[SOLVED] Infected with Trojan

YSJR · 10-03-2008, 09:30 AM

Dear expert friends,

My computer has recently been infected. When I logged onto the net, I was automatically redirected to strange websites and could never reach any pages that contained any anti-virus information. My computer was installed with McAfee but it had done nothing. I eventually managed to install the Malwarebytes and killed the Trojans. The problem now is that the download speed seems to be slower than before and the connection is easily lost when I surf on the net. When this happens I will need to turn off the modem and start again. Is my computer still infected? Below is the scan log. Please help!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:45:47 AM, on 10/4/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\OEM02Mon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe
C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\NCH Swift Sound\Recordpad\recordpad.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\3 Mobile\3 Mobile Broadband\3 Mobile Broadband.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
F:\hijackthis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: QQHelper Class - {BF182DBF-1283-4BD3-86EE-D3239228770C} - C:\Program Files\QQ\Africa2003\QQZoneHelper.dll (file missing)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\WINDOWS\OEM02Mon.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [Google IME Autoupdater] "C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe"
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Recordpad] "C:\Program Files\NCH Swift Sound\Recordpad\recordpad.exe" -logon
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Dell Network Assistant.lnk = %SystemRoot%\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B36B8DF-4FFF-4634-AC7E-50E7A90D3E0C}: NameServer = 202.124.68.170 202.124.68.130
O17 - HKLM\System\CCS\Services\Tcpip\..\{D456FAF3-2A6B-4262-9B63-D09EA731EAE8}: NameServer = 203.12.160.35,203.12.160.36
O17 - HKLM\System\CCS\Services\Tcpip\..\{EAD589B6-0372-46B4-868D-B77888B10C97}: NameServer = 203.12.160.35,203.12.160.36
O17 - HKLM\System\CCS\Services\Tcpip\..\{F78C0761-91CA-43D1-A64A-C2AF2AD59DE6}: NameServer = 203.12.160.35,203.12.160.36
O17 - HKLM\System\CS1\Services\Tcpip\..\{0B36B8DF-4FFF-4634-AC7E-50E7A90D3E0C}: NameServer = 202.124.68.170 202.124.68.130
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll
O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: File Replication Service (Ntfrs) - Unknown owner - C:\WINDOWS\system32\ntfrs.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - Unknown owner - C:\WINDOWS\system32\oodag.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

Thanks!

Katana · 10-11-2008, 01:54 PM

Quote:

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly :D

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe

----------------------------------------------------------------------------------------

I apologize for the delay in responding, but as you can probably see the forums are quite busy.
Unfortunately there are far more people needing help than there are helpers.

If you still require help please do the following

Download and Run RSIT

Please download Random's System Information Tool by random/random from here and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open:
- log.txt will be opened maximized.
- info.txt will be opened minimized.
Please post the contents of both log.txt and info.txt.

YSJR · 10-15-2008, 02:06 AM

Dear Katana,

Thanks for your help. I almost gave up.

Here are the contents. Thanks again.

Logfile of random's system information tool 1.04 (written by random/random)
Run by Wai Hung at 2008-10-15 19:00:51
Microsoft Windows XP Professional Service Pack 3
System drive C: has 113 GB (75%) free of 150 GB
Total RAM: 3070 MB (81% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:01:08 PM, on 10/15/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\OEM02Mon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe
C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Wai Hung\Desktop\RSIT.exe
C:\Program Files\trend micro\Wai Hung.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: QQHelper Class - {BF182DBF-1283-4BD3-86EE-D3239228770C} - C:\Program Files\QQ\Africa2003\QQZoneHelper.dll (file missing)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\WINDOWS\OEM02Mon.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [Google IME Autoupdater] "C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe"
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Dell Network Assistant.lnk = %SystemRoot%\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{D456FAF3-2A6B-4262-9B63-D09EA731EAE8}: NameServer = 203.12.160.35,203.12.160.36
O17 - HKLM\System\CCS\Services\Tcpip\..\{EAD589B6-0372-46B4-868D-B77888B10C97}: NameServer = 203.12.160.35,203.12.160.36
O17 - HKLM\System\CCS\Services\Tcpip\..\{F78C0761-91CA-43D1-A64A-C2AF2AD59DE6}: NameServer = 203.12.160.35,203.12.160.36
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: File Replication Service (Ntfrs) - Unknown owner - C:\WINDOWS\system32\ntfrs.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - Unknown owner - C:\WINDOWS\system32\oodag.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 11981 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\McDefragTask.job
C:\WINDOWS\tasks\McQcTask.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll [2003-05-15 50376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}]
RealPlayer Download and Record Plugin for Internet Explorer - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll [2008-09-29 308832]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{377C180E-6F0E-4D4C-980F-F45BD3D40CF4}]
McAfee Phishing Filter - c:\PROGRA~1\mcafee\msk\mcapbho.dll [2007-11-26 324936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - C:\Program Files\McAfee\VirusScan\scriptsn.dll [2007-11-09 58688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2007-09-20 328752]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - c:\program files\google\googletoolbar2.dll [2008-07-17 2403392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
AcroIEToolbarHelper Class - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [2003-05-15 147456]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BF182DBF-1283-4BD3-86EE-D3239228770C}]
QQHelper Class - C:\Program Files\QQ\Africa2003\QQZoneHelper.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}]
CBrowserHelperObject Object - C:\Program Files\BAE\BAE.dll [2007-01-12 98304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [2003-05-15 147456]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar2.dll [2008-07-17 2403392]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2007-06-03 851968]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2007-05-11 8429568]
"nwiz"=nwiz.exe /installquiet []
"NVHotkey"=C:\WINDOWS\system32\nvHotkey.dll [2007-05-11 67584]
"NvMediaCenter"=C:\WINDOWS\system32\NvMCTray.dll [2007-06-06 81920]
"OEM02Mon.exe"=C:\WINDOWS\OEM02Mon.exe [2007-08-28 36864]
"IMJPMIG8.1"=C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [2004-08-04 208952]
"MSPY2002"=C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe [2004-08-04 59392]
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-04 455168]
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-04 455168]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
"IntelZeroConfig"=C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe [2007-07-25 823296]
"IntelWireless"=C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe [2007-07-25 974848]
"DELL Webcam Manager"=C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe [2007-07-27 118784]
"Dell QuickSet"=C:\Program Files\Dell\QuickSet\quickset.exe [2007-05-14 1191936]
"KADxMain"=C:\WINDOWS\system32\KADxMain.exe [2006-11-02 282624]
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe [2006-10-03 221184]
"ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2006-10-03 81920]
""= []
"RoxWatchTray"=C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe [2006-11-05 221184]
"RoxioDragToDisc"=C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe [2006-08-17 1116920]
"mcagent_exe"=C:\Program Files\McAfee.com\Agent\mcagent.exe [2007-08-03 582992]
"dscactivate"=C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe [2007-11-15 16384]
"PCMService"=C:\Program Files\Dell\MediaDirect\PCMService.exe [2007-12-21 184320]
"Google IME Autoupdater"=C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe [2008-08-05 308720]
"Samsung PanelMgr"=C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe [2005-10-31 503808]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-03-28 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-03-30 267048]
"SigmatelSysTrayApp"=C:\WINDOWS\stsystra.exe [2007-05-06 405504]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
Dell Network Assistant.lnk - C:\WINDOWS\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Dell Network Assistant\ezi_hnm2.exe"="C:\Program Files\Dell Network Assistant\ezi_hnm2.exe:*:Enabled:Dell Network Assistant"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Dell\MediaDirect\PCMService.exe"="C:\Program Files\Dell\MediaDirect\PCMService.exe:*:Enabled:CyberLink PowerCinema Resident Program"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Mozilla Firefox"
"C:\Program Files\3 Mobile\3 Mobile Broadband\3 Mobile Broadband.exe"="C:\Program Files\3 Mobile\3 Mobile Broadband\3 Mobile Broadband.exe:*:Enabled:3 Mobile Broadband"
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe"="C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\Documents and Settings\Wai Hung\Desktop\Mahjonggirl\C8HookGame.exe"="C:\Documents and Settings\Wai Hung\Desktop\Mahjonggirl\C8HookGame.exe:*:Disabled:C:\Documents and Settings\Wai Hung\Desktop\Mahjonggirl\C8HookGame.exe"
"C:\Program Files\美女麻将\美女麻将.exe"="C:\Program Files\美女麻将\美女麻将.exe:*:Disabled:C:\PROGRA~1\美女麻将\美女麻将.exe"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\Program Files\BitComet\tools\CometBrowser.exe"="C:\Program Files\BitComet\tools\CometBrowser.exe:*:Disabled:BitComet Resource Browser"
"C:\Program Files\BitComet\BitComet.exe"="C:\Program Files\BitComet\BitComet.exe:*:Disabled:BitCometBeta - a BitTorrent Client"
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Disabled:BitTorrent"
"C:\Program Files\Real\RealPlayer\realplay.exe"="C:\Program Files\Real\RealPlayer\realplay.exe:*:Disabled:RealPlayer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1978580e-3d41-11dd-a0e9-001e4cdce70b}]
shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1978580f-3d41-11dd-a0e9-001e4cdce70b}]
shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{29fd6c55-fa58-11dc-a01f-001d09c1a02d}]
shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a92e16c-0953-11dd-a04d-001d09c1a02d}]
shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a92e16d-0953-11dd-a04d-001d09c1a02d}]
shell\AutoRun\command - G:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3960e02a-69f9-11dd-a18d-001e4cdce70b}]
shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3f18f8c8-621e-11dd-a16d-001e4cdce70b}]
shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{68f6687f-fe38-11dc-a02b-001d09c1a02d}]
shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{68f66880-fe38-11dc-a02b-001d09c1a02d}]
shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9eb4df16-852f-11dd-a1de-001e4cdce70b}]
shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b1ccaf18-36e5-11dd-a0d8-001e4cdce70b}]
shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b1ccaf1a-36e5-11dd-a0d8-001e4cdce70b}]
shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b1ccaf1b-36e5-11dd-a0d8-001e4cdce70b}]
shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b1ccaf1c-36e5-11dd-a0d8-001e4cdce70b}]
shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b1ccaf1d-36e5-11dd-a0d8-001e4cdce70b}]
shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7e15db8-ff1c-11dc-a030-001d09c1a02d}]
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL SysAuto.exe
shell\′ò?a(&O)\command - E:\SysAuto.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c9150259-602d-11dd-a165-001e4cdce70b}]
shell\AutoRun\command - E:\AutoRun.exe

======List of files/folders created in the last 1 months======

2008-10-15 19:00:51 ----D---- C:\rsit
2008-10-15 19:00:51 ----D---- C:\Program Files\trend micro
2008-10-15 17:04:41 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2008-10-15 17:04:35 ----HDC---- C:\WINDOWS\$NtUninstallKB956391$
2008-10-15 17:04:29 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
2008-10-15 17:04:23 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2008-10-15 17:04:11 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2008-10-01 18:20:41 ----A---- C:\WINDOWS\k.txt
2008-09-29 12:48:40 ----D---- C:\Program Files\Common Files\xing shared
2008-09-29 00:02:25 ----D---- C:\Documents and Settings\Wai Hung\Application Data\Recordpad
2008-09-29 00:01:17 ----D---- C:\Documents and Settings\Wai Hung\Application Data\NCH Swift Sound
2008-09-29 00:01:17 ----D---- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-09-29 00:00:26 ----D---- C:\Program Files\NCH Software
2008-09-29 00:00:19 ----D---- C:\Program Files\NCH Swift Sound
2008-09-26 12:59:01 ----D---- C:\WINDOWS\system32\LogFiles
2008-09-20 21:38:57 ----D---- C:\Documents and Settings\Wai Hung\Application Data\Malwarebytes
2008-09-20 21:38:52 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-20 21:38:51 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-19 12:51:30 ----D---- C:\WINDOWS\Minidump
2008-09-18 16:51:11 ----A---- C:\WINDOWS\system32\windows_update.exe

======List of files/folders modified in the last 1 months======

2008-10-15 19:01:01 ----D---- C:\WINDOWS\Temp
2008-10-15 19:00:51 ----RD---- C:\Program Files
2008-10-15 19:00:47 ----D---- C:\WINDOWS\Prefetch
2008-10-15 18:45:49 ----D---- C:\Program Files\Mozilla Firefox
2008-10-15 18:40:39 ----D---- C:\Documents and Settings\Wai Hung\Application Data\AdobeUM
2008-10-15 18:28:08 ----D---- C:\WINDOWS\system32
2008-10-15 18:28:08 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-10-15 18:26:20 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-15 18:26:02 ----D---- C:\WINDOWS
2008-10-15 18:24:19 ----A---- C:\WINDOWS\ModemLog_Bluetooth Modem.txt
2008-10-15 18:24:19 ----A---- C:\WINDOWS\ModemLog_Bluetooth Fax Modem.txt
2008-10-15 18:24:13 ----A---- C:\WINDOWS\ModemLog_Conexant HDA D330 MDC V.92 Modem.txt
2008-10-15 18:22:59 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-10-15 17:04:44 ----HD---- C:\WINDOWS\inf
2008-10-15 17:04:43 ----RSHD---- C:\WINDOWS\system32\dllcache
2008-10-15 17:04:43 ----D---- C:\WINDOWS\system32\drivers
2008-10-15 17:04:40 ----HD---- C:\WINDOWS\$hf_mig$
2008-10-15 17:04:38 ----A---- C:\WINDOWS\imsins.BAK
2008-10-15 17:03:21 ----D---- C:\WINDOWS\system32\CatRoot2
2008-10-15 09:33:08 ----D---- C:\Program Files\McAfee
2008-10-15 00:57:43 ----A---- C:\WINDOWS\ModemLog_HUAWEI Mobile Connect - 3G Modem.txt
2008-10-12 23:32:06 ----A---- C:\WINDOWS\ModemLog_HUAWEI Mobile Connect - 3G Modem #2.txt
2008-10-08 06:19:40 ----A---- C:\WINDOWS\system32\MRT.exe
2008-10-03 22:50:15 ----A---- C:\WINDOWS\cdplayer.ini
2008-09-29 17:42:07 ----D---- C:\WINDOWS\Help
2008-09-29 12:48:40 ----D---- C:\Program Files\Common Files
2008-09-29 12:48:30 ----D---- C:\Program Files\Common Files\Real
2008-09-29 12:48:26 ----A---- C:\WINDOWS\system32\rmoc3260.dll
2008-09-29 12:48:10 ----A---- C:\WINDOWS\system32\pndx5032.dll
2008-09-29 12:48:10 ----A---- C:\WINDOWS\system32\pndx5016.dll
2008-09-29 12:48:04 ----A---- C:\WINDOWS\system32\pncrt.dll
2008-09-26 15:08:19 ----D---- C:\WINDOWS\network diagnostic
2008-09-21 12:47:07 ----D---- C:\Documents and Settings\Wai Hung\Application Data\Mozilla
2008-09-18 16:41:53 ----A---- C:\WINDOWS\ModemLog_HUAWEI Mobile Connect - 3G Modem #3.txt
2008-09-18 15:40:52 ----SD---- C:\Documents and Settings\Wai Hung\Application Data\Microsoft
2008-09-18 14:32:32 ----D---- C:\Program Files\Bonjour

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 APPDRV;APPDRV; C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS [2005-08-12 16128]
R1 DLACDBHM;DLACDBHM; C:\WINDOWS\System32\Drivers\DLACDBHM.SYS [2006-08-11 12920]
R1 DLARTL_M;DLARTL_M; C:\WINDOWS\System32\Drivers\DLARTL_M.SYS [2006-08-11 28184]
R1 FsVga;FsVga; C:\WINDOWS\system32\DRIVERS\fsvga.sys [2004-08-04 12160]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-14 14592]
R1 mfehidk;McAfee Inc. mfehidk; C:\WINDOWS\system32\drivers\mfehidk.sys [2007-11-22 201320]
R1 MPFP;MPFP; C:\WINDOWS\System32\Drivers\Mpfp.sys [2007-07-13 113952]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2008-04-14 8832]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.7.4.0; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2008-04-13 21393]
R2 DLABMFSM;DLABMFSM; C:\WINDOWS\System32\DLA\DLABMFSM.SYS [2006-08-18 35096]
R2 DLABOIOM;DLABOIOM; C:\WINDOWS\System32\DLA\DLABOIOM.SYS [2006-08-18 32472]
R2 DLADResM;DLADResM; C:\WINDOWS\System32\DLA\DLADResM.SYS [2006-08-18 9400]
R2 DLAIFS_M;DLAIFS_M; C:\WINDOWS\System32\DLA\DLAIFS_M.SYS [2006-08-18 104472]
R2 DLAOPIOM;DLAOPIOM; C:\WINDOWS\System32\DLA\DLAOPIOM.SYS [2006-08-18 26008]
R2 DLAPoolM;DLAPoolM; C:\WINDOWS\System32\DLA\DLAPoolM.SYS [2006-08-18 14520]
R2 DLAUDF_M;DLAUDF_M; C:\WINDOWS\System32\DLA\DLAUDF_M.SYS [2006-08-18 97848]
R2 DLAUDFAM;DLAUDFAM; C:\WINDOWS\System32\DLA\DLAUDFAM.SYS [2006-08-18 94648]
R2 DRVNDDM;DRVNDDM; C:\WINDOWS\System32\Drivers\DRVNDDM.SYS [2006-08-11 51768]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2006-06-19 12672]
R2 Packet;Auto Internet Protocol; C:\WINDOWS\system32\DRIVERS\packet.sys [2006-12-18 12672]
R2 rimmptsk;rimmptsk; C:\WINDOWS\system32\DRIVERS\rimmptsk.sys [2007-05-09 32256]
R2 rimsptsk;rimsptsk; C:\WINDOWS\system32\DRIVERS\rimsptsk.sys [2007-05-09 43520]
R2 rismxdp;Ricoh xD-Picture Card Driver; C:\WINDOWS\system32\DRIVERS\rixdptsk.sys [2007-05-09 37376]
R2 s24trans;WLAN Transport; C:\WINDOWS\system32\DRIVERS\s24trans.sys [2007-05-29 12416]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-14 60800]
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys [2006-11-21 45568]
R3 btaudio;Bluetooth Audio Device; C:\WINDOWS\system32\drivers\btaudio.sys [2007-03-22 539072]
R3 BTDriver;Bluetooth Virtual Communications Driver; C:\WINDOWS\system32\DRIVERS\btport.sys [2007-03-22 37424]
R3 BTKRNL;Bluetooth Bus Enumerator; C:\WINDOWS\system32\DRIVERS\btkrnl.sys [2007-03-31 876384]
R3 BTWDNDIS;Bluetooth LAN Access Server; C:\WINDOWS\system32\DRIVERS\btwdndis.sys [2007-03-22 149123]
R3 btwhid;btwhid; C:\WINDOWS\system32\DRIVERS\btwhid.sys [2007-03-31 55352]
R3 btwmodem;Bluetooth Fax Modem; C:\WINDOWS\system32\DRIVERS\btwmodem.sys [2007-03-22 37280]
R3 BTWUSB;WIDCOMM USB Bluetooth Driver; C:\WINDOWS\System32\Drivers\btwusb.sys [2007-03-22 67960]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-14 13952]
R3 DXEC02;DXEC02; C:\WINDOWS\system32\drivers\dxec02.sys [2006-11-02 103168]
R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-01-29 16168]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-14 144384]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
R3 HSF_DPV;HSF_DPV; C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys [2006-11-02 989696]
R3 HSFHWAZL;HSFHWAZL; C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys [2006-11-02 209152]
R3 mfeavfk;McAfee Inc. mfeavfk; C:\WINDOWS\system32\drivers\mfeavfk.sys [2007-11-22 79304]
R3 mfebopk;McAfee Inc. mfebopk; C:\WINDOWS\system32\drivers\mfebopk.sys [2007-11-22 35240]
R3 mfesmfk;McAfee Inc. mfesmfk; C:\WINDOWS\system32\drivers\mfesmfk.sys [2007-12-02 40488]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NETw4x32;Intel(R) Wireless WiFi Link Adapter Driver for Windows XP 32 Bit; C:\WINDOWS\system32\DRIVERS\NETw4x32.sys [2007-08-12 2211456]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-14 61824]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2007-05-11 6345472]
R3 OEM02Dev;Creative Camera OEM002 Driver; C:\WINDOWS\system32\DRIVERS\OEM02Dev.sys [2007-08-28 235520]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver; C:\WINDOWS\system32\DRIVERS\OEM02Vfx.sys [2007-08-28 7424]
R3 sdbus;sdbus; C:\WINDOWS\system32\DRIVERS\sdbus.sys [2008-04-14 79232]
R3 STHDA;SigmaTel High Definition Audio CODEC; C:\WINDOWS\system32\drivers\sthda.sys [2007-05-06 1222840]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2007-06-03 202912]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-14 25856]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 15104]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2006-11-02 730112]
S2 DgiVecp;Team MFP Comm Driver; C:\WINDOWS\System32\Drivers\DgiVecp.sys [2005-08-17 41984]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-14 17024]
S3 E100B;Intel(R) PRO Adapter Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2001-08-17 117760]
S3 hwdatacard;Huawei DataCard USB Modem and USB Serial; C:\WINDOWS\system32\DRIVERS\ewusbmdm.sys [2007-10-27 101120]
S3 mferkdk;McAfee Inc. mferkdk; C:\WINDOWS\system32\drivers\mferkdk.sys [2007-11-22 33832]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-14 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-14 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-14 10880]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-14 11136]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-14 15232]
S3 UIUSys;Conexant Setup API; C:\WINDOWS\system32\DRIVERS\UIUSYS.SYS []
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
S3 usbvideo;USB Video Device (WDM); C:\WINDOWS\System32\Drivers\usbvideo.sys [2008-04-14 121984]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-14 19200]
S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agp440.sys [2008-04-14 42368]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2008-04-14 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\alim1541.sys [2008-04-14 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2008-04-14 43008]
S4 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\DRIVERS\intelide.sys [2008-04-14 5504]
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2008-04-14 40960]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2008-04-14 42240]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-02-18 110592]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2007-07-24 229376]
R2 btwdins;Bluetooth Service; C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe [2007-05-17 260968]
R2 EvtEng;Intel(R) PROSet/Wireless Event Log; C:\Program Files\Intel\Wireless\Bin\EvtEng.exe [2007-07-25 647168]
R2 hnmsvc;Advanced Networking Service; C:\Program Files\Dell Network Assistant\hnm_svc.exe [2007-05-25 112176]
R2 mcmscsvc;McAfee Services; C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [2008-01-09 767976]
R2 McNASvc;McAfee Network Agent; c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe [2008-01-25 2458128]
R2 McProxy;McAfee Proxy Service; c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe [2007-08-15 359248]
R2 McShield;McAfee Real-time Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [2007-07-24 144704]
R2 MpfService;McAfee Personal Firewall Service; C:\Program Files\McAfee\MPF\MPFSrv.exe [2007-07-18 856864]
R2 MSK80Service;McAfee Anti-Spam Service; C:\Program Files\McAfee\MSK\MskSrver.exe [2007-11-26 23880]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2007-06-06 163908]
R2 RegSrvc;Intel(R) PROSet/Wireless Registry Service; C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe [2007-07-25 327680]
R2 S24EventMonitor;Intel(R) PROSet/Wireless Service; C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe [2007-07-25 987136]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
R2 UTSCSI;CLCV0; C:\WINDOWS\system32\UTSCSI.EXE [2008-03-30 45056]
R2 WLANKEEPER;Intel(R) PROSet/Wireless SSO Service; C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe [2007-07-25 294912]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-03-30 504104]
R3 McSysmon;McAfee SystemGuards; C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [2007-12-05 695624]
R3 RoxMediaDB9;RoxMediaDB9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe [2006-11-05 880640]
R3 RoxWatch9;Roxio Hard Drive Watcher 9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe [2006-11-05 159744]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-14 267776]
S2 Ntfrs;File Replication Service; C:\WINDOWS\system32\ntfrs.exe []
S2 O&O Defrag;O&O Defrag; C:\WINDOWS\system32\oodag.exe []
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-07-17 138168]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 McODS;McAfee Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe [2007-11-07 378184]
S3 stllssvr;stllssvr; C:\Program Files\Common Files\SureThing Shared\stllssvr.exe [2006-09-14 73728]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]

-----------------EOF-----------------

info.txt logfile of random's system information tool 1.04 2008-10-15 19:01:10

======Uninstall list======

-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{88564CEF-20A5-4EF2-A05F-309F2EBA9B06}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A1A5BA3E-9ABF-4037-820B-6151022B8ACB}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A82F10CB-18B5-4EAC-AEF2-FA49CD565626}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D5BA7C09-E523-478C-9C37-A1D86C76383E}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F6366726-BA44-4D6A-8ECE-476E2E616AD1}\setup.exe" -l0x9
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
3 Mobile Broadband-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3EAAC5FD-E209-4856-8C49-D4EA40F85032}\setup.exe" -l0x9 -removeonly
Adobe Acrobat 6.0 Standard - ChineseT-->MsiExec.exe /I{AC76BA86-1028-0000-BA7E-000000000001}
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Advanced Audio FX Engine-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{88564CEF-20A5-4EF2-A05F-309F2EBA9B06}\setup.exe" -l0x9 /remove
Advanced Video FX Engine-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D5BA7C09-E523-478C-9C37-A1D86C76383E}\setup.exe" -l0x9 /remove
Apple Mobile Device Support-->MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update-->MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Bonjour-->MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
Broadcom 440x 10/100 Integrated Controller-->MsiExec.exe /X{612B9183-67A9-4B44-9877-2F059E35B86A}
Broadcom Management Programs-->MsiExec.exe /I{C99C0593-3B48-41D9-B42F-6E035B320449}
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Conexant HDA D330 MDC V.92 Modem-->C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2C06&SUBSYS_14F1000F\HXFSETUP.EXE -U -Idel000f5.inf
Dell Network Assistant-->MsiExec.exe /I{0240BDFB-2995-4A3F-8C96-18D41282B716}
Dell Resource CD-->MsiExec.exe /X{42929F0F-CE14-47AF-9FC7-FF297A603021}
Dell Support Center-->MsiExec.exe /X{E3BFEE55-39E2-4BE0-B966-89FE583822C1}
Dell Touchpad-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Dell Webcam Center-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A1A5BA3E-9ABF-4037-820B-6151022B8ACB}\setup.exe" -l0x9 /remove
Dell Webcam Manager-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F6366726-BA44-4D6A-8ECE-476E2E616AD1}\setup.exe" -l0x9 /remove
Digital Line Detect-->C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe -runfromtemp -l0x0009 -removeonly
Express Burn-->C:\Program Files\NCH Swift Sound\ExpressBurn\uninst.exe
Express Rip-->C:\Program Files\NCH Swift Sound\ExpressRip\uninst.exe
Google Toolbar for Internet Explorer-->MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer-->regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
High Definition Audio Driver Package - KB835221-->C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2-->"F:\HijackThis.exe" /uninstall
Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Intel(R) PROSet/Wireless Software-->C:\WINDOWS\Installer\iProInst.exe
IntelliSonic Speech Enhancement-->MsiExec.exe /X{D1B5E9C8-4CCF-44E3-87D6-7C00D7DA5370}
iTunes-->MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
J2SE Runtime Environment 5.0 Update 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java(TM) 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java(TM) 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Laptop Integrated Webcam Driver (1.03.02.0719) -->C:\WINDOWS\CtDrvIns.exe -uninstall -script OEM002.uns -plugin OEM02Pin.dll -pluginres OEM02Pin.crl -nodisconprompt -langid 0x0409
Live! Cam Avatar Creator-->C:\Program Files\InstallShield Installation Information\{65D0C510-D7B6-4438-9FC8-E6B91115AB0D}\setup.exe -runfromtemp -l0x0009 -removeonly /remove
Live! Cam Avatar v1.0-->C:\Program Files\InstallShield Installation Information\{1D5E29AD-39A9-4D0A-A8B6-46A6FCD8C995}\setup.exe -runfromtemp -l0x0009 -removeonly /remove
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
McAfee SecurityCenter-->C:\Program Files\McAfee\MSC\mcuninst.exe
mCore-->MsiExec.exe /I{E81667C6-2856-46D6-ABEA-6A2F42166779}
mDrWiFi-->MsiExec.exe /I{F6090A17-0967-4A8A-B3C3-422A1B514D49}
MediaDirect-->C:\Program Files\InstallShield Installation Information\{9C6978E8-B6D0-4AB7-A7A0-D81A74FBF745}\setup.exe -runfromtemp -l0x0009 -cluninstall
mHlpDell-->MsiExec.exe /I{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office XP Chinese (Simplified) User Interface Pack-->MsiExec.exe /I{901E0804-6000-11D3-8CFE-0050048383C9}
Microsoft Office XP English User Interface Pack-->MsiExec.exe /I{901E0409-6000-11D3-8CFE-0050048383C9}
Microsoft Office XP Media Content-->MsiExec.exe /I{90300C04-6000-11D3-8CFE-0050048383C9}
Microsoft Office XP Professional with FrontPage-->MsiExec.exe /I{90280404-6000-11D3-8CFE-0050048383C9}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
mIWA-->MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mLogView-->MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse-->MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
Modem Diagnostic Tool-->MsiExec.exe /I{F63A3748-B93D-4360-9AD4-B064481A5C7B}
Mozilla Firefox (3.0.1)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
mPfMgr-->MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz-->MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe-->MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
mSCfg-->MsiExec.exe /I{829CD169-E692-48E8-9BDE-A3E8D8B65538}
mSSO-->MsiExec.exe /I{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 6.0 Parser (KB933579)-->MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
mWlsSafe-->MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mWMI-->MsiExec.exe /I{63DB9CCD-2B56-4217-9A3D-507AC78320CA}
mZConfig-->MsiExec.exe /I{94658027-9F16-4509-BBD7-A59FE57C3023}
NetWaiting-->C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe -runfromtemp -l0x0009 -removeonly
NVIDIA Drivers-->C:\WINDOWS\system32\nvudisp.exe UninstallGUI
OutlookAddinSetup-->MsiExec.exe /I{9BDEF074-020E-458D-ADC5-8FF68E0C9B56}
QuickSet-->C:\Program Files\InstallShield Installation Information\{C5074CC4-0E26-4716-A307-960272A90040}\setup.exe -runfromtemp -l0x0009 APPDRVNT4 -removeonly
QuickTime-->MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
Readiris Pro 10-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{14D08502-FEE4-40E5-90D3-8A967A1D8BA2}\setup.exe" -l0x9
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Roxio Creator Audio-->MsiExec.exe /I{83FFCFC7-88C6-41c6-8752-958A45325C82}
Roxio Creator BDAV Plugin-->MsiExec.exe /I{880AF49C-34F7-4285-A8AD-8F7A3D1C33DC}
Roxio Creator Copy-->MsiExec.exe /I{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}
Roxio Creator Data-->MsiExec.exe /I{0D397393-9B50-4c52-84D5-77E344289F87}
Roxio Creator DE-->MsiExec.exe /I{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}
Roxio Creator Tools-->MsiExec.exe /I{0394CDC8-FABD-4ed8-B104-03393876DFDF}
Roxio Drag-to-Disc-->MsiExec.exe /I{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}
Roxio Express Labeler-->MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Roxio MyDVD DE-->MsiExec.exe /I{D639085F-4B6E-4105-9F37-A0DBB023E2FB}
Roxio Update Manager-->MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Samsung SCX-4200 Series-->C:\Program Files\Samsung\Samsung SCX-4200 Series\Install\Setup.exe /R
Security Update for Step By Step Interactive Training (KB923723)-->"C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
SigmaTel Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
SmarThru 4-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{90F1943D-EA4A-4460-B59F-30023F3BA69A}\Setup.exe" -l0x9 uninstall -l0009
Sonic Activation Module-->MsiExec.exe /I{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}
Switch Sound File Converter-->C:\Program Files\NCH Swift Sound\Switch\uninst.exe
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
URL Assistant-->regsvr32 /u /s "C:\Program Files\BAE\BAE.dll"
WavePad Sound Editor-->C:\Program Files\NCH Swift Sound\WavePad\uninst.exe
WIDCOMM Bluetooth Software-->MsiExec.exe /X{84814E6B-2581-46EC-926A-823BD1C670F6}
Windows Driver Package - Ricoh Company (rimsptsk) hdc (11/14/2006 6.00.01.04)-->C:\PROGRA~1\DIFX\7B44739871F4D539FA473F57A832EA4B6A59EF06\dpinst.exe /us C:\PROGRA~1\DIFX\UninstallScripts\4569969E1360D2854474C661EF9B4D54F143EB16
Windows Live installer-->MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger-->MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant-->MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
思佳围棋 3.3.7-->C:\Program Files\思佳围棋\uninst.exe
美女麻将-->C:\PROGRA~1\美女麻将\UNWISE.EXE C:\PROGRA~1\美女麻将\INSTALL.LOG
美眉麻将 -->C:\Program Files\MMMJ\uninst.exe
谷歌拼音输入法-->"C:\Program Files\Google\Google Pinyin\Uninstall.exe"

======Security center information======

AV: McAfee VirusScan
FW: McAfee Personal Firewall

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 13, GenuineIntel
"PROCESSOR_REVISION"=0f0d
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"RoxioCentral"=C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\
"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip

-----------------EOF-----------------

Katana · 10-15-2008, 02:50 AM

Step 1

Flash Disinfector by sUBs
Please download Flash_Disinfector.exe by sUBs and save it to your desktop:

* Double-click Flash_Disinfector.exe to run it.
* Follow any prompts that may appear.
* Wait until the program has finished scanning, then please exit the program.
The tool may ask you to insert your flash drive, or other removable drives. Please do so and allow the tool to clean it up as well.

Please restart your computer.

----------------------------------------------------------- -----------------------------------------------------------
Step 2

Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

----------------------------------------------------------- -----------------------------------------------------------
Step 3

Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/par...avwebscan.html

Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

**Note**

To optimize scanning time and produce a more sensible report for review:

Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

----------------------------------------------------------- -----------------------------------------------------------
Step 4

Remove Programs

Now click Start---Control Panel. Double click Add or Remove Programs (XP) / Programs and Features (Vista) . If any of the following programs are listed there,
click on the program to highlight it, and click on remove.

J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 5

Now close the Control Panel.

----------------------------------------------------------- -----------------------------------------------------------
Step 5

Logs/Information to Post in Reply
Please post the following logs/Information in your reply

ComboFix Log
Kaspersky Log
How are things running now ?

YSJR · 10-19-2008, 05:46 AM

Dear Katana,

All steps done. Below is the ComboFix log. Kaspersky says no threats. The internet connection is still interrupted once in a while but seems to be much improved.
Thanks.

ComboFix 08-10-15.05 - Wai Hung 2008-10-16 17:01:16.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.936.86.1033.18.2479 [GMT 11:00]
执行位置: C:\Documents and Settings\Wai Hung\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Wai Hung\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* 成功创造新还原点
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( 被删除的档案 )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\k.txt
C:\WINDOWS\system32\m.ico
C:\WINDOWS\system32\p.ico
C:\WINDOWS\system32\s.ico
C:\WINDOWS\system32\windows_update.exe

.
((((((((((((((((((((((((((((((((((((((( 驱动/服务 )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PACKET
-------\Legacy_TDSSSERV
-------\Service_Packet
-------\Service_TDSSserv

((((((((((((((((((((((((( 2008-09-16 至 2008-10-16 的新的档案 )))))))))))))))))))))))))))))))
.

2008-10-15 19:00 . 2008-10-15 19:01 <DIR> d-------- C:\rsit
2008-10-15 19:00 . 2008-10-15 19:01 <DIR> d-------- C:\Program Files\trend micro
2008-10-15 17:00 . 2008-08-14 21:11 2,189,184 --------- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-15 17:00 . 2008-08-14 21:09 2,145,280 --------- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-15 17:00 . 2008-08-14 20:33 2,066,048 --------- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-15 17:00 . 2008-08-14 20:33 2,023,936 --------- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-15 17:00 . 2008-09-15 23:12 1,846,400 --------- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-15 17:00 . 2008-09-08 21:41 333,824 --------- C:\WINDOWS\system32\dllcache\srv.sys
2008-09-29 12:48 . 2008-09-29 12:48 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-09-29 00:02 . 2008-09-29 00:02 <DIR> d-------- C:\Documents and Settings\Wai Hung\Application Data\Recordpad
2008-09-29 00:01 . 2008-09-29 00:02 <DIR> d-------- C:\Documents and Settings\Wai Hung\Application Data\NCH Swift Sound
2008-09-29 00:01 . 2008-09-29 00:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-09-29 00:00 . 2008-10-09 10:29 <DIR> d-------- C:\Program Files\NCH Swift Sound
2008-09-29 00:00 . 2008-09-29 00:00 <DIR> d-------- C:\Program Files\NCH Software
2008-09-26 12:59 . 2008-09-26 12:59 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-09-20 22:24 . 2008-10-12 15:02 <DIR> d-------- C:\Documents and Settings\Wai Hung\.housecall6.6
2008-09-20 21:38 . 2008-10-07 20:59 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-20 21:38 . 2008-09-20 21:38 <DIR> d-------- C:\Documents and Settings\Wai Hung\Application Data\Malwarebytes
2008-09-20 21:38 . 2008-09-20 21:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-20 21:38 . 2008-09-10 01:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-20 21:38 . 2008-09-10 01:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-16 06:05 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-15 07:40 --------- d-----w C:\Documents and Settings\Wai Hung\Application Data\AdobeUM
2008-10-14 22:33 --------- d-----w C:\Program Files\McAfee
2008-09-29 06:32 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Roxio
2008-09-29 01:48 --------- d-----w C:\Program Files\Common Files\Real
2008-09-19 02:07 84,624 ----a-w C:\Documents and Settings\Wai Hung\Application Data\GDIPFONTCACHEV1.DAT
2008-09-18 03:32 --------- d-----w C:\Program Files\Bonjour
2008-09-15 12:12 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-08-14 10:09 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 10:04 138,496 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-08-14 09:33 2,023,936 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-07-18 12:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-18 12:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 12:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 12:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-18 12:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 12:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 12:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2008-07-18 12:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 12:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-18 12:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 12:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-18 12:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 12:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-18 12:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 12:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-18 12:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 12:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-01-15 19:52 76 --sh--r C:\WINDOWS\CT4CET.bin
.

((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-03 851968]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-05-11 8429568]
"OEM02Mon.exe"="C:\WINDOWS\OEM02Mon.exe" [2007-08-28 36864]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]
"DELL Webcam Manager"="C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936]
"KADxMain"="C:\WINDOWS\system32\KADxMain.exe" [2006-11-02 282624]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 582992]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"PCMService"="C:\Program Files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]
"Google IME Autoupdater"="C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe" [2008-08-05 308720]
"Samsung PanelMgr"="C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe" [2005-10-31 503808]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"nwiz"="nwiz.exe" [2007-05-11 C:\WINDOWS\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [2007-05-11 C:\WINDOWS\system32\nvhotkey.dll]
"NvMediaCenter"="NvMCTray.dll" [2007-06-06 C:\WINDOWS\system32\nvmctray.dll]
"SigmatelSysTrayApp"="stsystra.exe" [2007-05-06 C:\WINDOWS\stsystra.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-05-17 568176]
Dell Network Assistant.lnk - C:\WINDOWS\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2008-01-16 7168]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2008-01-16 50688]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\3 Mobile\\3 Mobile Broadband\\3 Mobile Broadband.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\美女麻将\\美女麻将.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\?à???é??\\?à???é??.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
"26406:TCP"= 26406:TCP:*:Disabled:BitCometBeta 26406 TCP
"26406:UDP"= 26406:UDP:*:Disabled:BitCometBeta 26406 UDP
"8949:TCP"= 8949:TCP:*:Disabled:BitCometBeta 8949 TCP
"8949:UDP"= 8949:UDP:*:Disabled:BitCometBeta 8949 UDP
"14335:TCP"= 14335:TCP:*:Disabled:BitCometBeta 14335 TCP
"14335:UDP"= 14335:UDP:*:Disabled:BitCometBeta 14335 UDP
"26829:TCP"= 26829:TCP:*:Disabled:BitCometBeta 26829 TCP
"26829:UDP"= 26829:UDP:*:Disabled:BitCometBeta 26829 UDP
"14568:TCP"= 14568:TCP:*:Disabled:BitCometBeta 14568 TCP
"14568:UDP"= 14568:UDP:*:Disabled:BitCometBeta 14568 UDP
"8396:TCP"= 8396:TCP:*:Disabled:BitCometBeta 8396 TCP
"8396:UDP"= 8396:UDP:*:Disabled:BitCometBeta 8396 UDP
"11839:TCP"= 11839:TCP:*:Disabled:BitCometBeta 11839 TCP
"11839:UDP"= 11839:UDP:*:Disabled:BitCometBeta 11839 UDP
"6881:TCP"= 6881:TCP:*:Disabled:BT1
"6882:TCP"= 6882:TCP:*:Disabled:BT2
"6883:TCP"= 6883:TCP:*:Disabled:BT3
"6884:TCP"= 6884:TCP:*:Disabled:BT4
"6885:TCP"= 6885:TCP:*:Disabled:BT5
"6886:TCP"= 6886:TCP:*:Disabled:BT6
"6887:TCP"= 6887:TCP:*:Disabled:BT7
"6888:TCP"= 6888:TCP:*:Disabled:BT8
"6889:TCP"= 6889:TCP:*:Disabled:BT9
"6881:UDP"= 6881:UDP:*:Disabled:BT1a
"6882:UDP"= 6882:UDP:*:Disabled:BT2a
"6883:UDP"= 6883:UDP:*:Disabled:BT3
"6884:UDP"= 6884:UDP:*:Disabled:BT4
"6885:UDP"= 6885:UDP:*:Disabled:BT5
"6886:UDP"= 6886:UDP:*:Disabled:BT6
"6887:UDP"= 6887:UDP:*:Disabled:BT7
"6888:UDP"= 6888:UDP:*:Disabled:BT8
"6889:UDP"= 6889:UDP:*:Disabled:BT9
"7975:TCP"= 7975:TCP:*:Disabled:BitCometBeta 7975 TCP
"7975:UDP"= 7975:UDP:*:Disabled:BitCometBeta 7975 UDP
"15953:TCP"= 15953:TCP:*:Disabled:BitCometBeta 15953 TCP
"15953:UDP"= 15953:UDP:*:Disabled:BitCometBeta 15953 UDP
"10509:TCP"= 10509:TCP:*:Disabled:BitCometBeta 10509 TCP
"10509:UDP"= 10509:UDP:*:Disabled:BitCometBeta 10509 UDP
"9300:TCP"= 9300:TCP:*:Disabled:BitCometBeta 9300 TCP
"9300:UDP"= 9300:UDP:*:Disabled:BitCometBeta 9300 UDP
"20952:TCP"= 20952:TCP:*:Disabled:BitCometBeta 20952 TCP
"20952:UDP"= 20952:UDP:*:Disabled:BitCometBeta 20952 UDP
"23593:TCP"= 23593:TCP:*:Disabled:BitCometBeta 23593 TCP
"23593:UDP"= 23593:UDP:*:Disabled:BitCometBeta 23593 UDP
"10181:TCP"= 10181:TCP:*:Disabled:BitCometBeta 10181 TCP
"10181:UDP"= 10181:UDP:*:Disabled:BitCometBeta 10181 UDP
"23813:TCP"= 23813:TCP:*:Disabled:BitCometBeta 23813 TCP
"23813:UDP"= 23813:UDP:*:Disabled:BitCometBeta 23813 UDP
"24551:TCP"= 24551:TCP:*:Disabled:BitCometBeta 24551 TCP
"24551:UDP"= 24551:UDP:*:Disabled:BitCometBeta 24551 UDP
"19585:TCP"= 19585:TCP:*:Disabled:BitCometBeta 19585 TCP
"19585:UDP"= 19585:UDP:*:Disabled:BitCometBeta 19585 UDP
"60000:TCP"= 60000:TCP:*:Disabled:BitCometBeta 60000 TCP
"60000:UDP"= 60000:UDP:*:Disabled:BitCometBeta 60000 UDP

R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-11 28184]
R3 OEM02Dev;Creative Camera OEM002 Driver;C:\WINDOWS\system32\DRIVERS\OEM02Dev.sys [2007-08-28 235520]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;C:\WINDOWS\system32\DRIVERS\OEM02Vfx.sys [2007-08-28 7424]
S0 vqdtdkez;vqdtdkez;C:\WINDOWS\system32\drivers\vcwnletv.sys [ ]
S2 Ntfrs;File Replication Service;C:\WINDOWS\system32\ntfrs.exe [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1978580e-3d41-11dd-a0e9-001e4cdce70b}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1978580f-3d41-11dd-a0e9-001e4cdce70b}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{29fd6c55-fa58-11dc-a01f-001d09c1a02d}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a92e16c-0953-11dd-a04d-001d09c1a02d}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a92e16d-0953-11dd-a04d-001d09c1a02d}]
\Shell\AutoRun\command - G:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3960e02a-69f9-11dd-a18d-001e4cdce70b}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3f18f8c8-621e-11dd-a16d-001e4cdce70b}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{68f6687f-fe38-11dc-a02b-001d09c1a02d}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{68f66880-fe38-11dc-a02b-001d09c1a02d}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9eb4df16-852f-11dd-a1de-001e4cdce70b}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b1ccaf18-36e5-11dd-a0d8-001e4cdce70b}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b1ccaf1a-36e5-11dd-a0d8-001e4cdce70b}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b1ccaf1b-36e5-11dd-a0d8-001e4cdce70b}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b1ccaf1c-36e5-11dd-a0d8-001e4cdce70b}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b1ccaf1d-36e5-11dd-a0d8-001e4cdce70b}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7e15db8-ff1c-11dc-a030-001d09c1a02d}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL SysAuto.exe
\Shell\′ò?a(&O)\command - E:\SysAuto.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c9150259-602d-11dd-a165-001e4cdce70b}]
\Shell\AutoRun\command - E:\AutoRun.exe
.
‘计划任务’ 文件夹里的内容

2008-05-14 C:\WINDOWS\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 14:32]

2008-08-31 C:\WINDOWS\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 14:32]
.
.
------- 而外的扫描 -------
.
FireFox -: Profile - C:\Documents and Settings\Wai Hung\Application Data\Mozilla\Firefox\Profiles\5jcbqwcp.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.ec-clinic.com/
FF -: plugin - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\browser\nppdf32.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-16 17:05:32
Windows 5.1.2600 Service Pack 3 NTFS

扫描被隐藏的进程。。。 ...

扫描被隐藏的启动组。。。

扫描被隐藏的文件。。。

扫描完成
被隐藏的档案: 0

**************************************************************************
.
--------------------- 运行进程下的动态链接库 ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\nview.dll
.
------------------------ 其他运行进程 ------------------------
.
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\McAfee\MSK\msksrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
.
**************************************************************************
.
完成时间: 2008-10-16 17:10:06 - 电脑已重新启动
ComboFix-quarantined-files.txt 2008-10-16 06:10:00

Pre-Run: 118,340,354,048 bytes free
Post-Run: 118,407,192,576 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

314 --- E O F --- 2008-10-15 06:04:45

Katana · 10-19-2008, 07:52 AM

Custom CFScript

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

Code:

Driver::
vqdtdkez
Ntfrs
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"=-
"ISUSPM Startup"=-
"ISUSScheduler"=-

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26406:TCP"=-
"26406:UDP"=-
"8949:TCP"=-
"8949:UDP"=-
"14335:TCP"=-
"14335:UDP"=-
"26829:TCP"=-
"26829:UDP"=-
"14568:TCP"=-
"14568:UDP"=-
"8396:TCP"=-
"8396:UDP"=-
"11839:TCP"=-
"11839:UDP"=-
"6881:TCP"=-
"6882:TCP"=-
"6883:TCP"=-
"6884:TCP"=-
"6885:TCP"=-
"6886:TCP"=-
"6887:TCP"=-
"6888:TCP"=-
"6889:TCP"=-
"6881:UDP"=-
"6882:UDP"=-
"6883:UDP"=-
"6884:UDP"=-
"6885:UDP"=-
"6886:UDP"=-
"6887:UDP"=-
"6888:UDP"=-
"6889:UDP"=-
"7975:TCP"=-
"7975:UDP"=-
"15953:TCP"=-
"15953:UDP"=-
"10509:TCP"=-
"10509:UDP"=-
"9300:TCP"=-
"9300:UDP"=-
"20952:TCP"=-
"20952:UDP"=-
"23593:TCP"=-
"23593:UDP"=-
"10181:TCP"=-
"10181:UDP"=-
"23813:TCP"=-
"23813:UDP"=-
"24551:TCP"=-
"24551:UDP"=-
"19585:TCP"=-
"19585:UDP"=-
"60000:TCP"=-
"60000:UDP"=-

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1978580e-3d41-11dd-a0e9-001e4cdce70b}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1978580f-3d41-11dd-a0e9-001e4cdce70b}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{29fd6c55-fa58-11dc-a01f-001d09c1a02d}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a92e16c-0953-11dd-a04d-001d09c1a02d}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a92e16d-0953-11dd-a04d-001d09c1a02d}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3960e02a-69f9-11dd-a18d-001e4cdce70b}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3f18f8c8-621e-11dd-a16d-001e4cdce70b}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{68f6687f-fe38-11dc-a02b-001d09c1a02d}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{68f66880-fe38-11dc-a02b-001d09c1a02d}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9eb4df16-852f-11dd-a1de-001e4cdce70b}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b1ccaf18-36e5-11dd-a0d8-001e4cdce70b}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b1ccaf1a-36e5-11dd-a0d8-001e4cdce70b}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b1ccaf1b-36e5-11dd-a0d8-001e4cdce70b}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b1ccaf1c-36e5-11dd-a0d8-001e4cdce70b}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b1ccaf1d-36e5-11dd-a0d8-001e4cdce70b}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7e15db8-ff1c-11dc-a030-001d09c1a02d}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c9150259-602d-11dd-a165-001e4cdce70b}]

Save this as CFScript.txt and place it on your desktop.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

Active Scan
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Please go to this site Link >> ActiveScan << LINK

Click the Scan Now button
Follow the prompts to install the Active X if necessary
Go and make a cup of tea/coffee/beverage of your choice and watch some TV :)
When the scan is finished, a report will be generated
Next to Scan Details click the small Save button and save the report to your desktop.
Please post the report in your reply.

YSJR · 10-21-2008, 10:59 PM

Dear Katana,

Here are the logs, thanks.

ComboFix 08-10-15.05 - Wai Hung 2008-10-22 12:01:46.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.936.86.1033.18.2475 [GMT 11:00]
执行位置: C:\Documents and Settings\Wai Hung\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Wai Hung\Desktop\CFScript.txt
* 成功创造新还原点
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( 被删除的档案 )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( 驱动/服务 )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NTFRS
-------\Legacy_PACKET
-------\Legacy_TDSSSERV
-------\Service_Ntfrs
-------\Service_vqdtdkez

((((((((((((((((((((((((( 2008-09-22 至 2008-10-22 的新的档案 )))))))))))))))))))))))))))))))
.

2008-10-15 19:00 . 2008-10-15 19:01 <DIR> d-------- C:\rsit
2008-10-15 19:00 . 2008-10-15 19:01 <DIR> d-------- C:\Program Files\trend micro
2008-10-15 17:00 . 2008-08-14 21:11 2,189,184 --------- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-15 17:00 . 2008-08-14 21:09 2,145,280 --------- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-15 17:00 . 2008-08-14 20:33 2,066,048 --------- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-15 17:00 . 2008-08-14 20:33 2,023,936 --------- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-15 17:00 . 2008-09-15 23:12 1,846,400 --------- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-15 17:00 . 2008-09-08 21:41 333,824 --------- C:\WINDOWS\system32\dllcache\srv.sys
2008-09-29 12:48 . 2008-09-29 12:48 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-09-29 00:02 . 2008-09-29 00:02 <DIR> d-------- C:\Documents and Settings\Wai Hung\Application Data\Recordpad
2008-09-29 00:01 . 2008-09-29 00:02 <DIR> d-------- C:\Documents and Settings\Wai Hung\Application Data\NCH Swift Sound
2008-09-29 00:01 . 2008-09-29 00:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-09-29 00:00 . 2008-10-09 10:29 <DIR> d-------- C:\Program Files\NCH Swift Sound
2008-09-29 00:00 . 2008-09-29 00:00 <DIR> d-------- C:\Program Files\NCH Software
2008-09-26 12:59 . 2008-09-26 12:59 <DIR> d-------- C:\WINDOWS\system32\LogFiles

.
(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-22 01:06 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-21 10:49 --------- d-----w C:\Program Files\McAfee
2008-10-17 01:44 --------- d-----w C:\Program Files\Java
2008-10-15 07:40 --------- d-----w C:\Documents and Settings\Wai Hung\Application Data\AdobeUM
2008-10-07 09:59 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-09-29 06:32 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Roxio
2008-09-29 01:48 --------- d-----w C:\Program Files\Common Files\Real
2008-09-20 10:38 --------- d-----w C:\Documents and Settings\Wai Hung\Application Data\Malwarebytes
2008-09-20 10:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-19 02:07 84,624 ----a-w C:\Documents and Settings\Wai Hung\Application Data\GDIPFONTCACHEV1.DAT
2008-09-18 03:32 --------- d-----w C:\Program Files\Bonjour
2008-09-15 12:12 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-09 14:04 38,528 ----a-w C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-09 14:03 17,200 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-08-14 10:09 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 10:04 138,496 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-08-14 09:33 2,023,936 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-01-15 19:52 76 --sh--r C:\WINDOWS\CT4CET.bin
.

((((((((((((((((((((((((((((( snapshot@2008-10-16_17.09.37.65 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-10-16 03:35:54 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-10-21 22:38:28 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-10-16 03:35:54 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-10-21 22:38:28 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-03 851968]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-05-11 8429568]
"OEM02Mon.exe"="C:\WINDOWS\OEM02Mon.exe" [2007-08-28 36864]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]
"DELL Webcam Manager"="C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936]
"KADxMain"="C:\WINDOWS\system32\KADxMain.exe" [2006-11-02 282624]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 582992]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"PCMService"="C:\Program Files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]
"Google IME Autoupdater"="C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe" [2008-08-05 308720]
"Samsung PanelMgr"="C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe" [2005-10-31 503808]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"nwiz"="nwiz.exe" [2007-05-11 C:\WINDOWS\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [2007-05-11 C:\WINDOWS\system32\nvhotkey.dll]
"NvMediaCenter"="NvMCTray.dll" [2007-06-06 C:\WINDOWS\system32\nvmctray.dll]
"SigmatelSysTrayApp"="stsystra.exe" [2007-05-06 C:\WINDOWS\stsystra.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-05-17 568176]
Dell Network Assistant.lnk - C:\WINDOWS\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2008-01-16 7168]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2008-01-16 50688]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\3 Mobile\\3 Mobile Broadband\\3 Mobile Broadband.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\美女麻将\\美女麻将.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\?à???é??\\?à???é??.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC

R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-11 28184]
R3 OEM02Dev;Creative Camera OEM002 Driver;C:\WINDOWS\system32\DRIVERS\OEM02Dev.sys [2007-08-28 235520]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;C:\WINDOWS\system32\DRIVERS\OEM02Vfx.sys [2007-08-28 7424]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{943cef6d-6935-11dd-a189-001e4cdce70b}]
\Shell\AutoRun\command - E:\AutoRun.exe
.
‘计划任务’ 文件夹里的内容

2008-05-14 C:\WINDOWS\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 14:32]

2008-08-31 C:\WINDOWS\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 14:32]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-22 12

35
Windows 5.1.2600 Service Pack 3 NTFS

扫描被隐藏的进程。。。 ...

扫描被隐藏的启动组。。。

扫描被隐藏的文件。。。

扫描完成
被隐藏的档案: 0

**************************************************************************
.
--------------------- 运行进程下的动态链接库 ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\nview.dll
.
------------------------ 其他运行进程 ------------------------
.
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\McAfee\MSK\msksrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
.
**************************************************************************
.
完成时间: 2008-10-22 12:11:08 - 电脑已重新启动
ComboFix-quarantined-files.txt 2008-10-22 01:11:02
ComboFix2.txt 2008-10-16 06:10:08

Pre-Run: 118,417,354,752 bytes free
Post-Run: 118,457,208,832 bytes free

194 --- E O F --- 2008-10-15 06:04:45

AND THE SCAN LOG:

ANALYSIS: 2008-10-22 15:37:51
PROTECTIONS: 2
MALWARE: 11
SUSPECTS: 1
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
McAfee Internet Security Suite 2007 8.1 No Yes
McAfee VirusScan Plus 12.1 No No
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00034347 dialer.su Dialers No 0 Yes No hkey_local_machine\software\microsoft\windows\currentversion\uninstall\switch
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Wai Hung\Cookies\wai_hung@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Wai Hung\Cookies\wai_hung@atdmt[2].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Wai Hung\Cookies\wai_hung@tribalfusion[1].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Wai Hung\Cookies\wai_hung@bs.serving-sys[1].txt
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\Wai Hung\Cookies\wai_hung@statse.webtrendslive[1].txt
00366244 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\Wai Hung\Desktop\Flash_Disinfector.exe[C:\Documents and Settings\Wai Hung\Desktop\Flash_Disinfector.exe][nircmd.exe]
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP178\A0039240.EXE
01196325 Cookie/Enhance TrackingCookie No 0 Yes No C:\Documents and Settings\Wai Hung\Cookies\wai_hung@enhance[2].txt
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP178\A0039226.sys
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP173\A0037794.sys
03738686 Generic Malware Virus/Trojan No 0 No No C:\Documents and Settings\Wai Hung\Desktop\ComboFix.exe[32788R22FWJFW\catchme.cfexe]
;===================================================================================================================================================================================
SUSPECTS
Sent Location Y
;===================================================================================================================================================================================
No C:\Documents and Settings\Wai Hung\Desktop\ComboFix.exe[32788R22FWJFW\psexec.cfexe] Y
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description Y
;===================================================================================================================================================================================
;===================================================================================================================================================================================

Katana · 10-22-2008, 06:41 AM

Custom CFScript

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
Code:
```
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{943cef6d-6935-11dd-a189-001e4cdce70b}]
```
Save this as CFScript.txt and place it on your desktop.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

How are things running now ?
any problems still ?

YSJR · 10-25-2008, 06:04 PM

Dear Katana,

Below are the reports. Seems to have improved but the connection still stops automatically, when I have to turn off and on the modem to re-connect. I haven't done anything to disinfect after the scan. Thanks.

ComboFix 08-10-15.05 - Wai Hung 2008-10-22 12:01:46.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.936.86.1033.18.2475 [GMT 11:00]
执行位置: C:\Documents and Settings\Wai Hung\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Wai Hung\Desktop\CFScript.txt
* 成功创造新还原点
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( 被删除的档案 )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( 驱动/服务 )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NTFRS
-------\Legacy_PACKET
-------\Legacy_TDSSSERV
-------\Service_Ntfrs
-------\Service_vqdtdkez

((((((((((((((((((((((((( 2008-09-22 至 2008-10-22 的新的档案 )))))))))))))))))))))))))))))))
.

2008-10-15 19:00 . 2008-10-15 19:01 <DIR> d-------- C:\rsit
2008-10-15 19:00 . 2008-10-15 19:01 <DIR> d-------- C:\Program Files\trend micro
2008-10-15 17:00 . 2008-08-14 21:11 2,189,184 --------- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-15 17:00 . 2008-08-14 21:09 2,145,280 --------- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-15 17:00 . 2008-08-14 20:33 2,066,048 --------- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-15 17:00 . 2008-08-14 20:33 2,023,936 --------- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-15 17:00 . 2008-09-15 23:12 1,846,400 --------- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-15 17:00 . 2008-09-08 21:41 333,824 --------- C:\WINDOWS\system32\dllcache\srv.sys
2008-09-29 12:48 . 2008-09-29 12:48 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-09-29 00:02 . 2008-09-29 00:02 <DIR> d-------- C:\Documents and Settings\Wai Hung\Application Data\Recordpad
2008-09-29 00:01 . 2008-09-29 00:02 <DIR> d-------- C:\Documents and Settings\Wai Hung\Application Data\NCH Swift Sound
2008-09-29 00:01 . 2008-09-29 00:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-09-29 00:00 . 2008-10-09 10:29 <DIR> d-------- C:\Program Files\NCH Swift Sound
2008-09-29 00:00 . 2008-09-29 00:00 <DIR> d-------- C:\Program Files\NCH Software
2008-09-26 12:59 . 2008-09-26 12:59 <DIR> d-------- C:\WINDOWS\system32\LogFiles

.
(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-22 01:06 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-21 10:49 --------- d-----w C:\Program Files\McAfee
2008-10-17 01:44 --------- d-----w C:\Program Files\Java
2008-10-15 07:40 --------- d-----w C:\Documents and Settings\Wai Hung\Application Data\AdobeUM
2008-10-07 09:59 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-09-29 06:32 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Roxio
2008-09-29 01:48 --------- d-----w C:\Program Files\Common Files\Real
2008-09-20 10:38 --------- d-----w C:\Documents and Settings\Wai Hung\Application Data\Malwarebytes
2008-09-20 10:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-19 02:07 84,624 ----a-w C:\Documents and Settings\Wai Hung\Application Data\GDIPFONTCACHEV1.DAT
2008-09-18 03:32 --------- d-----w C:\Program Files\Bonjour
2008-09-15 12:12 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-09 14:04 38,528 ----a-w C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-09 14:03 17,200 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-08-14 10:09 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 10:04 138,496 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-08-14 09:33 2,023,936 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-01-15 19:52 76 --sh--r C:\WINDOWS\CT4CET.bin
.

((((((((((((((((((((((((((((( snapshot@2008-10-16_17.09.37.65 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-10-16 03:35:54 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-10-21 22:38:28 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-10-16 03:35:54 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-10-21 22:38:28 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-03 851968]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-05-11 8429568]
"OEM02Mon.exe"="C:\WINDOWS\OEM02Mon.exe" [2007-08-28 36864]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]
"DELL Webcam Manager"="C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936]
"KADxMain"="C:\WINDOWS\system32\KADxMain.exe" [2006-11-02 282624]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 582992]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"PCMService"="C:\Program Files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]
"Google IME Autoupdater"="C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe" [2008-08-05 308720]
"Samsung PanelMgr"="C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe" [2005-10-31 503808]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"nwiz"="nwiz.exe" [2007-05-11 C:\WINDOWS\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [2007-05-11 C:\WINDOWS\system32\nvhotkey.dll]
"NvMediaCenter"="NvMCTray.dll" [2007-06-06 C:\WINDOWS\system32\nvmctray.dll]
"SigmatelSysTrayApp"="stsystra.exe" [2007-05-06 C:\WINDOWS\stsystra.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-05-17 568176]
Dell Network Assistant.lnk - C:\WINDOWS\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2008-01-16 7168]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2008-01-16 50688]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\3 Mobile\\3 Mobile Broadband\\3 Mobile Broadband.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\美女麻将\\美女麻将.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\?à???é??\\?à???é??.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC

R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-11 28184]
R3 OEM02Dev;Creative Camera OEM002 Driver;C:\WINDOWS\system32\DRIVERS\OEM02Dev.sys [2007-08-28 235520]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;C:\WINDOWS\system32\DRIVERS\OEM02Vfx.sys [2007-08-28 7424]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{943cef6d-6935-11dd-a189-001e4cdce70b}]
\Shell\AutoRun\command - E:\AutoRun.exe
.
‘计划任务’ 文件夹里的内容

2008-05-14 C:\WINDOWS\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 14:32]

2008-08-31 C:\WINDOWS\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 14:32]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-22 12

35
Windows 5.1.2600 Service Pack 3 NTFS

扫描被隐藏的进程。。。 ...

扫描被隐藏的启动组。。。

扫描被隐藏的文件。。。

扫描完成
被隐藏的档案: 0

**************************************************************************
.
--------------------- 运行进程下的动态链接库 ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\nview.dll
.
------------------------ 其他运行进程 ------------------------
.
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\McAfee\MSK\msksrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
.
**************************************************************************
.
完成时间: 2008-10-22 12:11:08 - 电脑已重新启动
ComboFix-quarantined-files.txt 2008-10-22 01:11:02
ComboFix2.txt 2008-10-16 06:10:08

Pre-Run: 118,417,354,752 bytes free
Post-Run: 118,457,208,832 bytes free

194 --- E O F --- 2008-10-15 06:04:45

Scan report:
;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-10-22 15:37:51
PROTECTIONS: 2
MALWARE: 11
SUSPECTS: 1
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
McAfee Internet Security Suite 2007 8.1 No Yes
McAfee VirusScan Plus 12.1 No No
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00034347 dialer.su Dialers No 0 Yes No hkey_local_machine\software\microsoft\windows\currentversion\uninstall\switch
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Wai Hung\Cookies\wai_hung@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Wai Hung\Cookies\wai_hung@atdmt[2].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Wai Hung\Cookies\wai_hung@tribalfusion[1].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Wai Hung\Cookies\wai_hung@bs.serving-sys[1].txt
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\Wai Hung\Cookies\wai_hung@statse.webtrendslive[1].txt
00366244 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\Wai Hung\Desktop\Flash_Disinfector.exe[C:\Documents and Settings\Wai Hung\Desktop\Flash_Disinfector.exe][nircmd.exe]
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP178\A0039240.EXE
01196325 Cookie/Enhance TrackingCookie No 0 Yes No C:\Documents and Settings\Wai Hung\Cookies\wai_hung@enhance[2].txt
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP178\A0039226.sys
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP173\A0037794.sys
03738686 Generic Malware Virus/Trojan No 0 No No C:\Documents and Settings\Wai Hung\Desktop\ComboFix.exe[32788R22FWJFW\catchme.cfexe]
;===================================================================================================================================================================================
SUSPECTS
Sent Location Y
;===================================================================================================================================================================================
No C:\Documents and Settings\Wai Hung\Desktop\ComboFix.exe[32788R22FWJFW\psexec.cfexe] Y
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description Y
;===================================================================================================================================================================================
;===================================================================================================================================================================================

Katana · 10-26-2008, 03:41 AM

Errrm those are the logs that you posted last time, please can you post the latest combofix log (C:\combofix.txt) along with a fresh HJT log

YSJR · 10-26-2008, 07:12 AM

Sorry... Here they are.

ComboFix 08-10-15.05 - Wai Hung 2008-10-23 10:20:34.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.936.86.1033.18.2492 [GMT 11:00]
执行位置: C:\Documents and Settings\Wai Hung\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Wai Hung\Desktop\CFScript.txt
* 成功创造新还原点
* Resident AV is active

.

((((((((((((((((((((((((( 2008-09-22 至 2008-10-22 的新的档案 )))))))))))))))))))))))))))))))
.

2008-10-22 12:26 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-10-22 12:25 . 2008-10-22 12:25 <DIR> d-------- C:\Program Files\Panda Security
2008-10-15 19:00 . 2008-10-15 19:01 <DIR> d-------- C:\rsit
2008-10-15 19:00 . 2008-10-15 19:01 <DIR> d-------- C:\Program Files\trend micro
2008-10-15 17:00 . 2008-08-14 21:11 2,189,184 --------- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-15 17:00 . 2008-08-14 21:09 2,145,280 --------- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-15 17:00 . 2008-08-14 20:33 2,066,048 --------- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-15 17:00 . 2008-08-14 20:33 2,023,936 --------- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-15 17:00 . 2008-09-15 23:12 1,846,400 --------- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-15 17:00 . 2008-09-08 21:41 333,824 --------- C:\WINDOWS\system32\dllcache\srv.sys
2008-09-29 12:48 . 2008-09-29 12:48 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-09-29 00:02 . 2008-09-29 00:02 <DIR> d-------- C:\Documents and Settings\Wai Hung\Application Data\Recordpad
2008-09-29 00:01 . 2008-09-29 00:02 <DIR> d-------- C:\Documents and Settings\Wai Hung\Application Data\NCH Swift Sound
2008-09-29 00:01 . 2008-09-29 00:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-09-29 00:00 . 2008-10-09 10:29 <DIR> d-------- C:\Program Files\NCH Swift Sound
2008-09-29 00:00 . 2008-09-29 00:00 <DIR> d-------- C:\Program Files\NCH Software
2008-09-26 12:59 . 2008-09-26 12:59 <DIR> d-------- C:\WINDOWS\system32\LogFiles

.
(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-22 22:29 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-21 10:49 --------- d-----w C:\Program Files\McAfee
2008-10-17 01:44 --------- d-----w C:\Program Files\Java
2008-10-15 07:40 --------- d-----w C:\Documents and Settings\Wai Hung\Application Data\AdobeUM
2008-10-07 09:59 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-09-29 06:32 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Roxio
2008-09-29 01:48 --------- d-----w C:\Program Files\Common Files\Real
2008-09-20 10:38 --------- d-----w C:\Documents and Settings\Wai Hung\Application Data\Malwarebytes
2008-09-20 10:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-19 02:07 84,624 ----a-w C:\Documents and Settings\Wai Hung\Application Data\GDIPFONTCACHEV1.DAT
2008-09-18 03:32 --------- d-----w C:\Program Files\Bonjour
2008-09-15 12:12 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-09 14:04 38,528 ----a-w C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-09 14:03 17,200 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-08-14 10:09 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 10:04 138,496 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-08-14 09:33 2,023,936 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-01-15 19:52 76 --sh--r C:\WINDOWS\CT4CET.bin
.

((((((((((((((((((((((((((((( snapshot@2008-10-16_17.09.37.65 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-06-29 23:39:58 128,256 ----a-w C:\WINDOWS\Downloaded Program Files\as2stubie.dll
- 2008-10-16 03:35:54 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-10-22 22:36:46 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-10-16 03:35:54 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-10-22 22:36:46 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-03 851968]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-05-11 8429568]
"OEM02Mon.exe"="C:\WINDOWS\OEM02Mon.exe" [2007-08-28 36864]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]
"DELL Webcam Manager"="C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936]
"KADxMain"="C:\WINDOWS\system32\KADxMain.exe" [2006-11-02 282624]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 582992]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"PCMService"="C:\Program Files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]
"Google IME Autoupdater"="C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe" [2008-08-05 308720]
"Samsung PanelMgr"="C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe" [2005-10-31 503808]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"nwiz"="nwiz.exe" [2007-05-11 C:\WINDOWS\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [2007-05-11 C:\WINDOWS\system32\nvhotkey.dll]
"NvMediaCenter"="NvMCTray.dll" [2007-06-06 C:\WINDOWS\system32\nvmctray.dll]
"SigmatelSysTrayApp"="stsystra.exe" [2007-05-06 C:\WINDOWS\stsystra.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-05-17 568176]
Dell Network Assistant.lnk - C:\WINDOWS\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2008-01-16 7168]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2008-01-16 50688]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\3 Mobile\\3 Mobile Broadband\\3 Mobile Broadband.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\美女麻将\\美女麻将.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\?à???é??\\?à???é??.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 28544]
R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-11 28184]
R3 OEM02Dev;Creative Camera OEM002 Driver;C:\WINDOWS\system32\DRIVERS\OEM02Dev.sys [2007-08-28 235520]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;C:\WINDOWS\system32\DRIVERS\OEM02Vfx.sys [2007-08-28 7424]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{943cef6d-6935-11dd-a189-001e4cdce70b}]
\Shell\AutoRun\command - E:\AutoRun.exe

*Newly Created Service* - PAVBOOT
.
‘计划任务’ 文件夹里的内容

2008-05-14 C:\WINDOWS\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 14:32]

2008-08-31 C:\WINDOWS\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 14:32]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-23 10:23:14
Windows 5.1.2600 Service Pack 3 NTFS

扫描被隐藏的进程。。。 ...

扫描被隐藏的启动组。。。

扫描被隐藏的文件。。。

扫描完成
被隐藏的档案: 0

**************************************************************************
.
--------------------- 运行进程下的动态链接库 ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\nview.dll
.
完成时间: 2008-10-23 10:24:41
ComboFix-quarantined-files.txt 2008-10-22 23:24:33
ComboFix2.txt 2008-10-22 01:11:09
ComboFix3.txt 2008-10-16 06:10:08

Pre-Run: 118,364,516,352 bytes free
Post-Run: 118,350,794,752 bytes free

158 --- E O F --- 2008-10-15 06:04:45

Logfile of random's system information tool 1.04 (written by random/random)
Run by Wai Hung at 2008-10-27 00:08:22
Microsoft Windows XP Professional Service Pack 3
System drive C: has 113 GB (75%) free of 150 GB
Total RAM: 3070 MB (81% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:08:32 AM, on 10/27/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\OEM02Mon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe
C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\3 Mobile\3 Mobile Broadband\3 Mobile Broadband.exe
C:\Documents and Settings\Wai Hung\Desktop\RSIT.exe
C:\Program Files\trend micro\Wai Hung.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\WINDOWS\OEM02Mon.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [Google IME Autoupdater] C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Dell Network Assistant.lnk = %SystemRoot%\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B36B8DF-4FFF-4634-AC7E-50E7A90D3E0C}: NameServer = 202.124.68.170 202.124.68.130
O17 - HKLM\System\CCS\Services\Tcpip\..\{D456FAF3-2A6B-4262-9B63-D09EA731EAE8}: NameServer = 203.12.160.35,203.12.160.36
O17 - HKLM\System\CCS\Services\Tcpip\..\{EAD589B6-0372-46B4-868D-B77888B10C97}: NameServer = 203.12.160.35,203.12.160.36
O17 - HKLM\System\CCS\Services\Tcpip\..\{F78C0761-91CA-43D1-A64A-C2AF2AD59DE6}: NameServer = 203.12.160.35,203.12.160.36
O17 - HKLM\System\CS1\Services\Tcpip\..\{0B36B8DF-4FFF-4634-AC7E-50E7A90D3E0C}: NameServer = 202.124.68.170 202.124.68.130
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - Unknown owner - C:\WINDOWS\system32\oodag.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 11402 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\McDefragTask.job
C:\WINDOWS\tasks\McQcTask.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll [2003-05-15 50376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}]
RealPlayer Download and Record Plugin for Internet Explorer - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll [2008-09-29 308832]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{377C180E-6F0E-4D4C-980F-F45BD3D40CF4}]
McAfee Phishing Filter - c:\PROGRA~1\mcafee\msk\mcapbho.dll [2007-11-26 324936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - C:\Program Files\McAfee\VirusScan\scriptsn.dll [2007-11-09 58688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2007-09-20 328752]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - c:\program files\google\googletoolbar2.dll [2008-07-17 2403392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
AcroIEToolbarHelper Class - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [2003-05-15 147456]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}]
CBrowserHelperObject Object - C:\Program Files\BAE\BAE.dll [2007-01-12 98304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [2003-05-15 147456]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar2.dll [2008-07-17 2403392]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2007-06-03 851968]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2007-05-11 8429568]
"nwiz"=nwiz.exe /installquiet []
"NVHotkey"=C:\WINDOWS\system32\nvHotkey.dll [2007-05-11 67584]
"NvMediaCenter"=C:\WINDOWS\system32\NvMCTray.dll [2007-06-06 81920]
"OEM02Mon.exe"=C:\WINDOWS\OEM02Mon.exe [2007-08-28 36864]
"IMJPMIG8.1"=C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [2004-08-04 208952]
"MSPY2002"=C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe [2004-08-04 59392]
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-04 455168]
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-04 455168]
"IntelZeroConfig"=C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe [2007-07-25 823296]
"IntelWireless"=C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe [2007-07-25 974848]
"DELL Webcam Manager"=C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe [2007-07-27 118784]
"Dell QuickSet"=C:\Program Files\Dell\QuickSet\quickset.exe [2007-05-14 1191936]
"KADxMain"=C:\WINDOWS\system32\KADxMain.exe [2006-11-02 282624]
"RoxWatchTray"=C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe [2006-11-05 221184]
"RoxioDragToDisc"=C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe [2006-08-17 1116920]
"mcagent_exe"=C:\Program Files\McAfee.com\Agent\mcagent.exe [2007-08-03 582992]
"dscactivate"=C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe [2007-11-15 16384]
"PCMService"=C:\Program Files\Dell\MediaDirect\PCMService.exe [2007-12-21 184320]
"Google IME Autoupdater"=C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe [2008-08-05 308720]
"Samsung PanelMgr"=C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe [2005-10-31 503808]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-03-28 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-03-30 267048]
"SigmatelSysTrayApp"=C:\WINDOWS\stsystra.exe [2007-05-06 405504]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
Dell Network Assistant.lnk - C:\WINDOWS\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=
"NoDrives"=
"NoDriveAutoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Dell Network Assistant\ezi_hnm2.exe"="C:\Program Files\Dell Network Assistant\ezi_hnm2.exe:*:Enabled:Dell Network Assistant"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Dell\MediaDirect\PCMService.exe"="C:\Program Files\Dell\MediaDirect\PCMService.exe:*:Enabled:CyberLink PowerCinema Resident Program"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Mozilla Firefox"
"C:\Program Files\3 Mobile\3 Mobile Broadband\3 Mobile Broadband.exe"="C:\Program Files\3 Mobile\3 Mobile Broadband\3 Mobile Broadband.exe:*:Enabled:3 Mobile Broadband"
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe"="C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\Program Files\美女麻将\美女麻将.exe"="C:\Program Files\美女麻将\美女麻将.exe:*:Disabled:C:\PROGRA~1\美女麻将\美女麻将.exe"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\Program Files\Real\RealPlayer\realplay.exe"="C:\Program Files\Real\RealPlayer\realplay.exe:*:Disabled:RealPlayer"
"C:\Program Files\?à???é??\?à???é??.exe"="C:\Program Files\?à???é??\?à???é??.exe:*:Disabled:C:\PROGRA~1\?à???é??\?à???é??.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{943cef6d-6935-11dd-a189-001e4cdce70b}]
shell\AutoRun\command - E:\AutoRun.exe

Katana · 10-26-2008, 07:42 AM

Installed Programs

Please could you give me a list of the programs that are installed.

Start HijackThis (C:\Program Files\trend micro\HijackThis.exe)
Click on the Misc Tools button
Click on the Open Uninstall Manager button.

You will see a list with the programs installed in your computer.
Click on save list button and specify where you would like to save this file.
When you press Save button a notepad will open with the contents of that file.
Simply copy and paste the contents of that notepad into your next post.

YSJR · 10-26-2008, 07:50 AM

Dear Katana,

?????§?? 3.3.7
?à???é??
?à???é??
1è?è?′ò?ê?è?·¨
3 Mobile Broadband
Adobe Acrobat 6.0 Standard - ChineseT
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Advanced Audio FX Engine
Advanced Video FX Engine
Apple Mobile Device Support
Apple Software Update
Bonjour
Broadcom 440x 10/100 Integrated Controller
Broadcom Management Programs
Compatibility Pack for the 2007 Office system
Conexant HDA D330 MDC V.92 Modem
Dell Network Assistant
Dell Resource CD
Dell Support Center
Dell Touchpad
Dell Webcam Center
Dell Webcam Manager
Digital Line Detect
Express Burn
Express Rip
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB952287)
Intel(R) PROSet/Wireless Software
IntelliSonic Speech Enhancement
iTunes
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Laptop Integrated Webcam Driver (1.03.02.0719)
Live! Cam Avatar Creator
Live! Cam Avatar v1.0
Malwarebytes' Anti-Malware
McAfee SecurityCenter
mCore
mDrWiFi
MediaDirect
mHlpDell
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Chinese (Simplified) User Interface Pack
Microsoft Office XP English User Interface Pack
Microsoft Office XP Media Content
Microsoft Office XP Professional with FrontPage
Microsoft Visual C++ 2005 Redistributable
mIWA
mLogView
mMHouse
Modem Diagnostic Tool
Mozilla Firefox (3.0.1)
mPfMgr
mPfWiz
mProSafe
mSCfg
mSSO
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
mWlsSafe
mWMI
mZConfig
NetWaiting
NVIDIA Drivers
OutlookAddinSetup
Panda ActiveScan 2.0
QuickSet
QuickTime
Readiris Pro 10
RealPlayer
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Drag-to-Disc
Roxio Express Labeler
Roxio MyDVD DE
Roxio Update Manager
Samsung SCX-4200 Series
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB958644)
SigmaTel Audio
SmarThru 4
Sonic Activation Module
Switch Sound File Converter
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
URL Assistant
WavePad Sound Editor
WIDCOMM Bluetooth Software
Windows Driver Package - Ricoh Company (rimsptsk) hdc (11/14/2006 6.00.01.04)
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format Runtime
Windows XP Service Pack 3
WinRAR archiver

Thanks.

Katana · 10-26-2008, 07:59 AM

Do you know what these are, all I can see are ????? (question marks)

?????§?? 3.3.7
?à???é??
?à???é??
1è?è??ò?ê?è?·¨

Are E:\, F:\, G:\ related to your modem ?

YSJR · 10-26-2008, 08:24 AM

Dear Katana,

I think they are some games I have downloaded for some time.

Are E:\, F:\, G:\ are removable drives.

Thanks.

Katana · 10-26-2008, 08:49 AM

There is no malware showing in your logs now, how often does the internet connection drop ?
Have you noticed if it happens after using a particular program or after a specfic time ?

Custom CFScript

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

Code:

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{943cef6d-6935-11dd-a189-001e4cdce70b}]
ADS::

Save this as CFScript.txt and place it on your desktop.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

YSJR · 10-26-2008, 05:56 PM

Dear Katana,

The connection drops usually after a frequent switch between different websites or after five or six hours' connection. It doesn't seem to be related to particular programs. Thanks.

ComboFix 08-10-25.01 - Wai Hung 2008-10-27 10:45:39.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.936.86.1033.18.2475 [GMT 11:00]
执行位置: C:\Documents and Settings\Wai Hung\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Wai Hung\Desktop\CFScript.txt
* 成功创造新还原点
* Resident AV is active

.

((((((((((((((((((((((((( 2008-09-26 至 2008-10-26 的新的档案 )))))))))))))))))))))))))))))))
.

2008-10-27 01:01 . 2008-10-27 01:01 244 --ah----- C:\sqmnoopt00.sqm
2008-10-27 01:01 . 2008-10-27 01:01 232 --ah----- C:\sqmdata00.sqm
2008-10-24 23:40 . 2008-10-16 03:34 337,408 --------- C:\WINDOWS\system32\dllcache\netapi32.dll
2008-10-22 12:26 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-10-22 12:25 . 2008-10-22 12:25 <DIR> d-------- C:\Program Files\Panda Security
2008-10-15 19:00 . 2008-10-15 19:01 <DIR> d-------- C:\rsit
2008-10-15 19:00 . 2008-10-27 00:47 <DIR> d-------- C:\Program Files\trend micro
2008-10-15 17:00 . 2008-08-14 21:11 2,189,184 --------- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-15 17:00 . 2008-08-14 21:09 2,145,280 --------- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-15 17:00 . 2008-08-14 20:33 2,066,048 --------- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-15 17:00 . 2008-08-14 20:33 2,023,936 --------- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-15 17:00 . 2008-09-15 23:12 1,846,400 --------- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-15 17:00 . 2008-09-08 21:41 333,824 --------- C:\WINDOWS\system32\dllcache\srv.sys
2008-09-29 12:48 . 2008-09-29 12:48 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-09-29 00:02 . 2008-09-29 00:02 <DIR> d-------- C:\Documents and Settings\Wai Hung\Application Data\Recordpad
2008-09-29 00:01 . 2008-09-29 00:02 <DIR> d-------- C:\Documents and Settings\Wai Hung\Application Data\NCH Swift Sound
2008-09-29 00:01 . 2008-09-29 00:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-09-29 00:00 . 2008-10-09 10:29 <DIR> d-------- C:\Program Files\NCH Swift Sound
2008-09-29 00:00 . 2008-09-29 00:00 <DIR> d-------- C:\Program Files\NCH Software
2008-09-26 12:59 . 2008-09-26 12:59 <DIR> d-------- C:\WINDOWS\system32\LogFiles

.
(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-26 23:23 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-24 12:34 --------- d-----w C:\Program Files\McAfee
2008-10-17 01:44 --------- d-----w C:\Program Files\Java
2008-10-15 07:40 --------- d-----w C:\Documents and Settings\Wai Hung\Application Data\AdobeUM
2008-10-07 09:59 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-09-29 06:32 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Roxio
2008-09-29 01:48 --------- d-----w C:\Program Files\Common Files\Real
2008-09-20 10:38 --------- d-----w C:\Documents and Settings\Wai Hung\Application Data\Malwarebytes
2008-09-20 10:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-19 02:07 84,624 ----a-w C:\Documents and Settings\Wai Hung\Application Data\GDIPFONTCACHEV1.DAT
2008-09-18 03:32 --------- d-----w C:\Program Files\Bonjour
2008-09-15 12:12 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-09 14:04 38,528 ----a-w C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-09 14:03 17,200 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-08-14 10:09 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 10:04 138,496 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-08-14 09:33 2,023,936 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-01-15 19:52 76 --sh--r C:\WINDOWS\CT4CET.bin
.

((((((((((((((((((((((((((((( snapshot@2008-10-16_17.09.37.65 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-06-29 23:39:58 128,256 ----a-w C:\WINDOWS\Downloaded Program Files\as2stubie.dll
- 2008-10-16 03:35:54 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-10-26 23:29:38 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-10-16 03:35:54 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-10-26 23:29:38 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-04-14 00:12:01 337,408 ----a-w C:\WINDOWS\system32\netapi32.dll
+ 2008-10-15 16:34:24 337,408 ----a-w C:\WINDOWS\system32\netapi32.dll
.
((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-03 851968]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-05-11 8429568]
"OEM02Mon.exe"="C:\WINDOWS\OEM02Mon.exe" [2007-08-28 36864]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]
"DELL Webcam Manager"="C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936]
"KADxMain"="C:\WINDOWS\system32\KADxMain.exe" [2006-11-02 282624]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 582992]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"PCMService"="C:\Program Files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]
"Google IME Autoupdater"="C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe" [2008-08-05 308720]
"Samsung PanelMgr"="C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe" [2005-10-31 503808]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"nwiz"="nwiz.exe" [2007-05-11 C:\WINDOWS\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [2007-05-11 C:\WINDOWS\system32\nvhotkey.dll]
"NvMediaCenter"="NvMCTray.dll" [2007-06-06 C:\WINDOWS\system32\nvmctray.dll]
"SigmatelSysTrayApp"="stsystra.exe" [2007-05-06 C:\WINDOWS\stsystra.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-05-17 568176]
Dell Network Assistant.lnk - C:\WINDOWS\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2008-01-16 7168]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2008-01-16 50688]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\3 Mobile\\3 Mobile Broadband\\3 Mobile Broadband.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\美女麻将\\美女麻将.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\?à???é??\\?à???é??.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 28544]
R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-11 28184]
R3 OEM02Dev;Creative Camera OEM002 Driver;C:\WINDOWS\system32\DRIVERS\OEM02Dev.sys [2007-08-28 235520]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;C:\WINDOWS\system32\DRIVERS\OEM02Vfx.sys [2007-08-28 7424]
.
‘计划任务’ 文件夹里的内容

2008-05-14 C:\WINDOWS\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 14:32]

2008-08-31 C:\WINDOWS\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 14:32]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-27 10:48:14
Windows 5.1.2600 Service Pack 3 NTFS

扫描被隐藏的进程。。。 ...

扫描被隐藏的启动组。。。

扫描被隐藏的文件。。。

扫描完成
被隐藏的档案: 0

**************************************************************************
.
--------------------- 运行进程下的动态链接库 ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\nview.dll
.
完成时间: 2008-10-27 10:49:46
ComboFix-quarantined-files.txt 2008-10-26 23:49:40
ComboFix2.txt 2008-10-22 23:24:42
ComboFix3.txt 2008-10-22 01:11:09
ComboFix4.txt 2008-10-16 06:10:08

Pre-Run: 118,375,276,544 bytes free
Post-Run: 118,393,368,576 bytes free

161 --- E O F --- 2008-10-24 12:43:31

Katana · 10-26-2008, 06:09 PM

There is no malware that would be causing your problem.
Unfortunately you are now outside my area of knowledge, so I'm going to have to recommend that you visit the networking section.
http://www.techsupportforum.com/netw...rking-support/

When you start your thread, explain what the problem is and let them know that you have been checked for malware.
Give them the following link, so they can see the logs if needed

Code:

http://www.techsupportforum.com/security-center/hijackthis-log-help/298515-infected-trojan.html#post1737249

This will clear your System Volume Information restore points and remove all the infected files that were quarantined
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.

You can also delete any logs we have produced, and empty your Recycle bin.

The following is some info to help you stay safe and clean.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )

You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.

Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.

http://www.pandasecurity.com/activescan
http://www.kaspersky.com/kos/eng/par...avwebscan.html

!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you, .... see HERE for details

AntiSpyware

AntiSpyware is not the same thing as Antivirus.
Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
Most of the programs in this list have a free (for Home Users ) and paid versions,
it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
Spybot - Search & Destroy <<< A must have program
- It includes host protection and registry protection
- A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
MalwareBytes Anti-malware <<< A New and effective program
a-squared Free <<< A good "realtime" or "on demand" scanner
superantispyware <<< A good "realtime" or "on demand" scanner

Prevention

These programs don't detect malware, they help stop it getting on your machine in the first place.
Each does a different job, so you can have more than one
Winpatrol
- An excellent startup manager and then some !!
- Notifies you if programs are added to startup
- Allows delayed startup
- A must have addition
SpywareBlaster 4.0
- SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
SpywareGuard 2.2
- SpywareGuard provides real-time protection against spyware.
- Not required if you have other "realtime" antispyware or Winpatrol
ZonedOut
- Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
MVPS HOSTS
- This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
- For information on how to download and install, please read this tutorial by WinHelp2002.
- Not required if you are using other host file protections

Internet Browsers

Microsoft has worked hard to make IE.7 a more secure browser, unfortunately whilst it is still the leading browser of choice it will always be under attack from the bad guys.
Using a different web browser can help stop malware getting on your machine.
- Make your Internet Explorer more secure - This can be done by following these simple instructions:
  1. From within Internet Explorer click on the Tools menu and then click on Options.
  2. Click once on the Security tab
  3. Click once on the Internet icon so it becomes highlighted.
  4. Click once on the Custom Level button.
    - Change the Download signed ActiveX controls to Prompt
    - Change the Download unsigned ActiveX controls to Disable
    - Change the Initialise and script ActiveX controls not marked as safe to Disable
    - Change the Installation of desktop items to Prompt
    - Change the Launching programs and files in an IFRAME to Prompt
    - Change the Navigate sub-frames across different domains to Prompt
    - When all these settings have been made, click on the OK button.
    - If it prompts you as to whether or not you want to save the settings, press the Yes button.
  5. Next press the Apply button and then the OK to exit the Internet Properties page.
If you are still using IE6 then either update, or get one of the following.
- FireFox
  - With many addons available that make customization easy this is a very popular choice
  - NoScript and AdBlockPlus addons are essential
- Opera
  - Another popular alternative
- Netscape
  - Another popular alternative
  - Also has Addons available

Cleaning Temporary Internet Files and Tracking Cookies

Temporary Internet Files are mainly the files that are downloaded when you open a web page.
Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
It is a good idea to empty the Temporary Internet Files folder on a regular basis.

Tracking Cookies are files that websites use to monitor which sites you visit and how often.
A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords

Both of these can be cleaned manually, but a quicker option is to use a program
ATF Cleaner
- Free and very simple to use
CCleaner
- Free and very flexible, you can chose which cookies to keep

Also PLEASE read this article.....So How Did I Get Infected In The First Place

The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again :D

If you could post back one more time to let me know everything is OK, then I can have this thread archived.

Happy surfing K'

YSJR · 10-28-2008, 06:27 PM

Dear Katana,

Thanks for your help and advice. I have done what you recommended and things are OK at this stage. Thanks again.

10-03-2008, 09:30 AM	#1 (permalink)
YSJR Registered User Join Date: Oct 2008 Posts: 10 OS: XP	[SOLVED] Infected with Trojan Dear expert friends, My computer has recently been infected. When I logged onto the net, I was automatically redirected to strange websites and could never reach any pages that contained any anti-virus information. My computer was installed with McAfee but it had done nothing. I eventually managed to install the Malwarebytes and killed the Trojans. The problem now is that the download speed seems to be slower than before and the connection is easily lost when I surf on the net. When this happens I will need to turn off the modem and start again. Is my computer still infected? Below is the scan log. Please help! Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 12:45:47 AM, on 10/4/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16705) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Dell Network Assistant\hnm_svc.exe C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe C:\WINDOWS\Explorer.EXE c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe C:\Program Files\McAfee\MPF\MPFSrv.exe C:\Program Files\McAfee\MSK\MskSrver.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\RunDLL32.exe C:\WINDOWS\OEM02Mon.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe C:\WINDOWS\system32\UTSCSI.EXE C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe C:\Program Files\Dell\QuickSet\quickset.exe C:\WINDOWS\system32\KADxMain.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe C:\Program Files\McAfee.com\Agent\mcagent.exe C:\Program Files\Dell\MediaDirect\PCMService.exe C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\stsystra.exe C:\Program Files\NCH Swift Sound\Recordpad\recordpad.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe C:\Program Files\3 Mobile\3 Mobile Broadband\3 Mobile Broadband.exe C:\Program Files\Windows Live\Messenger\usnsvc.exe F:\hijackthis.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O2 - BHO: QQHelper Class - {BF182DBF-1283-4BD3-86EE-D3239228770C} - C:\Program Files\QQ\Africa2003\QQZoneHelper.dll (file missing) O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [OEM02Mon.exe] C:\WINDOWS\OEM02Mon.exe O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe" O4 - HKLM\..\Run: [Google IME Autoupdater] "C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe" O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe /autorun O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe O4 - HKLM\..\Run: [Recordpad] "C:\Program Files\NCH Swift Sound\Recordpad\recordpad.exe" -logon O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe O4 - Global Startup: Bluetooth.lnk = ? O4 - Global Startup: Dell Network Assistant.lnk = %SystemRoot%\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - ESC Trusted Zone: http://*.update.microsoft.com O17 - HKLM\System\CCS\Services\Tcpip\..\{0B36B8DF-4FFF-4634-AC7E-50E7A90D3E0C}: NameServer = 202.124.68.170 202.124.68.130 O17 - HKLM\System\CCS\Services\Tcpip\..\{D456FAF3-2A6B-4262-9B63-D09EA731EAE8}: NameServer = 203.12.160.35,203.12.160.36 O17 - HKLM\System\CCS\Services\Tcpip\..\{EAD589B6-0372-46B4-868D-B77888B10C97}: NameServer = 203.12.160.35,203.12.160.36 O17 - HKLM\System\CCS\Services\Tcpip\..\{F78C0761-91CA-43D1-A64A-C2AF2AD59DE6}: NameServer = 203.12.160.35,203.12.160.36 O17 - HKLM\System\CS1\Services\Tcpip\..\{0B36B8DF-4FFF-4634-AC7E-50E7A90D3E0C}: NameServer = 202.124.68.170 202.124.68.130 O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll O18 - Protocol: ipp - (no CLSID) - (no file) O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll O18 - Protocol: msdaipp - (no CLSID) - (no file) O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe O23 - Service: File Replication Service (Ntfrs) - Unknown owner - C:\WINDOWS\system32\ntfrs.exe (file missing) O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: O&O Defrag - Unknown owner - C:\WINDOWS\system32\oodag.exe (file missing) O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe Thanks!

10-15-2008, 02:06 AM	#3 (permalink)
YSJR Registered User Join Date: Oct 2008 Posts: 10 OS: XP	Re: Infected with Trojan Dear Katana, Thanks for your help. I almost gave up. Here are the contents. Thanks again. Logfile of random's system information tool 1.04 (written by random/random) Run by Wai Hung at 2008-10-15 19:00:51 Microsoft Windows XP Professional Service Pack 3 System drive C: has 113 GB (75%) free of 150 GB Total RAM: 3070 MB (81% free) Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 7:01:08 PM, on 10/15/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16705) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Dell Network Assistant\hnm_svc.exe C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe C:\Program Files\McAfee\MPF\MPFSrv.exe C:\Program Files\McAfee\MSK\MskSrver.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\UTSCSI.EXE C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe c:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\RunDLL32.exe C:\WINDOWS\OEM02Mon.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe C:\Program Files\Dell\QuickSet\quickset.exe C:\WINDOWS\system32\KADxMain.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe C:\Program Files\Dell\MediaDirect\PCMService.exe C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\stsystra.exe C:\WINDOWS\system32\ctfmon.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe C:\Program Files\Digital Line Detect\DLG.exe C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe C:\Documents and Settings\Wai Hung\Desktop\RSIT.exe C:\Program Files\trend micro\Wai Hung.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O2 - BHO: QQHelper Class - {BF182DBF-1283-4BD3-86EE-D3239228770C} - C:\Program Files\QQ\Africa2003\QQZoneHelper.dll (file missing) O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [OEM02Mon.exe] C:\WINDOWS\OEM02Mon.exe O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe" O4 - HKLM\..\Run: [Google IME Autoupdater] "C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe" O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe O4 - Global Startup: Bluetooth.lnk = ? O4 - Global Startup: Dell Network Assistant.lnk = %SystemRoot%\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - ESC Trusted Zone: http://.update.microsoft.com O17 - HKLM\System\CCS\Services\Tcpip\..\{D456FAF3-2A6B-4262-9B63-D09EA731EAE8}: NameServer = 203.12.160.35,203.12.160.36 O17 - HKLM\System\CCS\Services\Tcpip\..\{EAD589B6-0372-46B4-868D-B77888B10C97}: NameServer = 203.12.160.35,203.12.160.36 O17 - HKLM\System\CCS\Services\Tcpip\..\{F78C0761-91CA-43D1-A64A-C2AF2AD59DE6}: NameServer = 203.12.160.35,203.12.160.36 O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe O23 - Service: File Replication Service (Ntfrs) - Unknown owner - C:\WINDOWS\system32\ntfrs.exe (file missing) O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: O&O Defrag - Unknown owner - C:\WINDOWS\system32\oodag.exe (file missing) O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe -- End of file - 11981 bytes ======Scheduled tasks folder====== C:\WINDOWS\tasks\McDefragTask.job C:\WINDOWS\tasks\McQcTask.job ======Registry dump====== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}] AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll [2003-05-15 50376] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}] RealPlayer Download and Record Plugin for Internet Explorer - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll [2008-09-29 308832] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{377C180E-6F0E-4D4C-980F-F45BD3D40CF4}] McAfee Phishing Filter - c:\PROGRA~1\mcafee\msk\mcapbho.dll [2007-11-26 324936] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}] SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}] scriptproxy - C:\Program Files\McAfee\VirusScan\scriptsn.dll [2007-11-09 58688] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}] Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2007-09-20 328752] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}] Google Toolbar Helper - c:\program files\google\googletoolbar2.dll [2008-07-17 2403392] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}] AcroIEToolbarHelper Class - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [2003-05-15 147456] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BF182DBF-1283-4BD3-86EE-D3239228770C}] QQHelper Class - C:\Program Files\QQ\Africa2003\QQZoneHelper.dll [] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}] CBrowserHelperObject Object - C:\Program Files\BAE\BAE.dll [2007-01-12 98304] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] {47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [2003-05-15 147456] {2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar2.dll [2008-07-17 2403392] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2007-06-03 851968] "NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2007-05-11 8429568] "nwiz"=nwiz.exe /installquiet [] "NVHotkey"=C:\WINDOWS\system32\nvHotkey.dll [2007-05-11 67584] "NvMediaCenter"=C:\WINDOWS\system32\NvMCTray.dll [2007-06-06 81920] "OEM02Mon.exe"=C:\WINDOWS\OEM02Mon.exe [2007-08-28 36864] "IMJPMIG8.1"=C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [2004-08-04 208952] "MSPY2002"=C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe [2004-08-04 59392] "PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-04 455168] "PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-04 455168] "SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784] "IntelZeroConfig"=C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe [2007-07-25 823296] "IntelWireless"=C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe [2007-07-25 974848] "DELL Webcam Manager"=C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe [2007-07-27 118784] "Dell QuickSet"=C:\Program Files\Dell\QuickSet\quickset.exe [2007-05-14 1191936] "KADxMain"=C:\WINDOWS\system32\KADxMain.exe [2006-11-02 282624] "ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe [2006-10-03 221184] "ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2006-10-03 81920] ""= [] "RoxWatchTray"=C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe [2006-11-05 221184] "RoxioDragToDisc"=C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe [2006-08-17 1116920] "mcagent_exe"=C:\Program Files\McAfee.com\Agent\mcagent.exe [2007-08-03 582992] "dscactivate"=C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe [2007-11-15 16384] "PCMService"=C:\Program Files\Dell\MediaDirect\PCMService.exe [2007-12-21 184320] "Google IME Autoupdater"=C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe [2008-08-05 308720] "Samsung PanelMgr"=C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe [2005-10-31 503808] "QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-03-28 413696] "iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-03-30 267048] "SigmatelSysTrayApp"=C:\WINDOWS\stsystra.exe [2007-05-06 405504] [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360] C:\Documents and Settings\All Users\Start Menu\Programs\Startup Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe Dell Network Assistant.lnk - C:\WINDOWS\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System] "dontdisplaylastusername"=0 "legalnoticecaption"= "legalnoticetext"= "shutdownwithoutlogon"=1 "undockwithoutlogon"=1 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer] "NoDriveTypeAutoRun"=145 [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe::enabled:@xpsp2res.dll,-22019" "C:\Program Files\Dell Network Assistant\ezi_hnm2.exe"="C:\Program Files\Dell Network Assistant\ezi_hnm2.exe::Enabled:Dell Network Assistant" "C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe::Enabled:Bonjour" "C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe::Enabled:iTunes" "C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe::Enabled:Windows Messenger" "C:\Program Files\Dell\MediaDirect\PCMService.exe"="C:\Program Files\Dell\MediaDirect\PCMService.exe::Enabled:CyberLink PowerCinema Resident Program" "C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe::Enabled:Mozilla Firefox" "C:\Program Files\3 Mobile\3 Mobile Broadband\3 Mobile Broadband.exe"="C:\Program Files\3 Mobile\3 Mobile Broadband\3 Mobile Broadband.exe::Enabled:3 Mobile Broadband" "C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe"="C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe::Enabled:McAfee Network Agent" "C:\Documents and Settings\Wai Hung\Desktop\Mahjonggirl\C8HookGame.exe"="C:\Documents and Settings\Wai Hung\Desktop\Mahjonggirl\C8HookGame.exe::Disabled:C:\Documents and Settings\Wai Hung\Desktop\Mahjonggirl\C8HookGame.exe" "C:\Program Files\美女麻将\美女麻将.exe"="C:\Program Files\美女麻将\美女麻将.exe::Disabled:C:\PROGRA~1\美女麻将\美女麻将.exe" "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe::Enabled:@xpsp3res.dll,-20000" "C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe::Enabled:Windows Live Messenger" "C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe::Enabled:Windows Live Messenger (Phone)" "C:\Program Files\BitComet\tools\CometBrowser.exe"="C:\Program Files\BitComet\tools\CometBrowser.exe::Disabled:BitComet Resource Browser" "C:\Program Files\BitComet\BitComet.exe"="C:\Program Files\BitComet\BitComet.exe::Disabled:BitCometBeta - a BitTorrent Client" "C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe::Disabled:BitTorrent" "C:\Program Files\Real\RealPlayer\realplay.exe"="C:\Program Files\Real\RealPlayer\realplay.exe::Disabled:RealPlayer" [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe::enabled:@xpsp2res.dll,-22019" "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe::Enabled:@xpsp3res.dll,-20000" "C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe::Enabled:Windows Live Messenger" "C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1978580e-3d41-11dd-a0e9-001e4cdce70b}] shell\AutoRun\command - E:\AutoRun.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1978580f-3d41-11dd-a0e9-001e4cdce70b}] shell\AutoRun\command - E:\AutoRun.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{29fd6c55-fa58-11dc-a01f-001d09c1a02d}] shell\AutoRun\command - E:\AutoRun.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a92e16c-0953-11dd-a04d-001d09c1a02d}] shell\AutoRun\command - E:\AutoRun.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a92e16d-0953-11dd-a04d-001d09c1a02d}] shell\AutoRun\command - G:\AutoRun.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3960e02a-69f9-11dd-a18d-001e4cdce70b}] shell\AutoRun\command - E:\AutoRun.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3f18f8c8-621e-11dd-a16d-001e4cdce70b}] shell\AutoRun\command - E:\AutoRun.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{68f6687f-fe38-11dc-a02b-001d09c1a02d}] shell\AutoRun\command - F:\AutoRun.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{68f66880-fe38-11dc-a02b-001d09c1a02d}] shell\AutoRun\command - E:\AutoRun.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9eb4df16-852f-11dd-a1de-001e4cdce70b}] shell\AutoRun\command - E:\AutoRun.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b1ccaf18-36e5-11dd-a0d8-001e4cdce70b}] shell\AutoRun\command - E:\AutoRun.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b1ccaf1a-36e5-11dd-a0d8-001e4cdce70b}] shell\AutoRun\command - E:\AutoRun.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b1ccaf1b-36e5-11dd-a0d8-001e4cdce70b}] shell\AutoRun\command - E:\AutoRun.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b1ccaf1c-36e5-11dd-a0d8-001e4cdce70b}] shell\AutoRun\command - E:\AutoRun.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b1ccaf1d-36e5-11dd-a0d8-001e4cdce70b}] shell\AutoRun\command - E:\AutoRun.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7e15db8-ff1c-11dc-a030-001d09c1a02d}] shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL SysAuto.exe shell\′ò?a(&O)\command - E:\SysAuto.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c9150259-602d-11dd-a165-001e4cdce70b}] shell\AutoRun\command - E:\AutoRun.exe ======List of files/folders created in the last 1 months====== 2008-10-15 19:00:51 ----D---- C:\rsit 2008-10-15 19:00:51 ----D---- C:\Program Files\trend micro 2008-10-15 17:04:41 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$ 2008-10-15 17:04:35 ----HDC---- C:\WINDOWS\$NtUninstallKB956391$ 2008-10-15 17:04:29 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$ 2008-10-15 17:04:23 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$ 2008-10-15 17:04:11 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$ 2008-10-01 18:20:41 ----A---- C:\WINDOWS\k.txt 2008-09-29 12:48:40 ----D---- C:\Program Files\Common Files\xing shared 2008-09-29 00:02:25 ----D---- C:\Documents and Settings\Wai Hung\Application Data\Recordpad 2008-09-29 00:01:17 ----D---- C:\Documents and Settings\Wai Hung\Application Data\NCH Swift Sound 2008-09-29 00:01:17 ----D---- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound 2008-09-29 00:00:26 ----D---- C:\Program Files\NCH Software 2008-09-29 00:00:19 ----D---- C:\Program Files\NCH Swift Sound 2008-09-26 12:59:01 ----D---- C:\WINDOWS\system32\LogFiles 2008-09-20 21:38:57 ----D---- C:\Documents and Settings\Wai Hung\Application Data\Malwarebytes 2008-09-20 21:38:52 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes 2008-09-20 21:38:51 ----D---- C:\Program Files\Malwarebytes' Anti-Malware 2008-09-19 12:51:30 ----D---- C:\WINDOWS\Minidump 2008-09-18 16:51:11 ----A---- C:\WINDOWS\system32\windows_update.exe ======List of files/folders modified in the last 1 months====== 2008-10-15 19:01:01 ----D---- C:\WINDOWS\Temp 2008-10-15 19:00:51 ----RD---- C:\Program Files 2008-10-15 19:00:47 ----D---- C:\WINDOWS\Prefetch 2008-10-15 18:45:49 ----D---- C:\Program Files\Mozilla Firefox 2008-10-15 18:40:39 ----D---- C:\Documents and Settings\Wai Hung\Application Data\AdobeUM 2008-10-15 18:28:08 ----D---- C:\WINDOWS\system32 2008-10-15 18:28:08 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI 2008-10-15 18:26:20 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP 2008-10-15 18:26:02 ----D---- C:\WINDOWS 2008-10-15 18:24:19 ----A---- C:\WINDOWS\ModemLog_Bluetooth Modem.txt 2008-10-15 18:24:19 ----A---- C:\WINDOWS\ModemLog_Bluetooth Fax Modem.txt 2008-10-15 18:24:13 ----A---- C:\WINDOWS\ModemLog_Conexant HDA D330 MDC V.92 Modem.txt 2008-10-15 18:22:59 ----A---- C:\WINDOWS\SchedLgU.Txt 2008-10-15 17:04:44 ----HD---- C:\WINDOWS\inf 2008-10-15 17:04:43 ----RSHD---- C:\WINDOWS\system32\dllcache 2008-10-15 17:04:43 ----D---- C:\WINDOWS\system32\drivers 2008-10-15 17:04:40 ----HD---- C:\WINDOWS\$hf_mig$ 2008-10-15 17:04:38 ----A---- C:\WINDOWS\imsins.BAK 2008-10-15 17:03:21 ----D---- C:\WINDOWS\system32\CatRoot2 2008-10-15 09:33:08 ----D---- C:\Program Files\McAfee 2008-10-15 00:57:43 ----A---- C:\WINDOWS\ModemLog_HUAWEI Mobile Connect - 3G Modem.txt 2008-10-12 23:32:06 ----A---- C:\WINDOWS\ModemLog_HUAWEI Mobile Connect - 3G Modem #2.txt 2008-10-08 06:19:40 ----A---- C:\WINDOWS\system32\MRT.exe 2008-10-03 22:50:15 ----A---- C:\WINDOWS\cdplayer.ini 2008-09-29 17:42:07 ----D---- C:\WINDOWS\Help 2008-09-29 12:48:40 ----D---- C:\Program Files\Common Files 2008-09-29 12:48:30 ----D---- C:\Program Files\Common Files\Real 2008-09-29 12:48:26 ----A---- C:\WINDOWS\system32\rmoc3260.dll 2008-09-29 12:48:10 ----A---- C:\WINDOWS\system32\pndx5032.dll 2008-09-29 12:48:10 ----A---- C:\WINDOWS\system32\pndx5016.dll 2008-09-29 12:48:04 ----A---- C:\WINDOWS\system32\pncrt.dll 2008-09-26 15:08:19 ----D---- C:\WINDOWS\network diagnostic 2008-09-21 12:47:07 ----D---- C:\Documents and Settings\Wai Hung\Application Data\Mozilla 2008-09-18 16:41:53 ----A---- C:\WINDOWS\ModemLog_HUAWEI Mobile Connect - 3G Modem #3.txt 2008-09-18 15:40:52 ----SD---- C:\Documents and Settings\Wai Hung\Application Data\Microsoft 2008-09-18 14:32:32 ----D---- C:\Program Files\Bonjour ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)====== R1 APPDRV;APPDRV; C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS [2005-08-12 16128] R1 DLACDBHM;DLACDBHM; C:\WINDOWS\System32\Drivers\DLACDBHM.SYS [2006-08-11 12920] R1 DLARTL_M;DLARTL_M; C:\WINDOWS\System32\Drivers\DLARTL_M.SYS [2006-08-11 28184] R1 FsVga;FsVga; C:\WINDOWS\system32\DRIVERS\fsvga.sys [2004-08-04 12160] R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 36352] R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-14 14592] R1 mfehidk;McAfee Inc. mfehidk; C:\WINDOWS\system32\drivers\mfehidk.sys [2007-11-22 201320] R1 MPFP;MPFP; C:\WINDOWS\System32\Drivers\Mpfp.sys [2007-07-13 113952] R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2008-04-14 8832] R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.7.4.0; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2008-04-13 21393] R2 DLABMFSM;DLABMFSM; C:\WINDOWS\System32\DLA\DLABMFSM.SYS [2006-08-18 35096] R2 DLABOIOM;DLABOIOM; C:\WINDOWS\System32\DLA\DLABOIOM.SYS [2006-08-18 32472] R2 DLADResM;DLADResM; C:\WINDOWS\System32\DLA\DLADResM.SYS [2006-08-18 9400] R2 DLAIFS_M;DLAIFS_M; C:\WINDOWS\System32\DLA\DLAIFS_M.SYS [2006-08-18 104472] R2 DLAOPIOM;DLAOPIOM; C:\WINDOWS\System32\DLA\DLAOPIOM.SYS [2006-08-18 26008] R2 DLAPoolM;DLAPoolM; C:\WINDOWS\System32\DLA\DLAPoolM.SYS [2006-08-18 14520] R2 DLAUDF_M;DLAUDF_M; C:\WINDOWS\System32\DLA\DLAUDF_M.SYS [2006-08-18 97848] R2 DLAUDFAM;DLAUDFAM; C:\WINDOWS\System32\DLA\DLAUDFAM.SYS [2006-08-18 94648] R2 DRVNDDM;DRVNDDM; C:\WINDOWS\System32\Drivers\DRVNDDM.SYS [2006-08-11 51768] R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2006-06-19 12672] R2 Packet;Auto Internet Protocol; C:\WINDOWS\system32\DRIVERS\packet.sys [2006-12-18 12672] R2 rimmptsk;rimmptsk; C:\WINDOWS\system32\DRIVERS\rimmptsk.sys [2007-05-09 32256] R2 rimsptsk;rimsptsk; C:\WINDOWS\system32\DRIVERS\rimsptsk.sys [2007-05-09 43520] R2 rismxdp;Ricoh xD-Picture Card Driver; C:\WINDOWS\system32\DRIVERS\rixdptsk.sys [2007-05-09 37376] R2 s24trans;WLAN Transport; C:\WINDOWS\system32\DRIVERS\s24trans.sys [2007-05-29 12416] R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-14 60800] R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys [2006-11-21 45568] R3 btaudio;Bluetooth Audio Device; C:\WINDOWS\system32\drivers\btaudio.sys [2007-03-22 539072] R3 BTDriver;Bluetooth Virtual Communications Driver; C:\WINDOWS\system32\DRIVERS\btport.sys [2007-03-22 37424] R3 BTKRNL;Bluetooth Bus Enumerator; C:\WINDOWS\system32\DRIVERS\btkrnl.sys [2007-03-31 876384] R3 BTWDNDIS;Bluetooth LAN Access Server; C:\WINDOWS\system32\DRIVERS\btwdndis.sys [2007-03-22 149123] R3 btwhid;btwhid; C:\WINDOWS\system32\DRIVERS\btwhid.sys [2007-03-31 55352] R3 btwmodem;Bluetooth Fax Modem; C:\WINDOWS\system32\DRIVERS\btwmodem.sys [2007-03-22 37280] R3 BTWUSB;WIDCOMM USB Bluetooth Driver; C:\WINDOWS\System32\Drivers\btwusb.sys [2007-03-22 67960] R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-14 13952] R3 DXEC02;DXEC02; C:\WINDOWS\system32\drivers\dxec02.sys [2006-11-02 103168] R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-01-29 16168] R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-14 144384] R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368] R3 HSF_DPV;HSF_DPV; C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys [2006-11-02 989696] R3 HSFHWAZL;HSFHWAZL; C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys [2006-11-02 209152] R3 mfeavfk;McAfee Inc. mfeavfk; C:\WINDOWS\system32\drivers\mfeavfk.sys [2007-11-22 79304] R3 mfebopk;McAfee Inc. mfebopk; C:\WINDOWS\system32\drivers\mfebopk.sys [2007-11-22 35240] R3 mfesmfk;McAfee Inc. mfesmfk; C:\WINDOWS\system32\drivers\mfesmfk.sys [2007-12-02 40488] R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160] R3 NETw4x32;Intel(R) Wireless WiFi Link Adapter Driver for Windows XP 32 Bit; C:\WINDOWS\system32\DRIVERS\NETw4x32.sys [2007-08-12 2211456] R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-14 61824] R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2007-05-11 6345472] R3 OEM02Dev;Creative Camera OEM002 Driver; C:\WINDOWS\system32\DRIVERS\OEM02Dev.sys [2007-08-28 235520] R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver; C:\WINDOWS\system32\DRIVERS\OEM02Vfx.sys [2007-08-28 7424] R3 sdbus;sdbus; C:\WINDOWS\system32\DRIVERS\sdbus.sys [2008-04-14 79232] R3 STHDA;SigmaTel High Definition Audio CODEC; C:\WINDOWS\system32\drivers\sthda.sys [2007-05-06 1222840] R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2007-06-03 202912] R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128] R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208] R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520] R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-14 25856] R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 15104] R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608] R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2006-11-02 730112] S2 DgiVecp;Team MFP Comm Driver; C:\WINDOWS\System32\Drivers\DgiVecp.sys [2005-08-17 41984] S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-14 17024] S3 E100B;Intel(R) PRO Adapter Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2001-08-17 117760] S3 hwdatacard;Huawei DataCard USB Modem and USB Serial; C:\WINDOWS\system32\DRIVERS\ewusbmdm.sys [2007-10-27 101120] S3 mferkdk;McAfee Inc. mferkdk; C:\WINDOWS\system32\drivers\mferkdk.sys [2007-11-22 33832] S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-14 5504] S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-14 85248] S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-14 10880] S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-14 11136] S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552] S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-14 15232] S3 UIUSys;Conexant Setup API; C:\WINDOWS\system32\DRIVERS\UIUSYS.SYS [] S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368] S3 usbvideo;USB Video Device (WDM); C:\WINDOWS\System32\Drivers\usbvideo.sys [2008-04-14 121984] S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-14 19200] S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agp440.sys [2008-04-14 42368] S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2008-04-14 44928] S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\alim1541.sys [2008-04-14 42752] S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2008-04-14 43008] S4 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2001-08-17 13952] S4 IntelIde;IntelIde; C:\WINDOWS\system32\DRIVERS\intelide.sys [2008-04-14 5504] S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2008-04-14 40960] S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2008-04-14 42240] ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)====== R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-02-18 110592] R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2007-07-24 229376] R2 btwdins;Bluetooth Service; C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe [2007-05-17 260968] R2 EvtEng;Intel(R) PROSet/Wireless Event Log; C:\Program Files\Intel\Wireless\Bin\EvtEng.exe [2007-07-25 647168] R2 hnmsvc;Advanced Networking Service; C:\Program Files\Dell Network Assistant\hnm_svc.exe [2007-05-25 112176] R2 mcmscsvc;McAfee Services; C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [2008-01-09 767976] R2 McNASvc;McAfee Network Agent; c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe [2008-01-25 2458128] R2 McProxy;McAfee Proxy Service; c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe [2007-08-15 359248] R2 McShield;McAfee Real-time Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [2007-07-24 144704] R2 MpfService;McAfee Personal Firewall Service; C:\Program Files\McAfee\MPF\MPFSrv.exe [2007-07-18 856864] R2 MSK80Service;McAfee Anti-Spam Service; C:\Program Files\McAfee\MSK\MskSrver.exe [2007-11-26 23880] R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2007-06-06 163908] R2 RegSrvc;Intel(R) PROSet/Wireless Registry Service; C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe [2007-07-25 327680] R2 S24EventMonitor;Intel(R) PROSet/Wireless Service; C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe [2007-07-25 987136] R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912] R2 UTSCSI;CLCV0; C:\WINDOWS\system32\UTSCSI.EXE [2008-03-30 45056] R2 WLANKEEPER;Intel(R) PROSet/Wireless SSO Service; C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe [2007-07-25 294912] R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-03-30 504104] R3 McSysmon;McAfee SystemGuards; C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [2007-12-05 695624] R3 RoxMediaDB9;RoxMediaDB9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe [2006-11-05 880640] R3 RoxWatch9;Roxio Hard Drive Watcher 9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe [2006-11-05 159744] S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-14 267776] S2 Ntfrs;File Replication Service; C:\WINDOWS\system32\ntfrs.exe [] S2 O&O Defrag;O&O Defrag; C:\WINDOWS\system32\oodag.exe [] S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768] S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-07-17 138168] S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728] S3 McODS;McAfee Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe [2007-11-07 378184] S3 stllssvr;stllssvr; C:\Program Files\Common Files\SureThing Shared\stllssvr.exe [2006-09-14 73728] S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328] S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240] -----------------EOF----------------- info.txt logfile of random's system information tool 1.04 2008-10-15 19:01:10 ======Uninstall list====== -->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks\|RealPlayer\|6.0 -->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{88564CEF-20A5-4EF2-A05F-309F2EBA9B06}\setup.exe" -l0x9 -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A1A5BA3E-9ABF-4037-820B-6151022B8ACB}\setup.exe" -l0x9 -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A82F10CB-18B5-4EAC-AEF2-FA49CD565626}\setup.exe" -l0x9 -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D5BA7C09-E523-478C-9C37-A1D86C76383E}\setup.exe" -l0x9 -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F6366726-BA44-4D6A-8ECE-476E2E616AD1}\setup.exe" -l0x9 -->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf 3 Mobile Broadband-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3EAAC5FD-E209-4856-8C49-D4EA40F85032}\setup.exe" -l0x9 -removeonly Adobe Acrobat 6.0 Standard - ChineseT-->MsiExec.exe /I{AC76BA86-1028-0000-BA7E-000000000001} Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe Adobe Flash Player Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe Advanced Audio FX Engine-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{88564CEF-20A5-4EF2-A05F-309F2EBA9B06}\setup.exe" -l0x9 /remove Advanced Video FX Engine-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D5BA7C09-E523-478C-9C37-A1D86C76383E}\setup.exe" -l0x9 /remove Apple Mobile Device Support-->MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543} Apple Software Update-->MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4} Bonjour-->MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3} Broadcom 440x 10/100 Integrated Controller-->MsiExec.exe /X{612B9183-67A9-4B44-9877-2F059E35B86A} Broadcom Management Programs-->MsiExec.exe /I{C99C0593-3B48-41D9-B42F-6E035B320449} Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE} Conexant HDA D330 MDC V.92 Modem-->C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2C06&SUBSYS_14F1000F\HXFSETUP.EXE -U -Idel000f5.inf Dell Network Assistant-->MsiExec.exe /I{0240BDFB-2995-4A3F-8C96-18D41282B716} Dell Resource CD-->MsiExec.exe /X{42929F0F-CE14-47AF-9FC7-FF297A603021} Dell Support Center-->MsiExec.exe /X{E3BFEE55-39E2-4BE0-B966-89FE583822C1} Dell Touchpad-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall Dell Webcam Center-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A1A5BA3E-9ABF-4037-820B-6151022B8ACB}\setup.exe" -l0x9 /remove Dell Webcam Manager-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F6366726-BA44-4D6A-8ECE-476E2E616AD1}\setup.exe" -l0x9 /remove Digital Line Detect-->C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe -runfromtemp -l0x0009 -removeonly Express Burn-->C:\Program Files\NCH Swift Sound\ExpressBurn\uninst.exe Express Rip-->C:\Program Files\NCH Swift Sound\ExpressRip\uninst.exe Google Toolbar for Internet Explorer-->MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29} Google Toolbar for Internet Explorer-->regsvr32 /u /s "c:\program files\google\googletoolbar2.dll" High Definition Audio Driver Package - KB835221-->C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe HijackThis 2.0.2-->"F:\HijackThis.exe" /uninstall Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe" Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe" Intel(R) PROSet/Wireless Software-->C:\WINDOWS\Installer\iProInst.exe IntelliSonic Speech Enhancement-->MsiExec.exe /X{D1B5E9C8-4CCF-44E3-87D6-7C00D7DA5370} iTunes-->MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B} J2SE Runtime Environment 5.0 Update 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060} Java(TM) 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050} Java(TM) 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070} Laptop Integrated Webcam Driver (1.03.02.0719) -->C:\WINDOWS\CtDrvIns.exe -uninstall -script OEM002.uns -plugin OEM02Pin.dll -pluginres OEM02Pin.crl -nodisconprompt -langid 0x0409 Live! Cam Avatar Creator-->C:\Program Files\InstallShield Installation Information\{65D0C510-D7B6-4438-9FC8-E6B91115AB0D}\setup.exe -runfromtemp -l0x0009 -removeonly /remove Live! Cam Avatar v1.0-->C:\Program Files\InstallShield Installation Information\{1D5E29AD-39A9-4D0A-A8B6-46A6FCD8C995}\setup.exe -runfromtemp -l0x0009 -removeonly /remove Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe" McAfee SecurityCenter-->C:\Program Files\McAfee\MSC\mcuninst.exe mCore-->MsiExec.exe /I{E81667C6-2856-46D6-ABEA-6A2F42166779} mDrWiFi-->MsiExec.exe /I{F6090A17-0967-4A8A-B3C3-422A1B514D49} MediaDirect-->C:\Program Files\InstallShield Installation Information\{9C6978E8-B6D0-4AB7-A7A0-D81A74FBF745}\setup.exe -runfromtemp -l0x0009 -cluninstall mHlpDell-->MsiExec.exe /I{49D687E5-6784-431B-A0A2-2F23B8CC5A1B} Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp" Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe" Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe" Microsoft Office XP Chinese (Simplified) User Interface Pack-->MsiExec.exe /I{901E0804-6000-11D3-8CFE-0050048383C9} Microsoft Office XP English User Interface Pack-->MsiExec.exe /I{901E0409-6000-11D3-8CFE-0050048383C9} Microsoft Office XP Media Content-->MsiExec.exe /I{90300C04-6000-11D3-8CFE-0050048383C9} Microsoft Office XP Professional with FrontPage-->MsiExec.exe /I{90280404-6000-11D3-8CFE-0050048383C9} Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d} mIWA-->MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F} mLogView-->MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7} mMHouse-->MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5} Modem Diagnostic Tool-->MsiExec.exe /I{F63A3748-B93D-4360-9AD4-B064481A5C7B} Mozilla Firefox (3.0.1)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe mPfMgr-->MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5} mPfWiz-->MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9} mProSafe-->MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83} mSCfg-->MsiExec.exe /I{829CD169-E692-48E8-9BDE-A3E8D8B65538} mSSO-->MsiExec.exe /I{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB} MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF} MSXML 6.0 Parser (KB933579)-->MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E} mWlsSafe-->MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4} mWMI-->MsiExec.exe /I{63DB9CCD-2B56-4217-9A3D-507AC78320CA} mZConfig-->MsiExec.exe /I{94658027-9F16-4509-BBD7-A59FE57C3023} NetWaiting-->C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe -runfromtemp -l0x0009 -removeonly NVIDIA Drivers-->C:\WINDOWS\system32\nvudisp.exe UninstallGUI OutlookAddinSetup-->MsiExec.exe /I{9BDEF074-020E-458D-ADC5-8FF68E0C9B56} QuickSet-->C:\Program Files\InstallShield Installation Information\{C5074CC4-0E26-4716-A307-960272A90040}\setup.exe -runfromtemp -l0x0009 APPDRVNT4 -removeonly QuickTime-->MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD} Readiris Pro 10-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{14D08502-FEE4-40E5-90D3-8A967A1D8BA2}\setup.exe" -l0x9 RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks\|RealPlayer\|6.0 Roxio Creator Audio-->MsiExec.exe /I{83FFCFC7-88C6-41c6-8752-958A45325C82} Roxio Creator BDAV Plugin-->MsiExec.exe /I{880AF49C-34F7-4285-A8AD-8F7A3D1C33DC} Roxio Creator Copy-->MsiExec.exe /I{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048} Roxio Creator Data-->MsiExec.exe /I{0D397393-9B50-4c52-84D5-77E344289F87} Roxio Creator DE-->MsiExec.exe /I{C8B0680B-CDAE-4809-9F91-387B6DE00F7C} Roxio Creator Tools-->MsiExec.exe /I{0394CDC8-FABD-4ed8-B104-03393876DFDF} Roxio Drag-to-Disc-->MsiExec.exe /I{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668} Roxio Express Labeler-->MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA} Roxio MyDVD DE-->MsiExec.exe /I{D639085F-4B6E-4105-9F37-A0DBB023E2FB} Roxio Update Manager-->MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E} Samsung SCX-4200 Series-->C:\Program Files\Samsung\Samsung SCX-4200 Series\Install\Setup.exe /R Security Update for Step By Step Interactive Training (KB923723)-->"C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe" Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe" Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe" Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe" Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe" Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe" Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe" Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe" Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe" Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe" Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe" Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe" Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe" Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe" Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe" Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe" Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe" Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe" Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe" Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe" Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe" Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe" SigmaTel Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly SmarThru 4-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{90F1943D-EA4A-4460-B59F-30023F3BA69A}\Setup.exe" -l0x9 uninstall -l0009 Sonic Activation Module-->MsiExec.exe /I{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0} Switch Sound File Converter-->C:\Program Files\NCH Swift Sound\Switch\uninst.exe Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe" Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe" URL Assistant-->regsvr32 /u /s "C:\Program Files\BAE\BAE.dll" WavePad Sound Editor-->C:\Program Files\NCH Swift Sound\WavePad\uninst.exe WIDCOMM Bluetooth Software-->MsiExec.exe /X{84814E6B-2581-46EC-926A-823BD1C670F6} Windows Driver Package - Ricoh Company (rimsptsk) hdc (11/14/2006 6.00.01.04)-->C:\PROGRA~1\DIFX\7B44739871F4D539FA473F57A832EA4B6A59EF06\dpinst.exe /us C:\PROGRA~1\DIFX\UninstallScripts\4569969E1360D2854474C661EF9B4D54F143EB16 Windows Live installer-->MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320} Windows Live Messenger-->MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0} Windows Live Sign-in Assistant-->MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986} Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe" WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe 思佳围棋 3.3.7-->C:\Program Files\思佳围棋\uninst.exe 美女麻将-->C:\PROGRA~1\美女麻将\UNWISE.EXE C:\PROGRA~1\美女麻将\INSTALL.LOG 美眉麻将 -->C:\Program Files\MMMJ\uninst.exe 谷歌拼音输入法-->"C:\Program Files\Google\Google Pinyin\Uninstall.exe" ======Security center information====== AV: McAfee VirusScan FW: McAfee Personal Firewall ======Environment variables====== "ComSpec"=%SystemRoot%\system32\cmd.exe "Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\;C:\Program Files\QuickTime\QTSystem\ "windir"=%SystemRoot% "FP_NO_HOST_CHECK"=NO "OS"=Windows_NT "PROCESSOR_ARCHITECTURE"=x86 "PROCESSOR_LEVEL"=6 "PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 13, GenuineIntel "PROCESSOR_REVISION"=0f0d "NUMBER_OF_PROCESSORS"=2 "PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH "TEMP"=%SystemRoot%\TEMP "TMP"=%SystemRoot%\TEMP "RoxioCentral"=C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\ "CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip "QTJAVA"=C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip -----------------EOF-----------------

10-15-2008, 02:50 AM	#4 (permalink)
Katana Analyst, Security Team Join Date: Nov 2007 Location: Manchester, UK Posts: 1,361 OS: W2K SP4 + XP SP2 + Vista	Re: Infected with Trojan *Step 1* Flash Disinfector by sUBs Please download Flash_Disinfector.exe by sUBs and save it to your desktop: * Double-click Flash_Disinfector.exe to run it. * Follow any prompts that may appear. * Wait until the program has finished scanning, then please exit the program. The tool may ask you to insert your flash drive, or other removable drives. Please do so and allow the tool to clean it up as well. Please restart your computer. ----------------------------------------------------------- ----------------------------------------------------------- *Step 2* Download and Run ComboFix (by sUBs) Please visit this webpage for instructions for downloading and running ComboFix: Bleeping Computer ComboFix Tutorial Post the log from ComboFix when you've accomplished that, along with a new HijackThis log. A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use. ComboFix SHOULD NOT be used unless requested by a forum helper ----------------------------------------------------------- ----------------------------------------------------------- *Step 3* Kaspersky Online Scanner . Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal NOTE:- This scan is best done from IE (Internet Explorer) NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin Go Here http://www.kaspersky.com/kos/eng/par...avwebscan.html Read the Requirements and limitations before you click Accept. Once the database has downloaded, click My Computer in the left pane Now go and put the kettle on ! When the scan has completed, click Save Report As... Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (.txt) Click Save* - by default the file will be saved to your Desktop, but you can change this if you wish. Note To optimize scanning time and produce a more sensible report for review: Close any open programs. Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan. Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%. ----------------------------------------------------------- ----------------------------------------------------------- *Step 4* Remove Programs Now click Start---Control Panel. Double click Add or Remove Programs (XP) / Programs and Features (Vista) . If any of the following programs are listed there, click on the program to highlight it, and click on remove. J2SE Runtime Environment 5.0 Update 6 Java(TM) 6 Update 5 Now close the Control Panel. ----------------------------------------------------------- ----------------------------------------------------------- *Step 5* Logs/Information to Post in Reply Please post the following logs/Information in your reply ComboFix Log Kaspersky Log How are things running now ? __________________

10-19-2008, 05:46 AM	#5 (permalink)
YSJR Registered User Join Date: Oct 2008 Posts: 10 OS: XP	Re: Infected with Trojan Dear Katana, All steps done. Below is the ComboFix log. Kaspersky says no threats. The internet connection is still interrupted once in a while but seems to be much improved. Thanks. ComboFix 08-10-15.05 - Wai Hung 2008-10-16 17:01:16.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.936.86.1033.18.2479 [GMT 11:00] 执行位置: C:\Documents and Settings\Wai Hung\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Wai Hung\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe * 成功创造新还原点 * Resident AV is active . ((((((((((((((((((((((((((((((((((((((( 被删除的档案 ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\k.txt C:\WINDOWS\system32\m.ico C:\WINDOWS\system32\p.ico C:\WINDOWS\system32\s.ico C:\WINDOWS\system32\windows_update.exe . ((((((((((((((((((((((((((((((((((((((( 驱动/服务 ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_PACKET -------\Legacy_TDSSSERV -------\Service_Packet -------\Service_TDSSserv ((((((((((((((((((((((((( 2008-09-16 至 2008-10-16 的新的档案 ))))))))))))))))))))))))))))))) . 2008-10-15 19:00 . 2008-10-15 19:01 <DIR> d-------- C:\rsit 2008-10-15 19:00 . 2008-10-15 19:01 <DIR> d-------- C:\Program Files\trend micro 2008-10-15 17:00 . 2008-08-14 21:11 2,189,184 --------- C:\WINDOWS\system32\dllcache\ntoskrnl.exe 2008-10-15 17:00 . 2008-08-14 21:09 2,145,280 --------- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe 2008-10-15 17:00 . 2008-08-14 20:33 2,066,048 --------- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe 2008-10-15 17:00 . 2008-08-14 20:33 2,023,936 --------- C:\WINDOWS\system32\dllcache\ntkrpamp.exe 2008-10-15 17:00 . 2008-09-15 23:12 1,846,400 --------- C:\WINDOWS\system32\dllcache\win32k.sys 2008-10-15 17:00 . 2008-09-08 21:41 333,824 --------- C:\WINDOWS\system32\dllcache\srv.sys 2008-09-29 12:48 . 2008-09-29 12:48 <DIR> d-------- C:\Program Files\Common Files\xing shared 2008-09-29 00:02 . 2008-09-29 00:02 <DIR> d-------- C:\Documents and Settings\Wai Hung\Application Data\Recordpad 2008-09-29 00:01 . 2008-09-29 00:02 <DIR> d-------- C:\Documents and Settings\Wai Hung\Application Data\NCH Swift Sound 2008-09-29 00:01 . 2008-09-29 00:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound 2008-09-29 00:00 . 2008-10-09 10:29 <DIR> d-------- C:\Program Files\NCH Swift Sound 2008-09-29 00:00 . 2008-09-29 00:00 <DIR> d-------- C:\Program Files\NCH Software 2008-09-26 12:59 . 2008-09-26 12:59 <DIR> d-------- C:\WINDOWS\system32\LogFiles 2008-09-20 22:24 . 2008-10-12 15:02 <DIR> d-------- C:\Documents and Settings\Wai Hung\.housecall6.6 2008-09-20 21:38 . 2008-10-07 20:59 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware 2008-09-20 21:38 . 2008-09-20 21:38 <DIR> d-------- C:\Documents and Settings\Wai Hung\Application Data\Malwarebytes 2008-09-20 21:38 . 2008-09-20 21:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes 2008-09-20 21:38 . 2008-09-10 01:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys 2008-09-20 21:38 . 2008-09-10 01:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys . (((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-10-16 06:05 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP 2008-10-15 07:40 --------- d-----w C:\Documents and Settings\Wai Hung\Application Data\AdobeUM 2008-10-14 22:33 --------- d-----w C:\Program Files\McAfee 2008-09-29 06:32 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Roxio 2008-09-29 01:48 --------- d-----w C:\Program Files\Common Files\Real 2008-09-19 02:07 84,624 ----a-w C:\Documents and Settings\Wai Hung\Application Data\GDIPFONTCACHEV1.DAT 2008-09-18 03:32 --------- d-----w C:\Program Files\Bonjour 2008-09-15 12:12 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys 2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys 2008-08-14 10:09 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe 2008-08-14 10:04 138,496 ------w C:\WINDOWS\system32\dllcache\afd.sys 2008-08-14 09:33 2,023,936 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe 2008-07-18 12:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll 2008-07-18 12:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll 2008-07-18 12:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe 2008-07-18 12:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe 2008-07-18 12:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll 2008-07-18 12:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll 2008-07-18 12:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll 2008-07-18 12:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll 2008-07-18 12:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll 2008-07-18 12:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll 2008-07-18 12:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll 2008-07-18 12:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll 2008-07-18 12:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll 2008-07-18 12:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll 2008-07-18 12:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll 2008-07-18 12:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll 2008-07-18 12:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll 2008-01-15 19:52 76 --sh--r C:\WINDOWS\CT4CET.bin . ((((((((((((((((((((((((((((((((((((( 重要登入点 )))))))))))))))))))))))))))))))))))))))))))))))))) . . 注意空白与合法缺省登录将不会被显示 REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-03 851968] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-05-11 8429568] "OEM02Mon.exe"="C:\WINDOWS\OEM02Mon.exe" [2007-08-28 36864] "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952] "MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392] "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168] "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784] "IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296] "IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848] "DELL Webcam Manager"="C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784] "Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936] "KADxMain"="C:\WINDOWS\system32\KADxMain.exe" [2006-11-02 282624] "ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184] "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920] "RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184] "RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920] "mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 582992] "dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384] "PCMService"="C:\Program Files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320] "Google IME Autoupdater"="C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe" [2008-08-05 308720] "Samsung PanelMgr"="C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe" [2005-10-31 503808] "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 413696] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 267048] "nwiz"="nwiz.exe" [2007-05-11 C:\WINDOWS\system32\nwiz.exe] "NVHotkey"="nvHotkey.dll" [2007-05-11 C:\WINDOWS\system32\nvhotkey.dll] "NvMediaCenter"="NvMCTray.dll" [2007-06-06 C:\WINDOWS\system32\nvmctray.dll] "SigmatelSysTrayApp"="stsystra.exe" [2007-05-06 C:\WINDOWS\stsystra.exe] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193] Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-05-17 568176] Dell Network Assistant.lnk - C:\WINDOWS\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2008-01-16 7168] Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2008-01-16 50688] Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360] [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"= "C:\\Program Files\\Bonjour\\mDNSResponder.exe"= "C:\\Program Files\\iTunes\\iTunes.exe"= "C:\\Program Files\\Messenger\\msmsgs.exe"= "C:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"= "C:\\Program Files\\Mozilla Firefox\\firefox.exe"= "C:\\Program Files\\3 Mobile\\3 Mobile Broadband\\3 Mobile Broadband.exe"= "C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"= "C:\\Program Files\\美女麻将\\美女麻将.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"= "C:\\Program Files\\Real\\RealPlayer\\realplay.exe"= "C:\\Program Files\\?à???é??\\?à???é??.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "10421:UDP"= 10421:UDP:SingleClick Discovery Protocol "10426:UDP"= 10426:UDP:SingleClick ICC "26406:TCP"= 26406:TCP::Disabled:BitCometBeta 26406 TCP "26406:UDP"= 26406:UDP::Disabled:BitCometBeta 26406 UDP "8949:TCP"= 8949:TCP::Disabled:BitCometBeta 8949 TCP "8949:UDP"= 8949:UDP::Disabled:BitCometBeta 8949 UDP "14335:TCP"= 14335:TCP::Disabled:BitCometBeta 14335 TCP "14335:UDP"= 14335:UDP::Disabled:BitCometBeta 14335 UDP "26829:TCP"= 26829:TCP::Disabled:BitCometBeta 26829 TCP "26829:UDP"= 26829:UDP::Disabled:BitCometBeta 26829 UDP "14568:TCP"= 14568:TCP::Disabled:BitCometBeta 14568 TCP "14568:UDP"= 14568:UDP::Disabled:BitCometBeta 14568 UDP "8396:TCP"= 8396:TCP::Disabled:BitCometBeta 8396 TCP "8396:UDP"= 8396:UDP::Disabled:BitCometBeta 8396 UDP "11839:TCP"= 11839:TCP::Disabled:BitCometBeta 11839 TCP "11839:UDP"= 11839:UDP::Disabled:BitCometBeta 11839 UDP "6881:TCP"= 6881:TCP::Disabled:BT1 "6882:TCP"= 6882:TCP::Disabled:BT2 "6883:TCP"= 6883:TCP::Disabled:BT3 "6884:TCP"= 6884:TCP::Disabled:BT4 "6885:TCP"= 6885:TCP::Disabled:BT5 "6886:TCP"= 6886:TCP::Disabled:BT6 "6887:TCP"= 6887:TCP::Disabled:BT7 "6888:TCP"= 6888:TCP::Disabled:BT8 "6889:TCP"= 6889:TCP::Disabled:BT9 "6881:UDP"= 6881:UDP::Disabled:BT1a "6882:UDP"= 6882:UDP::Disabled:BT2a "6883:UDP"= 6883:UDP::Disabled:BT3 "6884:UDP"= 6884:UDP::Disabled:BT4 "6885:UDP"= 6885:UDP::Disabled:BT5 "6886:UDP"= 6886:UDP::Disabled:BT6 "6887:UDP"= 6887:UDP::Disabled:BT7 "6888:UDP"= 6888:UDP::Disabled:BT8 "6889:UDP"= 6889:UDP::Disabled:BT9 "7975:TCP"= 7975:TCP::Disabled:BitCometBeta 7975 TCP "7975:UDP"= 7975:UDP::Disabled:BitCometBeta 7975 UDP "15953:TCP"= 15953:TCP::Disabled:BitCometBeta 15953 TCP "15953:UDP"= 15953:UDP::Disabled:BitCometBeta 15953 UDP "10509:TCP"= 10509:TCP::Disabled:BitCometBeta 10509 TCP "10509:UDP"= 10509:UDP::Disabled:BitCometBeta 10509 UDP "9300:TCP"= 9300:TCP::Disabled:BitCometBeta 9300 TCP "9300:UDP"= 9300:UDP::Disabled:BitCometBeta 9300 UDP "20952:TCP"= 20952:TCP::Disabled:BitCometBeta 20952 TCP "20952:UDP"= 20952:UDP::Disabled:BitCometBeta 20952 UDP "23593:TCP"= 23593:TCP::Disabled:BitCometBeta 23593 TCP "23593:UDP"= 23593:UDP::Disabled:BitCometBeta 23593 UDP "10181:TCP"= 10181:TCP::Disabled:BitCometBeta 10181 TCP "10181:UDP"= 10181:UDP::Disabled:BitCometBeta 10181 UDP "23813:TCP"= 23813:TCP::Disabled:BitCometBeta 23813 TCP "23813:UDP"= 23813:UDP::Disabled:BitCometBeta 23813 UDP "24551:TCP"= 24551:TCP::Disabled:BitCometBeta 24551 TCP "24551:UDP"= 24551:UDP::Disabled:BitCometBeta 24551 UDP "19585:TCP"= 19585:TCP::Disabled:BitCometBeta 19585 TCP "19585:UDP"= 19585:UDP::Disabled:BitCometBeta 19585 UDP "60000:TCP"= 60000:TCP::Disabled:BitCometBeta 60000 TCP "60000:UDP"= 60000:UDP::Disabled:BitCometBeta 60000 UDP R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-11 28184] R3 OEM02Dev;Creative Camera OEM002 Driver;C:\WINDOWS\system32\DRIVERS\OEM02Dev.sys [2007-08-28 235520] R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;C:\WINDOWS\system32\DRIVERS\OEM02Vfx.sys [2007-08-28 7424] S0 vqdtdkez;vqdtdkez;C:\WINDOWS\system32\drivers\vcwnletv.sys [ ] S2 Ntfrs;File Replication Service;C:\WINDOWS\system32\ntfrs.exe [ ] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1978580e-3d41-11dd-a0e9-001e4cdce70b}] \Shell\AutoRun\command - E:\AutoRun.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1978580f-3d41-11dd-a0e9-001e4cdce70b}] \Shell\AutoRun\command - E:\AutoRun.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{29fd6c55-fa58-11dc-a01f-001d09c1a02d}] \Shell\AutoRun\command - E:\AutoRun.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a92e16c-0953-11dd-a04d-001d09c1a02d}] \Shell\AutoRun\command - E:\AutoRun.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a92e16d-0953-11dd-a04d-001d09c1a02d}] \Shell\AutoRun\command - G:\AutoRun.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3960e02a-69f9-11dd-a18d-001e4cdce70b}] \Shell\AutoRun\command - E:\AutoRun.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3f18f8c8-621e-11dd-a16d-001e4cdce70b}] \Shell\AutoRun\command - E:\AutoRun.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{68f6687f-fe38-11dc-a02b-001d09c1a02d}] \Shell\AutoRun\command - F:\AutoRun.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{68f66880-fe38-11dc-a02b-001d09c1a02d}] \Shell\AutoRun\command - E:\AutoRun.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9eb4df16-852f-11dd-a1de-001e4cdce70b}] \Shell\AutoRun\command - E:\AutoRun.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b1ccaf18-36e5-11dd-a0d8-001e4cdce70b}] \Shell\AutoRun\command - E:\AutoRun.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b1ccaf1a-36e5-11dd-a0d8-001e4cdce70b}] \Shell\AutoRun\command - E:\AutoRun.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b1ccaf1b-36e5-11dd-a0d8-001e4cdce70b}] \Shell\AutoRun\command - E:\AutoRun.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b1ccaf1c-36e5-11dd-a0d8-001e4cdce70b}] \Shell\AutoRun\command - E:\AutoRun.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b1ccaf1d-36e5-11dd-a0d8-001e4cdce70b}] \Shell\AutoRun\command - E:\AutoRun.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7e15db8-ff1c-11dc-a030-001d09c1a02d}] \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL SysAuto.exe \Shell\′ò?a(&O)\command - E:\SysAuto.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c9150259-602d-11dd-a165-001e4cdce70b}] \Shell\AutoRun\command - E:\AutoRun.exe . ‘计划任务’ 文件夹里的内容 2008-05-14 C:\WINDOWS\Tasks\McDefragTask.job - c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 14:32] 2008-08-31 C:\WINDOWS\Tasks\McQcTask.job - c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 14:32] . . ------- 而外的扫描 ------- . FireFox -: Profile - C:\Documents and Settings\Wai Hung\Application Data\Mozilla\Firefox\Profiles\5jcbqwcp.default\ FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.ec-clinic.com/ FF -: plugin - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\browser\nppdf32.dll FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll . ************************************************************************ catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-10-16 17:05:32 Windows 5.1.2600 Service Pack 3 NTFS 扫描被隐藏的进程。。。 ... 扫描被隐藏的启动组。。。扫描被隐藏的文件。。。扫描完成被隐藏的档案: 0 ********************************************************************** . --------------------- 运行进程下的动态链接库 --------------------- PROCESS: C:\WINDOWS\explorer.exe -> C:\WINDOWS\system32\nview.dll . ------------------------ 其他运行进程 ------------------------ . C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\WINDOWS\system32\conime.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Dell Network Assistant\hnm_svc.exe C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe C:\Program Files\McAfee\MPF\MpfSrv.exe C:\Program Files\McAfee\MSK\msksrver.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\WINDOWS\system32\wdfmgr.exe C:\WINDOWS\system32\UTSCSI.EXE C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe C:\Program Files\iPod\bin\iPodService.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe . ************************************************************************ . 完成时间: 2008-10-16 17:10:06 - 电脑已重新启动 ComboFix-quarantined-files.txt 2008-10-16 06:10:00 Pre-Run: 118,340,354,048 bytes free Post-Run: 118,407,192,576 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS [operating systems] C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect 314 --- E O F --- 2008-10-15 06:04:45

10-21-2008, 10:59 PM	#7 (permalink)
YSJR Registered User Join Date: Oct 2008 Posts: 10 OS: XP	Re: Infected with Trojan Dear Katana, Here are the logs, thanks. ComboFix 08-10-15.05 - Wai Hung 2008-10-22 12:01:46.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.936.86.1033.18.2475 [GMT 11:00] 执行位置: C:\Documents and Settings\Wai Hung\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Wai Hung\Desktop\CFScript.txt * 成功创造新还原点 * Resident AV is active . ((((((((((((((((((((((((((((((((((((((( 被删除的档案 ))))))))))))))))))))))))))))))))))))))))))))))))) . . ((((((((((((((((((((((((((((((((((((((( 驱动/服务 ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_NTFRS -------\Legacy_PACKET -------\Legacy_TDSSSERV -------\Service_Ntfrs -------\Service_vqdtdkez ((((((((((((((((((((((((( 2008-09-22 至 2008-10-22 的新的档案 ))))))))))))))))))))))))))))))) . 2008-10-15 19:00 . 2008-10-15 19:01 <DIR> d-------- C:\rsit 2008-10-15 19:00 . 2008-10-15 19:01 <DIR> d-------- C:\Program Files\trend micro 2008-10-15 17:00 . 2008-08-14 21:11 2,189,184 --------- C:\WINDOWS\system32\dllcache\ntoskrnl.exe 2008-10-15 17:00 . 2008-08-14 21:09 2,145,280 --------- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe 2008-10-15 17:00 . 2008-08-14 20:33 2,066,048 --------- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe 2008-10-15 17:00 . 2008-08-14 20:33 2,023,936 --------- C:\WINDOWS\system32\dllcache\ntkrpamp.exe 2008-10-15 17:00 . 2008-09-15 23:12 1,846,400 --------- C:\WINDOWS\system32\dllcache\win32k.sys 2008-10-15 17:00 . 2008-09-08 21:41 333,824 --------- C:\WINDOWS\system32\dllcache\srv.sys 2008-09-29 12:48 . 2008-09-29 12:48 <DIR> d-------- C:\Program Files\Common Files\xing shared 2008-09-29 00:02 . 2008-09-29 00:02 <DIR> d-------- C:\Documents and Settings\Wai Hung\Application Data\Recordpad 2008-09-29 00:01 . 2008-09-29 00:02 <DIR> d-------- C:\Documents and Settings\Wai Hung\Application Data\NCH Swift Sound 2008-09-29 00:01 . 2008-09-29 00:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound 2008-09-29 00:00 . 2008-10-09 10:29 <DIR> d-------- C:\Program Files\NCH Swift Sound 2008-09-29 00:00 . 2008-09-29 00:00 <DIR> d-------- C:\Program Files\NCH Software 2008-09-26 12:59 . 2008-09-26 12:59 <DIR> d-------- C:\WINDOWS\system32\LogFiles . (((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-10-22 01:06 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP 2008-10-21 10:49 --------- d-----w C:\Program Files\McAfee 2008-10-17 01:44 --------- d-----w C:\Program Files\Java 2008-10-15 07:40 --------- d-----w C:\Documents and Settings\Wai Hung\Application Data\AdobeUM 2008-10-07 09:59 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware 2008-09-29 06:32 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Roxio 2008-09-29 01:48 --------- d-----w C:\Program Files\Common Files\Real 2008-09-20 10:38 --------- d-----w C:\Documents and Settings\Wai Hung\Application Data\Malwarebytes 2008-09-20 10:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes 2008-09-19 02:07 84,624 ----a-w C:\Documents and Settings\Wai Hung\Application Data\GDIPFONTCACHEV1.DAT 2008-09-18 03:32 --------- d-----w C:\Program Files\Bonjour 2008-09-15 12:12 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys 2008-09-09 14:04 38,528 ----a-w C:\WINDOWS\system32\drivers\mbamswissarmy.sys 2008-09-09 14:03 17,200 ----a-w C:\WINDOWS\system32\drivers\mbam.sys 2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys 2008-08-14 10:09 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe 2008-08-14 10:04 138,496 ------w C:\WINDOWS\system32\dllcache\afd.sys 2008-08-14 09:33 2,023,936 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe 2008-01-15 19:52 76 --sh--r C:\WINDOWS\CT4CET.bin . ((((((((((((((((((((((((((((( snapshot@2008-10-16_17.09.37.65 ))))))))))))))))))))))))))))))))))))))))) . - 2008-10-16 03:35:54 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat + 2008-10-21 22:38:28 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat - 2008-10-16 03:35:54 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat + 2008-10-21 22:38:28 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat . ((((((((((((((((((((((((((((((((((((( 重要登入点 )))))))))))))))))))))))))))))))))))))))))))))))))) . . 注意空白与合法缺省登录将不会被显示 REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-03 851968] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-05-11 8429568] "OEM02Mon.exe"="C:\WINDOWS\OEM02Mon.exe" [2007-08-28 36864] "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952] "MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392] "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168] "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168] "IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296] "IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848] "DELL Webcam Manager"="C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784] "Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936] "KADxMain"="C:\WINDOWS\system32\KADxMain.exe" [2006-11-02 282624] "RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184] "RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920] "mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 582992] "dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384] "PCMService"="C:\Program Files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320] "Google IME Autoupdater"="C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe" [2008-08-05 308720] "Samsung PanelMgr"="C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe" [2005-10-31 503808] "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 413696] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 267048] "nwiz"="nwiz.exe" [2007-05-11 C:\WINDOWS\system32\nwiz.exe] "NVHotkey"="nvHotkey.dll" [2007-05-11 C:\WINDOWS\system32\nvhotkey.dll] "NvMediaCenter"="NvMCTray.dll" [2007-06-06 C:\WINDOWS\system32\nvmctray.dll] "SigmatelSysTrayApp"="stsystra.exe" [2007-05-06 C:\WINDOWS\stsystra.exe] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193] Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-05-17 568176] Dell Network Assistant.lnk - C:\WINDOWS\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2008-01-16 7168] Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2008-01-16 50688] Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360] [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"= "C:\\Program Files\\Bonjour\\mDNSResponder.exe"= "C:\\Program Files\\iTunes\\iTunes.exe"= "C:\\Program Files\\Messenger\\msmsgs.exe"= "C:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"= "C:\\Program Files\\Mozilla Firefox\\firefox.exe"= "C:\\Program Files\\3 Mobile\\3 Mobile Broadband\\3 Mobile Broadband.exe"= "C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"= "C:\\Program Files\\美女麻将\\美女麻将.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"= "C:\\Program Files\\Real\\RealPlayer\\realplay.exe"= "C:\\Program Files\\?à???é??\\?à???é??.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "10421:UDP"= 10421:UDP:SingleClick Discovery Protocol "10426:UDP"= 10426:UDP:SingleClick ICC R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-11 28184] R3 OEM02Dev;Creative Camera OEM002 Driver;C:\WINDOWS\system32\DRIVERS\OEM02Dev.sys [2007-08-28 235520] R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;C:\WINDOWS\system32\DRIVERS\OEM02Vfx.sys [2007-08-28 7424] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{943cef6d-6935-11dd-a189-001e4cdce70b}] \Shell\AutoRun\command - E:\AutoRun.exe . ‘计划任务’ 文件夹里的内容 2008-05-14 C:\WINDOWS\Tasks\McDefragTask.job - c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 14:32] 2008-08-31 C:\WINDOWS\Tasks\McQcTask.job - c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 14:32] . ************************************************************************ catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-10-22 1235 Windows 5.1.2600 Service Pack 3 NTFS 扫描被隐藏的进程。。。 ... 扫描被隐藏的启动组。。。扫描被隐藏的文件。。。扫描完成被隐藏的档案: 0 ********************************************************************** . --------------------- 运行进程下的动态链接库 --------------------- PROCESS: C:\WINDOWS\explorer.exe -> C:\WINDOWS\system32\nview.dll . ------------------------ 其他运行进程 ------------------------ . C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\WINDOWS\system32\conime.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Dell Network Assistant\hnm_svc.exe C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe C:\Program Files\McAfee\MPF\MpfSrv.exe C:\Program Files\McAfee\MSK\msksrver.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\WINDOWS\system32\wdfmgr.exe C:\WINDOWS\system32\UTSCSI.EXE C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe C:\Program Files\iPod\bin\iPodService.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe . ********************************************************************** . 完成时间: 2008-10-22 12:11:08 - 电脑已重新启动 ComboFix-quarantined-files.txt 2008-10-22 01:11:02 ComboFix2.txt 2008-10-16 06:10:08 Pre-Run: 118,417,354,752 bytes free Post-Run: 118,457,208,832 bytes free 194 --- E O F --- 2008-10-15 06:04:45 AND THE SCAN LOG: ANALYSIS: 2008-10-22 15:37:51 PROTECTIONS: 2 MALWARE: 11 SUSPECTS: 1 ;********************************************************************************************************************************************************************************* PROTECTIONS Description Version Active Updated ;=================================================================================================================================================================================== McAfee Internet Security Suite 2007 8.1 No Yes McAfee VirusScan Plus 12.1 No No ;=================================================================================================================================================================================== MALWARE Id Description Type Active Severity Disinfectable Disinfected Location ;=================================================================================================================================================================================== 00034347 dialer.su Dialers No 0 Yes No hkey_local_machine\software\microsoft\windows\currentversion\uninstall\switch 00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Wai Hung\Cookies\wai_hung@doubleclick[1].txt 00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Wai Hung\Cookies\wai_hung@atdmt[2].txt 00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Wai Hung\Cookies\wai_hung@tribalfusion[1].txt 00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Wai Hung\Cookies\wai_hung@bs.serving-sys[1].txt 00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\Wai Hung\Cookies\wai_hung@statse.webtrendslive[1].txt 00366244 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\Wai Hung\Desktop\Flash_Disinfector.exe[C:\Documents and Settings\Wai Hung\Desktop\Flash_Disinfector.exe][nircmd.exe] 01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP178\A0039240.EXE 01196325 Cookie/Enhance TrackingCookie No 0 Yes No C:\Documents and Settings\Wai Hung\Cookies\wai_hung@enhance[2].txt 02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP178\A0039226.sys 02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP173\A0037794.sys 03738686 Generic Malware Virus/Trojan No 0 No No C:\Documents and Settings\Wai Hung\Desktop\ComboFix.exe[32788R22FWJFW\catchme.cfexe] ;=================================================================================================================================================================================== SUSPECTS Sent Location Y ;=================================================================================================================================================================================== No C:\Documents and Settings\Wai Hung\Desktop\ComboFix.exe[32788R22FWJFW\psexec.cfexe] Y ;=================================================================================================================================================================================== VULNERABILITIES Id Severity Description Y ;=================================================================================================================================================================================== ;===================================================================================================================================================================================

10-22-2008, 06:41 AM	#8 (permalink)
Katana Analyst, Security Team Join Date: Nov 2007 Location: Manchester, UK Posts: 1,361 OS: W2K SP4 + XP SP2 + Vista	Re: Infected with Trojan Custom CFScript Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below: Code: Registry:: [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{943cef6d-6935-11dd-a189-001e4cdce70b}] Save this as CFScript.txt and place it on your desktop. Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal. When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply. CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall. Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system. A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use. ComboFix SHOULD NOT be used unless requested by a forum helper How are things running now ? any problems still ? __________________

10-25-2008, 06:04 PM	#9 (permalink)
YSJR Registered User Join Date: Oct 2008 Posts: 10 OS: XP	Re: Infected with Trojan Dear Katana, Below are the reports. Seems to have improved but the connection still stops automatically, when I have to turn off and on the modem to re-connect. I haven't done anything to disinfect after the scan. Thanks. ComboFix 08-10-15.05 - Wai Hung 2008-10-22 12:01:46.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.936.86.1033.18.2475 [GMT 11:00] 执行位置: C:\Documents and Settings\Wai Hung\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Wai Hung\Desktop\CFScript.txt * 成功创造新还原点 * Resident AV is active . ((((((((((((((((((((((((((((((((((((((( 被删除的档案 ))))))))))))))))))))))))))))))))))))))))))))))))) . . ((((((((((((((((((((((((((((((((((((((( 驱动/服务 ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_NTFRS -------\Legacy_PACKET -------\Legacy_TDSSSERV -------\Service_Ntfrs -------\Service_vqdtdkez ((((((((((((((((((((((((( 2008-09-22 至 2008-10-22 的新的档案 ))))))))))))))))))))))))))))))) . 2008-10-15 19:00 . 2008-10-15 19:01 <DIR> d-------- C:\rsit 2008-10-15 19:00 . 2008-10-15 19:01 <DIR> d-------- C:\Program Files\trend micro 2008-10-15 17:00 . 2008-08-14 21:11 2,189,184 --------- C:\WINDOWS\system32\dllcache\ntoskrnl.exe 2008-10-15 17:00 . 2008-08-14 21:09 2,145,280 --------- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe 2008-10-15 17:00 . 2008-08-14 20:33 2,066,048 --------- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe 2008-10-15 17:00 . 2008-08-14 20:33 2,023,936 --------- C:\WINDOWS\system32\dllcache\ntkrpamp.exe 2008-10-15 17:00 . 2008-09-15 23:12 1,846,400 --------- C:\WINDOWS\system32\dllcache\win32k.sys 2008-10-15 17:00 . 2008-09-08 21:41 333,824 --------- C:\WINDOWS\system32\dllcache\srv.sys 2008-09-29 12:48 . 2008-09-29 12:48 <DIR> d-------- C:\Program Files\Common Files\xing shared 2008-09-29 00:02 . 2008-09-29 00:02 <DIR> d-------- C:\Documents and Settings\Wai Hung\Application Data\Recordpad 2008-09-29 00:01 . 2008-09-29 00:02 <DIR> d-------- C:\Documents and Settings\Wai Hung\Application Data\NCH Swift Sound 2008-09-29 00:01 . 2008-09-29 00:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound 2008-09-29 00:00 . 2008-10-09 10:29 <DIR> d-------- C:\Program Files\NCH Swift Sound 2008-09-29 00:00 . 2008-09-29 00:00 <DIR> d-------- C:\Program Files\NCH Software 2008-09-26 12:59 . 2008-09-26 12:59 <DIR> d-------- C:\WINDOWS\system32\LogFiles . (((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-10-22 01:06 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP 2008-10-21 10:49 --------- d-----w C:\Program Files\McAfee 2008-10-17 01:44 --------- d-----w C:\Program Files\Java 2008-10-15 07:40 --------- d-----w C:\Documents and Settings\Wai Hung\Application Data\AdobeUM 2008-10-07 09:59 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware 2008-09-29 06:32 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Roxio 2008-09-29 01:48 --------- d-----w C:\Program Files\Common Files\Real 2008-09-20 10:38 --------- d-----w C:\Documents and Settings\Wai Hung\Application Data\Malwarebytes 2008-09-20 10:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes 2008-09-19 02:07 84,624 ----a-w C:\Documents and Settings\Wai Hung\Application Data\GDIPFONTCACHEV1.DAT 2008-09-18 03:32 --------- d-----w C:\Program Files\Bonjour 2008-09-15 12:12 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys 2008-09-09 14:04 38,528 ----a-w C:\WINDOWS\system32\drivers\mbamswissarmy.sys 2008-09-09 14:03 17,200 ----a-w C:\WINDOWS\system32\drivers\mbam.sys 2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys 2008-08-14 10:09 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe 2008-08-14 10:04 138,496 ------w C:\WINDOWS\system32\dllcache\afd.sys 2008-08-14 09:33 2,023,936 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe 2008-01-15 19:52 76 --sh--r C:\WINDOWS\CT4CET.bin . ((((((((((((((((((((((((((((( snapshot@2008-10-16_17.09.37.65 ))))))))))))))))))))))))))))))))))))))))) . - 2008-10-16 03:35:54 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat + 2008-10-21 22:38:28 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat - 2008-10-16 03:35:54 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat + 2008-10-21 22:38:28 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat . ((((((((((((((((((((((((((((((((((((( 重要登入点 )))))))))))))))))))))))))))))))))))))))))))))))))) . . 注意空白与合法缺省登录将不会被显示 REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-03 851968] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-05-11 8429568] "OEM02Mon.exe"="C:\WINDOWS\OEM02Mon.exe" [2007-08-28 36864] "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952] "MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392] "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168] "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168] "IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296] "IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848] "DELL Webcam Manager"="C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784] "Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936] "KADxMain"="C:\WINDOWS\system32\KADxMain.exe" [2006-11-02 282624] "RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184] "RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920] "mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 582992] "dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384] "PCMService"="C:\Program Files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320] "Google IME Autoupdater"="C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe" [2008-08-05 308720] "Samsung PanelMgr"="C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe" [2005-10-31 503808] "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 413696] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 267048] "nwiz"="nwiz.exe" [2007-05-11 C:\WINDOWS\system32\nwiz.exe] "NVHotkey"="nvHotkey.dll" [2007-05-11 C:\WINDOWS\system32\nvhotkey.dll] "NvMediaCenter"="NvMCTray.dll" [2007-06-06 C:\WINDOWS\system32\nvmctray.dll] "SigmatelSysTrayApp"="stsystra.exe" [2007-05-06 C:\WINDOWS\stsystra.exe] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193] Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-05-17 568176] Dell Network Assistant.lnk - C:\WINDOWS\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2008-01-16 7168] Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2008-01-16 50688] Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360] [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"= "C:\\Program Files\\Bonjour\\mDNSResponder.exe"= "C:\\Program Files\\iTunes\\iTunes.exe"= "C:\\Program Files\\Messenger\\msmsgs.exe"= "C:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"= "C:\\Program Files\\Mozilla Firefox\\firefox.exe"= "C:\\Program Files\\3 Mobile\\3 Mobile Broadband\\3 Mobile Broadband.exe"= "C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"= "C:\\Program Files\\美女麻将\\美女麻将.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"= "C:\\Program Files\\Real\\RealPlayer\\realplay.exe"= "C:\\Program Files\\?à???é??\\?à???é??.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "10421:UDP"= 10421:UDP:SingleClick Discovery Protocol "10426:UDP"= 10426:UDP:SingleClick ICC R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-11 28184] R3 OEM02Dev;Creative Camera OEM002 Driver;C:\WINDOWS\system32\DRIVERS\OEM02Dev.sys [2007-08-28 235520] R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;C:\WINDOWS\system32\DRIVERS\OEM02Vfx.sys [2007-08-28 7424] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{943cef6d-6935-11dd-a189-001e4cdce70b}] \Shell\AutoRun\command - E:\AutoRun.exe . ‘计划任务’ 文件夹里的内容 2008-05-14 C:\WINDOWS\Tasks\McDefragTask.job - c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 14:32] 2008-08-31 C:\WINDOWS\Tasks\McQcTask.job - c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 14:32] . ************************************************************************ catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-10-22 1235 Windows 5.1.2600 Service Pack 3 NTFS 扫描被隐藏的进程。。。 ... 扫描被隐藏的启动组。。。扫描被隐藏的文件。。。扫描完成被隐藏的档案: 0 ********************************************************************** . --------------------- 运行进程下的动态链接库 --------------------- PROCESS: C:\WINDOWS\explorer.exe -> C:\WINDOWS\system32\nview.dll . ------------------------ 其他运行进程 ------------------------ . C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\WINDOWS\system32\conime.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Dell Network Assistant\hnm_svc.exe C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe C:\Program Files\McAfee\MPF\MpfSrv.exe C:\Program Files\McAfee\MSK\msksrver.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\WINDOWS\system32\wdfmgr.exe C:\WINDOWS\system32\UTSCSI.EXE C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe C:\Program Files\iPod\bin\iPodService.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe . ********************************************************************** . 完成时间: 2008-10-22 12:11:08 - 电脑已重新启动 ComboFix-quarantined-files.txt 2008-10-22 01:11:02 ComboFix2.txt 2008-10-16 06:10:08 Pre-Run: 118,417,354,752 bytes free Post-Run: 118,457,208,832 bytes free 194 --- E O F --- 2008-10-15 06:04:45 Scan report: ;******************************************************************************************************************************************************************************* ANALYSIS: 2008-10-22 15:37:51 PROTECTIONS: 2 MALWARE: 11 SUSPECTS: 1 ;********************************************************************************************************************************************************************************* PROTECTIONS Description Version Active Updated ;=================================================================================================================================================================================== McAfee Internet Security Suite 2007 8.1 No Yes McAfee VirusScan Plus 12.1 No No ;=================================================================================================================================================================================== MALWARE Id Description Type Active Severity Disinfectable Disinfected Location ;=================================================================================================================================================================================== 00034347 dialer.su Dialers No 0 Yes No hkey_local_machine\software\microsoft\windows\currentversion\uninstall\switch 00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Wai Hung\Cookies\wai_hung@doubleclick[1].txt 00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Wai Hung\Cookies\wai_hung@atdmt[2].txt 00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Wai Hung\Cookies\wai_hung@tribalfusion[1].txt 00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Wai Hung\Cookies\wai_hung@bs.serving-sys[1].txt 00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\Wai Hung\Cookies\wai_hung@statse.webtrendslive[1].txt 00366244 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\Wai Hung\Desktop\Flash_Disinfector.exe[C:\Documents and Settings\Wai Hung\Desktop\Flash_Disinfector.exe][nircmd.exe] 01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP178\A0039240.EXE 01196325 Cookie/Enhance TrackingCookie No 0 Yes No C:\Documents and Settings\Wai Hung\Cookies\wai_hung@enhance[2].txt 02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP178\A0039226.sys 02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP173\A0037794.sys 03738686 Generic Malware Virus/Trojan No 0 No No C:\Documents and Settings\Wai Hung\Desktop\ComboFix.exe[32788R22FWJFW\catchme.cfexe] ;=================================================================================================================================================================================== SUSPECTS Sent Location Y ;=================================================================================================================================================================================== No C:\Documents and Settings\Wai Hung\Desktop\ComboFix.exe[32788R22FWJFW\psexec.cfexe] Y ;=================================================================================================================================================================================== VULNERABILITIES Id Severity Description Y ;=================================================================================================================================================================================== ;===================================================================================================================================================================================

10-26-2008, 03:41 AM	#10 (permalink)
Katana Analyst, Security Team Join Date: Nov 2007 Location: Manchester, UK Posts: 1,361 OS: W2K SP4 + XP SP2 + Vista	Re: Infected with Trojan Errrm those are the logs that you posted last time, please can you post the latest combofix log (C:\combofix.txt) along with a fresh HJT log __________________

10-26-2008, 07:42 AM	#12 (permalink)
Katana Analyst, Security Team Join Date: Nov 2007 Location: Manchester, UK Posts: 1,361 OS: W2K SP4 + XP SP2 + Vista	Re: Infected with Trojan Installed Programs Please could you give me a list of the programs that are installed. Start HijackThis (C:\Program Files\trend micro\HijackThis.exe) Click on the Misc Tools button Click on the Open Uninstall Manager button. You will see a list with the programs installed in your computer. Click on save list button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad into your next post. __________________

10-26-2008, 07:50 AM	#13 (permalink)
YSJR Registered User Join Date: Oct 2008 Posts: 10 OS: XP	Re: Infected with Trojan Dear Katana, ?????§?? 3.3.7 ?à???é?? ?à???é?? 1è?è?′ò?ê?è?·¨ 3 Mobile Broadband Adobe Acrobat 6.0 Standard - ChineseT Adobe Flash Player ActiveX Adobe Flash Player Plugin Advanced Audio FX Engine Advanced Video FX Engine Apple Mobile Device Support Apple Software Update Bonjour Broadcom 440x 10/100 Integrated Controller Broadcom Management Programs Compatibility Pack for the 2007 Office system Conexant HDA D330 MDC V.92 Modem Dell Network Assistant Dell Resource CD Dell Support Center Dell Touchpad Dell Webcam Center Dell Webcam Manager Digital Line Detect Express Burn Express Rip Google Toolbar for Internet Explorer Google Toolbar for Internet Explorer High Definition Audio Driver Package - KB835221 HijackThis 2.0.2 Hotfix for Windows Internet Explorer 7 (KB947864) Hotfix for Windows XP (KB952287) Intel(R) PROSet/Wireless Software IntelliSonic Speech Enhancement iTunes Java(TM) 6 Update 5 Java(TM) 6 Update 7 Laptop Integrated Webcam Driver (1.03.02.0719) Live! Cam Avatar Creator Live! Cam Avatar v1.0 Malwarebytes' Anti-Malware McAfee SecurityCenter mCore mDrWiFi MediaDirect mHlpDell Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Hotfix (KB928366) Microsoft Internationalized Domain Names Mitigation APIs Microsoft National Language Support Downlevel APIs Microsoft Office XP Chinese (Simplified) User Interface Pack Microsoft Office XP English User Interface Pack Microsoft Office XP Media Content Microsoft Office XP Professional with FrontPage Microsoft Visual C++ 2005 Redistributable mIWA mLogView mMHouse Modem Diagnostic Tool Mozilla Firefox (3.0.1) mPfMgr mPfWiz mProSafe mSCfg mSSO MSXML 4.0 SP2 (KB936181) MSXML 6.0 Parser (KB933579) mWlsSafe mWMI mZConfig NetWaiting NVIDIA Drivers OutlookAddinSetup Panda ActiveScan 2.0 QuickSet QuickTime Readiris Pro 10 RealPlayer Roxio Creator Audio Roxio Creator BDAV Plugin Roxio Creator Copy Roxio Creator Data Roxio Creator DE Roxio Creator Tools Roxio Drag-to-Disc Roxio Express Labeler Roxio MyDVD DE Roxio Update Manager Samsung SCX-4200 Series Security Update for Step By Step Interactive Training (KB923723) Security Update for Windows Internet Explorer 7 (KB938127) Security Update for Windows Internet Explorer 7 (KB950759) Security Update for Windows Internet Explorer 7 (KB953838) Security Update for Windows XP (KB938464) Security Update for Windows XP (KB941569) Security Update for Windows XP (KB946648) Security Update for Windows XP (KB950760) Security Update for Windows XP (KB950762) Security Update for Windows XP (KB950974) Security Update for Windows XP (KB951066) Security Update for Windows XP (KB951376) Security Update for Windows XP (KB951376-v2) Security Update for Windows XP (KB951698) Security Update for Windows XP (KB951748) Security Update for Windows XP (KB952954) Security Update for Windows XP (KB953839) Security Update for Windows XP (KB954211) Security Update for Windows XP (KB956391) Security Update for Windows XP (KB956803) Security Update for Windows XP (KB956841) Security Update for Windows XP (KB957095) Security Update for Windows XP (KB958644) SigmaTel Audio SmarThru 4 Sonic Activation Module Switch Sound File Converter Update for Windows XP (KB951072-v2) Update for Windows XP (KB951978) URL Assistant WavePad Sound Editor WIDCOMM Bluetooth Software Windows Driver Package - Ricoh Company (rimsptsk) hdc (11/14/2006 6.00.01.04) Windows Live installer Windows Live Messenger Windows Live Sign-in Assistant Windows Media Format Runtime Windows XP Service Pack 3 WinRAR archiver Thanks.

10-26-2008, 07:59 AM	#14 (permalink)
Katana Analyst, Security Team Join Date: Nov 2007 Location: Manchester, UK Posts: 1,361 OS: W2K SP4 + XP SP2 + Vista	Re: Infected with Trojan Do you know what these are, all I can see are ????? (question marks) ?????§?? 3.3.7 ?à???é?? ?à???é?? 1è?è??ò?ê?è?·¨ Are E:\, F:\, G:\ related to your modem ? __________________

10-26-2008, 08:24 AM	#15 (permalink)
YSJR Registered User Join Date: Oct 2008 Posts: 10 OS: XP	Re: Infected with Trojan Dear Katana, I think they are some games I have downloaded for some time. Are E:\, F:\, G:\ are removable drives. Thanks.

10-26-2008, 08:49 AM	#16 (permalink)
Katana Analyst, Security Team Join Date: Nov 2007 Location: Manchester, UK Posts: 1,361 OS: W2K SP4 + XP SP2 + Vista	Re: Infected with Trojan There is no malware showing in your logs now, how often does the internet connection drop ? Have you noticed if it happens after using a particular program or after a specfic time ? Custom CFScript Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below: Code: Registry:: [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{943cef6d-6935-11dd-a189-001e4cdce70b}] ADS:: Save this as CFScript.txt and place it on your desktop. Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal. When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply. CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall. Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system. A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use. ComboFix SHOULD NOT be used unless requested by a forum helper __________________

10-26-2008, 05:56 PM	#17 (permalink)
YSJR Registered User Join Date: Oct 2008 Posts: 10 OS: XP	Re: Infected with Trojan Dear Katana, The connection drops usually after a frequent switch between different websites or after five or six hours' connection. It doesn't seem to be related to particular programs. Thanks. ComboFix 08-10-25.01 - Wai Hung 2008-10-27 10:45:39.4 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.936.86.1033.18.2475 [GMT 11:00] 执行位置: C:\Documents and Settings\Wai Hung\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Wai Hung\Desktop\CFScript.txt * 成功创造新还原点 * Resident AV is active . ((((((((((((((((((((((((( 2008-09-26 至 2008-10-26 的新的档案 ))))))))))))))))))))))))))))))) . 2008-10-27 01:01 . 2008-10-27 01:01 244 --ah----- C:\sqmnoopt00.sqm 2008-10-27 01:01 . 2008-10-27 01:01 232 --ah----- C:\sqmdata00.sqm 2008-10-24 23:40 . 2008-10-16 03:34 337,408 --------- C:\WINDOWS\system32\dllcache\netapi32.dll 2008-10-22 12:26 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys 2008-10-22 12:25 . 2008-10-22 12:25 <DIR> d-------- C:\Program Files\Panda Security 2008-10-15 19:00 . 2008-10-15 19:01 <DIR> d-------- C:\rsit 2008-10-15 19:00 . 2008-10-27 00:47 <DIR> d-------- C:\Program Files\trend micro 2008-10-15 17:00 . 2008-08-14 21:11 2,189,184 --------- C:\WINDOWS\system32\dllcache\ntoskrnl.exe 2008-10-15 17:00 . 2008-08-14 21:09 2,145,280 --------- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe 2008-10-15 17:00 . 2008-08-14 20:33 2,066,048 --------- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe 2008-10-15 17:00 . 2008-08-14 20:33 2,023,936 --------- C:\WINDOWS\system32\dllcache\ntkrpamp.exe 2008-10-15 17:00 . 2008-09-15 23:12 1,846,400 --------- C:\WINDOWS\system32\dllcache\win32k.sys 2008-10-15 17:00 . 2008-09-08 21:41 333,824 --------- C:\WINDOWS\system32\dllcache\srv.sys 2008-09-29 12:48 . 2008-09-29 12:48 <DIR> d-------- C:\Program Files\Common Files\xing shared 2008-09-29 00:02 . 2008-09-29 00:02 <DIR> d-------- C:\Documents and Settings\Wai Hung\Application Data\Recordpad 2008-09-29 00:01 . 2008-09-29 00:02 <DIR> d-------- C:\Documents and Settings\Wai Hung\Application Data\NCH Swift Sound 2008-09-29 00:01 . 2008-09-29 00:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound 2008-09-29 00:00 . 2008-10-09 10:29 <DIR> d-------- C:\Program Files\NCH Swift Sound 2008-09-29 00:00 . 2008-09-29 00:00 <DIR> d-------- C:\Program Files\NCH Software 2008-09-26 12:59 . 2008-09-26 12:59 <DIR> d-------- C:\WINDOWS\system32\LogFiles . (((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-10-26 23:23 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP 2008-10-24 12:34 --------- d-----w C:\Program Files\McAfee 2008-10-17 01:44 --------- d-----w C:\Program Files\Java 2008-10-15 07:40 --------- d-----w C:\Documents and Settings\Wai Hung\Application Data\AdobeUM 2008-10-07 09:59 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware 2008-09-29 06:32 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Roxio 2008-09-29 01:48 --------- d-----w C:\Program Files\Common Files\Real 2008-09-20 10:38 --------- d-----w C:\Documents and Settings\Wai Hung\Application Data\Malwarebytes 2008-09-20 10:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes 2008-09-19 02:07 84,624 ----a-w C:\Documents and Settings\Wai Hung\Application Data\GDIPFONTCACHEV1.DAT 2008-09-18 03:32 --------- d-----w C:\Program Files\Bonjour 2008-09-15 12:12 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys 2008-09-09 14:04 38,528 ----a-w C:\WINDOWS\system32\drivers\mbamswissarmy.sys 2008-09-09 14:03 17,200 ----a-w C:\WINDOWS\system32\drivers\mbam.sys 2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys 2008-08-14 10:09 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe 2008-08-14 10:04 138,496 ------w C:\WINDOWS\system32\dllcache\afd.sys 2008-08-14 09:33 2,023,936 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe 2008-01-15 19:52 76 --sh--r C:\WINDOWS\CT4CET.bin . ((((((((((((((((((((((((((((( snapshot@2008-10-16_17.09.37.65 ))))))))))))))))))))))))))))))))))))))))) . + 2008-06-29 23:39:58 128,256 ----a-w C:\WINDOWS\Downloaded Program Files\as2stubie.dll - 2008-10-16 03:35:54 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat + 2008-10-26 23:29:38 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat - 2008-10-16 03:35:54 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat + 2008-10-26 23:29:38 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat - 2008-04-14 00:12:01 337,408 ----a-w C:\WINDOWS\system32\netapi32.dll + 2008-10-15 16:34:24 337,408 ----a-w C:\WINDOWS\system32\netapi32.dll . ((((((((((((((((((((((((((((((((((((( 重要登入点 )))))))))))))))))))))))))))))))))))))))))))))))))) . . 注意空白与合法缺省登录将不会被显示 REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-03 851968] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-05-11 8429568] "OEM02Mon.exe"="C:\WINDOWS\OEM02Mon.exe" [2007-08-28 36864] "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952] "MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392] "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168] "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168] "IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296] "IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848] "DELL Webcam Manager"="C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784] "Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936] "KADxMain"="C:\WINDOWS\system32\KADxMain.exe" [2006-11-02 282624] "RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184] "RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920] "mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 582992] "dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384] "PCMService"="C:\Program Files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320] "Google IME Autoupdater"="C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe" [2008-08-05 308720] "Samsung PanelMgr"="C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe" [2005-10-31 503808] "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 413696] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 267048] "nwiz"="nwiz.exe" [2007-05-11 C:\WINDOWS\system32\nwiz.exe] "NVHotkey"="nvHotkey.dll" [2007-05-11 C:\WINDOWS\system32\nvhotkey.dll] "NvMediaCenter"="NvMCTray.dll" [2007-06-06 C:\WINDOWS\system32\nvmctray.dll] "SigmatelSysTrayApp"="stsystra.exe" [2007-05-06 C:\WINDOWS\stsystra.exe] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193] Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-05-17 568176] Dell Network Assistant.lnk - C:\WINDOWS\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2008-01-16 7168] Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2008-01-16 50688] Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360] [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"= "C:\\Program Files\\Bonjour\\mDNSResponder.exe"= "C:\\Program Files\\iTunes\\iTunes.exe"= "C:\\Program Files\\Messenger\\msmsgs.exe"= "C:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"= "C:\\Program Files\\Mozilla Firefox\\firefox.exe"= "C:\\Program Files\\3 Mobile\\3 Mobile Broadband\\3 Mobile Broadband.exe"= "C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"= "C:\\Program Files\\美女麻将\\美女麻将.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"= "C:\\Program Files\\Real\\RealPlayer\\realplay.exe"= "C:\\Program Files\\?à???é??\\?à???é??.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "10421:UDP"= 10421:UDP:SingleClick Discovery Protocol "10426:UDP"= 10426:UDP:SingleClick ICC R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 28544] R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-11 28184] R3 OEM02Dev;Creative Camera OEM002 Driver;C:\WINDOWS\system32\DRIVERS\OEM02Dev.sys [2007-08-28 235520] R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;C:\WINDOWS\system32\DRIVERS\OEM02Vfx.sys [2007-08-28 7424] . ‘计划任务’ 文件夹里的内容 2008-05-14 C:\WINDOWS\Tasks\McDefragTask.job - c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 14:32] 2008-08-31 C:\WINDOWS\Tasks\McQcTask.job - c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 14:32] . ************************************************************************ catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-10-27 10:48:14 Windows 5.1.2600 Service Pack 3 NTFS 扫描被隐藏的进程。。。 ... 扫描被隐藏的启动组。。。扫描被隐藏的文件。。。扫描完成被隐藏的档案: 0 ************************************************************************ . --------------------- 运行进程下的动态链接库 --------------------- PROCESS: C:\WINDOWS\explorer.exe -> C:\WINDOWS\system32\nview.dll . 完成时间: 2008-10-27 10:49:46 ComboFix-quarantined-files.txt 2008-10-26 23:49:40 ComboFix2.txt 2008-10-22 23:24:42 ComboFix3.txt 2008-10-22 01:11:09 ComboFix4.txt 2008-10-16 06:10:08 Pre-Run: 118,375,276,544 bytes free Post-Run: 118,393,368,576 bytes free 161 --- E O F --- 2008-10-24 12:43:31

10-26-2008, 06:09 PM	#18 (permalink)
Katana Analyst, Security Team Join Date: Nov 2007 Location: Manchester, UK Posts: 1,361 OS: W2K SP4 + XP SP2 + Vista	Re: Infected with Trojan There is no malware that would be causing your problem. Unfortunately you are now outside my area of knowledge, so I'm going to have to recommend that you visit the networking section. http://www.techsupportforum.com/netw...rking-support/ When you start your thread, explain what the problem is and let them know that you have been checked for malware. Give them the following link, so they can see the logs if needed Code: http://www.techsupportforum.com/security-center/hijackthis-log-help/298515-infected-trojan.html#post1737249 This will clear your System Volume Information restore points and remove all the infected files that were quarantined Click START then RUN Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there. You can also delete any logs we have produced, and empty your Recycle bin. The following is some info to help you stay safe and clean. ( Vista users must ensure that any programs are Vista compatible BEFORE installing ) You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future. Online Scanners I would recommend a scan at one or more of the following sites at least once a month. http://www.pandasecurity.com/activescan http://www.kaspersky.com/kos/eng/par...avwebscan.html !!! Make sure that all your programs are updated !!! Secunia Software Inspector does all the work for you, .... see HERE for details AntiSpyware AntiSpyware is not the same thing as Antivirus. Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one. You should only have one running all the time, the other/s should be used "on demand" on a regular basis. Most of the programs in this list have a free (for Home Users ) and paid versions, it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often. Spybot - Search & Destroy <<< A must have program It includes host protection and registry protection A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites MalwareBytes Anti-malware <<< A New and effective program a-squared Free <<< A good "realtime" or "on demand" scanner superantispyware <<< A good "realtime" or "on demand" scanner Prevention These programs don't detect malware, they help stop it getting on your machine in the first place. Each does a different job, so you can have more than one Winpatrol An excellent startup manager and then some !! Notifies you if programs are added to startup Allows delayed startup A must have addition SpywareBlaster 4.0 SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer. SpywareGuard 2.2 SpywareGuard provides real-time protection against spyware. Not required if you have other "realtime" antispyware or Winpatrol ZonedOut Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer. MVPS HOSTS This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial by WinHelp2002. Not required if you are using other host file protections Internet Browsers Microsoft has worked hard to make IE.7 a more secure browser, unfortunately whilst it is still the leading browser of choice it will always be under attack from the bad guys. Using a different web browser can help stop malware getting on your machine. Make your Internet Explorer more secure - This can be done by following these simple instructions: From within Internet Explorer click on the Tools menu and then click on Options. Click once on the Security tab Click once on the Internet icon so it becomes highlighted. Click once on the Custom Level button. Change the Download signed ActiveX controls to Prompt Change the Download unsigned ActiveX controls to Disable Change the Initialise and script ActiveX controls not marked as safe to Disable Change the Installation of desktop items to Prompt Change the Launching programs and files in an IFRAME to Prompt Change the Navigate sub-frames across different domains to Prompt When all these settings have been made, click on the OK button. If it prompts you as to whether or not you want to save the settings, press the Yes button. Next press the Apply button and then the OK to exit the Internet Properties page. If you are still using IE6 then either update, or get one of the following. FireFox With many addons available that make customization easy this is a very popular choice NoScript and AdBlockPlus addons are essential Opera Another popular alternative Netscape Another popular alternative Also has Addons available Cleaning Temporary Internet Files and Tracking Cookies Temporary Internet Files are mainly the files that are downloaded when you open a web page. Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware. It is a good idea to empty the Temporary Internet Files folder on a regular basis. Tracking Cookies are files that websites use to monitor which sites you visit and how often. A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted. CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords Both of these can be cleaned manually, but a quicker option is to use a program ATF Cleaner Free and very simple to use CCleaner Free and very flexible, you can chose which cookies to keep Also PLEASE read this article.....So How Did I Get Infected In The First Place The last and most important thing I can tell you is UPDATE. If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk. Malware changes on a day to day basis. You should update every week at the very least. If you follow this advice then (with a bit of luck) you will never have to hear from me again :D If you could post back one more time to let me know everything is OK, then I can have this thread archived. Happy surfing K' __________________ Last edited by Katana; 10-29-2008 at 02:50 AM.

10-28-2008, 06:27 PM	#19 (permalink)
YSJR Registered User Join Date: Oct 2008 Posts: 10 OS: XP	Re: Infected with Trojan Dear Katana, Thanks for your help and advice. I have done what you recommended and things are OK at this stage. Thanks again.