Tech Support Forum > Security Center > HijackThis Log Help > Resolved HJT Threads
Old 04-19-2007, 10:17 PM   #1 (permalink)
Registered User
 
Join Date: Apr 2007
Posts: 35
OS: XP


A very, very infected computer

Hello there everyone, lately my computer's been experiencing issues such as keyloggers for my WoW account, unwanted internet links on the desktop and in favorites, and desktop items and the start menu not loading, so I have to access all my programs through ctrl-alt-del. Also my date is screwed up, reporting that it is 1990 when it is actually 2007. Please help :)



Hijackthis Log:
Logfile of HijackThis v1.99.1
Scan saved at 0:53:08, on 1990-4-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWSC\System32\smss.exe
C:\WINDOWSC\system32\winlogon.exe
C:\WINDOWSC\system32\services.exe
C:\WINDOWSC\system32\lsass.exe
C:\WINDOWSC\system32\Ati2evxx.exe
C:\WINDOWSC\system32\svchost.exe
C:\WINDOWSC\System32\svchost.exe
C:\WINDOWSC\system32\spoolsv.exe
C:\WINDOWSC\system32\Ati2evxx.exe
C:\WINDOWSC\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWSC\ALCXMNTR.EXE
C:\WINDOWSC\mafinss.exe
C:\WINDOWSC\muceess.exe
C:\WINDOWSC\nocafee.exe
C:\WINDOWSC\shualai.exe
C:\WINDOWSC\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\WlanCU.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\WINDOWSC\system32\E584E29C.exe
C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
C:\WINDOWSC\system32\92BF6CB1.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\MSC\mctskshd.exe
C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
C:\WINDOWSC\system32\svchost.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWSC\system32\conime.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\安和邓\桌面\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: (no name) -  - (no file)
O2 - BHO: (no name) - >?22F49-1566-40D3-B43D-077EF739AC32} - (no file)
O2 - BHO: (no name) - ??51D02-7739-43EA-8D9A-1E8AD4327B03} - (no file)
O2 - BHO: (no name) - ??E3B3A-CAB5-4DBC-B940-C7F84D0447D8} - (no file)
O2 - BHO: (no name) - orer - (no file)
O2 - BHO: (no name) - rsion - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: CNNIC 网络工具Drag - {352E3B3A-CAB5-4DBC-B940-C7F84D0447D8} - (no file)
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: (no name) - €>?J - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWSC\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWSC\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWSC\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [AIMPro] "C:\Program Files\AIM\AIM Pro\aimpro.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [IMSCMig] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWSC\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [upxdnd] C:\DOCUME~1\安和邓\LOCALS~1\Temp\upxdnd.exe
O4 - HKLM\..\Run: [mppds] C:\WINDOWSC\mppds.exe
O4 - HKLM\..\Run: [cmdbcs] C:\WINDOWSC\cmdbcs.exe
O4 - HKLM\..\Run: [rupxdnd] C:\DOCUME~1\安和邓\LOCALS~1\Temp\rupxdnd.exe
O4 - HKLM\..\Run: [msccrt] C:\WINDOWSC\msccrt.exe
O4 - HKLM\..\Run: [mafins] C:\WINDOWSC\mafinss.exe /i
O4 - HKLM\..\Run: [mucees] C:\WINDOWSC\muceess.exe /i
O4 - HKLM\..\Run: [nocafee] C:\WINDOWSC\nocafee.exe /i
O4 - HKLM\..\Run: [shualai] C:\WINDOWSC\shualai.exe /i
O4 - HKLM\..\Run: [winform] C:\WINDOWSC\winform.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWSC\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [ek28iy] C:\DOCUME~1\安和邓\LOCALS~1\Temp\rundl132.exe
O4 - HKCU\..\Run: [xr0qx4d96ezssu] C:\DOCUME~1\安和邓\LOCALS~1\Temp\c0nime.exe
O4 - HKCU\..\Run: [crg5efbmx] C:\DOCUME~1\安和邓\LOCALS~1\Temp\cftmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Wireless Configuration Utility HW.32.lnk = ?SystemRoot%\Installer\{BDC88E5A-F47B-4314-AB38-994592E32C95}\NewShortcut1.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 控制台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: 信息检索 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\安和邓\「开始」菜单\程序\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.moove.com
O16 - DPF: {DAFEB281-4743-4E80-83A9-A2BBDA400840} (BlueskyRecorder Class) - http://202.96.140.88/vchat/blueskyrecorder.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: 2136D7EE - Unknown owner - C:\WINDOWSC\system32\2136D7EE.EXE (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWSC\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Task Scheduler (mctskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe
O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: pangu_service_display (pangu_service_svcname) - Unknown owner - C:\WINDOWSC\system32\1003.exe (file missing)
O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
AVG scan
C:\System Volume Information\_restore{CB8F0948-D3C4-470A-97A8-FB34CF298974}\RP69\A0023369.exe -> Backdoor.Agent.ahj : No action taken.
C:\System Volume Information\_restore{CB8F0948-D3C4-470A-97A8-FB34CF298974}\RP69\A0023395.exe -> Backdoor.Agent.ahj : No action taken.
C:\System Volume Information\_restore{CB8F0948-D3C4-470A-97A8-FB34CF298974}\RP69\A0023444.exe -> Backdoor.Agent.ahj : No action taken.
C:\WINDOWSC\system32\92BF6CB1.exe -> Backdoor.Agent.ahj : No action taken.
[1616] C:\WINDOWSC\system32\92BF6CB1.exe -> Backdoor.Agent.ahj : No action taken.
C:\System Volume Information\_restore{CB8F0948-D3C4-470A-97A8-FB34CF298974}\RP69\A0023390.DLL -> Downloader.Delf.bhu : No action taken.
C:\System Volume Information\_restore{CB8F0948-D3C4-470A-97A8-FB34CF298974}\RP69\A0023439.DLL -> Downloader.Delf.bhu : No action taken.
C:\WINDOWSC\system32\C75AA8EA.DLL -> Downloader.Delf.bhu : No action taken.
[1052] C:\WINDOWSC\system32\C75AA8EA.DLL -> Downloader.Delf.bhu : No action taken.
[1228] C:\WINDOWSC\system32\C75AA8EA.DLL -> Downloader.Delf.bhu : No action taken.
[1396] C:\WINDOWSC\system32\C75AA8EA.DLL -> Downloader.Delf.bhu : No action taken.
[1640] C:\WINDOWSC\system32\C75AA8EA.DLL -> Downloader.Delf.bhu : No action taken.
[1652] C:\WINDOWSC\system32\C75AA8EA.DLL -> Downloader.Delf.bhu : No action taken.
[1680] C:\WINDOWSC\system32\C75AA8EA.DLL -> Downloader.Delf.bhu : No action taken.
[1732] C:\WINDOWSC\system32\C75AA8EA.DLL -> Downloader.Delf.bhu : No action taken.
[1740] C:\WINDOWSC\system32\C75AA8EA.DLL -> Downloader.Delf.bhu : No action taken.
[1748] C:\WINDOWSC\system32\C75AA8EA.DLL -> Downloader.Delf.bhu : No action taken.
[1756] C:\WINDOWSC\system32\C75AA8EA.DLL -> Downloader.Delf.bhu : No action taken.
[1780] C:\WINDOWSC\system32\C75AA8EA.DLL -> Downloader.Delf.bhu : No action taken.
[1912] C:\WINDOWSC\system32\C75AA8EA.DLL -> Downloader.Delf.bhu : No action taken.
[1920] C:\WINDOWSC\system32\C75AA8EA.DLL -> Downloader.Delf.bhu : No action taken.
[520] C:\WINDOWSC\system32\C75AA8EA.DLL -> Downloader.Delf.bhu : No action taken.
[544] C:\WINDOWSC\system32\C75AA8EA.DLL -> Downloader.Delf.bhu : No action taken.
[588] C:\WINDOWSC\system32\C75AA8EA.DLL -> Downloader.Delf.bhu : No action taken.
[600] C:\WINDOWSC\system32\C75AA8EA.DLL -> Downloader.Delf.bhu : No action taken.
[752] C:\WINDOWSC\system32\C75AA8EA.DLL -> Downloader.Delf.bhu : No action taken.
[764] C:\WINDOWSC\system32\C75AA8EA.DLL -> Downloader.Delf.bhu : No action taken.
[836] C:\WINDOWSC\system32\C75AA8EA.DLL -> Downloader.Delf.bhu : No action taken.
[904] C:\WINDOWSC\system32\C75AA8EA.DLL -> Downloader.Delf.bhu : No action taken.
[944] C:\WINDOWSC\system32\C75AA8EA.DLL -> Downloader.Delf.bhu : No action taken.
C:\Documents and Settings\安和邓\Local Settings\Temporary Internet Files\Content.IE5\8DUV4XAB\vod3369[3].exe -> Downloader.Small.emi : No action taken.
C:\Documents and Settings\安和邓\Local Settings\Temporary Internet Files\Content.IE5\ONZJESDX\vod3369[2].exe -> Downloader.Small.emi : No action taken.
C:\System Volume Information\_restore{CB8F0948-D3C4-470A-97A8-FB34CF298974}\RP69\A0023408.exe -> Downloader.Small.emi : No action taken.
C:\Documents and Settings\安和邓\Cookies\安和邓@advertising[4].txt -> TrackingCookie.Advertising : No action taken.
C:\Documents and Settings\安和邓\Cookies\安和邓@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\安和邓\Cookies\安和邓@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\安和邓\Cookies\安和邓@revsci[1].txt -> TrackingCookie.Revsci : No action taken.
C:\Documents and Settings\安和邓\Local Settings\Temporary Internet Files\Content.IE5\ONZJESDX\mh0410[1].exe -> Trojan.OnLineGames.es : No action taken.
C:\System Volume Information\_restore{CB8F0948-D3C4-470A-97A8-FB34CF298974}\RP69\A0023337.exe -> Trojan.OnLineGames.es : No action taken.
C:\System Volume Information\_restore{CB8F0948-D3C4-470A-97A8-FB34CF298974}\RP69\A0023382.exe -> Trojan.OnLineGames.es : No action taken.
C:\System Volume Information\_restore{CB8F0948-D3C4-470A-97A8-FB34CF298974}\RP69\A0023411.exe -> Trojan.OnLineGames.es : No action taken.
C:\System Volume Information\_restore{CB8F0948-D3C4-470A-97A8-FB34CF298974}\RP69\A0023448.exe -> Trojan.OnLineGames.es : No action taken.
C:\WINDOWSC\system32\g6404815143.exe -> Trojan.OnLineGames.es : No action taken.
C:\WINDOWSC\winform.exe -> Trojan.OnLineGames.es : No action taken.
C:\Documents and Settings\安和邓\Local Settings\Temporary Internet Files\Content.IE5\UPN4L87Q\wm0411[1].exe -> Trojan.OnLineGames.hu : No action taken.
C:\System Volume Information\_restore{CB8F0948-D3C4-470A-97A8-FB34CF298974}\RP69\A0023341.dll -> Trojan.OnLineGames.mq : No action taken.
C:\System Volume Information\_restore{CB8F0948-D3C4-470A-97A8-FB34CF298974}\RP69\A0023370.dll -> Trojan.OnLineGames.mq : No action taken.
C:\System Volume Information\_restore{CB8F0948-D3C4-470A-97A8-FB34CF298974}\RP69\A0023400.dll -> Trojan.OnLineGames.mq : No action taken.
C:\System Volume Information\_restore{CB8F0948-D3C4-470A-97A8-FB34CF298974}\RP69\A0023436.dll -> Trojan.OnLineGames.mq : No action taken.
C:\WINDOWSC\system32\winform.dll -> Trojan.OnLineGames.mq : No action taken.
[1500] C:\WINDOWSC\system32\winform.dll -> Trojan.OnLineGames.mq : No action taken.
[1796] C:\WINDOWSC\system32\winform.dll -> Trojan.OnLineGames.mq : No action taken.
[3380] C:\WINDOWSC\system32\winform.dll -> Trojan.OnLineGames.mq : No action taken.
[3476] C:\WINDOWSC\system32\winform.dll -> Trojan.OnLineGames.mq : No action taken.


::Report end
realplayaa is offline  
Old 04-20-2007, 05:23 PM   #2 (permalink)
Registered User
 
Join Date: Apr 2007
Posts: 35
OS: XP


Re: A very, very infected computer

Bump..please help :(
realplayaa is offline  
Old 04-20-2007, 06:03 PM   #3 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 21,354
OS: XP


Re: A very, very infected computer

1. Download this file -> http://download.bleepingcomputer.com...a/ComboFix.exe

2. Double click on combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
sUBs is offline  
Old 04-21-2007, 12:51 AM   #4 (permalink)
Registered User
 
Join Date: Apr 2007
Posts: 35
OS: XP


Re: A very, very infected computer

Combo Fix log:
"安和邓" - 05-04-19 21:20:48 Service Pack 2
ComboFix 07-04-21.2V - Running from: C:\Documents and Settings\安和邓\桌面\


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWSC\system32\jdsfdutj.dat
C:\WINDOWSC\system32\cmdbcs.dll
C:\WINDOWSC\system32\mppds.dll
C:\WINDOWSC\system32\msccrt.dll
C:\WINDOWSC\system32\updsffdsg1.exe
C:\WINDOWSC\system32\winform.dll
C:\WINDOWSC\cmdbcs.exe
C:\WINDOWSC\mppds.exe
C:\WINDOWSC\msccrt.exe
C:\WINDOWSC\winform.exe


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\cdnprot
-------\LEGACY_CDNPROT


((((((((((((((((((((((((((((((( Files Created from 2005-03-19 to 2005-04-19 ))))))))))))))))))))))))))))))))))


2005-04-19 20:59 1 --a------ C:\WINDOWSC\system32\index.dat
2005-04-12 12:48 90,112 --a------ C:\WINDOWSC\vqqsdl.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-30 13:04 100952 --a------ C:\WINDOWSC\system32\drivers\Mpfp.sys
2006-10-26 10:56 71496 --a------ C:\WINDOWSC\system32\drivers\mfeavfk.sys
2006-10-26 10:56 35048 --a------ C:\WINDOWSC\system32\drivers\mfesmfk.sys
2006-10-26 10:56 34120 --a------ C:\WINDOWSC\system32\drivers\mfebopk.sys
2006-10-26 10:56 31944 --a------ C:\WINDOWSC\system32\drivers\mferkdk.sys
2006-10-26 10:56 168392 --a------ C:\WINDOWSC\system32\drivers\mfehidk.sys
2006-10-19 11:45 10664 --a------ C:\WINDOWSC\system32\drivers\gan_adapter.sys
2006-09-05 09:03 3968 --a------ C:\WINDOWSC\system32\drivers\AvgAsCln.sys
2005-06-30 05:16 1094848 -ra------ C:\WINDOWSC\system32\drivers\AGRSM.sys
2005-06-07 14:44 1235968 --a------ C:\WINDOWSC\system32\drivers\ati2mtag.sys
2005-04-20 03:00 2317696 -ra------ C:\WINDOWSC\system32\drivers\ALCXWDM.SYS
2005-04-19 14:38 47644 --a------ C:\WINDOWSC\system32\cea746fc.exe
2005-04-19 14:38 12288 --a------ C:\WINDOWSC\system32\shualai.dll
2005-04-19 14:38 12288 --a------ C:\WINDOWSC\system32\nocafee.dll
2005-04-19 14:38 12288 --a------ C:\WINDOWSC\system32\muceess.dll
2005-04-19 14:38 12288 --a------ C:\WINDOWSC\system32\mafinss.dll
2005-04-19 14:36 26240 --a------ C:\WINDOWSC\system32\e584e29c.exe
2005-04-19 14:36 26115 --a------ C:\WINDOWSC\system32\92bf6cb1.exe
2005-04-19 14:35 9401 --a------ C:\WINDOWSC\system32\c75aa8ea.dll
2005-04-19 14:35 39254 --a------ C:\WINDOWSC\system32\cea746fc.dll
2005-04-19 14:35 37172 --a------ C:\WINDOWSC\system32\f8a852f6.dll
2005-04-04 11:52 180224 --a------ C:\WINDOWSC\system32\xvidvfw.dll
2005-04-04 11:35 745472 --a------ C:\WINDOWSC\system32\xvidcore.dll
2005-02-25 01:00 46080 --a------ C:\WINDOWSC\system32\escimgd.dll
2005-02-25 01:00 22016 --a------ C:\WINDOWSC\system32\esccmd.dll
2005-02-24 23:00 29696 --a------ C:\WINDOWSC\system32\escwiad.dll
2005-01-28 13:25 86016 --a------ C:\WINDOWSC\system32\wmpshell.dll
2005-01-28 13:25 8192 --a------ C:\WINDOWSC\system32\asferror.dll
2005-01-28 13:25 484352 --a------ C:\WINDOWSC\system32\audiodev.dll
2005-01-28 13:25 3371008 --a------ C:\WINDOWSC\system32\wmploc.dll
2005-01-28 13:25 315904 --a------ C:\WINDOWSC\system32\mswmdm.dll
2005-01-28 13:25 189440 --a------ C:\WINDOWSC\system32\wmerror.dll
2005-01-28 11:32 895736 --a------ C:\WINDOWSC\system32\wmvdmod.dll
2005-01-28 11:32 774904 --a------ C:\WINDOWSC\system32\wmsdmod.dll
2005-01-28 11:32 413944 --a------ C:\WINDOWSC\system32\wmspdmod.dll
2005-01-28 11:32 396528 --a------ C:\WINDOWSC\system32\wmadmod.dll
2005-01-28 11:32 364784 --a------ C:\WINDOWSC\system32\msscp.dll
2005-01-28 11:32 1218808 --a------ C:\WINDOWSC\system32\wmvadvd.dll
2005-01-28 06:53 940544 --a------ C:\WINDOWSC\system32\wmspdmoe.dll
2005-01-28 06:53 716288 --a------ C:\WINDOWSC\system32\wmadmoe.dll
2005-01-28 06:53 6656 --a------ C:\WINDOWSC\system32\laprxy.dll
2005-01-28 06:53 33792 --a------ C:\WINDOWSC\system32\wmdmps.dll
2005-01-28 06:53 335872 --a------ C:\WINDOWSC\system32\wmdrmdev.dll
2005-01-28 06:53 290816 --a------ C:\WINDOWSC\system32\wmdrmnet.dll
2005-01-28 06:53 282624 --a------ C:\WINDOWSC\system32\wmpdxm.dll
2005-01-28 06:53 28160 --a------ C:\WINDOWSC\system32\wmdmlog.dll
2005-01-28 06:53 25088 --a------ C:\WINDOWSC\system32\mspmsnsv.dll
2005-01-28 06:53 224768 --a------ C:\WINDOWSC\system32\wmasf.dll
2005-01-28 06:53 221184 --a------ C:\WINDOWSC\system32\qasf.dll
2005-01-28 06:53 175104 --a------ C:\WINDOWSC\system32\wmpsrcwp.dll
2005-01-28 06:53 173568 --a------ C:\WINDOWSC\system32\mspmsp.dll
2005-01-28 06:53 164864 --a------ C:\WINDOWSC\system32\cewmdm.dll
2005-01-28 06:53 1594880 --a------ C:\WINDOWSC\system32\wmpencen.dll
2005-01-28 06:53 1512448 --a------ C:\WINDOWSC\system32\wmvadve.dll
2005-01-28 06:53 150016 --a------ C:\WINDOWSC\system32\wmidx.dll
2005-01-28 06:53 135168 --a------ C:\WINDOWSC\system32\wmpasf.dll
2005-01-28 06:53 1119744 --a------ C:\WINDOWSC\system32\wmsdmoe2.dll
2005-01-28 06:53 1027072 --a------ C:\WINDOWSC\system32\wmnetmgr.dll
2005-01-28 06:53 1003008 --a------ C:\WINDOWSC\system32\wmvdmoe2.dll
2005-01-28 06:52 20480 --a------ C:\WINDOWSC\system32\wmpui.dll
2005-01-28 06:52 20480 --a------ C:\WINDOWSC\system32\wmpcore.dll
2005-01-28 06:52 20480 --a------ C:\WINDOWSC\system32\wmpcd.dll
2005-01-27 23:36 66560 --a------ C:\WINDOWSC\system32\wpdmtpus.dll
2005-01-27 23:36 61952 --a------ C:\WINDOWSC\system32\wpdconns.dll
2005-01-27 23:36 47104 --a------ C:\WINDOWSC\system32\uwdf.exe
2005-01-27 23:36 38912 --a------ C:\WINDOWSC\system32\wpd_ci.dll
2005-01-27 23:36 38912 --a------ C:\WINDOWSC\system32\wdfmgr.exe
2005-01-27 23:36 331776 --a------ C:\WINDOWSC\system32\wpdmtpdr.dll
2005-01-27 23:36 331264 --a------ C:\WINDOWSC\system32\wpdsp.dll
2005-01-27 23:36 114176 --a------ C:\WINDOWSC\system32\wpdmtp.dll
2005-01-27 23:36 10752 --a------ C:\WINDOWSC\system32\wpdtrace.dll
2005-01-27 23:35 15872 --a------ C:\WINDOWSC\system32\wdfapi.dll
2005-01-27 23:21 96768 --a------ C:\WINDOWSC\system32\logagent.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670} C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
{4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
{7DB2D5A0-7241-4E79-B68D-6309F01C5231} c:\program files\mcafee\virusscan\scriptcl.dll
{AA58ED58-01DD-4d91-8333-CF10577473F7} c:\program files\google\googletoolbar4.dll
{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IMJPMIG8.1"="\"C:\\WINDOWSC\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINDOWSC\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWSC\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"AIMPro"="\"C:\\Program Files\\AIM\\AIM Pro\\aimpro.exe\""
"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"IMSCMig"="C:\\PROGRA~1\\COMMON~1\\MICROS~1\\IME\\IMSC40A\\IMSCMIG.EXE /Preload"
"MSPY2002"="C:\\WINDOWSC\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"AlcxMonitor"="ALCXMNTR.EXE"
"upxdnd"="C:\\DOCUME~1\\安和邓\\LOCALS~1\\Temp\\upxdnd.exe"
"rupxdnd"="C:\\DOCUME~1\\安和邓\\LOCALS~1\\Temp\\rupxdnd.exe"
"mafins"="C:\\WINDOWSC\\mafinss.exe /i"
"mucees"="C:\\WINDOWSC\\muceess.exe /i"
"nocafee"="C:\\WINDOWSC\\nocafee.exe /i"
"shualai"="C:\\WINDOWSC\\shualai.exe /i"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWSC\\system32\\ctfmon.exe"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_8 -reboot 1"
"ek28iy"="C:\\DOCUME~1\\安和邓\\LOCALS~1\\Temp\\rundl132.exe"
"xr0qx4d96ezssu"="C:\\DOCUME~1\\安和邓\\LOCALS~1\\Temp\\c0nime.exe"
"crg5efbmx"="C:\\DOCUME~1\\安和邓\\LOCALS~1\\Temp\\cftmon.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableClock"=dword:00000000
"NoDispCPL"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=dword:00000000
"NoMultiIE"=dword:00000000
"LWA"=dword:00000000
"LWB"=dword:00000000
"LWC"=dword:00000000
"LWD"=dword:00000000
"LWE"=dword:00000000
"LWF"=dword:00000000
"LWG"=dword:00000000
"LWH"=dword:00000000
"LWI"=dword:00000000
"LWJ"=dword:00000000
"LWK"=dword:00000000
"LWL"=dword:00000000
"LWM"=dword:00000000
"LWN"=dword:00000000
"LWO"=dword:00000000
"LWP"=dword:00000000
"LWQ"=dword:00000000
"LWR"=dword:00000000
"LWS"=dword:00000000
"LWT"=dword:00000000
"LWU"=dword:00000000
"LWV"=dword:00000000
"LWW"=dword:00000000
"LWX"=dword:00000000
"LWY"=dword:00000000
"LWZ"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"66"="C:\\SysDayN6\\svchost.exe"
"333"="C:\\Syswm1i\\svchost.exe"
"50"="C:\\SysAd5D\\svchost.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\MCODS

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
Shell\Auto\command C:\rising.exe
Shell\AutoRun\command C:\WINDOWSC\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL rising.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\H]
Shell\AutoRun\command C:\WINDOWSC\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\I]
Shell\AutoRun\command I:\install\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6d047456-e66a-11da-9b52-0040f4d6fbc0}]
Shell\AutoRun\command Iexplores.exe


Contents of the 'Scheduled Tasks' folder
C:\WINDOWSC\tasks\McDefragTask.job
C:\WINDOWSC\tasks\McQcTask.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2005-04-19 21:28:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 05-04-19 21:29:17
C:\ComboFix-quarantined-files.txt ... 05-04-19 21:29
HJT log
Logfile of HijackThis v1.99.1
Scan saved at 21:31:08, on 2005-4-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWSC\System32\smss.exe
C:\WINDOWSC\system32\winlogon.exe
C:\WINDOWSC\system32\services.exe
C:\WINDOWSC\system32\lsass.exe
C:\WINDOWSC\system32\Ati2evxx.exe
C:\WINDOWSC\system32\svchost.exe
C:\WINDOWSC\System32\svchost.exe
C:\WINDOWSC\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\MSC\mctskshd.exe
C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
C:\WINDOWSC\system32\svchost.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWSC\system32\Ati2evxx.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWSC\Explorer.EXE
C:\WINDOWSC\system32\E584E29C.exe
C:\WINDOWSC\system32\92BF6CB1.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWSC\ALCXMNTR.EXE
C:\WINDOWSC\mafinss.exe
C:\WINDOWSC\muceess.exe
C:\WINDOWSC\nocafee.exe
C:\WINDOWSC\shualai.exe
C:\WINDOWSC\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\WlanCU.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWSC\system32\conime.exe
C:\Documents and Settings\安和邓\桌面\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: (no name) -  - (no file)
O2 - BHO: (no name) - >?22F49-1566-40D3-B43D-077EF739AC32} - (no file)
O2 - BHO: (no name) - ??51D02-7739-43EA-8D9A-1E8AD4327B03} - (no file)
O2 - BHO: (no name) - ??E3B3A-CAB5-4DBC-B940-C7F84D0447D8} - (no file)
O2 - BHO: (no name) - orer - (no file)
O2 - BHO: (no name) - rsion - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: (no name) - €>?J - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWSC\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWSC\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWSC\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [AIMPro] "C:\Program Files\AIM\AIM Pro\aimpro.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [IMSCMig] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWSC\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [upxdnd] C:\DOCUME~1\安和邓\LOCALS~1\Temp\upxdnd.exe
O4 - HKLM\..\Run: [rupxdnd] C:\DOCUME~1\安和邓\LOCALS~1\Temp\rupxdnd.exe
O4 - HKLM\..\Run: [mafins] C:\WINDOWSC\mafinss.exe /i
O4 - HKLM\..\Run: [mucees] C:\WINDOWSC\muceess.exe /i
O4 - HKLM\..\Run: [nocafee] C:\WINDOWSC\nocafee.exe /i
O4 - HKLM\..\Run: [shualai] C:\WINDOWSC\shualai.exe /i
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWSC\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [ek28iy] C:\DOCUME~1\安和邓\LOCALS~1\Temp\rundl132.exe
O4 - HKCU\..\Run: [xr0qx4d96ezssu] C:\DOCUME~1\安和邓\LOCALS~1\Temp\c0nime.exe
O4 - HKCU\..\Run: [crg5efbmx] C:\DOCUME~1\安和邓\LOCALS~1\Temp\cftmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Wireless Configuration Utility HW.32.lnk = ?SystemRoot%\Installer\{BDC88E5A-F47B-4314-AB38-994592E32C95}\NewShortcut1.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 控制台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: 信息检索 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\安和邓\「开始」菜单\程序\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.moove.com
O16 - DPF: {DAFEB281-4743-4E80-83A9-A2BBDA400840} (BlueskyRecorder Class) - http://202.96.140.88/vchat/blueskyrecorder.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: 2136D7EE - Unknown owner - C:\WINDOWSC\system32\2136D7EE.EXE (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWSC\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Task Scheduler (mctskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe
O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: pangu_service_display (pangu_service_svcname) - Unknown owner - C:\WINDOWSC\system32\1003.exe (file missing)
O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe




Proceed please.
Old 04-21-2007, 02:18 AM   #5 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 21,354
OS: XP


Re: A very, very infected computer

Quote:
Combo Fix log:
"安和邓" - 05-04-19 21:20:48 Service Pack 2
ComboFix 07-04-21.2V - Running from: C:\Documents and Settings\安和邓\桌面\
For whatever reasons you may have, please don't play with your computer's clock. It will cause many tools to be confused; resulting in poor performance. Kindly set it back to 2007.


---------------


Before fixing anything, Please download the Suspicious File Packer → http://www.safer-networking.org/files/sfp.zip
Unzip it to the desktop and run it.
Paste the following list of filepaths into the Suspicious File Packer window:

C:\WINDOWSC\vqqsdl.exe
C:\WINDOWSC\system32\cea746fc.exe
C:\WINDOWSC\system32\shualai.dll
C:\WINDOWSC\system32\nocafee.dll
C:\WINDOWSC\system32\muceess.dll
C:\WINDOWSC\system32\mafinss.dll
C:\WINDOWSC\system32\e584e29c.exe
C:\WINDOWSC\system32\92bf6cb1.exe
C:\WINDOWSC\system32\c75aa8ea.dll
C:\WINDOWSC\system32\cea746fc.dll
C:\WINDOWSC\system32\f8a852f6.dll
C:\WINDOWSC\mafinss.exe
C:\WINDOWSC\muceess.exe
C:\WINDOWSC\nocafee.exe
C:\WINDOWSC\shualai.exe
C:\rising.exe
D:\Iexplores.exe
D:\Info.exe
D:\protect.ed
C:\WINDOWSC\system32\Devices2.exe
C:\WINDOWSC\system32\Devicesnt.exe


Allow SFP to pack the files. This will generate a CAB archive on your desktop.
Please submit it to this site → http://www.bleepingcomputer.com/subm....php?channel=4
Please include a link to this topic in the message.


---------------


Read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Save the following instructions in Notepad, as this webpage would not be available when you're carrying out the fix.


---------------


Please download Dr.Web CureIt :
ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe
Save it on the desktop. We shall use it later.

Download KillBox v2.0.0.175.exe (it's important that you get version v2.0.0.175) http://www.greyknight17.com/spy/KillBox.exe

'UNPLUG'/DISCONNECT your computer from the Internet when you have finished downloading.
It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------


Start HiJackThis & go to Config... → Misc.Tools → Delete an NT service
  • In the popup box that appears, copy/paste pangu_service_svcname
  • Click on the OK button & answer No if prompted to reboot
Repeat the above steps for this other service :-
  • 2136D7EE
If the tool requests a reboot, don't do it just yet. We shall do so later.

---------------


Do a HijackThis scan & place a check next to these items and select "Fix checked":

O2 - BHO: (no name) -  - (no file)
O2 - BHO: (no name) - >?22F49-1566-40D3-B43D-077EF739AC32} - (no file)
O2 - BHO: (no name) - ??51D02-7739-43EA-8D9A-1E8AD4327B03} - (no file)
O2 - BHO: (no name) - ??E3B3A-CAB5-4DBC-B940-C7F84D0447D8} - (no file)
O2 - BHO: (no name) - orer - (no file)
O2 - BHO: (no name) - rsion - (no file)
O2 - BHO: (no name) - ?>?J - (no file)
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [upxdnd] C:\DOCUME~1\???\LOCALS~1\Temp\upxdnd.exe
O4 - HKLM\..\Run: [rupxdnd] C:\DOCUME~1\???\LOCALS~1\Temp\rupxdnd.exe
O4 - HKLM\..\Run: [mafins] C:\WINDOWSC\mafinss.exe /i
O4 - HKLM\..\Run: [mucees] C:\WINDOWSC\muceess.exe /i
O4 - HKLM\..\Run: [nocafee] C:\WINDOWSC\nocafee.exe /i
O4 - HKLM\..\Run: [shualai] C:\WINDOWSC\shualai.exe /i
O4 - HKCU\..\Run: [ek28iy] C:\DOCUME~1\???\LOCALS~1\Temp\rundl132.exe
O4 - HKCU\..\Run: [xr0qx4d96ezssu] C:\DOCUME~1\???\LOCALS~1\Temp\c0nime.exe
O4 - HKCU\..\Run: [crg5efbmx] C:\DOCUME~1\???\LOCALS~1\Temp\cftmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O15 - Trusted Zone: *.moove.com
O23 - Service: 2136D7EE - Unknown owner - C:\WINDOWSC\system32\2136D7EE.EXE (file missing)
O23 - Service: pangu_service_display (pangu_service_svcname) - Unknown owner - C:\WINDOWSC\system32\1003.exe (file missing)



---------------


Launch KillBox.exe & select the following options:
  • delete on Reboot
  • All files (if available)




Use your mouse to select all the filenames highlighted in blue & then right-click & select Copy
  • C:\WINDOWSC\system32\index.dat
    C:\WINDOWSC\vqqsdl.exe
    C:\WINDOWSC\system32\cea746fc.exe
    C:\WINDOWSC\system32\shualai.dll
    C:\WINDOWSC\system32\nocafee.dll
    C:\WINDOWSC\system32\muceess.dll
    C:\WINDOWSC\system32\mafinss.dll
    C:\WINDOWSC\system32\e584e29c.exe
    C:\WINDOWSC\system32\92bf6cb1.exe
    C:\WINDOWSC\system32\c75aa8ea.dll
    C:\WINDOWSC\system32\cea746fc.dll
    C:\WINDOWSC\system32\f8a852f6.dll
    C:\WINDOWSC\mafinss.exe
    C:\WINDOWSC\muceess.exe
    C:\WINDOWSC\nocafee.exe
    C:\WINDOWSC\shualai.exe
    C:\rising.exe
    D:\Iexplores.exe
    D:\Info.exe
    D:\protect.ed
    C:\WINDOWSC\system32\Devices2.exe
    C:\WINDOWSC\system32\Devicesnt.exe
* Go to the File menu, and choose Paste from Clipboard
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run - http://www.eudaemonia.me.uk/download...gfilesetup.exe . Then try Killbox again.


---------------


1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the option to run Windows in Safe Mode.


---------------


Go to Start → Control Panel → Add or Remove Programs and uninstall the following programs:
  • ViewPoint
Please note any other programs that you don't recognize in that list in your next response.

---------------


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools → Folder Options → View tab.
  • Tick - 'Show hidden files and folder'
  • Untick - 'Hide file extensions for known types'
  • Untick - 'Hide protected operating system files'
  • Click Yes to confirm & then click OK
Locate and delete the following files/folders: (let me know if you fail to find/delete any)
  • C:\SysDayN6\
    C:\Syswm1i\
    C:\SysAd5D\
    C:\Program Files\Viewpoint

---------------

  • Double-click the cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory; when something is found, click the Yes button when it asks if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found:
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:

    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! It is possible that files in use will only be moved/deleted during the reboot.
  • Post the contents of the log from Dr.Web you saved previously in your next reply.


---------------


Return to Normal Mode & perform an online scan using Internet Explorer at this website - http://www.bitdefender.com/scan8/ie.html
Once finished, click on the Details button to view the results. To the upper right of the results you will see an option saying "Click here to export the scan results", please do so and save them to your desktop. Post the log of the scan results


---------------







Please download this tool > System Repair Engineer
  1. Extract it to its own folder & double-click SREng.exe to run it

  2. Select 'Smart Scan' & tick "Verify Digital Signatures"

  3. Click on the [Scan] button

  4. When finished, click on the [Save Reports] button & save the log to Desktop

  5. Attach the log in your next reply. Don't post it

Note: You may have to rename SREngLog.log to SREngLog.txt before attaching


---------------


In your next post, please include fresh logs from:
  1. Fresh Hijackthis log taken just before replying
  2. SRENG's log
  3. BitDefender's log
  4. Fresh ComboFix log taken just before replying
  5. DrWeb's log
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
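As an added illustration of the triage rules behind the fix list above (example code, not part of the original post or of any tool named in it), this Python script flags HijackThis lines by the same criteria: BHOs with no backing file, Run entries launched from Temp or named one character away from a system process, Trusted Zone additions, ActiveX downloads from a bare IP, and services whose binary is missing. The sample lines are constructed from the thread's log with the profile name replaced by `user`.

```python
import re
from urllib.parse import urlparse

# Legitimate Windows process names that malware imitates with a one-character
# change (the thread's log carries rundl132.exe, c0nime.exe and cftmon.exe).
KNOWN_NAMES = {"ctfmon.exe", "conime.exe", "rundll32.exe", "svchost.exe", "lsass.exe"}

# Constructed sample: lines in the shape of the thread's HJT log, profile name
# replaced by "user"; not the full log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - >?22F49-1566-40D3-B43D-077EF739AC32} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [upxdnd] C:\DOCUME~1\user\LOCALS~1\Temp\upxdnd.exe
O4 - HKCU\..\Run: [ek28iy] C:\DOCUME~1\user\LOCALS~1\Temp\rundl132.exe
O4 - HKCU\..\Run: [crg5efbmx] C:\DOCUME~1\user\LOCALS~1\Temp\cftmon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWSC\system32\ctfmon.exe
O15 - Trusted Zone: *.moove.com
O16 - DPF: {DAFEB281-4743-4E80-83A9-A2BBDA400840} (BlueskyRecorder Class) - http://202.96.140.88/vchat/blueskyrecorder.dll
O23 - Service: 2136D7EE - Unknown owner - C:\WINDOWSC\system32\2136D7EE.EXE (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWSC\system32\Ati2evxx.exe
"""


def osa_distance(a, b):
    # Optimal string alignment distance: edits plus adjacent transpositions,
    # so "cftmon" is one step from "ctfmon" and "rundl132" one from "rundll32".
    d = [[i] + [0] * len(b) for i in range(len(a) + 1)]
    d[0] = list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike(basename):
    # Return the legitimate name this file name imitates, or None.
    name = basename.lower()
    if name in KNOWN_NAMES:
        return None
    for known in KNOWN_NAMES:
        if osa_distance(name, known) == 1:
            return known
    return None


def triage(log_text):
    # Return (line, reason) pairs for entries the fix list above would pick out.
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        if line.startswith("O2 - BHO:") and line.endswith("(no file)"):
            findings.append((line, "BHO registered with no backing file"))
        elif line.startswith("O4 - "):
            m = re.search(r'\]\s*"?([^"]+?\.exe)', line, re.IGNORECASE)
            path = m.group(1) if m else ""
            if re.search(r"\\temp\\", path, re.IGNORECASE):
                findings.append((line, "autostart from a Temp directory"))
            hit = lookalike(path.rsplit("\\", 1)[-1])
            if hit:
                findings.append((line, "autostart name imitates " + hit))
        elif line.startswith("O15 - Trusted Zone:"):
            findings.append((line, "site added to IE Trusted Zone"))
        elif line.startswith("O16 - DPF:"):
            host = urlparse(line.rsplit(" - ", 1)[-1]).hostname or ""
            if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
                findings.append((line, "ActiveX download from a bare IP address"))
        elif line.startswith("O23 - Service:") and "(file missing)" in line:
            findings.append((line, "service whose binary is missing from disk"))
    return findings
```

Calling `triage(SAMPLE_LOG)` returns one pair per reason, so a Temp-launched lookalike such as cftmon.exe is reported twice; the legitimate ctfmon.exe, qttask.exe and ATI service lines produce nothing.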
Old 04-21-2007, 10:39 AM   #6 (permalink)
Registered User
 
Join Date: Apr 2007
Posts: 35
OS: XP


Re: A very, very infected computer

Quote:
also my date is screwed up, reporting that it is 1990 but which is actually 2007. Please help :)
Old 04-21-2007, 10:46 AM   #7 (permalink)
Registered User
 
Join Date: Apr 2007
Posts: 35
OS: XP


Re: A very, very infected computer

Quote:
Start HiJackThis & go to Config... → Misc.Tools → Delete an NT service

* In the popup box that appears, copy/paste pangu_service_svcname
* Click on the OK button & answer No if prompted to reboot

Repeat the above steps for this other service :-

* 2136D7EE

If the tool request to reboot, dont do it just yet. We shall do so later

It says that I haven't disabled pangu_service_svcname yet.
Old 04-21-2007, 10:49 AM   #8 (permalink)
Registered User
 
Join Date: Apr 2007
Posts: 35
OS: XP


Re: A very, very infected computer

Neither is 2136D7EE found in the registry. I will stop for now until I get a response, since I want to do this correctly.
Old 04-21-2007, 10:50 AM   #9 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 21,354
OS: XP


Re: A very, very infected computer

Skip these steps & do this instead ...

Open notepad and copy/paste the text in the quotebox below into it:

Code:
@echo off
rem Remove the two orphaned services by name (sc is the Windows Service Control tool)
sc delete pangu_service_svcname
sc delete 2136D7EE
exit
Save this as fix.bat. Choose "Save as type - All Files".
It should look like this:
Double click on fix.bat & allow it to run
Old 04-21-2007, 11:32 AM   #10 (permalink)
Registered User
 
Join Date: Apr 2007
Posts: 35
OS: XP


Re: A very, very infected computer

And I continue the steps again after doing so?
Old 04-21-2007, 11:54 AM