0
ComboFix 09-07-19.01 - Owner -07-19 星期日 22:55.1.2 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.3.936.86.1033.18.2047.1713 [GMT -7:00]
执行位置: e:\tddownload\ComboFix.exe
.
    /wow section - STAGE 完成项目——3
The syntax of the command is incorrect.

    /wow section 未完成

(((((((((((((((((((((((((  2009-06-20 至 2009-07-20 的新的档案  )))))))))))))))))))))))))))))))
.

2009-07-20 04:50 . 2009-07-20 04:50 --------    d-----w-    d:\program files\CCleaner
2009-07-20 04:00 . 2009-07-20 04:00 16384   ----atw-    d:\temp\Perflib_Perfdata_578.dat
2009-07-20 03:20 . 2009-04-30 21:22 12800   -c----w-    d:\windows\system32\dllcache\xpshims.dll
2009-07-20 03:20 . 2009-04-30 21:22 1985024 -c----w-    d:\windows\system32\dllcache\iertutil.dll
2009-07-20 03:20 . 2009-04-30 21:22 246272  -c----w-    d:\windows\system32\dllcache\ieproxy.dll
2009-07-20 03:20 . 2009-04-30 21:22 11064832    -c----w-    d:\windows\system32\dllcache\ieframe.dll
2009-07-20 03:14 . 2009-07-20 03:14 16384   ----atw-    d:\temp\Perflib_Perfdata_500.dat
2009-07-20 00:05 . 2009-07-20 00:05 16384   ----atw-    d:\temp\Perflib_Perfdata_51c.dat
2009-07-19 23:32 . 2009-07-19 23:32 --------    d-----w-    d:\documents and settings\Owner\Local Settings\Application Data\Google
2009-07-19 23:31 . 2009-07-19 23:32 --------    d-----w-    d:\program files\Google
2009-07-19 23:25 . 2009-07-19 23:25 16384   ----atw-    d:\temp\Perflib_Perfdata_518.dat
2009-07-19 21:12 . 2009-07-19 21:12 16384   ----atw-    d:\temp\Perflib_Perfdata_594.dat
2009-07-19 10:06 . 2009-07-19 10:06 16384   ----atw-    d:\temp\Perflib_Perfdata_588.dat
2009-07-19 09:35 . 2009-07-19 09:35 16384   ----atw-    d:\temp\Perflib_Perfdata_59c.dat
2009-07-19 09:35 . 2009-07-20 05:46 --------    d-----w-    d:\temp\_avast4_
2009-07-19 09:01 . 2009-07-19 09:01 --------    d-----w-    d:\program files\Alwil Software
2009-07-19 03:27 . 2009-07-19 03:27 --------    d-----w-    d:\program files\Trend Micro
2009-07-19 03:24 . 2009-07-19 03:24 --------    d-----w-    d:\documents and settings\Owner\Application Data\Malwarebytes
2009-07-19 03:24 . 2009-07-13 20:36 38160   ----a-w-    d:\windows\system32\drivers\mbamswissarmy.sys
2009-07-19 03:24 . 2009-07-19 03:24 --------    d-----w-    d:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-19 03:24 . 2009-07-13 20:36 19096   ----a-w-    d:\windows\system32\drivers\mbam.sys
2009-07-19 03:24 . 2009-07-19 03:24 --------    d-----w-    d:\program files\Malwarebytes' Anti-Malware
2009-07-17 06:42 . 2009-07-17 12:10 --------    d-----w-    d:\program files\QvodPlayer
2009-07-14 02:37 . 2009-07-14 02:37 --------    d-----w-    d:\documents and settings\Owner\Local Settings\Application Data\Mozilla
2009-07-05 05:01 . 2009-07-05 05:01 --------    d-----w-    d:\documents and settings\Owner\Application Data\AVS4YOU
2009-07-05 05:01 . 2009-07-05 05:01 --------    d-----w-    d:\documents and settings\All Users\Application Data\AVS4YOU
2009-07-05 05:00 . 2009-07-05 05:01 --------    d-----w-    d:\program files\Common Files\AVSMedia
2009-07-05 05:00 . 2008-08-13 18:22 974848  ----a-w-    d:\windows\system32\mfc70.dll
2009-07-05 05:00 . 2008-08-13 18:22 487424  ----a-w-    d:\windows\system32\msvcp70.dll
2009-07-05 05:00 . 2009-07-05 05:01 --------    d-----w-    d:\program files\AVS4YOU
2009-07-05 05:00 . 2008-08-13 18:22 1700352 ----a-w-    d:\windows\system32\GdiPlus.dll
2009-07-05 05:00 . 2008-08-13 18:22 24576   ----a-w-    d:\windows\system32\msxml3a.dll
2009-07-05 04:52 . 2009-07-05 04:52 --------    d-----w-    d:\documents and settings\Owner\Application Data\Red Kawa
2009-07-05 04:52 . 2009-07-06 21:49 --------    d-----w-    d:\program files\WeFi
2009-07-05 04:51 . 2009-07-05 04:51 5931872 ----a-w-    d:\documents and settings\Owner\Application Data\OpenCandy\WeFiSetup_5_141_4.exe
2009-07-05 04:51 . 2009-07-05 04:51 --------    d-----w-    d:\documents and settings\Owner\Application Data\OpenCandy
2009-07-05 04:51 . 2009-07-05 04:51 --------    d-----w-    d:\program files\Red Kawa
2009-07-05 04:47 . 2009-07-05 04:47 --------    d-----w-    d:\program files\E-Zsoft
2009-07-05 04:24 . 2009-07-05 04:24 --------    d-----w-    d:\program files\DVDVideoSoft
2009-07-05 03:55 . 2009-07-05 03:55 --------    d-----w-    d:\documents and settings\Owner\Application Data\ImTOO Software Studio
2009-07-05 03:48 . 2002-01-05 22:37 344064  ----a-w-    d:\windows\system32\msvcr70.dll
2009-07-05 03:48 . 2009-07-05 04:24 --------    d-----w-    d:\program files\Common Files\DVDVideoSoft
2009-07-03 10:49 . 2009-07-03 10:49 --------    d-----w-    d:\documents and settings\Owner\Local Settings\Application Data\Apple Computer
2009-07-02 23:39 . 2009-07-02 23:39 --------    d-----w-    d:\program files\Combined Community Codec Pack
2009-07-02 23:35 . 2009-07-02 23:35 --------    d-----w-    d:\program files\AviSynth 2.5
2009-07-02 23:32 . 2009-07-02 23:32 --------    d-----w-    d:\program files\MSBuild
2009-07-02 23:29 . 2009-07-20 03:26 --------    d-----w-    d:\windows\system32\XPSViewer
2009-07-02 23:29 . 2009-07-02 23:29 --------    d-----w-    d:\program files\Reference Assemblies
2009-07-02 23:28 . 2006-06-29 20:07 14048   ------w-    d:\windows\system32\spmsg2.dll
2009-07-02 22:07 . 2009-07-02 22:07 --------    d-----w-    d:\program files\GVOD
2009-07-01 08:53 . 2009-07-01 08:53 1060864 ----a-w-    d:\windows\system32\MFC71.dll

.
((((((((((((((((((((((((((((((((((((((((   在三个月内被修改的档案   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-20 05:48 . 2009-05-11 20:11 22016   ----a-w-    d:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-20 05:47 . 2009-05-12 08:36 3871    ----a-w-    d:\windows\system32\cid_store.dat
2009-07-19 22:21 . 2009-05-12 00:34 139584  ----a-w-    d:\windows\system32\drivers\PnkBstrK.sys
2009-07-19 22:21 . 2009-05-12 00:34 189104  ----a-w-    d:\windows\system32\PnkBstrB.exe
2009-07-19 02:10 . 2009-05-11 21:24 --------    d-----w-    d:\program files\Warcraft III
2009-07-17 12:06 . 2009-05-11 21:43 --------    d-----w-    d:\program files\MpcStar
2009-07-16 16:13 . 2009-05-16 04:06 --------    d-----w-    d:\program files\Garena
2009-07-05 04:01 . 2009-05-13 00:23 --------    d-----w-    d:\program files\Windows Media Connect 2
2009-06-16 14:36 . 2004-08-04 12:00 81920   ----a-w-    d:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808  ----a-w-    d:\windows\system32\t2embed.dll
2009-06-08 06:32 . 2009-06-08 06:32 --------    d-----w-    d:\documents and settings\Owner\Application Data\DragonicaSCB
2009-06-08 05:42 . 2009-06-08 05:42 --------    d-----w-    d:\program files\IAHGames
2009-06-08 05:37 . 2009-05-16 06:00 --------    d-----w-    d:\program files\Windows Live
2009-06-03 19:09 . 2004-08-04 12:00 1291264 ----a-w-    d:\windows\system32\quartz.dll
2009-05-29 08:59 . 2009-05-26 05:20 --------    d-----w-    d:\documents and settings\Owner\Application Data\Skype
2009-05-29 08:59 . 2009-05-26 05:29 --------    d-----w-    d:\documents and settings\Owner\Application Data\skypePM
2009-05-26 05:29 . 2009-05-26 05:29 56  ---ha-w-    d:\windows\system32\ezsidmv.dat
2009-05-26 05:20 . 2009-05-26 05:20 --------    d-----r-    d:\program files\Skype
2009-05-26 05:20 . 2009-05-26 05:20 --------    d-----w-    d:\documents and settings\All Users\Application Data\Skype
2009-05-26 05:20 . 2009-05-26 05:20 --------    d-----w-    d:\program files\Common Files\Skype
2009-05-25 02:25 . 2009-05-25 02:25 410984  ----a-w-    d:\windows\system32\deploytk.dll
2009-05-25 02:25 . 2009-05-25 02:25 --------    d-----w-    d:\program files\Java
2009-05-25 02:25 . 2009-05-25 02:25 152576  ----a-w-    d:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-24 23:24 . 2009-05-12 00:34 75064   ----a-w-    d:\windows\system32\PnkBstrA.exe
2009-05-24 22:09 . 2009-05-24 22:09 22328   ----a-w-    d:\documents and settings\Owner\Application Data\PnkBstrK.sys
2009-05-24 22:09 . 2009-05-24 22:09 22328   ----a-w-    d:\documents and settings\Owner\Application Data\PnkBstrK.sys
2009-05-24 22:09 . 2009-05-11 20:40 --------    d--h--w-    d:\program files\InstallShield Installation Information
2009-05-24 21:47 . 2009-05-24 21:47 --------    d-----w-    d:\program files\Activision
2009-05-23 18:14 . 2009-05-23 18:14 --------    d-----w-    d:\program files\YouKu
2009-05-13 05:15 . 2004-08-04 12:00 915456  ----a-w-    d:\windows\system32\wininet.dll
2009-05-13 00:45 . 2009-05-11 19:45 76487   ----a-w-    d:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-05-12 08:44 . 2009-05-12 08:44 0   ----a-w-    d:\windows\nsreg.dat
2009-05-12 08:33 . 2009-05-12 08:33 20  ----a-w-    d:\windows\system32\pub_store.dat
2009-05-11 21:41 . 2009-05-11 21:27 77641   ----a-w-    d:\windows\War3Unin.dat
2009-05-11 21:41 . 2009-05-11 21:27 2829    ----a-w-    d:\windows\War3Unin.pif
2009-05-11 21:41 . 2009-05-11 21:27 139264  ----a-w-    d:\windows\War3Unin.exe
2009-05-11 19:43 . 2009-05-11 19:43 21640   ----a-w-    d:\windows\system32\emptyregdb.dat
2009-05-07 15:32 . 2004-08-04 12:00 345600  ----a-w-    d:\windows\system32\localspl.dll
2009-05-04 20:09 . 2009-05-12 08:32 89600   ----a-w-    d:\windows\system32\atl71.dll
2009-05-04 20:09 . 2009-05-12 08:32 499712  ----a-w-    d:\windows\system32\msvcp71.dll
2009-05-04 20:09 . 2009-05-12 08:32 348160  ----a-w-    d:\windows\system32\msvcr71.dll
2009-07-19 10:08 . 2009-07-14 02:36 137208  ----a-w-    d:\program files\mozilla firefox\components\brwsrcmp.dll
.

------- Sigcheck -------

[7] 2008-06-20 10:44    360960  744E57C99232201AE98C49168B918F48    d:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-06-20 11:51    361600  9AEFA14BD6B182D61E3119FA5F436D3D    d:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 11:59    361600  AD978A1B783B5719720CFF204B666C8E    d:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2008-06-20 10:45    360320  01D5EAAFF224415A7FF513E4C882BE30    d:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-04-13 19:20    361344  93EA8D04EC73A85DB02EB8805988F733    d:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2004-08-04 12:00    359040  C1783498EDB152656303B5D5BCABD86C    d:\windows\$NtUninstallKB951748_0$\tcpip.sys
[7] 2008-04-13 19:20    361344  93EA8D04EC73A85DB02EB8805988F733    d:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2008-06-20 11:51    361600  9AEFA14BD6B182D61E3119FA5F436D3D    d:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 11:51    361600  4AFB3B0919649F95C1964AA1FAD27D73    d:\windows\system32\drivers\tcpip.sys

.
(((((((((((((((((((((((((((((((((((((   重要登入点   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="d:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="d:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2008-08-24 13574144]
"NvMediaCenter"="d:\windows\system32\NvMcTray.dll" [2008-08-24 86016]
"razer"="d:\program files\Razer\razerhid.exe" [2005-05-18 147456]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2009-05-25 148888]
"QuickTime Task"="d:\program files\MpcStar\Codecs\QuickTime\QTSystem\qttask.exe" [2009-05-11 282624]
"PSPVideoConverter_upgrade"="d:\program files\E-Zsoft\PSPVideoConverter\PSPVideoConverter.exe" [2009-03-25 495616]
"nwiz"="nwiz.exe" - d:\windows\system32\nwiz.exe [2008-08-24 1657376]
"RTHDCPL"="RTHDCPL.EXE" - d:\windows\RTHDCPL.EXE [2007-08-20 16384512]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ    autocheck autochk *\0sprestrt

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"d:\\Program Files\\Funshion Online\\Funshion\\Funshion.exe"=
"d:\\WINDOWS\\system32\\PnkBstrA.exe"=
"d:\\WINDOWS\\system32\\PnkBstrB.exe"=
"d:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"d:\\Program Files\\Skype\\Phone\\Skype.exe"=
"d:\\Program Files\\Thunder Network\\Thunder\\Program\\Thunder.exe"=
"d:\\Program Files\\Thunder Network\\Thunder\\Program\\LiveUpdate\\ThunderLiveUD.exe"=
"d:\\Program Files\\QvodPlayer\\QvodTerminal.exe"=

S3 Ambfilt;Ambfilt;d:\windows\system32\drivers\Ambfilt.sys [2009-5-11 13:40 1684736]
S3 PciCon;PciCon;\??\f:\pcicon.sys --> f:\PciCon.sys [?]
S3 Razerlow;Razerlow USB Filter Driver;d:\windows\system32\drivers\Razerlow.sys [2009-5-11 14:04 13225]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"d:\windows\system32\rundll32.exe" "d:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- 而外的扫描 -------
.
uStart Page = hxxp://www.google.com/
mStart Page = about:blank
IE: ê1ó???à×???? - d:\program files\Thunder Network\Thunder\Program\GetUrl.htm
IE: ê1ó???à×????è?2?á′?ó - d:\program files\Thunder Network\Thunder\Program\GetAllUrl.htm
IE: 使用迅雷下载 - d:\program files\Thunder Network\Thunder\Program\GetUrl.htm
IE: 使用迅雷下载全部链接 - d:\program files\Thunder Network\Thunder\Program\GetAllUrl.htm
Trusted Zone: photobucket.com
FF - ProfilePath - d:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\hdcqx96q.default\
FF - plugin: d:\program files\Common Files\Thunder Network\KanKan\npDapCtrlFirefox.2.0.5901.12.(986).dll
FF - plugin: d:\program files\MpcStar\Codecs\Real\browser\plugins\nppl3260.dll
FF - plugin: d:\program files\MpcStar\Codecs\Real\browser\plugins\nprpjplug.dll

---- 火狐配置文件 ----
d:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
d:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota",      5120);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
d:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history",     true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata",    true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords",   false);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads",   true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies",     true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache",       true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions",    true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history",                 true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata",                true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords",               false);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads",               true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies",                 true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache",                   true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions",                true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps",             false);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings",            false);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs",    false);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [url]http://www.gmer.net[/url]
Rootkit scan 2009-07-19 22:55
Windows 5.1.2600 Service Pack 3 NTFS

扫描被隐藏的进程 。。。  

扫描被隐藏的启动组 。。。 

扫描被隐藏的文件 。。。  

扫描完成
被隐藏的档案: 0

**************************************************************************
.
--------------------- 运行进程下的动态链接库 ---------------------

- - - - - - - > 'explorer.exe'(3832)
d:\windows\system32\WININET.dll
d:\windows\system32\ieframe.dll
d:\windows\system32\webcheck.dll
d:\windows\system32\WPDShServiceObj.dll
d:\windows\system32\PortableDeviceTypes.dll
d:\windows\system32\PortableDeviceApi.dll
.
完成时间: 2009-07-20 22:57
ComboFix-quarantined-files.txt  2009-07-20 05:57

Pre-Run: 10,032,578,560 bytes free
Post-Run: 10,009,939,968 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-CHS.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

251 --- E O F ---   2009-05-16 17:22

Edited by Reverend Jim: Fixed formatting

0

You are still posting the same one.
ComboFix 09-07-19.01 - Owner -07-19 星期日 22:55.1.2 - NTFSx86
The numeral above in red shows the number of times combofix was run. The correct log will have a "1" there.

0

Sry i cant find the old log cause i have deleted combofix before this 2 log is the only log that i can find..

0

When did you delete combofix? Combofix should never be deleted, only uninstalled as it makes changes to your system that are only undone if correctly uninstalled.

==

Did you install OpenCandy on your pc?

==

Run hijackthis and hit the Open the Misc Tools Section and then the Open Uninstall Manager.

Then hit the Save List button. Save to the desktop for easy access. Open the log file and copy the entire list and paste it here please.

===========

Copy the bold text below and paste it into notepad. Save it to your desktop as find.bat and make sure type is set to All Files.


cd\
cd Program Files
DIR /AD /B /P > ProgramFiles.txt
start ProgramFiles.txt
cls
exit


Double click find.bat and let it run for a minute. It will open up a report in notepad. Please copy that text and post it here in your next reply.

0

Adobe Flash Player 10 ActiveX
AviSynth 2.5
AVS Update Manager 1.0
AVS Video Converter 6
AVS4YOU Software Navigator 1.3
Call of Duty(R) 4 - Modern Warfare(TM)
Call of Duty(R) 4 - Modern Warfare(TM) 1.6 Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.7 Patch
CCleaner (remove only)
Choice Guard
Critical Update for Windows Media Player 11 (KB959772)
Dragonica
Free Video to iPod Converter version 3.1
Garena
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Java(TM) 6 Update 13
Junk Mail filter update
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.5.1)
MSN
MSVCRT
MSXML 6.0 Parser (KB925673)
NVIDIA Drivers
NVIDIA PhysX v8.08.18
PSP Video 9 4.08
QvodPlayer(QVOD) v3.5
Razer
Realtek High Definition Audio Driver
Revo Uninstaller 1.83
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB973346)
Segoe UI
Skype? 4.0
Uninstall 1.0.0.1
Update for Windows Internet Explorer 8 (KB969497)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
WeFi 3.6.0.7
Winamp
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows XP Service Pack 3
WinRAR archiver
风行网络电影
迅播GVOD播放器
迅雷5
影音之星 3.9

0

Activision
AGEIA Technologies
AviSynth 2.5
AVS4YOU
CCleaner
CometBrowser
Common Files
ComPlus Applications
DVDVideoSoft
E-Zsoft
Funshion Online
GameSpy
Garena
Google
GVOD
IAHGames
InstallShield Installation Information
Internet Explorer
Java
Messenger
Microsoft
microsoft frontpage
Movie Maker
Mozilla Firefox
MpcStar
MSBuild
MSN
MSN Gaming Zone
NetMeeting
Online Services
Outlook Express
QvodPlayer
Razer
Realtek
Red Kawa
Reference Assemblies
Skype
Thunder Network
Trend Micro
Uninstall Information
VS Revo Group
Warcraft III
WeFi
Winamp
Windows Live
Windows Live SkyDrive
Windows Media Connect 2
Windows Media Player
Windows NT
WindowsUpdate
WinRAR
xerox

0

When did you delete combofix? Combofix should never be deleted, only uninstalled as it makes changes to your system that are only undone if correctly uninstalled.

==

Did you install OpenCandy on your pc?

Can you please respond so that I do not have to keep asking?

0

Please download combofix again as we are not finished.

When you have it downloaded, do the following and NOTHING else please;

1. Please open Notepad Click Start , then Run
Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:



KillAll::

Folder::
d:\documents and settings\Owner\Application Data\OpenCandy


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

7. After reboot, (in case it asks to reboot), please post the following reports/logs into your next replyafter youre-enable all the programs that were disabled during the running of ComboFix:Combofix.txt
A new HijackThis log.
Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Attachments CFScript.gif 27.09 KB
0

ComboFix 09-07-19.04 - Owner -07-20 星期一 22:02.3.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.936.86.1033.18.2047.1591 [GMT -7:00]
执行位置: d:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\Owner\Desktop\CFScript.txt
* 成功创造新还原点
.

((((((((((((((((((((((((((((((((((((((( 被删除的档案 )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\documents and settings\Owner\Application Data\OpenCandy
d:\documents and settings\Owner\Application Data\OpenCandy\WeFiSetup_5_141_4.exe

.
((((((((((((((((((((((((( 2009-06-21 至 2009-07-21 的新的档案 )))))))))))))))))))))))))))))))
.

2009-07-21 05:06 . 2009-07-21 05:06 16384 ----atw- d:\temp\Perflib_Perfdata_4a4.dat
2009-07-21 02:11 . 2009-07-21 02:11 -------- d-----w- d:\program files\Trend Micro
2009-07-20 23:48 . 2009-07-21 00:22 -------- d-----w- D:\Media
2009-07-20 23:29 . 2009-07-20 23:44 -------- d-----w- D:\gougou_temp
2009-07-20 21:37 . 2009-07-20 21:37 -------- d-----w- d:\program files\Common Files\Thunder Network
2009-07-20 21:37 . 2009-07-20 21:37 -------- d-----w- d:\program files\Thunder Network
2009-07-20 07:18 . 2009-07-20 07:18 -------- d-----w- d:\program files\VS Revo Group
2009-07-20 04:50 . 2009-07-20 04:50 -------- d-----w- d:\program files\CCleaner
2009-07-20 03:20 . 2009-04-30 21:22 12800 -c----w- d:\windows\system32\dllcache\xpshims.dll
2009-07-20 03:20 . 2009-04-30 21:22 1985024 -c----w- d:\windows\system32\dllcache\iertutil.dll
2009-07-20 03:20 . 2009-04-30 21:22 246272 -c----w- d:\windows\system32\dllcache\ieproxy.dll
2009-07-20 03:20 . 2009-04-30 21:22 11064832 -c----w- d:\windows\system32\dllcache\ieframe.dll
2009-07-19 23:32 . 2009-07-19 23:32 -------- d-----w- d:\documents and settings\Owner\Local Settings\Application Data\Google
2009-07-19 23:31 . 2009-07-19 23:32 -------- d-----w- d:\program files\Google
2009-07-19 09:35 . 2009-07-20 05:46 -------- d-----w- d:\temp\_avast4_
2009-07-19 03:24 . 2009-07-19 03:24 -------- d-----w- d:\documents and settings\Owner\Application Data\Malwarebytes
2009-07-19 03:24 . 2009-07-19 03:24 -------- d-----w- d:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-17 06:42 . 2009-07-21 01:14 -------- d-----w- d:\program files\QvodPlayer
2009-07-14 02:37 . 2009-07-14 02:37 -------- d-----w- d:\documents and settings\Owner\Local Settings\Application Data\Mozilla
2009-07-05 05:01 . 2009-07-05 05:01 -------- d-----w- d:\documents and settings\Owner\Application Data\AVS4YOU
2009-07-05 05:01 . 2009-07-05 05:01 -------- d-----w- d:\documents and settings\All Users\Application Data\AVS4YOU
2009-07-05 05:00 . 2009-07-05 05:01 -------- d-----w- d:\program files\Common Files\AVSMedia
2009-07-05 05:00 . 2008-08-13 18:22 974848 ----a-w- d:\windows\system32\mfc70.dll
2009-07-05 05:00 . 2008-08-13 18:22 487424 ----a-w- d:\windows\system32\msvcp70.dll
2009-07-05 05:00 . 2009-07-05 05:01 -------- d-----w- d:\program files\AVS4YOU
2009-07-05 05:00 . 2008-08-13 18:22 1700352 ----a-w- d:\windows\system32\GdiPlus.dll
2009-07-05 05:00 . 2008-08-13 18:22 24576 ----a-w- d:\windows\system32\msxml3a.dll
2009-07-05 04:52 . 2009-07-05 04:52 -------- d-----w- d:\documents and settings\Owner\Application Data\Red Kawa
2009-07-05 04:52 . 2009-07-06 21:49 -------- d-----w- d:\program files\WeFi
2009-07-05 04:51 . 2009-07-05 04:51 -------- d-----w- d:\program files\Red Kawa
2009-07-05 04:47 . 2009-07-05 04:47 -------- d-----w- d:\program files\E-Zsoft
2009-07-05 04:24 . 2009-07-05 04:24 -------- d-----w- d:\program files\DVDVideoSoft
2009-07-05 03:55 . 2009-07-05 03:55 -------- d-----w- d:\documents and settings\Owner\Application Data\ImTOO Software Studio
2009-07-05 03:48 . 2002-01-05 22:37 344064 ----a-w- d:\windows\system32\msvcr70.dll
2009-07-05 03:48 . 2009-07-05 04:24 -------- d-----w- d:\program files\Common Files\DVDVideoSoft
2009-07-03 10:49 . 2009-07-03 10:49 -------- d-----w- d:\documents and settings\Owner\Local Settings\Application Data\Apple Computer
2009-07-02 23:35 . 2009-07-02 23:35 -------- d-----w- d:\program files\AviSynth 2.5
2009-07-02 23:32 . 2009-07-02 23:32 -------- d-----w- d:\program files\MSBuild
2009-07-02 23:29 . 2009-07-20 03:26 -------- d-----w- d:\windows\system32\XPSViewer
2009-07-02 23:29 . 2009-07-02 23:29 -------- d-----w- d:\program files\Reference Assemblies
2009-07-02 23:28 . 2006-06-29 20:07 14048 ------w- d:\windows\system32\spmsg2.dll
2009-07-02 22:07 . 2009-07-02 22:07 -------- d-----w- d:\program files\GVOD
2009-07-01 08:53 . 2009-07-01 08:53 1060864 ----a-w- d:\windows\system32\MFC71.dll

.
(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-21 04:57 . 2009-05-11 21:24 -------- d-----w- d:\program files\Warcraft III
2009-07-21 03:21 . 2009-05-12 00:34 189104 ----a-w- d:\windows\system32\PnkBstrB.exe
2009-07-21 02:23 . 2009-05-12 00:34 139584 ----a-w- d:\windows\system32\drivers\PnkBstrK.sys
2009-07-21 02:21 . 2009-05-12 08:36 1112 ----a-w- d:\windows\system32\cid_store.dat
2009-07-21 02:15 . 2009-07-21 02:15 709 ----a-w- d:\program files\ProgramFiles.txt
2009-07-21 01:23 . 2009-05-11 21:43 -------- d-----w- d:\program files\MpcStar
2009-07-20 05:48 . 2009-05-11 20:11 22016 ----a-w- d:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-16 16:13 . 2009-05-16 04:06 -------- d-----w- d:\program files\Garena
2009-07-05 04:01 . 2009-05-13 00:23 -------- d-----w- d:\program files\Windows Media Connect 2
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- d:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- d:\windows\system32\t2embed.dll
2009-06-08 06:32 . 2009-06-08 06:32 -------- d-----w- d:\documents and settings\Owner\Application Data\DragonicaSCB
2009-06-08 05:42 . 2009-06-08 05:42 -------- d-----w- d:\program files\IAHGames
2009-06-08 05:37 . 2009-05-16 06:00 -------- d-----w- d:\program files\Windows Live
2009-06-03 19:09 . 2004-08-04 12:00 1291264 ----a-w- d:\windows\system32\quartz.dll
2009-05-29 08:59 . 2009-05-26 05:20 -------- d-----w- d:\documents and settings\Owner\Application Data\Skype
2009-05-29 08:59 . 2009-05-26 05:29 -------- d-----w- d:\documents and settings\Owner\Application Data\skypePM
2009-05-26 05:29 . 2009-05-26 05:29 56 ---ha-w- d:\windows\system32\ezsidmv.dat
2009-05-26 05:20 . 2009-05-26 05:20 -------- d-----r- d:\program files\Skype
2009-05-26 05:20 . 2009-05-26 05:20 -------- d-----w- d:\documents and settings\All Users\Application Data\Skype
2009-05-26 05:20 . 2009-05-26 05:20 -------- d-----w- d:\program files\Common Files\Skype
2009-05-25 02:25 . 2009-05-25 02:25 410984 ----a-w- d:\windows\system32\deploytk.dll
2009-05-25 02:25 . 2009-05-25 02:25 -------- d-----w- d:\program files\Java
2009-05-25 02:25 . 2009-05-25 02:25 152576 ----a-w- d:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-24 23:24 . 2009-05-12 00:34 75064 ----a-w- d:\windows\system32\PnkBstrA.exe
2009-05-24 22:09 . 2009-05-24 22:09 22328 ----a-w- d:\documents and settings\Owner\Application Data\PnkBstrK.sys
2009-05-24 22:09 . 2009-05-24 22:09 22328 ----a-w- d:\documents and settings\Owner\Application Data\PnkBstrK.sys
2009-05-24 22:09 . 2009-05-11 20:40 -------- d--h--w- d:\program files\InstallShield Installation Information
2009-05-24 21:47 . 2009-05-24 21:47 -------- d-----w- d:\program files\Activision
2009-05-13 05:15 . 2004-08-04 12:00 915456 ----a-w- d:\windows\system32\wininet.dll
2009-05-13 00:45 . 2009-05-11 19:45 76487 ----a-w- d:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-05-12 08:44 . 2009-05-12 08:44 0 ----a-w- d:\windows\nsreg.dat
2009-05-12 08:33 . 2009-05-12 08:33 20 ----a-w- d:\windows\system32\pub_store.dat
2009-05-11 21:41 . 2009-05-11 21:27 77641 ----a-w- d:\windows\War3Unin.dat
2009-05-11 21:41 . 2009-05-11 21:27 2829 ----a-w- d:\windows\War3Unin.pif
2009-05-11 21:41 . 2009-05-11 21:27 139264 ----a-w- d:\windows\War3Unin.exe
2009-05-11 19:43 . 2009-05-11 19:43 21640 ----a-w- d:\windows\system32\emptyregdb.dat
2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- d:\windows\system32\localspl.dll
2009-05-04 20:09 . 2009-05-12 08:32 89600 ----a-w- d:\windows\system32\atl71.dll
2009-05-04 20:09 . 2009-05-12 08:32 499712 ----a-w- d:\windows\system32\msvcp71.dll
2009-05-04 20:09 . 2009-05-12 08:32 348160 ----a-w- d:\windows\system32\msvcr71.dll
2009-07-19 10:08 . 2009-07-14 02:36 137208 ----a-w- d:\program files\mozilla firefox\components\brwsrcmp.dll
2009-05-04 20:14 . 2009-07-20 21:37 36864 ----a-w- d:\program files\mozilla firefox\components\NsThunderLoader.dll
2009-05-04 20:14 . 2009-07-20 21:37 53248 ----a-w- d:\program files\mozilla firefox\components\ThunderComponent.dll
.

------- Sigcheck -------

[7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 d:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D d:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E d:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2008-06-20 10:45 360320 01D5EAAFF224415A7FF513E4C882BE30 d:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 d:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2004-08-04 12:00 359040 C1783498EDB152656303B5D5BCABD86C d:\windows\$NtUninstallKB951748_0$\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 d:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D d:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 11:51 361600 4AFB3B0919649F95C1964AA1FAD27D73 d:\windows\system32\drivers\tcpip.sys

.
((((((((((((((((((((((((((((( SnapShot@2009-07-20_05.56.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-15 06:45 . 2008-01-15 06:45 278528 d:\windows\system32\pncrt.dll
- 2007-04-30 04:30 . 2007-04-30 04:30 278528 d:\windows\system32\pncrt.dll
.
((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="d:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="d:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2008-08-24 13574144]
"NvMediaCenter"="d:\windows\system32\NvMcTray.dll" [2008-08-24 86016]
"razer"="d:\program files\Razer\razerhid.exe" [2005-05-18 147456]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2009-05-25 148888]
"PSPVideoConverter_upgrade"="d:\program files\E-Zsoft\PSPVideoConverter\PSPVideoConverter.exe" [2009-03-25 495616]
"nwiz"="nwiz.exe" - d:\windows\system32\nwiz.exe [2008-08-24 1657376]
"RTHDCPL"="RTHDCPL.EXE" - d:\windows\RTHDCPL.EXE [2007-08-20 16384512]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"d:\\Program Files\\Funshion Online\\Funshion\\Funshion.exe"=
"d:\\WINDOWS\\system32\\PnkBstrA.exe"=
"d:\\WINDOWS\\system32\\PnkBstrB.exe"=
"d:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"d:\\Program Files\\Skype\\Phone\\Skype.exe"=
"d:\\Program Files\\Thunder Network\\Thunder\\Program\\Thunder5.exe"=
"d:\\Program Files\\QvodPlayer\\QvodTerminal.exe"=

S3 Ambfilt;Ambfilt;d:\windows\system32\drivers\Ambfilt.sys [2009-5-11 13:40 1684736]
S3 PciCon;PciCon;\??\f:\pcicon.sys --> f:\PciCon.sys [?]
S3 Razerlow;Razerlow USB Filter Driver;d:\windows\system32\drivers\Razerlow.sys [2009-5-11 14:04 13225]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"d:\windows\system32\rundll32.exe" "d:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-QuickTime Task - d:\program files\MpcStar\Codecs\QuickTime\QTSystem\qttask.exe


.
------- 而外的扫描 -------
.
uStart Page = hxxp://www.google.com.sg/
mStart Page = about:blank
IE: ê1ó???à×???? - d:\program files\Thunder Network\Thunder\Program\GetUrl.htm
IE: ê1ó???à×????è?2?á′?ó - d:\program files\Thunder Network\Thunder\Program\GetAllUrl.htm
IE: 使用迅雷下载 - d:\program files\Thunder Network\Thunder\Program\geturl.htm
IE: 使用迅雷下载全部链接 - d:\program files\Thunder Network\Thunder\Program\getallurl.htm
IE: {{09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - d:\program files\Thunder Network\Thunder\Thunder.exe
Trusted Zone: photobucket.com
FF - ProfilePath - d:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\hdcqx96q.default\
FF - plugin: d:\program files\MpcStar\Codecs\Real\browser\plugins\nppl3260.dll
FF - plugin: d:\program files\MpcStar\Codecs\Real\browser\plugins\nprpjplug.dll

---- 火狐配置文件 ----
d:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
d:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
d:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-20 22:06
Windows 5.1.2600 Service Pack 3 NTFS

扫描被隐藏的进程 。。。

扫描被隐藏的启动组 。。。

扫描被隐藏的文件 。。。

扫描完成
被隐藏的档案: 0

**************************************************************************
.
--------------------- 运行进程下的动态链接库 ---------------------

- - - - - - - > 'explorer.exe'(712)
d:\windows\system32\WININET.dll
d:\windows\system32\ieframe.dll
d:\windows\system32\webcheck.dll
d:\windows\system32\WPDShServiceObj.dll
d:\windows\system32\PortableDeviceTypes.dll
d:\windows\system32\PortableDeviceApi.dll
.
------------------------ 其他运行进程 ------------------------
.
d:\program files\Java\jre6\bin\jqs.exe
d:\windows\system32\nvsvc32.exe
d:\windows\system32\PnkBstrA.exe
d:\windows\system32\PnkBstrB.exe
d:\windows\system32\wscntfy.exe
d:\windows\system32\conime.exe
d:\windows\system32\rundll32.exe
d:\program files\Razer\razerofa.exe
.
**************************************************************************
.
完成时间: 2009-07-21 22:08 - 电脑已重新启动
ComboFix-quarantined-files.txt 2009-07-21 05:08
ComboFix2.txt 2009-07-20 21:54
ComboFix3.txt 2009-07-20 05:57

Pre-Run: 18,531,565,568 bytes free
Post-Run: 18,915,254,272 bytes free

261 --- E O F --- 2009-05-16 17:22

0

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:11:31, on 2009-7-20
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\PnkBstrA.exe
D:\WINDOWS\system32\PnkBstrB.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\system32\conime.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\WINDOWS\RTHDCPL.EXE
D:\Program Files\Razer\razerhid.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Razer\razerofa.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\system32\notepad.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - D:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [razer] D:\Program Files\Razer\razerhid.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [PSPVideoConverter_upgrade] "D:\Program Files\E-Zsoft\PSPVideoConverter\PSPVideoConverter.exe" /upgrade
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: 使用迅雷下载 - D:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 - D:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O9 - Extra button: 启动迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - D:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: 启动迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - D:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - D:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1242174799984
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-09.sun.com/s/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab?e=1243164414327&h=7b5a33438611c8ba01299a155cfe74ba/&filename=jinstall-6u13-windows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - D:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - D:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 5466 bytes

0

1. Please open Notepad Click Start , then Run
Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:



DirLook::
d:\temp\_avast4_


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

7. After reboot, (in case it asks to reboot), please post the following reports/logs into your next replyafter youre-enable all the programs that were disabled during the running of ComboFix:Combofix.txt
A new HijackThis log.
Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Attachments CFScript.gif 27.09 KB
0

ComboFix 09-07-19.04 - Owner -07-21 星期二 11:11.4.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.936.86.1033.18.2047.1665 [GMT -7:00]
执行位置: d:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\Owner\Desktop\CFScript.txt
.

((((((((((((((((((((((((( 2009-06-21 至 2009-07-21 的新的档案 )))))))))))))))))))))))))))))))
.

2009-07-21 06:13 . 2009-07-21 06:13 -------- d-----w- d:\windows\LastGood
2009-07-21 06:13 . 2009-07-21 06:13 -------- d-----w- d:\program files\Windows Live Safety Center
2009-07-21 05:06 . 2009-07-21 05:06 16384 ----atw- d:\temp\Perflib_Perfdata_4a4.dat
2009-07-21 02:11 . 2009-07-21 02:11 -------- d-----w- d:\program files\Trend Micro
2009-07-20 23:48 . 2009-07-21 00:22 -------- d-----w- D:\Media
2009-07-20 23:29 . 2009-07-20 23:44 -------- d-----w- D:\gougou_temp
2009-07-20 21:37 . 2009-07-20 21:37 -------- d-----w- d:\program files\Common Files\Thunder Network
2009-07-20 21:37 . 2009-07-20 21:37 -------- d-----w- d:\program files\Thunder Network
2009-07-20 07:18 . 2009-07-20 07:18 -------- d-----w- d:\program files\VS Revo Group
2009-07-20 04:50 . 2009-07-20 04:50 -------- d-----w- d:\program files\CCleaner
2009-07-20 03:20 . 2009-04-30 21:22 12800 -c----w- d:\windows\system32\dllcache\xpshims.dll
2009-07-20 03:20 . 2009-04-30 21:22 1985024 -c----w- d:\windows\system32\dllcache\iertutil.dll
2009-07-20 03:20 . 2009-04-30 21:22 246272 -c----w- d:\windows\system32\dllcache\ieproxy.dll
2009-07-20 03:20 . 2009-04-30 21:22 11064832 -c----w- d:\windows\system32\dllcache\ieframe.dll
2009-07-19 23:32 . 2009-07-19 23:32 -------- d-----w- d:\documents and settings\Owner\Local Settings\Application Data\Google
2009-07-19 23:31 . 2009-07-19 23:32 -------- d-----w- d:\program files\Google
2009-07-19 09:35 . 2009-07-20 05:46 -------- d-----w- d:\temp\_avast4_
2009-07-19 03:24 . 2009-07-19 03:24 -------- d-----w- d:\documents and settings\Owner\Application Data\Malwarebytes
2009-07-19 03:24 . 2009-07-19 03:24 -------- d-----w- d:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-17 06:42 . 2009-07-21 01:14 -------- d-----w- d:\program files\QvodPlayer
2009-07-14 02:37 . 2009-07-14 02:37 -------- d-----w- d:\documents and settings\Owner\Local Settings\Application Data\Mozilla
2009-07-05 05:01 . 2009-07-05 05:01 -------- d-----w- d:\documents and settings\Owner\Application Data\AVS4YOU
2009-07-05 05:01 . 2009-07-05 05:01 -------- d-----w- d:\documents and settings\All Users\Application Data\AVS4YOU
2009-07-05 05:00 . 2009-07-05 05:01 -------- d-----w- d:\program files\Common Files\AVSMedia
2009-07-05 05:00 . 2008-08-13 18:22 974848 ----a-w- d:\windows\system32\mfc70.dll
2009-07-05 05:00 . 2008-08-13 18:22 487424 ----a-w- d:\windows\system32\msvcp70.dll
2009-07-05 05:00 . 2009-07-05 05:01 -------- d-----w- d:\program files\AVS4YOU
2009-07-05 05:00 . 2008-08-13 18:22 1700352 ----a-w- d:\windows\system32\GdiPlus.dll
2009-07-05 05:00 . 2008-08-13 18:22 24576 ----a-w- d:\windows\system32\msxml3a.dll
2009-07-05 04:52 . 2009-07-05 04:52 -------- d-----w- d:\documents and settings\Owner\Application Data\Red Kawa
2009-07-05 04:52 . 2009-07-06 21:49 -------- d-----w- d:\program files\WeFi
2009-07-05 04:51 . 2009-07-05 04:51 -------- d-----w- d:\program files\Red Kawa
2009-07-05 04:47 . 2009-07-05 04:47 -------- d-----w- d:\program files\E-Zsoft
2009-07-05 04:24 . 2009-07-05 04:24 -------- d-----w- d:\program files\DVDVideoSoft
2009-07-05 03:55 . 2009-07-05 03:55 -------- d-----w- d:\documents and settings\Owner\Application Data\ImTOO Software Studio
2009-07-05 03:48 . 2002-01-05 22:37 344064 ----a-w- d:\windows\system32\msvcr70.dll
2009-07-05 03:48 . 2009-07-05 04:24 -------- d-----w- d:\program files\Common Files\DVDVideoSoft
2009-07-03 10:49 . 2009-07-03 10:49 -------- d-----w- d:\documents and settings\Owner\Local Settings\Application Data\Apple Computer
2009-07-02 23:35 . 2009-07-02 23:35 -------- d-----w- d:\program files\AviSynth 2.5
2009-07-02 23:32 . 2009-07-02 23:32 -------- d-----w- d:\program files\MSBuild
2009-07-02 23:29 . 2009-07-20 03:26 -------- d-----w- d:\windows\system32\XPSViewer
2009-07-02 23:29 . 2009-07-02 23:29 -------- d-----w- d:\program files\Reference Assemblies
2009-07-02 23:28 . 2006-06-29 20:07 14048 ------w- d:\windows\system32\spmsg2.dll
2009-07-02 22:07 . 2009-07-02 22:07 -------- d-----w- d:\program files\GVOD
2009-07-01 08:53 . 2009-07-01 08:53 1060864 ----a-w- d:\windows\system32\MFC71.dll

.
(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-21 10:57 . 2009-05-11 21:24 -------- d-----w- d:\program files\Warcraft III
2009-07-21 05:59 . 2009-05-16 04:06 -------- d-----w- d:\program files\Garena
2009-07-21 03:21 . 2009-05-12 00:34 189104 ----a-w- d:\windows\system32\PnkBstrB.exe
2009-07-21 02:23 . 2009-05-12 00:34 139584 ----a-w- d:\windows\system32\drivers\PnkBstrK.sys
2009-07-21 02:21 . 2009-05-12 08:36 1112 ----a-w- d:\windows\system32\cid_store.dat
2009-07-21 02:15 . 2009-07-21 02:15 709 ----a-w- d:\program files\ProgramFiles.txt
2009-07-21 01:23 . 2009-05-11 21:43 -------- d-----w- d:\program files\MpcStar
2009-07-20 05:48 . 2009-05-11 20:11 22016 ----a-w- d:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-05 04:01 . 2009-05-13 00:23 -------- d-----w- d:\program files\Windows Media Connect 2
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- d:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- d:\windows\system32\t2embed.dll
2009-06-08 06:32 . 2009-06-08 06:32 -------- d-----w- d:\documents and settings\Owner\Application Data\DragonicaSCB
2009-06-08 05:42 . 2009-06-08 05:42 -------- d-----w- d:\program files\IAHGames
2009-06-08 05:37 . 2009-05-16 06:00 -------- d-----w- d:\program files\Windows Live
2009-06-03 19:09 . 2004-08-04 12:00 1291264 ----a-w- d:\windows\system32\quartz.dll
2009-05-29 08:59 . 2009-05-26 05:20 -------- d-----w- d:\documents and settings\Owner\Application Data\Skype
2009-05-29 08:59 . 2009-05-26 05:29 -------- d-----w- d:\documents and settings\Owner\Application Data\skypePM
2009-05-26 05:29 . 2009-05-26 05:29 56 ---ha-w- d:\windows\system32\ezsidmv.dat
2009-05-26 05:20 . 2009-05-26 05:20 -------- d-----r- d:\program files\Skype
2009-05-26 05:20 . 2009-05-26 05:20 -------- d-----w- d:\documents and settings\All Users\Application Data\Skype
2009-05-26 05:20 . 2009-05-26 05:20 -------- d-----w- d:\program files\Common Files\Skype
2009-05-25 02:25 . 2009-05-25 02:25 410984 ----a-w- d:\windows\system32\deploytk.dll
2009-05-25 02:25 . 2009-05-25 02:25 -------- d-----w- d:\program files\Java
2009-05-25 02:25 . 2009-05-25 02:25 152576 ----a-w- d:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-24 23:24 . 2009-05-12 00:34 75064 ----a-w- d:\windows\system32\PnkBstrA.exe
2009-05-24 22:09 . 2009-05-24 22:09 22328 ----a-w- d:\documents and settings\Owner\Application Data\PnkBstrK.sys
2009-05-24 22:09 . 2009-05-24 22:09 22328 ----a-w- d:\documents and settings\Owner\Application Data\PnkBstrK.sys
2009-05-24 22:09 . 2009-05-11 20:40 -------- d--h--w- d:\program files\InstallShield Installation Information
2009-05-24 21:47 . 2009-05-24 21:47 -------- d-----w- d:\program files\Activision
2009-05-13 05:15 . 2004-08-04 12:00 915456 ----a-w- d:\windows\system32\wininet.dll
2009-05-13 00:45 . 2009-05-11 19:45 76487 ----a-w- d:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-05-12 08:44 . 2009-05-12 08:44 0 ----a-w- d:\windows\nsreg.dat
2009-05-12 08:33 . 2009-05-12 08:33 20 ----a-w- d:\windows\system32\pub_store.dat
2009-05-11 21:41 . 2009-05-11 21:27 77641 ----a-w- d:\windows\War3Unin.dat
2009-05-11 21:41 . 2009-05-11 21:27 2829 ----a-w- d:\windows\War3Unin.pif
2009-05-11 21:41 . 2009-05-11 21:27 139264 ----a-w- d:\windows\War3Unin.exe
2009-05-11 19:43 . 2009-05-11 19:43 21640 ----a-w- d:\windows\system32\emptyregdb.dat
2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- d:\windows\system32\localspl.dll
2009-05-04 20:09 . 2009-05-12 08:32 89600 ----a-w- d:\windows\system32\atl71.dll
2009-05-04 20:09 . 2009-05-12 08:32 499712 ----a-w- d:\windows\system32\msvcp71.dll
2009-05-04 20:09 . 2009-05-12 08:32 348160 ----a-w- d:\windows\system32\msvcr71.dll
2009-07-19 10:08 . 2009-07-14 02:36 137208 ----a-w- d:\program files\mozilla firefox\components\brwsrcmp.dll
2009-05-04 20:14 . 2009-07-20 21:37 36864 ----a-w- d:\program files\mozilla firefox\components\NsThunderLoader.dll
2009-05-04 20:14 . 2009-07-20 21:37 53248 ----a-w- d:\program files\mozilla firefox\components\ThunderComponent.dll
.

------- Sigcheck -------

[7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 d:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D d:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E d:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2008-06-20 10:45 360320 01D5EAAFF224415A7FF513E4C882BE30 d:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 d:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2004-08-04 12:00 359040 C1783498EDB152656303B5D5BCABD86C d:\windows\$NtUninstallKB951748_0$\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 d:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D d:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 11:51 361600 4AFB3B0919649F95C1964AA1FAD27D73 d:\windows\system32\drivers\tcpip.sys

.
((((((((((((((((((((((((((((( SnapShot@2009-07-20_05.56.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-15 06:45 . 2008-01-15 06:45 278528 d:\windows\system32\pncrt.dll
- 2007-04-30 04:30 . 2007-04-30 04:30 278528 d:\windows\system32\pncrt.dll
.
((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="d:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="d:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2008-08-24 13574144]
"NvMediaCenter"="d:\windows\system32\NvMcTray.dll" [2008-08-24 86016]
"razer"="d:\program files\Razer\razerhid.exe" [2005-05-18 147456]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2009-05-25 148888]
"PSPVideoConverter_upgrade"="d:\program files\E-Zsoft\PSPVideoConverter\PSPVideoConverter.exe" [2009-03-25 495616]
"nwiz"="nwiz.exe" - d:\windows\system32\nwiz.exe [2008-08-24 1657376]
"RTHDCPL"="RTHDCPL.EXE" - d:\windows\RTHDCPL.EXE [2007-08-20 16384512]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"d:\\Program Files\\Funshion Online\\Funshion\\Funshion.exe"=
"d:\\WINDOWS\\system32\\PnkBstrA.exe"=
"d:\\WINDOWS\\system32\\PnkBstrB.exe"=
"d:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"d:\\Program Files\\Skype\\Phone\\Skype.exe"=
"d:\\Program Files\\Thunder Network\\Thunder\\Program\\Thunder5.exe"=
"d:\\Program Files\\QvodPlayer\\QvodTerminal.exe"=

S3 Ambfilt;Ambfilt;d:\windows\system32\drivers\Ambfilt.sys [2009-5-11 13:40 1684736]
S3 PciCon;PciCon;\??\f:\pcicon.sys --> f:\PciCon.sys [?]
S3 Razerlow;Razerlow USB Filter Driver;d:\windows\system32\drivers\Razerlow.sys [2009-5-11 14:04 13225]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"d:\windows\system32\rundll32.exe" "d:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- 而外的扫描 -------
.
uStart Page = hxxp://www.google.com.sg/
mStart Page = about:blank
IE: ê1ó???à×???? - d:\program files\Thunder Network\Thunder\Program\GetUrl.htm
IE: ê1ó???à×????è?2?á′?ó - d:\program files\Thunder Network\Thunder\Program\GetAllUrl.htm
IE: 使用迅雷下载 - d:\program files\Thunder Network\Thunder\Program\geturl.htm
IE: 使用迅雷下载全部链接 - d:\program files\Thunder Network\Thunder\Program\getallurl.htm
IE: {{09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - d:\program files\Thunder Network\Thunder\Thunder.exe
Trusted Zone: photobucket.com
FF - ProfilePath - d:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\hdcqx96q.default\
FF - plugin: d:\program files\MpcStar\Codecs\Real\browser\plugins\nppl3260.dll
FF - plugin: d:\program files\MpcStar\Codecs\Real\browser\plugins\nprpjplug.dll

---- 火狐配置文件 ----
d:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
d:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
d:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-21 11:14
Windows 5.1.2600 Service Pack 3 NTFS

扫描被隐藏的进程 。。。

扫描被隐藏的启动组 。。。

扫描被隐藏的文件 。。。

扫描完成
被隐藏的档案: 0

**************************************************************************
.
--------------------- 运行进程下的动态链接库 ---------------------

- - - - - - - > 'explorer.exe'(1832)
d:\windows\system32\WININET.dll
d:\windows\system32\ieframe.dll
d:\windows\system32\webcheck.dll
d:\windows\system32\WPDShServiceObj.dll
d:\windows\system32\PortableDeviceTypes.dll
d:\windows\system32\PortableDeviceApi.dll
.
完成时间: 2009-07-21 11:15
ComboFix-quarantined-files.txt 2009-07-21 18:15
ComboFix2.txt 2009-07-21 05:08
ComboFix3.txt 2009-07-20 21:54
ComboFix4.txt 2009-07-20 05:57

Pre-Run: 18,747,645,952 bytes free
Post-Run: 18,811,047,936 bytes free

243 --- E O F --- 2009-05-16 17:22

0

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:16:29, on 2009-7-21
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\PnkBstrA.exe
D:\WINDOWS\system32\PnkBstrB.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\WINDOWS\RTHDCPL.EXE
D:\Program Files\Razer\razerhid.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Razer\razerofa.exe
D:\WINDOWS\system32\conime.exe
D:\WINDOWS\explorer.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - D:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [razer] D:\Program Files\Razer\razerhid.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [PSPVideoConverter_upgrade] "D:\Program Files\E-Zsoft\PSPVideoConverter\PSPVideoConverter.exe" /upgrade
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: 使用迅雷下载 - D:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 - D:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O9 - Extra button: 启动迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - D:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: 启动迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - D:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - D:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1242174799984
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-09.sun.com/s/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab?e=1243164414327&h=7b5a33438611c8ba01299a155cfe74ba/&filename=jinstall-6u13-windows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - D:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - D:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 5394 bytes

0

I think that combofix is having problems with the chinese symbols.

Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

==

Let me know how the pc is.

0

Download the HostsXpert.
Run it and press "Restore M$ Hosts File" and press "OK". Exit Program.
Note that if you have a custom host file, this will remove it.

==

If that does not work, try the following;

Download Delete Domains from here and run it. It will delete all entries from the trusted and restricted zone.

You will have to register to download.

0

Hi...I have been reading everything on your thread. I have a question.....are you saying that you have
right clicked on the IE Explorer icon on your desktop and selected Properties. That will bring up a screen showing all the internet properties and in the first block there is an address that has some Chinese website in it.(www.369.com)
If you delete that entry and type in a good address to a home page you want, then click APPLY at the bottom, then click OK and then exit the Properties screen........then double click the IE Explorer Icon to open the browser it WON'T go to the webpage you just entered as what you want the current browser to be?

0

Try this:

- Click on "start", then click on "run".
- Type in regedit in the'Open' field then click on "ok".
- The Registry Editor will open up
- You will now see several main keys starting with HKEY_.
- Open the 'HKEY_CURRENT_USER' one
- Expand the following folders ... HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel
- In the right hand pane find the value for "HomePage"
- Double click on it and enter a 0 (zero) in the "value data" box, or simply delete this value
- Close the registry editor and you should now have re-enabled the option to change your homepage
- It may require a reboot for changes to take effect.

0

If the change will not take then it very well might be that it was indeed hijack by "CoolWebStuff hijacker". The following site gives some instructions on how to remove it -- http://www.pchell.com/support/aboutblank.shtml

This site as well as others say that the Spyware program Adware Away is successful at removing this from your machine. Others have had good luck with the program.
http://www.adwareaway.com/aboutblank.htm
The program costs 29.95 but they have a free trial that you can download and use to remove the problem without the purchase or you can just purchase it. Always good to have spyware/protection on your machine.
The above website says there are about 5 variants of the About:blank hijacker out there and others around the web have had good luck getting their machine clean with the Adware Away program. Good luck.

If you do start changing the registry with the editor, please be sure to make a backup copy in case anything goes wrong first. I noticed people are not telling you to make a copy before changing to be on the safe side.

0

Okay....I never used the adwareaway myself. I keep Kaspersky Internet Security and Webroot Spy Sweeper on my machine and never got a virus or spyware myself. In other searches people are saying that the SpyBot Search and Destroy will also remove this problem from your machine. Also, Rik thanks for pointing out the WOT site.....I never visited that page before...that's a handy site to keep on hand.

0

Did you try deletedomains?


  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the /, it needs to be there.
0

OK - maybe this sounds like a dumb question, but have to ask.

Are you of Chinese heritage, as am first wondering if the Chinese symbol issue is a result of your own system language packs, or as a result from a hack leading this Chinese website. Would just help clarify a few things.

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.