peer.exe:muse peer
"{FEF36C8D-AA9C-4B08-BEC1-DBCC11C28037}"= Disabled:UDP:c:\program files\Thunder Network\WebThunder\WebThunder.exe:WebThunder
"{154BF17A-74D2-4355-A54C-593DE5796654}"= Disabled:TCP:c:\program files\Thunder Network\WebThunder\WebThunder.exe:WebThunder
"{B2AB905F-EBDE-4E46-B8D1-465091E85C12}"= UDP:c:\program files\GridService\peer.exe:muse peer
"{EFB171D1-A16D-489C-B535-0F48CC07338A}"= TCP:c:\program files\GridService\peer.exe:muse peer
"{2CAE094A-3645-4FB4-876B-4302CB482F89}"= UDP:8081:Trend Micro OfficeScan Listener

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"DisableNotifications"= 1 (0x1)
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\Kingsoft\\Powerword 2007\\xdict.exe"= c:\program files\Kingsoft\Powerword 2007\xdict.exe:*:Enabled:Kingsoft PowerWord
"c:\\Program Files\\Kingsoft\\Powerword 2007\\update.exe"= c:\program files\Kingsoft\Powerword 2007\update.exe:*:Enabled:Kingsoft PowerWord Online Update
"c:\\Program Files\\PPStream\\PPStream.exe"= c:\program files\PPStream\PPStream.exe:*:Enabled:PPS网络电视
"c:\\Program Files\\PPStream\\PPSAP.exe"= c:\program files\PPStream\PPSAP.exe:*:Enabled:PPS 网络加速器

R0 storflt;Disk VMBUS Acceleration Filter Driver;c:\windows\System32\drivers\storflt.sys [2008-10-24 33280]
R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\System32\drivers\tmlwf.sys [2008-10-25 143376]
R1 VBoxDrv;VirtualBox Service;c:\windows\System32\drivers\VBoxDrv.sys [2008-11-07 96016]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\System32\drivers\VBoxUSBMon.sys [2008-11-07 41744]
R2 DUMeterSvc;DU Meter Service;c:\program files\DU Meter\DUMeterSvc.exe [2008-10-24 1382672]
R2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\System32\drivers\tmwfp.sys [2008-10-25 235536]
R2 TPHKSVC;On Screen Display;c:\program files\Lenovo\HOTKEY\TPHKSVC.exe [2008-10-24 53325]
R2 WebDriveFSD;WebDrive File System Driver;c:\program files\NetDrive\rffsd.sys [2008-11-03 67032]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\System32\drivers\NETw5v32.sys [2008-06-26 3662848]
S0 sacdrv;sacdrv;c:\windows\System32\drivers\sacdrv.sys [2008-01-19 88632]
S2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\tmxpflt.sys [2008-10-24 205328]
S2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [2008-10-24 36368]
S3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\System32\drivers\e1y6032.sys [2008-06-13 225920]
S3 FCRegSvc;Microsoft Fibre Channel Platform Registration Service;c:\windows\system32\svchost.exe -k LocalServiceNetworkRestricted [2008-01-19 21504]
S3 RSoPProv;Resultant Set of Policy Provider;c:\windows\System32\rsopprov.exe [2008-01-19 78336]
S3 sacsvr;Special Administration Console Helper;c:\windows\System32\svchost.exe -k netsvcs [2008-01-19 21504]
S3 TmPfw;OfficeScan NT Firewall;c:\program files\Trend Micro\OfficeScan Client\TmPfw.exe [2008-10-24 488768]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [2008-10-24 652552]
S4 b06bdrv;Broadcom NetXtreme II VBD;c:\windows\System32\drivers\bxvbdx.sys [2008-01-19 396288]
S4 ioatdma;Intel® QuickData Technology Device;c:\windows\System32\drivers\qd26032.sys [2008-01-19 31232]
S4 s3cap;Microsoft Emulated S3 Device Cap Driver;c:\windows\System32\drivers\s3cap.sys [2008-10-24 5632]
S4 storvsc;storvsc;c:\windows\System32\drivers\storvsc.sys [2008-01-19 37320]
S4 vmbus;VMBus;c:\windows\System32\drivers\vmbus.sys [2008-01-19 185032]

--- Other Services/Drivers In Memory ---

*Deregistered* - sptd

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
TapiSrv REG_MULTI_SZ TapiSrv
WebClientGroup REG_MULTI_SZ WebClient
WlansvcGroup REG_MULTI_SZ wlansvc
TabletInputServiceGroup REG_MULTI_SZ TabletInputService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
sacsvr
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalServiceNetworkRestricted
FCRegSvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eaabf43d-b433-11dd-9ed6-0021869f3f8e}]
\shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}]
%systemroot%\system32\rundll32.exe iesetup.dll,IEHardenAdmin

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}]
%systemroot%\system32\rundll32.exe iesetup.dll,IEHardenUser
.
‘计划任务’ 文件夹 里的内容

2009-02-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-285618892-2696770435-1718402303-500.job
- c:\users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe [2008-12-11 15:59]

2009-02-10 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PCDR5\pcdr5cuiw32.exe [2008-10-31 13:14]
.
.
------- 而外的扫描 -------
.
uStart Page = about:blank
uInternet Settings,ProxyServer = ftp=128.6.29.44:3128;http=128.6.29.44:3128;https=128.6.29.44:3128;socks=128.6.29.44:1080
uInternet Settings,ProxyOverride = 192.168.0.*;<local>
IE: &使用快车(FlashGet)下载 - c:\program files\FlashGet\jc_link.htm
IE: &使用快车(FlashGet)下载全部链接 - c:\program files\FlashGet\jc_all.htm
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: 使用WEB迅雷下载 - c:\program files\Thunder Network\WebThunder\GetUrl.htm
IE: 使用WEB迅雷下载全部链接 - c:\program files\Thunder Network\WebThunder\GetAllUrl.htm
IE: 添加到QQ表情 - c:\program files\Tencent\QQ\AddEmotion.htm
IE: {{962EFB8E-2683-42d4-AC74-AAA4C759B9C6} - http://my.xunlei.com
Trusted Zone: qq.com\cache.tv
Trusted Zone: qq.com\qqlivecaption
Trusted Zone: qq.com\qqlivehabit
Trusted Zone: qq.com\qqlivesearch
Trusted Zone: qq.com\video_1
DPF: {18226BF8-DC0B-4D81-80E9-A41AE37BB73A} - hxxp://www.pplive.com/zh-cn/other/live/install.cab
DPF: {1DABF8D5-8430-4985-9B7F-A30E53D709B3} - hxxp://cache.tv.qq.com/qqlive_ocx/QQLiveInstaller.cab
DPF: {9CA74596-B5BB-4634-971C-F0224115A15F} - hxxp://nba.tom.com/video/tcastV1.cab
FF - ProfilePath - c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\sx1sxs08.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npWebLaunch.dll
FF - plugin: c:\program files\thriXXX\WebLaunch\Binaries\npWebLaunch.dll
FF - plugin: c:\program files\TOM Online Inc\TOM Live Player\nptcast40.dll
FF - plugin: c:\users\Administrator\AppData\Local\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\sx1sxs08.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\sx1sxs08.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\sx1sxs08.default\extensions\tcastv1@tom.com\plugins\nptcast40.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-21 14:25:24
Windows 6.0.6001 Service Pack 1 NTFS

扫描被隐藏的进程 。。。

扫描被隐藏的启动组 。。。

扫描被隐藏的文件 。。。

扫描完成
被隐藏的档案: 0

**************************************************************************
.
--------------------- 运行进程下的动态链接库 ---------------------

- - - - - - - > 'winlogon.exe'(588)
c:\windows\system32\RFNP32.DLL
c:\windows\system32\RFHelper.dll
c:\windows\system32\rfhres.dll

- - - - - - - > 'Explorer.exe'(5888)
c:\program files\Actual Window Manager\aimemb.dll
.
------------------------ 其他运行进程 ------------------------
.
c:\windows\System32\ibmpmsvc.exe
c:\windows\System32\wlanext.exe
c:\windows\System32\audiodg.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\windows\System32\inetsrv\inetinfo.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
c:\windows\System32\NMSAccessU.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\windows\System32\conime.exe
c:\program files\NetDrive\wdService.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\windows\System32\igfxsrvc.exe
c:\program files\Synaptics\SynTP\SynTPLpr.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\Trend Micro\OfficeScan Client\Misc\xpupg.exe
c:\program files\Trend Micro\OfficeScan Client\PccNTUpd.exe
c:\windows\System32\msdtc.exe
.
**************************************************************************
.
完成时间: 2009-02-21 14:32:39 - 电脑已重新启动 [Administrator]
ComboFix-quarantined-files.txt 2009-02-21 19:32:36
ComboFix2.txt 2009-02-20 22:28:45

Pre-Run: 8,225,984,512 bytes free
Post-Run: 8,181,284,864 bytes free

392 --- E O F --- 2009-02-21 02:51:32



From Mbam:

Malwarebytes' Anti-Malware 1.34
Database version: 1787
Windows 6.0.6001 Service Pack 1

2/21/2009 7:19:26 PM
mbam-log-2009-02-21 (19-19-26).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 419246
Time elapsed: 2 hour(s), 53 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Mozilla Firefox\regxpcom.exe (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.

#8 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 21 February 2009 - 07:30 PM

Hello.

Looks good. Let's get an online scan to check for anything we've missed.

Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

This scan is for Internet Explorer Only.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.

Follow up with a DDS.txt log too.

Any problems at the moment?

With Regards,
The Panda

#9 sungohan

sungohan
  • Topic Starter

  • Members
  • 7 posts

Posted 22 February 2009 - 01:36 PM

Thanks, here is the report from Kaspersky.



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, February 22, 2009
Operating System: Microsoft Windows Server 2008 Standard Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, February 22, 2009 04:14:45
Records in database: 1829252
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
G:\
W:\
X:\
Y:\
Z:\

Scan statistics:
Files scanned: 433693
Threat name: 3
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 07:24:00


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\components\iamfamous.dll.vir Infected: Packed.Win32.Tdss.c 1
C:\Qoobox\Quarantine\C\RECYCLER\S-1-3-70-100003143-100021784-100031593-8510.com.vir Infected: Rootkit.Win32.TDSS.gxg 1
C:\Qoobox\Quarantine\C\Windows\System32\gaopdxylhiksre.dll.vir Infected: Rootkit.Win32.TDSS.gxu 1

The selected area was scanned.

#10 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 22 February 2009 - 01:38 PM

Hello.

Kaspersky online found some items in ComboFix's quarantine.

Please take a new DDS.txt log.

Are there any problems right now?

With Regards,
The Panda

#11 sungohan

sungohan
  • Topic Starter

  • Members
  • 7 posts

Posted 22 February 2009 - 03:43 PM

Thank you, and here is the log file from DDS.
The attached file is attach.txt.


DDS (Ver_09-02-01.01) - NTFSx86
Run by Administrator at 15:40:31.70 on 02/22/2009 Sun
Internet Explorer: 8.0.6001.18372 BrowserJavaVersion: 1.6.0_11

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\ibmpmsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\System32\svchost.exe -k TabletInputServiceGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k WlansvcGroup
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\spoolsv.exe
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
C:\Windows\system32\svchost.exe -k apphost
C:\Program Files\DU Meter\DUMeterSvc.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Windows\system32\inetsrv\inetinfo.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\NMSAccessU.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k tapisrv
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\svchost.exe -k iissvcs
C:\Program Files\NetDrive\wdService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Lenovo\System Update\SUService.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Google\Google Pinyin\googlepinyindaemon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\GridService\peer.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Actual Window Manager\ActualWindowManagerCenter.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Trend Micro\OfficeScan Client\Misc\xpupg.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\Windows\System32\msdtc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\STerm2.549绿色版\sterm.exe
C:\Program Files\Kingsoft\Powerword 2007\xdict.exe
C:\Program Files\ICCup\Launcher\launcher.exe
C:\Program Files\Alarm\Alarm.exe
C:\Windows\explorer.exe
E:\Games\StarCraft\Tools\Chaoslauncher\Chaoslauncher.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Games\StarCraft\starcraft.exe
E:\Games\StarCraft\Tools\bwrepinfow.exe
C:\Windows\system32\taskeng.exe
C:\Users\Administrator\Desktop\dds.com
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyServer = ftp=128.6.29.44:3128;http=128.6.29.44:3128;https=128.6.29.44:3128;socks=128.6.29.44:1080
uInternet Settings,ProxyOverride = 192.168.0.*;<local>
BHO: WebThunder Browser Helper: {00000aaa-a363-466e-bef5-9bb68697aa7f} - c:\program files\thunder network\webthunder\WebThunderBHO_Now.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: Click-to-Call BHO: {5c255c8a-e604-49b4-9d64-90988571cecb} - c:\program files\windows live\messenger\wlchtc.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [DU Meter] c:\program files\du meter\DUMeter.exe
uRun: [Google Update] "c:\users\administrator\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Actual Window Manager] "c:\program files\actual window manager\ActualWindowManagerCenter.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [Google IME Autoupdater] "c:\program files\google\google pinyin\GooglePinyinDaemon.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [Grid Service] "c:\program files\gridservice\peer.exe" -n Grid
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\users\admini~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\mozill~1.lnk - c:\program files\mozilla thunderbird\thunderbird.exe
StartupFolder: c:\users\admini~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
mPolicies-explorer: ShowSuperHidden = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &使用快车(FlashGet)下载 - c:\program files\flashget\jc_link.htm
IE: &使用快车(FlashGet)下载全部链接 - c:\program files\flashget\jc_all.htm
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: 使用WEB迅雷下载 - c:\program files\thunder network\webthunder\GetUrl.htm
IE: 使用WEB迅雷下载全部链接 - c:\program files\thunder network\webthunder\GetAllUrl.htm
IE: 添加到QQ表情 - c:\program files\tencent\qq\AddEmotion.htm
IE: {962EFB8E-2683-42d4-AC74-AAA4C759B9C6} - http://my.xunlei.com
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
Trusted Zone: qq.com\cache.tv
Trusted Zone: qq.com\qqlivecaption
Trusted Zone: qq.com\qqlivehabit
Trusted Zone: qq.com\qqlivesearch
Trusted Zone: qq.com\video_1
DPF: {18226BF8-DC0B-4D81-80E9-A41AE37BB73A} - hxxp://www.pplive.com/zh-cn/other/live/install.cab
DPF: {1DABF8D5-8430-4985-9B7F-A30E53D709B3} - hxxp://cache.tv.qq.com/qqlive_ocx/QQLiveInstaller.cab
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9CA74596-B5BB-4634-971C-F0224115A15F} - hxxp://nba.tom.com/video/tcastV1.cab
DPF: {C728DAB8-FDF5-4CD7-89DD-879D25794C77} - hxxp://t.live.cctv.com/ieocx/CCTVUpdateInstall.dll
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
LSA: Notification Packages = scecli RASSFM

================= FIREFOX ===================

FF - ProfilePath - c:\users\admini~1\appdata\roaming\mozilla\firefox\profiles\sx1sxs08.default\
FF - plugin: c:\program files\mozilla firefox\plugins\npWebLaunch.dll
FF - plugin: c:\program files\thrixxx\weblaunch\binaries\npWebLaunch.dll
FF - plugin: c:\program files\tom online inc\tom live player\nptcast40.dll
FF - plugin: c:\users\administrator\appdata\local\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\users\administrator\appdata\roaming\mozilla\firefox\profiles\sx1sxs08.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\users\administrator\appdata\roaming\mozilla\firefox\profiles\sx1sxs08.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\users\administrator\appdata\roaming\mozilla\firefox\profiles\sx1sxs08.default\extensions\tcastv1@tom.com\plugins\nptcast40.dll

============= SERVICES / DRIVERS ===============

R0 storflt;Disk VMBUS Acceleration Filter Driver;c:\windows\system32\drivers\storflt.sys [2008-10-24 33280]
R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\system32\drivers\tmlwf.sys [2008-10-25 143376]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2008-11-7 96016]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2008-11-7 41744]
R2 DUMeterSvc;DU Meter Service;c:\program files\du meter\DUMeterSvc.exe [2008-10-24 1382672]
R2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\system32\drivers\tmwfp.sys [2008-10-25 235536]
R2 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2008-10-24 53325]
R2 WebDriveFSD;WebDrive File System Driver;c:\program files\netdrive\rffsd.sys [2008-11-3 67032]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-6-26 3662848]
S0 sacdrv;sacdrv;c:\windows\system32\drivers\sacdrv.sys [2008-1-19 88632]
S2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\tmxpflt.sys [2008-10-24 205328]
S2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2008-10-24 36368]
S3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y6032.sys [2008-6-13 225920]
S3 FCRegSvc;Microsoft Fibre Channel Platform Registration Service;c:\windows\system32\svchost.exe -k LocalServiceNetworkRestricted [2008-1-19 21504]
S3 RSoPProv;Resultant Set of Policy Provider;c:\windows\system32\rsopprov.exe [2008-1-19 78336]
S3 sacsvr;Special Administration Console Helper;c:\windows\system32\svchost.exe -k netsvcs [2008-1-19 21504]
S3 TmPfw;OfficeScan NT Firewall;c:\program files\trend micro\officescan client\TmPfw.exe [2008-10-24 488768]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2008-10-24 652552]
S4 b06bdrv;Broadcom NetXtreme II VBD;c:\windows\system32\drivers\bxvbdx.sys [2008-1-19 396288]
S4 ioatdma;Intel® QuickData Technology Device;c:\windows\system32\drivers\qd26032.sys [2008-1-19 31232]
S4 s3cap;Microsoft Emulated S3 Device Cap Driver;c:\windows\system32\drivers\s3cap.sys [2008-10-24 5632]
S4 storvsc;storvsc;c:\windows\system32\drivers\storvsc.sys [2008-1-19 37320]
S4 vmbus;VMBus;c:\windows\system32\drivers\vmbus.sys [2008-1-19 185032]

============== File Associations ===============

txtfile=c:\windows\notepad.exe %1

=============== Created Last 30 ================

2009-02-21 14:39 <DIR> --d----- c:\users\admini~1\appdata\roaming\Malwarebytes
2009-02-21 14:39 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-21 14:39 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-21 14:39 <DIR> --d----- c:\programdata\Malwarebytes
2009-02-21 14:39 <DIR> --d----- c:\progra~2\Malwarebytes
2009-02-21 14:39 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-21 14:18 161,792 a------- c:\windows\SWREG.exe
2009-02-21 14:18 98,816 a------- c:\windows\sed.exe
2009-02-21 14:18 <DIR> --d----- C:\ComboFix
2009-02-20 17:45 250 a------- c:\windows\gmer.ini
2009-02-16 00:45 <DIR> --d----- c:\program files\common files\xing shared
2009-02-16 00:09 168,448 a------- c:\windows\system32\unrar.dll
2009-02-16 00:09 839,680 a------- c:\windows\system32\lameACM.acm
2009-02-16 00:09 414 a------- c:\windows\system32\lame_acm.xml
2009-02-16 00:09 3,596,288 a------- c:\windows\system32\qt-dx331.dll
2009-02-16 00:09 795,648 a------- c:\windows\system32\xvidcore.dll
2009-02-16 00:09 217,088 a------- c:\windows\system32\yv12vfw.dll
2009-02-16 00:09 130,048 a------- c:\windows\system32\xvidvfw.dll
2009-02-16 00:09 118,784 a------- c:\windows\system32\ac3acm.acm
2009-02-16 00:09 86,016 a------- c:\windows\system32\dpl100.dll
2009-02-16 00:09 684,032 a------- c:\windows\system32\divx.dll
2009-02-16 00:09 67,584 a------- c:\windows\system32\ff_vfw.dll
2009-02-16 00:09 547 a------- c:\windows\system32\ff_vfw.dll.manifest
2009-02-16 00:09 <DIR> --d----- c:\program files\K-Lite Codec Pack
2009-02-10 12:21 974,848 a------- c:\windows\system32\mfc70.dll
2009-02-10 12:21 964,608 a------- c:\windows\system32\mfc70u.dll
2009-02-10 12:21 487,424 a------- c:\windows\system32\msvcp70.dll
2009-02-10 12:21 344,064 a------- c:\windows\system32\msvcr70.dll
2009-02-10 12:21 54,784 a------- c:\windows\system32\msvci70.dll
2009-02-10 12:21 84,992 a------- c:\windows\system32\atl70.dll
2009-02-10 12:21 953 a------- c:\windows\vpd.properties
2009-02-10 12:21 <DIR> --d----- c:\program files\SAS
2009-02-08 05:00 <DIR> --d----- c:\program files\GRETECH
2009-02-07 20:34 <DIR> --d----- c:\users\admini~1\appdata\roaming\OpenOffice.org
2009-02-07 20:12 <DIR> --d----- c:\program files\JRE
2009-02-07 20:12 <DIR> --d----- c:\program files\OpenOffice.org 3
2009-02-06 14:53 <DIR> --d----- c:\program files\Windows清理助手
2009-01-31 22:11 <DIR> --d----- c:\program files\FILE RECOVERY for Windows
2009-01-30 06:56 <DIR> --d----- c:\program files\VS竞技游戏平台
2009-01-28 13:51 105,016 a------- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-01-28 13:51 97,800 a------- c:\windows\system32\infocardapi.dll
2009-01-28 13:51 622,080 a------- c:\windows\system32\icardagt.exe
2009-01-28 13:51 43,544 a------- c:\windows\system32\PresentationHostProxy.dll
2009-01-28 13:51 37,384 a------- c:\windows\system32\infocardcpl.cpl
2009-01-28 13:51 11,264 a------- c:\windows\system32\icardres.dll
2009-01-28 13:51 781,344 a------- c:\windows\system32\PresentationNative_v0300.dll
2009-01-28 13:51 326,160 a------- c:\windows\system32\PresentationHost.exe
2009-01-28 13:49 96,760 a------- c:\windows\system32\dfshim.dll
2009-01-28 13:49 282,112 a------- c:\windows\system32\mscoree.dll
2009-01-28 13:49 41,984 a------- c:\windows\system32\netfxperf.dll
2009-01-28 13:49 158,720 a------- c:\windows\system32\mscorier.dll
2009-01-28 13:49 83,968 a------- c:\windows\system32\mscories.dll
2009-01-28 09:15 <DIR> --d----- c:\users\admini~1\appdata\roaming\ReliaSoft
2009-01-28 09:14 <DIR> --d----- c:\program files\ReliaSoft
2009-01-28 09:14 <DIR> --d----- c:\program files\common files\ReliaSoft

==================== Find3M ====================

2009-01-15 05:05 911,872 a------- c:\windows\system32\wininet.dll
2009-01-15 05:05 43,008 a------- c:\windows\system32\licmgr10.dll
2009-01-15 05:04 18,944 a------- c:\windows\system32\corpol.dll
2009-01-15 05:04 109,056 a------- c:\windows\system32\iesysprep.dll
2009-01-15 05:04 132,096 a------- c:\windows\system32\ieUnatt.exe
2009-01-15 05:04 109,568 a------- c:\windows\system32\PDMSetup.exe
2009-01-15 05:04 107,520 a------- c:\windows\system32\RegisterIEPKEYs.exe
2009-01-15 05:04 107,008 a------- c:\windows\system32\SetIEInstalledDate.exe
2009-01-15 05:04 103,936 a------- c:\windows\system32\SetDepNx.exe
2009-01-15 05:03 420,352 a------- c:\windows\system32\vbscript.dll
2009-01-15 05:03 72,704 a------- c:\windows\system32\admparse.dll
2009-01-15 05:03 71,680 a------- c:\windows\system32\iesetup.dll
2009-01-15 05:03 66,560 a------- c:\windows\system32\wextract.exe
2009-01-15 05:02 169,472 a------- c:\windows\system32\iexpress.exe
2009-01-15 05:01 34,304 a------- c:\windows\system32\imgutil.dll
2009-01-15 05:00 48,128 a------- c:\windows\system32\mshtmler.dll
2009-01-15 05:00 45,568 a------- c:\windows\system32\mshta.exe
2009-01-15 04:50 156,160 a------- c:\windows\system32\msls31.dll
2008-12-31 03:39 86,016 a------- c:\windows\inf\infstrng.dat
2008-12-31 03:39 86,016 a------- c:\windows\inf\infstor.dat
2008-12-31 03:39 51,200 a------- c:\windows\inf\infpub.dat
2008-12-13 11:49 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-02 22:37 49,480 a------- c:\windows\system32\sirenacm.dll
2008-11-24 22:31 2,248,544 a------- c:\windows\system32\sqlncli.dll
2008-11-24 22:31 65,888 a------- c:\windows\system32\sqlctr90.dll
2008-10-24 19:34 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-19 06:41 174 a--sh--- c:\program files\desktop.ini
2008-01-19 06:29 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2008-01-19 06:29 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2008-01-19 06:29 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2008-01-19 06:29 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-01-19 06:24 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 15:41:31.71 ===============


#12 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:07:02 PM

Posted 22 February 2009 - 05:16 PM

Hello.

Looks good. Unless there are any issues at the moment, we can wrap up.

Uninstall ComboFix
Remove Combofix now that we're done with it.
  • Click on your Start Menu, then Run....
  • Now type combofix /u in the runbox and click OK. Notice the space between the "x" and "/".
  • When shown the disclaimer, Select "2"
Uninstalling ComboFix will do the following:
  • Delete ComboFix and its components from your computer.
  • Delete other tools commonly used during the malware removal process.
  • Reset clock settings to standard format.
  • Hide file extensions and hidden/system files.
  • Clear the System Restore cache and create a new restore point.
Preventing Malware Infection in the Future
Please take some time to look at the following links, giving some advice and suggestions for preventing future infections: For general slowness problems that you may have, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable unneeded processes and increase the amount of available resources.

Do you have any further questions or concerns?

With Regards,
The Panda

#13 sungohan

sungohan
  • Topic Starter

  • Members
  • 7 posts
  • Local time:07:02 PM

Posted 22 February 2009 - 05:21 PM

Thank you, Panda, my problems are all solved.
You guys are really life saviors.

#14 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:07:02 PM

Posted 23 February 2009 - 02:44 PM

Glad we could help.

Since this issue appears to be resolved, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda



