0

I experience popups that slows down my processing speed of my other computer. This is my HJT log. I appreciate someone will be able to advise me on what to do.

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 7:29:39, on 2010-2-2
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
D:\软件\storm2\stormliv.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
D:\软件\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\System32\wuauclr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\COMMON~1\McAfee\MSC\McUICnt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\rundll32.exe

O1 - Hosts: 60.209.152.204 www.kzdh.com
O1 - Hosts: 60.209.152.204 www.6781.com
O1 - Hosts: 60.209.152.204 www.i2345.cn
O1 - Hosts: 60.209.152.204 www.haokan123.com
O1 - Hosts: 60.209.152.204 www.365wz.net
O1 - Hosts: 60.209.152.204 www.5d5e.com
O1 - Hosts: 60.209.152.204 www.112r.com
O1 - Hosts: 60.209.152.204 www.32e.com
O1 - Hosts: 60.209.152.204 www.77177.com
O1 - Hosts: 60.209.152.204 www.daluobo.cn
O1 - Hosts: 60.209.152.204 www.haha111.com
O1 - Hosts: 60.209.152.204 www.15wz.com
O1 - Hosts: 60.209.152.204 www.fm5566.com
O1 - Hosts: 60.209.152.204 www.9798.net
O1 - Hosts: 60.209.152.204 www.s565.com
O1 - Hosts: 60.209.152.204 www.345s.com
O1 - Hosts: 60.209.152.204 www.110wz.com
O1 - Hosts: 60.209.152.204 www.6dh.com
O1 - Hosts: 60.209.152.204 www.tt98.com
O1 - Hosts: 60.209.152.204 www.85851.com
O1 - Hosts: 60.209.152.204 www.66d8.cn
O1 - Hosts: 60.209.152.204 www.baihu.cn
O1 - Hosts: 60.209.152.204 www.hang123.com
O1 - Hosts: 60.209.152.204 www.17909.com
O1 - Hosts: 60.209.152.204 www.838.cc
O1 - Hosts: 60.209.152.204 www.ee258.com
O1 - Hosts: 60.209.152.204 www.gjj.cc
O1 - Hosts: 60.209.152.204 www.1188.com
O1 - Hosts: 60.209.152.204 www.go2000.com
O1 - Hosts: 60.209.152.204 www.go2000.cn
O1 - Hosts: 60.209.152.204 www.1116.cn
O1 - Hosts: 60.209.152.204 www.365j.com
O1 - Hosts: 60.209.152.204 www.8687.cn
O1 - Hosts: 60.209.152.204 www.15151.cn
O1 - Hosts: 60.209.152.204 www.v2233.com
O1 - Hosts: 60.209.152.204 www.iq123.com
O1 - Hosts: 60.209.152.204 www.4688.com
O1 - Hosts: 60.209.152.204 www.fala123.cn
O1 - Hosts: 60.209.152.204 www.3110.cn
O1 - Hosts: 60.209.152.204 www.haoz123.cn
O1 - Hosts: 60.209.152.204 www.85vv.com
O1 - Hosts: 60.209.152.204 www.ok100.net.cn
O1 - Hosts: 60.209.152.204 www.ai1234.com
O1 - Hosts: 60.209.152.204 www.11227.cn
O1 - Hosts: 60.209.152.204 www.669dh.cn
O1 - Hosts: 60.209.152.204 www.kaka888.com
O1 - Hosts: 60.209.152.204 www.qq5.com
O1 - Hosts: 60.209.152.204 www.you2000.cn
O1 - Hosts: 60.209.152.204 www.yy2000.net
O2 - BHO: SearchHook Class - {00000000-0593-4356-9CF7-1D8C2B3343C0} - C:\Program Files\Baidu\AddressBar\AddressBar.dll (file missing)
O2 - BHO: ThunderAtOnce Class - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\软件\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O2 - BHO: PPVADownloader - {A986E409-30CC-4185-89BB-AB212C104524} - C:\Program Files\PPLive\PPVA\DownloaderManager.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: 快车(FlashGet) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\软件\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [3] C:\WINDOWS\Svcpack\XPLODE.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [3] C:\WINDOWS\Svcpack\XPLODE.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [3] C:\WINDOWS\Svcpack\XPLODE.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [3] C:\WINDOWS\Svcpack\XPLODE.EXE (User 'Default user')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Google 边栏评注... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O8 - Extra context menu item: iSee 保存所有图片 - d:\Program Files\iSee\iSeeSavePicAll.htm
O8 - Extra context menu item: iSee保存Flash - d:\Program Files\iSee\iSeeSaveFlash.htm
O8 - Extra context menu item: iSee保存所有图片 - d:\Program Files\iSee\iSeeSavePicAll.htm
O8 - Extra context menu item: iSee读取Exif - d:\Program Files\iSee\iSeeReadExif.htm
O8 - Extra context menu item: 使用光影编辑和美化 - D:\软件\nEO iMAGING\NeoOpenNeo.htm
O8 - Extra context menu item: 使用迅雷下载 - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O8 - Extra context menu item: 导出到 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到QQ表情 - D:\软件\QQ\Bin\AddEmotion.htm
O8 - Extra context menu item: 通过网易闪电邮发送 - D:\软件\网易闪电邮\data\getcontent.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\软件\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\软件\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {6AD31948-2ED9-4A2B-85EA-105DD4F656B4} - (no file) (HKCU)
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {BFB79EE1-04AE-4D4A-B85E-27EE5F30C095} (ScreenCapture Class) - http://m51.mail.qq.com/zh_CN/activex/TencentMailActiveX.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: mbox - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: mboxflash - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O22 - SharedTaskScheduler: Browseui 预加载程序 - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: 组件类别缓存程序 - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Contrl Center of Storm Media (ccosm) - 北京暴风网际科技有限公司 - D:\软件\storm2\stormliv.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google 更新服务 (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 11762 bytes

2
Contributors
31
Replies
32
Views
7 Years
Discussion Span
Last Post by foxkueh
0

I experience popups that slows down my processing speed of my other computer. This is my HJT log. I appreciate someone will be able to advise me on what to do.

HJT log as above.

--
End of file - 11762 bytes

This problem occurs with a different pc which I need to solve as soon as possible. Can you help me pls.
Foxkueh

0

Please go to Jotti's or to virustotal and have this file scanned. Post the results back here.

C:\WINDOWS\Svcpack\XPLODE.EXE

==

Download DDS from the following location:


DDS Tool

Save dds.scr to the desktop

Disable any script-blocking programs and then double-click on the DDS.scr icon to start the program. If you did not disable a script-blocker that may be part of your antimalware program, you may receive a warning from your antimalware product asking if you would like DDS.scr to run. Please allow it to do so.

Once you double-click the icon a Windows security warning may also appear asking if you are sure you would like to run the program. Click on the Run button to start DDS. If no warning appeared, then you should just continue.

DDS will now display a small black window providing information as to what DDS is doing on your computer.

DDS will now start scanning your computer and compiling a variety of information about what programs are starting on your computer, what files have been recently created, and the general configuration of your computer. When DDS has finished scanning, all of this information will be compiled and be displayed in two Notepad windows named dds.txt and attach.txt.

You will then be shown a small box giving instructions as to what you should do with these files. Feel free to close this message box by pressing the OK button.

We now need to save the two log files that were created. First click on the DDS.txt window and click on the File menu and then select Save As... menu option.

Save DDS.txt to the desktop. Now click on the Attach.txt Notepad window and save that to the desktop also.

Copy the contents of the DDS.txt log and paste it into your reply here.
Attach the attach.txt log with your reply using Reply to Thread button, then the Manage Attachments button.

0

Thanks Crunchie for the instruction. However I cannot find C:\WINDOWS\Svcpack\XPLODE.EXE for Jotti's to scan. That's number one.

Secondly, the dds.scr would not run. I disable all the protections and disconnect the internet connection. Then I double-click dds.scr, but it just opens the black window and immediately disappears. I checked Task Manager to confirm it is not running.

Pls advise how I can resolve these issures.

Thanks
foxkueh

0

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

* Rkill.com
* Rkill.scr
* Rkill.pif
* Rkill.exe

* Double-click on the Rkill desktop icon to run the tool.
* If using Vista or Windows 7 right-click on it and choose Run As Administrator.
* A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
* If not, delete the file, then download and use the one provided in Link 2.
* If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
* Do not reboot until instructed.
* If the tool does not run from any of the links provided, please let me know.

Run DDS now and see if it works.

====

* Please download exeHelper from Raktor to your desktop.
* Double-click on exeHelper.com to run the fix.
* A black window should pop up, press any key to close once the fix is completed.
* A log file named log.txt will be created in the directory where you ran exeHelper.com
* Attach the log.txt file to your next message.

Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

Edited by crunchie: n/a

0

Thanks Crunchie,

Run rkill.scr ok, but dds.scr still didn't run. No txt file.

Run exehelper ok, attach exehelper.txt if any use.

exeHelper by Raktor
Build 20091220
Run at 04:31:12 on 02/04/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

Need further help from you, mate.

foxkueh

Attachments
exeHelper by Raktor
Build 20091220
Run at 04:31:12 on 02/04/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--
0

Please download ComboFix by sUBs from HERE or HERE

  • You must download it to and run it from your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
  • Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!

0

Thanks Crunchie,

Here are the logs for you advice:

ComboFix 10-02-03.04 - Administrator -02-04 星期四 9:53.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.936.86.2052.18.895.322 [GMT 8:00]
执行位置: c:\documents and settings\Administrator\桌面\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: ActiveArmor Firewall *disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* 防毒软件还在运行中


注意 - 这台电脑没有安装恢复控制台 !!
.
Error: Cfiles.dat

((((((((((((((((((((((((((((((((((((((( 被删除的档案 )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\BITS
c:\documents and settings\Administrator\Application Data\BITS\BITS.ini
c:\documents and settings\Administrator\Application Data\BITS\DHTTable.dat
c:\documents and settings\Administrator\Application Data\BITS\ProxyList.ini
c:\program files\StormII
d:\软件\网易闪电邮\Start.exe

.
((((((((((((((((((((((((( 2010-01-04 至 2010-02-04 的新的档案 )))))))))))))))))))))))))))))))
.

2010-02-03 20:06 . 2010-02-03 20:06 126208 ----a-w- c:\windows\system32\SmartPopup.dll
2010-02-03 20:06 . 2010-02-03 20:06 131840 ----a-w- c:\windows\system32\SmartClick.dll
2010-02-02 01:25 . 2010-02-02 01:25 -------- dc----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-02-02 01:24 . 2010-01-07 08:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-02 01:24 . 2010-02-02 01:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-02 01:24 . 2010-01-07 08:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-01 06:32 . 2010-02-01 05:40 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-02-01 05:41 . 2009-12-02 13:19 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-02-01 05:40 . 2010-02-01 05:40 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2010-02-01 05:40 . 2010-02-01 05:40 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2010-02-01 05:40 . 2010-02-01 05:40 206944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2010-02-01 05:40 . 2010-02-01 05:40 390288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2010-02-01 05:40 . 2010-02-01 05:40 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2010-02-01 05:40 . 2010-02-01 05:40 389272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2010-02-01 05:40 . 2010-02-01 05:40 163728 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2010-02-01 05:40 . 2010-02-01 05:40 8 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2010-02-01 05:36 . 2010-02-01 05:37 6296864 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2010-02-01 05:36 . 2010-02-01 05:36 327000 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2010-02-01 05:36 . 2010-02-01 05:36 87496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2010-02-01 05:36 . 2010-02-01 05:36 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-02-01 05:36 . 2010-02-01 05:36 3803208 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2010-02-01 05:35 . 2010-02-01 05:36 816784 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2010-02-01 05:35 . 2010-02-01 05:35 823928 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-02-01 05:35 . 2010-02-01 05:35 1643272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2010-02-01 05:35 . 2010-02-01 05:35 788880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-02-01 05:35 . 2010-02-01 05:35 1181328 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-02-01 05:33 . 2009-12-07 14:10 2953352 -c--a-w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe
2010-02-01 05:30 . 2010-02-01 05:30 -------- d-----w- c:\program files\Lavasoft
2010-01-31 02:31 . 2010-01-31 02:31 -------- dc----w- c:\documents and settings\Administrator\Application Data\PPlive
2010-01-26 21:18 . 2010-01-26 21:18 132864 ----a-w- c:\windows\system32\SmartClickEx.dll
2010-01-25 05:17 . 2010-01-25 05:17 70372 ---ha-w- c:\windows\system32\mlfcache.dat
2010-01-25 05:15 . 2010-01-25 05:15 106496 -c--a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut311_0951773981FA4AB2BC21B7DCEC95892A.exe
2010-01-25 05:15 . 2010-01-25 05:15 18718 -c--a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut2_E88611396FF84AFCB2EE5C1594058E02.exe
2010-01-25 05:15 . 2010-01-25 05:15 18718 -c--a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\ARPPRODUCTICON.exe
2010-01-25 05:15 . 2010-01-25 05:15 106496 -c--a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut31_2F252077BA3F4362913955273A708467.exe
2010-01-25 05:15 . 2010-01-25 05:15 106496 -c--a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut1_EDD4ABB1C1B34A9D84CE33FBFB5D3639.exe
2010-01-25 05:14 . 2010-01-25 05:15 -------- d-----w- c:\program files\Common Files\Tencent
2010-01-25 05:14 . 2010-01-25 05:14 652616 ----a-w- c:\documents and settings\Administrator\Application Data\tencent\QQ\STemp\QQpinyinDL~0\QQPinyinDownload\QQDownload.dll
2010-01-25 05:14 . 2010-01-25 05:14 210248 ----a-w- c:\documents and settings\Administrator\Application Data\tencent\QQ\STemp\QQpinyinDL~0\QQPinyinDownload\QQPinyinDownload.exe
2010-01-25 05:13 . 2010-01-25 05:17 31048 ------r- c:\documents and settings\Administrator\Application Data\tencent\QQ\SafeBase\SelfUpdate.exe
2010-01-25 03:19 . 2010-02-01 05:33 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-22 04:39 . 2010-01-22 04:39 -------- d-----w- c:\documents and settings\LocalService\桌面
2010-01-22 03:59 . 2010-01-22 03:59 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\unispim6
2010-01-22 03:09 . 2010-02-01 05:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-22 02:31 . 2010-01-22 03:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-22 01:33 . 2010-01-22 01:33 388096 -c--a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-01-22 01:33 . 2010-01-22 01:33 -------- d-----w- c:\program files\TrendMicro
2010-01-12 19:42 . 2009-11-21 15:54 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-12 19:42 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-01-12 19:42 . 2009-10-15 16:28 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-01-12 19:37 . 2010-01-12 19:37 -------- d-----w- c:\program files\PPLive
2010-01-12 19:36 . 2010-01-12 19:37 -------- d-----w- c:\program files\Common Files\PPLiveNetwork
2010-01-09 06:30 . 2010-01-09 06:30 -------- d-----w- C:\C盘临时移出文件
2010-01-09 02:05 . 2010-01-09 02:05 115200 ----a-w- c:\program files\SOFTCH~1.EXE
2010-01-05 09:53 . 2010-01-05 09:53 192512 -c----w- c:\windows\system32\dllcache\iepeers.dll

.
(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-03 20:55 . 2007-07-03 10:33 57344 ----a-w- c:\windows\system32\wuauclr.exe
2010-02-03 20:55 . 2007-07-03 10:33 34304 ----a-w- c:\windows\system32\olemaskvr.dll
2010-02-03 20:55 . 2007-07-03 10:33 31744 ----a-w- c:\windows\system32\mspmsnsvr.dll
2010-02-02 04:09 . 2008-11-17 00:32 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2010-02-01 08:08 . 2009-12-21 07:38 -------- d-----w- c:\program files\快捷方式
2010-01-31 22:19 . 2009-12-21 09:05 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AddressBar
2010-01-31 05:12 . 2009-11-15 07:31 -------- d-----w- c:\documents and settings\All Users\Application Data\mcache
2010-01-31 05:10 . 2009-05-21 21:21 30 ----a-w- c:\windows\system32\mylk.dat
2010-01-30 23:36 . 2009-12-21 07:39 -------- dc----w- c:\documents and settings\Administrator\Application Data\AddressBar
2010-01-30 07:10 . 2009-02-14 21:53 3860 ----a-w- c:\windows\system32\cid_store.dat
2010-01-30 01:48 . 2007-07-03 12:01 -------- d-----w- c:\program files\Google
2010-01-25 05:16 . 2007-09-28 03:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\tencent
2010-01-23 20:28 . 2009-11-08 00:18 135424 ----a-w- c:\windows\system32\SmartSearch.dll
2010-01-13 08:04 . 2007-07-04 12:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-12 23:17 . 2009-11-11 02:53 -------- d-----w- c:\documents and settings\All Users\Application Data\PPLive
2010-01-12 19:37 . 2009-11-11 02:52 -------- d-----w- c:\program files\PPLiveVA
2010-01-12 19:37 . 2009-01-19 00:22 -------- d-----w- c:\documents and settings\All Users\Application Data\PPLiveVA
2010-01-11 20:12 . 2009-02-25 08:52 6005616 ----a-w- c:\documents and settings\Administrator\Application Data\PPLiveVA\PPVAUpdate\PPVAUpdate.exe
2010-01-05 09:53 . 2007-03-14 05:23 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 09:52 . 2007-03-14 05:23 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 09:52 . 2007-03-14 05:23 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-21 07:54 . 2009-12-21 07:54 342472 ----a-w- c:\windows\system32\upimlib.dll
2009-12-21 07:54 . 2009-06-07 07:52 -------- d-----w- c:\documents and settings\All Users\Application Data\unispim6
2009-12-21 07:53 . 2009-12-21 07:53 -------- d-----w- c:\program files\Thunisoft
2009-12-16 06:42 . 2009-12-26 06:57 872960 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1vo47hzc.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-12-16 06:42 . 2009-12-26 06:57 43008 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1vo47hzc.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-12-16 06:42 . 2009-12-26 06:57 340480 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1vo47hzc.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-12-16 06:41 . 2009-12-26 06:57 346624 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1vo47hzc.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-12-09 22:43 . 2009-10-09 21:24 1786 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2009-12-09 22:43 . 2007-03-14 05:23 41444 ----a-w- c:\windows\system32\prfc0804.dat
2009-12-09 22:43 . 2007-03-14 05:23 120340 ----a-w- c:\windows\system32\prfh0804.dat
2009-12-09 08:10 . 2007-07-03 10:35 87144 ----a-w- c:\documents and settings\Default User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-30 06:22 . 2009-11-30 06:22 49664 ----a-w- c:\windows\system32\SmartDash.dll
2009-11-21 15:54 . 2007-03-14 05:23 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-19 07:37 . 2007-08-31 00:45 31048 -c--a-w- c:\documents and settings\Administrator\Application Data\QQ\59B848686BA6270269CE15953350482D\qqdoctor\selfupdate.exe
2009-06-24 05:21 . 2009-07-29 07:16 190 ----a-w- c:\program files\快捷上网.url
2008-07-04 02:33 . 2008-12-07 10:09 24576 ----a-w- c:\program files\mozilla firefox\components\CheckTudouVa.dll
2009-01-12 11:45 . 2009-02-14 21:51 36864 ----a-w- c:\program files\mozilla firefox\components\NsThunderLoader.dll
2009-01-12 11:45 . 2009-02-14 21:51 53248 ----a-w- c:\program files\mozilla firefox\components\ThunderComponent.dll
.

------- Sigcheck -------

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2008-06-20 . 4AFB3B0919649F95C1964AA1FAD27D73 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[-] 2008-04-13 . 91FF07895928E71F83A18F7247860EDE . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
[-] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[-] 2006-04-20 . B4E29943B4B04BD5E7381546848E6669 . 359808 . . [5.1.2600.2892] . . c:\windows\$NtUninstallKB941644$\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-18 68856]
"PPLiveVA"="c:\program files\PPLive\PPVA\PPLiveVA.exe" [2009-12-30 71152]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-07 1176808]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-28 1218008]
"Malwarebytes Anti-Malware (reboot)"="d:\软件\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-07 1394000]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-13 7626752]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\XPtoVista\Logonui.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^「开始」菜单^程序^启动^快捷方式.lnk]
path=c:\documents and settings\Administrator\「开始」菜单\程序\启动\快捷方式.lnk
backup=c:\windows\pss\快捷方式.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-05-10 19:06 40048 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-06-01 01:21 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDogPath]
2003-01-21 07:19 40960 ----a-w- c:\windows\VM_STI.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 02:13 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2007-08-23 23:00 33648 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2004-10-27 07:21 61952 ------w- c:\windows\system32\HdAShCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2007-03-14 05:23 208952 ----a-w- c:\windows\ime\IMJP8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Pinyin IME Migration]
2008-11-03 20:24 33128 ----a-w- c:\progra~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsgCenterExe]
2007-09-13 08:59 69688 ----a-w- c:\program files\Common Files\Real\Update_OB\RealOneMessageCenter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 06:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-07-13 05:19 7626752 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2006-07-13 05:19 86016 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-07-13 05:19 1519616 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2007-03-14 05:23 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2007-03-14 05:23 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPAP]
2010-01-21 09:15 173512 ----a-w- c:\program files\Common Files\PPLiveNetwork\PPAP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPLiveVA]
2009-12-30 09:15 71152 ----a-w- c:\program files\PPLive\PPVA\PPLiveVA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
2005-09-07 07:35 716800 ----a-w- c:\program files\Analog Devices\SoundMAX\SMax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2005-05-21 09:11 925696 ----a-r- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 08:07 2260480 --sha-r- d:\软件\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-07-18 02:16 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2007-09-13 08:59 185680 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"d:\\软件\\Powerword 2007\\update.exe"=
"d:\\软件\\QQLive\\MiniQQLive.exe"=
"d:\\软件\\storm2\\Storm.exe"=
"d:\\软件\\storm2\\stormliv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"d:\\酷我音乐盒\\KwMusic.exe"=
"d:\\酷我音乐盒\\KwMV.exe"=
"d:\\软件\\QQ\\Bin\\QQ.exe"=
"c:\\Program Files\\酷6网\\极速酷6\\Ku6SpeedUpper.exe"=
"c:\\Program Files\\PPLive\\PPVA\\PPLiveVA.exe"=
"c:\\Program Files\\PPLive\\PPVA\\PPLiveVA_U.exe"=
"c:\\Program Files\\PPLive\\PPVA\\FlvPick.exe"=
"c:\\Program Files\\PPLive\\PPVA\\crashreporter.exe"=
"c:\\Program Files\\PPLive\\PPVA\\PPVADownload.exe"=
"c:\\Program Files\\PPLive\\PPVA\\DownloadProgress.exe"=
"c:\\Program Files\\Common Files\\PPLiveNetwork\\PPAP.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-2-1 13:41 64288]
R2 ccosm;Contrl Center of Storm Media;d:\软件\storm2\stormliv.exe [2008-3-11 14:33 475136]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-12-2 21:19 1181328]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-11-10 203280]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2007-8-22 13:08 685816]
S2 gupdate;Google 更新服务 (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-1-30 9:48 135664]
S3 npkycryp;npkycryp;\??\c:\windows\system32\npkycryp.sys --> c:\windows\system32\npkycryp.sys [?]
S3 rtl8180;IEEE 802.11b Wireless Cardbus/PCI Adapter;c:\windows\system32\drivers\rtl8180.sys [2007-7-3 19:30 184320]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
‘计划任务’ 文件夹 里的内容

2010-02-04 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 05:35]

2010-02-04 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 05:35]

2010-02-04 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 05:35]

2010-02-04 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 05:35]

2010-02-04 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 05:35]

2010-02-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 01:48]

2010-02-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 01:48]

2009-11-10 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-11-10 04:22]

2009-11-10 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-11-10 04:22]

2010-02-04 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-10-09 14:18]
.
.
------- 而外的扫描 -------
.
uStart Page = hxxp://www.so11.cn/?R1
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.bb2000.net/
uInternet Settings,ProxyOverride = local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Google 边栏评注... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: iSee 保存所有图片 - d:\program files\iSee\iSeeSavePicAll.htm
IE: iSee保存Flash - d:\program files\iSee\iSeeSaveFlash.htm
IE: iSee保存所有图片 - d:\program files\iSee\iSeeSavePicAll.htm
IE: iSee读取Exif - d:\program files\iSee\iSeeReadExif.htm
IE: 使用光影编辑和美化 - d:\软件\nEO iMAGING\NeoOpenNeo.htm
IE: 使用迅雷下载 - c:\program files\Thunder Network\Thunder\Program\geturl.htm
IE: 使用迅雷下载全部链接 - c:\program files\Thunder Network\Thunder\Program\getallurl.htm
IE: 导出到 Microsoft Excel(&X) - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: 添加到QQ表情 - d:\软件\QQ\Bin\AddEmotion.htm
IE: 通过网易闪电邮发送 - d:\软件\网易闪电邮\data\getcontent.htm
DPF: {BFB79EE1-04AE-4D4A-B85E-27EE5F30C095} - hxxp://m51.mail.qq.com/zh_CN/activex/TencentMailActiveX.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1vo47hzc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rlz=1R0GGGL_zh-CN
FF - prefs.js: network.proxy.type - 2
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1vo47hzc.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Mozilla Firefox\components\CheckTudouVa.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: d:\google\Picasa3\npPicasa3.dll
.
.
------- 文件类型 -------
.
txtfile=c:\windows\notepad.exe %1
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-FlashMail - d:\软件\网易闪电邮\Start.exe
HKU-Default-RunOnce-3 - c:\windows\Svcpack\XPLODE.EXE
MSConfigStartUp-FlashMail - d:\软件\网易闪电邮\Start.exe
MSConfigStartUp-iSeeTray - d:\软件\Program Files\iSee\iSee.exe
MSConfigStartUp-KuGoo3 - c:\program files\KuGoo3\KuGoo.exe
MSConfigStartUp-Picasa Media Detector - d:\picasa2\PicasaMediaDetector.exe
AddRemove-AddressBar - c:\program files\Baidu\AddressBar\ASBarBroker.exe
AddRemove-KB923789 - c:\windows\system32\MacroMed\Flash\genuinst.exe
AddRemove-QQ2008 - d:\软件\QQ\uninst.exe
AddRemove-飞速土豆 - d:\飞速tudou\uninst.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-04 10:04
Windows 5.1.2600 Service Pack 3 NTFS

扫描被隐藏的进程 。。。

扫描被隐藏的启动组 。。。

扫描被隐藏的文件 。。。

扫描完成
被隐藏的档案: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\AppEvents\Schemes\Apps\Conf\ g篘*慂Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_USERS\LocalService\AppEvents\Schemes\Apps\Conf\ g篘*慂Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_USERS\S-1-5-20\AppEvents\Schemes\Apps\Conf\ g篘*慂Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_USERS\S-1-5-21-507921405-776561741-725345543-500\AppEvents\Schemes\Apps\Conf\ g篘*慂Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_USERS\S-1-5-21-507921405-776561741-725345543-500\Software\ACD Systems\EditLib\Presets\+R *2*]
"调暗"=hex:3c,3f,78,6d,6c,20,76,65,72,73,69,6f,6e,3d,22,31,2e,30,22,3f,3e,3c,
63,6f,6d,6d,61,6e,64,3e,3c,6e,61,6d,65,3e,45,78,70,6f,73,75,72,65,4c,65,76,\
"加亮阴影"=hex:3c,3f,78,6d,6c,20,76,65,72,73,69,6f,6e,3d,22,31,2e,30,22,3f,3e,
3c,63,6f,6d,6d,61,6e,64,3e,3c,6e,61,6d,65,3e,45,78,70,6f,73,75,72,65,4c,65,\
"仅限中间调"=hex:3c,3f,78,6d,6c,20,76,65,72,73,69,6f,6e,3d,22,31,2e,30,22,3f,
3e,3c,63,6f,6d,6d,61,6e,64,3e,3c,6e,61,6d,65,3e,45,78,70,6f,73,75,72,65,4c,\

[HKEY_USERS\S-1-5-21-507921405-776561741-725345543-500\Software\ACD Systems\EditLib\Presets\陙≧輋IQ *2*]
"提高对比度"=hex:3c,3f,78,6d,6c,20,76,65,72,73,69,6f,6e,3d,22,31,2e,30,22,3f,
3e,3c,63,6f,6d,6d,61,6e,64,3e,3c,6e,61,6d,65,3e,45,78,70,6f,73,75,72,65,41,\

[HKEY_USERS\S-1-5-21-507921405-776561741-725345543-500\Software\ACD Systems\EditLib\Presets\4杚_/*貧IQ]
"调亮/调暗"=hex:3c,3f,78,6d,6c,20,76,65,72,73,69,6f,6e,3d,22,31,2e,30,22,3f,3e,
3c,63,6f,6d,6d,61,6e,64,3e,3c,6e,61,6d,65,3e,4c,43,45,3c,2f,6e,61,6d,65,3e,\
"仅限调暗"=hex:3c,3f,78,6d,6c,20,76,65,72,73,69,6f,6e,3d,22,31,2e,30,22,3f,3e,
3c,63,6f,6d,6d,61,6e,64,3e,3c,6e,61,6d,65,3e,4c,43,45,3c,2f,6e,61,6d,65,3e,\
"仅限调亮"=hex:3c,3f,78,6d,6c,20,76,65,72,73,69,6f,6e,3d,22,31,2e,30,22,3f,3e,
3c,63,6f,6d,6d,61,6e,64,3e,3c,6e,61,6d,65,3e,4c,43,45,3c,2f,6e,61,6d,65,3e,\
"默认值"=hex:3c,3f,78,6d,6c,20,76,65,72,73,69,6f,6e,3d,22,31,2e,30,22,3f,3e,3c,
63,6f,6d,6d,61,6e,64,3e,3c,6e,61,6d,65,3e,4c,43,45,3c,2f,6e,61,6d,65,3e,3c,\

[HKEY_USERS\S-1-5-21-507921405-776561741-725345543-500\Software\Microsoft\Internet Explorer\MenuExt\鹠燫0RQ*Q*h埮`]
@="d:\\软件\\QQ\\Bin\\AddEmotion.htm"
"contexts"=dword:00000002

[HKEY_LOCAL_MACHINE\software\Classes\*\shell\ *~v*NN購*N噀鯪\command]
@="\"c:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe\" http://www.sw777.cn/s/?%1"

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*膥鯪\CLSID]
@="{809B6661-94C4-49E6-B6EC-3F0F862215AA}"

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*膥鯪\CurVer]
@="BDATuner.组件.1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\MenuExt\鹠燫0RQ*Q*h埮`]
"contexts"=dword:00000002
@="d:\\软件\\QQ\\Bin\\AddEmotion.htm"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_473666fd\Codebases\F_d:\;*e*c*c*d*1*0*5*f*;*o忲n\QQ\Bin\QQ.exe]
"URL"="c:\\Documents and Settings\\Administrator\\Application Data\\Tencent\\QQ\\STemp\\~TXQQ2052~0\\SysDir\\Microsoft.VC80.ATL\\Microsoft.VC80.ATL.manifest"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\Codebases\F_d:\;*e*c*c*d*1*0*5*f*;*o忲n\QQ\Bin\QQ.exe]
"URL"="c:\\Documents and Settings\\Administrator\\Application Data\\Tencent\\QQ\\STemp\\~TXQQ2052~0\\SysDir\\Microsoft.VC80.CRT\\Microsoft.VC80.CRT.manifest"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\Codebases\F_d:\;*e*c*c*d*1*0*5*f*;*o忲n\QQ\Bin\QQ.exe]
"URL"="c:\\Documents and Settings\\Administrator\\Application Data\\Tencent\\QQ\\STemp\\~TXQQ2052~0\\SysDir\\Microsoft.VC80.MFCLOC\\Microsoft.VC80.MFCLOC.manifest"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\Codebases\F_d:\;*e*c*c*d*1*0*5*f*;*o忲n\QQ\Bin\QQ.exe]
"URL"="c:\\Documents and Settings\\Administrator\\Application Data\\Tencent\\QQ\\STemp\\~TXQQ2052~0\\SysDir\\Microsoft.VC80.MFC\\Microsoft.VC80.MFC.manifest"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6001.22319_x-ww_f0b4c2df\Codebases\F_d:\;*e*c*c*d*1*0*5*f*;*o忲n\QQ\Bin\QQ.exe]
"URL"="c:\\Documents and Settings\\Administrator\\Application Data\\Tencent\\QQ\\STemp\\~TXQQ2052~0\\SysDir\\Microsoft.Windows.GdiPlus\\Microsoft.Windows.GdiPlus.Manifest"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_policy.8.0.Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_8b3a2404\Codebases\F_d:\;*e*c*c*d*1*0*5*f*;*o忲n\QQ\Bin\QQ.exe]
"URL"="c:\\Documents and Settings\\Administrator\\Application Data\\Tencent\\QQ\\STemp\\~TXQQ2052~0\\SysDir\\Microsoft.VC80.ATL\\8.0.50727.4053.policy"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_2a9a3690\Codebases\F_d:\;*e*c*c*d*1*0*5*f*;*o忲n\QQ\Bin\QQ.exe]
"URL"="c:\\Documents and Settings\\Administrator\\Application Data\\Tencent\\QQ\\STemp\\~TXQQ2052~0\\SysDir\\Microsoft.VC80.CRT\\8.0.50727.4053.policy"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_policy.8.0.Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_3c7113f3\Codebases\F_d:\;*e*c*c*d*1*0*5*f*;*o忲n\QQ\Bin\QQ.exe]
"URL"="c:\\Documents and Settings\\Administrator\\Application Data\\Tencent\\QQ\\STemp\\~TXQQ2052~0\\SysDir\\Microsoft.VC80.MFCLOC\\8.0.50727.4053.policy"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_policy.8.0.Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_fb80a995\Codebases\F_d:\;*e*c*c*d*1*0*5*f*;*o忲n\QQ\Bin\QQ.exe]
"URL"="c:\\Documents and Settings\\Administrator\\Application Data\\Tencent\\QQ\\STemp\\~TXQQ2052~0\\SysDir\\Microsoft.VC80.MFC\\8.0.50727.4053.policy"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\Q*Q*2*0*0*8*B*e*t*a*1*Hy弝Hr\Components\SectionQQ]
"Installed"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Print\Printers\裇愺?*O*n*e*N*o*t*e* *2*0*0*7*\DsDriver]
"printBinNames"=multi:"默认纸盒\00\00"
"printColor"=hex:01
"printMaxXExtent"=dword:00000076
"printMaxYExtent"=dword:00000000
"printMinXExtent"=dword:00000076
"printMinYExtent"=dword:00000000
"printMediaSupported"=multi:"Letter\00Tabloid\00Legal\00A3\00A4\00A5\00B4 (JIS)\00B5 (JIS)\00Japanese Postcard\00自定义大小\00\00"
"printMediaReady"=multi:"\00\00"
"printOrientationsSupported"=multi:"PORTRAIT\00\00"
"printMaxResolutionSupported"=dword:0000012c
"printLanguage"=multi:"\00\00"
"printRateUnit"=""
"driverVersion"=dword:00000401

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Print\Printers\裇愺?*O*n*e*N*o*t*e* *2*0*0*7*\DsSpooler]
"description"=""
"driverName"="Send To Microsoft OneNote Driver"
"location"=""
"portName"=multi:"Send To Microsoft OneNote Port:\00\00"
"printStartTime"=dword:00000000
"printEndTime"=dword:00000000
"printerName"="发送至 OneNote 2007"
"printKeepPrintedJobs"=hex:00
"printSeparatorFile"=""
"printShareName"="发送至 OneNote 2007"
"printSpooling"="PrintWhileSpooling"
"priority"=dword:00000001
"uNCName"="\\\\PARENTS\\发送至 OneNote 2007"
"versionNumber"=dword:00000004
"serverName"="PARENTS"
"shortServerName"="PARENTS"
"flags"=dword:00000000
"url"="http://PARENTS/发送至 OneNote 2007"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Print\Printers\(W G O O G L Y B E A R
N陙≧ H P P h o t o s m a r t C 8 1 0 0 s e r i e s \DsDriver]
"printBinNames"=multi:" 自动选择\00 主纸盘\00 照片纸盒\00\00"
"printCollate"=hex:01
"printColor"=hex:01
"printDuplexSupported"=hex:01
"printStaplingSupported"=hex:00
"printMaxXExtent"=dword:0000086f
"printMaxYExtent"=dword:00001dc4
"printMinXExtent"=dword:000002fa
"printMinYExtent"=dword:000004e1
"printMediaSupported"=multi:"Letter\00Legal\00Executive\00A4\00A5\00B5 (JIS)\00Envelope #10\00A6\0010x15 厘米\0010x15 厘米(带裁剪边)\0013x18 厘米\002L 127x178 毫米\004x6 英寸\004x6 英寸(带裁剪边)\005x7 英寸\008x10 英寸\00照片卡 10x20 厘米(带裁剪边)\00照片卡,4x8 英寸(带裁剪边)\00无边界 10x15 厘米\00无边界 10x15 厘米(带裁剪边)\00无边界 8x10 英寸\00无边界 4x6 英寸\00无边界 4x6 英寸(带裁剪边)\00无边界 5x7 英寸\00无边界 13x18 厘米\00无边界 8.5x11 英寸\00无边界 A4,210x297 毫米\00无边界 cabinet 120x165 毫米\00无边界 hagaki 100x148 毫米\00无边界 A5,148x210 毫米\00无边界双面 A4,210x594 毫米\00无边界 A6\00无边界 B5,182x257 毫米\00无边界 L 89x127 毫米\003.5x5 英寸\00无边界 3.5x5 英寸\00无边界全景 4x10 英寸\00无边界全景 4x11 英寸\00无边界全景 4x12 英寸\00无边界全景 10x30 厘米\00无边界全景 10x25 厘米\00无边界全景 10x28 厘米\00无边界 2L 127x178 毫米\00Cabinet 尺寸 120x165 毫米\00A2 信封\00C6 信封\00DL 信封\00Hagaki 100x148 毫米\00索引卡 3x5 英寸\00索引卡 4x6 英寸\00索引卡 5x8 英寸\00日式信封 #2 111x146 毫米\00日式信封 #3,120x235 毫米\00日式信封 #4,90x205 毫米\00L 89x127 毫米\00Ofuku hagaki\00全景 4x10 英寸\00全景 4x11 英寸\00全景 4x12 英寸\00全景 10x25 厘米\00全景 10x28 厘米\00全景 10x30 厘米\00无边界卡 10x20 厘米(带裁剪边)\00无边界 B7\00无边界卡 4x8 英寸(带裁剪边)\00卡片信封 4.4x6 英寸\00HV\00无边界 HV\00B7\00全景双面 A4,210x594 毫米\00\00"
"printMediaReady"=multi:"A4\00\00"
"printNumberUp"=dword:00000006
"printOrientationsSupported"=multi:"PORTRAIT\00LANDSCAPE\00\00"
"printMaxResolutionSupported"=dword:000004b0
"printLanguage"=multi:"\00"
"printRateUnit"="PagesPerMinute"
"driverVersion"=dword:00000401

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Print\Printers\(W G O O G L Y B E A R
N陙≧ H P P h o t o s m a r t C 8 1 0 0 s e r i e s \DsSpooler]
"description"=""
"driverName"="HP Photosmart C8100 series"
"location"=""
"portName"=multi:"\\\\GOOGLYBEAR\\HPPhotos\00\00"
"printStartTime"=dword:00000000
"printEndTime"=dword:00000000
"printerName"="在 GOOGLYBEAR 上自动 HP Photosmart C8100 series"
"printKeepPrintedJobs"=hex:00
"printSeparatorFile"=""
"printShareName"=""
"printSpooling"="PrintWhileSpooling"
"priority"=dword:00000001
"uNCName"="\\\\PARENTS\\在 GOOGLYBEAR 上自动 HP Photosmart C8100 series"
"versionNumber"=dword:00000004
"serverName"="PARENTS"
"shortServerName"="PARENTS"
"flags"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Print\Printers\(W G O O G L Y B E A R
N陙≧ H P P h o t o s m a r t C 8 1 0 0 s e r i e s \HPPresetRoot]
"HPRestrictedUserGuid"="4621b228-c361-43bc-3aba-9fcf83adb7ed"
"PresetPoolMaxIndexCount"=hex:0a,00,00,00

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Print\Printers\(W G O O G L Y B E A R
N陙≧ H P P h o t o s m a r t C 8 1 0 0 s e r i e s \HPPresetRoot\PresetPoolData]
"PresetPool:0"=hex:94,11,00,00,15,00,00,00,52,00,00,00,20,00,d8,9e,a4,8b,53,62,
70,53,be,8b,6e,7f,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
"PresetPool:1"=hex:a6,11,00,00,15,00,00,00,52,00,00,00,00,4e,2c,82,e5,65,38,5e,
53,62,70,53,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
"PresetPool:2"=hex:18,12,00,00,15,00,00,00,52,00,00,00,67,71,47,72,53,62,70,53,
2d,00,e0,65,b9,8f,4c,75,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
"PresetPool:3"=hex:c6,11,00,00,15,00,00,00,52,00,00,00,67,71,47,72,53,62,70,53,
2d,00,26,5e,7d,76,72,82,b9,8f,46,68,00,00,00,00,00,00,00,00,00,00,00,00,00,\
"PresetPool:4"=hex:a2,11,00,00,15,00,00,00,52,00,00,00,cc,53,62,97,53,62,70,53,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
"PresetPool:5"=hex:96,11,00,00,15,00,00,00,52,00,00,00,14,6f,3a,79,53,62,70,53,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
"PresetPool:6"=hex:8a,11,00,00,15,00,00,00,52,00,00,00,eb,5f,1f,90,2f,00,cf,7e,
4e,6d,53,62,70,53,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
"PresetPool:7"=hex:c0,11,00,00,15,00,00,00,52,00,00,00,0e,66,e1,4f,47,72,53,62,
70,53,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
"PresetPool:8"=hex:bc,11,00,00,15,00,00,00,52,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
"PresetPool:9"=hex:ac,11,00,00,15,00,00,00,52,00,00,00,e5,5d,82,53,d8,9e,a4,8b,
be,8b,6e,7f,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Print\Printers\(W G O O G L Y B E A R
N陙≧ H P P h o t o s m a r t C 8 1 0 0 s e r i e s \HPPresetRoot\WatermarkPoolData]
"WatermarkPool:0"=hex:20,00,5b,00,e0,65,5d,00,00,00,00,20,00,5b,00,e0,65,5d,00,
00,00,00,41,00,72,00,69,00,61,00,6c,00,00,00,00,34,00,00,00,50,00,00,00,00,\
"WatermarkPool:1"=hex:3a,67,c6,5b,00,00,00,3a,67,c6,5b,00,00,00,41,00,72,00,69,
00,61,00,6c,00,00,00,00,34,00,00,00,48,00,00,00,00,01,01,c0,c0,c0,00,00,00,\
"WatermarkPool:2"=hex:49,83,3f,7a,00,00,00,49,83,3f,7a,00,00,00,41,00,72,00,69,
00,61,00,6c,00,00,00,00,34,00,00,00,48,00,00,00,00,01,01,c0,c0,c0,00,00,00,\
"WatermarkPool:3"=hex:37,68,8b,4f,00,00,00,37,68,8b,4f,00,00,00,41,00,72,00,69,
00,61,00,6c,00,00,00,00,34,00,00,00,48,00,00,00,00,01,01,c0,c0,c0,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Print\Printers\(W G O O G L Y B E A R
N陙≧ H P P h o t o s m a r t C 8 1 0 0 s e r i e s \PrinterDriverData]
"InitDriverVersion"=dword:00000600
"Model"="HP Photosmart c8100 series"
"PrinterDataSize"=dword:00000230
"PrinterData"=hex:00,06,30,02,81,08,00,00,80,1a,06,00,00,00,00,00,00,00,00,00,
64,00,58,02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,58,dd,09,20,08,\
"FeatureKeywordSize"=dword:00000109
"FeatureKeyword"=hex:44,75,70,6c,65,78,55,6e,69,74,00,4e,6f,74,49,6e,73,74,61,
6c,6c,65,64,00,0a,48,50,50,72,6e,50,72,6f,70,52,65,73,6f,75,72,63,65,44,61,\
"Forms?"=dword:2009dd58
"HPTrayCount"=dword:00000000
"HPTRAYINFOREGDATA"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
"DMCStatus"=dword:00000000
"DMCExportOnly"="True"
"InstallationComplete"=dword:00000000
"PrinterPropertiesPermission"=dword:00000001
"ConvertTicketModule"="c:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\HPZC35ha.DLL"
"ConvertTicketModule32"="c:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\HPZC35ha.DLL"
"DMCModule32"="c:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\HPCDMC32.DLL"
"HPRegionalPenErrorRecovery"=dword:00000001
"HPSupportRegionalPenQuery"=dword:00000001
"HPDynCtrDigits"=dword:00000005
"HPPrintingLanguage"=dword:00000004
"CombinedMediaStatus"=dword:00000000
"TrayFormTable"=multi:"主纸盘\00A4\000\00照片纸盒\000\000\00\00"
"TrayFormMapSize"=dword:00000021
"TrayFormMap"=hex:55,70,70,65,72,54,72,61,79,00,09,00,00,00,50,68,6f,74,6f,54,
72,61,79,00,00,00,00,00,00,00,00,00,00
"TrayFormKeywordSize"=dword:00000029
"TrayFormKeyword"=hex:55,70,70,65,72,54,72,61,79,00,41,34,3a,48,65,77,6c,65,74,
74,2d,50,61,63,6b,61,72,64,00,50,68,6f,74,6f,54,72,61,79,00,00,00
"HPDUMMY"=dword:00000000
"HPFormCount"=dword:00000003
"HPFORMINFOREGDATA"=hex:05,00,00,00,9f,00,00,00,00,00,00,00
"HPCustomMinLength"=dword:0001e828
"HPCustomMaxLength"=dword:000ba090
"HPCustomMaxWidth"=dword:00034b5c
"HPCustomMinWidth"=dword:000129a8
"MaxPaperWidth"=dword:0000086f
"InstallDate"="02/24/2009:06:23"
.
--------------------- 运行进程下的动态链接库 ---------------------

- - - - - - - > 'winlogon.exe'(484)
c:\windows\system32\UNISPIM6.IME
.
完成时间: 2010-02-04 10:07:58
ComboFix-quarantined-files.txt 2010-02-04 02:07

Pre-Run: 4,413,751,296 可用字节
Post-Run: 4,799,832,064 可用字节

- - End Of File - - DD2F5740DF6E8A9BEB3E14A9766C8555
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 10:13:44, on 2010-2-4
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
D:\软件\storm2\stormliv.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\conime.exe
D:\软件\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

O1 - Hosts: 60.209.152.204 www.kzdh.com
O1 - Hosts: 60.209.152.204 www.6781.com
O1 - Hosts: 60.209.152.204 www.i2345.cn
O1 - Hosts: 60.209.152.204 www.haokan123.com
O1 - Hosts: 60.209.152.204 www.365wz.net
O1 - Hosts: 60.209.152.204 www.5d5e.com
O1 - Hosts: 60.209.152.204 www.112r.com
O1 - Hosts: 60.209.152.204 www.32e.com
O1 - Hosts: 60.209.152.204 www.77177.com
O1 - Hosts: 60.209.152.204 www.daluobo.cn
O1 - Hosts: 60.209.152.204 www.haha111.com
O1 - Hosts: 60.209.152.204 www.15wz.com
O1 - Hosts: 60.209.152.204 www.fm5566.com
O1 - Hosts: 60.209.152.204 www.9798.net
O1 - Hosts: 60.209.152.204 www.s565.com
O1 - Hosts: 60.209.152.204 www.345s.com
O1 - Hosts: 60.209.152.204 www.110wz.com
O1 - Hosts: 60.209.152.204 www.6dh.com
O1 - Hosts: 60.209.152.204 www.tt98.com
O1 - Hosts: 60.209.152.204 www.85851.com
O1 - Hosts: 60.209.152.204 www.66d8.cn
O1 - Hosts: 60.209.152.204 www.baihu.cn
O1 - Hosts: 60.209.152.204 www.hang123.com
O1 - Hosts: 60.209.152.204 www.17909.com
O1 - Hosts: 60.209.152.204 www.838.cc
O1 - Hosts: 60.209.152.204 www.ee258.com
O1 - Hosts: 60.209.152.204 www.gjj.cc
O1 - Hosts: 60.209.152.204 www.1188.com
O1 - Hosts: 60.209.152.204 www.go2000.com
O1 - Hosts: 60.209.152.204 www.go2000.cn
O1 - Hosts: 60.209.152.204 www.1116.cn
O1 - Hosts: 60.209.152.204 www.365j.com
O1 - Hosts: 60.209.152.204 www.8687.cn
O1 - Hosts: 60.209.152.204 www.15151.cn
O1 - Hosts: 60.209.152.204 www.v2233.com
O1 - Hosts: 60.209.152.204 www.iq123.com
O1 - Hosts: 60.209.152.204 www.4688.com
O1 - Hosts: 60.209.152.204 www.fala123.cn
O1 - Hosts: 60.209.152.204 www.3110.cn
O1 - Hosts: 60.209.152.204 www.haoz123.cn
O1 - Hosts: 60.209.152.204 www.85vv.com
O1 - Hosts: 60.209.152.204 www.ok100.net.cn
O1 - Hosts: 60.209.152.204 www.ai1234.com
O1 - Hosts: 60.209.152.204 www.11227.cn
O1 - Hosts: 60.209.152.204 www.669dh.cn
O1 - Hosts: 60.209.152.204 www.kaka888.com
O1 - Hosts: 60.209.152.204 www.qq5.com
O1 - Hosts: 60.209.152.204 www.you2000.cn
O1 - Hosts: 60.209.152.204 www.yy2000.net
O2 - BHO: SearchHook Class - {00000000-0593-4356-9CF7-1D8C2B3343C0} - C:\Program Files\Baidu\AddressBar\AddressBar.dll (file missing)
O2 - BHO: ThunderAtOnce Class - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\软件\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: PPVADownloader - {A986E409-30CC-4185-89BB-AB212C104524} - C:\Program Files\PPLive\PPVA\DownloaderManager.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: 快车(FlashGet) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "D:\软件\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscri
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [PPLiveVA] C:\Program Files\PPLive\PPVA\PPLiveVA.exe /LoadModule PPVA.DLL /M REAL /S 0 /T 0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Google 边栏评注... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O8 - Extra context menu item: iSee 保存所有图片 - d:\Program Files\iSee\iSeeSavePicAll.htm
O8 - Extra context menu item: iSee保存Flash - d:\Program Files\iSee\iSeeSaveFlash.htm
O8 - Extra context menu item: iSee保存所有图片 - d:\Program Files\iSee\iSeeSavePicAll.htm
O8 - Extra context menu item: iSee读取Exif - d:\Program Files\iSee\iSeeReadExif.htm
O8 - Extra context menu item: 使用光影编辑和美化 - D:\软件\nEO iMAGING\NeoOpenNeo.htm
O8 - Extra context menu item: 使用迅雷下载 - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O8 - Extra context menu item: 导出到 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到QQ表情 - D:\软件\QQ\Bin\AddEmotion.htm
O8 - Extra context menu item: 通过网易闪电邮发送 - D:\软件\网易闪电邮\data\getcontent.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\软件\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\软件\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {6AD31948-2ED9-4A2B-85EA-105DD4F656B4} - (no file) (HKCU)
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {BFB79EE1-04AE-4D4A-B85E-27EE5F30C095} (ScreenCapture Class) - http://m51.mail.qq.com/zh_CN/activex/TencentMailActiveX.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: mbox - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: mboxflash - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O22 - SharedTaskScheduler: Browseui 预加载程序 - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: 组件类别缓存程序 - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Contrl Center of Storm Media (ccosm) - 北京暴风网际科技有限公司 - D:\软件\storm2\stormliv.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google 更新服务 (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 11133 bytes

0

Thanks Crunchie,

Here are the logs for you advice:

ComboFix 10-02-03.04 - Administrator -02-04 星期四 9:53.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.936.86.2052.18.895.322 [GMT 8:00]
执行位置: c:\documents and settings\Administrator\桌面\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: ActiveArmor Firewall *disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* 防毒软件还在运行中


注意 - 这台电脑没有安装恢复控制台 !!
.
Error: Cfiles.dat

((((((((((((((((((((((((((((((((((((((( 被删除的档案 )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\BITS
c:\documents and settings\Administrator\Application Data\BITS\BITS.ini
c:\documents and settings\Administrator\Application Data\BITS\DHTTable.dat
c:\documents and settings\Administrator\Application Data\BITS\ProxyList.ini
c:\program files\StormII
d:\软件\网易闪电邮\Start.exe

.
((((((((((((((((((((((((( 2010-01-04 至 2010-02-04 的新的档案 )))))))))))))))))))))))))))))))
.

2010-02-03 20:06 . 2010-02-03 20:06 126208 ----a-w- c:\windows\system32\SmartPopup.dll
2010-02-03 20:06 . 2010-02-03 20:06 131840 ----a-w- c:\windows\system32\SmartClick.dll
2010-02-02 01:25 . 2010-02-02 01:25 -------- dc----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-02-02 01:24 . 2010-01-07 08:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-02 01:24 . 2010-02-02 01:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-02 01:24 . 2010-01-07 08:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-01 06:32 . 2010-02-01 05:40 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-02-01 05:41 . 2009-12-02 13:19 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-02-01 05:40 . 2010-02-01 05:40 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2010-02-01 05:40 . 2010-02-01 05:40 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2010-02-01 05:40 . 2010-02-01 05:40 206944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2010-02-01 05:40 . 2010-02-01 05:40 390288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2010-02-01 05:40 . 2010-02-01 05:40 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2010-02-01 05:40 . 2010-02-01 05:40 389272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2010-02-01 05:40 . 2010-02-01 05:40 163728 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2010-02-01 05:40 . 2010-02-01 05:40 8 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2010-02-01 05:36 . 2010-02-01 05:37 6296864 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2010-02-01 05:36 . 2010-02-01 05:36 327000 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2010-02-01 05:36 . 2010-02-01 05:36 87496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2010-02-01 05:36 . 2010-02-01 05:36 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-02-01 05:36 . 2010-02-01 05:36 3803208 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2010-02-01 05:35 . 2010-02-01 05:36 816784 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2010-02-01 05:35 . 2010-02-01 05:35 823928 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-02-01 05:35 . 2010-02-01 05:35 1643272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2010-02-01 05:35 . 2010-02-01 05:35 788880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-02-01 05:35 . 2010-02-01 05:35 1181328 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-02-01 05:33 . 2009-12-07 14:10 2953352 -c--a-w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe
2010-02-01 05:30 . 2010-02-01 05:30 -------- d-----w- c:\program files\Lavasoft
2010-01-31 02:31 . 2010-01-31 02:31 -------- dc----w- c:\documents and settings\Administrator\Application Data\PPlive
2010-01-26 21:18 . 2010-01-26 21:18 132864 ----a-w- c:\windows\system32\SmartClickEx.dll
2010-01-25 05:17 . 2010-01-25 05:17 70372 ---ha-w- c:\windows\system32\mlfcache.dat
2010-01-25 05:15 . 2010-01-25 05:15 106496 -c--a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut311_0951773981FA4AB2BC21B7DCEC95892A.exe
2010-01-25 05:15 . 2010-01-25 05:15 18718 -c--a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut2_E88611396FF84AFCB2EE5C1594058E02.exe
2010-01-25 05:15 . 2010-01-25 05:15 18718 -c--a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\ARPPRODUCTICON.exe
2010-01-25 05:15 . 2010-01-25 05:15 106496 -c--a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut31_2F252077BA3F4362913955273A708467.exe
2010-01-25 05:15 . 2010-01-25 05:15 106496 -c--a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut1_EDD4ABB1C1B34A9D84CE33FBFB5D3639.exe
2010-01-25 05:14 . 2010-01-25 05:15 -------- d-----w- c:\program files\Common Files\Tencent
2010-01-25 05:14 . 2010-01-25 05:14 652616 ----a-w- c:\documents and settings\Administrator\Application Data\tencent\QQ\STemp\QQpinyinDL~0\QQPinyinDownload\QQDownload.dll
2010-01-25 05:14 . 2010-01-25 05:14 210248 ----a-w- c:\documents and settings\Administrator\Application Data\tencent\QQ\STemp\QQpinyinDL~0\QQPinyinDownload\QQPinyinDownload.exe
2010-01-25 05:13 . 2010-01-25 05:17 31048 ------r- c:\documents and settings\Administrator\Application Data\tencent\QQ\SafeBase\SelfUpdate.exe
2010-01-25 03:19 . 2010-02-01 05:33 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-22 04:39 . 2010-01-22 04:39 -------- d-----w- c:\documents and settings\LocalService\桌面
2010-01-22 03:59 . 2010-01-22 03:59 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\unispim6
2010-01-22 03:09 . 2010-02-01 05:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-22 02:31 . 2010-01-22 03:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-22 01:33 . 2010-01-22 01:33 388096 -c--a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-01-22 01:33 . 2010-01-22 01:33 -------- d-----w- c:\program files\TrendMicro
2010-01-12 19:42 . 2009-11-21 15:54 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-12 19:42 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-01-12 19:42 . 2009-10-15 16:28 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-01-12 19:37 . 2010-01-12 19:37 -------- d-----w- c:\program files\PPLive
2010-01-12 19:36 . 2010-01-12 19:37 -------- d-----w- c:\program files\Common Files\PPLiveNetwork
2010-01-09 06:30 . 2010-01-09 06:30 -------- d-----w- C:\C盘临时移出文件
2010-01-09 02:05 . 2010-01-09 02:05 115200 ----a-w- c:\program files\SOFTCH~1.EXE
2010-01-05 09:53 . 2010-01-05 09:53 192512 -c----w- c:\windows\system32\dllcache\iepeers.dll

.
(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-03 20:55 . 2007-07-03 10:33 57344 ----a-w- c:\windows\system32\wuauclr.exe
2010-02-03 20:55 . 2007-07-03 10:33 34304 ----a-w- c:\windows\system32\olemaskvr.dll
2010-02-03 20:55 . 2007-07-03 10:33 31744 ----a-w- c:\windows\system32\mspmsnsvr.dll
2010-02-02 04:09 . 2008-11-17 00:32 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2010-02-01 08:08 . 2009-12-21 07:38 -------- d-----w- c:\program files\快捷方式
2010-01-31 22:19 . 2009-12-21 09:05 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AddressBar
2010-01-31 05:12 . 2009-11-15 07:31 -------- d-----w- c:\documents and settings\All Users\Application Data\mcache
2010-01-31 05:10 . 2009-05-21 21:21 30 ----a-w- c:\windows\system32\mylk.dat
2010-01-30 23:36 . 2009-12-21 07:39 -------- dc----w- c:\documents and settings\Administrator\Application Data\AddressBar
2010-01-30 07:10 . 2009-02-14 21:53 3860 ----a-w- c:\windows\system32\cid_store.dat
2010-01-30 01:48 . 2007-07-03 12:01 -------- d-----w- c:\program files\Google
2010-01-25 05:16 . 2007-09-28 03:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\tencent
2010-01-23 20:28 . 2009-11-08 00:18 135424 ----a-w- c:\windows\system32\SmartSearch.dll
2010-01-13 08:04 . 2007-07-04 12:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-12 23:17 . 2009-11-11 02:53 -------- d-----w- c:\documents and settings\All Users\Application Data\PPLive
2010-01-12 19:37 . 2009-11-11 02:52 -------- d-----w- c:\program files\PPLiveVA
2010-01-12 19:37 . 2009-01-19 00:22 -------- d-----w- c:\documents and settings\All Users\Application Data\PPLiveVA
2010-01-11 20:12 . 2009-02-25 08:52 6005616 ----a-w- c:\documents and settings\Administrator\Application Data\PPLiveVA\PPVAUpdate\PPVAUpdate.exe
2010-01-05 09:53 . 2007-03-14 05:23 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 09:52 . 2007-03-14 05:23 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 09:52 . 2007-03-14 05:23 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-21 07:54 . 2009-12-21 07:54 342472 ----a-w- c:\windows\system32\upimlib.dll
2009-12-21 07:54 . 2009-06-07 07:52 -------- d-----w- c:\documents and settings\All Users\Application Data\unispim6
2009-12-21 07:53 . 2009-12-21 07:53 -------- d-----w- c:\program files\Thunisoft
2009-12-16 06:42 . 2009-12-26 06:57 872960 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1vo47hzc.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-12-16 06:42 . 2009-12-26 06:57 43008 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1vo47hzc.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-12-16 06:42 . 2009-12-26 06:57 340480 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1vo47hzc.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-12-16 06:41 . 2009-12-26 06:57 346624 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1vo47hzc.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-12-09 22:43 . 2009-10-09 21:24 1786 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2009-12-09 22:43 . 2007-03-14 05:23 41444 ----a-w- c:\windows\system32\prfc0804.dat
2009-12-09 22:43 . 2007-03-14 05:23 120340 ----a-w- c:\windows\system32\prfh0804.dat
2009-12-09 08:10 . 2007-07-03 10:35 87144 ----a-w- c:\documents and settings\Default User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-30 06:22 . 2009-11-30 06:22 49664 ----a-w- c:\windows\system32\SmartDash.dll
2009-11-21 15:54 . 2007-03-14 05:23 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-19 07:37 . 2007-08-31 00:45 31048 -c--a-w- c:\documents and settings\Administrator\Application Data\QQ\59B848686BA6270269CE15953350482D\qqdoctor\selfupdate.exe
2009-06-24 05:21 . 2009-07-29 07:16 190 ----a-w- c:\program files\快捷上网.url
2008-07-04 02:33 . 2008-12-07 10:09 24576 ----a-w- c:\program files\mozilla firefox\components\CheckTudouVa.dll
2009-01-12 11:45 . 2009-02-14 21:51 36864 ----a-w- c:\program files\mozilla firefox\components\NsThunderLoader.dll
2009-01-12 11:45 . 2009-02-14 21:51 53248 ----a-w- c:\program files\mozilla firefox\components\ThunderComponent.dll
.

------- Sigcheck -------

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2008-06-20 . 4AFB3B0919649F95C1964AA1FAD27D73 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[-] 2008-04-13 . 91FF07895928E71F83A18F7247860EDE . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
[-] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[-] 2006-04-20 . B4E29943B4B04BD5E7381546848E6669 . 359808 . . [5.1.2600.2892] . . c:\windows\$NtUninstallKB941644$\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-18 68856]
"PPLiveVA"="c:\program files\PPLive\PPVA\PPLiveVA.exe" [2009-12-30 71152]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-07 1176808]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-28 1218008]
"Malwarebytes Anti-Malware (reboot)"="d:\软件\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-07 1394000]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-13 7626752]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\XPtoVista\Logonui.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^「开始」菜单^程序^启动^快捷方式.lnk]
path=c:\documents and settings\Administrator\「开始」菜单\程序\启动\快捷方式.lnk
backup=c:\windows\pss\快捷方式.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-05-10 19:06 40048 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-06-01 01:21 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDogPath]
2003-01-21 07:19 40960 ----a-w- c:\windows\VM_STI.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 02:13 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2007-08-23 23:00 33648 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2004-10-27 07:21 61952 ------w- c:\windows\system32\HdAShCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2007-03-14 05:23 208952 ----a-w- c:\windows\ime\IMJP8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Pinyin IME Migration]
2008-11-03 20:24 33128 ----a-w- c:\progra~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsgCenterExe]
2007-09-13 08:59 69688 ----a-w- c:\program files\Common Files\Real\Update_OB\RealOneMessageCenter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 06:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-07-13 05:19 7626752 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2006-07-13 05:19 86016 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-07-13 05:19 1519616 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2007-03-14 05:23 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2007-03-14 05:23 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPAP]
2010-01-21 09:15 173512 ----a-w- c:\program files\Common Files\PPLiveNetwork\PPAP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPLiveVA]
2009-12-30 09:15 71152 ----a-w- c:\program files\PPLive\PPVA\PPLiveVA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
2005-09-07 07:35 716800 ----a-w- c:\program files\Analog Devices\SoundMAX\SMax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2005-05-21 09:11 925696 ----a-r- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 08:07 2260480 --sha-r- d:\软件\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-07-18 02:16 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2007-09-13 08:59 185680 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"d:\\软件\\Powerword 2007\\update.exe"=
"d:\\软件\\QQLive\\MiniQQLive.exe"=
"d:\\软件\\storm2\\Storm.exe"=
"d:\\软件\\storm2\\stormliv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"d:\\酷我音乐盒\\KwMusic.exe"=
"d:\\酷我音乐盒\\KwMV.exe"=
"d:\\软件\\QQ\\Bin\\QQ.exe"=
"c:\\Program Files\\酷6网\\极速酷6\\Ku6SpeedUpper.exe"=
"c:\\Program Files\\PPLive\\PPVA\\PPLiveVA.exe"=
"c:\\Program Files\\PPLive\\PPVA\\PPLiveVA_U.exe"=
"c:\\Program Files\\PPLive\\PPVA\\FlvPick.exe"=
"c:\\Program Files\\PPLive\\PPVA\\crashreporter.exe"=
"c:\\Program Files\\PPLive\\PPVA\\PPVADownload.exe"=
"c:\\Program Files\\PPLive\\PPVA\\DownloadProgress.exe"=
"c:\\Program Files\\Common Files\\PPLiveNetwork\\PPAP.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-2-1 13:41 64288]
R2 ccosm;Contrl Center of Storm Media;d:\软件\storm2\stormliv.exe [2008-3-11 14:33 475136]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-12-2 21:19 1181328]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-11-10 203280]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2007-8-22 13:08 685816]
S2 gupdate;Google 更新服务 (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-1-30 9:48 135664]
S3 npkycryp;npkycryp;\??\c:\windows\system32\npkycryp.sys --> c:\windows\system32\npkycryp.sys [?]
S3 rtl8180;IEEE 802.11b Wireless Cardbus/PCI Adapter;c:\windows\system32\drivers\rtl8180.sys [2007-7-3 19:30 184320]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
‘计划任务’ 文件夹 里的内容

2010-02-04 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 05:35]

2010-02-04 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 05:35]

2010-02-04 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 05:35]

2010-02-04 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 05:35]

2010-02-04 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 05:35]

2010-02-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 01:48]

2010-02-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 01:48]

2009-11-10 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-11-10 04:22]

2009-11-10 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-11-10 04:22]

2010-02-04 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-10-09 14:18]
.
.
------- 而外的扫描 -------
.
uStart Page = hxxp://www.so11.cn/?R1
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.bb2000.net/
uInternet Settings,ProxyOverride = local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Google 边栏评注... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: iSee 保存所有图片 - d:\program files\iSee\iSeeSavePicAll.htm
IE: iSee保存Flash - d:\program files\iSee\iSeeSaveFlash.htm
IE: iSee保存所有图片 - d:\program files\iSee\iSeeSavePicAll.htm
IE: iSee读取Exif - d:\program files\iSee\iSeeReadExif.htm
IE: 使用光影编辑和美化 - d:\软件\nEO iMAGING\NeoOpenNeo.htm
IE: 使用迅雷下载 - c:\program files\Thunder Network\Thunder\Program\geturl.htm
IE: 使用迅雷下载全部链接 - c:\program files\Thunder Network\Thunder\Program\getallurl.htm
IE: 导出到 Microsoft Excel(&X) - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: 添加到QQ表情 - d:\软件\QQ\Bin\AddEmotion.htm
IE: 通过网易闪电邮发送 - d:\软件\网易闪电邮\data\getcontent.htm
DPF: {BFB79EE1-04AE-4D4A-B85E-27EE5F30C095} - hxxp://m51.mail.qq.com/zh_CN/activex/TencentMailActiveX.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1vo47hzc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rlz=1R0GGGL_zh-CN
FF - prefs.js: network.proxy.type - 2
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1vo47hzc.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Mozilla Firefox\components\CheckTudouVa.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: d:\google\Picasa3\npPicasa3.dll
.
.
------- 文件类型 -------
.
txtfile=c:\windows\notepad.exe %1
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-FlashMail - d:\软件\网易闪电邮\Start.exe
HKU-Default-RunOnce-3 - c:\windows\Svcpack\XPLODE.EXE
MSConfigStartUp-FlashMail - d:\软件\网易闪电邮\Start.exe
MSConfigStartUp-iSeeTray - d:\软件\Program Files\iSee\iSee.exe
MSConfigStartUp-KuGoo3 - c:\program files\KuGoo3\KuGoo.exe
MSConfigStartUp-Picasa Media Detector - d:\picasa2\PicasaMediaDetector.exe
AddRemove-AddressBar - c:\program files\Baidu\AddressBar\ASBarBroker.exe
AddRemove-KB923789 - c:\windows\system32\MacroMed\Flash\genuinst.exe
AddRemove-QQ2008 - d:\软件\QQ\uninst.exe
AddRemove-飞速土豆 - d:\飞速tudou\uninst.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-04 10:04
Windows 5.1.2600 Service Pack 3 NTFS

扫描被隐藏的进程 。。。

扫描被隐藏的启动组 。。。

扫描被隐藏的文件 。。。

扫描完成
被隐藏的档案: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\AppEvents\Schemes\Apps\Conf\ g篘*慂Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_USERS\LocalService\AppEvents\Schemes\Apps\Conf\ g篘*慂Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_USERS\S-1-5-20\AppEvents\Schemes\Apps\Conf\ g篘*慂Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_USERS\S-1-5-21-507921405-776561741-725345543-500\AppEvents\Schemes\Apps\Conf\ g篘*慂Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_USERS\S-1-5-21-507921405-776561741-725345543-500\Software\ACD Systems\EditLib\Presets\+R *2*]
"调暗"=hex:3c,3f,78,6d,6c,20,76,65,72,73,69,6f,6e,3d,22,31,2e,30,22,3f,3e,3c,
63,6f,6d,6d,61,6e,64,3e,3c,6e,61,6d,65,3e,45,78,70,6f,73,75,72,65,4c,65,76,\
"加亮阴影"=hex:3c,3f,78,6d,6c,20,76,65,72,73,69,6f,6e,3d,22,31,2e,30,22,3f,3e,
3c,63,6f,6d,6d,61,6e,64,3e,3c,6e,61,6d,65,3e,45,78,70,6f,73,75,72,65,4c,65,\
"仅限中间调"=hex:3c,3f,78,6d,6c,20,76,65,72,73,69,6f,6e,3d,22,31,2e,30,22,3f,
3e,3c,63,6f,6d,6d,61,6e,64,3e,3c,6e,61,6d,65,3e,45,78,70,6f,73,75,72,65,4c,\

[HKEY_USERS\S-1-5-21-507921405-776561741-725345543-500\Software\ACD Systems\EditLib\Presets\陙≧輋IQ *2*]
"提高对比度"=hex:3c,3f,78,6d,6c,20,76,65,72,73,69,6f,6e,3d,22,31,2e,30,22,3f,
3e,3c,63,6f,6d,6d,61,6e,64,3e,3c,6e,61,6d,65,3e,45,78,70,6f,73,75,72,65,41,\

[HKEY_USERS\S-1-5-21-507921405-776561741-725345543-500\Software\ACD Systems\EditLib\Presets\4杚_/*貧IQ]
"调亮/调暗"=hex:3c,3f,78,6d,6c,20,76,65,72,73,69,6f,6e,3d,22,31,2e,30,22,3f,3e,
3c,63,6f,6d,6d,61,6e,64,3e,3c,6e,61,6d,65,3e,4c,43,45,3c,2f,6e,61,6d,65,3e,\
"仅限调暗"=hex:3c,3f,78,6d,6c,20,76,65,72,73,69,6f,6e,3d,22,31,2e,30,22,3f,3e,
3c,63,6f,6d,6d,61,6e,64,3e,3c,6e,61,6d,65,3e,4c,43,45,3c,2f,6e,61,6d,65,3e,\
"仅限调亮"=hex:3c,3f,78,6d,6c,20,76,65,72,73,69,6f,6e,3d,22,31,2e,30,22,3f,3e,
3c,63,6f,6d,6d,61,6e,64,3e,3c,6e,61,6d,65,3e,4c,43,45,3c,2f,6e,61,6d,65,3e,\
"默认值"=hex:3c,3f,78,6d,6c,20,76,65,72,73,69,6f,6e,3d,22,31,2e,30,22,3f,3e,3c,
63,6f,6d,6d,61,6e,64,3e,3c,6e,61,6d,65,3e,4c,43,45,3c,2f,6e,61,6d,65,3e,3c,\

[HKEY_USERS\S-1-5-21-507921405-776561741-725345543-500\Software\Microsoft\Internet Explorer\MenuExt\鹠燫0RQ*Q*h埮`]
@="d:\\软件\\QQ\\Bin\\AddEmotion.htm"
"contexts"=dword:00000002

[HKEY_LOCAL_MACHINE\software\Classes\*\shell\ *~v*NN購*N噀鯪\command]
@="\"c:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe\" http://www.sw777.cn/s/?%1"

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*膥鯪\CLSID]
@="{809B6661-94C4-49E6-B6EC-3F0F862215AA}"

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*膥鯪\CurVer]
@="BDATuner.组件.1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\MenuExt\鹠燫0RQ*Q*h埮`]
"contexts"=dword:00000002
@="d:\\软件\\QQ\\Bin\\AddEmotion.htm"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_473666fd\Codebases\F_d:\;*e*c*c*d*1*0*5*f*;*o忲n\QQ\Bin\QQ.exe]
"URL"="c:\\Documents and Settings\\Administrator\\Application Data\\Tencent\\QQ\\STemp\\~TXQQ2052~0\\SysDir\\Microsoft.VC80.ATL\\Microsoft.VC80.ATL.manifest"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\Codebases\F_d:\;*e*c*c*d*1*0*5*f*;*o忲n\QQ\Bin\QQ.exe]
"URL"="c:\\Documents and Settings\\Administrator\\Application Data\\Tencent\\QQ\\STemp\\~TXQQ2052~0\\SysDir\\Microsoft.VC80.CRT\\Microsoft.VC80.CRT.manifest"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\Codebases\F_d:\;*e*c*c*d*1*0*5*f*;*o忲n\QQ\Bin\QQ.exe]
"URL"="c:\\Documents and Settings\\Administrator\\Application Data\\Tencent\\QQ\\STemp\\~TXQQ2052~0\\SysDir\\Microsoft.VC80.MFCLOC\\Microsoft.VC80.MFCLOC.manifest"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\Codebases\F_d:\;*e*c*c*d*1*0*5*f*;*o忲n\QQ\Bin\QQ.exe]
"URL"="c:\\Documents and Settings\\Administrator\\Application Data\\Tencent\\QQ\\STemp\\~TXQQ2052~0\\SysDir\\Microsoft.VC80.MFC\\Microsoft.VC80.MFC.manifest"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6001.22319_x-ww_f0b4c2df\Codebases\F_d:\;*e*c*c*d*1*0*5*f*;*o忲n\QQ\Bin\QQ.exe]
"URL"="c:\\Documents and Settings\\Administrator\\Application Data\\Tencent\\QQ\\STemp\\~TXQQ2052~0\\SysDir\\Microsoft.Windows.GdiPlus\\Microsoft.Windows.GdiPlus.Manifest"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_policy.8.0.Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_8b3a2404\Codebases\F_d:\;*e*c*c*d*1*0*5*f*;*o忲n\QQ\Bin\QQ.exe]
"URL"="c:\\Documents and Settings\\Administrator\\Application Data\\Tencent\\QQ\\STemp\\~TXQQ2052~0\\SysDir\\Microsoft.VC80.ATL\\8.0.50727.4053.policy"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_2a9a3690\Codebases\F_d:\;*e*c*c*d*1*0*5*f*;*o忲n\QQ\Bin\QQ.exe]
"URL"="c:\\Documents and Settings\\Administrator\\Application Data\\Tencent\\QQ\\STemp\\~TXQQ2052~0\\SysDir\\Microsoft.VC80.CRT\\8.0.50727.4053.policy"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_policy.8.0.Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_3c7113f3\Codebases\F_d:\;*e*c*c*d*1*0*5*f*;*o忲n\QQ\Bin\QQ.exe]
"URL"="c:\\Documents and Settings\\Administrator\\Application Data\\Tencent\\QQ\\STemp\\~TXQQ2052~0\\SysDir\\Microsoft.VC80.MFCLOC\\8.0.50727.4053.policy"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_policy.8.0.Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_fb80a995\Codebases\F_d:\;*e*c*c*d*1*0*5*f*;*o忲n\QQ\Bin\QQ.exe]
"URL"="c:\\Documents and Settings\\Administrator\\Application Data\\Tencent\\QQ\\STemp\\~TXQQ2052~0\\SysDir\\Microsoft.VC80.MFC\\8.0.50727.4053.policy"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\Q*Q*2*0*0*8*B*e*t*a*1*Hy弝Hr\Components\SectionQQ]
"Installed"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Print\Printers\裇愺?*O*n*e*N*o*t*e* *2*0*0*7*\DsDriver]
"printBinNames"=multi:"默认纸盒\00\00"
"printColor"=hex:01
"printMaxXExtent"=dword:00000076
"printMaxYExtent"=dword:00000000
"printMinXExtent"=dword:00000076
"printMinYExtent"=dword:00000000
"printMediaSupported"=multi:"Letter\00Tabloid\00Legal\00A3\00A4\00A5\00B4 (JIS)\00B5 (JIS)\00Japanese Postcard\00自定义大小\00\00"
"printMediaReady"=multi:"\00\00"
"printOrientationsSupported"=multi:"PORTRAIT\00\00"
"printMaxResolutionSupported"=dword:0000012c
"printLanguage"=multi:"\00\00"
"printRateUnit"=""
"driverVersion"=dword:00000401

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Print\Printers\裇愺?*O*n*e*N*o*t*e* *2*0*0*7*\DsSpooler]
"description"=""
"driverName"="Send To Microsoft OneNote Driver"
"location"=""
"portName"=multi:"Send To Microsoft OneNote Port:\00\00"
"printStartTime"=dword:00000000
"printEndTime"=dword:00000000
"printerName"="发送至 OneNote 2007"
"printKeepPrintedJobs"=hex:00
"printSeparatorFile"=""
"printShareName"="发送至 OneNote 2007"
"printSpooling"="PrintWhileSpooling"
"priority"=dword:00000001
"uNCName"="\\\\PARENTS\\发送至 OneNote 2007"
"versionNumber"=dword:00000004
"serverName"="PARENTS"
"shortServerName"="PARENTS"
"flags"=dword:00000000
"url"="http://PARENTS/发送至 OneNote 2007"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Print\Printers\(W G O O G L Y B E A R
N陙≧ H P P h o t o s m a r t C 8 1 0 0 s e r i e s \DsDriver]
"printBinNames"=multi:" 自动选择\00 主纸盘\00 照片纸盒\00\00"
"printCollate"=hex:01
"printColor"=hex:01
"printDuplexSupported"=hex:01
"printStaplingSupported"=hex:00
"printMaxXExtent"=dword:0000086f
"printMaxYExtent"=dword:00001dc4
"printMinXExtent"=dword:000002fa
"printMinYExtent"=dword:000004e1
"printMediaSupported"=multi:"Letter\00Legal\00Executive\00A4\00A5\00B5 (JIS)\00Envelope #10\00A6\0010x15 厘米\0010x15 厘米(带裁剪边)\0013x18 厘米\002L 127x178 毫米\004x6 英寸\004x6 英寸(带裁剪边)\005x7 英寸\008x10 英寸\00照片卡 10x20 厘米(带裁剪边)\00照片卡,4x8 英寸(带裁剪边)\00无边界 10x15 厘米\00无边界 10x15 厘米(带裁剪边)\00无边界 8x10 英寸\00无边界 4x6 英寸\00无边界 4x6 英寸(带裁剪边)\00无边界 5x7 英寸\00无边界 13x18 厘米\00无边界 8.5x11 英寸\00无边界 A4,210x297 毫米\00无边界 cabinet 120x165 毫米\00无边界 hagaki 100x148 毫米\00无边界 A5,148x210 毫米\00无边界双面 A4,210x594 毫米\00无边界 A6\00无边界 B5,182x257 毫米\00无边界 L 89x127 毫米\003.5x5 英寸\00无边界 3.5x5 英寸\00无边界全景 4x10 英寸\00无边界全景 4x11 英寸\00无边界全景 4x12 英寸\00无边界全景 10x30 厘米\00无边界全景 10x25 厘米\00无边界全景 10x28 厘米\00无边界 2L 127x178 毫米\00Cabinet 尺寸 120x165 毫米\00A2 信封\00C6 信封\00DL 信封\00Hagaki 100x148 毫米\00索引卡 3x5 英寸\00索引卡 4x6 英寸\00索引卡 5x8 英寸\00日式信封 #2 111x146 毫米\00日式信封 #3,120x235 毫米\00日式信封 #4,90x205 毫米\00L 89x127 毫米\00Ofuku hagaki\00全景 4x10 英寸\00全景 4x11 英寸\00全景 4x12 英寸\00全景 10x25 厘米\00全景 10x28 厘米\00全景 10x30 厘米\00无边界卡 10x20 厘米(带裁剪边)\00无边界 B7\00无边界卡 4x8 英寸(带裁剪边)\00卡片信封 4.4x6 英寸\00HV\00无边界 HV\00B7\00全景双面 A4,210x594 毫米\00\00"
"printMediaReady"=multi:"A4\00\00"
"printNumberUp"=dword:00000006
"printOrientationsSupported"=multi:"PORTRAIT\00LANDSCAPE\00\00"
"printMaxResolutionSupported"=dword:000004b0
"printLanguage"=multi:"\00"
"printRateUnit"="PagesPerMinute"
"driverVersion"=dword:00000401

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Print\Printers\(W G O O G L Y B E A R
N陙≧ H P P h o t o s m a r t C 8 1 0 0 s e r i e s \DsSpooler]
"description"=""
"driverName"="HP Photosmart C8100 series"
"location"=""
"portName"=multi:"\\\\GOOGLYBEAR\\HPPhotos\00\00"
"printStartTime"=dword:00000000
"printEndTime"=dword:00000000
"printerName"="在 GOOGLYBEAR 上自动 HP Photosmart C8100 series"
"printKeepPrintedJobs"=hex:00
"printSeparatorFile"=""
"printShareName"=""
"printSpooling"="PrintWhileSpooling"
"priority"=dword:00000001
"uNCName"="\\\\PARENTS\\在 GOOGLYBEAR 上自动 HP Photosmart C8100 series"
"versionNumber"=dword:00000004
"serverName"="PARENTS"
"shortServerName"="PARENTS"
"flags"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Print\Printers\(W G O O G L Y B E A R
N陙≧ H P P h o t o s m a r t C 8 1 0 0 s e r i e s \HPPresetRoot]
"HPRestrictedUserGuid"="4621b228-c361-43bc-3aba-9fcf83adb7ed"
"PresetPoolMaxIndexCount"=hex:0a,00,00,00

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Print\Printers\(W G O O G L Y B E A R
N陙≧ H P P h o t o s m a r t C 8 1 0 0 s e r i e s \HPPresetRoot\PresetPoolData]
"PresetPool:0"=hex:94,11,00,00,15,00,00,00,52,00,00,00,20,00,d8,9e,a4,8b,53,62,
70,53,be,8b,6e,7f,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
"PresetPool:1"=hex:a6,11,00,00,15,00,00,00,52,00,00,00,00,4e,2c,82,e5,65,38,5e,
53,62,70,53,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
"PresetPool:2"=hex:18,12,00,00,15,00,00,00,52,00,00,00,67,71,47,72,53,62,70,53,
2d,00,e0,65,b9,8f,4c,75,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
"PresetPool:3"=hex:c6,11,00,00,15,00,00,00,52,00,00,00,67,71,47,72,53,62,70,53,
2d,00,26,5e,7d,76,72,82,b9,8f,46,68,00,00,00,00,00,00,00,00,00,00,00,00,00,\
"PresetPool:4"=hex:a2,11,00,00,15,00,00,00,52,00,00,00,cc,53,62,97,53,62,70,53,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
"PresetPool:5"=hex:96,11,00,00,15,00,00,00,52,00,00,00,14,6f,3a,79,53,62,70,53,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
"PresetPool:6"=hex:8a,11,00,00,15,00,00,00,52,00,00,00,eb,5f,1f,90,2f,00,cf,7e,
4e,6d,53,62,70,53,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
"PresetPool:7"=hex:c0,11,00,00,15,00,00,00,52,00,00,00,0e,66,e1,4f,47,72,53,62,
70,53,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
"PresetPool:8"=hex:bc,11,00,00,15,00,00,00,52,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
"PresetPool:9"=hex:ac,11,00,00,15,00,00,00,52,00,00,00,e5,5d,82,53,d8,9e,a4,8b,
be,8b,6e,7f,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Print\Printers\(W G O O G L Y B E A R
N陙≧ H P P h o t o s m a r t C 8 1 0 0 s e r i e s \HPPresetRoot\WatermarkPoolData]
"WatermarkPool:0"=hex:20,00,5b,00,e0,65,5d,00,00,00,00,20,00,5b,00,e0,65,5d,00,
00,00,00,41,00,72,00,69,00,61,00,6c,00,00,00,00,34,00,00,00,50,00,00,00,00,\
"WatermarkPool:1"=hex:3a,67,c6,5b,00,00,00,3a,67,c6,5b,00,00,00,41,00,72,00,69,
00,61,00,6c,00,00,00,00,34,00,00,00,48,00,00,00,00,01,01,c0,c0,c0,00,00,00,\
"WatermarkPool:2"=hex:49,83,3f,7a,00,00,00,49,83,3f,7a,00,00,00,41,00,72,00,69,
00,61,00,6c,00,00,00,00,34,00,00,00,48,00,00,00,00,01,01,c0,c0,c0,00,00,00,\
"WatermarkPool:3"=hex:37,68,8b,4f,00,00,00,37,68,8b,4f,00,00,00,41,00,72,00,69,
00,61,00,6c,00,00,00,00,34,00,00,00,48,00,00,00,00,01,01,c0,c0,c0,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Print\Printers\(W G O O G L Y B E A R
N陙≧ H P P h o t o s m a r t C 8 1 0 0 s e r i e s \PrinterDriverData]
"InitDriverVersion"=dword:00000600
"Model"="HP Photosmart c8100 series"
"PrinterDataSize"=dword:00000230
"PrinterData"=hex:00,06,30,02,81,08,00,00,80,1a,06,00,00,00,00,00,00,00,00,00,
64,00,58,02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,58,dd,09,20,08,\
"FeatureKeywordSize"=dword:00000109
"FeatureKeyword"=hex:44,75,70,6c,65,78,55,6e,69,74,00,4e,6f,74,49,6e,73,74,61,
6c,6c,65,64,00,0a,48,50,50,72,6e,50,72,6f,70,52,65,73,6f,75,72,63,65,44,61,\
"Forms?"=dword:2009dd58
"HPTrayCount"=dword:00000000
"HPTRAYINFOREGDATA"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
"DMCStatus"=dword:00000000
"DMCExportOnly"="True"
"InstallationComplete"=dword:00000000
"PrinterPropertiesPermission"=dword:00000001
"ConvertTicketModule"="c:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\HPZC35ha.DLL"
"ConvertTicketModule32"="c:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\HPZC35ha.DLL"
"DMCModule32"="c:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\HPCDMC32.DLL"
"HPRegionalPenErrorRecovery"=dword:00000001
"HPSupportRegionalPenQuery"=dword:00000001
"HPDynCtrDigits"=dword:00000005
"HPPrintingLanguage"=dword:00000004
"CombinedMediaStatus"=dword:00000000
"TrayFormTable"=multi:"主纸盘\00A4\000\00照片纸盒\000\000\00\00"
"TrayFormMapSize"=dword:00000021
"TrayFormMap"=hex:55,70,70,65,72,54,72,61,79,00,09,00,00,00,50,68,6f,74,6f,54,
72,61,79,00,00,00,00,00,00,00,00,00,00
"TrayFormKeywordSize"=dword:00000029
"TrayFormKeyword"=hex:55,70,70,65,72,54,72,61,79,00,41,34,3a,48,65,77,6c,65,74,
74,2d,50,61,63,6b,61,72,64,00,50,68,6f,74,6f,54,72,61,79,00,00,00
"HPDUMMY"=dword:00000000
"HPFormCount"=dword:00000003
"HPFORMINFOREGDATA"=hex:05,00,00,00,9f,00,00,00,00,00,00,00
"HPCustomMinLength"=dword:0001e828
"HPCustomMaxLength"=dword:000ba090
"HPCustomMaxWidth"=dword:00034b5c
"HPCustomMinWidth"=dword:000129a8
"MaxPaperWidth"=dword:0000086f
"InstallDate"="02/24/2009:06:23"
.
--------------------- 运行进程下的动态链接库 ---------------------

- - - - - - - > 'winlogon.exe'(484)
c:\windows\system32\UNISPIM6.IME
.
完成时间: 2010-02-04 10:07:58
ComboFix-quarantined-files.txt 2010-02-04 02:07

Pre-Run: 4,413,751,296 可用字节
Post-Run: 4,799,832,064 可用字节

- - End Of File - - DD2F5740DF6E8A9BEB3E14A9766C8555
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 10:13:44, on 2010-2-4
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
D:\软件\storm2\stormliv.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\conime.exe
D:\软件\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

O1 - Hosts: 60.209.152.204 www.kzdh.com
O1 - Hosts: 60.209.152.204 www.6781.com
O1 - Hosts: 60.209.152.204 www.i2345.cn
O1 - Hosts: 60.209.152.204 www.haokan123.com
O1 - Hosts: 60.209.152.204 www.365wz.net
O1 - Hosts: 60.209.152.204 www.5d5e.com
O1 - Hosts: 60.209.152.204 www.112r.com
O1 - Hosts: 60.209.152.204 www.32e.com
O1 - Hosts: 60.209.152.204 www.77177.com
O1 - Hosts: 60.209.152.204 www.daluobo.cn
O1 - Hosts: 60.209.152.204 www.haha111.com
O1 - Hosts: 60.209.152.204 www.15wz.com
O1 - Hosts: 60.209.152.204 www.fm5566.com
O1 - Hosts: 60.209.152.204 www.9798.net
O1 - Hosts: 60.209.152.204 www.s565.com
O1 - Hosts: 60.209.152.204 www.345s.com
O1 - Hosts: 60.209.152.204 www.110wz.com
O1 - Hosts: 60.209.152.204 www.6dh.com
O1 - Hosts: 60.209.152.204 www.tt98.com
O1 - Hosts: 60.209.152.204 www.85851.com
O1 - Hosts: 60.209.152.204 www.66d8.cn
O1 - Hosts: 60.209.152.204 www.baihu.cn
O1 - Hosts: 60.209.152.204 www.hang123.com
O1 - Hosts: 60.209.152.204 www.17909.com
O1 - Hosts: 60.209.152.204 www.838.cc
O1 - Hosts: 60.209.152.204 www.ee258.com
O1 - Hosts: 60.209.152.204 www.gjj.cc
O1 - Hosts: 60.209.152.204 www.1188.com
O1 - Hosts: 60.209.152.204 www.go2000.com
O1 - Hosts: 60.209.152.204 www.go2000.cn
O1 - Hosts: 60.209.152.204 www.1116.cn
O1 - Hosts: 60.209.152.204 www.365j.com
O1 - Hosts: 60.209.152.204 www.8687.cn
O1 - Hosts: 60.209.152.204 www.15151.cn
O1 - Hosts: 60.209.152.204 www.v2233.com
O1 - Hosts: 60.209.152.204 www.iq123.com
O1 - Hosts: 60.209.152.204 www.4688.com
O1 - Hosts: 60.209.152.204 www.fala123.cn
O1 - Hosts: 60.209.152.204 www.3110.cn
O1 - Hosts: 60.209.152.204 www.haoz123.cn
O1 - Hosts: 60.209.152.204 www.85vv.com
O1 - Hosts: 60.209.152.204 www.ok100.net.cn
O1 - Hosts: 60.209.152.204 www.ai1234.com
O1 - Hosts: 60.209.152.204 www.11227.cn
O1 - Hosts: 60.209.152.204 www.669dh.cn
O1 - Hosts: 60.209.152.204 www.kaka888.com
O1 - Hosts: 60.209.152.204 www.qq5.com
O1 - Hosts: 60.209.152.204 www.you2000.cn
O1 - Hosts: 60.209.152.204 www.yy2000.net
O2 - BHO: SearchHook Class - {00000000-0593-4356-9CF7-1D8C2B3343C0} - C:\Program Files\Baidu\AddressBar\AddressBar.dll (file missing)
O2 - BHO: ThunderAtOnce Class - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\软件\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: PPVADownloader - {A986E409-30CC-4185-89BB-AB212C104524} - C:\Program Files\PPLive\PPVA\DownloaderManager.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: 快车(FlashGet) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "D:\软件\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscri
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [PPLiveVA] C:\Program Files\PPLive\PPVA\PPLiveVA.exe /LoadModule PPVA.DLL /M REAL /S 0 /T 0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Google 边栏评注... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O8 - Extra context menu item: iSee 保存所有图片 - d:\Program Files\iSee\iSeeSavePicAll.htm
O8 - Extra context menu item: iSee保存Flash - d:\Program Files\iSee\iSeeSaveFlash.htm
O8 - Extra context menu item: iSee保存所有图片 - d:\Program Files\iSee\iSeeSavePicAll.htm
O8 - Extra context menu item: iSee读取Exif - d:\Program Files\iSee\iSeeReadExif.htm
O8 - Extra context menu item: 使用光影编辑和美化 - D:\软件\nEO iMAGING\NeoOpenNeo.htm
O8 - Extra context menu item: 使用迅雷下载 - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O8 - Extra context menu item: 导出到 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到QQ表情 - D:\软件\QQ\Bin\AddEmotion.htm
O8 - Extra context menu item: 通过网易闪电邮发送 - D:\软件\网易闪电邮\data\getcontent.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\软件\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\软件\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {6AD31948-2ED9-4A2B-85EA-105DD4F656B4} - (no file) (HKCU)
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {BFB79EE1-04AE-4D4A-B85E-27EE5F30C095} (ScreenCapture Class) - http://m51.mail.qq.com/zh_CN/activex/TencentMailActiveX.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: mbox - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: mboxflash - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O22 - SharedTaskScheduler: Browseui 预加载程序 - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: 组件类别缓存程序 - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Contrl Center of Storm Media (ccosm) - 北京暴风网际科技有限公司 - D:\软件\storm2\stormliv.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google 更新服务 (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 11133 bytes

0

And?

What is all the oriental stuff? I cannot tell what some of that stuff is.
Thought they spoke kiwi over there :)

0

Foreign? The format is still the same although some of the stuff is in Chinese. Do we need someone who can read Chinese to help? Can you highlight the lines you don't understand and I will have them translated to English?

Cruhchie, I suspect the Hosts may have something to do with the problem.

foxkueh

0

Download the HostsXpert.
Run it and press "Restore M$ Hosts File" and press "OK". Exit Program.
Note that if you have a custom host file, this will remove it.

0

This isn't my pc which runs on Chinese Windows XP Crunchie, I am just helping a friend. There are still popups, especially when browsing Chinese web pages. My concern is that when some unnecessary processes are running in the background and slow down the processing of, say a word application. How can this be stopped?

Can you highlight the lines that have some Chinese characters you want to look at, and I will get them translated so you can give proper advice? I do appreciate your help.

foxkueh

0

c:\documents and settings\LocalService\桌面
C:\C盘临时移出文件
c:\program files\SOFTCH~1.EXE (need the full file name)
c:\program files\快捷方式
c:\program files\快捷上网.url
c:\documents and settings\Administrator\「开始」菜单\程序\启动\快捷方式.lnk
c:\windows\pss\快捷方式.lnkStartup

0

c:\documents and settings\LocalService\桌面
C:\C盘临时移出文件
c:\program files\SOFTCH~1.EXE (need the full file name)
c:\program files\快捷方式
c:\program files\快捷上网.url
c:\documents and settings\Administrator\「开始」菜单\程序\启动\快捷方式.lnk
c:\windows\pss\快捷方式.lnkStartup

Here they are:

c:\documents and settings\LocalService\Desktop
C:\Document temporary removed from C(contains eg. sqmdata08.sqm etc.)
c:\program files\SOFTCHANNEL.EXE (could be related to xiezai, I believe not a desireable program from soft.yesky.com.)
c:\program files\快捷方式 (folder contains xiezai.exe etc)
c:\program files\xiezai.url
c:\documents and settings\Administrator\Start menu\program\xiezai.lnk
c:\windows\pss\xiezai.lnkStartup

Crunchie, I hope this helps.

One more thing. When scan with Malwarebytes's Anti-Malware, dialogue boxes with Error Code: 700 (0,0), Error Code: 724 (0,6) and Error Code: 731 (0,6) open, so I think the result may not be conclusive. There was a trojan found but the report didn't show that.

Can I run ComFix again?

0

With the MBA-M errors, you may have to uninstall it and install it again. Tells you to contact support for two of the three errors.

No point running combofix again unless you delete that copy and download the latest.

==

Please use the Internet Explorer browser (or FireFox with IETab), and do an online scan with Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.

  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:

      Extended

  • Scan Options:

    Scan Archives

Scan Mail Bases


[*] Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.

To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.

0

Hi Crunchie,

KScan Report

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, February 5, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, February 05, 2010 10:54:47
Records in database: 3425944
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Objects scanned: 76198
Threats found: 2
Infected objects found: 2
Suspicious objects found: 0
Scan duration: 02:22:36


File name / Threat / Threats count
D:\下载\HA-PartitionMagic805-LDR.zip Infected: not-a-virus:AdWare.Win32.Alibabar.c 1
D:\下载\HA-PartitionMagic805-LDR.zip Infected: not-a-virus:AdWare.Win32.Alibabar.a 1

Selected area has been scanned.

0

Do you have particular entries I should delete? Any step I should follow? I will try running DDS.

0

Hi Crunchie,

zip file deleted, but only one found.

DDS doesn't run. Is it important? Tried running Kaspersky again but stalled at 10% scan. How do I proceed?

foxkueh

0

See if you can get the following to run;

Download gmer.zip: http://www.gmer.net/files.php
Unzip the file, and double click on gmer.exe, select Rootkit tab and click the Scan button.
When scan is completed, click Save button, and save the results as gmer.log
Warning ! Please, do not select the "Show all" checkbox during the scan.
Post the log to your next reply.

====

Let me know what problems you are still having.

0

Hi Crunchie,

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-02-08 04:02:47
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\agldapow.sys


---- System - GMER 1.0.15 ----

SSDT sptd.sys ZwEnumerateKey [0xF72A2FB2]
SSDT sptd.sys ZwEnumerateValueKey [0xF72A3340]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xF2F4078A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xF2F40738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF2F4074C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF2F407CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xF2F40710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xF2F40724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF2F4079E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xF2F40776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF2F40762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF2F407F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF2F407E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xF2F407B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 84A9D1E8

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----

0

I don't seem to be able to change the default page of IE. No matter what I did, it always went back to the same Chinese webpage. If I close this page, another different Chinese webpage will open.

Other than that, it appears running normally now. I will contact you if I encount problems.

I am so grateful for you help, Crunchie.

0

It could be Adaware, or more likely spybot, that is denying the homepage change.
I know that at least Spybot protects changes to the homepage.
Try disabling them and try again.

0

Hi Crunchie,

In addition to the above, I ran Ad-Aware and MBA-M again and the reports:

Logfile created: 2010-2-8 07:04:32
Lavasoft Ad-Aware version: 8.1.4
User performing scan: Administrator

*********************** Definitions database information ***********************
Lavasoft definition file: 149.148
Genotype definition file version: 2010/02/05 10:29:00

******************************** Scan results: *********************************
Scan profile name: 完全扫描  (ID: full)
Objects scanned: 108503
Objects detected: 53


Type              Detected
==========================
Processes.......:        0
Registry entries:        2
Hostfile entries:        0
Files...........:       51
Folders.........:        0
LSPs............:        0
Cookies.........:        0
Browser hijacks.:        0
MRU objects.....:        0



Quarantined items:
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP720\A0224522.exe Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 519248 Family ID: 1001 MD5: ac68dffc261c8625c5f2a94364ca10c9
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP720\A0224576.exe Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 519248 Family ID: 1001 MD5: ac68dffc261c8625c5f2a94364ca10c9
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP720\A0225573.exe Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 519248 Family ID: 1001 MD5: ac68dffc261c8625c5f2a94364ca10c9
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP720\A0225594.exe Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 519248 Family ID: 1001 MD5: ac68dffc261c8625c5f2a94364ca10c9
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP720\A0225651.exe Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 519248 Family ID: 1001 MD5: ac68dffc261c8625c5f2a94364ca10c9
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP720\A0226650.exe Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 519248 Family ID: 1001 MD5: ac68dffc261c8625c5f2a94364ca10c9
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP720\A0226676.exe Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 519248 Family ID: 1001 MD5: ac68dffc261c8625c5f2a94364ca10c9
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP721\A0227675.exe Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 519248 Family ID: 1001 MD5: ac68dffc261c8625c5f2a94364ca10c9
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP721\A0227710.exe Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 519248 Family ID: 1001 MD5: ac68dffc261c8625c5f2a94364ca10c9
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP721\A0227773.exe Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 519248 Family ID: 1001 MD5: ac68dffc261c8625c5f2a94364ca10c9
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP721\A0227871.exe Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 519248 Family ID: 1001 MD5: ac68dffc261c8625c5f2a94364ca10c9
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP721\A0228875.exe Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 519248 Family ID: 1001 MD5: ac68dffc261c8625c5f2a94364ca10c9
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP721\A0228958.exe Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 519248 Family ID: 1001 MD5: ac68dffc261c8625c5f2a94364ca10c9
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP721\A0228992.exe Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 519248 Family ID: 1001 MD5: ac68dffc261c8625c5f2a94364ca10c9
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP722\A0229088.exe Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 519248 Family ID: 1001 MD5: ac68dffc261c8625c5f2a94364ca10c9
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP722\A0230086.exe Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 519248 Family ID: 1001 MD5: ac68dffc261c8625c5f2a94364ca10c9
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP722\A0230130.exe Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 519248 Family ID: 1001 MD5: ac68dffc261c8625c5f2a94364ca10c9
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP722\A0230192.exe Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 519248 Family ID: 1001 MD5: ac68dffc261c8625c5f2a94364ca10c9
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP723\A0230294.exe Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 519248 Family ID: 1001 MD5: ac68dffc261c8625c5f2a94364ca10c9
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP723\A0230428.exe Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 519248 Family ID: 1001 MD5: ac68dffc261c8625c5f2a94364ca10c9
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP723\A0230478.exe Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 519248 Family ID: 1001 MD5: ac68dffc261c8625c5f2a94364ca10c9
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP724\A0231471.exe Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 519248 Family ID: 1001 MD5: ac68dffc261c8625c5f2a94364ca10c9
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP724\A0231587.exe Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 519248 Family ID: 1001 MD5: ac68dffc261c8625c5f2a94364ca10c9
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP724\A0231661.exe Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 519248 Family ID: 1001 MD5: ac68dffc261c8625c5f2a94364ca10c9
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP725\A0231878.exe Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 519248 Family ID: 1001 MD5: ac68dffc261c8625c5f2a94364ca10c9
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP725\A0232002.exe Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 519248 Family ID: 1001 MD5: ac68dffc261c8625c5f2a94364ca10c9
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP725\A0233004.exe Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 519248 Family ID: 1001 MD5: ac68dffc261c8625c5f2a94364ca10c9
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP725\A0233171.exe Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 519248 Family ID: 1001 MD5: ac68dffc261c8625c5f2a94364ca10c9
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP726\A0233269.exe Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 519248 Family ID: 1001 MD5: ac68dffc261c8625c5f2a94364ca10c9
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP726\A0234255.exe Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 519248 Family ID: 1001 MD5: ac68dffc261c8625c5f2a94364ca10c9
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP726\A0235253.exe Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 519248 Family ID: 1001 MD5: ac68dffc261c8625c5f2a94364ca10c9
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP726\A0235386.exe Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 519248 Family ID: 1001 MD5: ac68dffc261c8625c5f2a94364ca10c9
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP727\A0236390.exe Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 519248 Family ID: 1001 MD5: ac68dffc261c8625c5f2a94364ca10c9
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP728\A0236534.exe Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 519248 Family ID: 1001 MD5: ac68dffc261c8625c5f2a94364ca10c9
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP729\A0237752.exe Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 519248 Family ID: 1001 MD5: ac68dffc261c8625c5f2a94364ca10c9
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP729\A0237798.exe Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 519248 Family ID: 1001 MD5: ac68dffc261c8625c5f2a94364ca10c9
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP729\A0238790.exe Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 519248 Family ID: 1001 MD5: ac68dffc261c8625c5f2a94364ca10c9
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP729\A0239790.exe Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 519248 Family ID: 1001 MD5: ac68dffc261c8625c5f2a94364ca10c9
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP730\A0239948.exe Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 519248 Family ID: 1001 MD5: ac68dffc261c8625c5f2a94364ca10c9
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP730\A0240942.exe Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 519248 Family ID: 1001 MD5: ac68dffc261c8625c5f2a94364ca10c9
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP731\A0241157.exe Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 519248 Family ID: 1001 MD5: ac68dffc261c8625c5f2a94364ca10c9
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP731\A0241183.exe Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 519248 Family ID: 1001 MD5: ac68dffc261c8625c5f2a94364ca10c9
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP731\A0242184.exe Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 519248 Family ID: 1001 MD5: ac68dffc261c8625c5f2a94364ca10c9
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP732\A0243184.exe Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 519248 Family ID: 1001 MD5: ac68dffc261c8625c5f2a94364ca10c9
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP733\A0243514.exe Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 519248 Family ID: 1001 MD5: ac68dffc261c8625c5f2a94364ca10c9
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP734\A0243569.exe Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 519248 Family ID: 1001 MD5: ac68dffc261c8625c5f2a94364ca10c9
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP734\A0243682.exe Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 519248 Family ID: 1001 MD5: ac68dffc261c8625c5f2a94364ca10c9
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP734\A0243861.exe Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 519248 Family ID: 1001 MD5: ac68dffc261c8625c5f2a94364ca10c9
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP734\A0244010.exe Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 519248 Family ID: 1001 MD5: ac68dffc261c8625c5f2a94364ca10c9
Description: D:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP728\A0237562.exe Family Name: Win32.TrojanDropper.Agent Engine: 1 Clean status: Success Item ID: 257130 Family ID: 1037 MD5: 9ac2da0b884dcca6528ca4fcb0da7e05
Description: D:\软件\QQ\Plugin\Com.Tencent.QQPet\bin\QQPet\QQPetDazzle.exe Family Name: Win32.TrojanDropper.Agent Engine: 1 Clean status: Success Item ID: 257130 Family ID: 1037 MD5: 9ac2da0b884dcca6528ca4fcb0da7e05
Description: HKU:S-1-5-21-507921405-776561741-725345543-500\software\wget: Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 28779 Family ID: 1001
Description: HKLM:software\microsoft\windows\currentversion\windowsupdate\auto update:austate Family Name: Win32.TrojanDropper.Agent Engine: 1 Clean status: Success Item ID: 41162 Family ID: 1037

Scan and cleaning complete: Finished correctly after 15833 seconds

*********************************** Settings ***********************************

Scan profile:
ID: full, enabled:1, value: 完全扫描
  ID: folderstoscan, enabled:1, value: C:\,D:\
  ID: useantivirus, enabled:1, value: true
  ID: sections, enabled:1
    ID: scancriticalareas, enabled:1, value: true
    ID: scanrunningapps, enabled:1, value: true
    ID: scanregistry, enabled:1, value: true
    ID: scanlsp, enabled:1, value: true
    ID: scanads, enabled:1, value: true
    ID: scanhostsfile, enabled:1, value: true
    ID: scanmru, enabled:1, value: true
    ID: scanbrowserhijacks, enabled:1, value: true
    ID: scantrackingcookies, enabled:1, value: true
      ID: closebrowsers, enabled:1, value: false
  ID: filescanningoptions, enabled:1
    ID: archives, enabled:1, value: true
    ID: onlyexecutables, enabled:1, value: false
    ID: skiplargerthan, enabled:1, value: 20480
    ID: scanrootkits, enabled:1, value: true
      ID: rootkitlevel, enabled:1, value: mild, domain: medium,mild,strict
    ID: usespywareheuristics, enabled:1, value: true

Scan global:
ID: global, enabled:1
  ID: addtocontextmenu, enabled:1, value: true
  ID: playsoundoninfection, enabled:1, value: false
    ID: soundfile, enabled:0, value: *to be filled in automatically*\alert.wav

Scheduled scan settings:
<Empty>

Update settings:
ID: updates, enabled:1
  ID: launchthreatworksafterscan, enabled:1, value: off, domain: normal,off,silently
  ID: deffiles, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
  ID: licenseandinfo, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
  ID: schedules, enabled:1, value: true
    ID: updatedaily1, enabled:1, value: Daily 1
      ID: time, enabled:1, value: Mon Feb 01 13:41:00 2010
      ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
      ID: weekdays, enabled:1
        ID: monday, enabled:1, value: false
        ID: tuesday, enabled:1, value: false
        ID: wednesday, enabled:1, value: false
        ID: thursday, enabled:1, value: false
        ID: friday, enabled:1, value: false
        ID: saturday, enabled:1, value: false
        ID: sunday, enabled:1, value: false
      ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
      ID: scanprofile, enabled:1, value: 
      ID: auto_deal_with_infections, enabled:1, value: false
    ID: updatedaily2, enabled:1, value: Daily 2
      ID: time, enabled:1, value: Mon Feb 01 19:41:00 2010
      ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
      ID: weekdays, enabled:1
        ID: monday, enabled:1, value: false
        ID: tuesday, enabled:1, value: false
        ID: wednesday, enabled:1, value: false
        ID: thursday, enabled:1, value: false
        ID: friday, enabled:1, value: false
        ID: saturday, enabled:1, value: false
        ID: sunday, enabled:1, value: false
      ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
      ID: scanprofile, enabled:1, value: 
      ID: auto_deal_with_infections, enabled:1, value: false
    ID: updatedaily3, enabled:1, value: Daily 3
      ID: time, enabled:1, value: Mon Feb 01 01:41:00 2010
      ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
      ID: weekdays, enabled:1
        ID: monday, enabled:1, value: false
        ID: tuesday, enabled:1, value: false
        ID: wednesday, enabled:1, value: false
        ID: thursday, enabled:1, value: false
        ID: friday, enabled:1, value: false
        ID: saturday, enabled:1, value: false
        ID: sunday, enabled:1, value: false
      ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
      ID: scanprofile, enabled:1, value: 
      ID: auto_deal_with_infections, enabled:1, value: false
    ID: updatedaily4, enabled:1, value: Daily 4
      ID: time, enabled:1, value: Mon Feb 01 07:41:00 2010
      ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
      ID: weekdays, enabled:1
        ID: monday, enabled:1, value: false
        ID: tuesday, enabled:1, value: false
        ID: wednesday, enabled:1, value: false
        ID: thursday, enabled:1, value: false
        ID: friday, enabled:1, value: false
        ID: saturday, enabled:1, value: false
        ID: sunday, enabled:1, value: false
      ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
      ID: scanprofile, enabled:1, value: 
      ID: auto_deal_with_infections, enabled:1, value: false
    ID: updateweekly1, enabled:1, value: Weekly
      ID: time, enabled:1, value: Mon Feb 01 13:41:00 2010
      ID: frequency, enabled:1, value: weekly, domain: daily,monthly,once,systemstart,weekly
      ID: weekdays, enabled:1
        ID: monday, enabled:1, value: true
        ID: tuesday, enabled:1, value: false
        ID: wednesday, enabled:1, value: false
        ID: thursday, enabled:1, value: true
        ID: friday, enabled:1, value: false
        ID: saturday, enabled:1, value: false
        ID: sunday, enabled:1, value: false
      ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
      ID: scanprofile, enabled:1, value: 
      ID: auto_deal_with_infections, enabled:1, value: false

Appearance settings:
ID: appearance, enabled:1
  ID: skin, enabled:1, value: default.egl, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Resource
  ID: showtrayicon, enabled:1, value: true
  ID: autoentertainmentmode, enabled:1, value: true
  ID: guimode, enabled:1, value: mode_simple, domain: mode_advanced,mode_simple
  ID: language, enabled:1, value: zh-cmn-Hans, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Language

Realtime protection settings:
ID: realtime, enabled:1
  ID: modules, enabled:1
    ID: processprotection, enabled:1, value: true
    ID: registryprotection, enabled:1, value: true
    ID: networkprotection, enabled:1, value: true
  ID: layers, enabled:1
    ID: useantivirus, enabled:1, value: true
    ID: usespywareheuristics, enabled:1, value: true
  ID: infomessages, enabled:1, value: onlyimportant, domain: display,dontnotify,onlyimportant


****************************** System information ******************************
Computer name: PARENTS
Processor name: AMD Sempron(tm) Processor 3200+
Processor identifier: x86 Family 15 Model 79 Stepping 2
Processor speed: ~1808MHZ
Raw info: processorarchitecture 0, processortype 586, processorlevel 15, processor revision 20226, number of processors 1, processor features: [MMX,SSE,SSE2,3DNow]
Physical memory available: 218120192 bytes
Physical memory total: 938786816 bytes
Virtual memory available: 1970909184 bytes
Virtual memory total: 2147352576 bytes
Memory load: 76%
Microsoft Windows XP Professional Service Pack 3 (build 2600)
Windows startup mode:

Running processes:
PID: 620 name: \SystemRoot\System32\smss.exe owner: SYSTEM domain: NT AUTHORITY
PID: 692 name: \??\C:\WINDOWS\system32\csrss.exe owner: SYSTEM domain: NT AUTHORITY
PID: 716 name: \??\C:\WINDOWS\system32\winlogon.exe owner: SYSTEM domain: NT AUTHORITY
PID: 760 name: C:\WINDOWS\system32\services.exe owner: SYSTEM domain: NT AUTHORITY
PID: 772 name: C:\WINDOWS\system32\lsass.exe owner: SYSTEM domain: NT AUTHORITY
PID: 924 name: C:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1004 name: C:\WINDOWS\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 1040 name: C:\WINDOWS\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1092 name: C:\WINDOWS\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 1176 name: C:\WINDOWS\system32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 1532 name: C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1780 name: C:\WINDOWS\system32\spoolsv.exe owner: SYSTEM domain: NT AUTHORITY
PID: 464 name: C:\Program Files\Common Files\Java\Java Update\jusched.exe owner: Administrator domain: PARENTS
PID: 1460 name: C:\WINDOWS\system32\ctfmon.exe owner: Administrator domain: PARENTS
PID: 520 name: C:\WINDOWS\system32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 660 name: D:\软件\storm2\stormliv.exe owner: SYSTEM domain: NT AUTHORITY
PID: 884 name: C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1108 name: C:\Program Files\Java\jre6\bin\jqs.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1260 name: C:\Program Files\McAfee\SiteAdvisor\McSACore.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1328 name: C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1388 name: c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1440 name: c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1860 name: C:\Program Files\McAfee\MPF\MPFSrv.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1936 name: C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1996 name: C:\Program Files\McAfee\MSK\MskSrver.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2100 name: C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2144 name: c:\PROGRA~1\mcafee.com\agent\mcagent.exe owner: Administrator domain: PARENTS
PID: 2196 name: C:\WINDOWS\system32\nvsvc32.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2336 name: C:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2472 name: C:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2584 name: C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe owner: SYSTEM domain: NT AUTHORITY
PID: 3052 name: C:\WINDOWS\system32\wbem\wmiprvse.exe owner: SYSTEM domain: NT AUTHORITY
PID: 3064 name: C:\WINDOWS\system32\wbem\unsecapp.exe owner: SYSTEM domain: NT AUTHORITY
PID: 3300 name: C:\WINDOWS\System32\alg.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 988 name: C:\WINDOWS\explorer.exe owner: Administrator domain: PARENTS
PID: 1184 name: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe owner: Administrator domain: PARENTS
PID: 3564 name: C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe owner: SYSTEM domain: NT AUTHORITY
PID: 440 name: C:\Program Files\酷6网\极速酷6\Ku6SpeedUpper.exe owner: Administrator domain: PARENTS
PID: 1800 name: C:\WINDOWS\system32\rundll32.exe owner: Administrator domain: PARENTS
PID: 2360 name: C:\WINDOWS\system32\conime.exe owner: Administrator domain: PARENTS
PID: 1700 name: C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe owner: Administrator domain: PARENTS
PID: 184 name: D:\软件\Virus Cleaning\Spybot - Search & Destroy\SpybotSD.exe owner: Administrator domain: PARENTS
PID: 4008 name: D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe owner: Administrator domain: PARENTS
PID: 2780 name: C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe owner: SYSTEM domain: NT AUTHORITY
PID: 3972 name: C:\PROGRA~1\COMMON~1\McAfee\MSC\McUICnt.exe owner: Administrator domain: PARENTS

Startup items:
Name: NvCplDaemon
          imagepath: RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
Name: SunJavaUpdateSched
          imagepath: "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
Name: PostBootReminder
          imagepath: {7849596a-48ea-486e-8937-a2a3009f31a9}
Name: CDBurn
          imagepath: {fbeb8a05-beee-4442-804e-409d6c4515e9}
Name: WebCheck
          imagepath: {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
Name: SysTray
          imagepath: {35CEC8A3-2BE6-11D2-8773-92E220524153}
Name: WPDShServiceObj
          imagepath: {AAA288BA-9A4C-45B0-95D7-94D524869DB5}
Name: {438755C2-A8BA-11D1-B96B-00A0C90312E1}
          imagepath: Browseui 预加载程序
Name: {8C7461EF-2B13-11d2-BE35-3078302C2030}
          imagepath: 组件类别缓存程序
Name: ctfmon.exe
          imagepath: C:\WINDOWS\system32\CTFMON.EXE
Name: 
          imagepath: C:\Documents and Settings\All Users\「开始」菜单\程序\启动\desktop.ini

Bootexecute items:
Name: 
          imagepath: autocheck autochk *
Name: 
          imagepath: lsdelete

Running services:
Name: ALG
          displayname: Application Layer Gateway Service
Name: AudioSrv
          displayname: Windows Audio
Name: BITS
          displayname: Background Intelligent Transfer Service
Name: Browser
          displayname: Computer Browser
Name: ccosm
          displayname: Contrl Center of Storm Media
Name: CryptSvc
          displayname: CryptSvc
Name: DcomLaunch
          displayname: DCOM 服务器进程启动器
Name: Dhcp
          displayname: DHCP Client
Name: dmserver
          displayname: Logical Disk Manager
Name: Dnscache
          displayname: DNS Client
Name: ERSvc
          displayname: Error Reporting Service
Name: Eventlog
          displayname: Event Log
Name: EventSystem
          displayname: COM+ Event System
Name: FastUserSwitchingCompatibility
          displayname: Fast User Switching Compatibility
Name: ForcewareWebInterface
          displayname: Forceware Web Interface
Name: helpsvc
          displayname: Help and Support
Name: HidServ
          displayname: HID Input Service
Name: JavaQuickStarterService
          displayname: Java Quick Starter
Name: lanmanserver
          displayname: Server
Name: lanmanworkstation
          displayname: Workstation
Name: Lavasoft Ad-Aware Service
          displayname: Lavasoft Ad-Aware Service
Name: LmHosts
          displayname: TCP/IP NetBIOS Helper
Name: McAfee SiteAdvisor Service
          displayname: McAfee SiteAdvisor Service
Name: mcmscsvc
          displayname: McAfee Services
Name: McNASvc
          displayname: McAfee Network Agent
Name: McProxy
          displayname: McAfee Proxy Service
Name: McShield
          displayname: McAfee Real-time Scanner
Name: McSysmon
          displayname: McAfee SystemGuards
Name: MpfService
          displayname: McAfee Personal Firewall Service
Name: MSK80Service
          displayname: McAfee Anti-Spam Service
Name: Netman
          displayname: Network Connections
Name: Nla
          displayname: Network Location Awareness (NLA)
Name: nSvcIp
          displayname: ForceWare IP service
Name: nSvcLog
          displayname: ForceWare user log service
Name: NVSvc
          displayname: NVIDIA Display Driver Service
Name: PlugPlay
          displayname: Plug and Play
Name: PolicyAgent
          displayname: IPSEC Services
Name: ProtectedStorage
          displayname: Protected Storage
Name: RasMan
          displayname: Remote Access Connection Manager
Name: RemoteRegistry
          displayname: Remote Registry
Name: RpcSs
          displayname: Remote Procedure Call (RPC)
Name: SamSs
          displayname: Security Accounts Manager
Name: Schedule
          displayname: Task Scheduler
Name: seclogon
          displayname: Secondary Logon
Name: SENS
          displayname: System Event Notification
Name: SharedAccess
          displayname: Windows Firewall/Internet Connection Sharing (ICS)
Name: ShellHWDetection
          displayname: Shell Hardware Detection
Name: Spooler
          displayname: Print Spooler
Name: srservice
          displayname: System Restore Service
Name: SSDPSRV
          displayname: SSDP Discovery Service
Name: stisvc
          displayname: Windows Image Acquisition (WIA)
Name: TapiSrv
          displayname: Telephony
Name: TermService
          displayname: Terminal Services
Name: Themes
          displayname: Themes
Name: TrkWks
          displayname: Distributed Link Tracking Client
Name: UxTuneUp
          displayname: XP变脸王可视风格引擎
Name: W32Time
          displayname: Windows Time
Name: WebClient
          displayname: WebClient
Name: winmgmt
          displayname: Windows Management Instrumentation
Name: wscsvc
          displayname: Security Center
Name: wuauserv
          displayname: Automatic Updates
Name: WZCSVC
          displayname: Wireless Zero Configuration

MBA-M dialogue after the scan: copied from the box
Trojan Cinmus
Adware CNNIC File C:\Program Files\Common Files\Real\CNNIC\Setup.exe
Adware Registry Value HKEY_Local_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shared DLLs\C:\Program Files\Common Files\CNNIC\Setup.exe

Malwarebytes' Anti-Malware 1.44
数据库版本: 3703
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

2010-2-8 11:58:49
mbam-log-2010-02-08 (11-58-49).txt

扫描类型:完全扫描 (C:\|D:\|)
被扫描对象数目: 196671
时间过去: 4 hour(s), 10 minute(s), 29 second(s)

被感染内存进程数目: 0
被感染内存模块数目: 0
被感染注册表项数目: 0
被感染注册表值数目: 1 infected
被感染注册表数据项数目: 0
被感染文件夹数目: 0
被感染文件数目: 1 infected

被感染内存进程数目:not infected
(没有检测到有害项目)

被感染内存模块数目:
(没有检测到有害项目)

被感染注册表项数目:
(没有检测到有害项目)

被感染注册表值数目:infected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program Files\Common Files\Real\CNNIC\setup-real.exe (Adware.CNNIC) -> Quarantined and deleted successfully.

被感染注 infected

The pc is somewhat slower, may be due to background processes. foxkueh

Edited by Nick Evan: Fixed formatting

0

You need to disable system restore, then re-enable it again. That will clear all files in there, but you will lose all restore points.

The file that MBA-M found could be a false positive.

Cannot remember if I recommended this already but,
Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

Defragment the drive also.

Are you able to go to ESET and do an on-line scan? If so, post the log up.

0

Thanks Crunchie,

The file that MBA-M found could be a false positive. What could I do?

I've changed the restore, run ATF Cleaner.exe and defraged the drives.

ESET returns no threat.

foxkueh

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.