Random music playing+cpu usage high with nothing running

MK47 · 12-26-2010, 01:44 PM

HI guys, I have been have this problem for a few days now. Music just randomly starts playing with nothing open. It plays at a roughly the same time everyday. When the music starts playing my cpu usage goes up to 60-70% with nothing running. I think I have a virus but I dont want to reboot my pc,it takes too long and I have too much stuff to back up. Can you guys help me?
Thank you very much.
MK

This is my hijackthis log.

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\conime.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\runhostdl.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Tudou\滄厒Tudou\TudouVa.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\Yeung\Application Data\setdebug.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Webroot\WebrootSecurity\SSU.EXE
C:\WINDOWS\wscript.exe
C:\Program Files\Windows Live\Messenger\msnstart.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\Yeung\桌面\HijackThis.exe

O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: PriceGong - {1631550F-191D-4826-B069-D9439253D926} - C:\Program Files\PriceGong\2.1.0\PriceGongIE.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WebDetectorBHO - {43BEAFD9-E005-483D-A367-146BA6C8A32E} - C:\Program Files\Tudou\滄厒Tudou\tudouDetector.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Thunder ToolbarBrowserHelper - {D2F8A635-8B0F-47BF-915E-6F456767A300} - C:\Program Files\Thunder Network\MiniThunder\ToolBarNow.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo!奇摩捷徑列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [JMB36X IDE Setup] "C:\WINDOWS\JM\JMInsIDE.exe"
O4 - HKLM\..\Run: [JMB36X Configure] "C:\WINDOWS\system32\JMRaidSetup.exe" boot
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [rundll] C:\WINDOWS\runhostdl.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [PPAP] "C:\Program Files\Common Files\PPLiveNetwork\PPAP.exe" -background
O4 - HKCU\..\Run: [Exetender] "C:\Program Files\Free Ride Games\GPlayer.exe" /runonstartup
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [Exetender] "C:\Program Files\Free Ride Games\GPlayer.exe" /runonstartup (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: 匯出至 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Program Files\PPLive\PPTV\PPLive.exe
O9 - Extra 'Tools' menuitem: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Program Files\PPLive\PPTV\PPLive.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour 服務 (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod 服務 (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. ( www.webroot.com) - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

MK47 · 12-26-2010, 02:48 PM

sorry i dont know how to edit my thread but this is my DDS.

DDS (Ver_10-12-12.02) - NTFSx86
Run by Yeung at 22:39:00.56 on 2010/12/26
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.950.886.1028.18.2047.1056 [GMT 0:00]

AV: Webroot Internet Security Essentials *Disabled/Updated* {77E10C7F-2CCA-4187-9394-BDBC267AD597}
AV: ESET NOD32¨¾¬r¨t²Î 2.70 *Enabled/Outdated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: Webroot Internet Security Essentials *Enabled*

============== Running Processes ===============

C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\conime.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\runhostdl.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Tudou\·ÉËÙTudou\TudouVa.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Yeung\Application Data\setdebug.exe
C:\WINDOWS\wscript.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Yeung\®à*±\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = local
BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: PriceGongBHO Class: {1631550f-191d-4826-b069-d9439253d926} - c:\program files\pricegong\2.1.0\PriceGongIE.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: WebDetectorBHO Class: {43beafd9-e005-483d-a367-146ba6c8a32e} - c:\program files\tudou\·ÉËÙtudou\tudouDetector.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: ToolbarBrowserHelper Class: {d2f8a635-8b0f-47bf-915e-6f456767a300} - c:\program files\thunder network\minithunder\ToolBarNow.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo!©_¼¯±¶®|¦C: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 120\axcmd.exe" /automount
uRun: [rundll] c:\windows\runhostdl.exe
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [PPAP] "c:\program files\common files\pplivenetwork\PPAP.exe" -background
uRun: [Exetender] "c:\program files\free ride games\GPlayer.exe" /runonstartup
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [SoundMAXPnP] "c:\program files\analog devices\core\smax4pnp.exe"
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [JMB36X IDE Setup] "c:\windows\jm\JMInsIDE.exe"
mRun: [JMB36X Configure] "c:\windows\system32\JMRaidSetup.exe" boot
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] "nwiz.exe" /install
mRun: [NvMediaCenter] "RUNDLL32.EXE" c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NeroFilterCheck] "c:\program files\common files\ahead\lib\NeroCheck.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SpySweeper] "c:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray
dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE
dRun: [Exetender] "c:\program files\free ride games\GPlayer.exe" /runonstartup
StartupFolder: c:\docume~1\yeung\¡u¶}©l~1\µ{¦¡¶°\±Ò°Ê\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\yeung\¡u¶}©l~1\µ{¦¡¶°\±Ò°Ê\Æô¶¯·É~1.lnk - c:\program files\tudou\·ÉËÙtudou\TudouVa.exe
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: ¨Ï¥Î°g§A¨³¹p¤U?
IE: ¨Ï¥Î°g§A¨³¹p¤U? - c:\program files\thunder network\minithunder\geturl.htm
IE: ¶×¥X¦Ü Microsoft Office Excel(&X) - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {95B3F550-91C4-4627-BCC4-521288C52977} - c:\program files\pplive\pptv\PPLive.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: c:\windows\system32\imon.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\yeung\applic~1\mozilla\firefox\profiles\v06g53rz.default\
FF - prefs.js: browser.startup.homepage - hk.yahoo.com
FF - prefs.js: network.proxy.type - 2
FF - component: c:\documents and settings\yeung\application data\idm\idmmzcc3\components\idmmzcc.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\program files\autograph 3.3\webplayer\npagraph.dll
FF - plugin: c:\program files\free ride games\npExentCtl.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npBFPlugin.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Add N Edit Cookies: {038dc421-b19e-4711-a218-1fd10de9163b} - %profile%\extensions\{038dc421-b19e-4711-a218-1fd10de9163b}
FF - Ext: IDM CC: mozilla_cc@internetdownloadmanager.com - c:\documents and settings\yeung\application data\idm\idmmzcc3

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============

R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2010-10-3 59240]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-4-2 29808]
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2010-7-30 15424]
R1 pwipf6;pwipf6;c:\windows\system32\drivers\pwipf6.sys [2010-12-26 108296]
R1 RapportCerberus_19917;RapportCerberus_19917;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\19917\RapportCerberus_19917.sys [2010-10-3 34792]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-10-3 169320]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2010-12-25 18816]
R2 NOD32krn;NOD32 Kernel Service;c:\program files\eset\nod32krn.exe [2010-7-30 552064]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2010-10-3 767208]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\webrootsecurity\SpySweeper.exe [2009-4-2 4048240]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2010-12-26 1181040]
R2 X4HSEx;X4HSEx;c:\program files\free ride games\X4HSEx.sys [2010-11-3 56352]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-25 136176]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\eaglexnt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 GarenaPEngine;GarenaPEngine;c:\docume~1\yeung\locals~1\temp\QUA3E7.tmp [2010-8-28 25616]
S3 GGSAFERDriver;GGSAFER Driver;\??\c:\program files\garena\plugins\ui\safedrv.sys --> c:\program files\garena\plugins\ui\safedrv.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\920b.tmp --> c:\windows\system32\920B.tmp [?]

=============== Created Last 30 ================

2010-12-26 18:58:40 86016 ----a-w- c:\program files\common files\script.ext
2010-12-26 18:58:38 45056 ----a-w- c:\program files\common files\debug.ext
2010-12-26 17:31:26 775168 ----a-w- c:\windows\isRS-000.tmp
2010-12-26 17:30:54 108296 ----a-w- c:\windows\system32\drivers\pwipf6.sys
2010-12-26 17:30:40 1563008 ----a-w- c:\windows\WRSetup.dll
2010-12-26 17:30:40 -------- d-----w- c:\docume~1\yeung\applic~1\Webroot
2010-12-26 17:30:40 -------- d-----w- c:\docume~1\alluse~1\applic~1\Webroot
2010-12-26 16:41:24 -------- d-----w- c:\program files\MSSOAP
2010-12-26 16:41:03 -------- d-----w- c:\program files\Webroot
2010-12-26 14:59:40 -------- d-----w- c:\windows\pss
2010-12-25 23:36:45 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2010-12-25 17:15:07 -------- d-----w- c:\docume~1\yeung\locals~1\applic~1\Temp
2010-12-25 17:14:43 -------- d-----w- c:\docume~1\yeung\locals~1\applic~1\Google
2010-12-24 14:47:15 -------- d-----w- c:\program files\Sophos
2010-12-24 12:40:24 -------- d-----w- c:\docume~1\yeung\applic~1\Malwarebytes
2010-12-24 12:40:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-24 12:40:18 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-12-24 12:40:14 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-24 12:40:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-22 16:53:48 45056 ----a-w- c:\program files\common files\dll.ext
2010-12-18 04:14:02 86016 ----a-w- c:\windows\wscript.exe
2010-12-18 04:14:01 45056 ----a-w- c:\docume~1\yeung\applic~1\setdebug.exe
2010-12-18 04:13:58 45056 ----a-w- c:\windows\runhostdl.exe
2010-12-18 04:11:26 -------- d-----w- c:\docume~1\yeung\locals~1\applic~1\WinAVI
2010-12-18 04:11:26 -------- d-----w- c:\docume~1\yeung\applic~1\WinAVI
2010-12-18 04:11:10 -------- d-----w- c:\program files\All in One Converter
2010-12-15 15:10:37 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-15 15:07:56 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2010-12-12 19:57:30 -------- d-----w- c:\docume~1\alluse~1\applic~1\NexonTW
2010-12-12 18:33:43 -------- d-----w- c:\docume~1\yeung\applic~1\IDM
2010-12-12 18:33:40 -------- d-----w- c:\program files\Internet Download Manager
2010-12-12 18:21:41 -------- d-----w- c:\program files\Gamania
2010-12-11 20:55:11 -------- d-----w- C:\Nexon
2010-12-11 20:55:10 -------- d-----w- c:\docume~1\alluse~1\applic~1\NexonUS
2010-12-11 20:43:33 -------- d-----w- c:\docume~1\yeung\locals~1\applic~1\PMB Files
2010-12-11 20:43:30 -------- d-----w- c:\docume~1\alluse~1\applic~1\PMB Files
2010-12-11 20:42:39 -------- d-----w- c:\program files\Pando Networks
2010-12-03 05:42:38 -------- d-----w- c:\docume~1\yeung\applic~1\dBpoweramp

==================== Find3M ====================

2010-11-18 18:12:44 73728 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:21:14 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:21:09 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:21:09 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:35 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-27 07:08:46 208896 ----a-w- c:\windows\system32\pptv.scr
2010-10-26 14:05:49 1852928 ----a-w- c:\windows\system32\win32k.sys
2010-10-23 17:46:40 103736 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-09-29 19:31:28 210272 ----a-w- c:\windows\system32\idmmbc.dll

============= FINISH: 22:39:15.71 ===============

**Ried** · 12-27-2010, 08:36 PM

Hello MK47 and welcome,

Before we begin, you have 2 Anti Virus programs installed and running. While it may seem to be added protection for you, more than 1 Anti Virus can cause conflicts and confusion between the AV programs as well as system instability. Please choose and run only 1 and uninstall the other via the Add/Remove Programs in the Control Panel.

After you have done that, download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================

Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic How to disable your security applications

====================================================

Double click on ComboFix.exe & follow the prompts.

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review, along with an update on system behavior.

MK47 · 12-28-2010, 04:43 AM

Thank you very much for replying. This is my combofix log.

ComboFix 10-12-26.01 - Yeung 2010/12/28 12:18:24.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.950.886.1028.18.2047.1420 [GMT 0:00]
執行位置: c:\documents and settings\Yeung\桌面\ComboFix.exe
AV: Webroot Internet Security Essentials *Disabled/Updated* {77E10C7F-2CCA-4187-9394-BDBC267AD597}
FW: Webroot Internet Security Essentials *Disabled* {63671000-11A2-46DD-BADD-A084CABCDEAE}
.
Error: Cfiles.dat

((((((((((((((((((((((((((((((((((((((( 被刪除的檔案 )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Yeung\Application Data\PriceGong
c:\documents and settings\Yeung\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Yeung\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Yeung\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Yeung\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Yeung\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Yeung\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Yeung\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Yeung\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Yeung\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Yeung\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Yeung\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Yeung\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Yeung\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Yeung\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Yeung\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Yeung\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Yeung\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Yeung\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Yeung\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Yeung\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Yeung\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Yeung\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Yeung\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Yeung\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Yeung\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Yeung\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Yeung\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Yeung\Application Data\PriceGong\Data\z.xml
c:\favoritevideo\InvisibleFolder
c:\favoritevideo\InvisibleFolder\20101223152005_taobao101224cha15s.swf
c:\favoritevideo\InvisibleFolder\20101224112404_woyouwangluo101224zhu15s.swf
c:\favoritevideo\InvisibleFolder\20101224112522_woyouwangluo101224zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101224113612_wanmeishenguishijie101225zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101224135223_wangwangzhiwang3101228zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101224145732_wanmeishenmodalu101226zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101224161510_woyouwangluo101225zhu15s.swf
c:\favoritevideo\InvisibleFolder\20101224164333_shinianyijian101225zhu15s.swf
c:\favoritevideo\InvisibleFolder\20101224181428_taobao101226cha15s.swf
c:\favoritevideo\InvisibleFolder\20101224181513_taobao101226zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101224181634_taobao101226zhu15s.swf
c:\favoritevideo\InvisibleFolder\20101227162414_guangyuwendao101228zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101227162617_shinianyijian101227zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101227180643_pinganchexian101227zhu15s.swf
c:\favoritevideo\InvisibleFolder\20101227185622_maoxiandao101227zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101228120601_wanmeishenguishijie101229zhu15s.swf
c:\favoritevideo\InvisibleFolder\20101228120647_wanmeishenguishijie101229zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101228164355_guyu101228zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101228170306_taobao101228zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101228170816_taobao101228cha15s.swf
c:\favoritevideo\InvisibleFolder\20101228181517_yingjia101228qipao.gif
c:\favoritevideo\InvisibleFolder\20101228181608_yingjia101228zanting.swf
c:\favoritevideo\InvisibleFolder\peer.dll

.
((((((((((((((((((((((((( 2010-11-28 至 2010-12-28 的新的檔案 )))))))))))))))))))))))))))))))
.

2010-12-27 16:09 . 2010-12-28 11:51 45056 ----a-w- c:\windows\runhostdl.exe
2010-12-26 16:41 . 2010-12-26 16:41 -------- d-----w- c:\program files\MSSOAP
2010-12-26 16:41 . 2010-12-26 16:41 -------- d-----w- c:\program files\Webroot
2010-12-25 23:38 . 2010-12-25 23:38 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-12-25 23:36 . 2010-05-26 10:45 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2010-12-25 17:15 . 2010-12-25 17:27 -------- d-----w- c:\documents and settings\Yeung\Local Settings\Application Data\Temp
2010-12-25 17:14 . 2010-12-25 17:14 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-12-25 17:14 . 2010-12-25 17:28 -------- d-----w- c:\documents and settings\Yeung\Local Settings\Application Data\Google
2010-12-25 17:14 . 2010-12-25 17:28 -------- d-----w- c:\program files\Google
2010-12-24 14:47 . 2010-12-24 14:47 -------- d-----w- c:\program files\Sophos
2010-12-24 12:40 . 2010-12-24 12:40 -------- d-----w- c:\documents and settings\Yeung\Application Data\Malwarebytes
2010-12-24 12:40 . 2010-12-24 12:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-12-22 16:53 . 2010-12-28 12:11 45056 ----a-w- c:\program files\Common Files\dll.ext
2010-12-18 04:14 . 2010-12-28 12:11 86016 ----a-w- c:\windows\wscript.exe
2010-12-18 04:14 . 2010-12-28 12:10 45056 ----a-w- c:\documents and settings\Yeung\Application Data\setdebug.exe
2010-12-18 04:11 . 2010-12-18 04:11 -------- d-----w- c:\documents and settings\Yeung\Local Settings\Application Data\WinAVI
2010-12-18 04:11 . 2010-12-18 04:11 -------- d-----w- c:\documents and settings\Yeung\Application Data\WinAVI
2010-12-18 04:11 . 2010-12-18 04:11 -------- d-----w- c:\program files\All in One Converter
2010-12-15 15:10 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-15 15:07 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2010-12-12 19:57 . 2010-12-12 19:57 -------- d-----w- c:\documents and settings\All Users\Application Data\NexonTW
2010-12-12 18:33 . 2010-12-13 14:07 -------- d-----w- c:\documents and settings\Yeung\Application Data\IDM
2010-12-12 18:33 . 2010-12-12 18:35 -------- d-----w- c:\program files\Internet Download Manager
2010-12-12 18:21 . 2010-12-12 19:52 -------- d-----w- c:\program files\Gamania
2010-12-11 20:55 . 2010-12-12 18:26 -------- d-----w- C:\Nexon
2010-12-11 20:55 . 2010-12-11 20:55 -------- d-----w- c:\documents and settings\All Users\Application Data\NexonUS
2010-12-11 20:43 . 2010-12-12 03:57 -------- d-----w- c:\documents and settings\Yeung\Local Settings\Application Data\PMB Files
2010-12-11 20:43 . 2010-12-11 20:45 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2010-12-11 20:42 . 2010-12-11 20:42 -------- d-----w- c:\program files\Pando Networks
2010-12-03 05:42 . 2010-12-03 05:42 -------- d-----w- c:\documents and settings\Yeung\Application Data\dBpoweramp

.
(((((((((((((((((((((((((((((((((((((((( 在三個月內被修改的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-18 18:12 . 2010-07-30 13:12 73728 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:21 . 2004-08-03 16:47 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:21 . 2004-08-03 16:48 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-06 00:21 . 2004-08-03 16:47 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-03 12:25 . 2004-08-03 16:37 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2001-09-17 00:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2004-08-03 16:46 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-27 07:08 . 2010-10-27 07:08 208896 ----a-w- c:\windows\system32\pptv.scr
2010-10-26 14:05 . 2004-08-03 16:41 1852928 ----a-w- c:\windows\system32\win32k.sys
2010-10-23 17:46 . 2010-08-08 17:08 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-10-23 17:46 . 2010-08-08 17:08 103736 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-10-03 22:43 . 2010-10-03 22:43 59240 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2010-09-29 19:31 . 2010-11-06 10:04 210272 ----a-w- c:\windows\system32\idmmbc.dll
2010-06-11 18:05 . 2010-07-30 22:49 253952 ----a-w- c:\program files\mozilla firefox\components\CheckTudouVa.dll
.

------- Sigcheck -------

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 4AFB3B0919649F95C1964AA1FAD27D73 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2004-08-03 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB951748_0$\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( 重要登入點 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白與合法缺省登錄將不會被顯示
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1631550F-191D-4826-B069-D9439253D926}]
2010-03-28 19:53 353656 ----a-w- c:\program files\PriceGong\2.1.0\PriceGongIE.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{43BEAFD9-E005-483D-A367-146BA6C8A32E}]
2010-04-19 22:08 312896 ----a-w- c:\program files\Tudou\滄厒Tudou\tudouDetector.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D2F8A635-8B0F-47BF-915E-6F456767A300}]
2009-11-10 07:53 440008 ----a-w- c:\program files\Thunder Network\MiniThunder\ToolBarNow.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2007-08-01 222592]
"Steam"="c:\program files\Steam\Steam.exe" [2010-11-17 1242448]
"PPAP"="c:\program files\Common Files\PPLiveNetwork\PPAP.exe" [2010-09-20 185784]
"Exetender"="c:\program files\Free Ride Games\GPlayer.exe" [2010-07-18 1774080]
"rundll"="c:\windows\runhostdl.exe" [2010-12-28 45056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
"JMB36X IDE Setup"="c:\windows\JM\JMInsIDE.exe" [2006-10-30 36864]
"JMB36X Configure"="c:\windows\system32\JMRaidSetup.exe" [2006-10-30 1953792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-12 8429568]
"nwiz"="nwiz.exe" [2007-04-12 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-12 81920]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"Exetender"="c:\program files\Free Ride Games\GPlayer.exe" [2010-07-18 1774080]

c:\documents and settings\Yeung\「開始」功能表\程式集\啟動\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]
雄滄厒芩飪.lnk - c:\program files\Tudou\滄厒Tudou\TudouVa.exe [2010-6-11 1404928]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Tudou\\滄厒Tudou\\TudouVa.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\umbrella\\tinytss.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\PPLive\\PPTV\\PPLive.exe"=
"c:\\Program Files\\Common Files\\PPLiveNetwork\\PPAP.exe"=
"c:\\Program Files\\PPLive\\PPTV\\PPLiveU.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\alien swarm\\swarm.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\alien swarm\\srcds.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Thunder Network\\MiniThunder\\MiniThunder.exe"=
"c:\\Program Files\\Thunder Network\\MiniThunder\\ThunderLiveUD.exe"=
"c:\\Program Files\\Thunder Network\\MiniThunder\\XLBugReport.exe"=
"c:\\Program Files\\Common Files\\Thunder Network\\DS\\Ver1\\1.0.2.56\\ThunderService.exe"=
"c:\\Program Files\\Common Files\\Thunder Network\\DS\\Ver1\\1.0.2.56\\ThunderLiveUD.exe"=
"c:\\Program Files\\Common Files\\Thunder Network\\DS\\Ver1\\1.0.2.56\\XLBugReport.exe"=
"c:\\Program Files\\Common Files\\Thunder Network\\DS\\Ver1\\1.0.2.50\\ThunderLiveUD.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Gamania\\PopKart\\M01\\NMService.exe"=
"c:\\Program Files\\Gamania\\PopKart\\M01\\Patcher.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnstart.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"27226:TCP"= 27226:TCP:BitCometBeta 27226 TCP
"27226:UDP"= 27226:UDP:BitCometBeta 27226 UDP
"57602:TCP"= 57602:TCP:Pando Media Booster
"57602:UDP"= 57602:UDP:Pando Media Booster

R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2010/10/03 下午 10:43 59240]
R1 RapportCerberus_19917;RapportCerberus_19917;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\19917\RapportCerberus_19917.sys [2010/10/03 下午 10:54 34792]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2010/10/03 下午 10:43 169320]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2010/12/25 下午 11:36 18816]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2010/10/03 下午 10:43 767208]
R2 X4HSEx;X4HSEx;c:\program files\Free Ride Games\X4HSEx.sys [2010/11/03 下午 03:12 56352]
S0 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010/12/25 下午 05:14 136176]
S2 WRConsumerService;Webroot Client Service;"c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe" --> c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [?]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\Yeung\LOCALS~1\Temp\QUA3E7.tmp --> c:\docume~1\Yeung\LOCALS~1\Temp\QUA3E7.tmp [?]
S3 GGSAFERDriver;GGSAFER Driver;\??\c:\program files\Garena\plugins\UI\safedrv.sys --> c:\program files\Garena\plugins\UI\safedrv.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\920B.tmp --> c:\windows\system32\920B.tmp [?]
.
‘計劃任務’ 文件夾裡的內容

2010-12-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 10:50]

2010-12-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-25 17:14]

2010-12-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-25 17:14]
.
.
------- 而外的掃描 -------
.
uInternet Settings,ProxyOverride = local
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: 使用迷你迅雷下?
IE: 使用迷你迅雷下? - c:\program files\Thunder Network\MiniThunder\geturl.htm
IE: 匯出至 Microsoft Office Excel(&X) - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Yeung\Application Data\Mozilla\Firefox\Profiles\v06g53rz.default\
FF - prefs.js: browser.startup.homepage - hk.yahoo.com
FF - prefs.js: network.proxy.type - 2
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Add N Edit Cookies: {038dc421-b19e-4711-a218-1fd10de9163b} - %profile%\extensions\{038dc421-b19e-4711-a218-1fd10de9163b}
FF - Ext: IDM CC: mozilla_cc@internetdownloadmanager.com - c:\documents and settings\Yeung\Application Data\IDM\idmmzcc3
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-28 12:24
Windows 5.1.2600 Service Pack 3 NTFS

掃描被隱藏的進程 ...

掃描被隱藏的啟動組 ...

掃描被隱藏的文件 ...

掃描完成
被隱藏的檔案: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\Yeung\LOCALS~1\Temp\QUA3E7.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\920B.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-343818398-2025429265-839522115-1003\Software\Microsoft\Internet Explorer\MenuExt\O(u?`O??N?*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CLSID]
@="{809B6661-94C4-49E6-B6EC-3F0F862215AA}"

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CurVer]
@="BDATuner.元件.1"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{2c847b38-6f2d-4b8a-95c1-9cbf73a6fc51}]
@Denied: (Full) (Everyone)
"Model"=dword:000000fa
"Therad"=dword:0000001e
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,ab,9e,50,1b,eb,77,d1,ab,08,0a,d0,ea,7d,a6,39,61,83,e0,8b,c5,07,bb,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):a2,24,40,2e,6e,aa,e5,e3,12,1c,eb,a4,4d,35,13,c5,79,28,32,40,19,
bb,59,d3,20,d7,ba,77,33,01,f1,c2,aa,60,1b,1b,80,bd,77,21,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
完成時間: 2010-12-28 12:25:20
ComboFix-quarantined-files.txt 2010-12-28 12:25

Pre-Run: 67,785,101,312 位元組可用
Post-Run: 76,039,225,344 位元組可用

WindowsXP-KB310994-SP2-Pro-BootDisk-CHT.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 0EB1C9FB2A9C354C7DC8F76073D1A7E6

After using combofix, the usage of the cpu has changed up to 90-100%,it doesnt go under 50% anymore. I think the music has stopped playing in the background.
Few days ago before i post on here I did a scan with housecalllauncher and this is the results that it gave me.

Thank you.

**Ried** · 12-28-2010, 01:21 PM

You're welcome, MK47,

We still have work to do. Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

***************************************************

Open notepad and copy/paste the text in the code box below into it:

Quote:

http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/538907-random-music-playing-cpu-usage-high-nothing-running.html#post3051910

Collect::
c:\windows\runhostdl.exe

Folder::
c:\program files\PriceGong

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

***************************************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

***************************************************

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you. Post the C:\ComboFix.txt in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

Ensure you are connected to the internet and click OK on the message box.

MK47 · 12-29-2010, 03:59 AM

Here is the result.

ComboFix 10-12-28.03 - Yeung 2010/12/29 11:47:57.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.950.886.1028.18.2047.1433 [GMT 0:00]
執行位置: c:\documents and settings\Yeung\桌面\ComboFix.exe
Command switches used :: c:\documents and settings\Yeung\桌面\CFScript.txt
AV: ESET NOD32 Antivirus 4.0 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
AV: Webroot Internet Security Essentials *Disabled/Updated* {77E10C7F-2CCA-4187-9394-BDBC267AD597}
FW: Webroot Internet Security Essentials *Disabled* {63671000-11A2-46DD-BADD-A084CABCDEAE}

file zipped: c:\windows\runhostdl.exe
.
Error: Cfiles.dat

((((((((((((((((((((((((((((((((((((((( 被刪除的檔案 )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Yeung\Application Data\PriceGong
c:\documents and settings\Yeung\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Yeung\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Yeung\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Yeung\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Yeung\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Yeung\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Yeung\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Yeung\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Yeung\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Yeung\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Yeung\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Yeung\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Yeung\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Yeung\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Yeung\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Yeung\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Yeung\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Yeung\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Yeung\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Yeung\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Yeung\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Yeung\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Yeung\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Yeung\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Yeung\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Yeung\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Yeung\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Yeung\Application Data\PriceGong\Data\z.xml
c:\favoritevideo\InvisibleFolder
c:\favoritevideo\InvisibleFolder\20101228211855_kfc101228jiaobiao.swf
c:\favoritevideo\InvisibleFolder\20101228212043_kfc101228zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101229111843_n8101229zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101229162005_shenguishijie101229zhu15s.swf
c:\favoritevideo\InvisibleFolder\20101229162533_shenguishijie101229minisitefumeiti.swf
c:\favoritevideo\InvisibleFolder\20101229171754_taobao101230cha15s.swf
c:\favoritevideo\InvisibleFolder\20101229171842_taobao101230zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101229173034_guyu101230zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101229175616_tianxiaer101230zanting15s.swf
c:\program files\PriceGong
c:\program files\PriceGong\2.1.0\FF\chrome.manifest
c:\program files\PriceGong\2.1.0\FF\components\PriceGong.xpt
c:\program files\PriceGong\2.1.0\FF\components\PriceGongFF.dll
c:\program files\PriceGong\2.1.0\FF\content\options.js
c:\program files\PriceGong\2.1.0\FF\content\options.xul
c:\program files\PriceGong\2.1.0\FF\content\PriceGong.png
c:\program files\PriceGong\2.1.0\FF\install.rdf
c:\program files\PriceGong\2.1.0\PriceGongIE.dll
c:\program files\PriceGong\uninst.exe
c:\windows\runhostdl.exe

.
((((((((((((((((((((((((( 2010-11-28 至 2010-12-29 的新的檔案 )))))))))))))))))))))))))))))))
.

2010-12-28 12:28 . 2010-12-28 12:28 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2010-12-27 16:09 . 2010-12-29 11:38 45056 ----a-w- c:\windows\runhostdl.exe
2010-12-26 16:41 . 2010-12-26 16:41 -------- d-----w- c:\program files\MSSOAP
2010-12-26 16:41 . 2010-12-26 16:41 -------- d-----w- c:\program files\Webroot
2010-12-25 23:38 . 2010-12-25 23:38 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-12-25 23:36 . 2010-05-26 10:45 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2010-12-25 17:15 . 2010-12-25 17:27 -------- d-----w- c:\documents and settings\Yeung\Local Settings\Application Data\Temp
2010-12-25 17:14 . 2010-12-25 17:14 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-12-25 17:14 . 2010-12-25 17:28 -------- d-----w- c:\documents and settings\Yeung\Local Settings\Application Data\Google
2010-12-25 17:14 . 2010-12-25 17:28 -------- d-----w- c:\program files\Google
2010-12-24 14:47 . 2010-12-24 14:47 -------- d-----w- c:\program files\Sophos
2010-12-24 12:40 . 2010-12-24 12:40 -------- d-----w- c:\documents and settings\Yeung\Application Data\Malwarebytes
2010-12-24 12:40 . 2010-12-24 12:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-12-22 16:53 . 2010-12-29 11:38 45056 ----a-w- c:\program files\Common Files\dll.ext
2010-12-18 04:14 . 2010-12-29 11:38 86016 ----a-w- c:\windows\wscript.exe
2010-12-18 04:14 . 2010-12-29 11:38 45056 ----a-w- c:\documents and settings\Yeung\Application Data\setdebug.exe
2010-12-18 04:11 . 2010-12-18 04:11 -------- d-----w- c:\documents and settings\Yeung\Local Settings\Application Data\WinAVI
2010-12-18 04:11 . 2010-12-18 04:11 -------- d-----w- c:\documents and settings\Yeung\Application Data\WinAVI
2010-12-18 04:11 . 2010-12-18 04:11 -------- d-----w- c:\program files\All in One Converter
2010-12-15 15:10 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-15 15:07 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2010-12-12 19:57 . 2010-12-12 19:57 -------- d-----w- c:\documents and settings\All Users\Application Data\NexonTW
2010-12-12 18:33 . 2010-12-13 14:07 -------- d-----w- c:\documents and settings\Yeung\Application Data\IDM
2010-12-12 18:33 . 2010-12-12 18:35 -------- d-----w- c:\program files\Internet Download Manager
2010-12-12 18:21 . 2010-12-12 19:52 -------- d-----w- c:\program files\Gamania
2010-12-11 20:55 . 2010-12-12 18:26 -------- d-----w- C:\Nexon
2010-12-11 20:55 . 2010-12-11 20:55 -------- d-----w- c:\documents and settings\All Users\Application Data\NexonUS
2010-12-11 20:43 . 2010-12-12 03:57 -------- d-----w- c:\documents and settings\Yeung\Local Settings\Application Data\PMB Files
2010-12-11 20:43 . 2010-12-11 20:45 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2010-12-11 20:42 . 2010-12-11 20:42 -------- d-----w- c:\program files\Pando Networks
2010-12-03 05:42 . 2010-12-03 05:42 -------- d-----w- c:\documents and settings\Yeung\Application Data\dBpoweramp

.
(((((((((((((((((((((((((((((((((((((((( 在三個月內被修改的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-18 18:12 . 2010-07-30 13:12 73728 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:21 . 2004-08-03 16:47 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:21 . 2004-08-03 16:48 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-06 00:21 . 2004-08-03 16:47 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-03 12:25 . 2004-08-03 16:37 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2001-09-17 00:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2004-08-03 16:46 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-27 07:08 . 2010-10-27 07:08 208896 ----a-w- c:\windows\system32\pptv.scr
2010-10-26 14:05 . 2004-08-03 16:41 1852928 ----a-w- c:\windows\system32\win32k.sys
2010-10-23 17:46 . 2010-08-08 17:08 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-10-23 17:46 . 2010-08-08 17:08 103736 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-10-03 22:43 . 2010-10-03 22:43 59240 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2010-06-11 18:05 . 2010-07-30 22:49 253952 ----a-w- c:\program files\mozilla firefox\components\CheckTudouVa.dll
.

------- Sigcheck -------

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 4AFB3B0919649F95C1964AA1FAD27D73 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2004-08-03 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB951748_0$\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2010-12-28_12.24.08 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-12-29 11:37 . 2010-12-29 11:37 16384 c:\windows\Temp\Perflib_Perfdata_9cc.dat
+ 2009-09-29 13:05 . 2009-09-29 13:05 96408 c:\windows\system32\drivers\epfwtdir.sys
+ 2010-12-28 12:29 . 2010-12-28 12:29 10134 c:\windows\Installer\{85C70286-A56F-4834-BD24-B34EB76A93A2}\callmsi.exe
+ 2009-09-29 13:02 . 2009-09-29 13:02 108792 c:\windows\system32\drivers\ehdrv.sys
+ 2009-09-29 12:56 . 2009-09-29 12:56 116008 c:\windows\system32\drivers\eamon.sys
+ 2010-12-28 12:29 . 2010-12-28 12:29 101480 c:\windows\Installer\{85C70286-A56F-4834-BD24-B34EB76A93A2}\egui.exe
+ 2010-12-28 12:29 . 2010-12-28 12:29 1130496 c:\windows\Installer\11002f.msi
.
((((((((((((((((((((((((((((((((((((( 重要登入點 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白與合法缺省登錄將不會被顯示
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{43BEAFD9-E005-483D-A367-146BA6C8A32E}]
2010-04-19 22:08 312896 ----a-w- c:\program files\Tudou\滄厒Tudou\tudouDetector.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D2F8A635-8B0F-47BF-915E-6F456767A300}]
2009-11-10 07:53 440008 ----a-w- c:\program files\Thunder Network\MiniThunder\ToolBarNow.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2007-08-01 222592]
"Steam"="c:\program files\Steam\Steam.exe" [2010-11-17 1242448]
"PPAP"="c:\program files\Common Files\PPLiveNetwork\PPAP.exe" [2010-09-20 185784]
"Exetender"="c:\program files\Free Ride Games\GPlayer.exe" [2010-07-18 1774080]
"rundll"="c:\windows\runhostdl.exe" [2010-12-29 45056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
"JMB36X IDE Setup"="c:\windows\JM\JMInsIDE.exe" [2006-10-30 36864]
"JMB36X Configure"="c:\windows\system32\JMRaidSetup.exe" [2006-10-30 1953792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-12 8429568]
"nwiz"="nwiz.exe" [2007-04-12 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-12 81920]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-09-29 2054360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"Exetender"="c:\program files\Free Ride Games\GPlayer.exe" [2010-07-18 1774080]

c:\documents and settings\Yeung\「開始」功能表\程式集\啟動\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]
雄滄厒芩飪.lnk - c:\program files\Tudou\滄厒Tudou\TudouVa.exe [2010-6-11 1404928]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Tudou\\滄厒Tudou\\TudouVa.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\umbrella\\tinytss.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\PPLive\\PPTV\\PPLive.exe"=
"c:\\Program Files\\Common Files\\PPLiveNetwork\\PPAP.exe"=
"c:\\Program Files\\PPLive\\PPTV\\PPLiveU.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\alien swarm\\swarm.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\alien swarm\\srcds.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Thunder Network\\MiniThunder\\MiniThunder.exe"=
"c:\\Program Files\\Thunder Network\\MiniThunder\\ThunderLiveUD.exe"=
"c:\\Program Files\\Thunder Network\\MiniThunder\\XLBugReport.exe"=
"c:\\Program Files\\Common Files\\Thunder Network\\DS\\Ver1\\1.0.2.56\\ThunderService.exe"=
"c:\\Program Files\\Common Files\\Thunder Network\\DS\\Ver1\\1.0.2.56\\ThunderLiveUD.exe"=
"c:\\Program Files\\Common Files\\Thunder Network\\DS\\Ver1\\1.0.2.56\\XLBugReport.exe"=
"c:\\Program Files\\Common Files\\Thunder Network\\DS\\Ver1\\1.0.2.50\\ThunderLiveUD.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Gamania\\PopKart\\M01\\NMService.exe"=
"c:\\Program Files\\Gamania\\PopKart\\M01\\Patcher.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnstart.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"27226:TCP"= 27226:TCP:BitCometBeta 27226 TCP
"27226:UDP"= 27226:UDP:BitCometBeta 27226 UDP
"57602:TCP"= 57602:TCP:Pando Media Booster
"57602:UDP"= 57602:UDP:Pando Media Booster

R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2010/10/03 下午 10:43 59240]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009/09/29 下午 01:02 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009/09/29 下午 01:05 96408]
R1 RapportCerberus_19917;RapportCerberus_19917;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\19917\RapportCerberus_19917.sys [2010/10/03 下午 10:54 34792]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2010/10/03 下午 10:43 169320]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2010/12/25 下午 11:36 18816]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009/09/29 下午 01:03 735960]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2010/10/03 下午 10:43 767208]
R2 X4HSEx;X4HSEx;c:\program files\Free Ride Games\X4HSEx.sys [2010/11/03 下午 03:12 56352]
S0 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010/12/25 下午 05:14 136176]
S2 WRConsumerService;Webroot Client Service;"c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe" --> c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [?]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\Yeung\LOCALS~1\Temp\QUA3E7.tmp --> c:\docume~1\Yeung\LOCALS~1\Temp\QUA3E7.tmp [?]
S3 GGSAFERDriver;GGSAFER Driver;\??\c:\program files\Garena\plugins\UI\safedrv.sys --> c:\program files\Garena\plugins\UI\safedrv.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\920B.tmp --> c:\windows\system32\920B.tmp [?]
.
‘計劃任務’ 文件夾裡的內容

2010-12-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 10:50]

2010-12-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-25 17:14]

2010-12-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-25 17:14]
.
.
------- 而外的掃描 -------
.
uInternet Settings,ProxyOverride = local
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: 使用迷你迅雷下?
IE: 使用迷你迅雷下? - c:\program files\Thunder Network\MiniThunder\geturl.htm
IE: 匯出至 Microsoft Office Excel(&X) - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Yeung\Application Data\Mozilla\Firefox\Profiles\v06g53rz.default\
FF - prefs.js: browser.startup.homepage - hk.yahoo.com
FF - prefs.js: network.proxy.type - 2
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Add N Edit Cookies: {038dc421-b19e-4711-a218-1fd10de9163b} - %profile%\extensions\{038dc421-b19e-4711-a218-1fd10de9163b}
FF - Ext: IDM CC: mozilla_cc@internetdownloadmanager.com - c:\documents and settings\Yeung\Application Data\IDM\idmmzcc3
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -

BHO-{1631550F-191D-4826-B069-D9439253D926} - c:\program files\PriceGong\2.1.0\PriceGongIE.dll
AddRemove-PriceGong - c:\program files\PriceGong\uninst.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-29 11:52
Windows 5.1.2600 Service Pack 3 NTFS

掃描被隱藏的進程 ...

掃描被隱藏的啟動組 ...

掃描被隱藏的文件 ...

掃描完成
被隱藏的檔案: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\Yeung\LOCALS~1\Temp\QUA3E7.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\920B.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-343818398-2025429265-839522115-1003\Software\Microsoft\Internet Explorer\MenuExt\O(u?`O??N?*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CLSID]
@="{809B6661-94C4-49E6-B6EC-3F0F862215AA}"

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CurVer]
@="BDATuner.元件.1"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{2c847b38-6f2d-4b8a-95c1-9cbf73a6fc51}]
@Denied: (Full) (Everyone)
"Model"=dword:000000fa
"Therad"=dword:0000001e
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,ab,9e,50,1b,eb,77,d1,ab,08,0a,d0,ea,7d,a6,39,61,83,e0,8b,c5,07,bb,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):a2,24,40,2e,6e,aa,e5,e3,12,1c,eb,a4,4d,35,13,c5,79,28,32,40,19,
bb,59,d3,20,d7,ba,77,33,01,f1,c2,aa,60,1b,1b,80,bd,77,21,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
完成時間: 2010-12-29 11:53:35
ComboFix-quarantined-files.txt 2010-12-29 11:53
ComboFix2.txt 2010-12-28 12:25

Pre-Run: 75,134,046,208 位元組可用
Post-Run: 75,129,327,616 位元組可用

- - End Of File - - 42502CC9023AD666CA35F7172AB80423

I am not sure if it worked because i was connected to the internet but after i clicked yes,it gave me an error.Thank you.

**Ried** · 12-29-2010, 02:03 PM

You're correct, the upload did not go through. Click Start>Run and copy/paste the following bolded text into the Run box and click OK:

C:\Qoobox\ComboFix-quarantined-files.txt

A report should pop open for you. Please post the contents in your next reply.

MK47 · 12-29-2010, 03:14 PM

Here it is.
2010-12-29 11:53:10 . 2010-12-29 11:53:10 632 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-PriceGong.reg.dat
2010-12-29 11:52:56 . 2010-12-29 11:52:56 825 ----a-w- C:\Qoobox\Quarantine\Registry_backups\BHO-{1631550F-191D-4826-B069-D9439253D926}.reg.dat
2010-12-29 11:47:55 . 2010-12-29 11:47:55 14,981 ----a-w- C:\Qoobox\Quarantine\[4]-Submit_2010-12-29_11.47.54.zip
2010-12-29 11:41:27 . 2010-12-29 11:41:37 36,954 ----a-w- C:\Qoobox\Quarantine\C\FavoriteVideo\InvisibleFolder\20101229175616_tianxiaer101230zanting15s.swf.vir
2010-12-29 11:41:16 . 2010-12-29 11:41:27 46,118 ----a-w- C:\Qoobox\Quarantine\C\FavoriteVideo\InvisibleFolder\20101229171842_taobao101230zanting15s.swf.vir
2010-12-29 11:41:04 . 2010-12-29 11:41:15 42,172 ----a-w- C:\Qoobox\Quarantine\C\FavoriteVideo\InvisibleFolder\20101229162005_shenguishijie101229zhu15s.swf.vir
2010-12-29 11:41:01 . 2010-12-29 11:41:03 27,209 ----a-w- C:\Qoobox\Quarantine\C\FavoriteVideo\InvisibleFolder\20101229162533_shenguishijie101229minisitefumeiti.swf.vir
2010-12-29 11:40:49 . 2010-12-29 11:41:00 35,972 ----a-w- C:\Qoobox\Quarantine\C\FavoriteVideo\InvisibleFolder\20101229173034_guyu101230zanting15s.swf.vir
2010-12-29 11:40:38 . 2010-12-29 11:40:49 43,228 ----a-w- C:\Qoobox\Quarantine\C\FavoriteVideo\InvisibleFolder\20101229111843_n8101229zanting15s.swf.vir
2010-12-29 11:40:25 . 2010-12-29 11:40:37 31,995 ----a-w- C:\Qoobox\Quarantine\C\FavoriteVideo\InvisibleFolder\20101229171754_taobao101230cha15s.swf.vir
2010-12-28 21:38:59 . 2010-12-29 02:23:29 72 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Yeung\Application Data\PriceGong\Data\mru.xml.vir
2010-12-28 14:13:47 . 2010-12-28 14:13:54 13,447 ----a-w- C:\Qoobox\Quarantine\C\FavoriteVideo\InvisibleFolder\20101228211855_kfc101228jiaobiao.swf.vir
2010-12-28 14:13:38 . 2010-12-28 14:13:47 36,440 ----a-w- C:\Qoobox\Quarantine\C\FavoriteVideo\InvisibleFolder\20101228212043_kfc101228zanting15s.swf.vir
2010-12-28 12:20:31 . 2010-12-29 11:51:10 4,858 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-12-28 12:13:05 . 2010-12-29 11:46:06 153 ----a-w- C:\Qoobox\Quarantine\catchme.log
2010-12-28 11:54:33 . 2010-12-28 11:59:15 1,596,264 ----a-w- C:\Qoobox\Quarantine\C\FavoriteVideo\InvisibleFolder\peer.dll.vir
2010-12-28 11:40:04 . 2010-12-28 11:40:12 20,786 ----a-w- C:\Qoobox\Quarantine\C\FavoriteVideo\InvisibleFolder\20101228181517_yingjia101228qipao.gif.vir
2010-12-28 11:35:00 . 2010-12-28 11:35:13 42,569 ----a-w- C:\Qoobox\Quarantine\C\FavoriteVideo\InvisibleFolder\20101228120601_wanmeishenguishijie101229zhu15s.swf.vir
2010-12-28 11:34:50 . 2010-12-28 11:35:00 34,604 ----a-w- C:\Qoobox\Quarantine\C\FavoriteVideo\InvisibleFolder\20101228181608_yingjia101228zanting.swf.vir
2010-12-28 11:34:45 . 2010-12-28 11:34:50 27,591 ----a-w- C:\Qoobox\Quarantine\C\FavoriteVideo\InvisibleFolder\20101228120647_wanmeishenguishijie101229zanting15s.swf.vir
2010-12-28 11:34:38 . 2010-12-28 11:34:45 36,061 ----a-w- C:\Qoobox\Quarantine\C\FavoriteVideo\InvisibleFolder\20101228164355_guyu101228zanting15s.swf.vir
2010-12-28 11:34:30 . 2010-12-28 11:34:38 31,334 ----a-w- C:\Qoobox\Quarantine\C\FavoriteVideo\InvisibleFolder\20101228170816_taobao101228cha15s.swf.vir
2010-12-28 11:34:20 . 2010-12-28 11:34:30 49,290 ----a-w- C:\Qoobox\Quarantine\C\FavoriteVideo\InvisibleFolder\20101228170306_taobao101228zanting15s.swf.vir
2010-12-27 18:11:40 . 2010-12-27 18:11:52 46,330 ----a-w- C:\Qoobox\Quarantine\C\FavoriteVideo\InvisibleFolder\20101227185622_maoxiandao101227zanting15s.swf.vir
2010-12-27 16:09:47 . 2010-12-29 11:38:16 45,056 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\runhostdl.exe.vir
2010-12-27 11:37:52 . 2010-12-27 11:38:00 39,054 ----a-w- C:\Qoobox\Quarantine\C\FavoriteVideo\InvisibleFolder\20101227162617_shinianyijian101227zanting15s.swf.vir
2010-12-27 11:37:36 . 2010-12-27 11:37:43 26,246 ----a-w- C:\Qoobox\Quarantine\C\FavoriteVideo\InvisibleFolder\20101227162414_guangyuwendao101228zanting15s.swf.vir
2010-12-27 11:37:28 . 2010-12-27 11:37:36 27,390 ----a-w- C:\Qoobox\Quarantine\C\FavoriteVideo\InvisibleFolder\20101227180643_pinganchexian101227zhu15s.swf.vir
2010-12-24 11:37:22 . 2010-12-24 11:37:27 19,948 ----a-w- C:\Qoobox\Quarantine\C\FavoriteVideo\InvisibleFolder\20101224181428_taobao101226cha15s.swf.vir
2010-12-24 11:37:11 . 2010-12-24 11:37:22 49,045 ----a-w- C:\Qoobox\Quarantine\C\FavoriteVideo\InvisibleFolder\20101224112522_woyouwangluo101224zanting15s.swf.vir
2010-12-24 11:36:46 . 2010-12-24 11:36:53 34,669 ----a-w- C:\Qoobox\Quarantine\C\FavoriteVideo\InvisibleFolder\20101224135223_wangwangzhiwang3101228zanting15s.swf.vir
2010-12-24 11:36:39 . 2010-12-24 11:36:46 36,806 ----a-w- C:\Qoobox\Quarantine\C\FavoriteVideo\InvisibleFolder\20101224113612_wanmeishenguishijie101225zanting15s.swf.vir
2010-12-24 11:36:35 . 2010-12-24 11:36:39 20,510 ----a-w- C:\Qoobox\Quarantine\C\FavoriteVideo\InvisibleFolder\20101224181513_taobao101226zanting15s.swf.vir
2010-12-24 11:36:18 . 2010-12-24 11:36:26 33,674 ----a-w- C:\Qoobox\Quarantine\C\FavoriteVideo\InvisibleFolder\20101224145732_wanmeishenmodalu101226zanting15s.swf.vir
2010-12-24 11:35:57 . 2010-12-24 11:36:18 72,448 ----a-w- C:\Qoobox\Quarantine\C\FavoriteVideo\InvisibleFolder\20101224112404_woyouwangluo101224zhu15s.swf.vir
2010-12-24 11:35:46 . 2010-12-24 11:35:50 20,510 ----a-w- C:\Qoobox\Quarantine\C\FavoriteVideo\InvisibleFolder\20101224181634_taobao101226zhu15s.swf.vir
2010-12-24 11:34:15 . 2010-12-24 11:34:33 75,546 ----a-w- C:\Qoobox\Quarantine\C\FavoriteVideo\InvisibleFolder\20101224164333_shinianyijian101225zhu15s.swf.vir
2010-12-24 11:33:35 . 2010-12-24 11:33:55 71,810 ----a-w- C:\Qoobox\Quarantine\C\FavoriteVideo\InvisibleFolder\20101224161510_woyouwangluo101225zhu15s.swf.vir
2010-12-23 13:00:51 . 2010-12-23 13:00:59 29,837 ----a-w- C:\Qoobox\Quarantine\C\FavoriteVideo\InvisibleFolder\20101223152005_taobao101224cha15s.swf.vir
2010-11-03 15:07:37 . 2010-11-03 15:07:37 50,615 ----a-w- C:\Qoobox\Quarantine\C\Program Files\PriceGong\uninst.exe.vir
2010-11-01 06:32:42 . 2010-11-01 06:32:42 19,448 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Yeung\Application Data\PriceGong\Data\1.xml.vir
2010-11-01 06:32:42 . 2010-11-01 06:32:42 85,816 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Yeung\Application Data\PriceGong\Data\a.xml.vir
2010-11-01 06:32:42 . 2010-11-01 06:32:42 115,856 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Yeung\Application Data\PriceGong\Data\b.xml.vir
2010-11-01 06:32:42 . 2010-11-01 06:32:42 128,448 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Yeung\Application Data\PriceGong\Data\c.xml.vir
2010-11-01 06:32:42 . 2010-11-01 06:32:42 81,848 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Yeung\Application Data\PriceGong\Data\d.xml.vir
2010-11-01 06:32:42 . 2010-11-01 06:32:42 89,256 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Yeung\Application Data\PriceGong\Data\e.xml.vir
2010-11-01 06:32:42 . 2010-11-01 06:32:42 51,304 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Yeung\Application Data\PriceGong\Data\f.xml.vir
2010-11-01 06:32:42 . 2010-11-01 06:32:42 59,960 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Yeung\Application Data\PriceGong\Data\g.xml.vir
2010-11-01 06:32:42 . 2010-11-01 06:32:42 45,264 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Yeung\Application Data\PriceGong\Data\h.xml.vir
2010-11-01 06:32:42 . 2010-11-01 06:32:42 39,928 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Yeung\Application Data\PriceGong\Data\i.xml.vir
2010-11-01 06:32:42 . 2010-11-01 06:32:42 25,112 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Yeung\Application Data\PriceGong\Data\J.xml.vir
2010-11-01 06:32:42 . 2010-11-01 06:32:42 21,896 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Yeung\Application Data\PriceGong\Data\k.xml.vir
2010-11-01 06:32:42 . 2010-11-01 06:32:42 65,760 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Yeung\Application Data\PriceGong\Data\l.xml.vir
2010-11-01 06:32:42 . 2010-11-01 06:32:42 86,136 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Yeung\Application Data\PriceGong\Data\m.xml.vir
2010-11-01 06:32:42 . 2010-11-01 06:32:42 27,608 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Yeung\Application Data\PriceGong\Data\n.xml.vir
2010-11-01 06:32:42 . 2010-11-01 06:32:42 33,904 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Yeung\Application Data\PriceGong\Data\o.xml.vir
2010-11-01 06:32:42 . 2010-11-01 06:32:42 77,264 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Yeung\Application Data\PriceGong\Data\p.xml.vir
2010-11-01 06:32:42 . 2010-11-01 06:32:42 3,512 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Yeung\Application Data\PriceGong\Data\q.xml.vir
2010-11-01 06:32:42 . 2010-11-01 06:32:42 30,824 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Yeung\Application Data\PriceGong\Data\r.xml.vir
2010-11-01 06:32:42 . 2010-11-01 06:32:42 128,336 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Yeung\Application Data\PriceGong\Data\s.xml.vir
2010-11-01 06:32:42 . 2010-11-01 06:32:42 63,440 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Yeung\Application Data\PriceGong\Data\t.xml.vir
2010-11-01 06:32:42 . 2010-11-01 06:32:42 14,432 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Yeung\Application Data\PriceGong\Data\u.xml.vir
2010-11-01 06:32:42 . 2010-11-01 06:32:42 18,480 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Yeung\Application Data\PriceGong\Data\v.xml.vir
2010-11-01 06:32:42 . 2010-11-01 06:32:42 27,696 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Yeung\Application Data\PriceGong\Data\w.xml.vir
2010-11-01 06:32:42 . 2010-11-01 06:32:42 2,176 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Yeung\Application Data\PriceGong\Data\x.xml.vir
2010-11-01 06:32:42 . 2010-11-01 06:32:42 6,448 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Yeung\Application Data\PriceGong\Data\y.xml.vir
2010-11-01 06:32:42 . 2010-11-01 06:32:42 7,712 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Yeung\Application Data\PriceGong\Data\z.xml.vir
2010-03-28 19:53:22 . 2010-03-28 19:53:22 353,656 ----a-w- C:\Qoobox\Quarantine\C\Program Files\PriceGong\2.1.0\FF\components\PriceGongFF.dll.vir
2010-03-28 19:53:16 . 2010-03-28 19:53:16 353,656 ----a-w- C:\Qoobox\Quarantine\C\Program Files\PriceGong\2.1.0\PriceGongIE.dll.vir
2010-03-26 10:56:46 . 2010-03-26 10:56:46 1,735 ----a-w- C:\Qoobox\Quarantine\C\Program Files\PriceGong\2.1.0\FF\content\PriceGong.png.vir
2010-02-17 10:58:10 . 2010-02-17 10:58:10 992 ----a-w- C:\Qoobox\Quarantine\C\Program Files\PriceGong\2.1.0\FF\install.rdf.vir
2009-12-03 23:28:20 . 2009-12-03 23:28:20 28 ----a-w- C:\Qoobox\Quarantine\C\Program Files\PriceGong\2.1.0\FF\chrome.manifest.vir
2009-12-03 23:28:20 . 2009-12-03 23:28:20 167 ----a-w- C:\Qoobox\Quarantine\C\Program Files\PriceGong\2.1.0\FF\components\PriceGong.xpt.vir
2009-12-03 23:28:20 . 2009-12-03 23:28:20 969 ----a-w- C:\Qoobox\Quarantine\C\Program Files\PriceGong\2.1.0\FF\content\options.js.vir
2009-12-03 23:28:20 . 2009-12-03 23:28:20 1,387 ----a-w- C:\Qoobox\Quarantine\C\Program Files\PriceGong\2.1.0\FF\content\options.xul.vir
Thank you!

**Ried** · 12-29-2010, 03:22 PM

Please visit this site and copy paste the following bolded text into the 'browse to file to submit' box:

C:\Qoobox\Quarantine\[4]-Submit_2010-12-29_11.47.54.zip

Click 'Send File'

Let me know when that file has been uploaded.

MK47 · 12-29-2010, 03:36 PM

It has been sent,thank you!

**Ried** · 12-29-2010, 04:29 PM

File received, thank you. :)

Do you recall if these problems began shortly after you installed WinAVI All in One Converter?

MK47 · 12-30-2010, 03:55 AM

I think so,my sister installed WinAVI All in One Converter then a few days after music started playing and cpu usage went up. What should i do? thank you.

**Ried** · 12-30-2010, 01:23 PM

Go to Control Panel>Add or Remove programs and uninstall that program. Reboot. How is the system behaving now?

MK47 · 12-30-2010, 03:54 PM

I uninstalled it, my computer is more stable more. Internet doesnt crash anymore.
Now i am confused,do i actually have a virus? :S. Thanks

**Ried** · 12-30-2010, 07:44 PM

I don't think so. Did the random sound stop as well? Where did you download that program from?

MK47 · 12-31-2010, 01:04 PM

Yes it stopped. I dont know I think someone gave it to her.
The pc is being weird sometimes is fine but it can just crash for no reason, and the interent just goes randomly.Like when I try to login to msn it says keyport error but i can go on the internet on my ipod.... :S

**Ried** · 01-01-2011, 08:03 AM

Let's see if we can get a clue about those issues. Download VEW.exe

Double click on VEW.exe to start the program. If you recieve an "Open File" security warning, press Run.
In the "Select log to query" section check:
Application
System
In the "Select type to list" section check:
Error
In the "Number or dates of events" section check :
Number of events... then enter any number from 1 thru 20 in the entry box -- enter 10.
Press the Run button.

When the process completes, it only takes a few seconds.

Notepad will open with a report file named VEW.txt. Post the contents of that log.

MK47 · 01-01-2011, 08:10 AM

It wont let me run it because my OS is not in english :S

**Ried** · 01-01-2011, 08:15 AM

Then we'll have to do this manually.

Go to Start > Run - type in eventvwr <Press Enter>

This is a picture of what the event viewer looks like.
You will see Application, Security & System listed in the left pane.

In the left pane click on Application.
Click the gray title “Type” at the top of the source name column in the right pane to sort by type name
Look for “Error” & double-click on the most recent 5, and evaluate the event description for any indication of the cause of the problem.
Make note of the Description, EventID and Source of these Event Properties.
From the right pane, doubleclick on the line where it says error & you should get a window like the example below
In the upper right corner of this picture, you should see 2 arrows. One is pointing up & the other, pointing down.
There is another button below the 2 arrows. Click once on it. (this will copy some information to clipboard)
Open notepad & paste the info in there. This will copy the event information to the clipboard. Paste the information for each event here

Repeat steps 1-6 for System

MK47 · 01-01-2011, 08:37 AM

Here it is.

事件類型: 錯誤
事件來源: Application Hang
事件類別目錄: (101)
事件識別碼: 1002
日期: 2010/12/20
時間: 上午 04:46:18
使用者: N/A
電腦: FAMIL
描述:
無回應的應用程式 NeroVision.exe，版本 4.7.0.19。無回應的模組 hungapp 版本 0.0.0.0。無回應的位址 0x00000000。

請在 http://go.microsoft.com/fwlink/events.asp 查看說明及支援中心，以取得其他資訊。
資料:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 48 61 6e 67 ion Hang
0010: 20 20 4e 65 72 6f 56 69 NeroVi
0018: 73 69 6f 6e 2e 65 78 65 sion.exe
0020: 20 34 2e 37 2e 30 2e 31 4.7.0.1
0028: 39 20 69 6e 20 68 75 6e 9 in hun
0030: 67 61 70 70 20 30 2e 30 gapp 0.0
0038: 2e 30 2e 30 20 61 74 20 .0.0 at
0040: 6f 66 66 73 65 74 20 30 offset 0
0048: 30 30 30 30 30 30 30 0000000

事件類型: 錯誤
事件來源: Application Hang
事件類別目錄: (101)
事件識別碼: 1002
日期: 2010/12/09
時間: 下午 04:04:09
使用者: N/A
電腦: FAMIL
描述:
無回應的應用程式 firefox.exe，版本 1.9.2.3951。無回應的模組 hungapp 版本 0.0.0.0。無回應的位址 0x00000000。

請在 http://go.microsoft.com/fwlink/events.asp 查看說明及支援中心，以取得其他資訊。
資料:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 48 61 6e 67 ion Hang
0010: 20 20 66 69 72 65 66 6f firefo
0018: 78 2e 65 78 65 20 31 2e x.exe 1.
0020: 39 2e 32 2e 33 39 35 31 9.2.3951
0028: 20 69 6e 20 68 75 6e 67 in hung
0030: 61 70 70 20 30 2e 30 2e app 0.0.
0038: 30 2e 30 20 61 74 20 6f 0.0 at o
0040: 66 66 73 65 74 20 30 30 ffset 00
0048: 30 30 30 30 30 30 000000

事件類型: 錯誤
事件來源: Application Hang
事件類別目錄: (101)
事件識別碼: 1002
日期: 2010/12/09
時間: 下午 04:04:08
使用者: N/A
電腦: FAMIL
描述:
無回應的應用程式 firefox.exe，版本 1.9.2.3951。無回應的模組 hungapp 版本 0.0.0.0。無回應的位址 0x00000000。

請在 http://go.microsoft.com/fwlink/events.asp 查看說明及支援中心，以取得其他資訊。
資料:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 48 61 6e 67 ion Hang
0010: 20 20 66 69 72 65 66 6f firefo
0018: 78 2e 65 78 65 20 31 2e x.exe 1.
0020: 39 2e 32 2e 33 39 35 31 9.2.3951
0028: 20 69 6e 20 68 75 6e 67 in hung
0030: 61 70 70 20 30 2e 30 2e app 0.0.
0038: 30 2e 30 20 61 74 20 6f 0.0 at o
0040: 66 66 73 65 74 20 30 30 ffset 00
0048: 30 30 30 30 30 30 000000

事件類型: 錯誤
事件來源: Application Hang
事件類別目錄: (101)
事件識別碼: 1002
日期: 2010/11/04
時間: 下午 07:57:51
使用者: N/A
電腦: FAMIL
描述:
無回應的應用程式 BitComet.exe，版本 0.99.1.25。無回應的模組 hungapp 版本 0.0.0.0。無回應的位址 0x00000000。

請在 http://go.microsoft.com/fwlink/events.asp 查看說明及支援中心，以取得其他資訊。
資料:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 48 61 6e 67 ion Hang
0010: 20 20 42 69 74 43 6f 6d BitCom
0018: 65 74 2e 65 78 65 20 30 et.exe 0
0020: 2e 39 39 2e 31 2e 32 35 .99.1.25
0028: 20 69 6e 20 68 75 6e 67 in hung
0030: 61 70 70 20 30 2e 30 2e app 0.0.
0038: 30 2e 30 20 61 74 20 6f 0.0 at o
0040: 66 66 73 65 74 20 30 30 ffset 00
0048: 30 30 30 30 30 30 000000

事件類型: 錯誤
事件來源: Application Hang
事件類別目錄: (101)
事件識別碼: 1002
日期: 2010/10/31
時間: 下午 04:08:04
使用者: N/A
電腦: FAMIL
描述:
無回應的應用程式 WINWORD.EXE，版本 12.0.6545.5000。無回應的模組 hungapp 版本 0.0.0.0。無回應的位址 0x00000000。

請在 http://go.microsoft.com/fwlink/events.asp 查看說明及支援中心，以取得其他資訊。
資料:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 48 61 6e 67 ion Hang
0010: 20 20 57 49 4e 57 4f 52 WINWOR
0018: 44 2e 45 58 45 20 31 32 D.EXE 12
0020: 2e 30 2e 36 35 34 35 2e .0.6545.
0028: 35 30 30 30 20 69 6e 20 5000 in
0030: 68 75 6e 67 61 70 70 20 hungapp
0038: 30 2e 30 2e 30 2e 30 20 0.0.0.0
0040: 61 74 20 6f 66 66 73 65 at offse
0048: 74 20 30 30 30 30 30 30 t 000000
0050: 30 30 00

事件類型: 錯誤
事件來源: Service Control Manager
事件類別目錄: 無
事件識別碼: 7000
日期: 2011/01/01
時間: 下午 01:52:09
使用者: N/A
電腦: FAMIL
描述:
Webroot Client Service 服務無法啟動，因為發生下列錯誤:
系統找不到指定的檔案。

請在 http://go.microsoft.com/fwlink/events.asp 查看說明及支援中心，以取得其他資訊。

事件類型: 錯誤
事件來源: Service Control Manager
事件類別目錄: 無
事件識別碼: 7026
日期: 2011/01/01
時間: 下午 01:52:09
使用者: N/A
電腦: FAMIL
描述:
下列開機啟動或系統啟動驅動程式無法載入:
sptd

請在 http://go.microsoft.com/fwlink/events.asp 查看說明及支援中心，以取得其他資訊。

事件類型: 錯誤
事件來源: Service Control Manager
事件類別目錄: 無
事件識別碼: 7000
日期: 2011/01/01
時間: 下午 01:25:15
使用者: N/A
電腦: FAMIL
描述:
Webroot Client Service 服務無法啟動，因為發生下列錯誤:
系統找不到指定的檔案。

請在 http://go.microsoft.com/fwlink/events.asp 查看說明及支援中心，以取得其他資訊。

事件類型: 錯誤
事件來源: Service Control Manager
事件類別目錄: 無
事件識別碼: 7026
日期: 2011/01/01
時間: 下午 01:25:15
使用者: N/A
電腦: FAMIL
描述:
下列開機啟動或系統啟動驅動程式無法載入:
sptd

請在 http://go.microsoft.com/fwlink/events.asp 查看說明及支援中心，以取得其他資訊。

事件類型: 錯誤
事件來源: Service Control Manager
事件類別目錄: 無
事件識別碼: 7031
日期: 2010/12/31
時間: 下午 09:00:35
使用者: N/A
電腦: FAMIL
描述:
ESET Service 服務意外終止，服務曾完成這項動作 2 次。以下的修正操作將在 0 毫秒內執行: 重新啟動服務。

請在 http://go.microsoft.com/fwlink/events.asp 查看說明及支援中心，以取得其他資訊。

Next time I am going to install OS in english,it would be so much easier