Cannot Open IE [CLOSED]


This topic is locked.

#1 lazykitty (New Member, 6 posts)

Hi all,

I am unable to open IE on my machine using the icon on the desktop or the one in the Quick Launch toolbar. However, when opening HTML files, IE is still able to open.

Below is a HijackThis log. I used Kaspersky Internet Security as well as the Trend Micro online scan to scan for malware and viruses but found nothing. I tried Malwarebytes but encountered a buffer overflow error, so the scan could not be completed.

Kindly assist, thank you.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:54:06, on 2008-5-7
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\CNRN\RNMain.exe
C:\PROGRA~1\CNRN\RNMain.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\Rundll32.exe
C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PPStream\ppsap.exe
C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\StormII\stormliv.exe
C:\Program Files\CMBCHINA\WebProtect\WPService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\dzh\internet\hypwise.exe
D:\Program Files\Thunder Network\Thunder\Program\Thunder5.exe
C:\Mozilla Firefox\firefox.exe
D:\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

O2 - BHO: QQCycloneHelper - {00000000-12C9-4305-82F9-43058F20E8D2} - C:\Program Files\Tencent\QQDownload\QQIEHelper01.dll
O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - D:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Tencent Browser Helper - {0C7C23EF-A848-485B-873C-0ED954731014} - C:\Program Files\TENCENT\SSPlus\SAddr.dll
O2 - BHO: QQToolbar - {29CF293A-1E7D-4069-9E11-E39698D0AF95} - C:\Program Files\Tencent\QQToolbar\IEBar.dll
O2 - BHO: Anti Fish - {38928D50-8A48-44C2-945F-D2F23F771410} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yangling.dll
O2 - BHO: WebProtect.IEHlpObj - {53763D1D-9CA8-4C7C-9756-A8E6B8FC063B} - C:\Program Files\CMBCHINA\WebProtect\WebProtect.dll
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - D:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O2 - BHO: IE - {D7B21266-AA85-44b8-B516-3B1A69827400} - C:\PROGRA~1\CNRN\RNEvent.dll
O2 - BHO: Video Speedy - {E74B0A8E-68C0-4866-8288-53EFF8ECBC28} - C:\Program Files\VideoSpeedy\VSpeed.dll
O2 - BHO: AssistHelper - {FE3ECAE7-0A37-4506-8A7D-3CC9A04D2CA8} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yassist.dll
O3 - Toolbar: QQToolbar - {29CF293A-1E7D-4069-9E11-E39698D0AF95} - C:\Program Files\Tencent\QQToolbar\IEBar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [stup.exe] Rundll32.exe C:\PROGRA~1\TENCENT\SSPlus\SPlus1.dll,Rundll32 R
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Adobe Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [YLive.exe] C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
O4 - HKLM\..\Run: [CNRN] C:\PROGRA~1\CNRN\RNMain.exe C:\PROGRA~1\CNRN\CNRN.dll,Rundll32
O4 - HKLM\..\Run: [CNRNRNHelper.dll] C:\PROGRA~1\CNRN\RNMain.exe C:\PROGRA~1\CNRN\RNHelper.dll,Rundll32
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PPS Accelerator] C:\Program Files\PPStream\ppsap.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O4 - Startup: 腾讯QQ.lnk = C:\Program Files\Tencent\QQ\QQ.exe
O4 - Global Startup: HP Pavilion Webcam Tray Icon.lnk = C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
O8 - Extra context menu item: 添加到反广告条 - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: 启动迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - d:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: 启动迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - d:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra button: (no name) - {110F6354-E9E3-4f8c-95DD-8487ED86C73D} - http://cn.zs.yahoo.c...c...s&btn=clean (file missing)
O9 - Extra 'Tools' menuitem: 清理 上网记录 - {110F6354-E9E3-4f8c-95DD-8487ED86C73D} - http://cn.zs.yahoo.c...c...s&btn=clean (file missing)
O9 - Extra button: Web 反病毒统计 - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: 名品 折扣 - {30778C27-54C7-437e-946A-F04CBB8C460F} - http://adtaobao.ally...?allyesPara=816 (file missing)
O9 - Extra button: Yahoo 3.5G 电邮 - {4C4A96EA-D26D-4ab1-9D7C-BEA7D3312B6F} - http://cn.zs.yahoo.c...p;btn=yahoomail (file missing)
O9 - Extra button: (no name) - {4D985980-695A-4b42-8B11-34D8D3385676} - http://cn.zs.yahoo.c...c...&btn=repair (file missing)
O9 - Extra 'Tools' menuitem: 修复 浏览器 - {4D985980-695A-4b42-8B11-34D8D3385676} - http://cn.zs.yahoo.c...c...&btn=repair (file missing)
O9 - Extra button: 雅虎 WIDGET - {6C32C266-E0C3-447c-B1A1-650640D550D0} - http://cn.widget.yah....htm?source=Cns (file missing)
O9 - Extra button: 情景 聊天 - {7035F492-7EAE-4213-A159-7C4E1E216C12} - http://cn.zs.yahoo.c...mp;btn=yahoomsg (file missing)
O9 - Extra button: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Program Files\PPLive\PPLive.exe
O9 - Extra 'Tools' menuitem: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Program Files\PPLive\PPLive.exe
O9 - Extra button: 雅虎 助手 - {BF69897E-F9B4-4c1a-9D81-59822096081F} - http://cn.zs.yahoo.c...amp;btn=yassist (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\ipacc\ipacc_v2.dll
O10 - Unknown file in Winsock LSP: c:\program files\ipacc\ipacc_v2.dll
O10 - Unknown file in Winsock LSP: c:\program files\ipacc\ipacc_v2.dll
O11 - Options group: [!CNRN] 中文上网2007
O11 - Options group: [TBH] 中文搜搜
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFD9981A-240D-4130-A7EB-1CADA986AE59}: NameServer = 61.139.2.69
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: KuGoo - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - C:\WINDOWS\system32\KuGoo3DownXControl.ocx
O18 - Protocol: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - C:\WINDOWS\system32\KuGoo3DownXControl.ocx
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll
O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: 卡巴斯基互联网安全套装 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Contrl Center of Storm Media (ccosm) - 北京暴风网际科技有限公司 - C:\Program Files\StormII\stormliv.exe
O23 - Service: Cmb WebProtect Support (CMBWPS) - China Merchants Bank - C:\Program Files\CMBCHINA\WebProtect\WPService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 10515 bytes
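A triage pass over a HijackThis log of the kind posted above, as an added example that is not part of the thread or of HijackThis itself. It parses the "Onn - ..." lines, records which registry location each section code corresponds to (the standard HijackThis numbering), and applies a few cheap heuristics a helper would apply before deciding what to fix: repeated O10 lines for one DLL, orphaned "(file missing)" registrations, non-default DNS, AppInit_DLLs, and components that load from outside the usual directories. The sample lines are excerpted from the log in post #1; the severity labels and the EXPECTED_DIRS list are this example's own assumptions.

```python
import re
from collections import Counter

# Registry or filesystem location behind each HijackThis section code
# (the standard HJT numbering, listed so a finding can say what to inspect).
HJT_SECTIONS = {
    "O2":  "BHO: HKLM\\...\\Explorer\\Browser Helper Objects\\{CLSID}",
    "O3":  "IE toolbar: HKLM\\Software\\Microsoft\\Internet Explorer\\Toolbar",
    "O4":  "autostart: Run/RunOnce keys or a Startup folder",
    "O9":  "IE extra button / Tools item: ...\\Internet Explorer\\Extensions\\{CLSID}",
    "O10": "Winsock LSP: HKLM\\System\\CurrentControlSet\\Services\\WinSock2\\Parameters",
    "O11": "IE Advanced Options group: ...\\Internet Explorer\\AdvancedOptions",
    "O17": "DNS: HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\...\\NameServer",
    "O18": "protocol handler: HKCR\\PROTOCOLS\\Handler",
    "O20": "AppInit_DLLs: HKLM\\...\\Windows NT\\CurrentVersion\\Windows",
    "O23": "service: HKLM\\System\\CurrentControlSet\\Services",
}

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe|ocx|sys)\b", re.IGNORECASE)
# Assumption for this example: where IE add-ons and autostarts normally live on XP.
EXPECTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

# Lines excerpted from the HijackThis log in post #1 (not a complete log).
SAMPLE_LOG = r"""
O2 - BHO: IE - {D7B21266-AA85-44b8-B516-3B1A69827400} - C:\PROGRA~1\CNRN\RNEvent.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Adobe Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CNRN] C:\PROGRA~1\CNRN\RNMain.exe C:\PROGRA~1\CNRN\CNRN.dll,Rundll32
O9 - Extra button: (no name) - {110F6354-E9E3-4f8c-95DD-8487ED86C73D} - http://cn.zs.yahoo.c...c...s&btn=clean (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\ipacc\ipacc_v2.dll
O10 - Unknown file in Winsock LSP: c:\program files\ipacc\ipacc_v2.dll
O10 - Unknown file in Winsock LSP: c:\program files\ipacc\ipacc_v2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFD9981A-240D-4130-A7EB-1CADA986AE59}: NameServer = 61.139.2.69
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
"""


def parse_hjt(text):
    """Turn 'Onn - ...' lines into dicts; header and process-list lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"^(O\d+) - (.*)$", line.strip())
        if not m:
            continue
        code, body = m.groups()
        clsid = CLSID_RE.search(body)
        path = PATH_RE.search(body)  # first drive-letter path in the line
        entries.append({
            "code": code,
            "body": body,
            "clsid": clsid.group(0).upper() if clsid else None,
            "path": path.group(0).lower() if path else None,
            "file_missing": "(file missing)" in body,
            "where": HJT_SECTIONS.get(code, "unlisted section"),
        })
    return entries


def triage(entries):
    """Cheap heuristics applied before deciding what to fix.
    Returns (severity, reason, entry) tuples; 'review' means look, not delete."""
    findings = []
    # HJT emits one O10 line per catalog entry, so one DLL usually shows up several times.
    lsp_count = Counter(e["path"] for e in entries if e["code"] == "O10")
    for e in entries:
        if e["code"] == "O10":
            findings.append(("high", f"DLL HijackThis does not recognise in the Winsock LSP chain "
                                     f"({lsp_count[e['path']]} catalog entries); deleting it by hand "
                                     f"breaks the chain, use an LSP-aware tool", e))
        elif e["code"] == "O17":
            findings.append(("review", "non-default DNS server; confirm it belongs to the ISP", e))
        elif e["code"] == "O20":
            findings.append(("review", "AppInit_DLLs loads into every process that uses user32; confirm the vendor", e))
        elif e["file_missing"]:
            findings.append(("low", "orphaned registration, target no longer on disk", e))
        elif e["path"] and not e["path"].startswith(EXPECTED_DIRS):
            findings.append(("review", "loads from an unusual directory", e))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 3, 'review': 3, 'low': 1}."""
    return dict(Counter(sev for sev, _, _ in findings))


if __name__ == "__main__":
    for sev, reason, e in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{sev:6}] {e['code']:4} {reason}\n         {e['where']}\n         {e['body']}")
```

The heuristics only rank what to look at; the O10 rule is the one that matters for this thread, because the same DLL appearing three times means three catalog entries, and fixing them in HijackThis (which just deletes the entries) leaves the remaining chain references pointing at nothing.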


#2 Tal (Trusted Helper, Retired Staff, 2,138 posts)

Hello lazykitty, welcome to GeeksToGo! :)

My name is Tal, and I will be helping you in the process of removing malware from your computer.

Before we proceed to clean your computer from malware, let's go over some points that will help both me and you, and prevent causing damage to your computer:
  • Please don't be afraid to ask questions! :) No question is considered dumb here. It's better to be safe than sorry!
  • Please follow the steps exactly in the same order posted. If you can't perform a certain step, or you're unsure on what to do, please stop and let me know.
  • NEVER fix anything in HijackThis or other programs on your own! This can be very dangerous and cause harm to your system. If you see a certain entry or program you're unsure about, please don't hesitate to ask! :)

You may also want to Track This Topic. This feature of the forum will send out an email to the email address you've signed up with as soon as I reply, so you can be notified of my reply. To do this, please locate the Options menu, located just under the New Topic and New Reply icons. Once you've found it, click it, and choose Track This Topic from the dropdown menu (the first option). In the page that appears after you have clicked Track This Topic, select Immediate Email Notification, then click Proceed.

Step 1: Getting rid of a malicious file in the LSP chain

A malicious .DLL file is disrupting the LSP chain on your computer. We need to get rid of it.
  • Please download LSPFix from here.
  • Run the LSPFix.exe that you have just finished downloading.
  • Check the I know what I'm doing box.
  • In the Keep box you should see one or more instances of ipacc_v2.dll.
  • Select every instance of ipacc_v2.dll and move each one to the Remove box by clicking the >> button.
  • When you are done click Finish>>.

Step 2: Correcting entries with HijackThis

Please re-open HijackThis and click Scan. Put a check next to the following entries presented in the window: (Do NOT click Fix yet!)
O2 - BHO: QQCycloneHelper - {00000000-12C9-4305-82F9-43058F20E8D2} - C:\Program Files\Tencent\QQDownload\QQIEHelper01.dll
O2 - BHO: QQToolbar - {29CF293A-1E7D-4069-9E11-E39698D0AF95} - C:\Program Files\Tencent\QQToolbar\IEBar.dll
O2 - BHO: IE - {D7B21266-AA85-44b8-B516-3B1A69827400} - C:\PROGRA~1\CNRN\RNEvent.dll
O3 - Toolbar: QQToolbar - {29CF293A-1E7D-4069-9E11-E39698D0AF95} - C:\Program Files\Tencent\QQToolbar\IEBar.dll
O4 - HKLM\..\Run: [CNRN] C:\PROGRA~1\CNRN\RNMain.exe C:\PROGRA~1\CNRN\CNRN.dll,Rundll32
O11 - Options group: [!CNRN] 中文上网2007
O11 - Options group: [TBH] 中文搜搜


Now, close all other windows but HijackThis, including Explorer windows (folders) and this window, and click Fix. Note: It is vital you close all other windows, otherwise the fix will not succeed.

Restart your computer.

Step 3: OTMoveIt

Please download OTMoveIt2 by OldTimer. Please note: if you already have OTMoveIt on your system, please replace it with this newer version.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\PROGRA~1\CNRN
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Step 4: Scanning with DSS

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepad windows, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply. Note: It's likely that the two logs won't fit into one post. If so, please post extra.txt in a separate post.

In your next reply, please include the DSS logs.
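The LSP chain that Step 1 above is about, as an added example that is not part of Tal's post or of LSPFix. A Winsock LSP is installed as a layered provider entry plus one chain entry per base protocol it stacks on, and each chain entry lists the catalog IDs it is built from. Deleting only the provider entry (or only the DLL) leaves chains that reference a missing ID, which is the "broken LSP chain" state that takes networking down; an LSP-aware remover drops the provider and every chain built on it together. The catalog text below is constructed in the shape of `netsh winsock show catalog` output on XP SP2 (field names approximated; only five fields are read), with catalog IDs and descriptions invented for the example and the ipacc DLL path taken from the O10 lines in post #1.

```python
import re

# Constructed sample in the shape of `netsh winsock show catalog` output (XP SP2).
# IDs 1001-1007 and the descriptions are invented for this example.
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [UDP/IP]
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1002
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        ipacc
Provider Path:                      c:\program files\ipacc\ipacc_v2.dll
Catalog Entry ID:                   1005
Protocol Chain Length:              0

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        ipacc over [MSAFD Tcpip [TCP/IP]]
Provider Path:                      c:\program files\ipacc\ipacc_v2.dll
Catalog Entry ID:                   1006
Protocol Chain Length:              2
Protocol Chain:                     1005 : 1001

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        ipacc over [MSAFD Tcpip [UDP/IP]]
Provider Path:                      c:\program files\ipacc\ipacc_v2.dll
Catalog Entry ID:                   1007
Protocol Chain Length:              2
Protocol Chain:                     1005 : 1002
"""

KV_RE = re.compile(r"^([A-Za-z ]+):\s*(.*)$")


def parse_catalog(text):
    """One dict per 'Winsock Catalog Provider Entry' block of the netsh dump."""
    raw, cur = [], None
    for line in text.splitlines():
        if line.startswith("Winsock Catalog Provider Entry"):
            cur = {}
            raw.append(cur)
            continue
        m = KV_RE.match(line)
        if m and cur is not None:
            cur[m.group(1).strip()] = m.group(2).strip()
    return [{
        "id": int(e["Catalog Entry ID"]),
        "type": e["Entry Type"],
        "desc": e["Description"],
        "path": e["Provider Path"].lower(),
        # chain entries list the catalog IDs they stack, top layer first; empty otherwise
        "chain": [int(x) for x in re.findall(r"\d+", e.get("Protocol Chain", ""))],
    } for e in raw]


def entries_for_dll(entries, dll_name):
    """Every catalog entry whose provider is this DLL: the LSP itself plus the chains
    built on it. This is the set HijackThis reports as separate O10 lines."""
    return sorted(e["id"] for e in entries if e["path"].endswith("\\" + dll_name.lower()))


def dangling_chains(entries):
    """Chain entries referencing a catalog ID that no longer exists: the broken-chain
    state left behind by deleting only the provider entry."""
    ids = {e["id"] for e in entries}
    return sorted(e["id"] for e in entries if e["chain"] and not set(e["chain"]) <= ids)


def remove_dll(entries, dll_name):
    """What an LSP-aware remover does: drop the provider AND every chain layered on it,
    leaving the base providers (and chains that never touched it) intact."""
    doomed = set(entries_for_dll(entries, dll_name))
    return [e for e in entries if e["id"] not in doomed and not doomed & set(e["chain"])]


if __name__ == "__main__":
    cat = parse_catalog(SAMPLE_CATALOG)
    print("entries backed by ipacc_v2.dll:", entries_for_dll(cat, "ipacc_v2.dll"))
    naive = [e for e in cat if e["id"] != 1005]  # deleted only the LSP entry by hand
    print("dangling chains after naive delete:", dangling_chains(naive))
    clean = remove_dll(cat, "ipacc_v2.dll")
    print("dangling chains after LSP-aware removal:", dangling_chains(clean))
    print("remaining:", [(e["id"], e["desc"]) for e in clean])
```

To capture a real catalog on XP SP2 or later, run `netsh winsock show catalog > catalog.txt` from a command prompt; `netsh winsock reset` (followed by a reboot) rebuilds the catalog from defaults and is the built-in way back if the chain is already broken. The sample deliberately has three entries for ipacc_v2.dll, which is consistent with the three O10 lines in the log above.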

#3 lazykitty (Topic Starter, New Member, 6 posts)

Hi Tal,

Thanks a zillion for your prompt reply. I'm indeed very grateful to you.

As instructed, please find the logs below.

1. OTMoveIt
-------------

C:\PROGRA~1\CNRN moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 05092008_003236

2. DSS Main.txt
-----------------

Deckard's System Scanner v20071014.68
Run by hp on 2008-05-09 00:33:13
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
31: 2008-05-08 16:33:16 UTC - RP62 - Deckard's System Scanner Restore Point
30: 2008-05-07 18:11:08 UTC - RP61 - System Checkpoint
29: 2008-05-05 17:45:09 UTC - RP60 - System Checkpoint
28: 2008-05-03 14:34:43 UTC - RP59 - Installed Windows XP KB888111WXPSP2.
27: 2008-05-03 11:17:37 UTC - RP58 - System Checkpoint


-- First Restore Point --
1: 2008-03-16 04:51:08 UTC - RP32 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 0.33 GiB (less than 15%) free.


-- HijackThis (run as hp.exe) --------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 0:35:13, on 2008-5-9
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\CNRN\RNMain.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Adobe Reader 8.0\Reader\Reader_sl.exe
C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PPStream\ppsap.exe
C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\StormII\stormliv.exe
C:\Program Files\CMBCHINA\WebProtect\WPService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\hp\桌面\dss.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
D:\HIJACK~1\hp.exe

O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - D:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Tencent Browser Helper - {0C7C23EF-A848-485B-873C-0ED954731014} - C:\Program Files\TENCENT\SSPlus\SAddr.dll
O2 - BHO: Anti Fish - {38928D50-8A48-44C2-945F-D2F23F771410} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yangling.dll
O2 - BHO: WebProtect.IEHlpObj - {53763D1D-9CA8-4C7C-9756-A8E6B8FC063B} - C:\Program Files\CMBCHINA\WebProtect\WebProtect.dll
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - D:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O2 - BHO: IE - {D7B21266-AA85-44b8-B516-3B1A69827400} - C:\PROGRA~1\CNRN\RNEvent.dll (file missing)
O2 - BHO: Video Speedy - {E74B0A8E-68C0-4866-8288-53EFF8ECBC28} - C:\Program Files\VideoSpeedy\VSpeed.dll
O2 - BHO: AssistHelper - {FE3ECAE7-0A37-4506-8A7D-3CC9A04D2CA8} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yassist.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [stup.exe] Rundll32.exe C:\PROGRA~1\TENCENT\SSPlus\SPlus1.dll,Rundll32 R
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Adobe Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [YLive.exe] C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
O4 - HKLM\..\Run: [CNRN] C:\PROGRA~1\CNRN\RNMain.exe C:\PROGRA~1\CNRN\CNRN.dll,Rundll32
O4 - HKLM\..\Run: [CNRNRNHelper.dll] C:\PROGRA~1\CNRN\RNMain.exe C:\PROGRA~1\CNRN\RNHelper.dll,Rundll32
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PPS Accelerator] C:\Program Files\PPStream\ppsap.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O4 - Global Startup: HP Pavilion Webcam Tray Icon.lnk = C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
O8 - Extra context menu item: 添加到反广告条 - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: 启动迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - d:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: 启动迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - d:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra button: (no name) - {110F6354-E9E3-4f8c-95DD-8487ED86C73D} - http://cn.zs.yahoo.c...c...s&btn=clean (file missing)
O9 - Extra 'Tools' menuitem: 清理 上网记录 - {110F6354-E9E3-4f8c-95DD-8487ED86C73D} - http://cn.zs.yahoo.c...c...s&btn=clean (file missing)
O9 - Extra button: Web 反病毒统计 - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: 名品 折扣 - {30778C27-54C7-437e-946A-F04CBB8C460F} - http://adtaobao.ally...?allyesPara=816 (file missing)
O9 - Extra button: Yahoo 3.5G 电邮 - {4C4A96EA-D26D-4ab1-9D7C-BEA7D3312B6F} - http://cn.zs.yahoo.c...p;btn=yahoomail (file missing)
O9 - Extra button: (no name) - {4D985980-695A-4b42-8B11-34D8D3385676} - http://cn.zs.yahoo.c...c...&btn=repair (file missing)
O9 - Extra 'Tools' menuitem: 修复 浏览器 - {4D985980-695A-4b42-8B11-34D8D3385676} - http://cn.zs.yahoo.c...c...&btn=repair (file missing)
O9 - Extra button: 雅虎 WIDGET - {6C32C266-E0C3-447c-B1A1-650640D550D0} - http://cn.widget.yah....htm?source=Cns (file missing)
O9 - Extra button: 情景 聊天 - {7035F492-7EAE-4213-A159-7C4E1E216C12} - http://cn.zs.yahoo.c...mp;btn=yahoomsg (file missing)
O9 - Extra button: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Program Files\PPLive\PPLive.exe
O9 - Extra 'Tools' menuitem: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Program Files\PPLive\PPLive.exe
O9 - Extra button: 雅虎 助手 - {BF69897E-F9B4-4c1a-9D81-59822096081F} - http://cn.zs.yahoo.c...amp;btn=yassist (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [!CNRN] 中文上网2007
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O18 - Protocol: KuGoo - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - C:\WINDOWS\system32\KuGoo3DownXControl.ocx
O18 - Protocol: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - C:\WINDOWS\system32\KuGoo3DownXControl.ocx
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: 卡巴斯基互联网安全套装 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Contrl Center of Storm Media (ccosm) - 北京暴风网际科技有限公司 - C:\Program Files\StormII\stormliv.exe
O23 - Service: Cmb WebProtect Support (CMBWPS) - China Merchants Bank - C:\Program Files\CMBCHINA\WebProtect\WPService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7507 bytes

-- HijackThis Fixed Entries (D:\HIJACK~1\backups\) -----------------------------

backup-20080508-235339-137 O2 - BHO: QQToolbar - {29CF293A-1E7D-4069-9E11-E39698D0AF95} - C:\Program Files\Tencent\QQToolbar\IEBar.dll
backup-20080508-235339-158 O3 - Toolbar: QQToolbar - {29CF293A-1E7D-4069-9E11-E39698D0AF95} - C:\Program Files\Tencent\QQToolbar\IEBar.dll
backup-20080508-235339-344 O2 - BHO: QQCycloneHelper - {00000000-12C9-4305-82F9-43058F20E8D2} - C:\Program Files\Tencent\QQDownload\QQIEHelper01.dll
backup-20080508-235339-717 O11 - Options group: [TBH] 中文搜搜
backup-20080508-235339-762 O2 - BHO: IE - {D7B21266-AA85-44b8-B516-3B1A69827400} - C:\PROGRA~1\CNRN\RNEvent.dll
backup-20080508-235339-794 O11 - Options group: [!CNRN] 中文上网2007
backup-20080508-235339-972 O4 - HKLM\..\Run: [CNRN] C:\PROGRA~1\CNRN\RNMain.exe C:\PROGRA~1\CNRN\CNRN.dll,Rundll32

-- File Associations -----------------------------------------------------------

.chm - chm.file - shell\open\command - "hh.exe" %1
.ini - inifile - shell\open\command - C:\WINDOWS\System32\NOTEPAD.EXE %1
.txt - txtfile - shell\open\command - C:\WINDOWS\notepad.exe %1


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 lqsgipq - c:\windows\system32\drivers\lqsgipq.sys
R3 HBtnKey - c:\windows\system32\drivers\cpqbttn.sys <Not Verified; Hewlett-Packard Development Company, L.P.; HP Quick Launch Buttons>

S3 eabfiltr - c:\windows\system32\drivers\eabfiltr.sys <Not Verified; Hewlett-Packard Development Company, L.P.; HPQuick Launch Buttons>
S3 eabusb - c:\windows\system32\drivers\eabusb.sys <Not Verified; Hewlett-Packard Development Company, L.P.; HP Quick Launch Buttons>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 ccosm (Contrl Center of Storm Media) - c:\program files\stormii\stormliv.exe /asservice <Not Verified; 北京暴风网际科技有限公司; 暴风影音媒体控制中心>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-04-09 and 2008-05-09 -----------------------------

2008-05-07 12:12:50 0 d-------- C:\Documents and Settings\hp\Application Data\Malwarebytes
2008-05-07 12:12:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-03 22:12:32 0 d-------- C:\Program Files\Intel
2008-05-03 10:28:14 1212 --a------ C:\WINDOWS\mozver.dat
2008-05-02 18:51:08 0 d-------- C:\Program Files\Synaptics
2008-05-02 18:46:44 102400 --a------ C:\WINDOWS\HPWebcam.exe <Not Verified; ; HPWebcam>
2008-05-02 18:46:43 53248 --a------ C:\WINDOWS\csnp2uvc.dll <Not Verified; ; InstallUtil>
2008-05-02 18:46:43 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-02 18:46:43 0 d-------- C:\Program Files\Hewlett-Packard
2008-05-02 18:41:17 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2008-05-02 18:40:58 0 d-------- C:\Program Files\Common Files\InstallShield
2008-05-02 18:37:25 0 d-------- C:\WINDOWS\system32\appmgmt
2008-05-02 14:27:38 0 d-------- C:\WINDOWS\system32\zh-cn
2008-05-02 14:25:33 0 d-------- C:\WINDOWS\network diagnostic
2008-05-01 17:18:09 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-01 17:18:05 0 d-------- C:\Documents and Settings\hp\Application Data\Mozilla
2008-05-01 17:11:43 0 d-------- C:\Mozilla Firefox
2008-05-01 13:25:48 0 d-------- C:\Documents and Settings\hp\.housecall6.6
2008-04-30 17:57:48 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-04-30 17:57:46 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-04-30 17:57:46 0 d-------- C:\Documents and Settings\LocalService\Application Data\TENCENT
2008-04-30 16:35:29 20 -rah----- C:\WINDOWS\assist.dat
2008-04-30 14:06:29 12752 --a------ C:\WINDOWS\system32\drivers\lqsgipq.sys
2008-04-30 09:06:20 0 d-------- C:\Program Files\Yahoo!
2008-04-30 09:06:19 0 d-------- C:\Program Files\连连看简体中文精装版
2008-04-28 22:51:36 0 d-------- C:\Program Files\VideoSpeedy
2008-04-28 19:12:02 0 d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-04-28 18:57:12 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-04-28 18:56:53 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-28 18:56:53 0 d-------- C:\Adobe Reader 8.0
2008-04-24 10:37:59 0 d-------- C:\Documents and Settings\hp\Application Data\Help
2008-04-16 19:54:39 0 d-------- C:\Program Files\SogouInput
2008-04-16 19:54:38 0 d-------- C:\Documents and Settings\hp\Application Data\SogouPY.users
2008-04-16 19:54:33 0 d-------- C:\Documents and Settings\hp\Application Data\SogouPY


-- Find3M Report ---------------------------------------------------------------

2008-05-09 00:02:07 205328 --a------ C:\WINDOWS\system32\prfh0804.dat
2008-05-09 00:02:07 141420 --a------ C:\WINDOWS\system32\prfc0804.dat
2008-05-08 23:55:37 0 d-------- C:\Program Files\PPStream
2008-05-08 12:09:53 18123 --a------ C:\WINDOWS\system32\cid_store.dat
2008-05-07 15:19:33 0 d-------- C:\Program Files\PPLive
2008-05-03 22:30:35 0 d-------- C:\Program Files\CONEXANT
2008-05-02 18:40:58 0 d-------- C:\Program Files\Common Files
2008-05-01 13:39:44 0 d-------- C:\Program Files\Qyule
2008-04-28 19:01:55 0 d-------- C:\Documents and Settings\hp\Application Data\Adobe
2008-04-16 00:20:22 0 d-------- C:\Documents and Settings\hp\Application Data\QQUpdate
2008-04-14 18:42:07 0 d-------- C:\Documents and Settings\hp\Application Data\QQ
2008-04-14 18:34:12 0 d-------- C:\Documents and Settings\hp\Application Data\Kingsoft
2008-03-20 11:56:09 0 d-------- C:\Program Files\Tencent
2008-03-20 11:56:09 0 d-------- C:\Documents and Settings\hp\Application Data\Tencent
2008-03-19 00:18:50 0 d-------- C:\Program Files\DopLive
2008-03-17 18:29:13 0 d-------- C:\Documents and Settings\hp\Application Data\ppstream
2008-03-17 12:17:56 0 d-------- C:\Program Files\PPS
2008-03-16 11:09:44 0 d-------- C:\Program Files\ipacc
2008-03-16 11:06:22 0 d-------- C:\Program Files\KuGou
2008-03-16 10:51:45 0 d-------- C:\Documents and Settings\hp\Application Data\PPLive
2008-03-09 09:22:15 0 d-------- C:\Program Files\StormII
2008-03-09 09:21:40 0 d-------- C:\Program Files\Wopti
2008-03-08 20:36:45 212992 --a------ C:\WINDOWS\TdxUnInstall.exe <Not Verified; ; TdxUnInstall 应用程序>
2008-03-08 20:34:41 20 --a------ C:\WINDOWS\system32\pub_store.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0C7C23EF-A848-485B-873C-0ED954731014}]
2008-04-17 14:17 256832 --a------ C:\Program Files\TENCENT\SSPlus\SAddr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{38928D50-8A48-44C2-945F-D2F23F771410}]
2007-12-14 21:40 175536 --a------ C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yangling.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53763D1D-9CA8-4C7C-9756-A8E6B8FC063B}]
2007-08-20 16:15 341904 --a------ C:\Program Files\CMBCHINA\WebProtect\WebProtect.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D7B21266-AA85-44b8-B516-3B1A69827400}]
C:\PROGRA~1\CNRN\RNEvent.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E74B0A8E-68C0-4866-8288-53EFF8ECBC28}]
2008-04-22 20:42 167936 --a------ C:\Program Files\VideoSpeedy\VSpeed.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FE3ECAE7-0A37-4506-8A7D-3CC9A04D2CA8}]
2007-12-14 21:39 77232 --a------ C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yassist.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-17 15:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-17 15:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-17 15:00]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-06-28 12:51]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"stup.exe"="C:\PROGRA~1\TENCENT\SSPlus\SPlus1.dll" [2008-03-27 09:42]
"Adobe Reader Speed Launcher"="C:\Adobe Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16]
"YLive.exe"="C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe" [2007-12-29 15:14]
"CNRN"="C:\PROGRA~1\CNRN\RNMain.exe" []
"CNRNRNHelper.dll"="C:\PROGRA~1\CNRN\RNMain.exe" []
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-04-26 19:48]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 14:36]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-17 15:00]
"PPS Accelerator"="C:\Program Files\PPStream\ppsap.exe" [2008-01-17 14:48]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ctfmon.exe"=ctfmon.exe

C:\Documents and Settings\All Users\「开始」菜单\程序\启动\
HP Pavilion Webcam Tray Icon.lnk - C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe [2008-5-2 06:46:44 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{D7B21266-AA85-44b8-B516-3B1A69827400}"= C:\PROGRA~1\CNRN\RNEvent.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll




-- End of Deckard's System Scanner: finished at 2008-05-09 00:35:50 ------------

3. DSS Extra.txt
--------------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: Chinese

CPU 0: Genuine Intel® CPU T2300 @ 1.66GHz
CPU 1: Genuine Intel® CPU T2300 @ 1.66GHz
Percentage of Memory in Use: 33%
Physical Memory (total/avail): 1022.04 MiB / 675.82 MiB
Pagefile Memory (total/avail): 2458.29 MiB / 2227.88 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1924.92 MiB

C: is Fixed (NTFS) - 9.77 GiB total, 0.33 GiB free.
D: is Fixed (NTFS) - 22.46 GiB total, 4.67 GiB free.
E: is Fixed (NTFS) - 23.66 GiB total, 9.09 GiB free.
F: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - FUJITSU MHV2060BH PL - 55.9 GiB - 3 partitions
\PARTITION0 (bootable) - Installable File System - 9.77 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 46.12 GiB - D: - E:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntivirusOverride is set.

FW: Kaspersky Internet Security v7.0.0.125 (Kaspersky Lab) Disabled
AV: Kaspersky Internet Security v7.0.0.125 (Kaspersky Lab) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\\Program Files\\Thunder Network\\Thunder\\Program\\Thunder5.exe"="D:\\Program Files\\Thunder Network\\Thunder\\Program\\Thunder5.exe:*:Enabled:Thunder"
"C:\\Program Files\\PPStream\\PPStream.exe"="C:\\Program Files\\PPStream\\PPStream.exe:*:Enabled:PPS网络电视"
"C:\\Program Files\\PPStream\\PPSAP.exe"="C:\\Program Files\\PPStream\\PPSAP.exe:*:Enabled:PPS 网络加速器"
"C:\\Program Files\\PPLive\\PPLive.exe"="C:\\Program Files\\PPLive\\PPLive.exe:*:Enabled:PPLive"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\hp\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=HP-3A88CA1F13FE
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\hp
LOGONSERVER=\\HP-3A88CA1F13FE
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 14 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0e08
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\hp\LOCALS~1\Temp
TMP=C:\DOCUME~1\hp\LOCALS~1\Temp
USERDOMAIN=HP-3A88CA1F13FE
USERNAME=hp
USERPROFILE=C:\Documents and Settings\hp
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

hp (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 - Chinese Simplified --> MsiExec.exe /I{AC76BA86-7AD7-2052-7B44-A81200000003}
Conexant HD Audio --> C:\Program Files\CONEXANT\CNXT_HDAUDIO\UIU32a.exe -U -Iwis30B2a.inf
DopLive 1.3.313.1 --> "C:\Program Files\DopLive\unins000.exe"
getPlus®_ocx --> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\inf\GETPLUSo.INF, DefaultUninstall
HDAUDIO Soft Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_wis30B2m\HXFSETUP.EXE -U -Iwis30B2m.INF
HijackThis 2.0.2 --> "D:\HijackThis\HijackThis.exe" /uninstall
HP Pavilion Webcam --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{399C37FB-08AF-493B-BFED-20FBD85EDF7F}\Setup.exe" -l0x804 -u
Intel® PRO Network Connections Drivers --> Prounstl.exe
Mozilla Firefox (2.0.0.14) --> C:\Mozilla Firefox\uninstall\helper.exe
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
PPLive 1.9 --> C:\Program Files\PPLive\uninst.exe
PPS --> "C:\Program Files\PPS\unins000.exe"
PPS网络电视 --> C:\Program Files\PPStream\uninst.exe
QQ2008 贺岁版 --> C:\Program Files\Tencent\QQ\uninst.exe
QQ工具栏 --> RUNDLL32.EXE C:\PROGRA~1\Tencent\QQTOOL~1\IEBar.dll,UnInstall
QQ聊天室 --> "C:\Program Files\Tencent\QQChat\uninstall.exe"
QQ音乐7.1Beta09 --> C:\Program Files\Tencent\QQ\QQMusicUninst.exe
QQ游戏 --> C:\Program Files\Tencent\QQGame\Uninstall.EXE
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
VideoSpeedy Platform --> "C:\Program Files\VideoSpeedy\unins000.exe"
Windows XP Security Update (KB923689) -->
Windows XP Security Update (KB941569) --> "C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Windows XP Security Update (KB911562) -->
Windows XP Security Update (KB920213) -->
Windows XP Security Update (KB921503) --> "C:\WINDOWS\$NtUninstallKB921503$\spuninst\spuninst.exe"
Windows XP Security Update (KB925454) -->
Windows XP Security Update (KB932168) --> "C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe"
Windows XP Security Update (KB933729) --> "C:\WINDOWS\$NtUninstallKB933729$\spuninst\spuninst.exe"
Windows XP Security Update (KB936021) --> "C:\WINDOWS\$NtUninstallKB936021$\spuninst\spuninst.exe"
Windows XP Security Update (KB937143) --> "C:\WINDOWS\$NtUninstallKB937143$\spuninst\spuninst.exe"
Windows XP Security Update (KB937894) --> "C:\WINDOWS\$NtUninstallKB937894$\spuninst\spuninst.exe"
Windows XP Security Update (KB938127) --> "C:\WINDOWS\$NtUninstallKB938127$\spuninst\spuninst.exe"
Windows XP Security Update (KB938829) --> "C:\WINDOWS\$NtUninstallKB938829$\spuninst\spuninst.exe"
Windows XP Security Update (KB941202) --> "C:\WINDOWS\$NtUninstallKB941202$\spuninst\spuninst.exe"
Windows XP Security Update (KB941568) --> "C:\WINDOWS\$NtUninstallKB941568$\spuninst\spuninst.exe"
Windows XP Security Update (KB941644) --> "C:\WINDOWS\$NtUninstallKB941644$\spuninst\spuninst.exe"
Windows XP Security Update (KB941693) --> "C:\WINDOWS\$NtUninstallKB941693$\spuninst\spuninst.exe"
Windows XP Security Update (KB942615) --> "C:\WINDOWS\$NtUninstallKB942615$\spuninst\spuninst.exe"
Windows XP Security Update (KB943055) --> "C:\WINDOWS\$NtUninstallKB943055$\spuninst\spuninst.exe"
Windows XP Security Update (KB943460) --> "C:\WINDOWS\$NtUninstallKB943460$\spuninst\spuninst.exe"
Windows XP Security Update (KB943485) --> "C:\WINDOWS\$NtUninstallKB943485$\spuninst\spuninst.exe"
Windows XP Security Update (KB944338) --> "C:\WINDOWS\$NtUninstallKB944338$\spuninst\spuninst.exe"
Windows XP Security Update (KB944533) --> "C:\WINDOWS\$NtUninstallKB944533$\spuninst\spuninst.exe"
Windows XP Security Update (KB944653) --> "C:\WINDOWS\$NtUninstallKB944653$\spuninst\spuninst.exe"
Windows XP Security Update (KB945553) --> "C:\WINDOWS\$NtUninstallKB945553$\spuninst\spuninst.exe"
Windows XP Security Update (KB946026) --> "C:\WINDOWS\$NtUninstallKB946026$\spuninst\spuninst.exe"
Windows XP Security Update (KB947864) --> "C:\WINDOWS\$NtUninstallKB947864$\spuninst\spuninst.exe"
Windows XP Security Update (KB948590) --> "C:\WINDOWS\$NtUninstallKB948590$\spuninst\spuninst.exe"
Windows XP Security Update (KB948881) --> "C:\WINDOWS\$NtUninstallKB948881$\spuninst\spuninst.exe"
Windows XP Update (KB898461) -->
Windows XP Update (KB900485) -->
Windows XP Update (KB908531) -->
Windows XP Update (KB916595) -->
Windows XP Update (KB920872) -->
Windows XP Update (KB927891) --> "C:\WINDOWS\$NtUninstallKB927891$\spuninst\spuninst.exe"
Windows XP Update (KB936357) --> "C:\WINDOWS\$NtUninstallKB936357$\spuninst\spuninst.exe"
Windows XP Update (KB938828) --> "C:\WINDOWS\$NtUninstallKB938828$\spuninst\spuninst.exe"
Windows XP Update (KB942763) --> "C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"
Windows XP Update (KB942840) --> "C:\WINDOWS\$NtUninstallKB942840$\spuninst\spuninst.exe"
Windows XP Update (KB946627) --> "C:\WINDOWS\$NtUninstallKB946627$\spuninst\spuninst.exe"
Windows XP Hotfix (KB914440) --> "C:\WINDOWS\$NtUninstallKB914440$\spuninst\spuninst.exe"
Windows XP Hotfix Package - KB885836 -->
Windows XP Hotfix Package - KB890859 -->
Windows XP Hotfix Package - KB891781 -->
WinRAR archiver (WinRAR 压缩文件管理器) --> C:\Program Files\WinRAR\uninstall.exe
WPS Office Personal Edition (6.3.0.1519) --> d:\Program Files\Kingsoft\WPS Office Personal\utility\uninst.exe
暴风影音 (Baofeng Storm Player) --> C:\Program Files\StormII\uninst.exe
超级旋风 (Tencent download manager) 1.8.170.201 --> C:\Program Files\Tencent\QQDownload\uninst.exe
大智慧 (DaZhiHui stock-market software) v5.6 --> c:\dzh\unins000.exe
Kaspersky Internet Security 7.0 --> MsiExec.exe /I{C774410D-3EF9-4DE7-AC01-332613163ECF}
Kaspersky Internet Security 7.0 --> MsiExec.exe /I{C774410D-3EF9-4DE7-AC01-332613163ECF}
KuGou Music 2008 (Beta) --> C:\PROGRA~1\KuGou\KUGOU2~1\UNWISE.EXE C:\PROGRA~1\KuGou\KUGOU2~1\INSTALL.LOG
连连看 (Lianliankan game) v4.1 Simplified Chinese deluxe edition --> "C:\Program Files\连连看简体中文精装版\unins000.exe"
Sogou Pinyin Input Method 3.2 release (3.2.0.0605) --> "C:\Program Files\SogouInput\Uninstall.exe"
Tencent Soso Chinese search (腾讯中文搜搜) --> Rundll32.exe C:\WINDOWS\system32\Scrax.dll,Uninstall
Thunder 5 (迅雷5) --> "d:\Program Files\Thunder Network\Thunder\unins000.exe"
One-Key GHOST (一键GHOST) v11.0 Build 070707 --> "c:\dosh\ghos\uninstall.exe" "/U:c:\dosh\ghos\uninstall.xml"
China Merchants Bank NetShield (招商银行一网通网盾) --> C:\Program Files\CMBCHINA\WebProtect\Setup.exe UNINSTALL
China Merchants Securities all-in-one edition (招商证券全能版) --> C:\WINDOWS\TdxUnInstall.exe c:\new_zszq\
中文上网2007 (CNRN "Chinese Internet Access 2007") --> C:\Program Files\CNRN\RNMain.exe C:\Program Files\CNRN\CNRN.dll,ControlPanel


-- Application Event Log -------------------------------------------------------

Event Record #/Type1627 / Error
Event Submitted/Written: 05/09/2008 00:02:07 AM
Event ID/Source: 3001 / LoadPerf
Event Description:
The performance counter name string value in the registry is incorrectly formatted.
The bogus string is 7592; the bogus index value is the first DWORD in the data section,
while the last valid index values are the second and third DWORDs in the data section.

Event Record #/Type1626 / Warning
Event Submitted/Written: 05/09/2008 00:02:06 AM
Event ID/Source: 2006 / LoadPerf
Event Description:
The performance registry LastCounter and LastHelp values are incorrect and need to be updated.
The first and second DWORDs in the data section are the original values;
the third and fourth DWORDs are the updated new values.

Event Record #/Type1621 / Error
Event Submitted/Written: 05/08/2008 09:52:54 PM
Event ID/Source: 3001 / LoadPerf
Event Description:
The performance counter name string value in the registry is incorrectly formatted.
The bogus string is 7592; the bogus index value is the first DWORD in the data section,
while the last valid index values are the second and third DWORDs in the data section.

Event Record #/Type1620 / Warning
Event Submitted/Written: 05/08/2008 09:52:54 PM
Event ID/Source: 2006 / LoadPerf
Event Description:
The performance registry LastCounter and LastHelp values are incorrect and need to be updated.
The first and second DWORDs in the data section are the original values;
the third and fourth DWORDs are the updated new values.

Event Record #/Type1615 / Error
Event Submitted/Written: 05/08/2008 03:21:51 PM
Event ID/Source: 3001 / LoadPerf
Event Description:
The performance counter name string value in the registry is incorrectly formatted.
The bogus string is 7592; the bogus index value is the first DWORD in the data section,
while the last valid index values are the second and third DWORDs in the data section.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type7205 / Warning
Event Submitted/Written: 05/08/2008 00:12:49 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connection attempts.

Event Record #/Type7204 / Warning
Event Submitted/Written: 05/08/2008 10:13:26 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connection attempts.

Event Record #/Type7201 / Warning
Event Submitted/Written: 05/08/2008 09:19:13 AM
Event ID/Source: 1007 / Dhcp
Event Description:
Your computer has automatically configured the IP address for the network card with network address 0018DE0D06BF.
The IP address being used is 169.254.153.238.

Event Record #/Type7197 / Warning
Event Submitted/Written: 05/08/2008 09:16:48 AM
Event ID/Source: 1007 / Dhcp
Event Description:
Your computer has automatically configured the IP address for the network card with network address 0018DE0D06BF.
The IP address being used is 169.254.153.238.

Event Record #/Type7195 / Warning
Event Submitted/Written: 05/08/2008 08:45:05 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connection attempts.



-- End of Deckard's System Scanner: finished at 2008-05-09 00:35:50 ------------


Thanks, lazykitty

#4 Tal (Trusted Helper, Retired Staff, 2,138 posts)
OK. Looks like we have a rootkit in here preventing the deletion of the CNRN malware, as it came back.

Step 1: ComboFix script

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Driver::
lqsgipq



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: dragging CFScript.txt onto ComboFix.exe]

Step 2: Uploading file for analysis

Please go to UploadMalware to upload a suspicious file for analysis.
  • Enter your username from this forum
  • Copy and paste the link to this thread
  • Browse for this filename: c:\windows\system32\drivers\lqsgipq.sys
  • In the comments, please mention that I asked you to upload this file
  • Click on Send File

Step 3: Correcting entries with HijackThis

Please re-open HijackThis and click Scan. Put a check next to the following entries presented in the window: (Do NOT click Fix yet!)
O4 - HKLM\..\Run: [CNRN] C:\PROGRA~1\CNRN\RNMain.exe C:\PROGRA~1\CNRN\CNRN.dll,Rundll32
O4 - HKLM\..\Run: [CNRNRNHelper.dll] C:\PROGRA~1\CNRN\RNMain.exe C:\PROGRA~1\CNRN\RNHelper.dll,Rundll32
O11 - Options group: [!CNRN] 中文上网2007


Now, close all other windows but HijackThis, including Explorer windows (folders) and this window, and click Fix. Note: It is vital you close all other windows, otherwise the fix will not succeed.

Restart your computer.

Step 4: Another CF script

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\windows\system32\drivers\lqsgipq.sys

Folder::
C:\PROGRA~1\CNRN



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: dragging CFScript.txt onto ComboFix.exe]

In your next reply, please include a new DSS log (it will only produce a main.txt log this time).

Regards,

Tal

Edited by Tal, 08 May 2008 - 11:58 AM.


#5 lazykitty (New Member, Topic Starter, 6 posts)
Hi Tal,

My Kaspersky detected malware in Combofix.exe. Can you assist to check?

Regards, lazykitty

#6 Tal (Trusted Helper, Retired Staff, 2,138 posts)
Please disable it while running ComboFix. Some anti-viruses have a tendency to mark such scanners as bad due to various reasons.

Tal

#7 lazykitty (New Member, Topic Starter, 6 posts)
Hi Tal,


I was unable to find c:\windows\system32\drivers\lqsgipq.sys for uploading. Did ComboFix delete it?

As requested, the DSS log file:

Deckard's System Scanner v20071014.68
Run by hp on 2008-05-10 10:33:58
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 0.19 GiB (less than 15%) free.


-- HijackThis (run as hp.exe) --------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:34:01, on 2008-5-10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PPStream\ppsap.exe
C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\StormII\stormliv.exe
C:\Program Files\CMBCHINA\WebProtect\WPService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Mozilla Firefox\firefox.exe
D:\软件\dss.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
D:\HIJACK~1\hp.exe

O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - D:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WebProtect.IEHlpObj - {53763D1D-9CA8-4C7C-9756-A8E6B8FC063B} - C:\Program Files\CMBCHINA\WebProtect\WebProtect.dll
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - D:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O2 - BHO: IE - {D7B21266-AA85-44b8-B516-3B1A69827400} - C:\PROGRA~1\CNRN\RNEvent.dll (file missing)
O2 - BHO: Video Speedy - {E74B0A8E-68C0-4866-8288-53EFF8ECBC28} - C:\Program Files\VideoSpeedy\VSpeed.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Adobe Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PPS Accelerator] C:\Program Files\PPStream\ppsap.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O4 - Global Startup: HP Pavilion Webcam Tray Icon.lnk = C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
O8 - Extra context menu item: 添加到反广告条 (Add to Anti-Banner) - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: 启动迅雷5 (Launch Thunder 5) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - d:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: 启动迅雷5 (Launch Thunder 5) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - d:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra button: (no name) - {110F6354-E9E3-4f8c-95DD-8487ED86C73D} - http://cn.zs.yahoo.c...c...s&btn=clean (file missing)
O9 - Extra 'Tools' menuitem: 清理 上网记录 (Clear browsing history) - {110F6354-E9E3-4f8c-95DD-8487ED86C73D} - http://cn.zs.yahoo.c...c...s&btn=clean (file missing)
O9 - Extra button: Web 反病毒统计 (Web Anti-Virus statistics) - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: 名品 折扣 (Brand-name discounts) - {30778C27-54C7-437e-946A-F04CBB8C460F} - http://adtaobao.ally...?allyesPara=816 (file missing)
O9 - Extra button: Yahoo 3.5G 电邮 (Yahoo 3.5G Mail) - {4C4A96EA-D26D-4ab1-9D7C-BEA7D3312B6F} - http://cn.zs.yahoo.c...p;btn=yahoomail (file missing)
O9 - Extra button: (no name) - {4D985980-695A-4b42-8B11-34D8D3385676} - http://cn.zs.yahoo.c...c...&btn=repair (file missing)
O9 - Extra 'Tools' menuitem: 修复 浏览器 (Repair browser) - {4D985980-695A-4b42-8B11-34D8D3385676} - http://cn.zs.yahoo.c...c...&btn=repair (file missing)
O9 - Extra button: 雅虎 WIDGET (Yahoo WIDGET) - {6C32C266-E0C3-447c-B1A1-650640D550D0} - http://cn.widget.yah....htm?source=Cns (file missing)
O9 - Extra button: 情景 聊天 (Scene chat) - {7035F492-7EAE-4213-A159-7C4E1E216C12} - http://cn.zs.yahoo.c...mp;btn=yahoomsg (file missing)
O9 - Extra button: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Program Files\PPLive\PPLive.exe
O9 - Extra 'Tools' menuitem: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Program Files\PPLive\PPLive.exe
O9 - Extra button: 雅虎 助手 (Yahoo Assistant) - {BF69897E-F9B4-4c1a-9D81-59822096081F} - http://cn.zs.yahoo.c...amp;btn=yassist (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O18 - Protocol: KuGoo - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - C:\WINDOWS\system32\KuGoo3DownXControl.ocx
O18 - Protocol: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - C:\WINDOWS\system32\KuGoo3DownXControl.ocx
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Contrl Center of Storm Media (ccosm) - 北京暴风网际科技有限公司 (Beijing Baofeng Wangji Technology Co., Ltd.) - C:\Program Files\StormII\stormliv.exe
O23 - Service: Cmb WebProtect Support (CMBWPS) - China Merchants Bank - C:\Program Files\CMBCHINA\WebProtect\WPService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6657 bytes

-- Files created between 2008-04-10 and 2008-05-10 -----------------------------

2008-05-10 10:14:58 68096 --a------ C:\WINDOWS\zip.exe
2008-05-10 10:14:58 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-10 10:14:58 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-10 10:14:58 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-10 10:14:58 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-10 10:14:58 98816 --a------ C:\WINDOWS\sed.exe
2008-05-10 10:14:58 80412 --a------ C:\WINDOWS\grep.exe
2008-05-10 10:14:58 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-07 12:12:50 0 d-------- C:\Documents and Settings\hp\Application Data\Malwarebytes
2008-05-07 12:12:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-03 22:12:32 0 d-------- C:\Program Files\Intel
2008-05-03 10:28:14 1212 --a------ C:\WINDOWS\mozver.dat
2008-05-02 18:51:08 0 d-------- C:\Program Files\Synaptics
2008-05-02 18:46:44 102400 --a------ C:\WINDOWS\HPWebcam.exe <Not Verified; ; HPWebcam>
2008-05-02 18:46:43 53248 --a------ C:\WINDOWS\csnp2uvc.dll <Not Verified; ; InstallUtil>
2008-05-02 18:46:43 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-02 18:46:43 0 d-------- C:\Program Files\Hewlett-Packard
2008-05-02 18:41:17 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2008-05-02 18:40:58 0 d-------- C:\Program Files\Common Files\InstallShield
2008-05-02 18:37:25 0 d-------- C:\WINDOWS\system32\appmgmt
2008-05-02 14:27:38 0 d-------- C:\WINDOWS\system32\zh-cn
2008-05-02 14:25:33 0 d-------- C:\WINDOWS\network diagnostic
2008-05-01 17:18:09 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-01 17:18:05 0 d-------- C:\Documents and Settings\hp\Application Data\Mozilla
2008-05-01 17:11:43 0 d-------- C:\Mozilla Firefox
2008-05-01 13:25:48 0 d-------- C:\Documents and Settings\hp\.housecall6.6
2008-04-30 17:57:48 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-04-30 17:57:46 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-04-30 17:57:46 0 d-------- C:\Documents and Settings\LocalService\Application Data\TENCENT
2008-04-30 16:35:29 20 -rah----- C:\WINDOWS\assist.dat
2008-04-30 09:06:20 0 d-------- C:\Program Files\Yahoo!
2008-04-30 09:06:19 0 d-------- C:\Program Files\连连看简体中文精装版
2008-04-28 22:51:36 0 d-------- C:\Program Files\VideoSpeedy
2008-04-28 19:12:02 0 d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-04-28 18:57:12 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-04-28 18:56:53 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-28 18:56:53 0 d-------- C:\Adobe Reader 8.0
2008-04-24 10:37:59 0 d-------- C:\Documents and Settings\hp\Application Data\Help
2008-04-16 19:54:39 0 d-------- C:\Program Files\SogouInput
2008-04-16 19:54:38 0 d-------- C:\Documents and Settings\hp\Application Data\SogouPY.users
2008-04-16 19:54:33 0 d-------- C:\Documents and Settings\hp\Application Data\SogouPY


-- Find3M Report ---------------------------------------------------------------

2008-05-10 10:25:35 207572 --a------ C:\WINDOWS\system32\prfh0804.dat
2008-05-10 10:25:35 144012 --a------ C:\WINDOWS\system32\prfc0804.dat
2008-05-09 16:55:47 0 d-------- C:\Program Files\Tencent
2008-05-09 12:26:58 18585 --a------ C:\WINDOWS\system32\cid_store.dat
2008-05-08 23:55:37 0 d-------- C:\Program Files\PPStream
2008-05-07 15:19:33 0 d-------- C:\Program Files\PPLive
2008-05-03 22:30:35 0 d-------- C:\Program Files\CONEXANT
2008-05-02 18:40:58 0 d-------- C:\Program Files\Common Files
2008-05-01 13:39:44 0 d-------- C:\Program Files\Qyule
2008-04-28 19:01:55 0 d-------- C:\Documents and Settings\hp\Application Data\Adobe
2008-04-16 00:20:22 0 d-------- C:\Documents and Settings\hp\Application Data\QQUpdate
2008-04-14 18:42:07 0 d-------- C:\Documents and Settings\hp\Application Data\QQ
2008-04-14 18:34:12 0 d-------- C:\Documents and Settings\hp\Application Data\Kingsoft
2008-03-20 11:56:09 0 d-------- C:\Documents and Settings\hp\Application Data\Tencent
2008-03-19 00:18:50 0 d-------- C:\Program Files\DopLive
2008-03-17 18:29:13 0 d-------- C:\Documents and Settings\hp\Application Data\ppstream
2008-03-17 12:17:56 0 d-------- C:\Program Files\PPS
2008-03-16 11:09:44 0 d-------- C:\Program Files\ipacc
2008-03-16 10:51:45 0 d-------- C:\Documents and Settings\hp\Application Data\PPLive
2008-03-08 20:36:45 212992 --a------ C:\WINDOWS\TdxUnInstall.exe <Not Verified; ; TdxUnInstall application>
2008-03-08 20:34:41 20 --a------ C:\WINDOWS\system32\pub_store.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53763D1D-9CA8-4C7C-9756-A8E6B8FC063B}]
2007-08-20 16:15 341904 --a------ C:\Program Files\CMBCHINA\WebProtect\WebProtect.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D7B21266-AA85-44b8-B516-3B1A69827400}]
C:\PROGRA~1\CNRN\RNEvent.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E74B0A8E-68C0-4866-8288-53EFF8ECBC28}]
2008-04-22 20:42 167936 --a------ C:\Program Files\VideoSpeedy\VSpeed.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-17 15:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-17 15:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-17 15:00]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-06-28 12:51]
"Adobe Reader Speed Launcher"="C:\Adobe Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-04-26 19:48]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 14:36]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-17 15:00]
"PPS Accelerator"="C:\Program Files\PPStream\ppsap.exe" [2008-01-17 14:48]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ctfmon.exe"=ctfmon.exe

C:\Documents and Settings\All Users\「开始」菜单\程序\启动\
HP Pavilion Webcam Tray Icon.lnk - C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe [2008-5-2 06:46:44 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{D7B21266-AA85-44b8-B516-3B1A69827400}"= C:\PROGRA~1\CNRN\RNEvent.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

*Newly Created Service* - CATCHME



-- End of Deckard's System Scanner: finished at 2008-05-10 10:34:22 ------------

Thanks, lazykitty

Edited by lazykitty, 09 May 2008 - 08:45 PM.


#8 Tal (Trusted Helper, Retired Staff, 2,138 posts)
Hi lazykitty,

My instructions seem to have been cut off. ComboFix should have generated a log file named combofix.txt in the same directory you ran it. Please include the two logs generated (since we ran it twice) in your next reply, if possible.

As for the file, yes, it's possible that it might have been deleted. Don't worry about it then :) Apart from that, the logs appear to be clean. Any particular issue you can point out?

Tal
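Added example (editorial, not code from this thread, from HijackThis, DSS or ComboFix, and not something Tal or lazykitty posted): a small Python triage script that reads the kind of lines posted above (HijackThis O2/O4/O9/O20 entries plus the ShellExecuteHooks value from the DSS registry dump) and applies, as checks, what Tal did by hand in post #4 and post #8. It ties the BHO, the two Run values and the ShellExecuteHook under C:\PROGRA~1\CNRN together as one install directory hooked from several autostart points, flags Run values whose purpose is to load a DLL from outside %SystemRoot%, and reports a CLSID that is still registered after its file is gone (the "(file missing)" BHO in the post #7 log, whose CLSID the DSS dump still lists under ShellExecuteHooks). The sample lines are a constructed excerpt copied from the logs in this thread; the PROGRA~1 = "Program Files" expansion and the C:\WINDOWS system root are assumptions taken from this host's DSS output.

```python
"""Triage HijackThis / DSS persistence entries (added example for this thread,
not code from HijackThis, DSS, ComboFix or the helpers here). SAMPLE_LOG is a
constructed excerpt copied from the logs posted above; the PROGRA~1 expansion
and the C:\\WINDOWS system root are assumptions from this host's DSS output."""
import re
from collections import defaultdict
from dataclasses import dataclass
from ntpath import dirname

SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IE - {D7B21266-AA85-44b8-B516-3B1A69827400} - C:\PROGRA~1\CNRN\RNEvent.dll (file missing)
O2 - BHO: Video Speedy - {E74B0A8E-68C0-4866-8288-53EFF8ECBC28} - C:\Program Files\VideoSpeedy\VSpeed.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [CNRN] C:\PROGRA~1\CNRN\RNMain.exe C:\PROGRA~1\CNRN\CNRN.dll,Rundll32
O4 - HKLM\..\Run: [CNRNRNHelper.dll] C:\PROGRA~1\CNRN\RNMain.exe C:\PROGRA~1\CNRN\RNHelper.dll,Rundll32
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O9 - Extra button: (no name) - {110F6354-E9E3-4f8c-95DD-8487ED86C73D} - http://cn.zs.yahoo.c...c...s&btn=clean (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{D7B21266-AA85-44b8-B516-3B1A69827400}"= C:\PROGRA~1\CNRN\RNEvent.dll [ ]
"""

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
TAIL = r"(?P<path>.*?)(?P<missing> \(file missing\))?$"   # HijackThis marks orphans this way
RX_BHO = re.compile(rf"^O2 - BHO: (?P<name>.*?) - (?P<clsid>{CLSID}) - {TAIL}")
RX_IE = re.compile(rf"^O9 - Extra (?:button|'Tools' menuitem): (?P<name>.*?) - (?P<clsid>{CLSID}) - {TAIL}")
RX_RUN = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
RX_APPINIT = re.compile(r"^O20 - AppInit_DLLs: (?P<path>.*)$")
RX_SEH = re.compile(rf'^"(?P<clsid>{CLSID})"=\s*(?P<path>\S+)')   # DSS registry-dump value line
RX_DLL = re.compile(r'[A-Za-z]:\\[^\s",]+\.dll', re.IGNORECASE)


@dataclass
class Entry:
    kind: str              # BHO, IEButton, Run, AppInit, ShellExecuteHook
    name: str
    path: str              # image/DLL path as logged (8.3 short form or URL)
    clsid: str = ""
    missing: bool = False  # HijackThis printed "(file missing)"
    dll: str = ""          # DLL a Run command hands to a loader such as rundll32


def image_path(cmd):
    """First token of a Run command: the quoted path or the first word."""
    return cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split(None, 1)[0]


def norm(path):
    """Case-fold and expand the one 8.3 alias in this log (assumption: PROGRA~1
    is C:\\Program Files on this host; other ~1 aliases stay as logged)."""
    return path.upper().replace("PROGRA~1", "PROGRAM FILES")


def parse(text):
    """HijackThis O2/O4/O9/O20 lines plus a DSS ShellExecuteHooks dump -> Entry list."""
    entries, section = [], ""
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):                       # DSS registry key header
            section = line
        elif m := RX_BHO.match(line):
            entries.append(Entry("BHO", m["name"], m["path"], m["clsid"], bool(m["missing"])))
        elif m := RX_IE.match(line):
            entries.append(Entry("IEButton", m["name"], m["path"], m["clsid"], bool(m["missing"])))
        elif m := RX_RUN.match(line):
            dll = RX_DLL.search(m["cmd"])
            entries.append(Entry("Run", m["name"], image_path(m["cmd"]), dll=dll[0] if dll else ""))
        elif m := RX_APPINIT.match(line):
            entries.append(Entry("AppInit", "AppInit_DLLs", m["path"]))
        elif "ShellExecuteHooks" in section and (m := RX_SEH.match(line)):
            entries.append(Entry("ShellExecuteHook", m["clsid"], m["path"], m["clsid"]))
    return entries


def triage(entries):
    """Return findings keyed by check name, each a list of one-line descriptions."""
    by_clsid, by_dir = defaultdict(list), defaultdict(set)
    for e in entries:
        if e.clsid:
            by_clsid[e.clsid].append(e)
        for p in (e.path, e.dll):
            if p[1:3] == ":\\":                        # local drive path, not a URL or bare exe
                by_dir[dirname(norm(p))].add(e.kind)   # directory -> autostart kinds using it
    findings = defaultdict(list)
    for e in entries:
        if e.missing:
            # CLSID still registered after its file is gone: an incomplete removal.
            # Fixing the O2 line alone leaves other keys that name the same CLSID.
            findings["orphaned"].append(f"{e.kind} {e.clsid}: {e.path}")
            for other in by_clsid[e.clsid]:
                if other is not e:
                    findings["shared_clsid"].append(
                        f"{e.clsid} also registered as {other.kind}: {other.path}")
        if e.kind == "Run" and e.dll and not norm(e.dll).startswith("C:\\WINDOWS\\"):
            # Run value whose job is to pull a DLL from outside %SystemRoot% into a process.
            findings["dll_loaders"].append(f"Run [{e.name}] loads {e.dll} via {e.path}")
    for d, kinds in sorted(by_dir.items()):
        if len(kinds) >= 2:                            # one install dir wired into 2+ mechanisms
            findings["multi_hook"].append(f"{d}: {', '.join(sorted(kinds))}")
    return dict(findings)


if __name__ == "__main__":
    for check, hits in triage(parse(SAMPLE_LOG)).items():
        print(f"== {check}\n  " + "\n  ".join(hits))
```

Run as-is, the multi_hook line is the footprint post #4 acts on (BHO, Run and ShellExecuteHook all under C:\PROGRA~1\CNRN, the folder the second CFScript removes), and orphaned plus shared_clsid is what the post #7 log still shows afterwards: HijackThis prints the BHO as "(file missing)" while the DSS dump still lists the same CLSID under ShellExecuteHooks. A HijackThis fix of the O2 line only removes the Browser Helper Objects key, so the ShellExecuteHooks value for that CLSID has to be deleted separately. The legitimate rundll32 entry (NvCpl.dll under C:\WINDOWS) is deliberately not reported; the script does not expand 8.3 aliases other than PROGRA~1, so the Kaspersky AppInit_DLLs path and its Run value are counted as different directories.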

#9 Tal (Trusted Helper, Retired Staff, 2,138 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.