
Infected with Trojans: userinit.exe and srsvc.dll


This topic is locked. 33 replies to this topic.

#1 paul00001

Posted 01 August 2009 - 08:24 AM

Hello,
This is my first topic on BleepingComputer; I hope you can help me find a solution.
Actually I posted it in another forum and it was moved to the Misplaced HJT Logs forum, and I was instructed to
post it again in the "HijackThis Logs and Virus/Trojan/Spyware/Malware Removal" forum.
Could you help me and give some advice or instructions on how to solve a specific trojan problem?
I have trouble with two trojans which cannot be removed from my laptop. I use Windows XP SP2.
After a scan using Spyware Terminator, it reported two critical objects:
(1)Trojan.KillAV.drg : C:\WINDOWS\system32\srsvc.dll
C:\WINDOWS\system32\dllcache\srsvc.dll
C:\WINDOWS\system32\srsvc.dll.ren
(2)Trojan.SpyWare.GEY : C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\dllcache\userinit.exe
After the infection my internet connection speed slowed down, sometimes to 2-3 kB and even below 1 kB.
I tried to remove these trojans, but I had information that they could be removed on reboot.
After rebooting and typing my user name and password it logged me in and immediately logged me off.
Then, using another computer, I googled and found that these two files belong to the Windows system and that if
you delete userinit.exe it causes the trouble I ran into.
I found and read some solutions on how to get userinit.exe back into the system. I used the Windows XP
installation CD recovery console and "expand"ed userinit.exe and srsvc.dll to C:\WINDOWS\system32.
I recognised that the previous removal only removed userinit.exe and didn't remove srsvc.dll, as it was
overwritten when I used the "expand" command and expanded the original DLL from the Windows installation CD.
After the reboot I could log in with my user name and password. But after a scan with ST, it reported
that those two "trojans" still exist in my system. As I found out, srsvc.dll is related to System Restore
and could not be deleted. Maybe it's a "false positive" reported by ST, but I'm very confused.
I post the logfile from Spyware Terminator below. I'm a European guy, but I use the Windows XP
SP2 Chinese version as I can speak and read Chinese and need this Windows version when doing translations.
Some programs on my computer could mislead you because of their Chinese origin.
I found one topic on your site:
Userinit.exe / Trojan problem, Malware/Spyware, posted by Tom on Jan 24 2009; it seems to be similar
to my problem, but it does not include the srsvc.dll problem. Should I proceed according to the instructions in that topic
or hold off? Could you give me some advice? I would be very grateful if someone could help me solve
the problem.
I just read in the "Preparation Guide for use before posting about your potential Malware problem" about the DDS scan,
and I proceeded with it, and post it after the Spyware Terminator log; I also attach Attach.txt from the DDS scan.


Logfile of Spyware Terminator v2.5.8.145 (db:3.007.031.000)
Scan Time: 2009-8-1 16:40:16 length: 1852 s
Platform: WXP (5.1.0.2600)
User: Admin
Boot Mode: Normal
Scan type: Full_Virus__Spyware_Scan
Scanned Objects: 57512 (Critical:5)
Filter: No System items, No Safe items, No Invalid items

Running Processes
AppleMobileDeviceService.exe [Apple Inc.] : C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
WPService.exe [China Merchants Bank] : C:\Program Files\CMBCHINA\WebProtect\WPService.exe
PSIService.exe : C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
RichVideo.exe : C:\Program Files\Cyberlink\Shared files\RichVideo.exe
slmdmsr.exe [ ] : C:\WINDOWS\system32\slmdmsr.exe
TUProgSt.exe [TuneUp Software] : C:\WINDOWS\system32\TUProgSt.exe
UnlockerAssistant.exe : C:\Program Files\Unlocker\UnlockerAssistant.exe
PDVDServ.exe [Cyberlink Corp.] : E:\Program Files Windows\CyberLink\PowerDVD\PDVDServ.exe
brs.exe [cyberlink] : C:\Program Files\Cyberlink\Shared Files\brs.exe
NitroPDFPrinterMonitor.exe : E:\Program Files Windows\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe
rstray.exe [Beijing Rising Information Technology Co., Ltd.] : C:\Program Files\Rising\AntiSpyware\rstray.exe

Internet Settings
R - HKLM\Software\Microsoft\Internet Explorer\Main, Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R - HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R - HKLM\Software\Microsoft\Internet Explorer\Search, CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
R - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, ProxyOverride = *.local
R - HKLM\System\CurrentControlSet\Services\Tcpip\Parameters, Domain =
R - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony, DomainName =

BHO
02 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - [RealPlayer] : C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
02 - BHO: WebProtect - {53763D1D-9CA8-4C7C-9756-A8E6B8FC063B} - [China Merchants Bank] : C:\Program Files\CMBCHINA\WebProtect\WebProtect.dll

Toolbars
03 - Toolbar: 金山快译(&K) - {6C3797D2-3FEF-4cd4-B654-D3AE55B4128C} - [金山软件股份有限公司] : E:\Program Files Windows\Kingsoft\FastAIT 2006\IEBand.dll

StartUps
04 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, UnlockerAssistant : : C:\Program Files\Unlocker\UnlockerAssistant.exe
04 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Microsoft Pinyin IME Migration : [Microsoft Corporation] : C:\Program Files\Common Files\Microsoft Shared\IME12\IMESC\IMSCMIG.EXE
04 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, RemoteControl : [Cyberlink Corp.] : E:\Program Files Windows\CyberLink\PowerDVD\PDVDServ.exe
04 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, LanguageShortcut : : E:\PROGRAM FILES WINDOWS\CYBERLINK\POWERDVD\LANGUAGE\LANGUAGE.EXE
04 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, BDRegion : [cyberlink] : C:\Program Files\Cyberlink\Shared Files\brs.exe
04 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Nitro PDF Printer Monitor : : E:\Program Files Windows\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe
04 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, OSSelectorReinstall : : C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
04 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, runeip : [Beijing Rising Information Technology Co., Ltd.] : C:\Program Files\Rising\AntiSpyware\rstray.exe
04 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, KKDelay : [Beijing Rising Information Technology Co., Ltd.] : C:\Program Files\Rising\AntiSpyware\RunOnce.exe
04 - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, AppInit_DLLs : [Beijing Rising Information Technology Co., Ltd.] : C:\WINDOWS\system32\kmon.dll
04 - HKLM\System\CurrentControlSet\Control\Session Manager, BootExecute : [Beijing Rising Information Technology Co., Ltd.] : C:\WINDOWS\system32\KKNative.exe

Shell Extensions
WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} - : C:\Program Files\WinRAR\rarext.dll
N5ShellExtension ContextMenu Shell Extension - {D0DC6B97-C6FA-4B42-9649-5891A97E5005} - : E:\Program Files Windows\Nitro PDF\Professional\N5ShellExtension.dll
PowerISO - {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} - [PowerISO Computing, Inc.] : E:\Program Files Windows\PowerISO\PWRISOSH.DLL
TuneUp Theme Extension - {44440D00-FF19-4AFC-B765-9A0970567D97} - [TuneUp Software] : C:\WINDOWS\system32\uxtuneup.dll
TuneUp Shredder Shell Extension - {4858E7D9-8E12-45a3-B6A3-1CD128C9D403} - [TuneUp Software] : E:\Program Files Windows\TuneUp Utilities 2009\SDShelEx-win32.dll
TuneUp Disk Space Explorer Shell Extension - {4838CD50-7E5D-4811-9B17-C47A85539F28} - [TuneUp Software] : E:\Program Files Windows\TuneUp Utilities 2009\DseShExt-x86.dll
iTunes - {B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} - [Apple Inc.] : E:\Program Files Windows\iTunes\iTunesMiniPlayer.dll
RealOne Player Context Menu Class - {F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} - [RealNetworks, Inc.] : C:\Program Files\Real\RealPlayer\rpshell.dll

Services
23 - [Realtek Semiconductor Corp.] : C:\WINDOWS\system32\drivers\ALCXWDM.SYS
23 - [Apple Inc.] : C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
23 - [GEAR Software Inc.] : C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
23 - [Intel Corporation] : C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
23 - : C:\WINDOWS\system32\DRIVERS\SLDRV\Mtlmnt5.sys
23 - : C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
23 - : C:\WINDOWS\system32\DRIVERS\SLDRV\RecAgent.sys
23 - : C:\Program Files\Cyberlink\Shared files\RichVideo.exe
23 - [Ralink Technology, Corp.] : C:\WINDOWS\system32\DRIVERS\rt73.sys
23 - : C:\WINDOWS\system32\DRIVERS\SLDRV\slntamr.sys
23 - : C:\WINDOWS\system32\slmdmsr.exe
23 - : C:\WINDOWS\system32\DRIVERS\SLDRV\SlWdmSup.sys
23 - [Acronis] : C:\WINDOWS\system32\DRIVERS\snapman.sys
23 - [Crawler.com] : C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
23 - [TuneUp Software] : C:\WINDOWS\system32\TUProgSt.exe
23 - [Cyberlink Corp.] : E:\Program Files Windows\CyberLink\PowerDVD\000.fcl

Winlogon Notify
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui, DLLName : [Intel Corporation] : C:\WINDOWS\system32\igfxsrvc.dll

Threat Files
<Trojan.KillAV.drg> : C:\WINDOWS\system32\dllcache\srsvc.dll
<Trojan.SpyWare.GEY> : C:\WINDOWS\system32\dllcache\userinit.exe
<Trojan.KillAV.drg> : C:\WINDOWS\system32\srsvc.dll.ren

Advanced Files Report
%SYSDIR%\uxtuneup.dll [TuneUp Software] [TuneUp Utilities 2009] MD5=A98E8E3CF1E8375B7E13596DE52F558C SIZE=28928
%COMMONFILES%\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [Apple Inc.] [Apple Mobile Device Service] MD5=7E94E567C1AA5ABE6174032B3DAB6C23 SIZE=144712
%PROGRAMFILES%\CMBCHINA\WebProtect\WPService.exe [China Merchants Bank] [WebProtect] MD5=68CBE4A287B7D67580B6D9968F5336A3 SIZE=232848
%PROGRAMFILES%\CMBCHINA\WebProtect\WebProtectPlus.dll [China Merchants Bank] [WebProtect] MD5=11D2EFF4F74D3C829C5CCEC6D26ED35C SIZE=231312
%COMMONFILES%\Protexis\License Service\PSIService.exe [PSIService] MD5=64E413BA0C529AA40C3924BBCC4153DB SIZE=174656
%COMMONFILES%\Protexis\License Service\PSIKey.dll [Protexis Inc.] [PSIKey] MD5=3A0F7D74187101B0DFF01D5B460FDAF3 SIZE=1456704
%PROGRAMFILES%\Cyberlink\Shared files\RichVideo.exe [RichVideo Module] MD5=2D84428075CE90F1B8882D54960C7000 SIZE=243056
%SYSDIR%\slmdmsr.exe [Modem] MD5=CB14F42AF2D4659A2AE738EBD3FC29B3 SIZE=61440
%SYSDIR%\TUProgSt.exe [TuneUp Software] [TuneUp Utilities 2009] MD5=F21C3B0BD8CF9509CBB333001BC6C24D SIZE=604416
%PROGRAMFILES%\Unlocker\UnlockerHook.dll MD5=0BE47E7F7D991B5A3E377407862D60C3 SIZE=4608
%SYSDIR%\hccutils.DLL [Intel Corporation] [Intel® Common User Interface] MD5=3F28F9FF3ABCA19A910CE76173312DDD SIZE=118784
%SYSDIR%\igfxdev.dll [Intel Corporation] [Intel® Common User Interface] MD5=42F13988C86F52F3AC8030D39824BCBB SIZE=139264
%SYSDIR%\igfxsrvc.dll [Intel Corporation] [Intel® Common User Interface] MD5=A6B1CAFDD894AB0A38BF1C9727BFFF1D SIZE=348160
%SYSDIR%\igfxres.dll [Intel Corporation] [Intel® Common User Interface] MD5=87638BD78B1C439C1ED4BF5FE27A1155 SIZE=143360
%SYSDIR%\igfxress.dll [Intel Corporation] [Intel® Common User Interface] MD5=E892C5FF39AE9AB0673BC933D811F341 SIZE=1245184
%SYSDIR%\igfxhk.dll [Intel Corporation] [Intel® Common User Interface] MD5=07AB3FF6A17DFF523B3DF98EF7772B1A SIZE=131072
E:\Program Files Windows\CyberLink\PowerDVD\CLRCEngine3.dll [CyberLink Corp.] [Cyberlink PowerCinema] MD5=5DCE70DAA2B5DFA2F932FF6213FCBAA9 SIZE=69632
%COMMONFILES%\BCL Technologies\NitroPDF5\bepprint.dll [bepprint Module] MD5=3396AA0FC49B1A2556849365AF0606B5 SIZE=495616
%COMMONFILES%\BCL Technologies\NitroPDF5\bclprnlib.dll [bclprnlib] MD5=BA732AA04EEFD6A5D2324B803D1A2E3F SIZE=393216
%COMMONFILES%\BCL Technologies\NitroPDF5\bclnap.dll [Tester] MD5=5E967DD65E96334CDD4C659A8A5F438A SIZE=98304
%PROGRAMFILES%\Rising\AntiSpyware\rsmginfo.dll [Beijing Rising Information Technology Co., Ltd.] [Rising AntiVirus Software] MD5=3B618B40D414347B670AE7B881C8BF92 SIZE=281200
%PROGRAMFILES%\Rising\AntiSpyware\RsXML.dll [Beijing Rising Information Technology Co., Ltd.] [Rising AntiVirus 2008] MD5=6444C8E1B4109F21A81072E560033784 SIZE=146032
%PROGRAMFILES%\Rising\AntiSpyware\ComServ.dll [Beijing Rising Information Technology Co., Ltd.] [comservice] MD5=790D591FC0397F8297DD20EB1014B870 SIZE=154224
%PROGRAMFILES%\Rising\AntiSpyware\Syslay.dll [Beijing Rising Information Technology Co., Ltd.] [Rising Base Function] MD5=33788884077C48AA20D6B09F7B415EBF SIZE=100976
%PROGRAMFILES%\Rising\AntiSpyware\rscommon.dll [Beijing Rising Information Technology Co., Ltd.] [Rising AntiVirus 2008] MD5=16C313A295393C4774B96D30F9CC9B56 SIZE=150128
%PROGRAMFILES%\Rising\AntiSpyware\comx3.dll [Beijing Rising Information Technology Co., Ltd.] [Rising Base Function] MD5=41A70B49EA7B39CCC471E12727BB6146 SIZE=182896
%PROGRAMFILES%\Rising\AntiSpyware\pngdll.dll [Beijing Rising Information Technology Co., Ltd.] [Rising AntiVirus 2008] MD5=57F7D65F25BCD1E6D646662D53BBEC4D SIZE=264816
%PROGRAMFILES%\Rising\AntiSpyware\runiep.dll [Beijing Rising Information Technology Co., Ltd.] [瑞星卡卡上网安全助手6.0] MD5=9FBB58F54891E272E541AD192785457A SIZE=424560
%PROGRAMFILES%\Rising\AntiSpyware\NComm.dll [Beijing Rising Information Technology Co., Ltd.] [瑞星卡卡上网安全助手] MD5=E2FA9BEDC4B6D2609483B69FAB1049EB SIZE=215664
%PROGRAMFILES%\Rising\AntiSpyware\ProcCom.dll [Beijing Rising Information Technology Co., Ltd.] [Rising AntiVirus 2008] MD5=9C00CDEF1A2FDCAF8955E623E8CC9E17 SIZE=125552
%PROGRAMFILES%\Rising\AntiSpyware\RsCommX2.dll [Beijing Rising Information Technology Co., Ltd.] [Rising AntiVirus 2008] MD5=EFF42F658C2AB6060367AC6BD8073CE7 SIZE=141936
%PROGRAMFILES%\Opera\Opera.dll [Opera Software] [Opera Internet Browser] MD5=6DC10166CFCE5ECB77B23D814682191E SIZE=3712000
%PROGRAMFILES%\Opera\Program\Plugins\NPSWF32.dll [Adobe Systems, Inc.] [Shockwave Flash] MD5=9BDD20A1787CC41C9F8D9B1272345B5E SIZE=3771296
%PROGRAMFILES%\WinRAR\rarext.dll MD5=60FE004235A8108446DCFC1E526FDE0E SIZE=129024
E:\Program Files Windows\Nitro PDF\Professional\N5ShellExtension.dll [NitroPDF Professional ShellExtension] MD5=0190798F0DDD86D3E22B4DEE9EC7F608 SIZE=689440
E:\Program Files Windows\PowerISO\PWRISOSH.DLL [PowerISO Computing, Inc.] [PowerISO Shell Dynamic Link Library] MD5=2D55C8AA289F2D6EC3D7722DC89CE625 SIZE=221184
E:\Program Files Windows\TuneUp Utilities 2009\SDShelEx-win32.dll [TuneUp Software] [TuneUp Utilities 2009] MD5=4AA33C62FDF937ECF0566B6103B5D6B9 SIZE=28416
E:\Program Files Windows\TuneUp Utilities 2009\DseShExt-x86.dll [TuneUp Software] [TuneUp Utilities 2009] MD5=DD731ACFC71D8DE4C92FDEE7F8D662CD SIZE=25856
E:\Program Files Windows\iTunes\iTunesMiniPlayer.dll [Apple Inc.] [iTunes] MD5=C86F66DC60DA034BAA3D7DECD9980951 SIZE=124200
%PROGRAMFILES%\Real\RealPlayer\rpshell.dll [RealNetworks, Inc.] [RealPlayer] MD5=6D76BB2E9255DFB44C0CE9E69017B5B1 SIZE=63016
%SYSDIR%\drivers\ALCXWDM.SYS [Realtek Semiconductor Corp.] [Windows ® WDM driver for Realtek AC'97 Audio(HRTF data Copyright 1994 by MIT Media Lab)] MD5=DD8520280304B6145A6BE31008748C7C SIZE=4122368
%SYSDIR%\svchost.exe -k netsvcs
%PROGRAMFILES%\CMBCHINA\WebProtect\WPService.exe \start
%SYSDIR%\svchost -k DcomLaunch
%SYSDIR%\svchost.exe -k NetworkService
%SYSDIR%\Drivers\GEARAspiWDM.sys [GEAR Software Inc.] [CD DVD Filter] MD5=F2F431D1573EE632975C524418655B84 SIZE=23400
%SYSDIR%\DRIVERS\ialmnt5.sys [Intel Corporation] [Intel Graphics Accelerator Drivers for Windows NT®] MD5=A1D34220B152E73CDBF71A69606A2DB1 SIZE=827100
%SYSDIR%\svchost.exe -k LocalService
%SYSDIR%\DRIVERS\SLDRV\Mtlmnt5.sys [Modem] MD5=8CC4AB0F1FDB5FC7F58779DAB0B1D22E SIZE=237616
%SYSDIR%\DRIVERS\SLDRV\RecAgent.sys [Modem] MD5=5DF1543B5258AF20DEDDBB32808470C5 SIZE=14680
%SYSDIR%\svchost -k rpcss
%SYSDIR%\DRIVERS\rt73.sys [Ralink Technology, Corp.] [Ralink 802.11 Wireless Adapters] MD5=6EA04A4370609E5E1EAEEE898A2AB6AC SIZE=252928
%SYSDIR%\DRIVERS\SLDRV\slntamr.sys [Modem] MD5=C9AAD69D51713E136F8C20026FF9D0DA SIZE=699192
%SYSDIR%\DRIVERS\SLDRV\SlWdmSup.sys [Modem] MD5=58F389DAEA07A855F7F38DD0D66E20C2 SIZE=13248
%SYSDIR%\DRIVERS\snapman.sys [Acronis] [Acronis Snapshot API] MD5=7CDB603A351B65C1A3347840625AD74D SIZE=97248
%SYSDIR%\drivers\sp_rsdrv2.sys [Crawler.com] [Spyware Terminator] MD5=8831252BCF05FCFB5ABD116A22E552D8 SIZE=142592
%SYSDIR%\svchost.exe -k imgsvc
E:\Program Files Windows\CyberLink\PowerDVD\000.fcl [Cyberlink Corp.] [CyberLink FCL Driver] MD5=5867CE254625645345C833510D24F124 SIZE=41456

End of Report


DDS (Ver_09-07-30.01) - NTFSx86
Run by haier at 18:59:52.85 on 2009-08-01 星期六
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.936.86.2052.18.2039.1467 [GMT 8:00]

AV: Spyware Terminator *On-access scanning enabled* (Updated) {55EE49A8-16BE-4601-BBE6-607B7F7317DE}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CMBCHINA\WebProtect\WPService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\WINDOWS\system32\slmdmsr.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\TUProgSt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
E:\Program Files Windows\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
E:\Program Files Windows\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe
C:\Program Files\Rising\AntiSpyware\rstray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe
C:\Program Files\Opera\opera.exe
C:\Documents and Settings\haier\桌面\dds.scr
C:\WINDOWS\system32\conime.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: WebProtect: {53763d1d-9ca8-4c7c-9756-a8e6b8fc063b} - c:\program files\cmbchina\webprotect\WebProtect.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: 金山快译(&K): {6c3797d2-3fef-4cd4-b654-d3ae55b4128c} - e:\program files windows\kingsoft\fastait 2006\IEBand.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [Microsoft Pinyin IME Migration] c:\progra~1\common~1\micros~1\ime12\imesc\IMSCMIG.EXE /INSTALL
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [RemoteControl] "e:\program files windows\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "e:\program files windows\cyberlink\powerdvd\language\Language.exe"
mRun: [BDRegion] c:\program files\cyberlink\shared files\brs.exe
mRun: [Nitro PDF Printer Monitor] "e:\program files windows\nitro pdf\professional\NitroPDFPrinterMonitor.exe"
mRun: [OSSelectorReinstall] c:\program files\common files\acronis\acronis disk director\oss_reinstall.exe
mRun: [runeip] "c:\program files\rising\antispyware\rstray.exe" /startup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SpywareTerminator] "c:\program files\spyware terminator\SpywareTerminatorShield.exe"
mRunOnce: [KKDelay] c:\program files\rising\antispyware\RunOnce.exe
dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE
IE: 导出到 Microsoft Excel(&X) - e:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - e:\progra~1\micros~1\office12\REFIEBAR.DLL
DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} - hxxps://site.cmbchina.com/download/CMBEdit.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: kmon.dll
SEH: Ras Shell Execute Hook: {ac2dc2ef-5165-40a3-8cdf-41dca1b0901a} - 瑞星卡卡上网安全助手
LSA: Notification Packages = scecli

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================


==================== Find3M ====================

2008-05-03 02:00 8 ---shr-- c:\windows\system32\5F22D8A524.sys

============= FINISH: 19:00:22.46 ===============
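Editor's note with an added example (not code from the thread, from Spyware Terminator, or from any of the tools the posts mention): before deleting or trusting userinit.exe and srsvc.dll, a responder would want to check whether the live copies in system32 still match the Windows File Protection copies in dllcache, what version and signature they carry, and whether the registry values that decide which binaries Winlogon and the System Restore service actually load still point at the stock files. The PowerShell below does exactly that. It assumes PowerShell is installed on the XP host (it was not part of XP SP2 by default), that it runs as an administrator, and that %SystemRoot% is the standard C:\WINDOWS; the file names are the two from the Spyware Terminator log above.

```powershell
# Editor's example, not from the thread. Cross-checks the two files Spyware
# Terminator flagged (userinit.exe, srsvc.dll) against their Windows File
# Protection copies in dllcache and against the registry values that decide
# which binaries Winlogon and the System Restore service load.
# Assumes an elevated PowerShell (2.0 or later) session on the affected XP host.

$sysDir   = Join-Path $env:SystemRoot 'system32'
$dllCache = Join-Path $sysDir 'dllcache'
$flagged  = @('userinit.exe', 'srsvc.dll')   # names taken from the ST log in the post

function Get-Md5Hex {
    # MD5 is used only so the value can be compared with the MD5= fields that
    # Spyware Terminator prints in its "Advanced Files Report"; it is not a
    # security control here.
    param([string]$Path)
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $md5.ComputeHash($fs) }
    finally { $fs.Close() }
    return ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Get-FileFacts {
    # Size, version resource, Authenticode status and MD5 of one file, or a
    # Present=$false record if the file does not exist.
    param([string]$Path)
    if (-not (Test-Path $Path)) {
        return New-Object PSObject -Property @{ Path = $Path; Present = $false }
    }
    $item = Get-Item $Path
    $sig  = Get-AuthenticodeSignature $Path
    New-Object PSObject -Property @{
        Path      = $Path
        Present   = $true
        Size      = $item.Length
        Md5       = Get-Md5Hex $Path
        Version   = $item.VersionInfo.FileVersion
        Company   = $item.VersionInfo.CompanyName
        SigStatus = $sig.Status
    }
}

foreach ($name in $flagged) {
    $live  = Get-FileFacts (Join-Path $sysDir   $name)
    $cache = Get-FileFacts (Join-Path $dllCache $name)
    Write-Host "== $name"
    $live, $cache |
        Format-Table Path, Present, Size, Version, Company, SigStatus, Md5 -AutoSize |
        Out-Host
    if ($live.Present -and $cache.Present) {
        if ($live.Md5 -eq $cache.Md5) {
            Write-Host '   live copy and dllcache copy are identical'
        } else {
            Write-Host '   live copy DIFFERS from dllcache copy: one of them has been replaced'
        }
    }
}

# Winlogon runs whatever the Userinit value names. The stock XP value is the full
# path followed by a trailing comma; anything appended after the comma is a
# classic logon hijack, and a wrong or missing value produces exactly the
# "log in, then immediately logged off" symptom described in the post.
$wl       = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = (Join-Path $sysDir 'userinit.exe') + ','
Write-Host ("Winlogon\Userinit = {0}" -f $wl.Userinit)
Write-Host ("Winlogon\Shell    = {0}" -f $wl.Shell)
if ($wl.Userinit -ne $expected) { Write-Host "   WARNING: expected '$expected'" }

# srsvc.dll is the System Restore service DLL, loaded into a svchost.exe host
# process; confirm that the service still points at the copy in system32.
$sr = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\srservice\Parameters'
Write-Host ("srservice\ServiceDll = {0}" -f $sr.ServiceDll)
```

Two caveats when reading the output. Matching MD5s between system32 and dllcache only prove the two copies are the same, not that either is clean, so the MD5 and version should also be compared against a known-good copy (the file expanded from the installation CD, or the same file on a healthy machine with the same service pack and language). Older PowerShell releases do not see catalog signatures, and XP system files are catalog-signed, so SigStatus may read NotSigned on a perfectly good file; Sysinternals sigcheck is the more reliable signature check on XP.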

#2 fireman4it

Malware Response Team
Posted 10 August 2009 - 12:04 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


#3 paul00001

Topic Starter
Posted 11 August 2009 - 05:51 AM

Hello Fireman,
Thank you for the reply. I was patient and have not made any changes to my laptop: no new installs, no uninstalls.
I didn't use any other antispyware programs or try to remove the trojans; I just waited :)
Until now, if I use Spyware Terminator to scan, these trojans appear every time in the ST log:
(1)Trojan.KillAV.drg : C:\WINDOWS\system32\srsvc.dll
C:\WINDOWS\system32\dllcache\srsvc.dll
C:\WINDOWS\system32\srsvc.dll.ren
(2)Trojan.SpyWare.GEY : C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\dllcache\userinit.exe

I downloaded DDS.pif and ran the scan. But after starting it I saw a "not enough memory" message on screen (it appeared 4 times).
This is a little strange, because my RAM is 2 GB.
Below is the DDS scan log, and the Attach.txt file is attached. I tried to upload a rar-ed file but it was unsuccessful.
Please feel free to ask any question. If you feel it is necessary for me to explain some Chinese names (or Chinese origin) appearing in the log, I do this below the DDS log after the "####" marks.


DDS (Ver_09-07-30.01) - NTFSx86
Run by haier at 17:53:42.95 on 2009-08-11 星期二
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.936.86.2052.18.2039.1635 [GMT 8:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CMBCHINA\WebProtect\WPService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\WINDOWS\system32\slmdmsr.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\TUProgSt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
E:\Program Files Windows\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
E:\Program Files Windows\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe
C:\Program Files\Rising\AntiSpyware\rstray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\haier\桌面\dds.pif
C:\WINDOWS\system32\conime.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: WebProtect: {53763d1d-9ca8-4c7c-9756-a8e6b8fc063b} - c:\program files\cmbchina\webprotect\WebProtect.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: 金山快译(&K): {6c3797d2-3fef-4cd4-b654-d3ae55b4128c} - e:\program files windows\kingsoft\fastait 2006\IEBand.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [Microsoft Pinyin IME Migration] c:\progra~1\common~1\micros~1\ime12\imesc\IMSCMIG.EXE /INSTALL
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [RemoteControl] "e:\program files windows\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "e:\program files windows\cyberlink\powerdvd\language\Language.exe"
mRun: [BDRegion] c:\program files\cyberlink\shared files\brs.exe
mRun: [Nitro PDF Printer Monitor] "e:\program files windows\nitro pdf\professional\NitroPDFPrinterMonitor.exe"
mRun: [OSSelectorReinstall] c:\program files\common files\acronis\acronis disk director\oss_reinstall.exe
mRun: [runeip] "c:\program files\rising\antispyware\rstray.exe" /startup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SpywareTerminator] "c:\program files\spyware terminator\SpywareTerminatorShield.exe"
mRunOnce: [KKDelay] c:\program files\rising\antispyware\RunOnce.exe
dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE
IE: 导出到 Microsoft Excel(&X) - e:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - e:\progra~1\micros~1\office12\REFIEBAR.DLL
DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} - hxxps://site.cmbchina.com/download/CMBEdit.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: kmon.dll
SEH: Ras Shell Execute Hook: {ac2dc2ef-5165-40a3-8cdf-41dca1b0901a} - 瑞星卡卡上网安全助手
LSA: Notification Packages = scecli

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================


==================== Find3M ====================

2008-05-03 02:00 8 ---shr-- c:\windows\system32\5F22D8A524.sys

============= FINISH: 17:54:16.31 ===============



###########################################

Some Chinese file names explained:

C:\Program Files\CMBCHINA\WebProtect\WPService.exe It belongs to China Merchants Bank (Chinese origin)

C:\Program Files\Rising\AntiSpyware\rstray.exe It belongs to Rising AntiSpyware (Chinese software)

BHO: WebProtect: {53763d1d-9ca8-4c7c-9756-a8e6b8fc063b} - c:\program files\cmbchina\webprotect\WebProtect.dll
It belongs to China Merchants Bank (Chinese origin)

TB: 金山快译(&K): {6c3797d2-3fef-4cd4-b654-d3ae55b4128c} - e:\program files windows\kingsoft\fastait 2006\IEBand.dll
It belongs to Kingsoft fast Chinese - English translator (Chinese software)

mRun: [runeip] "c:\program files\rising\antispyware\rstray.exe" /startup It belongs to Rising AntiSpyware (Chinese software)

mRunOnce: [KKDelay] c:\program files\rising\antispyware\RunOnce.exe It belongs to Rising AntiSpyware (Chinese software)

DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} - hxxps://site.cmbchina.com/download/CMBEdit.cab
It belongs to China Merchants Bank (Chinese origin)

SEH: Ras Shell Execute Hook: {ac2dc2ef-5165-40a3-8cdf-41dca1b0901a} - 瑞星卡卡上网安全助手
It belongs to Rising AntiSpyware (Chinese software)

Hope it will be helpful :)


#4 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts

Posted 14 August 2009 - 02:39 AM

Hi paul00001,


Welcome to BleepingComputer HijackThis Logs and Malware Removal, :thumbup2:
My name is sundavis, I will be helping you to deal with your Malware problems today.


Step 1

If you already have Combofix, please delete that copy and download it again as it's being updated regularly.

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Note: ComboFix has recently been updated to include the option for installing the Recovery Console automatically. You will see the below prompt when you first run ComboFix:


The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
It is a simple procedure that will only take a few moments of your time. Once Recovery Console is installed, you should see a blue screen prompt like the one below:

1. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

2. Click Yes to allow ComboFix to continue scanning for malware.

When done, a log will be produced (or locate it in C:\ComboFix.txt). Please post that log in your next reply.

Do not mouse click on Combofix while it is running. That may cause it to stall.

Note: If you can't run ComboFix, please delete that copy from your desktop and redownload it again. Please rename it to paul.exe before downloading it to your desktop. Thanks.


Step 2


Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

Step 3

I also notice you do not have any antivirus program installed on your system (only the Rising antispyware). It's somewhat suicidal in this digital world nowadays.
Please get ONE antivirus and install it. Restart the computer for changes to take effect.

AVG Free 8.0 for Windows
AntiVir Free Edition



Step 4
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).


In your next reply, please post back:

1. ComboFix log
2. GooredFix log
3. RSIT log.txt and info.txt. Thanks

#5 paul00001

paul00001
  • Topic Starter

  • Members
  • 21 posts

Posted 15 August 2009 - 08:07 AM

Hello Sundavis,
Thank you for the step by step instructions :thumbup2: I had issues while running ComboFix.exe; it told me that some files are corrupted so I could not run it, but I also could not close it, and I had to reboot to return to a normal state. I downloaded it again, and "in case" again but renamed to paul.exe. Then ComboFix ran OK, but I didn't install the Recovery Console as I was off-line. I have the Windows installation CD, so the Recovery Console can be accessed from there.
But I think I should apologize for one thing. As you can see in the log, yesterday I installed windows notepad.exe on my laptop; I just used the expand command and expanded it from the CD. Before, I had troubles with notepad: files with notepad icons and txt extensions were often opened in wordpad.exe. I didn't know how to fix it; probably some entries in the registry should be fixed. I would like to ask for your help with this problem after I complete all your instructions and the computer is "clean". Also some other thing bothers me: files with .rtf extensions are always opened in MS Office Word, but should be opened in writepad.
I also expanded netstat.exe, as I read on your web about its powerful usage.
From the two recommended AV programs I installed Avira, and disabled the Spyware Terminator shield (before, I used ST with integrated ClamAV).
All logs are below. I cannot copy and paste the GooredFix log, so I upload this log as an attachment.

ComboFix 09-08-10.06 - haier -08-15 星期六 19:05.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.936.86.2052.18.2039.1624 [GMT 8:00]
执行位置: c:\documents and settings\haier\桌面\ComboFix.exe

注意 - 这台电脑没有安装恢复控制台 !!
.

((((((((((((((((((((((((((((((((((((((( 被删除的档案 )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\haier\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk
c:\windows\Installer\51a4e1.msp
c:\windows\Installer\a95d7.msi
c:\windows\system32\_000014_.tmp.dll

.
((((((((((((((((((((((((((((((((((((((( 驱动/服务 )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_Netcom3


((((((((((((((((((((((((( 2009-07-15 至 2009-08-15 的新的档案 )))))))))))))))))))))))))))))))
.

2009-08-15 01:25 . 2004-08-04 00:52 36864 -c--a-w- c:\windows\system32\dllcache\netstat.exe
2009-08-15 01:08 . 2004-08-04 00:52 36864 ----a-w- c:\windows\system32\netstat.exe
2009-08-15 01:02 . 2004-08-04 00:52 66560 -c--a-w- c:\windows\system32\dllcache\notepad.exe
2009-08-15 01:02 . 2004-08-04 00:52 66560 ----a-w- c:\windows\system32\notepad.exe
2009-08-15 01:01 . 2004-08-04 00:52 66560 ----a-w- c:\windows\notepad.exe
2009-08-13 13:56 . 2009-08-14 16:44 -------- d-----w- c:\windows\ServicePackFiles
2009-08-07 11:28 . 2009-07-01 07:08 101376 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-08-03 14:37 . 2006-10-31 10:26 36864 -c----w- c:\windows\system32\dllcache\hidclass.sys
2009-08-01 08:50 . 2009-07-03 16:55 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-08-01 08:50 . 2009-07-03 16:55 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-07-31 01:20 . 2004-08-04 00:52 23552 ----a-w- c:\windows\system32\userinit.exe
2009-07-31 01:19 . 2004-08-04 00:52 168960 ----a-w- c:\windows\system32\srsvc.dll
2009-07-25 11:41 . 2009-07-25 11:41 -------- d-----w- c:\program files\William O'Neil + Co. Inc
2009-07-25 11:40 . 2009-07-25 11:40 -------- d-----w- c:\documents and settings\haier\Application Data\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-15 11:00 . 2009-07-06 07:35 -------- d-----w- c:\documents and settings\haier\Application Data\Spyware Terminator
2009-08-15 08:30 . 2009-07-06 07:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spyware Terminator
2009-08-15 08:30 . 2009-01-30 16:38 -------- d-----w- c:\program files\WinClamAVShield
2009-08-14 19:05 . 2008-04-18 12:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-09 11:46 . 2009-04-01 04:29 -------- d-----w- c:\documents and settings\haier\Application Data\Skype
2009-08-05 09:05 . 2004-08-08 03:33 201728 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 18:14 . 2009-07-12 20:11 725448 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-08-01 05:19 . 2009-07-06 07:35 -------- d-----w- c:\program files\Spyware Terminator
2009-07-25 11:41 . 2008-04-17 14:26 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-18 17:46 . 2008-04-28 05:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-07-17 18:56 . 2004-08-08 03:33 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-12 19:36 . 2008-04-17 09:13 103280 ----a-w- c:\documents and settings\haier\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-12 19:35 . 2009-07-12 19:35 -------- d-----w- c:\documents and settings\haier\Application Data\Autodesk
2009-07-12 19:35 . 2009-07-12 19:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk
2009-07-12 19:35 . 2009-07-12 19:35 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-07-12 19:25 . 2009-07-12 19:25 -------- d-----w- c:\program files\Autodesk
2009-07-12 19:25 . 2009-07-12 19:25 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-07-12 19:25 . 2009-07-12 19:23 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2009-07-12 19:20 . 2004-08-08 03:33 98024 ----a-w- c:\windows\system32\prfc0804.dat
2009-07-12 19:20 . 2004-08-08 03:33 266280 ----a-w- c:\windows\system32\prfh0804.dat
2009-07-12 18:19 . 2009-07-12 18:19 -------- d-----w- c:\documents and settings\haier\Application Data\Eltima Software
2009-07-12 18:18 . 2004-08-08 03:33 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-09 17:17 . 2009-07-09 17:17 -------- d-----w- c:\documents and settings\haier\Application Data\IcoFX
2009-07-06 07:35 . 2009-07-06 07:35 6144 ----a-w- c:\documents and settings\All Users\Application Data\Spyware Terminator\sp_rsdel.exe
2009-07-06 07:35 . 2009-07-06 07:35 5632 ----a-w- c:\documents and settings\All Users\Application Data\Spyware Terminator\fileobjinfo.sys
2009-07-06 07:35 . 2009-07-06 07:35 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys
2009-07-04 12:52 . 2009-02-20 12:36 -------- d-----w- c:\program files\Opera
2009-07-04 10:56 . 2009-07-04 10:56 203776 ----a-w- c:\windows\system32\clrviddc.dll
2009-07-04 10:50 . 2008-05-30 12:00 -------- d-----w- c:\program files\Common Files\Real
2009-07-04 10:50 . 2009-07-04 10:50 -------- d-----w- c:\program files\Common Files\xing shared
2009-07-04 10:49 . 2008-05-30 12:00 -------- d-----w- c:\program files\Real
2009-07-04 10:49 . 2003-03-18 12:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-07-03 16:55 . 2004-08-08 03:33 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-02 11:26 . 2008-08-22 12:13 637592 ----a-w- c:\windows\system32\kmon.dll
2009-06-28 06:46 . 2009-06-28 06:17 -------- d-----w- c:\documents and settings\haier\Application Data\KVIrc
2009-06-28 06:18 . 2009-06-28 05:39 -------- d-----w- c:\program files\KVIrc
2009-06-25 18:34 . 2004-08-08 03:33 95744 ----a-w- c:\windows\system32\mqsec.dll
2009-06-25 18:34 . 2004-08-08 03:33 661504 ----a-w- c:\windows\system32\mqqm.dll
2009-06-25 18:34 . 2004-08-08 03:33 517120 ----a-w- c:\windows\system32\mqsnap.dll
2009-06-25 18:34 . 2004-08-08 03:33 48640 ----a-w- c:\windows\system32\mqupgrd.dll
2009-06-25 18:34 . 2004-08-08 03:33 47104 ----a-w- c:\windows\system32\mqdscli.dll
2009-06-25 18:34 . 2004-08-08 03:33 291328 ----a-w- c:\windows\system32\mqutil.dll
2009-06-25 18:34 . 2004-08-08 03:33 225280 ----a-w- c:\windows\system32\mqoa.dll
2009-06-25 18:34 . 2004-08-08 03:33 186880 ----a-w- c:\windows\system32\mqtrig.dll
2009-06-25 18:34 . 2004-08-08 03:33 177152 ----a-w- c:\windows\system32\mqrt.dll
2009-06-25 18:34 . 2004-08-08 03:33 16896 ----a-w- c:\windows\system32\mqise.dll
2009-06-25 18:34 . 2004-08-08 03:33 138240 ----a-w- c:\windows\system32\mqad.dll
2009-06-25 18:34 . 2004-08-08 03:33 123392 ----a-w- c:\windows\system32\mqrtdep.dll
2009-06-25 08:18 . 2004-08-08 03:33 707072 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:18 . 2004-08-08 03:33 59392 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:18 . 2004-08-08 03:33 56320 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:18 . 2004-08-08 03:33 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:18 . 2004-08-08 03:33 168448 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:18 . 2004-08-08 03:33 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 12:48 . 2009-06-24 12:48 -------- d-----w- c:\program files\iPod
2009-06-24 12:48 . 2008-12-23 16:43 -------- d-----w- c:\program files\Common Files\Apple
2009-06-24 12:45 . 2009-06-24 12:44 -------- d-----w- c:\program files\QuickTime
2009-06-24 12:35 . 2009-06-24 12:35 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-22 11:49 . 2004-08-08 03:33 19968 ----a-w- c:\windows\system32\mqbkup.exe
2009-06-22 11:49 . 2004-08-08 03:33 117248 ----a-w- c:\windows\system32\mqtgsvc.exe
2009-06-22 11:49 . 2004-08-08 03:33 4608 ----a-w- c:\windows\system32\mqsvc.exe
2009-06-22 11:48 . 2004-08-08 03:33 91776 ----a-w- c:\windows\system32\drivers\mqac.sys
2009-06-22 11:35 . 2004-08-08 03:33 92544 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-19 06:02 . 2009-06-19 06:02 -------- d-----w- c:\program files\Realtek AC97
2009-06-19 05:20 . 2008-04-17 14:26 -------- d-----w- c:\program files\Common Files\InstallShield
2009-06-19 05:12 . 2009-06-19 05:12 -------- d-----w- c:\program files\WinSCP
2009-06-16 14:53 . 2004-08-08 03:33 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:53 . 2004-08-08 03:33 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 11:32 . 2004-08-08 03:33 85504 ----a-w- c:\windows\system32\telnet.exe
2009-06-15 11:32 . 2004-08-08 03:33 74240 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-10 14:23 . 2004-08-08 03:33 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:26 . 2004-08-08 03:33 134144 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-05 07:41 . 2008-04-17 09:02 655872 ----a-w- c:\windows\system32\mstscax.dll
2009-06-03 19:25 . 2004-08-08 03:33 1272832 ----a-w- c:\windows\system32\quartz.dll
2009-05-30 18:19 . 2008-05-02 18:00 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-05-19 10:32 . 2009-07-12 17:58 758018 ----a-w- c:\windows\system32\xvidcore.dll
2008-05-02 18:00 . 2008-05-02 18:00 8 --sh--r- c:\windows\system32\5F22D8A524.sys
.

------- Sigcheck -------

[7] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 10:45 360320 01D5EAAFF224415A7FF513E4C882BE30 c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-08 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-08 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-08 455168]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-03-10 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-03-10 126976]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872]
"Microsoft Pinyin IME Migration"="c:\progra~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE" [2006-10-26 32560]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"RemoteControl"="e:\program files windows\CyberLink\PowerDVD\PDVDServ.exe" [2008-01-22 81920]
"LanguageShortcut"="e:\program files windows\CyberLink\PowerDVD\Language\Language.exe" [2007-10-11 62760]
"BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2007-11-17 91432]
"Nitro PDF Printer Monitor"="e:\program files windows\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe" [2008-06-25 210224]
"OSSelectorReinstall"="c:\program files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe" [2005-11-29 1544099]
"runeip"="c:\program files\Rising\AntiSpyware\rstray.exe" [2009-04-28 141936]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-08 148888]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-07-04 198160]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2007-04-16 577536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"KKDelay"="c:\program files\Rising\AntiSpyware\RunOnce.exe" [2008-08-22 68208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2004-08-08 15360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0KKNative.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="e:\program files windows\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"iTunesHelper"="e:\program files windows\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"e:\\Program Files Windows\\SparVoip\\SparVoip.exe"=
"e:\\Program Files Windows\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"e:\\Program Files Windows\\Kingsoft\\PowerWord 2006\\xdict.exe"=
"e:\\Program Files Windows\\Kingsoft\\PowerWord 2006\\update.exe"=
"e:\\Program Files Windows\\Kingsoft\\FastAIT 2006\\FastAIT.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"e:\\Program Files Windows\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"e:\\Program Files Windows\\iTunes\\iTunes.exe"=
"e:\\Program Files Windows\\Autodesk\\Backburner\\monitor.exe"=
"e:\\Program Files Windows\\Autodesk\\Backburner\\manager.exe"=
"e:\\Program Files Windows\\Autodesk\\Backburner\\server.exe"=
"e:\\Program Files Windows\\Autodesk\\3ds Max 2010\\3dsmax.exe"=
"e:\\Program Files Windows\\Autodesk\\3ds Max 2010\\mentalray\\satellite\\raysat_3dsmax2010_32server.exe"=
"e:\\Program Files Windows\\Autodesk\\3ds Max 2010\\mentalray\\satellite\\raysat_3dsmax2010_32.exe"=
"c:\\Program Files\\KVIrc\\kvirc.exe"=
"e:\\Program Files Windows\\Skype\\Phone\\Skype.exe"=

R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2009-7-6 15:35 142592]
R2 CMBWPS;Cmb WebProtect Support;c:\program files\CMBCHINA\WebProtect\WPService.exe [2008-4-18 18:49 232848]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009-5-13 17:43 604416]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2009-2-9 3:55 472832]
S3 FNDRV;FNDRV;\??\j:\fndrv.sys --> j:\fndrv.sys [?]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-7-9 21:36 31592]
S3 SSDefrag;SSDefrag;c:\windows\system32\drivers\SSDefrag.sys [2008-4-22 5:32 34560]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
‘计划任务’ 文件夹 里的内容

2008-12-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 04:34]
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{AC2DC2EF-5165-40A3-8CDF-41DCA1B0901A} - (no file)


.
------- 而外的扫描 -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: 导出到 Microsoft Excel(&X) - e:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} - hxxps://site.cmbchina.com/download/CMBEdit.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-15 19:10
Windows 5.1.2600 Service Pack 2 NTFS

扫描被隐藏的进程 。。。

扫描被隐藏的启动组 。。。

扫描被隐藏的文件 。。。

扫描完成
被隐藏的档案: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\e:\program files windows\CyberLink\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\AppEvents\Schemes\Apps\Conf\ g篘*慂Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_USERS\LocalService\AppEvents\Schemes\Apps\Conf\ g篘*慂Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_USERS\S-1-5-20\AppEvents\Schemes\Apps\Conf\ g篘*慂Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_USERS\S-1-5-21-1229272821-2049760794-1801674531-1003\AppEvents\Schemes\Apps\Conf\ g篘*慂Q\.Current]
@=""

[HKEY_USERS\S-1-5-21-1229272821-2049760794-1801674531-1003\Software\Kingsoft\褢q\隷褘 *2*0*0*6*\Option]
"UseProxy"=dword:00000000
"ProxyNeedLog"=dword:00000000
"ProxyPort"=dword:00000000
"ProxyType"=dword:ffffffff
"ValidateServerAddr"=dword:00000000
"ProxyAddr"=""
"ProxyPwd"=""
"ProxyUser"=""
"SavedPassport"="KSKY0012752"
"BakVSAddr"="cs1.db.kingsoft.com|cs2.db.kingsoft.com|cs3.db.kingsoft.com|cs4.db.kingsoft.com|"
"UpdateServerAddr"="http://up.cb.kingsoft.com/updateFastAIT2006/"
"AutoUpdate"=dword:00000001

[HKEY_USERS\S-1-5-21-1229272821-2049760794-1801674531-1003\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office Excel\Settings\Sb*_]
"PositionInfo-Monitor1"=hex:7b,00,00,00,6d,00,00,00,02,03,00,00,cc,01,00,00

[HKEY_USERS\S-1-5-21-1229272821-2049760794-1801674531-1003\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office Excel\Settings\Sb*_\File Name MRU]
"Value"=multi:"\00\00"
"Maximum Entries"=dword:0000000a

[HKEY_USERS\S-1-5-21-1229272821-2049760794-1801674531-1003\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office Excel\Settings\Sb*_\View]
"Data"=hex:04,16,00,47,28,14,14,14,0d,01,02,01,00,18,41,00,0d,00,fa,08,00,00,
90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,\

[HKEY_USERS\S-1-5-21-1229272821-2049760794-1801674531-1003\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office Word\Settings\Sb*_]
"PositionInfo-Monitor1"=hex:7b,00,00,00,6d,00,00,00,02,03,00,00,cc,01,00,00

[HKEY_USERS\S-1-5-21-1229272821-2049760794-1801674531-1003\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office Word\Settings\Sb*_\File Name MRU]
"Value"=multi:"\00\00"
"Maximum Entries"=dword:0000000a

[HKEY_USERS\S-1-5-21-1229272821-2049760794-1801674531-1003\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office Word\Settings\Sb*_\View]
"Data"=hex:04,16,00,47,28,14,14,14,0d,01,02,01,00,18,41,00,0d,00,fa,08,00,00,
90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,\

[HKEY_USERS\S-1-5-21-1229272821-2049760794-1801674531-1003\Software\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\?R銐宧V *#*0* *縹飴璬>e\Attributes]
"Vendor"="Microsoft"
"Technology"="MMSys"

[HKEY_USERS\S-1-5-21-1229272821-2049760794-1801674531-1003\Software\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\?R銐宧V *#*0* *縹飴璬>e\UI\AudioVolume]
"CLSID"="{364D8E0B-67CB-4547-9948-9E7F1B1743ED}"

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*膥鯪\CLSID]
@="{809B6661-94C4-49E6-B6EC-3F0F862215AA}"

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*膥鯪\CurVer]
@="BDATuner.组件.1"
.
--------------------- 运行进程下的动态链接库 ---------------------

- - - - - - - > 'explorer.exe'(3540)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ 其他运行进程 ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Protexis\License Service\PSIService.exe
c:\program files\Cyberlink\Shared files\RichVideo.exe
c:\windows\system32\slmdmsr.exe
c:\windows\system32\snmp.exe
c:\program files\Spyware Terminator\sp_rsser.exe
c:\windows\system32\conime.exe
.
**************************************************************************
.
完成时间: 2009-08-15 19:13 - 电脑已重新启动
ComboFix-quarantined-files.txt 2009-08-15 11:13

Pre-Run: 2,167,304,192 可用字节
Post-Run: 2,058,092,544 可用字节

287 --- E O F --- 2009-08-13 13:58


Logfile of random's system information tool 1.06 (written by random/random)
Run by haier at 2009-08-15 20:16:09
Microsoft Windows XP Professional Service Pack 2
System drive C: has 2 GB (15%) free of 10 GB
Total RAM: 2039 MB (80% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:16:30, on 2009-8-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\CMBCHINA\WebProtect\WPService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\WINDOWS\system32\slmdmsr.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
E:\Program Files Windows\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
E:\Program Files Windows\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe
C:\Program Files\Rising\AntiSpyware\rstray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\haier\桌面\RSIT.exe
C:\Program Files\trend micro\haier.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WebProtect.IEHlpObj - {53763D1D-9CA8-4C7C-9756-A8E6B8FC063B} - C:\Program Files\CMBCHINA\WebProtect\WebProtect.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: 金山快译(&K) - {6C3797D2-3FEF-4cd4-B654-D3AE55B4128C} - E:\Program Files Windows\Kingsoft\FastAIT 2006\IEBand.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [Microsoft Pinyin IME Migration] C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE /INSTALL
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RemoteControl] "E:\Program Files Windows\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "E:\Program Files Windows\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe
O4 - HKLM\..\Run: [Nitro PDF Printer Monitor] "E:\Program Files Windows\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe"
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [runeip] "C:\Program Files\Rising\AntiSpyware\rstray.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\RunOnce: [KKDelay] C:\Program Files\Rising\AntiSpyware\RunOnce.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: 导出到 Microsoft Excel(&X) - res://E:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} (Edit Class) - https://site.cmbchina.com/download/CMBEdit.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.5.0.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour 服务 (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cmb WebProtect Support (CMBWPS) - China Merchants Bank - C:\Program Files\CMBCHINA\WebProtect\WPService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: iPod 服务 (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slmdmsr.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe

--
End of file - 7135 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}]
RealPlayer Download and Record Plugin for Internet Explorer - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll [2009-07-04 329312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53763D1D-9CA8-4C7C-9756-A8E6B8FC063B}]
WebProtect - C:\Program Files\CMBCHINA\WebProtect\WebProtect.dll [2007-08-20 341904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-03-09 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-03-09 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{6C3797D2-3FEF-4cd4-B654-D3AE55B4128C} - 金山快译(&K) - E:\Program Files Windows\Kingsoft\FastAIT 2006\IEBand.dll [2005-08-26 221184]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"=C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [2004-08-08 208952]
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-08 455168]
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-08 455168]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2005-03-10 155648]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2005-03-10 126976]
"UnlockerAssistant"=C:\Program Files\Unlocker\UnlockerAssistant.exe [2006-09-08 15872]
"Microsoft Pinyin IME Migration"=C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE [2006-10-26 32560]
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe [2005-02-16 221184]
"ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2005-02-16 81920]
"RemoteControl"=E:\Program Files Windows\CyberLink\PowerDVD\PDVDServ.exe [2008-01-22 81920]
"LanguageShortcut"=E:\Program Files Windows\CyberLink\PowerDVD\Language\Language.exe [2007-10-11 62760]
"BDRegion"=C:\Program Files\Cyberlink\Shared Files\brs.exe [2007-11-17 91432]
"Nitro PDF Printer Monitor"=E:\Program Files Windows\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe [2008-06-25 210224]
"OSSelectorReinstall"=C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe [2005-11-29 1544099]
"runeip"=C:\Program Files\Rising\AntiSpyware\rstray.exe [2009-04-28 141936]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-03-09 148888]
"SoundMan"=C:\WINDOWS\SOUNDMAN.EXE [2007-04-16 577536]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2009-07-04 198160]
"avgnt"=C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [2009-03-02 209153]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"KKDelay"=C:\Program Files\Rising\AntiSpyware\RunOnce.exe [2008-08-22 68208]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-08 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2005-03-10 348160]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=1
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=67108863
"NoDriveTypeAutoRun"=323
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"E:\Program Files Windows\SparVoip\SparVoip.exe"="E:\Program Files Windows\SparVoip\SparVoip.exe:*:Enabled:SparVoip"
"E:\Program Files Windows\Microsoft Office\Office12\OUTLOOK.EXE"="E:\Program Files Windows\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"E:\Program Files Windows\Kingsoft\PowerWord 2006\xdict.exe"="E:\Program Files Windows\Kingsoft\PowerWord 2006\xdict.exe:*:Enabled:Kingsoft PowerWord"
"E:\Program Files Windows\Kingsoft\PowerWord 2006\update.exe"="E:\Program Files Windows\Kingsoft\PowerWord 2006\update.exe:*:Enabled:Kingsoft PowerWord Online Update"
"E:\Program Files Windows\Kingsoft\FastAIT 2006\FastAIT.exe"="E:\Program Files Windows\Kingsoft\FastAIT 2006\FastAIT.exe:*:Enabled:金山快译2006"
"C:\Program Files\Real\RealPlayer\realplay.exe"="C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer"
"E:\Program Files Windows\CyberLink\PowerDVD\PowerDVD.exe"="E:\Program Files Windows\CyberLink\PowerDVD\PowerDVD.exe:*:Enabled:CyberLink PowerDVD"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"E:\Program Files Windows\iTunes\iTunes.exe"="E:\Program Files Windows\iTunes\iTunes.exe:*:Enabled:iTunes"
"E:\Program Files Windows\Autodesk\Backburner\monitor.exe"="E:\Program Files Windows\Autodesk\Backburner\monitor.exe:*:Enabled:backburner 2.3 monitor"
"E:\Program Files Windows\Autodesk\Backburner\manager.exe"="E:\Program Files Windows\Autodesk\Backburner\manager.exe:*:Enabled:backburner 2.3 manager"
"E:\Program Files Windows\Autodesk\Backburner\server.exe"="E:\Program Files Windows\Autodesk\Backburner\server.exe:*:Enabled:backburner 2.3 server"
"E:\Program Files Windows\Autodesk\3ds Max 2010\3dsmax.exe"="E:\Program Files Windows\Autodesk\3ds Max 2010\3dsmax.exe:*:Enabled:Autodesk 3ds Max 2010 32-bit"
"E:\Program Files Windows\Autodesk\3ds Max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe"="E:\Program Files Windows\Autodesk\3ds Max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe:*:Enabled:mental ray satellite server for Autodesk 3ds Max 2010 32-bit"
"E:\Program Files Windows\Autodesk\3ds Max 2010\mentalray\satellite\raysat_3dsmax2010_32.exe"="E:\Program Files Windows\Autodesk\3ds Max 2010\mentalray\satellite\raysat_3dsmax2010_32.exe:*:Enabled:mental ray satellite for Autodesk 3ds Max 2010 32-bit"
"C:\Program Files\KVIrc\kvirc.exe"="C:\Program Files\KVIrc\kvirc.exe:*:Enabled:K Visual IRC Client Executable"
"E:\Program Files Windows\Skype\Phone\Skype.exe"="E:\Program Files Windows\Skype\Phone\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"E:\Program Files Windows\CyberLink\PowerDVD\PowerDVD.exe"="E:\Program Files Windows\CyberLink\PowerDVD\PowerDVD.exe:*:Enabled:CyberLink PowerDVD"

======File associations======

.bat - edit -
.cmd - edit -
.inf - open -
.ini - open - notepad.exe %1
.js - edit -
.reg - edit -
.txt - open - notepad.exe %1
.vbs - edit -

======List of files/folders created in the last 1 months======

2009-08-15 20:16:09 ----D---- C:\rsit
2009-08-15 20:16:09 ----D---- C:\Program Files\trend micro
2009-08-15 19:41:06 ----D---- C:\Program Files\Avira
2009-08-15 19:41:06 ----D---- C:\Documents and Settings\All Users\Application Data\Avira
2009-08-15 19:26:17 ----SHD---- C:\RECYCLER
2009-08-15 19:01:31 ----A---- C:\WINDOWS\zip.exe
2009-08-15 19:01:31 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-08-15 19:01:31 ----A---- C:\WINDOWS\SWSC.exe
2009-08-15 19:01:31 ----A---- C:\WINDOWS\SWREG.exe
2009-08-15 19:01:31 ----A---- C:\WINDOWS\sed.exe
2009-08-15 19:01:31 ----A---- C:\WINDOWS\PEV.exe
2009-08-15 19:01:31 ----A---- C:\WINDOWS\NIRCMD.exe
2009-08-15 19:01:31 ----A---- C:\WINDOWS\grep.exe
2009-08-15 19:01:28 ----D---- C:\WINDOWS\ERDNT
2009-08-15 19:01:25 ----D---- C:\Qoobox
2009-08-15 15:31:59 ----HDC---- C:\WINDOWS\$NtUninstallKB968389$
2009-08-15 09:08:41 ----A---- C:\WINDOWS\system32\netstat.exe
2009-08-15 09:02:03 ----A---- C:\WINDOWS\system32\notepad.exe
2009-08-15 09:01:14 ----A---- C:\WINDOWS\notepad.exe
2009-08-13 21:58:22 ----HDC---- C:\WINDOWS\$NtUninstallKB960859$
2009-08-13 21:58:16 ----HDC---- C:\WINDOWS\$NtUninstallKB971657$
2009-08-13 21:58:12 ----HDC---- C:\WINDOWS\$NtUninstallKB971557$
2009-08-13 21:58:06 ----HDC---- C:\WINDOWS\$NtUninstallKB973869$
2009-08-13 21:57:59 ----HDC---- C:\WINDOWS\$NtUninstallKB973540_WM9L$
2009-08-13 21:57:55 ----HDC---- C:\WINDOWS\$NtUninstallKB973507$
2009-08-13 21:57:49 ----HDC---- C:\WINDOWS\$NtUninstallKB973354$
2009-08-13 21:56:23 ----D---- C:\WINDOWS\ServicePackFiles
2009-08-13 21:56:21 ----HDC---- C:\WINDOWS\$NtUninstallKB958470$
2009-08-13 21:56:15 ----HDC---- C:\WINDOWS\$NtUninstallKB973815$
2009-08-13 21:56:03 ----HDC---- C:\WINDOWS\$NtUninstallKB971032$
2009-08-03 22:38:08 ----HDC---- C:\WINDOWS\$NtUninstallKB970653-v3$
2009-08-03 22:37:49 ----HDC---- C:\WINDOWS\$NtUninstallKB924941$
2009-08-03 22:37:18 ----HDC---- C:\WINDOWS\$NtUninstallKB918005$
2009-08-03 22:36:33 ----HDC---- C:\WINDOWS\$NtUninstallKB895961-v4$
2009-07-31 09:20:22 ----A---- C:\WINDOWS\system32\userinit.exe
2009-07-31 09:19:01 ----A---- C:\WINDOWS\system32\srsvc.dll
2009-07-25 19:41:33 ----D---- C:\Program Files\William O'Neil + Co. Inc
2009-07-25 19:40:33 ----D---- C:\Documents and Settings\haier\Application Data\InstallShield
2009-07-19 01:44:45 ----HDC---- C:\WINDOWS\$NtUninstallKB946627$

======List of files/folders modified in the last 1 months======

2009-08-15 20:16:09 ----D---- C:\Program Files
2009-08-15 20:10:00 ----RSD---- C:\WINDOWS\assembly
2009-08-15 20:07:06 ----D---- C:\WINDOWS\Temp
2009-08-15 20:07:03 ----D---- C:\WINDOWS\system32\CatRoot2
2009-08-15 20:06:58 ----D---- C:\WINDOWS
2009-08-15 20:06:37 ----D---- C:\WINDOWS\system32
2009-08-15 20:06:29 ----D---- C:\WINDOWS\Microsoft.NET
2009-08-15 20:05:26 ----SHD---- C:\WINDOWS\Installer
2009-08-15 20:04:18 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-08-15 20:04:01 ----D---- C:\WINDOWS\WinSxS
2009-08-15 19:41:17 ----HD---- C:\WINDOWS\inf
2009-08-15 19:41:17 ----D---- C:\WINDOWS\system32\drivers
2009-08-15 19:12:28 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-08-15 19:10:32 ----A---- C:\WINDOWS\system.ini
2009-08-15 19:08:56 ----D---- C:\WINDOWS\system32\config
2009-08-15 19:07:50 ----D---- C:\WINDOWS\AppPatch
2009-08-15 19:07:48 ----D---- C:\Program Files\Common Files
2009-08-15 19:01:30 ----SHD---- C:\System Volume Information
2009-08-15 19:01:30 ----D---- C:\WINDOWS\system32\Restore
2009-08-15 19:00:32 ----D---- C:\Documents and Settings\haier\Application Data\Spyware Terminator
2009-08-15 16:30:30 ----D---- C:\Program Files\WinClamAVShield
2009-08-15 16:30:30 ----D---- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2009-08-15 03:05:02 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-14 01:52:45 ----D---- C:\WINDOWS\Debug
2009-08-14 01:26:48 ----D---- C:\WINDOWS\system32\Setup
2009-08-13 21:58:05 ----HD---- C:\WINDOWS\$hf_mig$
2009-08-13 21:57:51 ----D---- C:\Program Files\Outlook Express
2009-08-09 19:46:20 ----D---- C:\Documents and Settings\haier\Application Data\Skype
2009-08-07 19:29:22 ----D---- C:\Program Files\Internet Explorer
2009-08-05 17:05:17 ----A---- C:\WINDOWS\system32\mswebdvd.dll
2009-08-03 22:38:57 ----D---- C:\WINDOWS\system32\CatRoot
2009-08-01 13:19:01 ----D---- C:\Program Files\Spyware Terminator
2009-08-01 02:49:02 ----D---- C:\!KillBox
2009-07-30 08:49:14 ----A---- C:\WINDOWS\system32\MRT.exe
2009-07-25 19:41:41 ----HD---- C:\Program Files\InstallShield Installation Information
2009-07-20 20:24:06 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-07-19 21:13:06 ----A---- C:\WINDOWS\system32\mshtml.dll
2009-07-19 18:43:04 ----A---- C:\WINDOWS\system32\ieframe.dll
2009-07-19 01:46:55 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2009-07-18 02:56:01 ----A---- C:\WINDOWS\system32\atl.dll

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2009-03-30 96104]
R1 FsVga;FsVga; C:\WINDOWS\system32\DRIVERS\fsvga.sys [2004-08-08 12160]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-08 38912]
R1 SCDEmu;SCDEmu; C:\WINDOWS\system32\drivers\SCDEmu.sys [2008-03-14 46652]
R1 sp_rsdrv2;Spyware Terminator Driver 2; \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys []
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2009-05-11 28520]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2004-08-03 8832]
R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B}; \??\E:\Program Files Windows\CyberLink\PowerDVD\000.fcl []
R2 avgntflt;avgntflt; C:\WINDOWS\system32\DRIVERS\avgntflt.sys [2009-07-28 55656]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2008-09-24 4122368]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2004-08-03 14080]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2009-03-19 23400]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2004-08-08 9600]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2005-03-10 827100]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-08 12160]
R3 Mtlmnt5;Mtlmnt5; C:\WINDOWS\system32\DRIVERS\SLDRV\Mtlmnt5.sys [2005-05-10 237616]
R3 RT73;TL-WN321G/WN321G+ Wireless USB Adapter; C:\WINDOWS\system32\DRIVERS\rt73.sys [2006-01-12 252928]
R3 Slntamr;SmartLink AMR_PCI Driver; C:\WINDOWS\system32\DRIVERS\SLDRV\slntamr.sys [2005-07-20 699192]
R3 SlWdmSup;SlWdmSup; C:\WINDOWS\system32\DRIVERS\SLDRV\SlWdmSup.sys [2005-05-10 13248]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2006-10-23 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2006-10-23 59264]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2006-10-23 20608]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB); C:\WINDOWS\system32\DRIVERS\A3AB.sys [2006-10-16 472832]
S3 AR5211;TP-LINK Wireless Network Adapter Service; C:\WINDOWS\system32\DRIVERS\ar5211.sys [2005-06-25 463168]
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 FNDRV;FNDRV; \??\J:\fndrv.sys []
S3 Mtlstrm;Mtlstrm; C:\WINDOWS\system32\DRIVERS\SLDRV\Mtlstrm.sys [2005-05-10 1464848]
S3 RTL8023;Realtek RTL8139/810x/8169/8110 all in one NDIS NT Driver; C:\WINDOWS\system32\DRIVERS\Rtlnic51.sys [2004-04-24 69504]
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
S3 SlNtHal;SlNtHal; C:\WINDOWS\system32\DRIVERS\SLDRV\Slnthal.sys [2005-05-10 101328]
S3 SSDefrag;SSDefrag; \??\C:\WINDOWS\system32\drivers\SSDefrag.sys []
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2009-03-05 36864]
S3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2006-10-23 17152]
S3 usbscan;USB 扫描仪驱动程序; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 USBSTOR;USB 大容量存储设备; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S4 exFat;exFat; C:\WINDOWS\system32\drivers\exFat.sys [2008-09-29 133632]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AntiVirSchedulerService;Avira AntiVir Scheduler; C:\Program Files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
R2 AntiVirService;Avira AntiVir Guard; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [2009-07-21 185089]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-06-05 144712]
R2 Bonjour Service;Bonjour 服务; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
R2 CMBWPS;Cmb WebProtect Support; C:\Program Files\CMBCHINA\WebProtect\WPService.exe [2007-08-27 232848]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-03-09 152984]
R2 ProtexisLicensing;ProtexisLicensing; C:\Program Files\Common Files\Protexis\License Service\PSIService.exe [2006-11-02 174656]
R2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\Cyberlink\Shared files\RichVideo.exe [2007-10-16 243056]
R2 SLService;SmartLinkService; C:\WINDOWS\system32\slmdmsr.exe [2005-05-10 61440]
R2 SNMP;SNMP Service; C:\WINDOWS\System32\snmp.exe [2006-11-21 31744]
R2 sp_rssrv;Spyware Terminator Realtime Shield Service; C:\Program Files\Spyware Terminator\sp_rsser.exe [2009-07-06 487424]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service; C:\WINDOWS\System32\TUProgSt.exe [2009-05-13 604416]
R2 UxTuneUp;TuneUp Theme Extension; C:\WINDOWS\System32\svchost.exe [2004-08-08 14336]
S3 aspnet_state;ASP.NET 状态服务; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2009-07-13 651720]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 getPlus® Helper;getPlus® Helper; C:\Program Files\NOS\bin\getPlus_HelperSvc.exe [2008-06-26 31592]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 iPod Service;iPod 服务; C:\Program Files\iPod\bin\iPodService.exe [2009-06-05 541992]
S3 LPDSVC;TCP/IP Print Server; C:\WINDOWS\system32\tcpsvcs.exe [2004-08-08 19456]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 SNMPTRAP;SNMP Trap Service; C:\WINDOWS\System32\snmptrap.exe [2004-08-08 8704]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service; C:\WINDOWS\System32\TuneUpDefragService.exe [2009-05-13 361216]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------


info.txt logfile of random's system information tool 1.06 2009-08-15 20:16:32

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Acrobat.com-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe -uninstall com.adobe.mauby 4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
Acrobat.com-->MsiExec.exe /I{77DCDCE3-2DED-62F3-8154-05E745472D07}
Acronis?Disk Director Suite-->MsiExec.exe /X{2300EE96-0A41-4FAB-BD03-989EC44577A0}
Adobe AIR-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{00203668-8170-44A0-BE44-B632FA4D780F}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 9.1.1-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A91000000001}
Apple Mobile Device Support-->MsiExec.exe /I{8355F970-601D-442D-A79B-1D7DB4F24CAD}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Audacity 1.2.6-->"E:\Program Files Windows\Audacity\unins000.exe"
Autodesk 3ds Max 2010 32-bit-->MsiExec.exe /I{317AC0C7-FEBF-0409-87A3-4FC70D0ED900}
Autodesk Backburner 2008.1-->MsiExec.exe /I{3D347E6D-5A03-4342-B5BA-6A771885F379}
Autodesk FBX Plugin 2009.4 - 3ds Max 2010-->C:\Program Files\Autodesk\FBX\FBXPlugins\2009.4\3ds Max 2010\Uninstall.exe
Avira AntiVir Personal - Free Antivirus-->C:\Program Files\Avira\AntiVir Desktop\setup.exe /REMOVE
Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}
CCleaner (remove only)-->"E:\Program Files Windows\CCleaner\uninst.exe"
Clean Disk Security 7.73-->E:\Program Files Windows\Clean Disk Security\uninst.exe
CorelDRAW Graphics Suite X3-->MsiExec.exe /I{63218538-4A69-497F-8455-904261B0E9E4}
Defraggler (remove only)-->"E:\Program Files Windows\Defraggler\uninst.exe"
DGOControls-->C:\Program Files\InstallShield Installation Information\{779A19AC-A302-425D-B295-F12116C2D731}\setup.exe -runfromtemp -l0x0009 -removeonly
EN-->MsiExec.exe /I{32A72502-BC2C-4C39-ACEA-BC3D463F0697}
EVEREST Ultimate Edition v5.02-->"E:\Program Files Windows\Lavalys\EVEREST Ultimate Edition\unins000.exe"
FastAIT 2006-->MsiExec.exe /I{09AD093B-BB4C-4732-9F59-02C49B66E025}
FastStone Capture 4.8-->C:\Program Files\FastStone Capture\uninst.exe
FontNav-->MsiExec.exe /I{4E98F23B-1328-4322-A6EC-2EDC8FC3A4FE}
HashCalc 2.02-->"E:\Program Files Windows\HashCalc\unins000.exe"
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
IcoFX 1.6.4-->"E:\Program Files Windows\IcoFX 1.6\unins000.exe"
Intel® Graphics Media Accelerator Driver for Mobile-->RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2792 PCI\VEN_8086&DEV_2592
iTunes-->MsiExec.exe /I{5D601655-6D54-4384-B52C-17EC5385FBBD}
Java™ 6 Update 13-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216012FF}
Karen's Cookie Viewer-->E:\Program Files Windows\Karen's Power Tools\Cookie Viewer\uninst.exe
KVIrc-->"C:\Program Files\KVIrc\uninstall.exe"
Microsoft .NET Framework 2.0 Service Pack 1 Language Pack - CHS-->MsiExec.exe /I{C3A681FC-A157-33CB-94E5-8B01F42F178C}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 1 Language Pack - CHS-->MsiExec.exe /I{97BF0930-6AAB-329F-9064-1F22CC083DE2}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 Language Pack - chs-->MsiExec.exe /I{43A3B6EF-14BE-372E-A29B-D3A8ADE2FE55}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft .NET Framework 3.5 语言包 - 简体中文-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 Language Pack - chs\setup.exe
Microsoft Office Access MUI (Chinese (Simplified)) 2007-->MsiExec.exe /X{90120000-0015-0804-0000-0000000FF1CE}
Microsoft Office Excel MUI (Chinese (Simplified)) 2007-->MsiExec.exe /X{90120000-0016-0804-0000-0000000FF1CE}
Microsoft Office IME (Chinese (Simplified)) 2007-->MsiExec.exe /X{90120000-0028-0804-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (Chinese (Simplified)) 2007-->MsiExec.exe /X{90120000-0044-0804-0000-0000000FF1CE}
Microsoft Office Outlook MUI (Chinese (Simplified)) 2007-->MsiExec.exe /X{90120000-001A-0804-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (Chinese (Simplified)) 2007-->MsiExec.exe /X{90120000-0018-0804-0000-0000000FF1CE}
Microsoft Office Professional Plus 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall PROPLUS /dll OSETUP.DLL
Microsoft Office Professional Plus 2007-->MsiExec.exe /X{90120000-0011-0000-0000-0000000FF1CE}
Microsoft Office Proof (Chinese (Simplified)) 2007-->MsiExec.exe /X{90120000-001F-0804-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proofing (Chinese (Simplified)) 2007-->MsiExec.exe /X{90120000-002C-0804-0000-0000000FF1CE}
Microsoft Office Publisher MUI (Chinese (Simplified)) 2007-->MsiExec.exe /X{90120000-0019-0804-0000-0000000FF1CE}
Microsoft Office Shared MUI (Chinese (Simplified)) 2007-->MsiExec.exe /X{90120000-006E-0804-0000-0000000FF1CE}
Microsoft Office Word MUI (Chinese (Simplified)) 2007-->MsiExec.exe /X{90120000-001B-0804-0000-0000000FF1CE}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 6 Service Pack 2 (KB954459)-->MsiExec.exe /I{1A528690-6A2D-4BC5-B143-8C4AE8D19D96}
Nitro PDF Professional-->MsiExec.exe /I{081D00DF-35F0-4570-8037-3E289795928F}
OpenSSL 0.9.8j (32-bit)-->"C:\OpenSSL\unins000.exe"
Opera 9.64-->MsiExec.exe /X{A2A60894-E3ED-46FE-9A6A-7CF7A87572A0}
PowerDVD Ultra-->"C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -l0x000804 /z-uninstall
PowerISO-->"E:\Program Files Windows\PowerISO\uninstall.exe"
Powerword 2006-->MsiExec.exe /I{1D44EA4F-C446-4C4F-92F7-02F72E589989}
PuTTY version 0.60-->"C:\Program Files\PuTTY\unins000.exe"
QuickTime-->MsiExec.exe /I{C78EAC6F-7A73-452E-8134-DBB2165C5A68}
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|12.0
Realtek AC'97 Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" -l0x804 -removeonly
REALTEK Gigabit and Fast Ethernet NIC Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{94FB906A-CF42-4128-A509-D353026A607E}\Setup.exe" -l0x804 REMOVE
Security Update for 2007 Microsoft Office System (KB951550)-->msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {B243E9A5-ED77-4F1B-B338-2486FD82DC85}
Security Update for 2007 Microsoft Office System (KB951944)-->msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {797AE457-BA17-4BBC-B501-25FB3A0103C7}
Security Update for 2007 Microsoft Office System (KB958439)-->msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {6491B8AA-D11C-4648-A461-6234B31EB7E2}
Security Update for Microsoft Office Excel 2007 (KB951546)-->msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {7399DD71-8E24-4E60-B6A8-6CED89C0AC26}
Security Update for Microsoft Office PowerPoint 2007 (KB951338)-->msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {558B709B-821B-4FC5-90FC-9A8890641E77}
Security Update for Microsoft Office Publisher 2007 (KB950114)-->msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {F9C3CDBA-1F00-4D4D-959D-75C9D3ACDD85}
Security Update for Microsoft Office system 2007 (KB954326)-->msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {5F7F6FFF-395D-480E-8450-64F385D82C5F}
Security Update for Microsoft Office system 2007 (KB956828)-->msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {885E081B-72BD-4E76-8E98-30B4BE468FAC}
Security Update for Microsoft Office Word 2007 (KB956358)-->msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {4551666D-0FD6-4C69-8A81-1C6F2E64517C}
Skype™ 4.0-->MsiExec.exe /X{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}
Smart Link 56K Voice Modem-->C:\WINDOWS\Modio\SLAMR2KV\Setup.exe /Remove
SparVoip-->"E:\Program Files Windows\SparVoip\unins000.exe"
Spelling Dictionaries Support For Adobe Reader 9-->MsiExec.exe /I{AC76BA86-7AD7-5464-3428-900000000004}
Spybot - Search & Destroy-->"E:\Program Files Windows\Spybot - Search & Destroy\unins000.exe"
Spyware Terminator-->"C:\Program Files\Spyware Terminator\unins000.exe"
Technitium MAC Address Changer v5.0-->C:\Program Files\Technitium\TMACv5.0\Installer.exe
thinkorswim-->E:\Program Files Windows\thinkorswim\uninstall.exe
TransMac version 8.1-->"E:\Program Files Windows\TransMac\unins000.exe"
TuneUp Utilities 2009-->MsiExec.exe /I{55A29068-F2CE-456C-9148-C869879E2357}
Unlocker 1.8.5-->C:\Program Files\Unlocker\uninst.exe
Update for Microsoft Office Outlook 2007 (KB952142)-->msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {4AD3A076-427C-491F-A5B7-7D1DE788A756}
Update for Office 2007 (KB934391)-->msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {B3091818-7C56-4C45-BE7D-CA23027A5EA5}
Update for Outlook 2007 Junk Email Filter (kb970012)-->msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {DC4A962B-9EC2-469C-BC9C-87312ADAEE81}
Update for Windows Internet Explorer 8 (KB972636)-->"C:\WINDOWS\ie8updates\KB972636-IE8\spuninst\spuninst.exe"
Update Manager-->MsiExec.exe /I{F428D0FB-765D-40EB-BDD8-A1E7F5C597FA}
VBA-->MsiExec.exe /I{C94E45B0-6AA6-4FB9-9AAE-22085F631880}
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803$\spuninst\spuninst.exe"
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Internet Explorer 8 安全更新 (KB969897)-->"C:\WINDOWS\ie8updates\KB969897-IE8\spuninst\spuninst.exe"
Windows Internet Explorer 8 安全更新 (KB972260)-->"C:\WINDOWS\ie8updates\KB972260-IE8\spuninst\spuninst.exe"
Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"
Windows Media Player (KB973540) 安全更新-->"C:\WINDOWS\$NtUninstallKB973540_WM9L$\spuninst\spuninst.exe"
Windows XP 安全更新 (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Windows XP 安全更新 (KB958470)-->"C:\WINDOWS\$NtUninstallKB958470$\spuninst\spuninst.exe"
Windows XP 安全更新 (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
Windows XP 安全更新 (KB971032)-->"C:\WINDOWS\$NtUninstallKB971032$\spuninst\spuninst.exe"
Windows XP 安全更新 (KB971557)-->"C:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"
Windows XP 安全更新 (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
Windows XP 安全更新 (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"
Windows XP 安全更新 (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
Windows XP 安全更新 (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
Windows XP 更新 (KB968389)-->"C:\WINDOWS\$NtUninstallKB968389$\spuninst\spuninst.exe"
Windows XP 更新 (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
Windows XP 修补程序 (KB895961-v4)-->"C:\WINDOWS\$NtUninstallKB895961-v4$\spuninst\spuninst.exe"
Windows XP 修补程序 (KB918005)-->"C:\WINDOWS\$NtUninstallKB918005$\spuninst\spuninst.exe"
Windows XP 修补程序 (KB924941)-->"C:\WINDOWS\$NtUninstallKB924941$\spuninst\spuninst.exe"
Windows XP 修补程序 (KB970653-v3)-->"C:\WINDOWS\$NtUninstallKB970653-v3$\spuninst\spuninst.exe"
WinHex-->C:\Program Files\WinHex\WinHex.exe uninst
WinRAR 压缩文件管理器-->C:\Program Files\WinRAR\uninstall.exe
WinSCP 4.1.9-->"C:\Program Files\WinSCP\unins000.exe"
Xilisoft iPhone Ringtone Maker-->E:\Program Files Windows\Xilisoft iPhone Ringtone Maker\Uninstall.exe
卡卡上网安全助手-->C:\Program Files\Rising\AntiSpyware\KKUninst.exe
招商银行一网通网盾-->C:\Program Files\CMBCHINA\WebProtect\Setup.exe UNINSTALL

======Security center information======

AV: AntiVir Desktop

======System event log======

Computer Name: MATRIX
Event Code: 7035
Message: Network Location Awareness (NLA) 服务成功发送一个 开始 控件。

Record Number: 47028
Source Name: Service Control Manager
Time Written: 20090703175221.000000+480
Event Type: 信息
User: NT AUTHORITY\SYSTEM

Computer Name: MATRIX
Event Code: 7023
Message: Task Scheduler 服务因下列错误而停止:
找不到指定的模块。


Record Number: 47027
Source Name: Service Control Manager
Time Written: 20090703175221.000000+480
Event Type: 错误
User:

Computer Name: MATRIX
Event Code: 1001
Message: SNMP 服务成功启动。

Record Number: 47026
Source Name: SNMP
Time Written: 20090703175218.000000+480
Event Type: 信息
User:

Computer Name: MATRIX
Event Code: 6005
Message: 事件日志服务已启动。

Record Number: 47025
Source Name: EventLog
Time Written: 20090703175207.000000+480
Event Type: 信息
User:

Computer Name: MATRIX
Event Code: 6009
Message: Microsoft ® Windows ® 5.01. 2600 Service Pack 2 Uniprocessor Free。

Record Number: 47024
Source Name: EventLog
Time Written: 20090703175207.000000+480
Event Type: 信息
User:

=====Application event log=====

Computer Name: MATRIX
Event Code: 1800
Message: 已经启动 Windows 安全中心服务。

Record Number: 5622
Source Name: SecurityCenter
Time Written: 20090213220929.000000+480
Event Type: 信息
User:

Computer Name: MATRIX
Event Code: 1015
Message: TraceLevel 参数不在注册表中;
使用的默认跟踪级别是 32。

Record Number: 5621
Source Name: EvntAgnt
Time Written: 20090213220924.000000+480
Event Type: 警告
User:

Computer Name: MATRIX
Event Code: 1003
Message: TraceFileName 参数不在注册表中;
使用的默认跟踪文件是 。

Record Number: 5620
Source Name: EvntAgnt
Time Written: 20090213220924.000000+480
Event Type: 警告
User:

Computer Name: MATRIX
Event Code: 0
Message:
Record Number: 5619
Source Name: RichVideo
Time Written: 20090213220922.000000+480
Event Type: 信息
User:

Computer Name: MATRIX
Event Code: 1
Message:
Record Number: 5618
Source Name: Bonjour Service
Time Written: 20090213220920.000000+480
Event Type: 信息
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\QuickTime\QTSystem;E:\Program Files Windows\Autodesk\Backburner;C:\Program Files\Common Files\Autodesk Shared
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 13 Stepping 8, GenuineIntel
"PROCESSOR_REVISION"=0d08
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"OPENSSL_CONF"=C:\OpenSSL\bin\openssl.cfg
"CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip

-----------------EOF-----------------


#6 sundavis


  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling

Posted 15 August 2009 - 10:36 AM

Hi paul00001,



Files with .rtf extensions are always opened in MS Office Word, but should be opened in WordPad.

Right-click the .rtf file and select Properties. In the General tab, click the Change button under "Opens with", then select WordPad and check the box "Always use the selected program to open this kind of file".

Let's do some maintenance for now and recheck your system with the Kaspersky online scanner. If things go well, you can update your system to SP3 afterwards. All the corrupted files, or suspect files that fail the signature check, should be replaced automatically.



Step 1
  • Download FixPolicies.exe, a self-extracting ZIP archive, to your Desktop from here:
  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box will briefly appear and then close. Exit the program.

Step 2

Please go here and download System Repair Engineer by smallfrogs.

  • Extract it to the Desktop and double-click SREng.exe to run it.
  • Note: If you prefer to use Simplified Chinese, click the Tools menu, choose Options, and under the "Please select a language" drop-down menu select Simplified Chinese. Exit the program and rerun it.
  • Click System Repair in the left pane.
  • Click on the File Association tab.
  • Check the Select all button, and click the Repair button.
  • Select 'Smart Scan' in the left pane and tick "Verify the digital signatures of process modules".
  • Click on the Scan button. When finished, click on the Save Reports button and save the log to the Desktop.
  • You can refer to this thread.

Step 3

Older versions of Java have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 16...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any entry with Java Runtime Environment (JRE or J2SE) in the name, including the following update:
    • Java™ 6 Update 13
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version.


Step 4

Let's clean some temp files. Please do the following:

Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.


If you use the Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.



Step 5

Please perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner.
  • Please go to Kaspersky Online Scanner and perform an online antivirus scan.
  • Click the Accept button on the "Requirements and limitations".
  • When the Java warning "The application digital signature has been verified. Do you want to run the application" appears, click the "Run" button.
  • It will download and install the program and update the database.
  • When the database update has finished, click on Settings.
  • Make sure all boxes are checked, then click on the Save button.
  • Click on My Computer under the Scan menu. It will start scanning, so be patient and let it run.
  • Once the scan is completed, click on View Scan Report.
  • You may see a list of infected items there. Click on Save Report As.
  • Click "Desktop", name the file "KAS", change the Files of type to Text file (.txt) and click on the Save button.
  • Please post the contents in your next reply.
  • You can refer to this animation.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset it to 100%.



Please post back the logs in your next reply.


1. SREng log
2. KAS Scan Report

Tell me how your pc is running now.

#7 paul00001

  • Topic Starter

  • Members
  • 21 posts
  • Gender:Male

Posted 17 August 2009 - 05:25 AM

Hello Sundavis,
Thank you for the help with .rtf extension files and the similar problem with .txt files.
I proceeded with your instructions, but as I noticed, after completing some steps things were going wrong.
I'll try to describe it clearly:
I finished step 1 with FixPolicies.exe and then proceeded with System Repair Engineer. I downloaded SRE and ran it as you described. Then I followed with removing the old Java application (JRE) and installed the new one. But during installation I got a Java "syntax error" message 7 or 8 times. Then, after I used ATF Cleaner to clean temp files, while trying to use Kaspersky Online Scanner I noticed that my internet connection speed had slowed down extremely; it is now 5 or 2 or below 2 kB/s. Before I started to proceed with your last instructions my internet connection speed was normal, between 160 kB/s and 300 kB/s, sometimes even 600 kB/s (while downloading files). I tried to run Kaspersky Online Scanner with Internet Explorer 8 and also with Opera 9, and the connection speed was always as I described above. So I'm not able to complete it because the download would take maybe several days.
You know, I think the problem is with using System Repair Engineer. I remember I used it about 2 years ago while I had some troubles, and at that time it caused much more trouble than good. I know that they have probably improved the program, but how else to explain that there are problems after using it? While running SRE it automatically opened itself in Chinese, as it recognized my Chinese Windows, so the log file is also in Chinese. I don't know if you can read Chinese, but the sections in the report should be the same as in the English version. I post the log below, but I'm not able to complete the KAS Scan Report.


2009-08-16,20:21:40

System Repair Engineer 2.7.1.1261
Smallfrogs (http://www.KZTechs.com)

Windows XP Professional Service Pack 2 (Build 2600) - 管理权限用户 - 完整功能

以下内容被选中:
	所有的启动项目(包括注册表、启动文件夹、服务等)
	浏览器加载项
	正在运行的进程(包括进程模块信息)
	文件关联
	Winsock 提供者
	Autorun.inf
	HOSTS 文件
	进程特权扫描
	计划任务
	API HOOK
	隐藏进程


启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
	<ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
	<IMJPMIG8.1><"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32>  [(Verified)Microsoft Windows Publisher]
	<PHIME2002ASync><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC>  [(Verified)Microsoft Windows Publisher]
	<PHIME2002A><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName>  [(Verified)Microsoft Windows Publisher]
	<IgfxTray><C:\WINDOWS\system32\igfxtray.exe>  [(Verified)Microsoft Windows Hardware Compatibility Publisher]
	<HotKeysCmds><C:\WINDOWS\system32\hkcmd.exe>  [(Verified)Microsoft Windows Hardware Compatibility Publisher]
	<UnlockerAssistant><"C:\Program Files\Unlocker\UnlockerAssistant.exe">  []
	<Microsoft Pinyin IME Migration><C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE /INSTALL>  [(Verified)Microsoft Corporation]
	<ISUSPM Startup><C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup>  [InstallShield Software Corporation]
	<ISUSScheduler><"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start>  [InstallShield Software Corporation]
	<RemoteControl><"E:\Program Files Windows\CyberLink\PowerDVD\PDVDServ.exe">  [Cyberlink Corp.]
	<LanguageShortcut><"E:\Program Files Windows\CyberLink\PowerDVD\Language\Language.exe">  [(Verified)CyberLink]
	<BDRegion><C:\Program Files\Cyberlink\Shared Files\brs.exe>  [(Verified)CyberLink]
	<Nitro PDF Printer Monitor><"E:\Program Files Windows\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe">  [(Verified)Nitro PDF]
	<OSSelectorReinstall><C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe>  []
	<runeip><"C:\Program Files\Rising\AntiSpyware\rstray.exe" /startup>  [(Verified)Beijing Rising Information Technology Corporation Limited]
	<SunJavaUpdateSched><"C:\Program Files\Java\jre6\bin\jusched.exe">  [(Verified)"Sun Microsystems, Inc."]
	<SoundMan><SOUNDMAN.EXE>  [(Verified)Microsoft Windows Hardware Compatibility Publisher]
	<TkBellExe><"C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot>  [(Verified)"RealNetworks, Inc."]
	<avgnt><"C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min>  [Avira GmbH]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
	<KKDelay><C:\Program Files\Rising\AntiSpyware\RunOnce.exe>  [(Verified)Beijing Rising Information Technology Corporation Limited]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
	<shell><Explorer.exe>  [(Verified)Microsoft Windows Component Publisher]
	<Userinit><C:\WINDOWS\system32\userinit.exe,>  [(Verified)Microsoft Windows Publisher]
	<UIHost><logonui.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
	<{AEB6717E-7E19-11d0-97EE-00C04FD91972}><shell32.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
	<PostBootReminder><%SystemRoot%\system32\SHELL32.dll>  [(Verified)Microsoft Windows Component Publisher]
	<CDBurn><%SystemRoot%\system32\SHELL32.dll>  [(Verified)Microsoft Windows Component Publisher]
	<WebCheck><C:\WINDOWS\system32\webcheck.dll>  [(Verified)Microsoft Windows]
	<SysTray><%systemroot%\system32\stobject.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
	<WinlogonNotify: crypt32chain><crypt32.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
	<WinlogonNotify: cryptnet><cryptnet.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
	<WinlogonNotify: cscdll><cscdll.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
	<WinlogonNotify: ScCertProp><wlnotify.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
	<WinlogonNotify: Schedule><wlnotify.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
	<WinlogonNotify: sclgntfy><sclgntfy.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
	<WinlogonNotify: SensLogn><WlNotify.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
	<WinlogonNotify: termsrv><wlnotify.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
	<WinlogonNotify: wlballoon><wlnotify.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
	<{438755C2-A8BA-11D1-B96B-00A0C90312E1}><%SystemRoot%\system32\browseui.dll>  [(Verified)Microsoft Windows Component Publisher]
	<{8C7461EF-2B13-11d2-BE35-3078302C2030}><%SystemRoot%\system32\browseui.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}]
	<Internet Explorer 版本更新><C:\WINDOWS\system32\ieudinit.exe>  [(Verified)Microsoft Windows]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
	<Microsoft Windows Media Player><C:\WINDOWS\inf\unregmp2.exe /HideWMP>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
	<Internet Explorer><C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
	<Browser Customizations><"C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS]
	<浏览器自定义组件><RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
	<Outlook Express><%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
	<Themes Setup><%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
	<Microsoft Outlook Express 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
	<NetMeeting 3.01><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
	<Windows Messenger 4.7><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
	<Microsoft Windows Media Player><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
	<通讯簿 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
	<Windows 桌面更新><regsvr32.exe /s /n /i:U shell32.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
	<Internet Explorer><C:\WINDOWS\system32\ie4uinit.exe -BaseSettings>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
	<N/A><C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install>  [(Verified)Microsoft Corporation]

==================================
启动文件夹
N/A

==================================
服务
[Avira AntiVir Scheduler / AntiVirSchedulerService][Running/Auto Start]
  <"C:\Program Files\Avira\AntiVir Desktop\sched.exe"><Avira GmbH>
[Avira AntiVir Guard / AntiVirService][Running/Auto Start]
  <"C:\Program Files\Avira\AntiVir Desktop\avguard.exe"><Avira GmbH>
[Apple Mobile Device / Apple Mobile Device][Running/Auto Start]
  <"C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"><Apple Inc.>
[Bonjour 服务 / Bonjour Service][Running/Auto Start]
  <"C:\Program Files\Bonjour\mDNSResponder.exe"><Apple Inc.>
[Cmb WebProtect Support / CMBWPS][Running/Auto Start]
  <C:\Program Files\CMBCHINA\WebProtect\WPService.exe /start><China Merchants Bank>
[FLEXnet Licensing Service / FLEXnet Licensing Service][Stopped/Manual Start]
  <"C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe"><Macrovision Europe Ltd.>
[getPlus(R) Helper / getPlus(R) Helper][Stopped/Manual Start]
  <C:\Program Files\NOS\bin\getPlus_HelperSvc.exe><NOS Microsystems Ltd.>
[Human Interface Device Access / HidServ][Stopped/Disabled]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[iPod 服务 / iPod Service][Stopped/Manual Start]
  <"C:\Program Files\iPod\bin\iPodService.exe"><Apple Inc.>
[Java Quick Starter / JavaQuickStarterService][Running/Auto Start]
  <"C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"><Sun Microsystems, Inc.>
[ProtexisLicensing / ProtexisLicensing][Running/Auto Start]
  <"C:\Program Files\Common Files\Protexis\License Service\PSIService.exe"><>
[Cyberlink RichVideo Service(CRVS) / RichVideo][Running/Auto Start]
  <"C:\Program Files\Cyberlink\Shared files\RichVideo.exe"><>
[Task Scheduler / Schedule][Stopped/Auto Start]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\system32\schedsvc.dll><N/A>
[SmartLinkService / SLService][Running/Auto Start]
  <slmdmsr.exe><>
[Spyware Terminator Realtime Shield Service / sp_rssrv][Running/Auto Start]
  <"C:\Program Files\Spyware Terminator\sp_rsser.exe"><Crawler.com>
[TuneUp Drive Defrag Service / TuneUp.Defrag][Stopped/Manual Start]
  <C:\WINDOWS\System32\TuneUpDefragService.exe><TuneUp Software>
[TuneUp Program Statistics Service / TuneUp.ProgramStatisticsSvc][Running/Auto Start]
  <C:\WINDOWS\System32\TUProgSt.exe><TuneUp Software>

==================================
驱动程序
[D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB) / A3AB][Stopped/Manual Start]
  <system32\DRIVERS\A3AB.sys><D-Link Corporation>
[Service for Realtek AC97 Audio (WDM) / ALCXWDM][Running/Manual Start]
  <system32\drivers\ALCXWDM.SYS><Realtek Semiconductor Corp.>
[TP-LINK Wireless Network Adapter Service / AR5211][Stopped/Manual Start]
  <system32\DRIVERS\ar5211.sys><Atheros Communications, Inc.>
[avgio / avgio][Running/System Start]
  <\??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys><Avira GmbH>
[avgntflt / avgntflt][Running/Auto Start]
  <system32\DRIVERS\avgntflt.sys><Avira GmbH>
[avipbb / avipbb][Running/System Start]
  <system32\DRIVERS\avipbb.sys><Avira GmbH>
[catchme / catchme][Stopped/Manual Start]
  <\??\C:\ComboFix\catchme.sys><N/A>
[FNDRV / FNDRV][Stopped/Manual Start]
  <\??\J:\fndrv.sys><N/A>
[GEAR ASPI Filter Driver / GEARAspiWDM][Running/Manual Start]
  <System32\Drivers\GEARAspiWDM.sys><GEAR Software Inc.>
[ialm / ialm][Running/Manual Start]
  <system32\DRIVERS\ialmnt5.sys><Intel Corporation>
[Mtlmnt5 / Mtlmnt5][Running/Manual Start]
  <system32\DRIVERS\SLDRV\Mtlmnt5.sys><>
[Mtlstrm / Mtlstrm][Stopped/Manual Start]
  <system32\DRIVERS\SLDRV\Mtlstrm.sys><>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
  <system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[RecAgent / RecAgent][Running/Boot Start]
  <\SystemRoot\system32\DRIVERS\SLDRV\RecAgent.sys><>
[TL-WN321G/WN321G+ Wireless USB Adapter / RT73][Running/Manual Start]
  <system32\DRIVERS\rt73.sys><Ralink Technology, Corp.>
[Realtek RTL8139/810x/8169/8110 all in one NDIS NT Driver / RTL8023][Stopped/Manual Start]
  <system32\DRIVERS\Rtlnic51.sys><Realtek Semiconductor Corporation>
[Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver / rtl8139][Stopped/Manual Start]
  <system32\DRIVERS\RTL8139.SYS><Realtek Semiconductor Corporation>
[Secdrv / Secdrv][Stopped/Manual Start]
  <system32\DRIVERS\secdrv.sys><Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.>
[SmartLink AMR_PCI Driver / Slntamr][Running/Manual Start]
  <system32\DRIVERS\SLDRV\slntamr.sys><>
[SlNtHal / SlNtHal][Stopped/Manual Start]
  <system32\DRIVERS\SLDRV\Slnthal.sys><>
[SlWdmSup / SlWdmSup][Running/Manual Start]
  <system32\DRIVERS\SLDRV\SlWdmSup.sys><>
[Acronis Snapshots Manager / snapman][Running/Boot Start]
  <\SystemRoot\system32\DRIVERS\snapman.sys><Acronis>
[Spyware Terminator Driver 2 / sp_rsdrv2][Running/System Start]
  <\??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys><>
[SSDefrag / SSDefrag][Stopped/Manual Start]
  <\??\C:\WINDOWS\system32\drivers\SSDefrag.sys><Piriform Ltd>
[ssmdrv / ssmdrv][Running/System Start]
  <system32\DRIVERS\ssmdrv.sys><Avira GmbH>
[TCP/IP Protocol Driver / Tcpip][Running/System Start]
  <system32\DRIVERS\tcpip.sys><Microsoft Corporation>
[Apple Mobile USB Driver / USBAAPL][Stopped/Manual Start]
  <System32\Drivers\usbaapl.sys><Apple, Inc.>
[{95808DC4-FA4A-4C74-92FE-5B863F82066B} / {95808DC4-FA4A-4C74-92FE-5B863F82066B}][Running/Auto Start]
  <\??\E:\Program Files Windows\CyberLink\PowerDVD\000.fcl><Cyberlink Corp.>

==================================
浏览器加载项
[Adobe PDF Link Helper]
  {18DF081C-E8AD-4283-A596-FA578C2EBDC3} <C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll, (Signed) Adobe Systems Incorporated>
[RealPlayer Download and Record Plugin for Internet Explorer]
  {3049C3E9-B461-4BC5-8870-4C09146192CA} <C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll, (Signed) RealPlayer>
[WebProtect]
  {53763D1D-9CA8-4C7C-9756-A8E6B8FC063B} <C:\Program Files\CMBCHINA\WebProtect\WebProtect.dll, (Signed) China Merchants Bank>
[Java(tm) Plug-In 2 SSV Helper]
  {DBC80044-A445-435b-BC74-9C25C1C588A9} <C:\Program Files\Java\jre6\bin\jp2ssv.dll, Sun Microsystems, Inc.>
[JQSIEStartDetectorImpl Class]
  {E7E6F031-17CE-4C07-BC86-EABFE594F69C} <C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll, Sun Microsystems, Inc.>
[信息检索(&R)]
  {92780B25-18CC-41C8-B9BE-3C9C571A8263} <E:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL, (Signed) Microsoft Corporation>
[金山快译(&K)]
  {6C3797D2-3FEF-4cd4-B654-D3AE55B4128C} <E:\Program Files Windows\Kingsoft\FastAIT 2006\IEBand.dll, 金山软件股份有限公司>
[Edit Class]
  {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} <C:\WINDOWS\system32\CMBEdit.dll, >
[DLM Control]
  {4871A87A-BFDD-4106-8153-FFDE2BAC2967} <C:\WINDOWS\DOWNLO~1\DOWNLO~1.OCX, Akamai Technologies, Inc.>
[Java Plug-in 1.6.0_13]
  {8AD9C840-044E-11D1-B3E9-00805F499D93} <C:\Program Files\Java\jre6\bin\jp2iexp.dll, >
[]
  {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} <, >
[Java Plug-in 1.6.0_13]
  {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} <C:\Program Files\Java\jre6\bin\jp2iexp.dll, >
[Java Plug-in 1.6.0_13]
  {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} <C:\Program Files\Java\jre6\bin\npjpi160_13.dll, (Signed) Sun Microsystems, Inc.>
[]
  {01443AEC-0FD1-40FD-9C87-E93D1494C233} <, >
[QuickTime Object]
  {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} <C:\Program Files\QuickTime\QTPlugin.ocx, (Signed) Apple Inc.>
[Adobe PDF Reader Link Helper]
  {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} <C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll, (Signed) Adobe Systems Incorporated>
[]
  {08B0E5C0-4FCB-11CF-AAA5-00401C608501} <, >
[Edit Class]
  {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} <C:\WINDOWS\system32\CMBEdit.dll, >
[Adobe PDF Link Helper]
  {18DF081C-E8AD-4283-A596-FA578C2EBDC3} <C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll, (Signed) Adobe Systems Incorporated>
[InformationCardSigninHelper Class]
  {19916E01-B44E-4E31-94A4-4696DF46157B} <C:\WINDOWS\system32\icardie.dll, (Signed) Microsoft Corporation>
[]
  {22BF413B-C6D2-4D91-82A9-A0F997BA588C} <, >
[Windows Media Player]
  {22D6F312-B0F6-11D0-94AB-0080C74C7E95} <C:\WINDOWS\system32\wmpdxm.dll, (Signed) Microsoft Corporation>
[HTML Document]
  {25336920-03F9-11CF-8FD0-00AA00686F13} <C:\WINDOWS\system32\mshtml.dll, (Signed) Microsoft Corporation>
[DHTML Edit Control Safe for Scripting for IE5]
  {2D360201-FFF5-11D1-8D03-00A0C959BC0A} <C:\Program Files\Common Files\Microsoft Shared\Triedit\dhtmled.ocx, (Signed) Microsoft Corporation>
[RealPlayer RAM Download Handler]
  {2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93} <C:\WINDOWS\system32\rmoc3260.dll, (Signed) RealNetworks, Inc.>
[RealPlayer Download and Record Plugin for Internet Explorer]
  {3049C3E9-B461-4BC5-8870-4C09146192CA} <C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll, (Signed) RealPlayer>
[HtmlDlgSafeHelper Class]
  {3050F819-98B5-11CF-BB82-00AA00BDCE0B} <C:\WINDOWS\system32\mshtmled.dll, (Signed) Microsoft Corporation>
[IETag Factory]
  {38481807-CA0E-42D2-BF39-B33AF135CC4D} <C:\PROGRA~1\COMMON~1\MICROS~1\SMARTT~1\IETAG.DLL, (Signed) Microsoft Corporation>
[QuickTime Object]
  {4063BE15-3B08-470D-A0D5-B37161CFFD69} <C:\Program Files\QuickTime\QTPlugin.ocx, (Signed) Apple Inc.>
[XML Document]
  {48123BC4-99D9-11D1-A6B3-00C04FD91555} <C:\WINDOWS\system32\msxml3.dll, (Signed) Microsoft Corporation>
[DLM Control]
  {4871A87A-BFDD-4106-8153-FFDE2BAC2967} <C:\WINDOWS\DOWNLO~1\DOWNLO~1.OCX, Akamai Technologies, Inc.>
[]
  {4F1E5B1A-2A80-42CA-8532-2D05CB959537} <, >
[WebProtect]
  {53763D1D-9CA8-4C7C-9756-A8E6B8FC063B} <C:\Program Files\CMBCHINA\WebProtect\WebProtect.dll, (Signed) China Merchants Bank>
[Shell Name Space]
  {55136805-B2DE-11D1-B9F2-00A0C98BC547} <C:\WINDOWS\system32\ieframe.dll, (Signed) Microsoft Corporation>
[]
  {57BDEE5A-1E29-4CFD-AEE7-EF32118EB6D6} <, >
[]
  {6483F145-A768-4C41-AACC-52D4D7845851} <, >
[]
  {693571CB-54A3-4E90-9D52-EEAE1334E2D3} <, >
[Windows Media Player]
  {6BF52A52-394A-11D3-B153-00C04F79FAA6} <C:\WINDOWS\system32\wmp.dll, (Signed) Microsoft Corporation>
[金山快译(&K)]
  {6C3797D2-3FEF-4CD4-B654-D3AE55B4128C} <E:\Program Files Windows\Kingsoft\FastAIT 2006\IEBand.dll, 金山软件股份有限公司>
[]
  {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} <, >
[]
  {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A} <, >
[Microsoft Web Browser]
  {8856F961-340A-11D0-A96B-00C04FD705A2} <C:\WINDOWS\system32\ieframe.dll, (Signed) Microsoft Corporation>
[]
  {889D2FEB-5411-4565-8998-1DD2C5261283} <, >
[XML DOM Document 6.0]
  {88D96A05-F192-11D4-A65F-0040963251E5} <c:\WINDOWS\system32\msxml6.dll, (Signed) Microsoft Corporation>
[Free Threaded XML DOM Document 6.0]
  {88D96A06-F192-11D4-A65F-0040963251E5} <c:\WINDOWS\system32\msxml6.dll, (Signed) Microsoft Corporation>
[XSL Template 6.0]
  {88D96A08-F192-11D4-A65F-0040963251E5} <c:\WINDOWS\system32\msxml6.dll, (Signed) Microsoft Corporation>
[Java Plug-in 1.6.0_13]
  {8AD9C840-044E-11D1-B3E9-00805F499D93} <C:\Program Files\Java\jre6\bin\jp2iexp.dll, >
[Microsoft Forms 2.0 ComboBox]
  {8BD21D30-EC42-11CE-9E0D-00AA006002F3} <C:\WINDOWS\system32\FM20.DLL, (Signed) Microsoft Corporation>
[]
  {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} <, >
[]
  {92780B25-18CC-41C8-B9BE-3C9C571A8263} <, >
[RMGetLicense Class]
  {A9FC132B-096D-460B-B7D5-1DB0FAE0C062} <C:\WINDOWS\system32\msnetobj.dll, (Signed) Microsoft Corporation>
[]
  {ACACC6EB-1FBA-4E13-A729-53AEB2DF54F8} <, >
[PlotWon Control]
  {AECD14A8-F662-11D1-A395-00805F535788} <C:\PROGRA~1\WILLIA~1.INC\DGOCON~1\plotwon.ocx, (Signed) William O'Neil + Co. Inc.>
[SearchAssistantOC]
  {B45FF030-4447-11D2-85DE-00C04FA35C89} <%SystemRoot%\system32\shdocvw.dll, (Signed) N/A>
[OWSClientMiscApis Class]
  {BDEADE3F-C265-11D0-BCED-00A0C90AB50F} <E:\PROGRA~1\MICROS~1\Office12\OWSCLT.DLL, (Signed) Microsoft Corporation>
[OWSBrowserUI Class]
  {BDEADE43-C265-11D0-BCED-00A0C90AB50F} <E:\PROGRA~1\MICROS~1\Office12\OWSCLT.DLL, (Signed) Microsoft Corporation>
[]
  {CC59E0F9-7E43-44FA-9FAA-8377850BF205} <, >
[AUDIO__MID Moniker Class]
  {CD3AFA74-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, (Signed) Microsoft Corporation>
[AUDIO__WAV Moniker Class]
  {CD3AFA7B-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, (Signed) Microsoft Corporation>
[AUDIO__X_MS_WMA Moniker Class]
  {CD3AFA84-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, (Signed) Microsoft Corporation>
[VIDEO__X_MS_WMV Moniker Class]
  {CD3AFA94-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, (Signed) Microsoft Corporation>
[]
  {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} <, >
[Microsoft Url Search Hook]
  {CFBFAE00-17A6-11D0-99CB-00C04FD64497} <C:\WINDOWS\system32\ieframe.dll, (Signed) Microsoft Corporation>
[RealPlayer G2 Control]
  {CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA} <C:\WINDOWS\system32\rmoc3260.dll, (Signed) RealNetworks, Inc.>
[Shockwave Flash Object]
  {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash10b.ocx, (Signed) Adobe Systems, Inc.>
[iTunesDetector Class]
  {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} <E:\Program Files Windows\iTunes\ITDetector.ocx, (Signed) Apple Inc.>
[Java(tm) Plug-In 2 SSV Helper]
  {DBC80044-A445-435B-BC74-9C25C1C588A9} <C:\Program Files\Java\jre6\bin\jp2ssv.dll, Sun Microsystems, Inc.>
[QuickTimeCheck Class]
  {DE4AF3B0-F4D4-11D3-B41A-0050DA2E6C21} <C:\Program Files\QuickTime\QTSystem\QuickTimeCheck.ocx, (Signed) Apple Inc.>
[JQSIEStartDetectorImpl Class]
  {E7E6F031-17CE-4C07-BC86-EABFE594F69C} <C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll, Sun Microsystems, Inc.>
[XML HTTP Request]
  {ED8C108E-4349-11D2-91A4-00C04F7969E8} <C:\WINDOWS\system32\msxml3.dll, (Signed) Microsoft Corporation>
[]
  {EEDD6FF9-13DE-496B-9A1C-D78B3215E266} <, >
[]
  {F3E70CEA-956E-49CC-B444-73AFE593AD7F} <, >
[XML DOM Document 3.0]
  {F5078F32-C551-11D3-89B9-0000F81FE221} <C:\WINDOWS\system32\msxml3.dll, (Signed) Microsoft Corporation>
[XML DOM Document]
  {F6D90F11-9C73-11D3-B32E-00C04F990BB4} <C:\WINDOWS\system32\msxml3.dll, (Signed) Microsoft Corporation>
[XML HTTP]
  {F6D90F16-9C73-11D3-B32E-00C04F990BB4} <C:\WINDOWS\system32\msxml3.dll, (Signed) Microsoft Corporation>
[]
  {FB5F1910-F110-11D2-BB9E-00C04F795683} <, >
[导出到 Microsoft Excel(&X)]
  <res://E:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000, N/A>

==================================
正在运行的进程
[PID: 480 / SYSTEM][\SystemRoot\System32\smss.exe]  [(Verified) Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 536 / SYSTEM][\??\C:\WINDOWS\system32\csrss.exe]  [(Verified) Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 560 / SYSTEM][\??\C:\WINDOWS\system32\winlogon.exe]  [(Verified) Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 604 / SYSTEM][C:\WINDOWS\system32\services.exe]  [(Verified) Microsoft Corporation, 5.1.2600.3520 (xpsp_sp2_qfe.090206-1239)]
[PID: 616 / SYSTEM][C:\WINDOWS\system32\lsass.exe]  [(Verified) Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 776 / SYSTEM][C:\WINDOWS\system32\svchost.exe]  [(Verified) Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
	[C:\WINDOWS\system32\msi.dll]  [Microsoft Corporation, 4.5.6001.22159]
[PID: 864 / NETWORK SERVICE][C:\WINDOWS\system32\svchost.exe]  [(Verified) Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
	[C:\Program Files\Bonjour\mdnsNSP.dll]  [Apple Inc., 1,0,6,2]
	[C:\WINDOWS\system32\msi.dll]  [Microsoft Corporation, 4.5.6001.22159]
[PID: 904 / SYSTEM][C:\WINDOWS\System32\svchost.exe]  [(Verified) Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
	[c:\windows\system32\uxtuneup.dll]  [TuneUp Software, 8.0.3100.31]
	[c:\windows\system32\msi.dll]  [Microsoft Corporation, 4.5.6001.22159]
	[C:\Program Files\Bonjour\mdnsNSP.dll]  [Apple Inc., 1,0,6,2]
[PID: 976 / NETWORK SERVICE][C:\WINDOWS\system32\svchost.exe]  [(Verified) Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1020 / LOCAL SERVICE][C:\WINDOWS\system32\svchost.exe]  [(Verified) Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1088 / SYSTEM][C:\WINDOWS\system32\spoolsv.exe]  [(Verified) Microsoft Corporation, 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)]
	[C:\Program Files\Bonjour\mdnsNSP.dll]  [Apple Inc., 1,0,6,2]
[PID: 1124 / SYSTEM][C:\Program Files\Avira\AntiVir Desktop\sched.exe]  [Avira GmbH, 9.00.00.09]
	[C:\Program Files\Avira\AntiVir Desktop\schedr.dll]  [Avira GmbH, 8.00.05.00]
	[C:\Program Files\Avira\AntiVir Desktop\avevtlog.dll]  [Avira GmbH, 9.00.00.07]
	[C:\Program Files\Avira\AntiVir Desktop\sqlite3.dll]  [, 3.06.01.00]
[PID: 1188 / SYSTEM][C:\Program Files\Avira\AntiVir Desktop\avguard.exe]  [Avira GmbH, 9.00.01.32]
	[C:\Program Files\Avira\AntiVir Desktop\AVEvtLog.dll]  [Avira GmbH, 9.00.00.07]
	[C:\Program Files\Avira\AntiVir Desktop\guardmsg.dll]  [Avira GmbH, 9.00.02.00]
	[C:\Program Files\Avira\AntiVir Desktop\sqlite3.dll]  [, 3.06.01.00]
	[C:\Program Files\Avira\AntiVir Desktop\AVPREF.DLL]  [Avira GmbH, 9.00.00.01]
	[C:\Program Files\Avira\AntiVir Desktop\SMTPLIB.DLL]  [Avira GmbH, 9.02.00.25]
	[C:\Program Files\Avira\AntiVir Desktop\AVGIO.DLL]  [Avira GmbH, 9.00.01.04]
	[C:\Program Files\Avira\AntiVir Desktop\aecore.dll]  [Avira GmbH, 8.1.7.6]
	[C:\Program Files\Avira\AntiVir Desktop\aevdf.dll]  [Avira GmbH, 8.1.1.1]
	[C:\Program Files\Avira\AntiVir Desktop\aescript.dll]  [Avira GmbH, 8.1.2.25]
	[C:\Program Files\Avira\AntiVir Desktop\aescn.dll]  [Avira GmbH, 8.1.2.4]
	[C:\Program Files\Avira\AntiVir Desktop\aerdl.dll]  [Avira GmbH, 8.1.2.4]
	[C:\Program Files\Avira\AntiVir Desktop\aepack.dll]  [Avira GmbH, 8.1.3.18]
	[C:\Program Files\Avira\AntiVir Desktop\unacev2.dll]  [ACE Compression Software, 2.6.0.2]
	[C:\Program Files\Avira\AntiVir Desktop\aeoffice.dll]  [Avira GmbH, 8.1.0.38]
	[C:\Program Files\Avira\AntiVir Desktop\aeheur.dll]  [Avira GmbH, 8.1.0.154]
	[C:\Program Files\Avira\AntiVir Desktop\aehelp.dll]  [Avira GmbH, 8.1.5.3]
	[C:\Program Files\Avira\AntiVir Desktop\aegen.dll]  [Avira GmbH, 8.1.1.56]
	[C:\Program Files\Avira\AntiVir Desktop\aeemu.dll]  [Avira GmbH, 8.1.0.9]
	[C:\Program Files\Avira\AntiVir Desktop\aebb.dll]  [Avira GmbH, 8.1.0.3]
	[C:\Program Files\Avira\AntiVir Desktop\avipc.dll]  [Avira GmbH, 1.1.3.4]
[PID: 1200 / SYSTEM][C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe]  [Apple Inc., 2.50.39.0]
[PID: 1220 / SYSTEM][C:\Program Files\Bonjour\mDNSResponder.exe]  [Apple Inc., 1,0,6,2]
[PID: 1252 / SYSTEM][C:\Program Files\CMBCHINA\WebProtect\WPService.exe]  [China Merchants Bank, 1, 0, 0, 1]
	[C:\Program Files\CMBCHINA\WebProtect\WebProtectPlus.dll]  [China Merchants Bank, 1, 0, 0, 1]
	[C:\Program Files\Bonjour\mdnsNSP.dll]  [Apple Inc., 1,0,6,2]
[PID: 1320 / SYSTEM][C:\Program Files\Java\jre6\bin\jqs.exe]  [Sun Microsystems, Inc., 6.0.130.3]
	[C:\Program Files\Java\jre6\bin\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
[PID: 1364 / SYSTEM][C:\Program Files\Common Files\Protexis\License Service\PSIService.exe]  [, 2.0.0.1]
	[C:\Program Files\Common Files\Protexis\License Service\PSIKey.dll]  [Protexis Inc., 2.0.0.1]
[PID: 1404 / SYSTEM][C:\Program Files\Cyberlink\Shared files\RichVideo.exe]  [, 2.0.2119  ]
[PID: 1452 / SYSTEM][C:\WINDOWS\system32\slmdmsr.exe]  [ , 4.20.01]
[PID: 1480 / SYSTEM][C:\WINDOWS\System32\snmp.exe]  [(Verified) Microsoft Corporation, 5.1.2600.3038 (xpsp_sp2_gdr.061119-2303)]
	[C:\Program Files\Bonjour\mdnsNSP.dll]  [Apple Inc., 1,0,6,2]
[PID: 1500 / SYSTEM][C:\Program Files\Spyware Terminator\sp_rsser.exe]  [Crawler.com, 2.5.0.511]
[PID: 1572 / SYSTEM][C:\WINDOWS\system32\svchost.exe]  [(Verified) Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1592 / SYSTEM][C:\WINDOWS\System32\TUProgSt.exe]  [TuneUp Software, 8.0.3100.31]
	[C:\WINDOWS\system32\msi.dll]  [Microsoft Corporation, 4.5.6001.22159]
[PID: 1860 / haier][C:\WINDOWS\Explorer.EXE]  [(Verified) Microsoft Corporation, 6.00.2900.3156 (xpsp_sp2_gdr.070613-1234)]
	[C:\Program Files\Unlocker\UnlockerHook.dll]  [N/A, ]
	[C:\WINDOWS\system32\msi.dll]  [Microsoft Corporation, 4.5.6001.22159]
	[C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll]  [Adobe Systems, Inc., 9.1.0.2009022700]
[PID: 308 / haier][C:\WINDOWS\system32\igfxtray.exe]  [Intel Corporation, 3.0.0.4277]
	[C:\WINDOWS\system32\hccutils.DLL]  [Intel Corporation, 3.0.0.4277]
	[C:\WINDOWS\system32\igfxdev.dll]  [Intel Corporation, 3.0.0.4277]
	[C:\Program Files\Unlocker\UnlockerHook.dll]  [N/A, ]
	[C:\WINDOWS\system32\igfxsrvc.dll]  [Intel Corporation, 3.0.0.4277]
	[C:\WINDOWS\system32\igfxres.dll]  [Intel Corporation, 3.0.0.4277]
	[C:\WINDOWS\system32\igfxress.dll]  [Intel Corporation, 3.0.0.4277]
[PID: 316 / haier][C:\WINDOWS\system32\hkcmd.exe]  [Intel Corporation, 3.0.0.4277]
	[C:\WINDOWS\system32\hccutils.DLL]  [Intel Corporation, 3.0.0.4277]
	[C:\WINDOWS\system32\igfxdev.dll]  [Intel Corporation, 3.0.0.4277]
	[C:\Program Files\Unlocker\UnlockerHook.dll]  [N/A, ]
	[C:\WINDOWS\system32\igfxsrvc.dll]  [Intel Corporation, 3.0.0.4277]
	[C:\WINDOWS\system32\igfxhk.dll]  [Intel Corporation, 3.0.0.4277]
	[C:\WINDOWS\system32\igfxres.dll]  [Intel Corporation, 3.0.0.4277]
[PID: 328 / haier][C:\Program Files\Unlocker\UnlockerAssistant.exe]  [N/A, ]
	[C:\Program Files\Unlocker\UnlockerHook.dll]  [N/A, ]
[PID: 412 / haier][E:\Program Files Windows\CyberLink\PowerDVD\PDVDServ.exe]  [Cyberlink Corp., 7.00.3722]
	[C:\Program Files\Unlocker\UnlockerHook.dll]  [N/A, ]
	[E:\Program Files Windows\CyberLink\PowerDVD\CLRCEngine3.dll]  [CyberLink Corp., 7.00.3317	]
[PID: 524 / haier][C:\Program Files\Cyberlink\Shared Files\brs.exe]  [cyberlink, 2.3.0.1116]
	[C:\WINDOWS\system32\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
	[C:\Program Files\Unlocker\UnlockerHook.dll]  [N/A, ]
[PID: 620 / haier][E:\Program Files Windows\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe]  [, 5, 4, 0, 21]
	[C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\MFC80U.DLL]  [Microsoft Corporation, 8.00.50727.762]
	[C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\MFC80CHS.DLL]  [Microsoft Corporation, 8.00.50727.762]
	[C:\Program Files\Unlocker\UnlockerHook.dll]  [N/A, ]
	[C:\WINDOWS\system32\msi.dll]  [Microsoft Corporation, 4.5.6001.22159]
	[C:\Program Files\Common Files\BCL Technologies\NitroPDF5\bepprint.dll]  [, 5, 0, 0, 5]
	[C:\Program Files\Common Files\BCL Technologies\NitroPDF5\bclprnlib.dll]  [ , 5, 0, 0, 8]
	[C:\Program Files\Common Files\BCL Technologies\NitroPDF5\bclnap.dll]  [ , 1, 0, 0, 1]
[PID: 1116 / haier][C:\Program Files\Rising\AntiSpyware\rstray.exe]  [Beijing Rising Information Technology Co., Ltd., 21.0.0.17]
	[C:\Program Files\Rising\AntiSpyware\rsmginfo.dll]  [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 11]
	[C:\Program Files\Unlocker\UnlockerHook.dll]  [N/A, ]
	[C:\Program Files\Rising\AntiSpyware\RsXML.dll]  [Beijing Rising Information Technology Co., Ltd., 20, 0, 0, 2]
	[C:\Program Files\Rising\AntiSpyware\MSVCP71.dll]  [Microsoft Corporation, 7.10.3077.0]
	[C:\Program Files\Rising\AntiSpyware\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
	[C:\Program Files\Rising\AntiSpyware\ComServ.dll]  [Beijing Rising Information Technology Co., Ltd., 21.0.0.31]
	[C:\Program Files\Rising\AntiSpyware\Syslay.dll]  [Beijing Rising Information Technology Co., Ltd., 21.0.0.6]
	[C:\Program Files\Rising\AntiSpyware\rscommon.dll]  [Beijing Rising Information Technology Co., Ltd., 20.0.1.1]
	[C:\Program Files\Rising\AntiSpyware\comx3.dll]  [Beijing Rising Information Technology Co., Ltd., 21.0.0.37]
	[C:\Program Files\Rising\AntiSpyware\pngdll.dll]  [Beijing Rising Information Technology Co., Ltd., 20, 0, 0, 5]
	[C:\Program Files\Rising\AntiSpyware\runiep.dll]  [Beijing Rising Information Technology Co., Ltd., 6.0.0.43]
	[C:\Program Files\Rising\AntiSpyware\NComm.dll]  [Beijing Rising Information Technology Co., Ltd., 6.0.0.11]
	[C:\Program Files\Rising\AntiSpyware\ProcCom.dll]  [Beijing Rising Information Technology Co., Ltd., 20, 0, 0, 20]
	[C:\Program Files\Rising\AntiSpyware\RsCommX2.dll]  [Beijing Rising Information Technology Co., Ltd., 20, 0, 0, 20]
	[C:\Program Files\Bonjour\mdnsNSP.dll]  [Apple Inc., 1,0,6,2]
[PID: 1260 / haier][C:\Program Files\Java\jre6\bin\jusched.exe]  [Sun Microsystems, Inc., 6.0.130.3]
	[C:\Program Files\Unlocker\UnlockerHook.dll]  [N/A, ]
	[C:\Program Files\Bonjour\mdnsNSP.dll]  [Apple Inc., 1,0,6,2]
[PID: 1688 / haier][C:\WINDOWS\SOUNDMAN.EXE]  [Realtek Semiconductor Corp., 5, 1, 0, 59]
	[C:\Program Files\Unlocker\UnlockerHook.dll]  [N/A, ]
[PID: 1584 / haier][C:\Program Files\Common Files\Real\Update_OB\realsched.exe]  [RealNetworks, Inc., 0.1.1.374]
	[C:\Program Files\Unlocker\UnlockerHook.dll]  [N/A, ]
[PID: 1832 / haier][C:\Program Files\Avira\AntiVir Desktop\avgnt.exe]  [Avira GmbH, 9.00.00.12]
	[C:\Program Files\Avira\AntiVir Desktop\cclib.dll]  [Avira GmbH, 9.00.00.10]
	[C:\Program Files\Unlocker\UnlockerHook.dll]  [N/A, ]
	[c:\program files\avira\antivir desktop\ccgen.dll]  [Avira GmbH, 9.00.00.35]
	[c:\program files\avira\antivir desktop\ccgenrc.dll]  [Avira GmbH, 9.00.17.01]
	[c:\program files\avira\antivir desktop\ccguard.dll]  [Avira GmbH, 9.00.00.19]
	[c:\program files\avira\antivir desktop\ccgrdrc.dll]  [Avira GmbH, 9.00.06.02]
	[c:\program files\avira\antivir desktop\avipc.dll]  [Avira GmbH, 1.1.3.4]
	[c:\program files\avira\antivir desktop\ccupdate.dll]  [Avira GmbH, 9.00.00.16]
	[c:\program files\avira\antivir desktop\ccupdrc.dll]  [Avira GmbH, 9.00.06.01]
	[c:\program files\avira\antivir desktop\cclic.dll]  [Avira GmbH, 9.00.00.06]
	[c:\program files\avira\antivir desktop\cclicrc.dll]  [Avira GmbH, 9.00.01.00]
	[c:\program files\avira\antivir desktop\ccmsg.dll]  [Avira GmbH, 9.00.02.01]
[PID: 1912 / haier][C:\WINDOWS\system32\ctfmon.exe]  [(Verified) Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
	[C:\Program Files\Unlocker\UnlockerHook.dll]  [N/A, ]
[PID: 2144 / LOCAL SERVICE][C:\WINDOWS\System32\alg.exe]  [(Verified) Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 3456 / haier][C:\Program Files\Opera\opera.exe]  [Opera Software, 10487]
	[C:\Program Files\Opera\Opera.dll]  [Opera Software, 10487]
	[C:\Program Files\Unlocker\UnlockerHook.dll]  [N/A, ]
	[C:\Program Files\Bonjour\mdnsNSP.dll]  [Apple Inc., 1,0,6,2]
[PID: 2896 / haier][C:\WINDOWS\system32\conime.exe]  [(Verified) Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
	[C:\Program Files\Unlocker\UnlockerHook.dll]  [N/A, ]
[PID: 3808 / haier][C:\Documents and Settings\haier\桌面\sreng2\SREngLdr.EXE]  [Smallfrogs Studio, 2.7.1.1261]
[PID: 3912 / haier][C:\Documents and Settings\haier\桌面\sreng2\SREe67666fe.EXE]  [Smallfrogs Studio, 2.7.1.1261]
	[C:\Program Files\Unlocker\UnlockerHook.dll]  [N/A, ]
	[C:\Documents and Settings\haier\桌面\sreng2\Upload\3rdUpd.DLL]  [Smallfrogs Studio, 2, 1, 0, 15]
	[C:\Program Files\Bonjour\mdnsNSP.dll]  [Apple Inc., 1,0,6,2]

==================================
文件关联
.TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  OK. ["C:\WINDOWS\hh.exe" %1]
.HLP  OK. [%SystemRoot%\system32\winhlp32.exe %1]
.INI  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.INF  Error. []
.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS   OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者
N/A

==================================
Autorun.inf
N/A

==================================
HOSTS 文件
127.0.0.1	   localhost

==================================
进程特权扫描
特殊特权被允许: SeLoadDriverPrivilege [PID = 1124, C:\PROGRAM FILES\AVIRA\ANTIVIR DESKTOP\SCHED.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 1188, C:\PROGRAM FILES\AVIRA\ANTIVIR DESKTOP\AVGUARD.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 328, C:\PROGRAM FILES\UNLOCKER\UNLOCKERASSISTANT.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 412, E:\PROGRAM FILES WINDOWS\CYBERLINK\POWERDVD\PDVDSERV.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 1832, C:\PROGRAM FILES\AVIRA\ANTIVIR DESKTOP\AVGNT.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 3456, C:\PROGRAM FILES\OPERA\OPERA.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 3808, C:\DOCUMENTS AND SETTINGS\HAIER\桌面\SRENG2\SRENGLDR.EXE]

==================================
计划任务
[已启用] AppleSoftwareUpdate.job
		C:\Program Files\Apple Software Update\SoftwareUpdate.exe 

==================================
API HOOK
N/A

==================================
隐藏进程
N/A

==================================
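A helper reads the SREng running-process listing above by hand; as an added example that is not part of the thread and not SREng's own code, the following Python parses lines in that format (the sample lines are constructed copies of the listing's format) and builds three review lists: service-account images SREng did not mark (Verified), modules carrying no vendor string, and any one DLL loaded into many processes, which is what a global hook such as UnlockerHook.dll or a Winsock provider such as mdnsNSP.dll looks like.

```python
"""Triage helper for an SREng 'running processes' listing.

Constructed example, not part of the thread and not SREng's own code.  The
SAMPLE_LOG lines below follow the format the listing uses:
    [PID: <pid> / <user>][<image path>]  [<(Verified)?> <vendor>, <version>]
    <tab>[<module path>]  [<vendor>, <version>]
"""
import re
from collections import defaultdict

# Process line: [PID: 776 / SYSTEM][C:\WINDOWS\system32\svchost.exe]  [(Verified) Microsoft Corporation, 5.1.2600.2180 (...)]
PROC_RE = re.compile(r'^\[PID: (\d+) / ([^\]]+)\]\[([^\]]+)\]\s+\[(.*)\]$')
# Module line (tab-indented): \t[C:\WINDOWS\system32\msi.dll]  [Microsoft Corporation, 4.5.6001.22159]
MOD_RE = re.compile(r'^\t\[([^\]]+)\]\s+\[(.*)\]$')
# "<vendor>, <version>": the version is the part after the first ", " that starts
# with a digit, so "Sun Microsystems, Inc., 6.0.130.3" keeps its comma in the vendor.
VENDOR_RE = re.compile(r'^(.*?)(?:, (\d.*)|, )?$')

SERVICE_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}


def split_vendor(field):
    """Return (verified, vendor, version) for the bracketed vendor/version field."""
    verified = field.startswith("(Verified)")
    if verified:
        field = field[len("(Verified)"):].lstrip()
    m = VENDOR_RE.match(field)
    vendor, version = m.group(1), m.group(2) or ""
    return verified, vendor.strip(), version.strip()


def parse_processes(text):
    """Parse the listing into a list of process dicts, each with its loaded modules."""
    procs = []
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if m:
            verified, vendor, version = split_vendor(m.group(4))
            procs.append({"pid": int(m.group(1)), "user": m.group(2), "image": m.group(3),
                          "verified": verified, "vendor": vendor, "version": version,
                          "modules": []})
            continue
        m = MOD_RE.match(line)
        if m and procs:  # module lines belong to the most recent process line
            _, vendor, version = split_vendor(m.group(2))
            procs[-1]["modules"].append({"path": m.group(1), "vendor": vendor,
                                         "version": version})
    return procs


def review(procs, hook_threshold=3):
    """Three review lists an analyst would build from the listing:
    - service-account images SREng did not mark (Verified): confirm each is known software;
    - modules carrying no vendor string at all (e.g. '[N/A, ]');
    - one DLL loaded into hook_threshold or more processes: usually a global hook
      (SetWindowsHookEx) or a Winsock namespace provider, either of which must be
      accounted for by software the user actually installed."""
    unverified = [(p["pid"], p["image"]) for p in procs
                  if p["user"] in SERVICE_ACCOUNTS and not p["verified"]]
    unattributed = defaultdict(set)
    loaded_in = defaultdict(set)
    for p in procs:
        for mod in p["modules"]:
            loaded_in[mod["path"].lower()].add(p["pid"])
            if mod["vendor"] in ("", "N/A"):
                unattributed[mod["path"]].add(p["pid"])
    return {
        "unverified_service_process": unverified,
        "unattributed_module": {k: sorted(v) for k, v in unattributed.items()},
        "widely_loaded_module": {k: len(v) for k, v in loaded_in.items()
                                 if len(v) >= hook_threshold},
    }


# Constructed sample in the listing's format (a subset of the lines in the thread).
SAMPLE_LOG = "\n".join([
    r"[PID: 776 / SYSTEM][C:\WINDOWS\system32\svchost.exe]  [(Verified) Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]",
    "\t" + r"[C:\WINDOWS\system32\msi.dll]  [Microsoft Corporation, 4.5.6001.22159]",
    r"[PID: 1452 / SYSTEM][C:\WINDOWS\system32\slmdmsr.exe]  [ , 4.20.01]",
    r"[PID: 1500 / SYSTEM][C:\Program Files\Spyware Terminator\sp_rsser.exe]  [Crawler.com, 2.5.0.511]",
    r"[PID: 1860 / haier][C:\WINDOWS\Explorer.EXE]  [(Verified) Microsoft Corporation, 6.00.2900.3156 (xpsp_sp2_gdr.070613-1234)]",
    "\t" + r"[C:\Program Files\Unlocker\UnlockerHook.dll]  [N/A, ]",
    "\t" + r"[C:\WINDOWS\system32\msi.dll]  [Microsoft Corporation, 4.5.6001.22159]",
    r"[PID: 308 / haier][C:\WINDOWS\system32\igfxtray.exe]  [Intel Corporation, 3.0.0.4277]",
    "\t" + r"[C:\Program Files\Unlocker\UnlockerHook.dll]  [N/A, ]",
    r"[PID: 1260 / haier][C:\Program Files\Java\jre6\bin\jusched.exe]  [Sun Microsystems, Inc., 6.0.130.3]",
    "\t" + r"[C:\Program Files\Unlocker\UnlockerHook.dll]  [N/A, ]",
    "\t" + r"[C:\Program Files\Bonjour\mdnsNSP.dll]  [Apple Inc., 1,0,6,2]",
    r"[PID: 3456 / haier][C:\Program Files\Opera\opera.exe]  [Opera Software, 10487]",
    "\t" + r"[C:\Program Files\Opera\Opera.dll]  [Opera Software, 10487]",
    "\t" + r"[C:\Program Files\Unlocker\UnlockerHook.dll]  [N/A, ]",
])

if __name__ == "__main__":
    for kind, items in review(parse_processes(SAMPLE_LOG)).items():
        print(kind)
        for item in (items.items() if isinstance(items, dict) else items):
            print("   ", item)
```

Every hit is a review item, not a verdict: in this listing only Microsoft-signed images carry the (Verified) tag, so third-party services land on the first list by design and are cleared by matching them to software the user knowingly installed.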


#8 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling
  • Local time:08:02 AM

Posted 17 August 2009 - 06:17 AM

Hi paul00001,



I think the problem is with using System Repair Engineer.

SREng only fixes your file association. It should not break your internet connection speed. You need to rerun it to fix the INF error. After that, please do the following:


Step1

Let's try the following instead. Hope it works.

Please download this file > http://www.dougknox.com/xp/fileassoc/xp_fileassoc.zip

Unzip it to your desktop, and double-click on xp_fileassoc.bat to restore file associations.


Step2
  • Close any open browsers
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Go to Here for your reference.
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:
FCopy::
c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys | c:\windows\system32\drivers\tcpip.sys


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop

Posted Image

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

After that, let's do some maintenance to ensure your internet access works properly.

Click Start>Run>Type CMD>A command prompt DOS window will open. Type/Paste ipconfig /flushdns and then press Enter to purge the DNS resolver cache.

Please go to Start -> Control Panel, and choose Network Connections. Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically. Click OK twice, and restart your computer.

After that, what I'd like you to do is a hard reset of your router if you have one. Leave it on, and there should be a little pinhole in the back of the unit. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds). Then change your admin login and password; make it a strong password. You may also want to ask your ISP for help in case there are custom settings that need to be maintained.


Step3

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic.

I will give you another one, just in case. :thumbup2:


Please go to F-Secure Online Scanner
  • Follow the on screen prompts to download activeX. Once that has completed, you'll be presented with types of scans.
  • Tick 'My Scan' and click 'Show Options'
  • Under Select File Types, tick All File Types
  • Under Select Folders for Scanning, tick 'Scan a Folder' and click Select
  • Select the C:\ drive, otherwise it will scan all drives.
  • Click OK
  • Click Start
  • After it has completed, save the log and copy/paste the results in your next reply.
  • If you have problems running F-Secure Online Scanner, you may refer to this thread


Please post back the logs in your next reply.


1.Combofix log
2.ESET Online Scan log
3.Fresh RIST log

Tell me how your pc is running now.

#9 paul00001

paul00001
  • Topic Starter

  • Members
  • 21 posts
  • Gender:Male
  • Local time:09:02 PM

Posted 18 August 2009 - 05:59 AM

Hi sundavis,
I still have troubles: SREng and Fileassoc didn't fix the .INF file association. I checked the state using SREng, and it still marks that there is an error in .INF.
Should I proceed with step 2 anyway?
This is what I thought: maybe some dll or exe responsible for those file associations is missing. Maybe I could expand it from the Windows installation CD?

#10 paul00001

paul00001
  • Topic Starter

  • Members
  • 21 posts
  • Gender:Male
  • Local time:09:02 PM

Posted 18 August 2009 - 08:15 AM

It's me again. I have a question: how do I restore to the state before I first used Combofix? Combofix created a restore point, but I cannot see it on the list. My idea is to start all over again from the previous state. Maybe you could make some modifications in the following steps, as some of the fix tools don't work in my case. What do you think?

#11 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling
  • Local time:08:02 AM

Posted 18 August 2009 - 08:35 AM

Hi paul00001,


My idea is to start all again from previous state


It's not necessary to proceed with that process. It will make things more complicated than we expected.

It seems that you didn't update Java. Please uninstall the old version of Java via Add/Remove Programs first. You may try Windows Installer CleanUp to remove the outdated Java from Here if you don't know how.

Then go to Here to get the updates. Hopefully there should be no more syntax errors. Please proceed with the next steps as described in my previous post.

One reason for an INF error is that it has been overwritten by another program; this can cause incompatibility with some applications. We will deal with the INF error later. Good luck!

Edited by sundavis, 18 August 2009 - 09:00 AM.


#12 paul00001

paul00001
  • Topic Starter

  • Members
  • 21 posts
  • Gender:Male
  • Local time:09:02 PM

Posted 19 August 2009 - 09:03 AM

Hi Sundavis,
Things are probably more complicated than I thought. I tried to use the internet in four different places (three places with wireless and wired, in my friends' homes), but every time the internet connection speed on my computer was as low as 2-4 kB/s or lower, while my friends had a lowest speed of 70 kB/s on their computers. So the problem is inside my laptop, not the router. Probably some of the fix tools erased something that was related to the internet connection. As you could recognize in the log files, I use TuneUp Utilities to maintain good speed and performance (including internet speed). If unexpectedly some file was deleted, then I'm in a state like this. I even cannot open www.bleepingcomputer.com to log in and read your reply, and also cannot download anything.
You just wrote that I didn't install the new Java, but I already installed the new Java. First you gave me a link to update nr 16 (English web) and I installed it; this time the link is to update 15 (Chinese web). Maybe this is the point. I will try to uninstall JRE 16 and install JRE 15.
But if the connection speed is still so low, my point is that we have to restore to the previous point; at least I had internet access at that point.
I wrote this post using my friend's computer, as I just tested my laptop's internet speed in his home. I'm not able to download anything using my computer.

#13 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling
  • Local time:08:02 AM

Posted 19 August 2009 - 09:14 AM

Hi paul00001,



We will take care of your internet access problem later, but we need to establish that your system is free of viruses first. Please do as instructed in my previous post.

If you have download problems, please use your pendrive or USB stick to transfer the necessary files to your computer. I need to check the Combofix log, and you may skip the online scan temporarily since you have a connection problem.

Make sure you do everything right. Otherwise, you can try installing Firefox temporarily from Here. In your next reply, please post back the Combofix log and Rist log and detail the procedure you have performed. Thanks.

Edited by sundavis, 19 August 2009 - 09:58 AM.


#14 paul00001

paul00001
  • Topic Starter

  • Members
  • 21 posts
  • Gender:Male
  • Local time:09:02 PM

Posted 20 August 2009 - 02:46 AM

Hi Sundavis,
and thanks for your patience :thumbup2: Below I describe all that I did.
Yesterday I first tried to uninstall JRE update 16, but unsuccessfully. In my friend's home, I downloaded the Windows Installer Cleanup tool and saved it to a USB flash drive (also JRE update 15), but when I tried to install it, it didn't work (I don't know why). I found that there is a restore point to the state before I uninstalled JRE update 13 and I restored to that state, then tried to uninstall JRE update 13, but also unsuccessfully; it told me that the .msi file is missing. Then I dug through my drives and found that I had the WIC tool downloaded some time ago; I installed it and used WIC to remove JRE 13. But this tool is supposed to remove only registry entries (they wrote such a comment in the description). Internet connection speed was as before, so I could not download update 15.
Then I prepared the CFScript.txt file and tried to run Combofix, but it told me that Combofix had just expired. I tried to connect to download a new one and at last I successfully downloaded it. Then I ran Combofix with CFScript.txt as you described. Please see the log. I stopped at this step and am waiting for your answer. I didn't do "ipconfig /flushdns". Internet speed is still slow, about 8-10 kB/s, but at least I can log in and post the log.

ComboFix 09-08-19.03 - haier -08-20 星期四 14:33.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.936.86.2052.18.2039.1632 [GMT 8:00]
执行位置: c:\documents and settings\haier\桌面\ComboFix.exe
Command switches used :: c:\documents and settings\haier\桌面\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

注意 - 这台电脑没有安装恢复控制台 !!
.

((((((((((((((((((((((((((((((((((((((( 被删除的档案 )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys --> c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((( 2009-07-20 至 2009-08-20 的新的档案 )))))))))))))))))))))))))))))))
.

2009-08-19 21:59 . 2009-08-19 21:59 3584 ----a-r- c:\documents and settings\haier\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2009-08-19 21:54 . 2009-08-19 21:54 -------- d-----w- c:\windows\system32\wbem\Repository
2009-08-19 16:31 . 2009-08-19 21:59 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-08-19 16:30 . 2009-08-19 16:30 -------- d-----w- c:\program files\MSECACHE
2009-08-18 10:28 . 2009-08-20 06:33 -------- d-----w- c:\windows\system32\CatRoot2
2009-08-17 19:18 . 2009-08-18 07:09 609400 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-08-15 12:16 . 2009-08-15 12:16 -------- d-----w- c:\program files\trend micro
2009-08-15 11:41 . 2009-07-28 08:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-15 11:41 . 2009-03-30 02:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-08-15 11:41 . 2009-02-13 04:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-08-15 11:41 . 2009-02-13 04:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-08-15 11:41 . 2009-08-15 11:41 -------- d-----w- c:\program files\Avira
2009-08-15 11:41 . 2009-08-15 11:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-08-15 01:25 . 2004-08-04 00:52 36864 -c--a-w- c:\windows\system32\dllcache\netstat.exe
2009-08-15 01:08 . 2004-08-04 00:52 36864 ----a-w- c:\windows\system32\netstat.exe
2009-08-15 01:02 . 2004-08-04 00:52 66560 -c--a-w- c:\windows\system32\dllcache\notepad.exe
2009-08-15 01:02 . 2004-08-04 00:52 66560 ----a-w- c:\windows\system32\notepad.exe
2009-08-15 01:01 . 2004-08-04 00:52 66560 ----a-w- c:\windows\notepad.exe
2009-08-13 13:56 . 2009-08-14 16:44 -------- d-----w- c:\windows\ServicePackFiles
2009-08-07 11:28 . 2009-07-01 07:08 101376 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-08-03 14:37 . 2006-10-31 10:26 36864 -c----w- c:\windows\system32\dllcache\hidclass.sys
2009-08-01 08:50 . 2009-07-03 16:55 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-08-01 08:50 . 2009-07-03 16:55 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-07-31 01:20 . 2004-08-04 00:52 23552 ----a-w- c:\windows\system32\userinit.exe
2009-07-31 01:19 . 2004-08-04 00:52 168960 ----a-w- c:\windows\system32\srsvc.dll
2009-07-25 11:41 . 2009-07-25 11:41 -------- d-----w- c:\program files\William O'Neil + Co. Inc
2009-07-25 11:40 . 2009-07-25 11:40 -------- d-----w- c:\documents and settings\haier\Application Data\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-19 00:58 . 2009-07-06 07:35 -------- d-----w- c:\documents and settings\haier\Application Data\Spyware Terminator
2009-08-16 14:01 . 2009-04-01 04:29 -------- d-----w- c:\documents and settings\haier\Application Data\Skype
2009-08-16 12:39 . 2008-12-14 02:40 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-15 12:04 . 2004-08-08 03:33 277150 ----a-w- c:\windows\system32\prfh0804.dat
2009-08-15 12:04 . 2004-08-08 03:33 110228 ----a-w- c:\windows\system32\prfc0804.dat
2009-08-15 08:30 . 2009-07-06 07:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spyware Terminator
2009-08-15 08:30 . 2009-01-30 16:38 -------- d-----w- c:\program files\WinClamAVShield
2009-08-14 19:05 . 2008-04-18 12:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-05 09:05 . 2004-08-08 03:33 201728 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-01 05:19 . 2009-07-06 07:35 -------- d-----w- c:\program files\Spyware Terminator
2009-07-25 11:41 . 2008-04-17 14:26 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-18 17:46 . 2008-04-28 05:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-07-17 18:56 . 2004-08-08 03:33 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-12 19:36 . 2008-04-17 09:13 103280 ----a-w- c:\documents and settings\haier\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-12 19:35 . 2009-07-12 19:35 -------- d-----w- c:\documents and settings\haier\Application Data\Autodesk
2009-07-12 19:35 . 2009-07-12 19:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk
2009-07-12 19:35 . 2009-07-12 19:35 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-07-12 19:25 . 2009-07-12 19:25 -------- d-----w- c:\program files\Autodesk
2009-07-12 19:25 . 2009-07-12 19:25 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-07-12 19:25 . 2009-07-12 19:23 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2009-07-12 18:19 . 2009-07-12 18:19 -------- d-----w- c:\documents and settings\haier\Application Data\Eltima Software
2009-07-12 18:18 . 2004-08-08 03:33 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-09 17:17 . 2009-07-09 17:17 -------- d-----w- c:\documents and settings\haier\Application Data\IcoFX
2009-07-06 07:35 . 2009-07-06 07:35 6144 ----a-w- c:\documents and settings\All Users\Application Data\Spyware Terminator\sp_rsdel.exe
2009-07-06 07:35 . 2009-07-06 07:35 5632 ----a-w- c:\documents and settings\All Users\Application Data\Spyware Terminator\fileobjinfo.sys
2009-07-06 07:35 . 2009-07-06 07:35 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys
2009-07-04 12:52 . 2009-02-20 12:36 -------- d-----w- c:\program files\Opera
2009-07-04 10:56 . 2009-07-04 10:56 203776 ----a-w- c:\windows\system32\clrviddc.dll
2009-07-04 10:50 . 2008-05-30 12:00 -------- d-----w- c:\program files\Common Files\Real
2009-07-04 10:50 . 2009-07-04 10:50 -------- d-----w- c:\program files\Common Files\xing shared
2009-07-04 10:49 . 2008-05-30 12:00 -------- d-----w- c:\program files\Real
2009-07-04 10:49 . 2003-03-18 12:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-07-03 16:55 . 2004-08-08 03:33 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-02 11:26 . 2008-08-22 12:13 637592 ----a-w- c:\windows\system32\kmon.dll
2009-06-28 06:46 . 2009-06-28 06:17 -------- d-----w- c:\documents and settings\haier\Application Data\KVIrc
2009-06-28 06:18 . 2009-06-28 05:39 -------- d-----w- c:\program files\KVIrc
2009-06-25 18:34 . 2004-08-08 03:33 95744 ----a-w- c:\windows\system32\mqsec.dll
2009-06-25 18:34 . 2004-08-08 03:33 661504 ----a-w- c:\windows\system32\mqqm.dll
2009-06-25 18:34 . 2004-08-08 03:33 517120 ----a-w- c:\windows\system32\mqsnap.dll
2009-06-25 18:34 . 2004-08-08 03:33 48640 ----a-w- c:\windows\system32\mqupgrd.dll
2009-06-25 18:34 . 2004-08-08 03:33 47104 ----a-w- c:\windows\system32\mqdscli.dll
2009-06-25 18:34 . 2004-08-08 03:33 291328 ----a-w- c:\windows\system32\mqutil.dll
2009-06-25 18:34 . 2004-08-08 03:33 225280 ----a-w- c:\windows\system32\mqoa.dll
2009-06-25 18:34 . 2004-08-08 03:33 186880 ----a-w- c:\windows\system32\mqtrig.dll
2009-06-25 18:34 . 2004-08-08 03:33 177152 ----a-w- c:\windows\system32\mqrt.dll
2009-06-25 18:34 . 2004-08-08 03:33 16896 ----a-w- c:\windows\system32\mqise.dll
2009-06-25 18:34 . 2004-08-08 03:33 138240 ----a-w- c:\windows\system32\mqad.dll
2009-06-25 18:34 . 2004-08-08 03:33 123392 ----a-w- c:\windows\system32\mqrtdep.dll
2009-06-25 08:18 . 2004-08-08 03:33 707072 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:18 . 2004-08-08 03:33 59392 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:18 . 2004-08-08 03:33 56320 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:18 . 2004-08-08 03:33 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:18 . 2004-08-08 03:33 168448 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:18 . 2004-08-08 03:33 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 12:48 . 2009-06-24 12:48 -------- d-----w- c:\program files\iPod
2009-06-24 12:48 . 2008-12-23 16:43 -------- d-----w- c:\program files\Common Files\Apple
2009-06-24 12:45 . 2009-06-24 12:44 -------- d-----w- c:\program files\QuickTime
2009-06-24 12:35 . 2009-06-24 12:35 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-22 11:49 . 2004-08-08 03:33 19968 ----a-w- c:\windows\system32\mqbkup.exe
2009-06-22 11:49 . 2004-08-08 03:33 117248 ----a-w- c:\windows\system32\mqtgsvc.exe
2009-06-22 11:49 . 2004-08-08 03:33 4608 ----a-w- c:\windows\system32\mqsvc.exe
2009-06-22 11:48 . 2004-08-08 03:33 91776 ----a-w- c:\windows\system32\drivers\mqac.sys
2009-06-22 11:35 . 2004-08-08 03:33 92544 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:53 . 2004-08-08 03:33 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:53 . 2004-08-08 03:33 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 11:32 . 2004-08-08 03:33 85504 ----a-w- c:\windows\system32\telnet.exe
2009-06-15 11:32 . 2004-08-08 03:33 74240 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-10 14:23 . 2004-08-08 03:33 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:26 . 2004-08-08 03:33 134144 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-05 07:41 . 2008-04-17 09:02 655872 ----a-w- c:\windows\system32\mstscax.dll
2009-06-03 19:25 . 2004-08-08 03:33 1272832 ----a-w- c:\windows\system32\quartz.dll
2009-05-30 18:19 . 2008-05-02 18:00 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-05-02 18:00 . 2008-05-02 18:00 8 --sh--r- c:\windows\system32\5F22D8A524.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-08-15_11.10.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-20 02:59 . 2009-08-20 02:59 16384 c:\windows\Temp\Perflib_Perfdata_5c0.dat
+ 2009-08-20 02:59 . 2009-08-20 02:59 16384 c:\windows\Temp\Perflib_Perfdata_528.dat
- 2004-08-08 03:33 . 2009-07-12 19:20 68490 c:\windows\system32\perfc009.dat
+ 2004-08-08 03:33 . 2009-08-15 12:04 68490 c:\windows\system32\perfc009.dat
+ 2009-08-15 11:41 . 2009-05-11 02:12 28520 c:\windows\system32\drivers\ssmdrv.sys
+ 2008-11-24 20:59 . 2008-11-24 20:59 31560 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe
+ 2009-08-15 12:09 . 2009-08-15 12:09 60928 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationProvider\a715aa442ef87ae99b3ade185599249d\UIAutomationProvider.ni.dll
+ 2009-08-15 16:54 . 2009-08-15 16:54 37888 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Pres#\423f794d1f4ed6e120fbb02e436491cb\System.Windows.Presentation.ni.dll
+ 2009-08-15 16:53 . 2009-08-15 16:53 36864 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\19ca1747c1ea18a3b639b302bca8df93\System.Web.DynamicData.Design.ni.dll
+ 2009-08-15 16:52 . 2009-08-15 16:52 94208 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ComponentMod#\532438e2acfcadc469a4d468c51f8451\System.ComponentModel.DataAnnotations.ni.dll
+ 2009-08-15 16:52 . 2009-08-15 16:52 82944 c:\windows\assembly\NativeImages_v2.0.50727_32\System.AddIn.Contra#\597b20e1b053d6a510cfe033c07a63e6\System.AddIn.Contract.ni.dll
+ 2009-08-15 12:07 . 2009-08-15 12:07 47104 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFontCac#\2d7408a0232f2e2efd0d7adf5dfa733a\PresentationFontCache.ni.exe
+ 2009-08-15 12:07 . 2009-08-15 12:07 39424 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationCFFRast#\c8fd2d9233f8ea3031fb16f697635231\PresentationCFFRasterizer.ni.dll
+ 2009-08-15 16:53 . 2009-08-15 16:53 55296 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Vsa\790cf1edb17ee41b59be62ecbd59613b\Microsoft.Vsa.ni.dll
+ 2009-08-15 16:51 . 2009-08-15 16:51 65024 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\e9aba2eab90d647356f65e66053da02b\Microsoft.Build.Framework.ni.dll
+ 2009-08-15 16:51 . 2009-08-15 16:51 74752 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\28343d470d992f169ca0e7cdb3cc3117\Microsoft.Build.Framework.ni.dll
+ 2009-08-15 16:51 . 2009-08-15 16:51 14336 c:\windows\assembly\NativeImages_v2.0.50727_32\dfsvc\f4e38208e88cb4cc314a1d6543b9fcc6\dfsvc.ni.exe
+ 2009-08-15 16:51 . 2009-08-15 16:51 25600 c:\windows\assembly\NativeImages_v2.0.50727_32\Accessibility\11eb4f6606ba01e5128805759121ea6c\Accessibility.ni.dll
+ 2009-08-15 12:03 . 2009-08-15 12:03 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
- 2009-07-12 19:09 . 2009-07-12 19:09 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
+ 2009-08-15 12:03 . 2009-08-15 12:03 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
- 2009-07-12 19:09 . 2009-07-12 19:09 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2009-08-15 12:04 . 2009-08-15 12:04 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
- 2009-07-12 19:09 . 2009-07-12 19:09 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
+ 2009-08-15 12:03 . 2009-08-15 12:03 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
- 2009-07-12 19:09 . 2009-07-12 19:09 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
- 2009-07-12 19:10 . 2009-07-12 19:10 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2009-08-15 12:04 . 2009-08-15 12:04 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2009-08-15 12:03 . 2009-08-15 12:03 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
- 2009-07-12 19:10 . 2009-07-12 19:10 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
- 2009-07-12 19:10 . 2009-07-12 19:10 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
+ 2009-08-15 12:03 . 2009-08-15 12:03 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
- 2009-07-12 19:09 . 2009-07-12 19:09 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
+ 2009-08-15 12:03 . 2009-08-15 12:03 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
+ 2009-08-15 12:03 . 2009-08-15 12:03 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
- 2009-07-12 19:10 . 2009-07-12 19:10 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
- 2009-07-12 19:09 . 2009-07-12 19:09 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2009-08-15 12:03 . 2009-08-15 12:03 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2009-08-15 12:03 . 2009-08-15 12:03 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
- 2009-07-12 19:09 . 2009-07-12 19:09 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
- 2009-07-12 19:10 . 2009-07-12 19:10 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
+ 2009-08-15 12:03 . 2009-08-15 12:03 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
- 2009-07-12 19:09 . 2009-07-12 19:09 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
+ 2009-08-15 12:03 . 2009-08-15 12:03 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
+ 2009-08-15 12:04 . 2009-08-15 12:04 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
- 2009-07-12 19:10 . 2009-07-12 19:10 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
+ 2009-08-15 12:03 . 2009-08-15 12:03 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
- 2009-07-12 19:09 . 2009-07-12 19:09 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
+ 2009-08-15 12:03 . 2009-08-15 12:03 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
- 2009-07-12 19:10 . 2009-07-12 19:10 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
+ 2009-08-15 12:03 . 2009-08-15 12:03 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
- 2009-07-12 19:10 . 2009-07-12 19:10 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
- 2009-07-12 19:10 . 2009-07-12 19:10 8192 c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
+ 2009-08-15 12:04 . 2009-08-15 12:04 8192 c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
+ 2009-08-15 12:03 . 2009-08-15 12:03 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
- 2009-07-12 19:09 . 2009-07-12 19:09 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
- 2009-07-12 19:09 . 2009-07-12 19:09 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
+ 2009-08-15 12:03 . 2009-08-15 12:03 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
+ 2009-08-18 09:32 . 2009-08-19 21:54 205736 c:\windows\system32\Restore\rstrlog.dat
- 2004-08-08 03:33 . 2009-07-12 19:20 435584 c:\windows\system32\perfh009.dat
+ 2004-08-08 03:33 . 2009-08-15 12:04 435584 c:\windows\system32\perfh009.dat
+ 2009-08-16 12:39 . 2009-08-16 12:39 149280 c:\windows\system32\javaws.exe
+ 2009-08-16 12:39 . 2009-08-16 12:39 145184 c:\windows\system32\javaw.exe
+ 2009-08-16 12:39 . 2009-08-16 12:39 145184 c:\windows\system32\java.exe
+ 2004-08-08 03:33 . 2008-06-20 11:51 361600 c:\windows\system32\dllcache\tcpip.sys
+ 2009-08-16 12:33 . 2009-08-16 12:33 270336 c:\windows\system32\config\systemprofile\ntuser.dat
+ 2008-11-24 20:59 . 2008-11-24 20:59 436040 c:\windows\Microsoft.NET\Framework\v2.0.50727\webengine.dll
- 2008-07-25 03:17 . 2008-07-25 03:17 486400 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Data.OracleClient.dll
+ 2008-11-24 20:59 . 2008-11-24 20:59 486400 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Data.OracleClient.dll
+ 2008-11-24 20:59 . 2008-11-24 20:59 364872 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
+ 2008-11-24 20:59 . 2008-11-24 20:59 990032 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll
+ 2009-08-19 21:59 . 2009-08-19 21:59 472064 c:\windows\Installer\44b71.msi
+ 2008-12-13 01:58 . 2008-12-13 01:58 754688 c:\windows\Installer\3034f7.msp
+ 2009-08-15 16:51 . 2009-08-15 16:51 321536 c:\windows\assembly\NativeImages_v2.0.50727_32\WsatConfig\2ef5bc3a2edd7570bb23886a4f32294a\WsatConfig.ni.exe
+ 2009-08-15 12:10 . 2009-08-15 12:10 240128 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsFormsIntegra#\6a818099f0386e2356ae94f886a2196f\WindowsFormsIntegration.ni.dll
+ 2009-08-15 12:09 . 2009-08-15 12:09 187904 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationTypes\a6d9503962d47c722231c1478f180695\UIAutomationTypes.ni.dll
+ 2009-08-15 12:09 . 2009-08-15 12:09 447488 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationClient\5c028c3d8db6c0f0277673ea4a2d89fb\UIAutomationClient.ni.dll
+ 2009-08-15 16:54 . 2009-08-15 16:54 400896 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Xml.Linq\c338a470b14851ce5987bb0f0869c310\System.Xml.Linq.ni.dll
+ 2009-08-15 16:53 . 2009-08-15 16:53 129536 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Routing\bb77ea11f46ab438b2b7ed7c180011a1\System.Web.Routing.ni.dll
+ 2009-08-15 16:53 . 2009-08-15 16:53 202240 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.RegularE#\6ee255220d90dcbe80c990e443051cc5\System.Web.RegularExpressions.ni.dll
+ 2009-08-15 16:53 . 2009-08-15 16:53 859648 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\58f62044fa702ea6f936071aa5520baa\System.Web.Extensions.Design.ni.dll
+ 2009-08-15 16:53 . 2009-08-15 16:53 328704 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity\79c29ac85dd57dd485ab60118ac292ff\System.Web.Entity.ni.dll
+ 2009-08-15 16:53 . 2009-08-15 16:53 301056 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity.D#\d3d65e34fa60f0b6c72ca0d12ec89933\System.Web.Entity.Design.ni.dll
+ 2009-08-15 16:53 . 2009-08-15 16:53 547328 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\b7891f5659db299dbd1b3c72db7edb9f\System.Web.DynamicData.ni.dll
+ 2009-08-15 16:53 . 2009-08-15 16:53 141312 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Abstract#\00ec08741a765c707bd9169346064a81\System.Web.Abstractions.ni.dll
+ 2009-08-15 16:53 . 2009-08-15 16:53 627200 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Transactions\5a555c9ae6984c40157cf940bb519f7c\System.Transactions.ni.dll
+ 2009-08-15 16:53 . 2009-08-15 16:53 212992 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\ea3366939280c1715f1c620e33ee3c8a\System.ServiceProcess.ni.dll
+ 2009-08-15 16:51 . 2009-08-15 16:51 676352 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Security\1c8df2da33222c048d683017f2095f04\System.Security.ni.dll
+ 2009-08-15 16:53 . 2009-08-15 16:53 311296 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\bfd6e16d8c3589cd2bd3f8d46f0a5402\System.Runtime.Serialization.Formatters.Soap.ni.dll
+ 2009-08-15 16:53 . 2009-08-15 16:53 621056 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Net\519d9c618341b136f9b963ffb7495308\System.Net.ni.dll
+ 2009-08-15 16:53 . 2009-08-15 16:53 998400 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management\8642fdfbf02a6cb6f01169fe6fdb5d11\System.Management.ni.dll
+ 2009-08-15 16:53 . 2009-08-15 16:53 330752 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management.I#\1d3fbbd23ce1e8637ef4f40a8d23cd32\System.Management.Instrumentation.ni.dll
+ 2009-08-15 16:50 . 2009-08-15 16:50 381440 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IO.Log\7c367a96b10d626ec8cbf8149272d845\System.IO.Log.ni.dll
+ 2009-08-15 16:51 . 2009-08-15 16:51 212992 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IdentityMode#\68e71147704ef0d34d9a4bece7767fc5\System.IdentityModel.Selectors.ni.dll
+ 2009-08-15 16:53 . 2009-08-15 16:53 280064 c:\windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\4267bd908175603006c6c90bb5d900c7\System.EnterpriseServices.Wrapper.dll
+ 2009-08-15 16:53 . 2009-08-15 16:53 627712 c:\windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\4267bd908175603006c6c90bb5d900c7\System.EnterpriseServices.ni.dll
+ 2009-08-15 12:09 . 2009-08-15 12:09 208384 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Drawing.Desi#\18bbe2b6717e7f1d1dd672526e9889ee\System.Drawing.Design.ni.dll
+ 2009-08-15 16:53 . 2009-08-15 16:53 455680 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\c434a07332ce490711c27fd0edb7562f\System.DirectoryServices.Protocols.ni.dll
+ 2009-08-15 16:53 . 2009-08-15 16:53 881152 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\8b3bb7a2c2f3ffe94c866283f1cd5957\System.DirectoryServices.AccountManagement.ni.dll
+ 2009-08-15 16:53 . 2009-08-15 16:53 939008 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Service#\a4b887f476fa4b8746a93a9fc2208560\System.Data.Services.Client.ni.dll
+ 2009-08-15 16:53 . 2009-08-15 16:53 354816 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Service#\1cf3acad6553d6c59df576794f4e8bd6\System.Data.Services.Design.ni.dll
+ 2009-08-15 16:53 . 2009-08-15 16:53 756736 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Entity.#\392de34573f9f8ec885714f2f3e7f07f\System.Data.Entity.Design.ni.dll
+ 2009-08-15 16:52 . 2009-08-15 16:52 135680 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.DataSet#\1db495ff00bbd14df4af6680c4de0653\System.Data.DataSetExtensions.ni.dll
+ 2009-08-15 16:51 . 2009-08-15 16:51 971264 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\b82c00e2d24305ad6cb08556e3779b75\System.Configuration.ni.dll
+ 2009-08-15 16:53 . 2009-08-15 16:53 141312 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuratio#\de514e484e49b04b016949d57ffac03e\System.Configuration.Install.ni.dll
+ 2009-08-15 16:52 . 2009-08-15 16:52 633856 c:\windows\assembly\NativeImages_v2.0.50727_32\System.AddIn\ce984d754e3c0b6be4504b785cc43574\System.AddIn.ni.dll
+ 2009-08-15 16:51 . 2009-08-15 16:51 366080 c:\windows\assembly\NativeImages_v2.0.50727_32\SMSvcHost\045dd501b7257b1cc26083538ae69045\SMSvcHost.ni.exe
+ 2009-08-15 16:51 . 2009-08-15 16:51 256000 c:\windows\assembly\NativeImages_v2.0.50727_32\SMDiagnostics\9790551187e294b4ed3aaa1c221891c7\SMDiagnostics.ni.dll
+ 2009-08-15 16:51 . 2009-08-15 16:51 320512 c:\windows\assembly\NativeImages_v2.0.50727_32\ServiceModelReg\10a0c9707876fc1f65e64b811a28b020\ServiceModelReg.ni.exe
+ 2009-08-15 12:08 . 2009-08-15 12:08 224768 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\f475294d8c7dc2dd4febeef27bc0417e\PresentationFramework.Classic.ni.dll
+ 2009-08-15 12:08 . 2009-08-15 12:08 539648 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\8003abaf6bcf70f7eb620d06837e897b\PresentationFramework.Luna.ni.dll
+ 2009-08-15 12:08 . 2009-08-15 12:08 368128 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\59a67874d8d8475faa5be1d993083d12\PresentationFramework.Aero.ni.dll
+ 2009-08-15 12:08 . 2009-08-15 12:08 258048 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\2c980c9a5051d723c6ec2a78a3d0e2b3\PresentationFramework.Royale.ni.dll
+ 2009-08-15 16:51 . 2009-08-15 16:51 133632 c:\windows\assembly\NativeImages_v2.0.50727_32\MSBuild\6d38e317128608bc4516ea46ab94590e\MSBuild.ni.exe
+ 2009-08-15 16:51 . 2009-08-15 16:51 386560 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\1820d6a012fc0e16c3e1d29d973cd2d0\Microsoft.Transactions.Bridge.Dtc.ni.dll
+ 2009-08-15 16:52 . 2009-08-15 16:52 144384 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\55b9eff9e23359faed4351386c062238\Microsoft.Build.Utilities.ni.dll
+ 2009-08-15 16:52 . 2009-08-15 16:52 175104 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\4217124db1ea5de5f1a1f3eea75e8d32\Microsoft.Build.Utilities.v3.5.ni.dll
+ 2009-08-15 16:51 . 2009-08-15 16:51 839680 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\96825c34d7e1f7df1923ff2123bed8da\Microsoft.Build.Engine.ni.dll
+ 2009-08-15 16:51 . 2009-08-15 16:51 222720 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Con#\9b321ebf67587237f576df6104a32588\Microsoft.Build.Conversion.v3.5.ni.dll
+ 2009-08-15 16:51 . 2009-08-15 16:51 220672 c:\windows\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\9bea05938bee3555c5aa8763d89a68f9\CustomMarshalers.ni.dll
+ 2009-08-15 16:51 . 2009-08-15 16:51 410112 c:\windows\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\12629e2f3e315459bee67cbbaac85cb2\ComSvcConfig.ni.exe
+ 2009-08-15 16:51 . 2009-08-15 16:51 842240 c:\windows\assembly\NativeImages_v2.0.50727_32\AspNetMMCExt\b5b2feadc3943e3976daebc0bcd2b5e2\AspNetMMCExt.ni.dll
- 2009-07-12 19:09 . 2009-07-12 19:09 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
+ 2009-08-15 12:03 . 2009-08-15 12:03 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
+ 2009-08-15 12:03 . 2009-08-15 12:03 835584 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
- 2009-07-12 19:09 . 2009-07-12 19:09 835584 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
- 2009-07-12 19:16 . 2009-07-12 19:16 139264 c:\windows\assembly\GAC_MSIL\System.Web.Entity\3.5.0.0__b77a5c561934e089\System.Web.Entity.dll
+ 2009-08-15 12:05 . 2009-08-15 12:05 139264 c:\windows\assembly\GAC_MSIL\System.Web.Entity\3.5.0.0__b77a5c561934e089\System.Web.Entity.dll
+ 2009-08-15 12:05 . 2009-08-15 12:05 229376 c:\windows\assembly\GAC_MSIL\System.Web.DynamicData\3.5.0.0__31bf3856ad364e35\System.Web.DynamicData.dll
+ 2009-08-15 12:04 . 2009-08-15 12:04 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
- 2009-07-12 19:09 . 2009-07-12 19:09 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
+ 2009-08-15 12:04 . 2009-08-15 12:04 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
- 2009-07-12 19:09 . 2009-07-12 19:09 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
+ 2009-08-15 12:03 . 2009-08-15 12:03 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
- 2009-07-12 19:09 . 2009-07-12 19:09 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
- 2009-07-12 19:09 . 2009-07-12 19:09 303104 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
+ 2009-08-15 12:03 . 2009-08-15 12:03 303104 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
+ 2009-08-15 12:03 . 2009-08-15 12:03 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
- 2009-07-12 19:09 . 2009-07-12 19:09 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
- 2009-07-12 19:09 . 2009-07-12 19:09 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
+ 2009-08-15 12:03 . 2009-08-15 12:03 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
- 2009-07-12 19:10 . 2009-07-12 19:10 626688 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
+ 2009-08-15 12:04 . 2009-08-15 12:04 626688 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
+ 2009-08-15 12:03 . 2009-08-15 12:03 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
- 2009-07-12 19:09 . 2009-07-12 19:09 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
- 2009-07-12 19:09 . 2009-07-12 19:09 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
+ 2009-08-15 12:03 . 2009-08-15 12:03 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
- 2009-07-12 19:10 . 2009-07-12 19:10 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
+ 2009-08-15 12:04 . 2009-08-15 12:04 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
- 2009-07-12 19:10 . 2009-07-12 19:10 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
+ 2009-08-15 12:04 . 2009-08-15 12:04 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
- 2009-07-12 19:15 . 2009-07-12 19:15 442368 c:\windows\assembly\GAC_MSIL\System.Data.Services\3.5.0.0__b77a5c561934e089\System.Data.Services.dll
+ 2009-08-15 12:05 . 2009-08-15 12:05 442368 c:\windows\assembly\GAC_MSIL\System.Data.Services\3.5.0.0__b77a5c561934e089\System.Data.Services.dll
- 2009-07-12 19:15 . 2009-07-12 19:15 294912 c:\windows\assembly\GAC_MSIL\System.Data.Services.Client\3.5.0.0__b77a5c561934e089\System.Data.Services.Client.dll
+ 2009-08-15 12:05 . 2009-08-15 12:05 294912 c:\windows\assembly\GAC_MSIL\System.Data.Services.Client\3.5.0.0__b77a5c561934e089\System.Data.Services.Client.dll
- 2009-07-12 19:10 . 2009-07-12 19:10 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
+ 2009-08-15 12:04 . 2009-08-15 12:04 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
- 2009-07-12 19:09 . 2009-07-12 19:09 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
+ 2009-08-15 12:03 . 2009-08-15 12:03 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
+ 2009-08-15 12:03 . 2009-08-15 12:03 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
- 2009-07-12 19:09 . 2009-07-12 19:09 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
- 2009-07-12 19:09 . 2009-07-12 19:09 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
+ 2009-08-15 12:03 . 2009-08-15 12:03 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
+ 2009-08-15 12:03 . 2009-08-15 12:03 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
- 2009-07-12 19:09 . 2009-07-12 19:09 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
+ 2009-08-15 12:03 . 2009-08-15 12:03 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
- 2009-07-12 19:09 . 2009-07-12 19:09 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
- 2009-07-12 19:09 . 2009-07-12 19:09 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
+ 2009-08-15 12:03 . 2009-08-15 12:03 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
- 2009-07-12 19:09 . 2009-07-12 19:09 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
+ 2009-08-15 12:03 . 2009-08-15 12:03 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
- 2009-07-12 19:09 . 2009-07-12 19:09 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
+ 2009-08-15 12:03 . 2009-08-15 12:03 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
- 2009-07-12 19:09 . 2009-07-12 19:09 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
+ 2009-08-15 12:03 . 2009-08-15 12:03 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
- 2009-07-12 19:09 . 2009-07-12 19:09 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
+ 2009-08-15 12:03 . 2009-08-15 12:03 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
- 2009-07-12 19:09 . 2009-07-12 19:09 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
+ 2009-08-15 12:03 . 2009-08-15 12:03 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
- 2009-07-12 19:09 . 2009-07-12 19:09 486400 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2009-08-15 12:03 . 2009-08-15 12:03 486400 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2008-12-05 11:35 . 2008-12-05 11:35 1736528 c:\windows\Microsoft.NET\Framework\v3.0\WPF\wpfgfx_v0300.dll
- 2008-07-29 11:16 . 2008-07-29 11:16 5931008 c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\System.ServiceModel.dll
+ 2008-12-05 12:12 . 2008-12-05 12:12 5931008 c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\System.ServiceModel.dll
+ 2008-11-24 20:59 . 2008-11-24 20:59 2048000 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.XML.dll
- 2008-07-25 03:17 . 2008-07-25 03:17 2048000 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.XML.dll
+ 2008-11-24 20:59 . 2008-11-24 20:59 5242880 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Web.dll
+ 2008-11-24 20:59 . 2008-11-24 20:59 5813576 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
+ 2008-11-24 20:59 . 2008-11-24 20:59 4546560 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
- 2008-07-25 03:17 . 2008-07-25 03:17 4546560 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
+ 2008-12-13 01:57 . 2008-12-13 01:57 8397824 c:\windows\Installer\3034e0.msp
+ 2009-08-15 12:08 . 2009-08-15 12:08 3313664 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\14cd5f4b61d35f9b76327d6be9853755\WindowsBase.ni.dll
+ 2009-08-15 12:09 . 2009-08-15 12:09 1049600 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationClients#\f3c7957351aec85f526a3350c9718b1e\UIAutomationClientsideProviders.ni.dll
+ 2009-08-15 12:07 . 2009-08-15 12:07 7868416 c:\windows\assembly\NativeImages_v2.0.50727_32\System\80978a322d7dd39f0a71be1251ae395a\System.ni.dll
+ 2009-08-15 12:09 . 2009-08-15 12:09 5450752 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Xml\773a9786013451d3baaeff003dc4230f\System.Xml.ni.dll
+ 2009-08-15 16:54 . 2009-08-15 16:54 1356288 c:\windows\assembly\NativeImages_v2.0.50727_32\System.WorkflowServ#\ac1750e78d79520dcf19195772eff1b6\System.WorkflowServices.ni.dll
+ 2009-08-15 16:54 . 2009-08-15 16:54 1908224 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Run#\d265da36954fcb4cb7ad5adc693ea0f2\System.Workflow.Runtime.ni.dll
+ 2009-08-15 16:54 . 2009-08-15 16:54 4514304 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Com#\693a8fbe6f7ad6e4e429052da4317e59\System.Workflow.ComponentModel.ni.dll
+ 2009-08-15 16:54 . 2009-08-15 16:54 2992640 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Act#\cc99fbbac0b6e4e9ca62093e49b0c16b\System.Workflow.Activities.ni.dll
+ 2009-08-15 16:53 . 2009-08-15 16:53 1840640 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Services\b57bb002a655920cbfa2bee29d1e22b7\System.Web.Services.ni.dll
+ 2009-08-15 16:53 . 2009-08-15 16:53 2209280 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Mobile\81197e32ec931f439b3114e9031b65d6\System.Web.Mobile.ni.dll
+ 2009-08-15 16:53 . 2009-08-15 16:53 2403328 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\7f64c9d25471b72e1e957bdfe67947c8\System.Web.Extensions.ni.dll
+ 2009-08-15 16:53 . 2009-08-15 16:53 1917440 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Speech\63cf639b6e0a3c25c1643c85016e7422\System.Speech.ni.dll
+ 2009-08-15 16:53 . 2009-08-15 16:53 1706496 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel#\340cad17fe57947eacbc8fa2cea780da\System.ServiceModel.Web.ni.dll
+ 2009-08-15 16:51 . 2009-08-15 16:51 2338304 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\034c91b133dee73d452652c52767b5ea\System.Runtime.Serialization.ni.dll
+ 2009-08-15 12:09 . 2009-08-15 12:09 1035264 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Printing\646ab52eef343380aa002c220dc31e13\System.Printing.ni.dll
+ 2009-08-15 16:50 . 2009-08-15 16:50 1056768 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IdentityModel\c2de8479e54852f56996f79bc93acb13\System.IdentityModel.ni.dll
+ 2009-08-15 12:09 . 2009-08-15 12:09 1587200 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\3da96ee075bab9202626ae44c18d226c\System.Drawing.ni.dll
+ 2009-08-15 16:53 . 2009-08-15 16:53 1116672 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\543aced762f6b0c3f8e037955941afc6\System.DirectoryServices.ni.dll
+ 2009-08-15 16:53 . 2009-08-15 16:53 1801216 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Deployment\a6b58624486714fa71e5e35186850ff0\System.Deployment.ni.dll
+ 2009-08-15 12:09 . 2009-08-15 12:09 6616576 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data\c70731047b0022638b3f9fb158948a03\System.Data.ni.dll
+ 2009-08-15 16:51 . 2009-08-15 16:51 2510336 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.SqlXml\826b09ab0d0e36f4d631b4cd335df511\System.Data.SqlXml.ni.dll
+ 2009-08-15 16:53 . 2009-08-15 16:53 1328128 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Services\956a513dcbd44d5a6801840ef2b0b47b\System.Data.Services.ni.dll
+ 2009-08-15 12:09 . 2009-08-15 12:09 2516480 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Linq\0bbec79460b1137df5313f9baf7b246f\System.Data.Linq.ni.dll
+ 2009-08-15 16:52 . 2009-08-15 16:52 9924096 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Entity\6479f975b105808a8d9e7a7fdc762551\System.Data.Entity.ni.dll
+ 2009-08-15 12:09 . 2009-08-15 12:09 2295296 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Core\47d87251e93256c635eb73403b8db33e\System.Core.ni.dll
+ 2009-08-15 12:09 . 2009-08-15 12:09 2128896 c:\windows\assembly\NativeImages_v2.0.50727_32\ReachFramework\4bfb3048bf200a6a8592d1b4ba861a7f\ReachFramework.ni.dll
+ 2009-08-15 12:08 . 2009-08-15 12:08 1657856 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationUI\6bafb1a2a73794ddb9761cb321c9e7e2\PresentationUI.ni.dll
+ 2009-08-15 12:07 . 2009-08-15 12:07 1451008 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationBuildTa#\e634bc4c4a00635a0a254febab0e2e2c\PresentationBuildTasks.ni.dll
+ 2009-08-15 16:52 . 2009-08-15 16:52 1712128 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\1c86afc399d0fdd8e069266ffbe748d1\Microsoft.VisualBasic.ni.dll
+ 2009-08-15 16:51 . 2009-08-15 16:51 1093120 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\6b2f62f5e981913fce1d223f645d9ddf\Microsoft.Transactions.Bridge.ni.dll
+ 2009-08-15 16:53 . 2009-08-15 16:53 2332160 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.JScript\b261961046545831aa60963e84905968\Microsoft.JScript.ni.dll
+ 2009-08-15 16:51 . 2009-08-15 16:51 1620992 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\bd241492d96db39f20e758c13c845033\Microsoft.Build.Tasks.ni.dll
+ 2009-08-15 16:52 . 2009-08-15 16:52 1966080 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\a47100d8f4574bed2d49d83d0ab8964e\Microsoft.Build.Tasks.v3.5.ni.dll
+ 2009-08-15 16:51 . 2009-08-15 16:51 1888768 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\6cfe582681724965fb817e8ece5f0909\Microsoft.Build.Engine.ni.dll
+ 2009-08-15 12:04 . 2009-08-15 12:04 3149824 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
- 2009-07-12 19:10 . 2009-07-12 19:10 3149824 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
- 2009-07-12 19:10 . 2009-07-12 19:10 2048000 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
+ 2009-08-15 12:04 . 2009-08-15 12:04 2048000 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
+ 2009-08-15 12:03 . 2009-08-15 12:03 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
- 2009-07-12 19:09 . 2009-07-12 19:09 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
+ 2009-08-15 12:05 . 2009-08-15 12:05 1277952 c:\windows\assembly\GAC_MSIL\System.Web.Extensions\3.5.0.0__31bf3856ad364e35\System.Web.Extensions.dll
- 2009-07-12 19:16 . 2009-07-12 19:16 1277952 c:\windows\assembly\GAC_MSIL\System.Web.Extensions\3.5.0.0__31bf3856ad364e35\System.Web.Extensions.dll
- 2009-07-12 19:13 . 2009-07-12 19:13 5931008 c:\windows\assembly\GAC_MSIL\System.ServiceModel\3.0.0.0__b77a5c561934e089\System.ServiceModel.dll
+ 2009-08-15 12:04 . 2009-08-15 12:04 5931008 c:\windows\assembly\GAC_MSIL\System.ServiceModel\3.0.0.0__b77a5c561934e089\System.ServiceModel.dll
- 2009-07-12 19:09 . 2009-07-12 19:09 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
+ 2009-08-15 12:03 . 2009-08-15 12:03 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
- 2009-07-12 19:14 . 2009-07-12 19:14 5283840 c:\windows\assembly\GAC_MSIL\PresentationFramework\3.0.0.0__31bf3856ad364e35\PresentationFramework.dll
+ 2009-08-15 12:04 . 2009-08-15 12:04 5283840 c:\windows\assembly\GAC_MSIL\PresentationFramework\3.0.0.0__31bf3856ad364e35\PresentationFramework.dll
+ 2009-08-15 12:03 . 2009-08-15 12:03 5242880 c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
+ 2009-08-15 12:04 . 2009-08-15 12:04 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
- 2009-07-12 19:10 . 2009-07-12 19:10 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
- 2009-07-12 19:10 . 2009-07-12 19:10 4546560 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
+ 2009-08-15 12:03 . 2009-08-15 12:03 4546560 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
+ 2008-12-13 02:21 . 2008-12-13 02:21 10473472 c:\windows\Installer\3034eb.msp
+ 2009-08-15 12:05 . 2009-08-15 12:05 11073536 c:\windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP10E.tmp\mscorlib.dll
+ 2009-08-15 12:09 . 2009-08-15 12:09 12430848 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\63406259e94d5c0ff5b79401dfe113ce\System.Windows.Forms.ni.dll
+ 2009-08-15 16:53 . 2009-08-15 16:53 11796992 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web\3963ce03d445a8619abbf388d590134b\System.Web.ni.dll
+ 2009-08-15 16:51 . 2009-08-15 16:51 17317888 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel\4146033013edebd7e0cb604e504ebfee\System.ServiceModel.ni.dll
+ 2009-08-15 12:09 . 2009-08-15 12:09 10683392 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Design\8ee220bc3cce4f7bbd7818946519ed7f\System.Design.ni.dll
+ 2009-08-15 12:08 . 2009-08-15 12:08 14327808 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\96e710f47c601cba3f2348a8d11ddede\PresentationFramework.ni.dll
+ 2009-08-15 12:08 . 2009-08-15 12:08 12216320 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\956375d487cbef36165b3250030e3574\PresentationCore.ni.dll
+ 2009-08-15 12:07 . 2009-08-15 12:07 11486720 c:\windows\assembly\NativeImages_v2.0.50727_32\mscorlib\6d667f19d687361886990f3ca0f49816\mscorlib.ni.dll
.
-- 快照技术重新设置 --
.
((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-08 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-08 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-08 455168]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-03-10 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-03-10 126976]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872]
"Microsoft Pinyin IME Migration"="c:\progra~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE" [2006-10-26 32560]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"RemoteControl"="e:\program files windows\CyberLink\PowerDVD\PDVDServ.exe" [2008-01-22 81920]
"LanguageShortcut"="e:\program files windows\CyberLink\PowerDVD\Language\Language.exe" [2007-10-11 62760]
"BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2007-11-17 91432]
"Nitro PDF Printer Monitor"="e:\program files windows\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe" [2008-06-25 210224]
"OSSelectorReinstall"="c:\program files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe" [2005-11-29 1544099]
"runeip"="c:\program files\Rising\AntiSpyware\rstray.exe" [2009-04-28 141936]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-07-04 198160]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2007-04-16 577536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"KKDelay"="c:\program files\Rising\AntiSpyware\RunOnce.exe" [2008-08-22 68208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2004-08-08 15360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0KKNative.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="e:\program files windows\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"iTunesHelper"="e:\program files windows\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"e:\\Program Files Windows\\SparVoip\\SparVoip.exe"=
"e:\\Program Files Windows\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"e:\\Program Files Windows\\Kingsoft\\PowerWord 2006\\xdict.exe"=
"e:\\Program Files Windows\\Kingsoft\\PowerWord 2006\\update.exe"=
"e:\\Program Files Windows\\Kingsoft\\FastAIT 2006\\FastAIT.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"e:\\Program Files Windows\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"e:\\Program Files Windows\\iTunes\\iTunes.exe"=
"e:\\Program Files Windows\\Autodesk\\Backburner\\monitor.exe"=
"e:\\Program Files Windows\\Autodesk\\Backburner\\manager.exe"=
"e:\\Program Files Windows\\Autodesk\\Backburner\\server.exe"=
"e:\\Program Files Windows\\Autodesk\\3ds Max 2010\\3dsmax.exe"=
"e:\\Program Files Windows\\Autodesk\\3ds Max 2010\\mentalray\\satellite\\raysat_3dsmax2010_32server.exe"=
"e:\\Program Files Windows\\Autodesk\\3ds Max 2010\\mentalray\\satellite\\raysat_3dsmax2010_32.exe"=
"c:\\Program Files\\KVIrc\\kvirc.exe"=
"e:\\Program Files Windows\\Skype\\Phone\\Skype.exe"=

R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2009-7-6 15:35 142592]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-8-15 19:41 108289]
R2 CMBWPS;Cmb WebProtect Support;c:\program files\CMBCHINA\WebProtect\WPService.exe [2008-4-18 18:49 232848]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009-5-13 17:43 604416]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2009-2-9 3:55 472832]
S3 FNDRV;FNDRV;\??\j:\fndrv.sys --> j:\fndrv.sys [?]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-7-9 21:36 31592]
S3 SSDefrag;SSDefrag;c:\windows\system32\drivers\SSDefrag.sys [2008-4-22 5:32 34560]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
‘计划任务’ 文件夹 里的内容

2008-12-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 04:34]
.
.
------- 而外的扫描 -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: 导出到 Microsoft Excel(&X) - e:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} - hxxps://site.cmbchina.com/download/CMBEdit.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-20 14:36
Windows 5.1.2600 Service Pack 2 NTFS

扫描被隐藏的进程 。。。

扫描被隐藏的启动组 。。。

扫描被隐藏的文件 。。。

扫描完成
被隐藏的档案: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\e:\program files windows\CyberLink\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\AppEvents\Schemes\Apps\Conf\ g篘*慂Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_USERS\LocalService\AppEvents\Schemes\Apps\Conf\ g篘*慂Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_USERS\S-1-5-20\AppEvents\Schemes\Apps\Conf\ g篘*慂Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_USERS\S-1-5-21-1229272821-2049760794-1801674531-1003\AppEvents\Schemes\Apps\Conf\ g篘*慂Q\.Current]
@=""

[HKEY_USERS\S-1-5-21-1229272821-2049760794-1801674531-1003\Software\Kingsoft\褢q\隷褘 *2*0*0*6*\Option]
"UseProxy"=dword:00000000
"ProxyNeedLog"=dword:00000000
"ProxyPort"=dword:00000000
"ProxyType"=dword:ffffffff
"ValidateServerAddr"=dword:00000000
"ProxyAddr"=""
"ProxyPwd"=""
"ProxyUser"=""
"SavedPassport"="KSKY0012752"
"BakVSAddr"="cs1.db.kingsoft.com|cs2.db.kingsoft.com|cs3.db.kingsoft.com|cs4.db.kingsoft.com|"
"UpdateServerAddr"="http://up.cb.kingsoft.com/updateFastAIT2006/"
"AutoUpdate"=dword:00000001

[HKEY_USERS\S-1-5-21-1229272821-2049760794-1801674531-1003\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office Excel\Settings\Sb*_]
"PositionInfo-Monitor1"=hex:7b,00,00,00,6d,00,00,00,02,03,00,00,cc,01,00,00

[HKEY_USERS\S-1-5-21-1229272821-2049760794-1801674531-1003\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office Excel\Settings\Sb*_\File Name MRU]
"Value"=multi:"\00\00"
"Maximum Entries"=dword:0000000a

[HKEY_USERS\S-1-5-21-1229272821-2049760794-1801674531-1003\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office Excel\Settings\Sb*_\View]
"Data"=hex:04,16,00,47,28,14,14,14,0d,01,02,01,00,18,41,00,0d,00,fa,08,00,00,
90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,\

[HKEY_USERS\S-1-5-21-1229272821-2049760794-1801674531-1003\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office Word\Settings\Sb*_]
"PositionInfo-Monitor1"=hex:7b,00,00,00,6d,00,00,00,02,03,00,00,cc,01,00,00

[HKEY_USERS\S-1-5-21-1229272821-2049760794-1801674531-1003\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office Word\Settings\Sb*_\File Name MRU]
"Value"=multi:"\00\00"
"Maximum Entries"=dword:0000000a

[HKEY_USERS\S-1-5-21-1229272821-2049760794-1801674531-1003\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office Word\Settings\Sb*_\View]
"Data"=hex:04,16,00,47,28,14,14,14,0d,01,02,01,00,18,41,00,0d,00,fa,08,00,00,
90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,\

[HKEY_USERS\S-1-5-21-1229272821-2049760794-1801674531-1003\Software\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\?R銐宧V *#*0* *縹飴璬>e\Attributes]
"Vendor"="Microsoft"
"Technology"="MMSys"

[HKEY_USERS\S-1-5-21-1229272821-2049760794-1801674531-1003\Software\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\?R銐宧V *#*0* *縹飴璬>e\UI\AudioVolume]
"CLSID"="{364D8E0B-67CB-4547-9948-9E7F1B1743ED}"

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*膥鯪\CLSID]
@="{809B6661-94C4-49E6-B6EC-3F0F862215AA}"

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*膥鯪\CurVer]
@="BDATuner.组件.1"
.
--------------------- 运行进程下的动态链接库 ---------------------

- - - - - - - > 'explorer.exe'(3600)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
.
完成时间: 2009-08-20 14:38
ComboFix-quarantined-files.txt 2009-08-20 06:38

Pre-Run: 2,960,928,768 可用字节
Post-Run: 2,910,900,224 可用字节

532 --- E O F --- 2009-08-15 12:05

#15 paul00001

  • Topic Starter

  • Members
  • 21 posts
  • Gender:Male
  • Local time:09:02 PM

Posted 20 August 2009 - 03:13 AM

Below I post the RSIT log and info.


Logfile of random's system information tool 1.06 (written by random/random)
Run by haier at 2009-08-20 15:50:50
Microsoft Windows XP Professional Service Pack 2
System drive C: has 3 GB (27%) free of 10 GB
Total RAM: 2039 MB (82% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:50:54, on 2009-8-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CMBCHINA\WebProtect\WPService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\WINDOWS\system32\slmdmsr.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
E:\Program Files Windows\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
E:\Program Files Windows\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe
C:\Program Files\Rising\AntiSpyware\rstray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Documents and Settings\haier\桌面\RSIT.exe
C:\Program Files\trend micro\haier.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WebProtect.IEHlpObj - {53763D1D-9CA8-4C7C-9756-A8E6B8FC063B} - C:\Program Files\CMBCHINA\WebProtect\WebProtect.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: 金山快译(&K) - {6C3797D2-3FEF-4cd4-B654-D3AE55B4128C} - E:\Program Files Windows\Kingsoft\FastAIT 2006\IEBand.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [Microsoft Pinyin IME Migration] C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE /INSTALL
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RemoteControl] "E:\Program Files Windows\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "E:\Program Files Windows\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe
O4 - HKLM\..\Run: [Nitro PDF Printer Monitor] "E:\Program Files Windows\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe"
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [runeip] "C:\Program Files\Rising\AntiSpyware\rstray.exe" /startup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\RunOnce: [KKDelay] C:\Program Files\Rising\AntiSpyware\RunOnce.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: 导出到 Microsoft Excel(&X) - res://E:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} (Edit Class) - https://site.cmbchina.com/download/CMBEdit.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.5.0.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour 服务 (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cmb WebProtect Support (CMBWPS) - China Merchants Bank - C:\Program Files\CMBCHINA\WebProtect\WPService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: iPod 服务 (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slmdmsr.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe

--
End of file - 6818 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}]
RealPlayer Download and Record Plugin for Internet Explorer - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll [2009-07-04 329312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53763D1D-9CA8-4C7C-9756-A8E6B8FC063B}]
WebProtect - C:\Program Files\CMBCHINA\WebProtect\WebProtect.dll [2007-08-20 341904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-08-16 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-08-16 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{6C3797D2-3FEF-4cd4-B654-D3AE55B4128C} - 金山快译(&K) - E:\Program Files Windows\Kingsoft\FastAIT 2006\IEBand.dll [2005-08-26 221184]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"=C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [2004-08-08 208952]
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-08 455168]
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-08 455168]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2005-03-10 155648]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2005-03-10 126976]
"UnlockerAssistant"=C:\Program Files\Unlocker\UnlockerAssistant.exe [2006-09-08 15872]
"Microsoft Pinyin IME Migration"=C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE [2006-10-26 32560]
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe [2005-02-16 221184]
"ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2005-02-16 81920]
"RemoteControl"=E:\Program Files Windows\CyberLink\PowerDVD\PDVDServ.exe [2008-01-22 81920]
"LanguageShortcut"=E:\Program Files Windows\CyberLink\PowerDVD\Language\Language.exe [2007-10-11 62760]
"BDRegion"=C:\Program Files\Cyberlink\Shared Files\brs.exe [2007-11-17 91432]
"Nitro PDF Printer Monitor"=E:\Program Files Windows\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe [2008-06-25 210224]
"OSSelectorReinstall"=C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe [2005-11-29 1544099]
"runeip"=C:\Program Files\Rising\AntiSpyware\rstray.exe [2009-04-28 141936]
"SoundMan"=C:\WINDOWS\SOUNDMAN.EXE [2007-04-16 577536]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2009-07-04 198160]
"avgnt"=C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [2009-03-02 209153]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"KKDelay"=C:\Program Files\Rising\AntiSpyware\RunOnce.exe [2008-08-22 68208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2005-03-10 348160]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=1
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=67108863
"NoDrives"=0
"NoDriveTypeAutoRun"=323

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDrives"=
"NoDriveTypeAutoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"E:\Program Files Windows\SparVoip\SparVoip.exe"="E:\Program Files Windows\SparVoip\SparVoip.exe:*:Enabled:SparVoip"
"E:\Program Files Windows\Microsoft Office\Office12\OUTLOOK.EXE"="E:\Program Files Windows\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"E:\Program Files Windows\Kingsoft\PowerWord 2006\xdict.exe"="E:\Program Files Windows\Kingsoft\PowerWord 2006\xdict.exe:*:Enabled:Kingsoft PowerWord"
"E:\Program Files Windows\Kingsoft\PowerWord 2006\update.exe"="E:\Program Files Windows\Kingsoft\PowerWord 2006\update.exe:*:Enabled:Kingsoft PowerWord Online Update"
"E:\Program Files Windows\Kingsoft\FastAIT 2006\FastAIT.exe"="E:\Program Files Windows\Kingsoft\FastAIT 2006\FastAIT.exe:*:Enabled:Kingsoft FastAIT 2006"
"C:\Program Files\Real\RealPlayer\realplay.exe"="C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer"
"E:\Program Files Windows\CyberLink\PowerDVD\PowerDVD.exe"="E:\Program Files Windows\CyberLink\PowerDVD\PowerDVD.exe:*:Enabled:CyberLink PowerDVD"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"E:\Program Files Windows\iTunes\iTunes.exe"="E:\Program Files Windows\iTunes\iTunes.exe:*:Enabled:iTunes"
"E:\Program Files Windows\Autodesk\Backburner\monitor.exe"="E:\Program Files Windows\Autodesk\Backburner\monitor.exe:*:Enabled:backburner 2.3 monitor"
"E:\Program Files Windows\Autodesk\Backburner\manager.exe"="E:\Program Files Windows\Autodesk\Backburner\manager.exe:*:Enabled:backburner 2.3 manager"
"E:\Program Files Windows\Autodesk\Backburner\server.exe"="E:\Program Files Windows\Autodesk\Backburner\server.exe:*:Enabled:backburner 2.3 server"
"E:\Program Files Windows\Autodesk\3ds Max 2010\3dsmax.exe"="E:\Program Files Windows\Autodesk\3ds Max 2010\3dsmax.exe:*:Enabled:Autodesk 3ds Max 2010 32-bit"
"E:\Program Files Windows\Autodesk\3ds Max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe"="E:\Program Files Windows\Autodesk\3ds Max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe:*:Enabled:mental ray satellite server for Autodesk 3ds Max 2010 32-bit"
"E:\Program Files Windows\Autodesk\3ds Max 2010\mentalray\satellite\raysat_3dsmax2010_32.exe"="E:\Program Files Windows\Autodesk\3ds Max 2010\mentalray\satellite\raysat_3dsmax2010_32.exe:*:Enabled:mental ray satellite for Autodesk 3ds Max 2010 32-bit"
"C:\Program Files\KVIrc\kvirc.exe"="C:\Program Files\KVIrc\kvirc.exe:*:Enabled:K Visual IRC Client Executable"
"E:\Program Files Windows\Skype\Phone\Skype.exe"="E:\Program Files Windows\Skype\Phone\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"E:\Program Files Windows\CyberLink\PowerDVD\PowerDVD.exe"="E:\Program Files Windows\CyberLink\PowerDVD\PowerDVD.exe:*:Enabled:CyberLink PowerDVD"

======File associations======

.bat - edit -
.cmd - edit -
.inf - open -
.js - edit -
.reg - edit -
.vbs - edit -

======List of files/folders created in the last 1 months======

2009-08-20 15:50:50 ----D---- C:\rsit
2009-08-20 14:43:42 ----SHD---- C:\RECYCLER
2009-08-20 14:38:42 ----A---- C:\ComboFix.txt
2009-08-20 14:32:08 ----A---- C:\WINDOWS\zip.exe
2009-08-20 14:32:08 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-08-20 14:32:08 ----A---- C:\WINDOWS\SWSC.exe
2009-08-20 14:32:08 ----A---- C:\WINDOWS\SWREG.exe
2009-08-20 14:32:08 ----A---- C:\WINDOWS\sed.exe
2009-08-20 14:32:08 ----A---- C:\WINDOWS\PEV.exe
2009-08-20 14:32:08 ----A---- C:\WINDOWS\NIRCMD.exe
2009-08-20 14:32:08 ----A---- C:\WINDOWS\grep.exe
2009-08-20 00:31:09 ----D---- C:\Program Files\Windows Installer Clean Up
2009-08-20 00:30:38 ----D---- C:\Program Files\MSECACHE
2009-08-18 18:28:31 ----D---- C:\WINDOWS\system32\CatRoot2
2009-08-16 20:39:17 ----A---- C:\WINDOWS\system32\javaws.exe
2009-08-16 20:39:17 ----A---- C:\WINDOWS\system32\javaw.exe
2009-08-16 20:39:17 ----A---- C:\WINDOWS\system32\java.exe
2009-08-15 20:16:09 ----D---- C:\Program Files\trend micro
2009-08-15 19:41:06 ----D---- C:\Program Files\Avira
2009-08-15 19:41:06 ----D---- C:\Documents and Settings\All Users\Application Data\Avira
2009-08-15 19:01:28 ----D---- C:\WINDOWS\ERDNT
2009-08-15 19:01:25 ----D---- C:\Qoobox
2009-08-15 15:31:59 ----HDC---- C:\WINDOWS\$NtUninstallKB968389$
2009-08-15 09:08:41 ----A---- C:\WINDOWS\system32\netstat.exe
2009-08-15 09:02:03 ----A---- C:\WINDOWS\system32\notepad.exe
2009-08-15 09:01:14 ----A---- C:\WINDOWS\notepad.exe
2009-08-13 21:58:22 ----HDC---- C:\WINDOWS\$NtUninstallKB960859$
2009-08-13 21:58:16 ----HDC---- C:\WINDOWS\$NtUninstallKB971657$
2009-08-13 21:58:12 ----HDC---- C:\WINDOWS\$NtUninstallKB971557$
2009-08-13 21:58:06 ----HDC---- C:\WINDOWS\$NtUninstallKB973869$
2009-08-13 21:57:59 ----HDC---- C:\WINDOWS\$NtUninstallKB973540_WM9L$
2009-08-13 21:57:55 ----HDC---- C:\WINDOWS\$NtUninstallKB973507$
2009-08-13 21:57:49 ----HDC---- C:\WINDOWS\$NtUninstallKB973354$
2009-08-13 21:56:23 ----D---- C:\WINDOWS\ServicePackFiles
2009-08-13 21:56:21 ----HDC---- C:\WINDOWS\$NtUninstallKB958470$
2009-08-13 21:56:15 ----HDC---- C:\WINDOWS\$NtUninstallKB973815$
2009-08-13 21:56:03 ----HDC---- C:\WINDOWS\$NtUninstallKB971032$
2009-08-03 22:38:08 ----HDC---- C:\WINDOWS\$NtUninstallKB970653-v3$
2009-08-03 22:37:49 ----HDC---- C:\WINDOWS\$NtUninstallKB924941$
2009-08-03 22:37:18 ----HDC---- C:\WINDOWS\$NtUninstallKB918005$
2009-08-03 22:36:33 ----HDC---- C:\WINDOWS\$NtUninstallKB895961-v4$
2009-07-31 09:20:22 ----A---- C:\WINDOWS\system32\userinit.exe
2009-07-31 09:19:01 ----A---- C:\WINDOWS\system32\srsvc.dll
2009-07-25 19:41:33 ----D---- C:\Program Files\William O'Neil + Co. Inc
2009-07-25 19:40:33 ----D---- C:\Documents and Settings\haier\Application Data\InstallShield

======List of files/folders modified in the last 1 months======

2009-08-20 14:51:13 ----D---- C:\WINDOWS\Temp
2009-08-20 14:50:48 ----D---- C:\WINDOWS\system32
2009-08-20 14:36:57 ----D---- C:\WINDOWS
2009-08-20 14:36:57 ----A---- C:\WINDOWS\system.ini
2009-08-20 14:35:52 ----D---- C:\WINDOWS\system32\drivers
2009-08-20 14:35:52 ----D---- C:\WINDOWS\AppPatch
2009-08-20 14:35:48 ----D---- C:\Program Files\Common Files
2009-08-20 14:33:45 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-08-20 05:59:55 ----SHD---- C:\WINDOWS\Installer
2009-08-20 05:54:48 ----D---- C:\WINDOWS\system32\config
2009-08-20 05:54:27 ----D---- C:\WINDOWS\system32\wbem
2009-08-20 05:54:27 ----D---- C:\WINDOWS\Registration
2009-08-20 00:31:09 ----RD---- C:\Program Files
2009-08-19 08:58:34 ----D---- C:\Documents and Settings\haier\Application Data\Spyware Terminator
2009-08-18 18:33:01 ----RD---- C:\WINDOWS\Web
2009-08-18 18:29:10 ----D---- C:\WINDOWS\system32\CatRoot
2009-08-18 17:32:55 ----D---- C:\WINDOWS\system32\Restore
2009-08-18 14:13:58 ----HD---- C:\WINDOWS\inf
2009-08-17 02:37:04 ----D---- C:\WINDOWS\Prefetch
2009-08-16 22:01:44 ----D---- C:\Documents and Settings\haier\Application Data\Skype
2009-08-16 20:39:02 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-08-16 00:54:22 ----RSD---- C:\WINDOWS\assembly
2009-08-16 00:51:41 ----D---- C:\WINDOWS\Microsoft.NET
2009-08-15 20:04:18 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-08-15 20:04:01 ----D---- C:\WINDOWS\WinSxS
2009-08-15 19:01:30 ----SHD---- C:\System Volume Information
2009-08-15 16:30:30 ----D---- C:\Program Files\WinClamAVShield
2009-08-15 16:30:30 ----D---- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2009-08-15 03:05:02 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-14 01:52:45 ----D---- C:\WINDOWS\Debug
2009-08-14 01:26:48 ----D---- C:\WINDOWS\system32\Setup
2009-08-13 21:58:05 ----HD---- C:\WINDOWS\$hf_mig$
2009-08-13 21:57:51 ----D---- C:\Program Files\Outlook Express
2009-08-07 19:29:22 ----D---- C:\Program Files\Internet Explorer
2009-08-05 17:05:17 ----A---- C:\WINDOWS\system32\mswebdvd.dll
2009-08-01 13:19:01 ----D---- C:\Program Files\Spyware Terminator
2009-08-01 02:49:02 ----D---- C:\!KillBox
2009-07-30 08:49:14 ----A---- C:\WINDOWS\system32\MRT.exe
2009-07-25 19:41:41 ----HD---- C:\Program Files\InstallShield Installation Information
2009-07-22 01:44:35 ----HDC---- C:\WINDOWS\$NtUninstallKB946627$

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2009-03-30 96104]
R1 FsVga;FsVga; C:\WINDOWS\system32\DRIVERS\fsvga.sys [2004-08-08 12160]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-08 38912]
R1 SCDEmu;SCDEmu; C:\WINDOWS\system32\drivers\SCDEmu.sys [2008-03-14 46652]
R1 sp_rsdrv2;Spyware Terminator Driver 2; \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys []
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2009-05-11 28520]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2004-08-03 8832]
R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B}; \??\E:\Program Files Windows\CyberLink\PowerDVD\000.fcl []
R2 avgntflt;avgntflt; C:\WINDOWS\system32\DRIVERS\avgntflt.sys [2009-07-28 55656]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2008-09-24 4122368]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2004-08-03 14080]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2009-03-19 23400]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2004-08-08 9600]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2005-03-10 827100]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-08 12160]
R3 Mtlmnt5;Mtlmnt5; C:\WINDOWS\system32\DRIVERS\SLDRV\Mtlmnt5.sys [2005-05-10 237616]
R3 Slntamr;SmartLink AMR_PCI Driver; C:\WINDOWS\system32\DRIVERS\SLDRV\slntamr.sys [2005-07-20 699192]
R3 SlWdmSup;SlWdmSup; C:\WINDOWS\system32\DRIVERS\SLDRV\SlWdmSup.sys [2005-05-10 13248]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2006-10-23 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2006-10-23 59264]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2006-10-23 20608]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB); C:\WINDOWS\system32\DRIVERS\A3AB.sys [2006-10-16 472832]
S3 AR5211;TP-LINK Wireless Network Adapter Service; C:\WINDOWS\system32\DRIVERS\ar5211.sys [2005-06-25 463168]
S3 catchme;catchme; \??\C:\DOCUME~1\haier\LOCALS~1\Temp\catchme.sys []
S3 FNDRV;FNDRV; \??\J:\fndrv.sys []
S3 Mtlstrm;Mtlstrm; C:\WINDOWS\system32\DRIVERS\SLDRV\Mtlstrm.sys [2005-05-10 1464848]
S3 RT73;TL-WN321G/WN321G+ Wireless USB Adapter; C:\WINDOWS\system32\DRIVERS\rt73.sys [2006-01-12 252928]
S3 RTL8023;Realtek RTL8139/810x/8169/8110 all in one NDIS NT Driver; C:\WINDOWS\system32\DRIVERS\Rtlnic51.sys [2004-04-24 69504]
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
S3 SlNtHal;SlNtHal; C:\WINDOWS\system32\DRIVERS\SLDRV\Slnthal.sys [2005-05-10 101328]
S3 SSDefrag;SSDefrag; \??\C:\WINDOWS\system32\drivers\SSDefrag.sys []
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2009-03-05 36864]
S3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2006-10-23 17152]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 USBSTOR;USB Mass Storage Device; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S4 exFat;exFat; C:\WINDOWS\system32\drivers\exFat.sys [2008-09-29 133632]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AntiVirSchedulerService;Avira AntiVir Scheduler; C:\Program Files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
R2 AntiVirService;Avira AntiVir Guard; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [2009-07-21 185089]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-06-05 144712]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 CMBWPS;Cmb WebProtect Support; C:\Program Files\CMBCHINA\WebProtect\WPService.exe [2007-08-27 232848]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-08-16 153376]
R2 ProtexisLicensing;ProtexisLicensing; C:\Program Files\Common Files\Protexis\License Service\PSIService.exe [2006-11-02 174656]
R2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\Cyberlink\Shared files\RichVideo.exe [2007-10-16 243056]
R2 SLService;SmartLinkService; C:\WINDOWS\system32\slmdmsr.exe [2005-05-10 61440]
R2 SNMP;SNMP Service; C:\WINDOWS\System32\snmp.exe [2006-11-21 31744]
R2 sp_rssrv;Spyware Terminator Realtime Shield Service; C:\Program Files\Spyware Terminator\sp_rsser.exe [2009-07-06 487424]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service; C:\WINDOWS\System32\TUProgSt.exe [2009-05-13 604416]
R2 UxTuneUp;TuneUp Theme Extension; C:\WINDOWS\System32\svchost.exe [2004-08-08 14336]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2009-07-13 651720]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 getPlus® Helper;getPlus® Helper; C:\Program Files\NOS\bin\getPlus_HelperSvc.exe [2008-06-26 31592]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-06-05 541992]
S3 LPDSVC;TCP/IP Print Server; C:\WINDOWS\system32\tcpsvcs.exe [2004-08-08 19456]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 SNMPTRAP;SNMP Trap Service; C:\WINDOWS\System32\snmptrap.exe [2004-08-08 8704]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service; C:\WINDOWS\System32\TuneUpDefragService.exe [2009-05-13 361216]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

info.txt logfile of random's system information tool 1.06 2009-08-20 15:50:55

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Acrobat.com-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe -uninstall com.adobe.mauby 4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
Acrobat.com-->MsiExec.exe /I{77DCDCE3-2DED-62F3-8154-05E745472D07}
Acronis?Disk Director Suite-->MsiExec.exe /X{2300EE96-0A41-4FAB-BD03-989EC44577A0}
Adobe AIR-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{00203668-8170-44A0-BE44-B632FA4D780F}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 9.1.1-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A91000000001}
Apple Mobile Device Support-->MsiExec.exe /I{8355F970-601D-442D-A79B-1D7DB4F24CAD}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Audacity 1.2.6-->"E:\Program Files Windows\Audacity\unins000.exe"
Autodesk 3ds Max 2010 32-bit-->MsiExec.exe /I{317AC0C7-FEBF-0409-87A3-4FC70D0ED900}
Autodesk Backburner 2008.1-->MsiExec.exe /I{3D347E6D-5A03-4342-B5BA-6A771885F379}
Autodesk FBX Plugin 2009.4 - 3ds Max 2010-->C:\Program Files\Autodesk\FBX\FBXPlugins\2009.4\3ds Max 2010\Uninstall.exe
Avira AntiVir Personal - Free Antivirus-->C:\Program Files\Avira\AntiVir Desktop\setup.exe /REMOVE
Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}
CCleaner (remove only)-->"E:\Program Files Windows\CCleaner\uninst.exe"
Clean Disk Security 7.73-->E:\Program Files Windows\Clean Disk Security\uninst.exe
CorelDRAW Graphics Suite X3-->MsiExec.exe /I{63218538-4A69-497F-8455-904261B0E9E4}
Defraggler (remove only)-->"E:\Program Files Windows\Defraggler\uninst.exe"
DGOControls-->C:\Program Files\InstallShield Installation Information\{779A19AC-A302-425D-B295-F12116C2D731}\setup.exe -runfromtemp -l0x0009 -removeonly
EN-->MsiExec.exe /I{32A72502-BC2C-4C39-ACEA-BC3D463F0697}
EVEREST Ultimate Edition v5.02-->"E:\Program Files Windows\Lavalys\EVEREST Ultimate Edition\unins000.exe"
FastAIT 2006-->MsiExec.exe /I{09AD093B-BB4C-4732-9F59-02C49B66E025}
FastStone Capture 4.8-->C:\Program Files\FastStone Capture\uninst.exe
FontNav-->MsiExec.exe /I{4E98F23B-1328-4322-A6EC-2EDC8FC3A4FE}
HashCalc 2.02-->"E:\Program Files Windows\HashCalc\unins000.exe"
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
IcoFX 1.6.4-->"E:\Program Files Windows\IcoFX 1.6\unins000.exe"
Intel® Graphics Media Accelerator Driver for Mobile-->RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2792 PCI\VEN_8086&DEV_2592
iTunes-->MsiExec.exe /I{5D601655-6D54-4384-B52C-17EC5385FBBD}
Karen's Cookie Viewer-->E:\Program Files Windows\Karen's Power Tools\Cookie Viewer\uninst.exe
KVIrc-->"C:\Program Files\KVIrc\uninstall.exe"
Microsoft .NET Framework 2.0 Service Pack 1 Language Pack - CHS-->MsiExec.exe /I{C3A681FC-A157-33CB-94E5-8B01F42F178C}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 1 Language Pack - CHS-->MsiExec.exe /I{97BF0930-6AAB-329F-9064-1F22CC083DE2}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 Language Pack - chs-->MsiExec.exe /I{43A3B6EF-14BE-372E-A29B-D3A8ADE2FE55}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft .NET Framework 3.5 Language Pack - Simplified Chinese-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 Language Pack - chs\setup.exe
Microsoft Office Access MUI (Chinese (Simplified)) 2007-->MsiExec.exe /X{90120000-0015-0804-0000-0000000FF1CE}
Microsoft Office Excel MUI (Chinese (Simplified)) 2007-->MsiExec.exe /X{90120000-0016-0804-0000-0000000FF1CE}
Microsoft Office IME (Chinese (Simplified)) 2007-->MsiExec.exe /X{90120000-0028-0804-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (Chinese (Simplified)) 2007-->MsiExec.exe /X{90120000-0044-0804-0000-0000000FF1CE}
Microsoft Office Outlook MUI (Chinese (Simplified)) 2007-->MsiExec.exe /X{90120000-001A-0804-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (Chinese (Simplified)) 2007-->MsiExec.exe /X{90120000-0018-0804-0000-0000000FF1CE}
Microsoft Office Professional Plus 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall PROPLUS /dll OSETUP.DLL
Microsoft Office Professional Plus 2007-->MsiExec.exe /X{90120000-0011-0000-0000-0000000FF1CE}
Microsoft Office Proof (Chinese (Simplified)) 2007-->MsiExec.exe /X{90120000-001F-0804-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proofing (Chinese (Simplified)) 2007-->MsiExec.exe /X{90120000-002C-0804-0000-0000000FF1CE}
Microsoft Office Publisher MUI (Chinese (Simplified)) 2007-->MsiExec.exe /X{90120000-0019-0804-0000-0000000FF1CE}
Microsoft Office Shared MUI (Chinese (Simplified)) 2007-->MsiExec.exe /X{90120000-006E-0804-0000-0000000FF1CE}
Microsoft Office Word MUI (Chinese (Simplified)) 2007-->MsiExec.exe /X{90120000-001B-0804-0000-0000000FF1CE}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 6 Service Pack 2 (KB954459)-->MsiExec.exe /I{1A528690-6A2D-4BC5-B143-8C4AE8D19D96}
Nitro PDF Professional-->MsiExec.exe /I{081D00DF-35F0-4570-8037-3E289795928F}
OpenSSL 0.9.8j (32-bit)-->"C:\OpenSSL\unins000.exe"
Opera 9.64-->MsiExec.exe /X{A2A60894-E3ED-46FE-9A6A-7CF7A87572A0}
PowerDVD Ultra-->"C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -l0x000804 /z-uninstall
PowerISO-->"E:\Program Files Windows\PowerISO\uninstall.exe"
Powerword 2006-->MsiExec.exe /I{1D44EA4F-C446-4C4F-92F7-02F72E589989}
PuTTY version 0.60-->"C:\Program Files\PuTTY\unins000.exe"
QuickTime-->MsiExec.exe /I{C78EAC6F-7A73-452E-8134-DBB2165C5A68}
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|12.0
Realtek AC'97 Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" -l0x804 -removeonly
REALTEK Gigabit and Fast Ethernet NIC Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{94FB906A-CF42-4128-A509-D353026A607E}\Setup.exe" -l0x804 REMOVE
Security Update for 2007 Microsoft Office System (KB951550)-->msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {B243E9A5-ED77-4F1B-B338-2486FD82DC85}
Security Update for 2007 Microsoft Office System (KB951944)-->msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {797AE457-BA17-4BBC-B501-25FB3A0103C7}
Security Update for 2007 Microsoft Office System (KB958439)-->msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {6491B8AA-D11C-4648-A461-6234B31EB7E2}
Security Update for Microsoft Office Excel 2007 (KB951546)-->msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {7399DD71-8E24-4E60-B6A8-6CED89C0AC26}
Security Update for Microsoft Office PowerPoint 2007 (KB951338)-->msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {558B709B-821B-4FC5-90FC-9A8890641E77}
Security Update for Microsoft Office Publisher 2007 (KB950114)-->msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {F9C3CDBA-1F00-4D4D-959D-75C9D3ACDD85}
Security Update for Microsoft Office system 2007 (KB954326)-->msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {5F7F6FFF-395D-480E-8450-64F385D82C5F}
Security Update for Microsoft Office system 2007 (KB956828)-->msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {885E081B-72BD-4E76-8E98-30B4BE468FAC}
Security Update for Microsoft Office Word 2007 (KB956358)-->msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {4551666D-0FD6-4C69-8A81-1C6F2E64517C}
Skype™ 4.0-->MsiExec.exe /X{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}
Smart Link 56K Voice Modem-->C:\WINDOWS\Modio\SLAMR2KV\Setup.exe /Remove
SparVoip-->"E:\Program Files Windows\SparVoip\unins000.exe"
Spelling Dictionaries Support For Adobe Reader 9-->MsiExec.exe /I{AC76BA86-7AD7-5464-3428-900000000004}
Spybot - Search & Destroy-->"E:\Program Files Windows\Spybot - Search & Destroy\unins000.exe"
Spyware Terminator-->"C:\Program Files\Spyware Terminator\unins000.exe"
Technitium MAC Address Changer v5.0-->C:\Program Files\Technitium\TMACv5.0\Installer.exe
thinkorswim-->E:\Program Files Windows\thinkorswim\uninstall.exe
TransMac version 8.1-->"E:\Program Files Windows\TransMac\unins000.exe"
TuneUp Utilities 2009-->MsiExec.exe /I{55A29068-F2CE-456C-9148-C869879E2357}
Unlocker 1.8.5-->C:\Program Files\Unlocker\uninst.exe
Update for Microsoft Office Outlook 2007 (KB952142)-->msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {4AD3A076-427C-491F-A5B7-7D1DE788A756}
Update for Office 2007 (KB934391)-->msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {B3091818-7C56-4C45-BE7D-CA23027A5EA5}
Update for Outlook 2007 Junk Email Filter (kb970012)-->msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {DC4A962B-9EC2-469C-BC9C-87312ADAEE81}
Update for Windows Internet Explorer 8 (KB972636)-->"C:\WINDOWS\ie8updates\KB972636-IE8\spuninst\spuninst.exe"
Update Manager-->MsiExec.exe /I{F428D0FB-765D-40EB-BDD8-A1E7F5C597FA}
VBA-->MsiExec.exe /I{C94E45B0-6AA6-4FB9-9AAE-22085F631880}
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803$\spuninst\spuninst.exe"
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Installer Clean Up-->MsiExec.exe /X{121634B0-2F4B-11D3-ADA3-00C04F52DD52}
Security Update for Windows Internet Explorer 8 (KB969897)-->"C:\WINDOWS\ie8updates\KB969897-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB972260)-->"C:\WINDOWS\ie8updates\KB972260-IE8\spuninst\spuninst.exe"
Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9L$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB958470)-->"C:\WINDOWS\$NtUninstallKB958470$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971032)-->"C:\WINDOWS\$NtUninstallKB971032$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971557)-->"C:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
Update for Windows XP (KB968389)-->"C:\WINDOWS\$NtUninstallKB968389$\spuninst\spuninst.exe"
Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB895961-v4)-->"C:\WINDOWS\$NtUninstallKB895961-v4$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB918005)-->"C:\WINDOWS\$NtUninstallKB918005$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB924941)-->"C:\WINDOWS\$NtUninstallKB924941$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB970653-v3)-->"C:\WINDOWS\$NtUninstallKB970653-v3$\spuninst\spuninst.exe"
WinHex-->C:\Program Files\WinHex\WinHex.exe uninst
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
WinSCP 4.1.9-->"C:\Program Files\WinSCP\unins000.exe"
Xilisoft iPhone Ringtone Maker-->E:\Program Files Windows\Xilisoft iPhone Ringtone Maker\Uninstall.exe
Kaka Internet Security Assistant-->C:\Program Files\Rising\AntiSpyware\KKUninst.exe
China Merchants Bank All-in-One Net WebProtect-->C:\Program Files\CMBCHINA\WebProtect\Setup.exe UNINSTALL

======Security center information======

AV: AntiVir Desktop (disabled) (outdated)

======System event log======

Computer Name: MATRIX
Event Code: 7035
Message: The IMAPI CD-Burning COM Service service was successfully sent a start control.

Record Number: 48028
Source Name: Service Control Manager
Time Written: 20090714222202.000000+480
Event Type: Information
User: NT AUTHORITY\SYSTEM

Computer Name: MATRIX
Event Code: 7036
Message: The Computer Browser service entered the stopped state.

Record Number: 48027
Source Name: Service Control Manager
Time Written: 20090714222139.000000+480
Event Type: Information
User:

Computer Name: MATRIX
Event Code: 7036
Message: The Terminal Services service entered the running state.

Record Number: 48026
Source Name: Service Control Manager
Time Written: 20090714222139.000000+480
Event Type: Information
User:

Computer Name: MATRIX
Event Code: 7035
Message: The Terminal Services service was successfully sent a start control.

Record Number: 48025
Source Name: Service Control Manager
Time Written: 20090714222138.000000+480
Event Type: Information
User: NT AUTHORITY\SYSTEM

Computer Name: MATRIX
Event Code: 7036
Message: The Remote Access Connection Manager service entered the running state.

Record Number: 48024
Source Name: Service Control Manager
Time Written: 20090714222137.000000+480
Event Type: Information
User:

=====Application event log=====

Computer Name: MATRIX
Event Code: 0
Message:
Record Number: 6155
Source Name: iPod Service
Time Written: 20090311170906.000000+480
Event Type: Information
User:

Computer Name: MATRIX
Event Code: 1800
Message: The Windows Security Center Service has been started.

Record Number: 6154
Source Name: SecurityCenter
Time Written: 20090311170848.000000+480
Event Type: Information
User:

Computer Name: MATRIX
Event Code: 1015
Message: TraceLevel parameter not located in registry;
Default trace level used is 32.

Record Number: 6153
Source Name: EvntAgnt
Time Written: 20090311170843.000000+480
Event Type: Warning
User:

Computer Name: MATRIX
Event Code: 1003
Message: TraceFileName parameter not located in registry;
Default trace file used is .

Record Number: 6152
Source Name: EvntAgnt
Time Written: 20090311170843.000000+480
Event Type: Warning
User:

Computer Name: MATRIX
Event Code: 0
Message:
Record Number: 6151
Source Name: RichVideo
Time Written: 20090311170840.000000+480
Event Type: Information
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\QuickTime\QTSystem;E:\Program Files Windows\Autodesk\Backburner;C:\Program Files\Common Files\Autodesk Shared
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 13 Stepping 8, GenuineIntel
"PROCESSOR_REVISION"=0d08
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"OPENSSL_CONF"=C:\OpenSSL\bin\openssl.cfg
"CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip

-----------------EOF-----------------
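A way to mechanise the check that is being done by eye in this thread, as an added example that is not part of the original post, of RSIT, or of any tool listed above: the script below parses the "List of files/folders created" section in the RSIT line format shown in the log and correlates each newly created system32 binary with the nearest C:\WINDOWS\$NtUninstallKB*$ folder, because on Windows XP a legitimate replacement of a core binary such as userinit.exe normally coincides with a hotfix or service pack install. The two-hour correlation window and the single constructed_example.dll control line are assumptions made for the example; the other sample lines are copied from the log above.

```python
"""Triage helper for the 'files created' section of an RSIT log.

Added example for this thread; it is not part of the original post and not a
component of RSIT (random's system information tool) or any product listed in
the log.  Assumptions: the RSIT line format visible above, i.e.
    YYYY-MM-DD HH:MM:SS ----<attrs>---- <path>
and a 2-hour correlation window chosen here as a triage heuristic.

Idea: a core Windows XP binary in system32 normally gets a new creation
timestamp only when a hotfix or service pack drops it, and every such hotfix
leaves a C:\\WINDOWS\\$NtUninstallKBnnnnnn$ folder with its own creation time.
A system32 .exe/.dll/.sys created with no hotfix folder appearing inside the
window is a candidate for closer inspection (hash it, compare with the
dllcache or installation-media copy).  userinit.exe and srsvc.dll in the log
above (created 2009-07-31, nearest hotfix 2009-08-03) show exactly this.
"""
import re
from datetime import datetime

# Sample input: lines excerpted from the RSIT log in this thread, plus ONE
# constructed control line (constructed_example.dll, a hypothetical DLL dropped
# during the 2009-08-13 patch run) to exercise the not-flagged path.
SAMPLE_LOG = r"""
======List of files/folders created in the last 1 months======

2009-08-20 15:50:50 ----D---- C:\rsit
2009-08-16 20:39:17 ----A---- C:\WINDOWS\system32\javaws.exe
2009-08-15 15:31:59 ----HDC---- C:\WINDOWS\$NtUninstallKB968389$
2009-08-15 09:02:03 ----A---- C:\WINDOWS\system32\notepad.exe
2009-08-13 21:58:22 ----HDC---- C:\WINDOWS\$NtUninstallKB960859$
2009-08-13 21:58:10 ----A---- C:\WINDOWS\system32\constructed_example.dll
2009-08-03 22:38:08 ----HDC---- C:\WINDOWS\$NtUninstallKB970653-v3$
2009-07-31 09:20:22 ----A---- C:\WINDOWS\system32\userinit.exe
2009-07-31 09:19:01 ----A---- C:\WINDOWS\system32\srsvc.dll
2009-07-25 19:41:33 ----D---- C:\Program Files\William O'Neil + Co. Inc

======List of files/folders modified in the last 1 months======

2009-08-20 14:50:48 ----D---- C:\WINDOWS\system32
"""

CREATED_HEADER = "======List of files/folders created"
# timestamp, attribute flags between the dashes (A, D, H, S, R, C), path
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"-{4}(?P<attrs>[A-Z]*)-{4} "
    r"(?P<path>.+?)\s*$"
)
# C:\WINDOWS\$NtUninstallKB968389$ or ...KB970653-v3$ : one per installed hotfix
HOTFIX_RE = re.compile(r"\\\$NtUninstallKB[^\\]+\$$", re.IGNORECASE)
# executables directly in system32 (drivers\ and other subfolders excluded)
SYSTEM32_BIN_RE = re.compile(
    r"^[A-Z]:\\WINDOWS\\system32\\[^\\]+\.(?:exe|dll|sys)$", re.IGNORECASE
)


def parse_created(log_text):
    """Return (timestamp, attrs, path) tuples from the 'created' section only.

    Section boundaries are the ====== headers RSIT writes; anything in the
    'modified' or later sections is ignored.
    """
    entries = []
    in_section = False
    for line in log_text.splitlines():
        if line.startswith("======"):
            in_section = line.startswith(CREATED_HEADER)
            continue
        if not in_section:
            continue
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            entries.append((ts, m.group("attrs"), m.group("path")))
    return entries


def hotfix_times(entries):
    """Creation times of the $NtUninstallKB*$ folders (directories only)."""
    return sorted(ts for ts, attrs, path in entries
                  if "D" in attrs and HOTFIX_RE.search(path))


def flag_system32_binaries(log_text, window_hours=2.0):
    """Map file name -> hours to the nearest hotfix install, for every system32
    binary whose creation is NOT within window_hours of a hotfix (None when the
    log shows no hotfix at all).  Files inside the window are not returned."""
    entries = parse_created(log_text)
    hotfixes = hotfix_times(entries)
    flagged = {}
    for ts, attrs, path in entries:
        if "D" in attrs or not SYSTEM32_BIN_RE.match(path):
            continue
        gaps = [abs((ts - h).total_seconds()) / 3600.0 for h in hotfixes]
        nearest = min(gaps) if gaps else None
        if nearest is None or nearest > window_hours:
            flagged[path.rsplit("\\", 1)[-1].lower()] = nearest
    return flagged


if __name__ == "__main__":
    for name, gap in sorted(flag_system32_binaries(SAMPLE_LOG).items()):
        where = "no hotfix in log" if gap is None else f"{gap:.1f} h from nearest hotfix"
        print(f"CHECK {name}: {where}")
```

To use it on a real log, replace SAMPLE_LOG with the contents of the saved log.txt. A flagged file is a candidate for hashing and comparison against the dllcache or installation-media copy, not a verdict: ordinary installers also drop binaries into system32 (javaws.exe and the Java installer in the log above), and a helper repairing files by hand produces the same pattern, so the gap is there to be read by a person.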