
Google Redirect and Rootkit opdxalyvbobfrbuhssjkdltvdyxuwkhbhvcv.dll?


  • This topic is locked

#1
jeffliu8
New Member, 3 posts
I ran SmitfraudFix and then it said I had a backdoor called opdxalyvbobfrbuhssjkdltvdyxuwkhbhvcv.dll and opdxmlsepxbiynmqguwgtulltpqdrulqpqjn.sys.

Could someone help me remove this?

Also, when I go to Google on Firefox, sometimes it redirects me to some weird website or it just doesn't load (I can load other pages).

Not sure if this is required, but:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:20:04, on 6/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
C:\Program Files\Echovoice\Gamer Statistics\G15 Echovoice Gamer Statistics.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\WINDOWS\RTHDCPL.EXE
E:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\DAP\DAP.EXE
E:\program files\steam\steam.exe
C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe
E:\Program Files\Logitech\SetPoint II\SetpointII.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - E:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Echovoice Gamer Statistics] C:\Program Files\Echovoice\Gamer Statistics\G15 Echovoice Gamer Statistics.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [egui] "E:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKCU\..\Run: [Steam] "e:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpeedBitVideoAccelerator] C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - Global Startup: SetPointII.lnk = %SystemRoot%\Installer\{D3120436-1358-4253-9EB2-257FFE8CE1D9}\NewShortcut4_D3120436135842539EB2257FFE8CE1D9.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Download Link Using Mega Manager... - E:\Program Files\Megaupload\Mega Manager\mm_file.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\progra~1\speedb~1\sblsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\speedb~1\sblsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\speedb~1\sblsp.dll
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.giga...bject/Dldrv.ocx
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.co.../sysreqlab3.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.mess.../Medialogic.CAB
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.aka...vex-2.2.4.1.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory....ap/PhtPkMSN.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - E:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - E:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OZUEXGKCJT - Sysinternals - www.sysinternals.com - C:\DOCUME~1\winxp\LOCALS~1\Temp\OZUEXGKCJT.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: VideoAcceleratorService - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe

--
End of file - 9573 bytes
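The HijackThis log above is read by helpers one entry type at a time (O2 BHOs, O4 autoruns, O10 LSPs, O23 services). The script below is an added example, not code from this forum or from HijackThis, that encodes a few of those review heuristics: it parses lines in the same format and flags entries for a human to verify (a service binary living in a Temp directory, a long all-caps service name, a BHO whose DLL is gone, an autorun with a bare file name, an unknown LSP). The sample lines are constructed to mirror entry types seen in the posted log; the severity labels are the example's own triage categories, not verdicts.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in HijackThis log format, modelled on the entry types
# in the log posted above (a handful of lines, not a copy of the full log).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [egui] "E:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O10 - Unknown file in Winsock LSP: c:\progra~1\speedb~1\sblsp.dll
O23 - Service: OZUEXGKCJT - Sysinternals - www.sysinternals.com - C:\DOCUME~1\winxp\LOCALS~1\Temp\OZUEXGKCJT.exe
O23 - Service: ESET Service (ekrn) - ESET - E:\Program Files\ESET\ESET Smart Security\ekrn.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis entry type, e.g. "O23"
    severity: str  # "high", "medium" or "low": how urgently a human should look
    reason: str
    line: str


ENTRY = re.compile(r"^(O\d+) - (.*)$")
# Heuristic only: a long, all-caps, space-free service name is unusual for
# legitimately installed software and worth a second look.
RANDOM_NAME = re.compile(r"^[A-Z]{8,}$")


def _command_path(command: str) -> str:
    """First token of an O4 command: the quoted path, or the first word."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def triage_line(line: str) -> List[Finding]:
    """Apply review heuristics to one HijackThis line.

    Findings are prompts for a human to verify, not verdicts.
    """
    m = ENTRY.match(line.strip())
    if not m:
        return []
    section, body = m.groups()
    fields = [f.strip() for f in body.split(" - ")]
    out: List[Finding] = []

    if section == "O2" and fields[-1] == "(no file)":
        out.append(Finding(section, "low",
                           "BHO is registered but its DLL is missing (orphaned entry)", line))
    elif section == "O4":
        cmd = re.search(r"\[.*?\]\s*(.*)$", body)
        if cmd and "\\" not in _command_path(cmd.group(1)):
            out.append(Finding(section, "medium",
                               "autorun uses a bare file name; which binary runs depends on PATH lookup", line))
    elif section == "O10" and body.startswith("Unknown file in Winsock LSP"):
        out.append(Finding(section, "medium",
                           "unrecognised Winsock LSP DLL; verify the publisher", line))
    elif section == "O23":
        name = fields[0]
        if name.startswith("Service: "):
            name = name[len("Service: "):]
        path = fields[-1]
        if "\\temp\\" in path.lower():
            out.append(Finding(section, "high",
                               "service binary runs from a Temp directory", line))
        if RANDOM_NAME.match(name):
            out.append(Finding(section, "high",
                               "service name looks randomly generated", line))
    return out


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every line of a HijackThis log."""
    findings: List[Finding] = []
    for line in text.splitlines():
        findings.extend(triage_line(line))
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```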



#2
Rorschach112
Retired Staff, 47,710 posts
Hi,

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

#3
jeffliu8
Topic Starter, New Member, 3 posts
Thanks for your reply.

Here is the log.

Some of it came up in Chinese, so I have no clue what it means.


ComboFix 09-06-05.07 - winxp 6/2009 Sun 18:12.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.936.86.1033.18.3070.2181 [GMT 10:00]
执行位置: c:\documents and settings\winxp\Desktop\ComboFix.exe
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.

((((((((((((((((((((((((((((((((((((((( 被删除的档案 )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\Application Data\twain_32
c:\documents and settings\LocalService\Application Data\twain_32\user.ds
c:\documents and settings\NetworkService\Application Data\twain_32
c:\documents and settings\NetworkService\Application Data\twain_32\user.ds
c:\windows\patchw32.dll
c:\windows\pw32a.dll
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\SystemsHook.dll
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((((((((((((((((( 驱动/服务 )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_gaopdxserv.sys
-------\Service_NPF


((((((((((((((((((((((((( 2009-05-06 至 2009-06-06 的新的档案 )))))))))))))))))))))))))))))))
.

2009-06-06 06:47 . 2009-06-06 06:47 -------- d-----w- c:\documents and settings\All Users\Application Data\vsosdk
2009-06-06 06:12 . 2009-06-06 06:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Sibelius Software
2009-06-06 06:12 . 2009-06-06 06:13 -------- d-----w- c:\documents and settings\winxp\Application Data\Sibelius Software
2009-06-06 06:11 . 2009-06-06 06:11 -------- d-----w- c:\program files\Sibelius Software
2009-06-06 02:14 . 2009-06-06 02:14 -------- d-----w- c:\program files\Trend Micro
2009-06-05 23:18 . 2009-06-06 00:04 -------- d-----w- C:\Rooter$
2009-06-04 11:08 . 2009-06-04 11:08 -------- d-----w- c:\documents and settings\James\Local Settings\Application Data\Mozilla
2009-06-04 11:08 . 2009-06-04 11:08 -------- d-sh--w- c:\documents and settings\James\PrivacIE
2009-06-04 11:07 . 2009-06-04 11:28 -------- d-----w- c:\documents and settings\James\Tracing
2009-06-04 11:07 . 2009-06-04 11:07 -------- d-----w- c:\documents and settings\James\Application Data\ESET
2009-06-04 11:07 . 2009-06-04 11:07 -------- d-----w- c:\documents and settings\James\Local Settings\Application Data\LogiShrd
2009-06-04 11:06 . 2008-11-12 11:48 -------- d-----w- c:\documents and settings\James\Local Settings\Application Data\Microsoft Help
2009-06-04 11:06 . 2008-07-01 11:02 -------- d-----w- c:\documents and settings\James\Local Settings\Application Data\Apple Computer
2009-06-04 11:06 . 2008-07-01 11:02 -------- d-----w- c:\documents and settings\James\Application Data\Apple Computer
2009-06-04 11:02 . 2008-11-12 11:48 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Microsoft Help
2009-06-04 11:02 . 2008-07-01 11:02 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Apple Computer
2009-06-04 11:02 . 2008-07-01 11:02 -------- d-----w- c:\documents and settings\Guest\Application Data\Apple Computer
2009-06-04 07:24 . 2009-06-04 07:24 1878984 ----a-w- c:\documents and settings\winxp\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2009-06-03 11:29 . 2009-06-03 11:29 3371383 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-03 06:45 . 2009-06-03 06:45 -------- d-----w- c:\documents and settings\winxp\Application Data\DVDFab
2009-05-30 11:52 . 2009-05-30 11:52 -------- d-----w- c:\program files\CleanUp!
2009-05-21 11:27 . 2009-05-21 11:28 -------- d-----w- c:\program files\Password Protect

.
(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-06 06:13 . 2009-03-28 06:09 97200 ----a-w- c:\documents and settings\winxp\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-06 06:12 . 2009-06-06 06:12 604 ---ha-w- c:\program files\STLL Notifier
2009-06-06 06:12 . 2008-11-11 07:28 -------- d-----w- c:\documents and settings\winxp\Application Data\uTorrent
2009-06-04 11:07 . 2009-06-04 11:07 83088 ----a-w- c:\documents and settings\James\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-04 11:03 . 2009-06-04 11:03 -------- d-----w- c:\documents and settings\Guest\Application Data\ESET
2009-06-04 11:03 . 2009-06-04 11:03 83088 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-03 06:38 . 2008-06-10 10:31 -------- d-----w- c:\documents and settings\winxp\Application Data\U3
2009-05-26 03:20 . 2009-03-27 06:47 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 03:19 . 2009-03-27 06:47 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-16 22:18 . 2008-08-16 23:16 24944 ----a-w- c:\windows\system32\drivers\GVTDrv.sys
2009-05-16 10:36 . 2009-03-27 07:53 207504 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-05-14 10:12 . 2008-06-08 03:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-11 08:24 . 2008-07-23 06:20 139280 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-05-11 08:24 . 2008-07-23 06:20 202000 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-05-09 23:55 . 2008-08-12 11:15 -------- d-----w- c:\documents and settings\winxp\Application Data\LimeWire
2009-04-30 10:15 . 2009-04-30 10:15 -------- d-----w- c:\program files\GoldWave
2009-04-30 10:05 . 2009-04-30 10:05 36104 ----a-w- c:\windows\system32\SpoonUninstall-dBpowerAMP Music Converter.dat
2009-04-30 10:05 . 2008-08-15 05:36 131072 ----a-w- c:\windows\system32\SpoonUninstall.exe
2009-04-24 05:06 . 2008-06-14 05:09 -------- d-----w- c:\program files\Windows Live Safety Center
2009-04-24 04:39 . 2009-04-24 04:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-04-24 04:37 . 2008-08-22 05:53 -------- d-----w- c:\program files\SystemRequirementsLab
2009-04-24 04:37 . 2009-04-24 04:37 255488 ----a-w- c:\documents and settings\winxp\Application Data\SystemRequirementsLab\SRLProxy_srl_4_0_0_4_d.dll
2009-04-24 04:37 . 2009-04-24 04:37 255488 ----a-w- c:\documents and settings\winxp\Application Data\SystemRequirementsLab\SRLProxy_srl_4_0_0_4_c.dll
2009-04-24 04:37 . 2009-04-24 04:37 255488 ----a-w- c:\documents and settings\winxp\Application Data\SystemRequirementsLab\SRLProxy_srl_4_0_0_4_b.dll
2009-04-24 04:37 . 2009-04-24 04:37 255488 ----a-w- c:\documents and settings\winxp\Application Data\SystemRequirementsLab\SRLProxy_srl_4_0_0_4_a.dll
2009-04-24 04:37 . 2008-11-12 08:07 -------- d-----w- c:\documents and settings\winxp\Application Data\SystemRequirementsLab
2009-04-23 01:49 . 2008-06-08 03:10 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-04-21 11:49 . 2009-04-21 03:09 -------- d-----w- c:\program files\Hotspot Shield
2009-04-21 00:03 . 2009-03-12 07:23 -------- d-----w- c:\program files\SpeedBit Video Accelerator
2009-04-21 00:03 . 2008-09-28 06:03 -------- d-----w- c:\program files\DAP
2009-04-21 00:03 . 2008-10-14 05:00 -------- d-----w- c:\program files\iTunes
2009-04-19 07:00 . 2008-07-06 11:24 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-04-18 06:58 . 2009-03-14 09:39 -------- d-----w- c:\program files\Microsoft
2009-04-18 06:58 . 2008-06-10 02:04 -------- d-----w- c:\program files\Windows Live
2009-04-16 11:57 . 2008-09-26 07:37 -------- d-----w- c:\documents and settings\winxp\Application Data\Xfire
2009-04-16 03:38 . 2009-04-16 03:38 -------- d-----w- c:\program files\TVAnts
2009-04-15 23:04 . 2009-04-15 23:04 -------- d-----w- c:\program files\World of Warcraft
2009-04-12 05:22 . 2009-04-12 05:22 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-12 05:22 . 2009-04-12 05:22 -------- d-----w- c:\program files\iPod
2009-04-12 05:22 . 2008-06-10 12:09 -------- d-----w- c:\program files\Common Files\Apple
2009-04-12 05:18 . 2009-04-12 05:18 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-04-03 18:18 . 2009-04-21 03:09 33256 ----a-w- c:\windows\system32\drivers\hssdrv.sys
2009-04-03 09:32 . 2008-08-23 03:23 335872 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMResource.dll
2009-03-29 00:06 . 2009-03-29 00:06 5510306 ----a-w- c:\documents and settings\winxp\Application Data\Uniblue\DriverScanner\Download\pci_ven_10ec_dev_8169_subsys_816910ec6_213_1110_2008.exe
2009-03-29 00:05 . 2009-03-29 00:05 2873880 ----a-w- c:\documents and settings\winxp\Application Data\Uniblue\DriverScanner\Download\pci_ven_8086_dev_29309_0_0_1009.exe
2009-03-29 00:05 . 2009-03-29 00:05 2824728 ----a-w- c:\documents and settings\winxp\Application Data\Uniblue\DriverScanner\Download\pci_ven_8086_dev_29218_6_1_1001.exe
2009-03-28 07:14 . 2008-06-08 03:06 15600 -c--a-w- c:\windows\gdrv.sys
2009-03-26 03:11 . 2009-03-26 03:11 2082104 ----a-w- c:\documents and settings\winxp\Application Data\Mozilla\Firefox\Profiles\qu1t21p8.default\extensions\[email protected]\plugins\npTVUAx.dll
2009-03-25 09:39 . 2009-03-25 09:39 -------- d-----w- c:\windows\Fonts\Fonts
2009-03-25 09:38 . 2009-03-25 09:38 118520 ------w- c:\windows\system32\pxinsi64.exe
2009-03-25 09:38 . 2009-03-25 09:38 116472 ------w- c:\windows\system32\pxcpyi64.exe
2009-03-19 06:32 . 2009-03-19 06:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-19 06:32 . 2008-09-27 06:21 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-19 06:22 . 2009-03-19 06:22 65536 ----a-r- c:\documents and settings\winxp\Application Data\Microsoft\Installer\{627EAB2D-F5AE-4815-AD8E-79129D7959E7}\MSFileRescue.exe_627EAB2DF5AE4815AD8E79129D7959E7.exe
2009-03-19 06:22 . 2009-03-19 06:22 65536 ----a-r- c:\documents and settings\winxp\Application Data\Microsoft\Installer\{627EAB2D-F5AE-4815-AD8E-79129D7959E7}\ARPPRODUCTICON.exe
2009-03-19 06:22 . 2009-03-19 06:22 4846 ----a-r- c:\documents and settings\winxp\Application Data\Microsoft\Installer\{627EAB2D-F5AE-4815-AD8E-79129D7959E7}\NewShortcut1_627EAB2DF5AE4815AD8E79129D7959E7_1.exe
2009-03-19 06:22 . 2009-03-19 06:22 4846 ----a-r- c:\documents and settings\winxp\Application Data\Microsoft\Installer\{627EAB2D-F5AE-4815-AD8E-79129D7959E7}\MSFileRescue.chm17_627EAB2DF5AE4815AD8E79129D7959E7.exe
2009-03-19 06:22 . 2009-03-19 06:22 4846 ----a-r- c:\documents and settings\winxp\Application Data\Microsoft\Installer\{627EAB2D-F5AE-4815-AD8E-79129D7959E7}\MSFileRescue.chm16_627EAB2DF5AE4815AD8E79129D7959E7.exe
2009-03-19 06:22 . 2009-03-19 06:22 4846 ----a-r- c:\documents and settings\winxp\Application Data\Microsoft\Installer\{627EAB2D-F5AE-4815-AD8E-79129D7959E7}\MSFileRescue.chm15_627EAB2DF5AE4815AD8E79129D7959E7.exe
2009-03-19 06:22 . 2009-03-19 06:22 4846 ----a-r- c:\documents and settings\winxp\Application Data\Microsoft\Installer\{627EAB2D-F5AE-4815-AD8E-79129D7959E7}\MSFileRescue.chm14_627EAB2DF5AE4815AD8E79129D7959E7.exe
2009-03-19 06:22 . 2009-03-19 06:22 4846 ----a-r- c:\documents and settings\winxp\Application Data\Microsoft\Installer\{627EAB2D-F5AE-4815-AD8E-79129D7959E7}\MSFileRescue.chm13_627EAB2DF5AE4815AD8E79129D7959E7.exe
2009-03-19 06:22 . 2009-03-19 06:22 4846 ----a-r- c:\documents and settings\winxp\Application Data\Microsoft\Installer\{627EAB2D-F5AE-4815-AD8E-79129D7959E7}\MSFileRescue.chm12_627EAB2DF5AE4815AD8E79129D7959E7.exe
2009-03-19 06:22 . 2009-03-19 06:22 4846 ----a-r- c:\documents and settings\winxp\Application Data\Microsoft\Installer\{627EAB2D-F5AE-4815-AD8E-79129D7959E7}\MSFileRescue.chm11_627EAB2DF5AE4815AD8E79129D7959E7.exe
2009-03-19 06:22 . 2009-03-19 06:22 4846 ----a-r- c:\documents and settings\winxp\Application Data\Microsoft\Installer\{627EAB2D-F5AE-4815-AD8E-79129D7959E7}\MSFileRescue.chm1_627EAB2DF5AE4815AD8E79129D7959E7.exe
2009-03-19 01:45 . 2009-03-19 01:45 55768 ----a-w- c:\windows\system32\drivers\epfwtdi.sys
2009-03-19 01:45 . 2009-03-19 01:45 33096 ----a-w- c:\windows\system32\drivers\epfwndis.sys
2009-03-19 01:45 . 2009-03-19 01:45 131976 ----a-w- c:\windows\system32\drivers\epfw.sys
2009-03-19 01:44 . 2009-03-19 01:44 107256 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-03-19 01:41 . 2009-03-19 01:41 113960 ----a-w- c:\windows\system32\drivers\eamon.sys
.

------- Sigcheck -------

[-] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2004-08-04 12:00 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB941644$\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2007-10-30 17:20 360064 90CAFF4B094573449A0872A0F919B178 c:\windows\$NtUninstallKB951748_0$\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\ServicePackFiles\i386\TCPIP.SYS
[-] 2008-11-08 23:06 361600 D24EA301E2B36C4E975FD216CA85D8E7 c:\windows\system32\dllcache\TCPIP.SYS
[-] 2008-11-08 23:06 361600 D24EA301E2B36C4E975FD216CA85D8E7 c:\windows\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DownloadAccelerator"="c:\program files\DAP\DAP.EXE" [2008-10-18 4555776]
"Steam"="e:\program files\steam\steam.exe" [2009-05-19 1217784]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpeedBitVideoAccelerator"="c:\program files\SpeedBit Video Accelerator\VideoAccelerator.exe" [2009-03-12 2823784]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Echovoice Gamer Statistics"="c:\program files\Echovoice\Gamer Statistics\G15 Echovoice Gamer Statistics.exe" [2006-11-28 53248]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2007-07-17 1687824]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2007-07-18 2094352]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"egui"="e:\program files\ESET\ESET Smart Security\egui.exe" [2009-03-19 2029640]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-10-10 69632]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-12-26 18081280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
SetPointII.lnk - e:\program files\Logitech\SetPoint II\SetpointII.exe [2008-11-13 323584]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2008-11-24 10:35 210168 ----a-w- c:\program files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^winxp^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^winxp^Start Menu^Programs^Startup^Raptr.lnk]
backup=c:\windows\pss\Raptr.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Warez

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"StarWindServiceAE"=2 (0x2)
"RichVideo"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"CLTNetCnService"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"SymSnapService"=3 (0x3)
"Norton Ghost"=2 (0x2)
"LiveUpdate"=3 (0x3)
"TapiSrv"=3 (0x3)
"ServiceLayer"=3 (0x3)
"AdobeActiveFileMonitor7.0"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"e:\\Program Files\\Counter-Strike Source [NON STEAM]\\hl2.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\Program Files\\Steam\\steamapps\\jeff_liu\\condition zero\\hl.exe"=
"e:\\Program Files\\Steam\\steamapps\\jeff_liu\\counter-strike source\\hl2.exe"=
"e:\\Program Files\\Steam\\steamapps\\jeff_liu\\counter-strike\\hl.exe"=
"e:\\Program Files\\Steam\\steamapps\\jeff_liu\\condition zero deleted scenes\\hl.exe"=
"e:\\Program Files\\Steam\\steamapps\\jeff_liu\\source sdk base\\hl2.exe"=
"e:\\Program Files\\Steam\\steamapps\\jeff_liu\\garrysmod\\hl2.exe"=
"e:\\Program Files\\Steam\\steamapps\\jeff_liu\\day of defeat\\hl.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"e:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"e:\\Program Files\\Steam\\Steam.exe"=
"e:\\Program Files\\Steam\\steamapps\\jeff_liu\\source dedicated server\\srcds.exe"=
"e:\\Program Files\\Steam\\steamapps\\jeff_liu\\age of chivalry\\hl2.exe"=
"c:\\Program Files\\DAP\\DAP.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"d:\\Program Files\\Electronic Arts\\Crytek\\Crysis Wars\\Bin32\\Crysis.exe"=
"c:\\Program Files\\GameSpy\\Comrade\\Comrade.exe"=
"e:\\Program Files\\Steam\\steamapps\\jeff_liu\\insurgency\\hl2.exe"=
"e:\\Program Files\\Steam\\steamapps\\jeff_liu\\deathmatch classic\\hl.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"e:\\Program Files\\Steam\\steamapps\\jeff_liu\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"e:\\Program Files\\Steam\\steamapps\\jeff_liu\\day of defeat source\\hl2.exe"=
"e:\\Program Files\\Steam\\steamapps\\jeff_liu\\half-life 2 deathmatch\\hl2.exe"=
"e:\\Program Files\\Steam\\steamapps\\common\\hitman blood money demo\\HitmanBloodMoney.exe"=
"e:\\Program Files\\Steam\\steamapps\\common\\peggle extreme\\PeggleExtreme.exe"=
"c:\\Program Files\\SpeedBit Video Accelerator\\VideoAccelerator.exe"=
"e:\\Program Files\\Rockstar Games\\GTAIV\\GTAIV.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"e:\\Program Files\\Steam\\steamapps\\common\\tom clancy's h.a.w.x - demo\\HAWX.exe"=
"e:\\Program Files\\Ubisoft\\Demo\\Tom Clancy's H.A.W.X\\HAWX.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"d:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"d:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"e:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"41679:TCP"= 41679:TCP:72.20.34.145
"22286:TCP"= 22286:TCP:22286
"22286:UDP"= 22286:UDP:22286
"5353:TCP"= 5353:TCP:*:Disabled:Adobe CSI CS4

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [19/03/2009 11:44 AM 107256]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [12/06/2008 6:22 PM 66048]
R2 ekrn;ESET Service;e:\program files\ESET\ESET Smart Security\ekrn.exe [19/03/2009 11:44 AM 731840]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [6/03/2009 7:54 PM 10384]
R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [4/08/2004 10:00 PM 5120]
R2 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm --> c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm [?]
R3 libusb0;LibUsb-Win32 - Kernel Driver 11/20/2005, 20051120;c:\windows\system32\drivers\libusb0.sys [20/02/2009 4:54 PM 29184]
S3 CEDRIVER53;CEDRIVER53;c:\program files\Cheat Engine\dbk32.sys [15/06/2008 5:14 PM 25984]
S3 GVTDrv;GVTDrv;c:\windows\system32\drivers\GVTDrv.sys [17/08/2008 9:16 AM 24944]
S3 HssDrv;Hotspot Shield Helper Miniport;c:\windows\system32\drivers\hssdrv.sys [21/04/2009 1:09 PM 33256]
S3 MarkFun_NT;MarkFun_NT;c:\program files\Gigabyte\ET5Pro\MARKFUN.W32 [17/08/2008 9:12 AM 17912]
S3 OZUEXGKCJT;OZUEXGKCJT;c:\docume~1\winxp\LOCALS~1\Temp\OZUEXGKCJT.exe --> c:\docume~1\winxp\LOCALS~1\Temp\OZUEXGKCJT.exe [?]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\DRIVERS\wg111v2.sys --> c:\windows\system32\DRIVERS\wg111v2.sys [?]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys --> c:\windows\system32\drivers\ScreamingBAudio.sys [?]
S4 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;e:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [16/09/2008 1:02 PM 163840]
S4 SymSnapService;SymSnapService;"c:\program files\Norton Ghost\Shared\Drivers\SymSnapService.exe" --> c:\program files\Norton Ghost\Shared\Drivers\SymSnapService.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
‘计划任务’ 文件夹 里的内容

2009-06-06 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 06:04]

2009-06-06 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 06:04]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys


.
------- 而外的扫描 -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: Download Link Using Mega Manager... - e:\program files\Megaupload\Mega Manager\mm_file.htm
LSP: c:\progra~1\SPEEDB~1\sblsp.dll
FF - ProfilePath - c:\documents and settings\winxp\Application Data\Mozilla\Firefox\Profiles\qu1t21p8.default\
FF - component: c:\documents and settings\winxp\Application Data\Mozilla\Firefox\Profiles\qu1t21p8.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - component: c:\program files\DAP\DAPFireFox\components\DAPFireFox.dll
FF - component: e:\program files\Nokia\Nokia PC Suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\winxp\Application Data\Mozilla\Firefox\Profiles\qu1t21p8.default\extensions\[email protected]\plugins\npTVUAx.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-06 18:16
Windows 5.1.2600 Service Pack 3 NTFS

扫描被隐藏的进程 。。。

扫描被隐藏的启动组 。。。

扫描被隐藏的文件 。。。

扫描完成
被隐藏的档案: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MarkFun_NT]
"ImagePath"="\??\c:\program files\Gigabyte\ET5Pro\markfun.w32"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-682003330-1417001333-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)

[HKEY_USERS\S-1-5-21-682003330-1417001333-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:21,62,1f,ab,25,56,c4,8f,0c,8e,db,39,9c,ab,3a,88,fa,d7,6d,3c,dc,
76,fd,eb,4d,68,14,e1,d6,3e,3a,71,39,5f,2d,b4,5b,37,68,09,41,71,e3,06,b4,e9,\
"rkeysecu"=hex:34,ff,98,8f,58,23,be,a7,ab,97,5c,1e,92,3a,a8,e1

[HKEY_LOCAL_MACHINE\software\Ellusionist\Ellusionist TROUBL_MAKER*]
"HTML"="c:\\Program Files\\Ellusionist TROUBL_MAKER\\HTML"
"VIDEO"="c:\\Program Files\\Ellusionist TROUBL_MAKER\\HTML\\VIDEO"
"Shortcut Folder"="c:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Ellusionist Video Player"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\燨譾sf廗b4*ck_Hr]
"SlowInfoCache"=hex:28,02,00,00,00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,00,00,00,
00,00,00,00,00,ff,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
"Changed"=dword:00000000
.
--------------------- 运行进程下的动态链接库 ---------------------

- - - - - - - > 'winlogon.exe'(612)
c:\program files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll

- - - - - - - > 'explorer.exe'(3140)
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
e:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
e:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
e:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
e:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ 其他运行进程 ------------------------
.
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe
c:\windows\system32\msdtc.exe
c:\windows\system32\conime.exe
c:\progra~1\SPEEDB~1\VideoAcceleratorEngine.exe
c:\windows\system32\rundll32.exe
c:\program files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\dwwin.exe
c:\program files\Windows Live\Contacts\wlcomm.exe
.
**************************************************************************
.
完成时间: 2009-06-07 18:20 - 电脑已重新启动
ComboFix-quarantined-files.txt 2009-06-07 08:20

Pre-Run: 19,096,834,048 bytes free
Post-Run: 18,951,897,088 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-CHS.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /numproc=2

404 --- E O F --- 2009-05-14 10:12
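The services section of the ComboFix log above (the R1/S3 lines) is where the leftover service pointing into a Temp folder stands out. As an added example that is not part of this thread and not ComboFix's own code, here is a small Python triage script that parses lines in that format and flags images living under a Temp folder or missing on disk (ComboFix prints `[?]` for the latter). The flag names and the high/low ranking are this example's own assumptions; the sample lines are copied from the log above, plus one non-service line to show the parser ignores it.

```python
"""Triage the services section of a ComboFix-style log.

Added example for this thread; it is not part of the original post and not
ComboFix's own code.  Input lines look like

    R1 name;display;c:\\path\\file.sys [date time size]
    S3 name;display;c:\\path\\file.exe --> c:\\path\\file.exe [?]

where ComboFix prints "[?]" when it cannot find the image file.  The two
heuristics (image under a Temp folder, image missing) and the high/low
ranking are this example's own assumptions.
"""
import re
from dataclasses import dataclass, field

# start type (R1, S3, ...) ; service name ; display name ; everything else
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
# a path component literally named "temp" (matches LOCALS~1\Temp\ and windows\temp\)
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)
# trailing "[date time size]" or "[?]" annotation
TRAILER_RE = re.compile(r"\s*\[[^\]]*\]\s*$")


@dataclass
class ServiceEntry:
    start: str          # R1/R2/R3 running, S3/S4 stopped (ComboFix convention)
    name: str
    display: str
    path: str           # image path with quotes and trailer stripped
    file_missing: bool  # True when ComboFix printed "[?]"
    flags: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        # A service image under a Temp folder is a strong signal; a missing
        # image alone is usually a leftover from an uninstalled driver.
        return "high" if "image-in-temp-dir" in self.flags else "low"


def parse_service_line(line: str):
    """Return a ServiceEntry for a ComboFix service line, or None for other lines."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    file_missing = rest.endswith("[?]")
    # "path --> path [?]" repeats the image path; keep the first copy
    path = rest.split(" --> ")[0]
    path = TRAILER_RE.sub("", path).strip().strip('"')
    return ServiceEntry(m.group("start"), m.group("name"), m.group("display"), path, file_missing)


def triage(lines):
    """Parse every service line and return only the entries that raise a flag."""
    findings = []
    for line in lines:
        entry = parse_service_line(line)
        if entry is None:
            continue
        if TEMP_DIR_RE.search(entry.path):
            entry.flags.append("image-in-temp-dir")
        if entry.file_missing:
            entry.flags.append("image-file-missing")
        if entry.flags:
            findings.append(entry)
    return findings


# Sample input: four lines copied from the ComboFix log in this thread, plus one
# non-service line to show the parser ignores it.
LOG_LINES = [
    r"R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [19/03/2009 11:44 AM 107256]",
    r"S3 OZUEXGKCJT;OZUEXGKCJT;c:\docume~1\winxp\LOCALS~1\Temp\OZUEXGKCJT.exe --> c:\docume~1\winxp\LOCALS~1\Temp\OZUEXGKCJT.exe [?]",
    r"S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\DRIVERS\wg111v2.sys --> c:\windows\system32\DRIVERS\wg111v2.sys [?]",
    r'S4 SymSnapService;SymSnapService;"c:\program files\Norton Ghost\Shared\Drivers\SymSnapService.exe" --> c:\program files\Norton Ghost\Shared\Drivers\SymSnapService.exe [?]',
    r"uStart Page = hxxp://www.google.com/",
]

if __name__ == "__main__":
    for e in triage(LOG_LINES):
        print(f"[{e.severity}] {e.start} {e.name}: {e.path} ({', '.join(e.flags)})")
```

Run against the sample lines, only the Temp-folder entry ranks high; the two `[?]` entries for the NETGEAR driver and Norton Ghost rank low, which matches how the helper in this thread treated them (only the Temp service went into the OTM script).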

#4
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hi

Please download OTM
  • Save it to your desktop.
  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Processes
    explorer.exe
    
    :Services
    OZUEXGKCJT
    :Reg
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Warez]
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.



Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.




Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.






Go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.


#5
jeffliu8

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
========== PROCESSES ==========
Process explorer.exe killed successfully.
========== SERVICES/DRIVERS ==========

Service\Driver OZUEXGKCJT deleted successfully.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Warez\\ not found.
========== FILES ==========
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\winxp\LOCALS~1\Temp\etilqs_MbaK4DS3kzb88LiIfRAa scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\winxp\Local Settings\Temporary Internet Files\Content.IE5\AK3R9RQB\DownloadoftheDay[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\winxp\Local Settings\Temporary Internet Files\Content.IE5\6ZPYURKD\rightpane[2].aspx scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\winxp\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_f0.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\winxp\Local Settings\Application Data\Mozilla\Firefox\Profiles\qu1t21p8.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\winxp\Local Settings\Application Data\Mozilla\Firefox\Profiles\qu1t21p8.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\winxp\Local Settings\Application Data\Mozilla\Firefox\Profiles\qu1t21p8.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\winxp\Local Settings\Application Data\Mozilla\Firefox\Profiles\qu1t21p8.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\winxp\Local Settings\Application Data\Mozilla\Firefox\Profiles\qu1t21p8.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\winxp\Local Settings\Application Data\Mozilla\Firefox\Profiles\qu1t21p8.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTM by OldTimer - Version 2.1.0.0 log created on 06082009_092613

Files moved on Reboot...
C:\DOCUME~1\winxp\LOCALS~1\Temp\etilqs_MbaK4DS3kzb88LiIfRAa moved successfully.
C:\Documents and Settings\winxp\Local Settings\Temporary Internet Files\Content.IE5\AK3R9RQB\DownloadoftheDay[1].htm moved successfully.
C:\Documents and Settings\winxp\Local Settings\Temporary Internet Files\Content.IE5\6ZPYURKD\rightpane[2].aspx moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_f0.dat not found!
C:\Documents and Settings\winxp\Local Settings\Application Data\Mozilla\Firefox\Profiles\qu1t21p8.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\winxp\Local Settings\Application Data\Mozilla\Firefox\Profiles\qu1t21p8.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\winxp\Local Settings\Application Data\Mozilla\Firefox\Profiles\qu1t21p8.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\winxp\Local Settings\Application Data\Mozilla\Firefox\Profiles\qu1t21p8.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\winxp\Local Settings\Application Data\Mozilla\Firefox\Profiles\qu1t21p8.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\winxp\Local Settings\Application Data\Mozilla\Firefox\Profiles\qu1t21p8.default\XUL.mfl moved successfully.

Registry entries deleted on Reboot...

Malwarebytes' Anti-Malware 1.37
Database version: 2220
Windows 5.1.2600 Service Pack 3

8/06/2009 9:39:43 AM
mbam-log-2009-06-08 (09-39-43).txt

Scan type: Quick Scan
Objects scanned: 107393
Time elapsed: 2 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I'll attach the other thing when it finishes updating.

Edited by jeffliu8, 07 June 2009 - 09:04 PM.


#6
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
OK, cool.

#7
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.