
need help to remove virus infected computer please


  • This topic is locked

#1 brandenqi (Member, 23 posts)
My computer was infected with the "security tools" virus on 2010-11-19 around 11:14 pm. I followed some tips to remove it manually. I deleted the .exe virus file from the C: drive and cleaned up the registry with regedit. It seems I got control of the computer back again. However, the computer does not run as fast as before. There are some abnormalities, as follows:
1) a just-in-time debugger pops up and can't be stopped
2) there is periodic CPU usage even when the computer is idle. I noticed winlogon.exe running every 5 seconds. When Firefox is running it gets worse; the CPU usage goes up to 100%. Sometimes the computer freezes because of overheating.
3) I ran OTL.EXE and noticed an hlp.dat file that was created on my computer by the virus. It is in a hidden folder, but I can't remove it because it is in use by the system: C:\Documents and Settings\All Users.WINDOWS\Documents\Server
4) the computer also got a redirect virus.

The following is the log file after running OTL:

OTL logfile created on: 11/12/2010 12:56:36 PM - Run 2
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\bo\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

959.00 Mb Total Physical Memory | 764.00 Mb Available Physical Memory | 80.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 97.00% Paging File free
Paging file location(s): C:\pagefile.sys 1440 2880 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 104.62 Gb Total Space | 68.66 Gb Free Space | 65.63% Space Free | Partition Type: NTFS
Drive D: | 7.17 Gb Total Space | 3.78 Gb Free Space | 52.74% Space Free | Partition Type: NTFS

Computer Name: U-F98A522CAB534 | User Name: bo | Logged in as Administrator.
Boot Mode: SafeMode | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/12/10 22:50:03 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\bo\Desktop\OTL.exe
PRC - [2010/11/24 21:01:27 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/12/10 22:50:03 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\bo\Desktop\OTL.exe
MOD - [2010/08/23 11:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2008/04/13 19:11:31 | 000,482,304 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\pintlgnt.ime


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - [2009/12/04 12:42:46 | 000,596,064 | ---- | M] (北京暴风网际科技有限公司) [Disabled | Stopped] -- C:\Program Files\StormII\stormliv.exe -- (ccosm)
SRV - [2006/09/27 20:33:38 | 000,116,464 | ---- | M] (symantec) [On_Demand | Stopped] -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
SRV - [2006/09/27 20:33:32 | 001,813,232 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2006/09/27 20:33:22 | 000,031,472 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
SRV - [2006/09/02 16:36:33 | 002,528,960 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_1.EXE -- (LiveUpdate)
SRV - [2006/08/07 16:03:02 | 000,214,720 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
SRV - [2006/07/19 19:26:12 | 000,169,632 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2006/07/19 19:26:06 | 000,192,160 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2006/04/11 17:13:38 | 001,160,848 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\UIUSYS.SYS -- (UIUSys)
DRV - [2010/12/09 04:00:00 | 001,360,248 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20101210.002\NAVEX15.SYS -- (NAVEX15)
DRV - [2010/12/09 04:00:00 | 000,086,136 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20101210.002\NAVENG.SYS -- (NAVENG)
DRV - [2010/07/15 12:50:36 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2010/05/27 03:00:00 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2008/04/28 20:22:10 | 000,009,344 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CPQBttn.sys -- (HBtnKey)
DRV - [2008/04/13 13:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 11:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/12/31 16:19:50 | 000,461,056 | ---- | M] (PixArt Imaging Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SPC230NC.SYS -- (SPC230NC)
DRV - [2007/09/26 14:28:46 | 000,008,576 | ---- | M] (PixArt Imaging Incorporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PAEAFLT.sys -- (PAEAFLT.sys)
DRV - [2007/07/13 07:34:00 | 006,807,744 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2006/11/01 08:55:48 | 000,604,928 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2006/09/18 17:55:28 | 000,109,744 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)
DRV - [2006/09/06 14:41:20 | 000,337,592 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT)
DRV - [2006/09/06 14:41:20 | 000,054,968 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL)
DRV - [2006/08/29 14:12:28 | 000,990,592 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2006/08/29 14:11:08 | 000,208,384 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2006/08/29 14:10:56 | 000,728,576 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2006/08/07 16:02:26 | 000,195,776 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2006/08/07 16:02:22 | 000,024,768 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2006/07/27 14:44:42 | 000,581,632 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CHDAud.sys -- (HdAudAddService)
DRV - [2006/04/11 17:13:34 | 000,389,776 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2006/03/05 22:49:36 | 000,011,136 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvsmu.sys -- (nvsmu)
DRV - [2006/03/02 23:31:04 | 000,013,056 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2006/03/02 23:31:02 | 000,034,176 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2006/01/26 23:04:16 | 000,099,584 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvatabus.sys -- (nvatabus)
DRV - [2006/01/26 23:04:16 | 000,099,584 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvata.sys -- (nvata)
DRV - [2004/08/04 07:00:00 | 000,012,160 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\fsvga.sys -- (FsVga)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========


FF - HKLM\software\mozilla\Mozilla Firefox 3.0.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/12/09 22:10:30 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/12/09 22:10:23 | 000,000,000 | ---D | M]

[2010/12/09 22:10:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bo\Application Data\Mozilla\Extensions
[2010/12/10 22:41:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bo\Application Data\Mozilla\Firefox\Profiles\bjbule3r.default\extensions
[2010/12/10 19:26:36 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\bo\Application Data\Mozilla\Firefox\Profiles\bjbule3r.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/12/09 22:10:23 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/09/01 05:07:10 | 000,079,664 | ---- | M] (ShenZhen Xunlei Networking Technologies,LTD) -- C:\Program Files\Mozilla Firefox\components\ThunderComponent.dll
[2008/01/04 10:36:50 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2008/01/04 10:36:50 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2008/09/22 14:14:04 | 000,000,759 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2008/01/04 10:36:50 | 000,000,831 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2010/11/24 22:01:03 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (ѸÀ×Á÷ýÌå̽²âIEÖ§³Ö) - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDMediaDetector5.9.27.1554.dll File not found
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (ѸÀ×ÍøҳͼƬä¯ÀÀÆ÷IEÖ§³Ö) - {2D90D33C-DE76-42D0-9040-E4466DDC24AC} - C:\Program Files\Thunder Network\Thunder\Program\EmbedDetectNow.dll File not found
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (no name) - {889D2FEB-5411-4565-8998-1DD2C5261283} - No CLSID value found.
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (MSN Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\en-us\msntb.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\ShellBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (MSN Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\en-us\msntb.dll (Microsoft Corporation)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKCU..\Run: [PPS Accelerator] c:\Program Files\PPStream\PPSAP.exe (PPStream Inc)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll (Google Inc.)
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm ()
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: 查看网页全部图片 - {548BF84E-9665-47f9-B635-7380F8943E90} - C:\Program Files\Thunder Network\Thunder\Program\repairimage.htm File not found
O9 - Extra 'Tools' menuitem : 查看网页全部图片 - {548BF84E-9665-47f9-B635-7380F8943E90} - C:\Program Files\Thunder Network\Thunder\Program\repairimage.htm File not found
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1238023776281 (MUWebControl Class)
O16 - DPF: {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A} http://download.tv.s.../downloader.cab (DLoader Class)
O16 - DPF: {C728DAB8-FDF5-4CD7-89DD-879D25794C77} http://t.live.cctv.c...dateInstall.dll (KooPlayer Control)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\bo\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\bo\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/12/23 09:45:30 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/12/11 10:45:37 | 000,278,528 | ---- | C] (Real Networks, Inc) -- C:\WINDOWS\System32\pncrt.dll
[2010/12/10 22:50:03 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\bo\Desktop\OTL.exe
[2010/12/10 22:15:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\bo\Desktop\GooredFix Backups
[2010/12/10 22:14:12 | 000,071,398 | ---- | C] (jpshortstuff) -- C:\Documents and Settings\bo\Desktop\GooredFix.exe
[2010/12/09 22:10:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\bo\Application Data\Mozilla
[2010/12/08 21:48:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\bo\Application Data\ParetoLogic
[2010/12/08 21:48:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\bo\Application Data\DriverCure
[2010/12/08 21:48:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\ParetoLogic
[2010/12/08 14:48:08 | 001,344,600 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\bo\Desktop\TDSSKiller.exe
[2010/11/26 09:23:06 | 000,000,000 | --SD | C] -- C:\WINDOWS\Tasks
[2010/11/24 21:55:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\bo\My Documents\Downloads
[2010/11/20 10:23:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\bo\Application Data\Malwarebytes
[2010/11/20 09:59:27 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/11/20 09:59:26 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/11/20 09:59:26 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/11/20 09:59:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
[2010/11/20 09:57:21 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2010/11/19 23:14:31 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users.WINDOWS\Documents\Server
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/12/11 12:50:21 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/12/11 11:59:39 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/12/11 11:42:03 | 000,002,287 | ---- | M] () -- C:\WINDOWS\psnetwork.ini
[2010/12/11 11:41:39 | 000,000,096 | ---- | M] () -- C:\WINDOWS\PCDNSetting.ini
[2010/12/11 11:41:06 | 000,001,726 | ---- | M] () -- C:\WINDOWS\powerplayer.ini
[2010/12/11 11:11:22 | 1073,741,824 | ---- | M] () -- C:\ppsds.pgf
[2010/12/11 10:32:59 | 000,000,383 | ---- | M] () -- C:\WINDOWS\powerlist.ini
[2010/12/11 10:32:53 | 000,000,060 | ---- | M] () -- C:\WINDOWS\MediaList.ini
[2010/12/10 22:50:03 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\bo\Desktop\OTL.exe
[2010/12/10 22:30:32 | 001,230,779 | ---- | M] () -- C:\Documents and Settings\bo\Desktop\tdsskiller.zip
[2010/12/10 22:27:33 | 000,513,320 | ---- | M] () -- C:\Documents and Settings\bo\Desktop\erunt.zip
[2010/12/10 22:14:12 | 000,071,398 | ---- | M] (jpshortstuff) -- C:\Documents and Settings\bo\Desktop\GooredFix.exe
[2010/12/09 22:10:25 | 000,001,620 | ---- | M] () -- C:\Documents and Settings\bo\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/12/09 22:10:25 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Mozilla Firefox.lnk
[2010/12/08 14:48:08 | 001,344,600 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\bo\Desktop\TDSSKiller.exe
[2010/11/27 15:06:13 | 000,077,312 | ---- | M] () -- C:\Documents and Settings\bo\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/11/25 14:41:00 | 000,015,872 | ---- | M] () -- C:\Documents and Settings\bo\Desktop\monthly expense.xls
[2010/11/24 22:01:03 | 000,000,734 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/11/23 18:39:52 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2010/11/22 15:47:10 | 000,278,528 | ---- | M] (Real Networks, Inc) -- C:\WINDOWS\System32\pncrt.dll
[2010/11/20 09:59:29 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Malwarebytes' Anti-Malware.lnk
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/12/10 22:30:32 | 001,230,779 | ---- | C] () -- C:\Documents and Settings\bo\Desktop\tdsskiller.zip
[2010/12/10 22:27:32 | 000,513,320 | ---- | C] () -- C:\Documents and Settings\bo\Desktop\erunt.zip
[2010/12/09 22:10:25 | 000,001,620 | ---- | C] () -- C:\Documents and Settings\bo\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/12/09 22:10:25 | 000,001,602 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Mozilla Firefox.lnk
[2010/11/20 09:59:29 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/17 18:37:19 | 000,000,021 | ---- | C] () -- C:\WINDOWS\ppscodec.ini
[2010/05/05 21:18:54 | 000,000,426 | ---- | C] () -- C:\WINDOWS\{38CE8FAD-2E31-4CA8-B671-1BA7A8A54B28}_WiseFW.ini
[2010/04/19 17:41:19 | 000,000,096 | ---- | C] () -- C:\WINDOWS\PCDNSetting.ini
[2010/04/18 18:48:55 | 000,000,060 | ---- | C] () -- C:\WINDOWS\MediaList.ini
[2010/04/18 18:48:54 | 000,000,383 | ---- | C] () -- C:\WINDOWS\powerlist.ini
[2010/04/18 18:43:54 | 000,002,287 | ---- | C] () -- C:\WINDOWS\psnetwork.ini
[2010/04/18 18:43:52 | 000,001,726 | ---- | C] () -- C:\WINDOWS\powerplayer.ini
[2010/02/25 21:23:43 | 000,000,013 | ---- | C] () -- C:\WINDOWS\msgtn.ini
[2009/01/09 21:20:19 | 000,077,312 | ---- | C] () -- C:\Documents and Settings\bo\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/01/05 09:13:41 | 000,000,842 | ---- | C] () -- C:\WINDOWS\System32\SPC230NC.INI
[2009/01/01 16:20:17 | 000,000,025 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2008/12/22 14:09:57 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2008/12/22 13:59:39 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/12/19 09:24:09 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2007/07/13 08:34:00 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2007/07/13 08:34:00 | 001,474,560 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2007/07/13 08:34:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2007/07/13 08:34:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2007/07/13 08:34:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2010/12/08 22:30:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\ParetoLogic
[2010/02/14 11:50:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\PPLive
[2010/02/07 18:00:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\PPLiveVA
[2009/03/12 20:18:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Storm
[2008/12/22 14:04:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\WinZip
[2009/01/24 21:42:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bo\Application Data\CCTV
[2010/12/08 21:48:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bo\Application Data\DriverCure
[2009/01/15 22:26:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bo\Application Data\MSNInstaller
[2010/12/08 21:48:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bo\Application Data\ParetoLogic
[2009/08/09 08:54:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bo\Application Data\PPLiveVA
[2010/11/26 09:30:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bo\Application Data\PPStream
[2009/01/24 00:49:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bo\Application Data\QQ
[2009/05/25 12:34:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bo\Application Data\QQMusicUpdate
[2009/01/24 17:41:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bo\Application Data\QQUpdate
[2009/10/04 20:55:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bo\Application Data\Tencent
[2009/05/06 22:11:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bo\Application Data\TOMXPP
[2008/11/22 10:34:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\unispim6
[2008/11/14 23:44:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService.NT AUTHORITY\Application Data\unispim6

========== Purity Check ==========



========== Files - Unicode (All) ==========
[2009/01/23 23:22:10 | 000,000,684 | ---- | M] ()(C:\Documents and Settings\bo\Application Data\Microsoft\Internet Explorer\Quick Launch\?á?òò?à?oD.lnk) -- C:\Documents and Settings\bo\Application Data\Microsoft\Internet Explorer\Quick Launch\¿áÎÒÒôÀÖºÐ.lnk
[2009/01/23 23:22:10 | 000,000,684 | ---- | C] ()(C:\Documents and Settings\bo\Application Data\Microsoft\Internet Explorer\Quick Launch\?á?òò?à?oD.lnk) -- C:\Documents and Settings\bo\Application Data\Microsoft\Internet Explorer\Quick Launch\¿áÎÒÒôÀÖºÐ.lnk
[2009/01/23 23:19:52 | 000,000,672 | ---- | M] ()(C:\Documents and Settings\bo\Application Data\Microsoft\Internet Explorer\Quick Launch\PPLive í???μ?êó.lnk) -- C:\Documents and Settings\bo\Application Data\Microsoft\Internet Explorer\Quick Launch\PPLive ÍøÂçµçÊÓ.lnk
[2009/01/23 23:19:52 | 000,000,672 | ---- | C] ()(C:\Documents and Settings\bo\Application Data\Microsoft\Internet Explorer\Quick Launch\PPLive í???μ?êó.lnk) -- C:\Documents and Settings\bo\Application Data\Microsoft\Internet Explorer\Quick Launch\PPLive ÍøÂçµçÊÓ.lnk
[2009/01/17 23:47:03 | 000,000,672 | ---- | M] ()(C:\Documents and Settings\bo\Application Data\Microsoft\Internet Explorer\Quick Launch\±?·?ó°ò?.lnk) -- C:\Documents and Settings\bo\Application Data\Microsoft\Internet Explorer\Quick Launch\±©·çÓ°Òô.lnk
[2009/01/17 23:47:03 | 000,000,672 | ---- | C] ()(C:\Documents and Settings\bo\Application Data\Microsoft\Internet Explorer\Quick Launch\±?·?ó°ò?.lnk) -- C:\Documents and Settings\bo\Application Data\Microsoft\Internet Explorer\Quick Launch\±©·çÓ°Òô.lnk

< End of report >


Thanks a lot

Edited by brandenqi, 11 December 2010 - 05:18 PM.



#2 Cold Titanium (Trusted Helper, Malware Removal, 1,735 posts)
Hello brandenqi and welcome to G2G!

My name is Cold Titanium ;) , and I will be assisting you with your problem. I am still in training, so all my replies need to be checked by an expert first. Consequently, there may be a slight delay in between replies.

Please follow all of my instructions without skipping anything. Also, please refrain from experimenting around whilst I am helping you. At times some of the things I tell you to do may seem unnecessary and frustrating, but just stick to it and we'll get through :D

;) Note: Please save these instructions in a file or print them out, as the internet may not be available while we are fixing the system.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


While I go over the OTL log, I'd like you to run one other scan for me, please.




Step #1

  • Download GMER to your desktop
  • Right-Click and extract it to the desktop
  • Double-Click gmer.exe
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish. (Please be patient as it can take some time to complete)

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


After it finishes scanning
  • Click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save it to your desktop

Post ark.txt in your next reply

#3 brandenqi (Topic Starter, Member, 23 posts)
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2010-12-11 20:25:05
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\0000006e ST9120822AS rev.3.BHD
Running: gmer.exe; Driver: C:\DOCUME~1\bo\LOCALS~1\Temp\axlyrfob.sys


---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- EOF - GMER 1.0.15 ----
Thanks a lot

#4 Cold Titanium (Trusted Helper, Malware Removal, 1,735 posts)
Step #1

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O2 - BHO: (ѸÀ×Á÷ýÌå̽²âIEÖ§³Ö) - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDMediaDetector5.9.27.1554.dll File not found
    O2 - BHO: (ѸÀ×ÍøҳͼƬä¯ÀÀÆ÷IEÖ§³Ö) - {2D90D33C-DE76-42D0-9040-E4466DDC24AC} - C:\Program Files\Thunder Network\Thunder\Program\EmbedDetectNow.dll File not found
    O2 - BHO: (no name) - {889D2FEB-5411-4565-8998-1DD2C5261283} - No CLSID value found.
    
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Step #2


Download ComboFix from one of these locations:


Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.



**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\Combofix.txt in your next reply.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I'd like to see OTL.txt and ComboFix.txt in your next reply... :D
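The Step #1 fix above is built from the OTL log: the three O2 lines it lists are the ones whose target DLL is "File not found" or whose CLSID has "No CLSID value found", i.e. dead registrations left behind after files were deleted by hand. The following is an added example, written for this thread and not code from OTL, OldTimer or anyone posting here, that shows how a helper gets from a log to such a script: it parses OTL-style lines, flags the orphaned entries, correlates "Files/Folders - Created" timestamps with the infection time the poster reported (2010-11-19 around 11:14 pm), and drafts the :OTL block. The sample lines are copied from the log in this thread (one mojibake BHO name rewritten in English, two benign lines added for contrast); the rule that puts a hidden, publisher-less folder under :Files is this example's own heuristic for a helper to verify, not something OTL does.

```python
"""Added example (not code from the original thread, OTL or OldTimer): parse
OTL-style log lines, flag orphaned registrations, correlate file creations with
the reported infection time, and draft the :OTL fix block a helper would paste."""
import re
from datetime import datetime, timedelta

# Constructed sample: lines taken from the OTL log in this thread (one BHO display
# name rewritten in English) plus two benign lines for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (Thunder media detector) - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDMediaDetector5.9.27.1554.dll File not found
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {889D2FEB-5411-4565-8998-1DD2C5261283} - No CLSID value found.
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
[2010/11/20 09:59:26 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/11/19 23:14:31 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users.WINDOWS\Documents\Server
"""
LINES = SAMPLE_LOG.strip().splitlines()

# The poster reports the infection started 2010-11-19 around 11:14 pm.
REPORTED_INFECTION = datetime(2010, 11, 19, 23, 14)

ORPHAN_MARKERS = ("File not found", "No CLSID value found")
O_LINE = re.compile(r"^O\d+ - ")
# [date time | size | attrs | C/M] (optional company) -- path
FILE_LINE = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| ([\d,]+) \| ([-A-Z]{4}) \| [CM]\] "
    r"(?:\(([^)]*)\) )?-- (.+)$"
)


def orphaned_entries(lines):
    """O-section lines whose target file or CLSID no longer exists.

    Dead registrations are not malicious by themselves (KernelFaultCheck shows up
    this way on many XP logs), but they are what an OTL fix removes, and an
    autostart pointing at a deleted file is typical after a manual clean-up."""
    return [ln for ln in lines
            if O_LINE.match(ln) and ln.rstrip(".").endswith(ORPHAN_MARKERS)]


def parse_file_entry(line):
    """Parse one OTL 'Files/Folders - Created/Modified' line into a dict, or None."""
    m = FILE_LINE.match(line)
    if not m:
        return None
    ts, size, attrs, company, path = m.groups()
    return {
        "time": datetime.strptime(ts, "%Y/%m/%d %H:%M:%S"),
        "size": int(size.replace(",", "")),
        "hidden": "H" in attrs,    # attribute column, e.g. -H-D = hidden directory
        "dir": "D" in attrs,
        "company": company or "",  # empty when OTL found no version info
        "path": path,
    }


def created_near(lines, when, window=timedelta(minutes=10)):
    """File entries created within `window` of the reported infection time.

    A hidden folder with no publisher created in that window (the Server folder
    the poster describes) deserves a close look; the timestamp match alone does
    not prove it is malicious."""
    hits = []
    for ln in lines:
        e = parse_file_entry(ln)
        if e and abs(e["time"] - when) <= window:
            hits.append(e)
    return hits


def otl_fix_script(lines, when=None):
    """Draft the block a helper pastes into OTL's Custom Scans/Fixes box.

    Orphaned O-lines go under :OTL verbatim, as in Step #1 above; hidden,
    publisher-less folders created at the infection time go under :Files as
    candidates for the helper to verify before the fix is run (heuristic of this
    example, not an OTL rule)."""
    parts = [":OTL", *orphaned_entries(lines)]
    if when is not None:
        candidates = [e["path"] for e in created_near(lines, when)
                      if e["dir"] and e["hidden"] and not e["company"]]
        if candidates:
            parts += ["", ":Files", *candidates]
    parts += ["", ":Commands", "[purity]", "[emptytemp]",
              "[CREATERESTOREPOINT]", "[Reboot]"]
    return "\n".join(parts)


if __name__ == "__main__":
    print(otl_fix_script(LINES, REPORTED_INFECTION))
```

Run stand-alone it prints a draft with the two "File not found" lines and the "No CLSID value found" line under :OTL and the hidden Server folder under :Files. The poster says that folder is locked by the system, which is exactly why a helper checks such a candidate (and what holds it open) before deleting it rather than trusting the timestamp heuristic.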

#5 brandenqi (Topic Starter, Member, 23 posts)
Hello,

The following is the OTL log file after step 1. Thanks a lot.

OTL logfile created on: 12/12/2010 4:01:41 PM - Run 3
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\bo\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

959.00 Mb Total Physical Memory | 491.00 Mb Available Physical Memory | 51.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 1440 2880 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 104.62 Gb Total Space | 68.67 Gb Free Space | 65.64% Space Free | Partition Type: NTFS
Drive D: | 7.17 Gb Total Space | 3.78 Gb Free Space | 52.74% Space Free | Partition Type: NTFS

Computer Name: U-F98A522CAB534 | User Name: bo | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/12/10 22:50:03 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\bo\Desktop\OTL.exe
PRC - [2010/11/24 21:01:27 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2010/02/23 22:25:30 | 000,214,408 | ---- | M] (PPStream Inc) -- C:\Program Files\PPStream\PPSAP.exe
PRC - [2008/04/13 19:12:39 | 000,507,904 | ---- | M] () -- C:\WINDOWS\system32\winlogon.exe
PRC - [2006/09/27 20:33:32 | 001,813,232 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2006/09/27 20:33:22 | 000,031,472 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2006/07/19 19:26:12 | 000,169,632 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2006/07/19 19:26:06 | 000,192,160 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2006/04/11 17:13:38 | 001,160,848 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe


========== Modules (SafeList) ==========

MOD - [2010/12/10 22:50:03 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\bo\Desktop\OTL.exe
MOD - [2010/08/23 11:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2008/04/13 19:11:31 | 000,482,304 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\pintlgnt.ime


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - [2009/12/04 12:42:46 | 000,596,064 | ---- | M] (北京暴风网际科技有限公司) [Disabled | Stopped] -- C:\Program Files\StormII\stormliv.exe -- (ccosm)
SRV - [2006/09/27 20:33:38 | 000,116,464 | ---- | M] (symantec) [On_Demand | Stopped] -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
SRV - [2006/09/27 20:33:32 | 001,813,232 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2006/09/27 20:33:22 | 000,031,472 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
SRV - [2006/09/02 16:36:33 | 002,528,960 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_1.EXE -- (LiveUpdate)
SRV - [2006/08/07 16:03:02 | 000,214,720 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
SRV - [2006/07/19 19:26:12 | 000,169,632 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2006/07/19 19:26:06 | 000,192,160 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2006/04/11 17:13:38 | 001,160,848 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\UIUSYS.SYS -- (UIUSys)
DRV - [2010/12/09 04:00:00 | 001,360,248 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20101211.006\NAVEX15.SYS -- (NAVEX15)
DRV - [2010/12/09 04:00:00 | 000,086,136 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20101211.006\NAVENG.SYS -- (NAVENG)
DRV - [2010/07/15 12:50:36 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2010/05/27 03:00:00 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2008/04/28 20:22:10 | 000,009,344 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CPQBttn.sys -- (HBtnKey)
DRV - [2008/04/13 13:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 11:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/12/31 16:19:50 | 000,461,056 | ---- | M] (PixArt Imaging Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SPC230NC.SYS -- (SPC230NC)
DRV - [2007/09/26 14:28:46 | 000,008,576 | ---- | M] (PixArt Imaging Incorporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PAEAFLT.sys -- (PAEAFLT.sys)
DRV - [2007/07/13 07:34:00 | 006,807,744 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2006/11/01 08:55:48 | 000,604,928 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2006/09/18 17:55:28 | 000,109,744 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)
DRV - [2006/09/06 14:41:20 | 000,337,592 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT)
DRV - [2006/09/06 14:41:20 | 000,054,968 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL)
DRV - [2006/08/29 14:12:28 | 000,990,592 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2006/08/29 14:11:08 | 000,208,384 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2006/08/29 14:10:56 | 000,728,576 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2006/08/07 16:02:26 | 000,195,776 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2006/08/07 16:02:22 | 000,024,768 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2006/07/27 14:44:42 | 000,581,632 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CHDAud.sys -- (HdAudAddService)
DRV - [2006/04/11 17:13:34 | 000,389,776 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2006/03/05 22:49:36 | 000,011,136 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvsmu.sys -- (nvsmu)
DRV - [2006/03/02 23:31:04 | 000,013,056 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2006/03/02 23:31:02 | 000,034,176 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2006/01/26 23:04:16 | 000,099,584 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvatabus.sys -- (nvatabus)
DRV - [2006/01/26 23:04:16 | 000,099,584 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvata.sys -- (nvata)
DRV - [2004/08/04 07:00:00 | 000,012,160 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\fsvga.sys -- (FsVga)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========


FF - HKLM\software\mozilla\Mozilla Firefox 3.0.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/12/09 22:10:30 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/12/09 22:10:23 | 000,000,000 | ---D | M]

[2010/12/09 22:10:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bo\Application Data\Mozilla\Extensions
[2010/12/10 22:41:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bo\Application Data\Mozilla\Firefox\Profiles\bjbule3r.default\extensions
[2010/12/10 19:26:36 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\bo\Application Data\Mozilla\Firefox\Profiles\bjbule3r.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/12/09 22:10:23 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/09/01 05:07:10 | 000,079,664 | ---- | M] (ShenZhen Xunlei Networking Technologies,LTD) -- C:\Program Files\Mozilla Firefox\components\ThunderComponent.dll
[2008/01/04 10:36:50 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2008/01/04 10:36:50 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2008/09/22 14:14:04 | 000,000,759 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2008/01/04 10:36:50 | 000,000,831 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2010/11/24 22:01:03 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (ѸÀ×Á÷ýÌå̽²âIEÖ§³Ö) - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDMediaDetector5.9.27.1554.dll File not found
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O2 - BHO: (ѸÀ×ÍøҳͼƬä¯ÀÀÆ÷IEÖ§³Ö) - {2D90D33C-DE76-42D0-9040-E4466DDC24AC} - C:\Program Files\Thunder Network\Thunder\Program\EmbedDetectNow.dll File not found
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (no name) - {889D2FEB-5411-4565-8998-1DD2C5261283} - No CLSID value found.
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (MSN Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\en-us\msntb.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\ShellBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (MSN Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\en-us\msntb.dll (Microsoft Corporation)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKCU..\Run: [PPS Accelerator] c:\Program Files\PPStream\PPSAP.exe (PPStream Inc)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll (Google Inc.)
O8 - Extra context menu item: Add to QQ Emoticons - C:\Program Files\Tencent\QQ\AddEmotion.htm ()
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: View all images on the page - {548BF84E-9665-47f9-B635-7380F8943E90} - C:\Program Files\Thunder Network\Thunder\Program\repairimage.htm File not found
O9 - Extra 'Tools' menuitem : View all images on the page - {548BF84E-9665-47f9-B635-7380F8943E90} - C:\Program Files\Thunder Network\Thunder\Program\repairimage.htm File not found
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1238023776281 (MUWebControl Class)
O16 - DPF: {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A} http://download.tv.s.../downloader.cab (DLoader Class)
O16 - DPF: {C728DAB8-FDF5-4CD7-89DD-879D25794C77} http://t.live.cctv.c...dateInstall.dll (KooPlayer Control)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\bo\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\bo\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/12/23 09:45:30 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/12/12 15:59:37 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/12/11 10:45:37 | 000,278,528 | ---- | C] (Real Networks, Inc) -- C:\WINDOWS\System32\pncrt.dll
[2010/12/10 22:50:03 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\bo\Desktop\OTL.exe
[2010/12/10 22:15:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\bo\Desktop\GooredFix Backups
[2010/12/10 22:14:12 | 000,071,398 | ---- | C] (jpshortstuff) -- C:\Documents and Settings\bo\Desktop\GooredFix.exe
[2010/12/09 22:10:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\bo\Application Data\Mozilla
[2010/12/08 21:48:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\bo\Application Data\ParetoLogic
[2010/12/08 21:48:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\bo\Application Data\DriverCure
[2010/12/08 21:48:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\ParetoLogic
[2010/12/08 14:48:08 | 001,344,600 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\bo\Desktop\TDSSKiller.exe
[2010/11/26 09:23:06 | 000,000,000 | --SD | C] -- C:\WINDOWS\Tasks
[2010/11/24 21:55:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\bo\My Documents\Downloads
[2010/11/20 10:23:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\bo\Application Data\Malwarebytes
[2010/11/20 09:59:27 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/11/20 09:59:26 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/11/20 09:59:26 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/11/20 09:59:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
[2010/11/20 09:57:21 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2010/11/19 23:14:31 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users.WINDOWS\Documents\Server
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/12/12 16:02:51 | 000,002,336 | ---- | M] () -- C:\WINDOWS\psnetwork.ini
[2010/12/12 16:02:27 | 000,000,096 | ---- | M] () -- C:\WINDOWS\PCDNSetting.ini
[2010/12/12 16:00:55 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/12/12 16:00:27 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/12/12 15:58:42 | 003,988,425 | ---- | M] () -- C:\Documents and Settings\bo\Desktop\ComboFix.exe
[2010/12/11 22:18:08 | 000,001,769 | ---- | M] () -- C:\WINDOWS\powerplayer.ini
[2010/12/11 22:17:35 | 1073,741,824 | ---- | M] () -- C:\ppsds.pgf
[2010/12/11 21:08:03 | 000,000,383 | ---- | M] () -- C:\WINDOWS\powerlist.ini
[2010/12/11 21:07:59 | 000,000,060 | ---- | M] () -- C:\WINDOWS\MediaList.ini
[2010/12/11 20:19:49 | 000,288,107 | ---- | M] () -- C:\Documents and Settings\bo\Desktop\gmer.zip
[2010/12/10 22:50:03 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\bo\Desktop\OTL.exe
[2010/12/10 22:30:32 | 001,230,779 | ---- | M] () -- C:\Documents and Settings\bo\Desktop\tdsskiller.zip
[2010/12/10 22:27:33 | 000,513,320 | ---- | M] () -- C:\Documents and Settings\bo\Desktop\erunt.zip
[2010/12/10 22:14:12 | 000,071,398 | ---- | M] (jpshortstuff) -- C:\Documents and Settings\bo\Desktop\GooredFix.exe
[2010/12/09 22:10:25 | 000,001,620 | ---- | M] () -- C:\Documents and Settings\bo\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/12/09 22:10:25 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Mozilla Firefox.lnk
[2010/12/08 14:48:08 | 001,344,600 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\bo\Desktop\TDSSKiller.exe
[2010/11/27 15:06:13 | 000,077,312 | ---- | M] () -- C:\Documents and Settings\bo\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/11/25 14:41:00 | 000,015,872 | ---- | M] () -- C:\Documents and Settings\bo\Desktop\monthly expense.xls
[2010/11/24 22:01:03 | 000,000,734 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/11/23 18:39:52 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2010/11/22 15:47:10 | 000,278,528 | ---- | M] (Real Networks, Inc) -- C:\WINDOWS\System32\pncrt.dll
[2010/11/20 09:59:29 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Malwarebytes' Anti-Malware.lnk
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/12/12 15:58:35 | 003,988,425 | ---- | C] () -- C:\Documents and Settings\bo\Desktop\ComboFix.exe
[2010/12/11 20:19:49 | 000,288,107 | ---- | C] () -- C:\Documents and Settings\bo\Desktop\gmer.zip
[2010/12/10 22:30:32 | 001,230,779 | ---- | C] () -- C:\Documents and Settings\bo\Desktop\tdsskiller.zip
[2010/12/10 22:27:32 | 000,513,320 | ---- | C] () -- C:\Documents and Settings\bo\Desktop\erunt.zip
[2010/12/09 22:10:25 | 000,001,620 | ---- | C] () -- C:\Documents and Settings\bo\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/12/09 22:10:25 | 000,001,602 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Mozilla Firefox.lnk
[2010/11/20 09:59:29 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/17 18:37:19 | 000,000,021 | ---- | C] () -- C:\WINDOWS\ppscodec.ini
[2010/05/05 21:18:54 | 000,000,426 | ---- | C] () -- C:\WINDOWS\{38CE8FAD-2E31-4CA8-B671-1BA7A8A54B28}_WiseFW.ini
[2010/04/19 17:41:19 | 000,000,096 | ---- | C] () -- C:\WINDOWS\PCDNSetting.ini
[2010/04/18 18:48:55 | 000,000,060 | ---- | C] () -- C:\WINDOWS\MediaList.ini
[2010/04/18 18:48:54 | 000,000,383 | ---- | C] () -- C:\WINDOWS\powerlist.ini
[2010/04/18 18:43:54 | 000,002,336 | ---- | C] () -- C:\WINDOWS\psnetwork.ini
[2010/04/18 18:43:52 | 000,001,769 | ---- | C] () -- C:\WINDOWS\powerplayer.ini
[2010/02/25 21:23:43 | 000,000,013 | ---- | C] () -- C:\WINDOWS\msgtn.ini
[2009/01/09 21:20:19 | 000,077,312 | ---- | C] () -- C:\Documents and Settings\bo\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/01/05 09:13:41 | 000,000,842 | ---- | C] () -- C:\WINDOWS\System32\SPC230NC.INI
[2009/01/01 16:20:17 | 000,000,025 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2008/12/22 14:09:57 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2008/12/22 13:59:39 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/12/19 09:24:09 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2007/07/13 08:34:00 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2007/07/13 08:34:00 | 001,474,560 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2007/07/13 08:34:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2007/07/13 08:34:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2007/07/13 08:34:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2010/12/08 22:30:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\ParetoLogic
[2010/02/14 11:50:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\PPLive
[2010/02/07 18:00:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\PPLiveVA
[2009/03/12 20:18:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Storm
[2008/12/22 14:04:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\WinZip
[2009/01/24 21:42:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bo\Application Data\CCTV
[2010/12/08 21:48:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bo\Application Data\DriverCure
[2009/01/15 22:26:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bo\Application Data\MSNInstaller
[2010/12/08 21:48:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bo\Application Data\ParetoLogic
[2009/08/09 08:54:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bo\Application Data\PPLiveVA
[2010/11/26 09:30:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bo\Application Data\PPStream
[2009/01/24 00:49:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bo\Application Data\QQ
[2009/05/25 12:34:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bo\Application Data\QQMusicUpdate
[2009/01/24 17:41:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bo\Application Data\QQUpdate
[2009/10/04 20:55:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bo\Application Data\Tencent
[2009/05/06 22:11:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bo\Application Data\TOMXPP

========== Purity Check ==========



========== Files - Unicode (All) ==========
[2009/01/23 23:22:10 | 000,000,684 | ---- | M] ()(C:\Documents and Settings\bo\Application Data\Microsoft\Internet Explorer\Quick Launch\?á?òò?à?oD.lnk) -- C:\Documents and Settings\bo\Application Data\Microsoft\Internet Explorer\Quick Launch\¿áÎÒÒôÀÖºÐ.lnk
[2009/01/23 23:22:10 | 000,000,684 | ---- | C] ()(C:\Documents and Settings\bo\Application Data\Microsoft\Internet Explorer\Quick Launch\?á?òò?à?oD.lnk) -- C:\Documents and Settings\bo\Application Data\Microsoft\Internet Explorer\Quick Launch\¿áÎÒÒôÀÖºÐ.lnk
[2009/01/23 23:19:52 | 000,000,672 | ---- | M] ()(C:\Documents and Settings\bo\Application Data\Microsoft\Internet Explorer\Quick Launch\PPLive í???μ?êó.lnk) -- C:\Documents and Settings\bo\Application Data\Microsoft\Internet Explorer\Quick Launch\PPLive ÍøÂçµçÊÓ.lnk
[2009/01/23 23:19:52 | 000,000,672 | ---- | C] ()(C:\Documents and Settings\bo\Application Data\Microsoft\Internet Explorer\Quick Launch\PPLive í???μ?êó.lnk) -- C:\Documents and Settings\bo\Application Data\Microsoft\Internet Explorer\Quick Launch\PPLive ÍøÂçµçÊÓ.lnk
[2009/01/17 23:47:03 | 000,000,672 | ---- | M] ()(C:\Documents and Settings\bo\Application Data\Microsoft\Internet Explorer\Quick Launch\±?·?ó°ò?.lnk) -- C:\Documents and Settings\bo\Application Data\Microsoft\Internet Explorer\Quick Launch\±©·çÓ°Òô.lnk
[2009/01/17 23:47:03 | 000,000,672 | ---- | C] ()(C:\Documents and Settings\bo\Application Data\Microsoft\Internet Explorer\Quick Launch\±?·?ó°ò?.lnk) -- C:\Documents and Settings\bo\Application Data\Microsoft\Internet Explorer\Quick Launch\±©·çÓ°Òô.lnk

< End of report >

Step 2 report; sorry, it was automatically reported in Chinese.

ComboFix 10-12-11.06 - bo 12/12/2010 17:20:29.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.936.86.1033.18.959.389 [GMT -5:00]
Running from: c:\documents and settings\bo\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Deleted Files )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\StormII
c:\program files\StormII\BfOptDll.dll
c:\program files\StormII\BFThumbs.dll
c:\program files\StormII\box\BoxLog.dll
c:\program files\StormII\box\cache\readme.txt
c:\program files\StormII\box\HttpServer.dll
c:\program files\StormII\box\InstallInfo.ini
c:\program files\StormII\box\mini.swf
c:\program files\StormII\box\MovieBoxCore.dll
c:\program files\StormII\box\MovieBoxPS.dll
c:\program files\StormII\box\skin\MovieBox.zip
c:\program files\StormII\box\Stline.exe
c:\program files\StormII\box\UILib.dll
c:\program files\StormII\box\UiManager.dll
c:\program files\StormII\box\UiPlay.dll
c:\program files\StormII\box\UitvWrapper_dll.dll
c:\program files\StormII\codec\264be.dll
c:\program files\StormII\codec\264dmmx.dll
c:\program files\StormII\codec\264dsse.dll
c:\program files\StormII\codec\264dsse2.dll
c:\program files\StormII\codec\264dsse3.dll
c:\program files\StormII\codec\3ivx.dll
c:\program files\StormII\codec\3ivxDemux.ax
c:\program files\StormII\codec\3ivxDSDecoder.ax
c:\program files\StormII\codec\aasc32.dll
c:\program files\StormII\codec\ac3filter.ax
c:\program files\StormII\codec\ACDV.dll
c:\program files\StormII\codec\acelpdec.ax
c:\program files\StormII\codec\asusasv1.dll
c:\program files\StormII\codec\asusasv2.dll
c:\program files\StormII\codec\ativcr2.dll
c:\program files\StormII\codec\avcodec.dll
c:\program files\StormII\codec\avdevice.dll
c:\program files\StormII\codec\avformat.dll
c:\program files\StormII\codec\avidavicodec.dll
c:\program files\StormII\codec\AviSplitter.ax
c:\program files\StormII\codec\avutil.dll
c:\program files\StormII\codec\bass.dll
c:\program files\StormII\codec\bass_aac.dll
c:\program files\StormII\codec\bass_alac.dll
c:\program files\StormII\codec\bass_ape.dll
c:\program files\StormII\codec\bass_flac.dll
c:\program files\StormII\codec\bass_mpc.dll
c:\program files\StormII\codec\bass_tta.dll
c:\program files\StormII\codec\bass_wv.dll
c:\program files\StormII\codec\bsrsrc.ax
c:\program files\StormII\codec\BsrVideoDec.ax
c:\program files\StormII\codec\cddareader.ax
c:\program files\StormII\codec\cdxareader.ax
c:\program files\StormII\codec\ChpSrcFilter.ax
c:\program files\StormII\codec\CinemasterAudio.DLL
c:\program files\StormII\codec\CL264dec.ax
c:\program files\StormII\codec\CLNavX.ax
c:\program files\StormII\codec\CLRVIDDC.DLL
c:\program files\StormII\codec\clrviddd.dll
c:\program files\StormII\codec\CLVc1Dec.ax
c:\program files\StormII\codec\CLVsd.ax
c:\program files\StormII\codec\clvsdx.ax
c:\program files\StormII\codec\coreavc.ax
c:\program files\StormII\codec\CUVCcodc.dll
c:\program files\StormII\codec\DCBassSource.ax
c:\program files\StormII\codec\DECVW_32.DLL
c:\program files\StormII\codec\divxdec.ax
c:\program files\StormII\codec\DL_H264_DECODER.dll
c:\program files\StormII\codec\DL_H264Dec.dll
c:\program files\StormII\codec\DLH264Filter.ax
c:\program files\StormII\codec\Dm642FilterConfig.ini
c:\program files\StormII\codec\DmoDec.dll
c:\program files\StormII\codec\DSMSplitter.ax
c:\program files\StormII\codec\dtsac3source.ax
c:\program files\StormII\codec\empgdmx.ax
c:\program files\StormII\codec\ff_kernelDeint.dll
c:\program files\StormII\codec\ff_liba52.dll
c:\program files\StormII\codec\ff_libavcodec.dll
c:\program files\StormII\codec\ff_libdts.dll
c:\program files\StormII\codec\ff_libfaad2.dll
c:\program files\StormII\codec\ff_libmad.dll
c:\program files\StormII\codec\ff_libmpeg2.dll
c:\program files\StormII\codec\ff_libmplayer.dll
c:\program files\StormII\codec\ff_realaac.dll
c:\program files\StormII\codec\ff_samplerate.dll
c:\program files\StormII\codec\ff_theora.dll
c:\program files\StormII\codec\ff_TomsMoComp.dll
c:\program files\StormII\codec\ff_tremor.dll
c:\program files\StormII\codec\ff_unrar.dll
c:\program files\StormII\codec\ff_wmv9.dll
c:\program files\StormII\codec\ff_xvidcore.dll
c:\program files\StormII\codec\ffdshow.ax
c:\program files\StormII\codec\ffdshow.ax.manifest
c:\program files\StormII\codec\ffmpeg.dll
c:\program files\StormII\codec\ffsource.ax
c:\program files\StormII\codec\Flash.ocx
c:\program files\StormII\codec\FLT_ffdshow.dll
c:\program files\StormII\codec\FLVSplitter.ax
c:\program files\StormII\codec\frapsvid.dll
c:\program files\StormII\codec\G722ADEC.dll
c:\program files\StormII\codec\GeoCodec.dll
c:\program files\StormII\codec\h264dec.dll
c:\program files\StormII\codec\h264decoder.ax
c:\program files\StormII\codec\H264VDEC.dll
c:\program files\StormII\codec\HBGKDec.ax
c:\program files\StormII\codec\HBGKSrc.ax
c:\program files\StormII\codec\hi_h264dec_w.dll
c:\program files\StormII\codec\HikDataDump.ax
c:\program files\StormII\codec\HikFileSource.ax
c:\program files\StormII\codec\HikFileSplitter.ax
c:\program files\StormII\codec\HikG722Dec.ax
c:\program files\StormII\codec\HikH264Dec.ax
c:\program files\StormII\codec\HIKM4DEC.dll
c:\program files\StormII\codec\i263_32.drv
c:\program files\StormII\codec\icmw_32.dll
c:\program files\StormII\codec\iconv.dll
c:\program files\StormII\codec\ijl15.dll
c:\program files\StormII\codec\kdh4.dll
c:\program files\StormII\codec\kdm4.dll
c:\program files\StormII\codec\keys.dat
c:\program files\StormII\codec\l3codecx.ax
c:\program files\StormII\codec\LCodcCMP.dll
c:\program files\StormII\codec\lib_VoiceEngine_dll.dll
c:\program files\StormII\codec\libavcodec.dll
c:\program files\StormII\codec\lsvxdec.dll
c:\program files\StormII\codec\mfplat.dll
c:\program files\StormII\codec\mkunicode.dll
c:\program files\StormII\codec\mkx.dll
c:\program files\StormII\codec\mkzlib.dll
c:\program files\StormII\codec\mmamrdmx.ax
c:\program files\StormII\codec\Mp3Decdll.dll
c:\program files\StormII\codec\mp4.dll
c:\program files\StormII\codec\Mp4Audio.ax
c:\program files\StormII\codec\MP4Demux.ax
c:\program files\StormII\codec\MP4Splitter.ax
c:\program files\StormII\codec\Mp4Src.ax
c:\program files\StormII\codec\Mp4Video.ax
c:\program files\StormII\codec\MpaDecFilter.ax
c:\program files\StormII\codec\MpaSplitter.ax
c:\program files\StormII\codec\MPCVideoDec.ax
c:\program files\StormII\codec\Mpeg2DecFilter.ax
c:\program files\StormII\codec\mpeg2dmx.ax
c:\program files\StormII\codec\MpegSplitter.ax
c:\program files\StormII\codec\mpg2splt.ax
c:\program files\StormII\codec\mpg4dmod.dll
c:\program files\StormII\codec\mpg4ds32.ax
c:\program files\StormII\codec\msdmo.dll
c:\program files\StormII\codec\msms001.vwp
c:\program files\StormII\codec\msscds32.ax
c:\program files\StormII\codec\msvcp71.dll
c:\program files\StormII\codec\msvcr71.dll
c:\program files\StormII\codec\NDParser.ax
c:\program files\StormII\codec\nvviddec.ax
c:\program files\StormII\codec\OggSplitter.ax
c:\program files\StormII\codec\ogm.dll
c:\program files\StormII\codec\openquicktimelib.dll
c:\program files\StormII\codec\Plugins\nppl3260.dll
c:\program files\StormII\codec\Plugins\nppl3260.xpt
c:\program files\StormII\codec\Plugins\nprpjplug.dll
c:\program files\StormII\codec\Plugins\nsJSRealPlayerPlugin.xpt
c:\program files\StormII\codec\PmpSplt.ax
c:\program files\StormII\codec\pncrt.dll
c:\program files\StormII\codec\pndx5016.dll
c:\program files\StormII\codec\pndx5032.dll
c:\program files\StormII\codec\pthreadVC2.dll
c:\program files\StormII\codec\pvmjpg21.dll
c:\program files\StormII\codec\PVWV220.DLL
c:\program files\StormII\codec\qasf.dll
c:\program files\StormII\codec\Real\Codecs\14_43260.dll
c:\program files\StormII\codec\Real\Codecs\28_83260.dll
c:\program files\StormII\codec\Real\Codecs\atrc.dll
c:\program files\StormII\codec\Real\Codecs\cook.dll
c:\program files\StormII\codec\Real\Codecs\ddnt3260.dll
c:\program files\StormII\codec\Real\Codecs\dnet3260.dll
c:\program files\StormII\codec\Real\Codecs\drv1.dll
c:\program files\StormII\codec\Real\Codecs\drv2.dll
c:\program files\StormII\codec\Real\Codecs\drvc.dll
c:\program files\StormII\codec\Real\Codecs\hxltcolor.dll
c:\program files\StormII\codec\Real\Codecs\raac.dll
c:\program files\StormII\codec\Real\Codecs\ralf.dll
c:\program files\StormII\codec\Real\Codecs\rv10.dll
c:\program files\StormII\codec\Real\Codecs\rv20.dll
c:\program files\StormII\codec\Real\Codecs\rv30.dll
c:\program files\StormII\codec\Real\Codecs\rv40.dll
c:\program files\StormII\codec\Real\Codecs\sipr.dll
c:\program files\StormII\codec\Real\Common\objb3201.dll
c:\program files\StormII\codec\Real\Common\pnen3260.dll
c:\program files\StormII\codec\Real\Common\pngu3267.dll
c:\program files\StormII\codec\Real\Common\pnrs3260.dll
c:\program files\StormII\codec\Real\Common\rppr3260.dll
c:\program files\StormII\codec\Real\Common\security.dll
c:\program files\StormII\codec\Real\Plugins\audplin.dll
c:\program files\StormII\codec\Real\Plugins\authmgr.dll
c:\program files\StormII\codec\Real\Plugins\clbascauth.dll
c:\program files\StormII\codec\Real\Plugins\clntxres.dll
c:\program files\StormII\codec\Real\Plugins\ExtResources\coreres.xrs
c:\program files\StormII\codec\Real\Plugins\fpsechnd.dll
c:\program files\StormII\codec\Real\Plugins\httpfsys.dll
c:\program files\StormII\codec\Real\Plugins\hxsdp.dll
c:\program files\StormII\codec\Real\Plugins\hxxml.dll
c:\program files\StormII\codec\Real\Plugins\imgrender.dll
c:\program files\StormII\codec\Real\Plugins\memfsys.dll
c:\program files\StormII\codec\Real\Plugins\mp3fformat.dll
c:\program files\StormII\codec\Real\Plugins\mp3render.dll
c:\program files\StormII\codec\Real\Plugins\mp4arender.dll
c:\program files\StormII\codec\Real\Plugins\ntlmauth.dll
c:\program files\StormII\codec\Real\Plugins\oggfformat.dll
c:\program files\StormII\codec\Real\Plugins\pacplin.dll
c:\program files\StormII\codec\Real\Plugins\plusplin.dll
c:\program files\StormII\codec\Real\Plugins\pxcb3210.dll
c:\program files\StormII\codec\Real\Plugins\ramfformat.dll
c:\program files\StormII\codec\Real\Plugins\ramrender.dll
c:\program files\StormII\codec\Real\Plugins\rarender.dll
c:\program files\StormII\codec\Real\Plugins\rmfformat.dll
c:\program files\StormII\codec\Real\Plugins\rmxfpln.dll
c:\program files\StormII\codec\Real\Plugins\rmxrend.dll
c:\program files\StormII\codec\Real\Plugins\rn5auth.dll
c:\program files\StormII\codec\Real\Plugins\rtfformat.dll
c:\program files\StormII\codec\Real\Plugins\rtrender.dll
c:\program files\StormII\codec\Real\Plugins\rvrender.dll
c:\program files\StormII\codec\Real\Plugins\sdpplin.dll
c:\program files\StormII\codec\Real\Plugins\security.dll
c:\program files\StormII\codec\Real\Plugins\smlfformat.dll
c:\program files\StormII\codec\Real\Plugins\smlrender.dll
c:\program files\StormII\codec\Real\Plugins\smmrender.dll
c:\program files\StormII\codec\Real\Plugins\smplfsys.dll
c:\program files\StormII\codec\Real\Plugins\stubdrm.dll
c:\program files\StormII\codec\Real\Plugins\tfilesys.dll
c:\program files\StormII\codec\Real\Plugins\vidplin.dll
c:\program files\StormII\codec\Real\Plugins\vidsite.dll
c:\program files\StormII\codec\Real\Plugins\vorbisrend.dll
c:\program files\StormII\codec\Real\Plugins\vsrlocal.dll
c:\program files\StormII\codec\Real\rpplugins\cn\embed_cn.dll
c:\program files\StormII\codec\Real\rpplugins\cn\rpclsvc_cn.dll
c:\program files\StormII\codec\Real\rpplugins\embd3260.dll
c:\program files\StormII\codec\Real\rpplugins\rpcl3260.dll
c:\program files\StormII\codec\Real\rpplugins\rput3260.dll
c:\program files\StormII\codec\RenderFilter.ax
c:\program files\StormII\codec\RLMPCDec.ax
c:\program files\StormII\codec\rmoc3260.dll
c:\program files\StormII\codec\RMSplt.ax
c:\program files\StormII\codec\Sc726dec.ax
c:\program files\StormII\codec\scsource.ax
c:\program files\StormII\codec\skinsres.dll
c:\program files\StormII\codec\SonicLicenseManager9.dll
c:\program files\StormII\codec\SoundOut_H264.dll
c:\program files\StormII\codec\splitter.ax
c:\program files\StormII\codec\swscale.dll
c:\program files\StormII\codec\TomsMoComp_ff.dll
c:\program files\StormII\codec\ts.dll
c:\program files\StormII\codec\tsccvid.dll
c:\program files\StormII\codec\TTL2Dec.dll
c:\program files\StormII\codec\vc1dc.dll
c:\program files\StormII\codec\vc1dmmx.dll
c:\program files\StormII\codec\vc1dsse.dll
c:\program files\StormII\codec\vc1dsse2.dll
c:\program files\StormII\codec\vc1wp.ax
c:\program files\StormII\codec\VDODEC32.dll
c:\program files\StormII\codec\vdowave.drv
c:\program files\StormII\codec\Vid1Dec.dll
c:\program files\StormII\codec\vmnc.dll
c:\program files\StormII\codec\voxmsdec.ax
c:\program files\StormII\codec\vp6vfw.dll
c:\program files\StormII\codec\vp7vfw.dll
c:\program files\StormII\codec\vssver2.scc
c:\program files\StormII\codec\WMADMOD.dll
c:\program files\StormII\codec\wmpasf.dll
c:\program files\StormII\codec\WMVDECOD.dll
c:\program files\StormII\codec\wmvdmod.dll
c:\program files\StormII\codec\xvid.ax
c:\program files\StormII\codec\xvidcore.dll
c:\program files\StormII\codec\yv12vfw.dll
c:\program files\StormII\corelog.dll
c:\program files\StormII\current.ecs
c:\program files\StormII\GdiPlus.dll
c:\program files\StormII\getimg.exe
c:\program files\StormII\GifParser.dll
c:\program files\StormII\jscript.dll
c:\program files\StormII\keys.dat
c:\program files\StormII\media\def\def.flv
c:\program files\StormII\media\def\def.ini
c:\program files\StormII\media\def\vssver2.scc
c:\program files\StormII\media\empty.swf
c:\program files\StormII\media\media4in1.swf
c:\program files\StormII\media\mediabp.swf
c:\program files\StormII\media\others.xml
c:\program files\StormII\media\others.xml.ini
c:\program files\StormII\media\stcon.ini
c:\program files\StormII\media\toff.ini
c:\program files\StormII\media\video_material_list.xml
c:\program files\StormII\media\video_material_list.xml.ini
c:\program files\StormII\media\video_style_list.xml
c:\program files\StormII\media\video_style_list.xml.ini
c:\program files\StormII\Media2.dll
c:\program files\StormII\mediainfo.dll
c:\program files\StormII\medialib.dll
c:\program files\StormII\mee.db
c:\program files\StormII\meedb.dll
c:\program files\StormII\mps.dll
c:\program files\StormII\msscript.ocx
c:\program files\StormII\msvcp60.dll
c:\program files\StormII\playlist.smpl
c:\program files\StormII\risconn.ini
c:\program files\StormII\rndrmgr.dll
c:\program files\StormII\Skin\暴风1经典.zip
c:\program files\StormII\Skin\暴风2经典.zip
c:\program files\StormII\spfa.dll
c:\program files\StormII\splayers.dll
c:\program files\StormII\stMgr.exe
c:\program files\StormII\StMgrExcept.log
c:\program files\StormII\storm.exe
c:\program files\StormII\StormDebug.exe
c:\program files\StormII\StormExcept.log
c:\program files\StormII\stormliv.exe
c:\program files\StormII\stormply.exe
c:\program files\StormII\stormpop.exe
c:\program files\StormII\StormRes.dll
c:\program files\StormII\subdecoder.dll
c:\program files\StormII\swDirScaner.dll
c:\program files\StormII\swf\ku6.swf
c:\program files\StormII\swf\tudou.swf
c:\program files\StormII\Tips.dll
c:\program files\StormII\uninst.exe
c:\program files\StormII\unrar.dll
c:\program files\StormII\video.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ccosm
-------\Legacy_ccosm
-------\Service_ccosm
-------\Service_ccosm


((((((((((((((((((((((((( Files Created from 2010-11-12 to 2010-12-12 )))))))))))))))))))))))))))))))
.

2010-12-12 20:59 . 2010-12-12 20:59 -------- d-----w- C:\_OTL
2010-12-09 02:48 . 2010-12-09 02:48 -------- d-----w- c:\documents and settings\bo\Application Data\ParetoLogic
2010-12-09 02:48 . 2010-12-09 02:48 -------- d-----w- c:\documents and settings\bo\Application Data\DriverCure
2010-12-09 02:48 . 2010-12-09 03:30 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\ParetoLogic
2010-12-09 02:28 . 2010-12-09 02:28 -------- d-s---w- c:\documents and settings\NetworkService.NT AUTHORITY.000\UserData
2010-12-09 02:21 . 2010-12-09 02:21 4706 ----a-w- c:\windows\system32\PerfStringBackup.TMP

.
(((((((((((((((((((((((((((((((((((((((( Files Modified in the Last Three Months (Find3M Report) ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-25 02:01 . 2004-08-04 12:00 1033728 ----a-w- c:\windows\explorer.exe
2010-09-18 16:23 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-04 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-04 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-01 10:07 . 2010-09-11 17:13 79664 ----a-w- c:\program files\mozilla firefox\components\ThunderComponent.dll
.

------- Sigcheck -------

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 4AFB3B0919649F95C1964AA1FAD27D73 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2004-08-04 . 6A2D53177C1EAC531308708E65782304 . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB951748_0$\tcpip.sys

[7] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-04-14 00:12 . !HASH: COULD NOT OPEN FILE !!!!! . 507904 . . [------] . . c:\windows\system32\winlogon.exe
[7] 2004-08-04 . 01C3346C241652F43AED8E2149881BFE . 502272 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\winlogon.exe

[-] 2010-11-25 . C514310AE5952F8CBA4DE195AC5E3154 . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtServicePackUninstall$\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PPS Accelerator"="c:\program files\PPStream\ppsap.exe" [2010-02-24 214408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-07-13 81920]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-07-13 8466432]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^PPTV.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\PPTV.lnk
backup=c:\windows\pss\PPTV.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^TrayMin230.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\TrayMin230.lnk
backup=c:\windows\pss\TrayMin230.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^bo^Start Menu^Programs^Startup^PPS.lnk]
path=c:\documents and settings\bo\Start Menu\Programs\Startup\PPS.lnk
backup=c:\windows\pss\PPS.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^bo^Start Menu^Programs^Startup^腾讯QQ.lnk]
path=c:\documents and settings\bo\Start Menu\Programs\Startup\腾讯QQ.lnk
backup=c:\windows\pss\腾讯QQ.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2010-11-22 18:30 483328 ----a-w- c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2006-07-20 00:26 52896 ----a-w- c:\program files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2006-07-27 19:44 61952 ----a-w- c:\windows\system32\CHDAudPropShortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 21:44 3883856 ------w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2007-07-13 13:34 8466432 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2007-07-13 13:34 1626112 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPS Accelerator]
2010-02-24 03:25 214408 ------w- c:\program files\PPStream\PPSAP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SPC230NC_Monitor]
2007-12-10 20:55 323584 ----a-w- c:\windows\Philips\SPC230NC\Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SPC_Monitor]
2007-12-10 20:55 323584 ----a-w- c:\windows\Philips\SPC230NC\Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2010-04-18 23:50 39408 ------w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
2006-09-28 01:33 125168 ----a-w- c:\progra~1\SYMANT~1\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ccosm"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Tencent\\QQ\\QQ.exe"=
"c:\\Program Files\\Tencent\\QQ\\Qzone\\Qzone.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Tencent\\QQ\\QQUpdateCenter.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Tencent\\QQMusic\\QzoneMusic.exe"=
"c:\\Program Files\\PPStream\\PPStream.exe"=
"c:\\Program Files\\PPStream\\PPSAP.exe"=
"c:\\Program Files\\TTKN\\CAJViewer 7.0\\PDL.exe"=
"c:\\Program Files\\TTKN\\CAJViewer 7.0\\CAJViewer.exe"=
"d:\\Program Files\\qqqtv网络电视\\QQQTV网络电视.exe"=

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-04-18 135664]
R3 PAEAFLT.sys;USB Composite Device;c:\windows\system32\DRIVERS\PAEAFLT.sys [2007-09-26 8576]
R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-09-28 116464]
R3 SPC230NC;Philips SPC230NC Webcam;c:\windows\system32\DRIVERS\SPC230NC.SYS [2007-12-31 461056]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-27 102448]

.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: 使用迅雷查看图片 (View image with Thunder) - c:\program files\Thunder Network\Thunder\Program\repairimage.htm
IE: 添加到QQ表情 (Add to QQ emoticons) - c:\program files\Tencent\QQ\AddEmotion.htm
IE: {{548BF84E-9665-47f9-B635-7380F8943E90} - c:\program files\Thunder Network\Thunder\Program\repairimage.htm
DPF: {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A} - hxxp://download.tv.sina.com.cn/downloader.cab
FF - ProfilePath - c:\documents and settings\bo\Application Data\Mozilla\Firefox\Profiles\bjbule3r.default\
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Windows Media Player\np-mswmp.dll
FF - HiddenExt: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\documents and settings\bo\Application Data\Mozilla\Firefox\Profiles\bjbule3r.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
.
------- File Associations -------
.
txtfile=c:\windows\notepad.exe %1
.
- - - - ORPHANS REMOVED - - - -

BHO-{2D90D33C-DE76-42D0-9040-E4466DDC24AC} - c:\program files\Thunder Network\Thunder\Program\EmbedDetectNow.dll
MSConfigStartUp-eMuleAutoStart - c:\program files\easyMule\eMule.exe
MSConfigStartUp-PPAP - c:\program files\Common Files\PPLiveNetwork\PPAP.exe
MSConfigStartUp-PPLive - c:\program files\PPLive\PPLive.exe
MSConfigStartUp-PPLiveVA - c:\program files\PPLiveVA\PPLiveVA.exe
AddRemove-storm2 - c:\program files\StormII\uninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-12 17:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1606980848-682003330-725345543-1003\Software\Microsoft\Internet Explorer\MenuExt\鹠燫0RQ*Q*h埮`]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@="c:\\Program Files\\Tencent\\QQ\\AddEmotion.htm"
"contexts"=dword:00000002
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\windows\system32\conime.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\RUNDLL32.EXE
.
**************************************************************************
.
Completion time: 2010-12-12 17:34:13 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-12 22:33

Pre-Run: 73,658,339,328 bytes free
Post-Run: 78,298,562,560 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-CHS.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 5034E02F7C042F6AB56C4DAC6810EBA4

Edited by brandenqi, 12 December 2010 - 04:39 PM.

  • 0

#6
Cold Titanium

Cold Titanium

    Trusted Helper

  • Malware Removal
  • 1,735 posts
Sorry for the delay...


Step #1


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

FCopy::
c:\windows\ServicePackFiles\i386\winlogon.exe | c:\windows\system32\winlogon.exe
c:\windows\ServicePackFiles\i386\explorer.exe | c:\windows\explorer.exe


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Step #2


Please download Malwarebytes' Anti-Malware

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


I'd like to see OTL.txt and the MBAM log in your next reply ... :D Also, are you still having redirects?
  • 0
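One way to triage a Sigcheck section like the one in the log above, and to re-check a file after the FCopy restore described in the step just given, as an added example written for this thread; it is not part of the original posts and not ComboFix's own logic. It parses the Sigcheck rows copied from the log (constructed sample input), treats the rows ComboFix marked `[-]` as candidates, and reports those that could not be hashed at all (as `c:\windows\system32\winlogon.exe` was) or whose MD5 matches none of the `[7]` copies of the same file and version. The meaning of the `[7]` and `[-]` markers is assumed from how they appear in the log, not taken from ComboFix documentation, and `parse_sigcheck`, `find_suspects`, `md5_hex` and `md5_of_file` are names chosen here. One caveat is visible in the log itself: the SP3QFE and SP3GDR copies of tcpip.sys carry the same version number but different hashes, so a mismatch is a lead to investigate, not proof of tampering.

```python
"""Triage ComboFix 'Sigcheck' output: which live system files disagree with
the verified reference copies Windows keeps (dllcache, ServicePackFiles, ...)?

Example code written for this thread, not ComboFix's own logic."""
import hashlib
import re
from collections import defaultdict

# Sigcheck rows copied from the ComboFix log posted above (constructed sample
# input for this example). Field layout, as it appears in the log:
#   [flag] date[ time] . MD5 . size . . [version] . . path
SIGCHECK_LINES = r"""
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 4AFB3B0919649F95C1964AA1FAD27D73 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[-] 2004-08-04 . 6A2D53177C1EAC531308708E65782304 . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB951748_0$\tcpip.sys
[7] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-04-14 00:12 . !HASH: COULD NOT OPEN FILE !!!!! . 507904 . . [------] . . c:\windows\system32\winlogon.exe
[-] 2010-11-25 . C514310AE5952F8CBA4DE195AC5E3154 . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
"""

# The MD5 field is non-greedy so that the "!HASH: COULD NOT OPEN FILE !!!!!"
# marker (spaces and all) is captured as one field; the optional time after
# the date covers rows such as "2008-04-14 00:12".
LINE_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\]\s+(?P<date>\S+(?:\s+\d\d:\d\d)?)\s+\.\s+"
    r"(?P<md5>.+?)\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+\[(?P<ver>[^\]]*)\]\s+\.\s+\.\s+"
    r"(?P<path>\S.*?)\s*$"
)


def parse_sigcheck(text):
    """Parse Sigcheck rows into dicts; an unreadable hash becomes md5=None."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank line or something that is not a Sigcheck row
        e = m.groupdict()
        e["md5"] = None if e["md5"].startswith("!HASH") else e["md5"].upper()
        e["size"] = int(e["size"])
        e["name"] = e["path"].rsplit("\\", 1)[-1].lower()
        entries.append(e)
    return entries


def find_suspects(entries):
    """Map path -> reason for every '[-]' row that ComboFix could not hash,
    or whose MD5 matches none of the '[7]' copies of the same file+version.
    Rows with no verified peer of the same version are left alone: there is
    nothing to compare them against."""
    verified = defaultdict(set)  # (name, version) -> {MD5s of '[7]' copies}
    for e in entries:
        if e["flag"] == "7" and e["md5"]:
            verified[(e["name"], e["ver"])].add(e["md5"])

    suspects = {}
    for e in entries:
        if e["flag"] != "-":
            continue
        if e["md5"] is None:
            suspects[e["path"]] = "could not be hashed (locked or hidden file)"
            continue
        peers = verified.get((e["name"], e["ver"]), set())
        if peers and e["md5"] not in peers:
            suspects[e["path"]] = (
                f"MD5 {e['md5']} matches none of {len(peers)} verified "
                f"copy/copies of {e['name']} {e['ver']}"
            )
    return suspects


def md5_hex(data):
    """Upper-case hex MD5 of a byte string, the form ComboFix prints."""
    return hashlib.md5(data).hexdigest().upper()


def md5_of_file(path, chunk=1 << 20):
    """Hash a file on disk in chunks, e.g. to re-check a copy restored by FCopy."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()


if __name__ == "__main__":
    for path, why in find_suspects(parse_sigcheck(SIGCHECK_LINES)).items():
        print(f"{path}: {why}")
```

Run as-is, it reports three paths from the log: the locked winlogon.exe, explorer.exe (whose hash differs from the ServicePackFiles copy of the same version), and the live tcpip.sys. After the FCopy step, `md5_of_file(r"c:\windows\system32\winlogon.exe")` on that machine should return the hash the log shows for the ServicePackFiles copy; a different value means the restore did not take or the file was changed again.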

#7
brandenqi

brandenqi

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Hello,
Why can't I find the icon of my anti-virus software? In my case it is Symantec. I cannot disable it.

Th
  • 0

#8
Cold Titanium

Cold Titanium

    Trusted Helper

  • Malware Removal
  • 1,735 posts
You can just continue on.
  • 0

#9
brandenqi

brandenqi

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
The following is the combofix log:

ComboFix 10-12-14.01 - bo 14/12/2010 20:51:34.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.936.86.1033.18.959.666 [GMT -5:00]
Running from: c:\documents and settings\bo\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\bo\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( deleted files )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\winlogon.exe was found and removed
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

Infected copy of c:\windows\explorer.exe was found and removed
Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\winlogon.exe --> c:\windows\system32\winlogon.exe
c:\windows\ServicePackFiles\i386\explorer.exe --> c:\windows\explorer.exe
.
((((((((((((((((((((((((( Files Created from 2010-11-15 to 2010-12-15 )))))))))))))))))))))))))))))))
.

2010-12-15 01:51 . 2010-12-15 01:51 -------- d-----w- c:\windows\LastGood.Tmp
2010-12-12 20:59 . 2010-12-12 20:59 -------- d-----w- C:\_OTL
2010-12-09 02:48 . 2010-12-09 02:48 -------- d-----w- c:\documents and settings\bo\Application Data\ParetoLogic
2010-12-09 02:48 . 2010-12-09 02:48 -------- d-----w- c:\documents and settings\bo\Application Data\DriverCure
2010-12-09 02:48 . 2010-12-09 03:30 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\ParetoLogic
2010-12-09 02:28 . 2010-12-09 02:28 -------- d-s---w- c:\documents and settings\NetworkService.NT AUTHORITY.000\UserData
2010-12-09 02:21 . 2010-12-09 02:21 4706 ----a-w- c:\windows\system32\PerfStringBackup.TMP

.
(((((((((((((((((((((((((((((((((((((((( Files Modified in the Last Three Months (Find3M Report) ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 16:23 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-04 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-04 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-01 10:07 . 2010-09-11 17:13 79664 ----a-w- c:\program files\mozilla firefox\components\ThunderComponent.dll
.

------- Sigcheck -------

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 4AFB3B0919649F95C1964AA1FAD27D73 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2004-08-04 . 6A2D53177C1EAC531308708E65782304 . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB951748_0$\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PPS Accelerator"="c:\program files\PPStream\ppsap.exe" [2010-02-24 214408]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-07-13 81920]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-07-13 8466432]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^PPTV.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\PPTV.lnk
backup=c:\windows\pss\PPTV.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^TrayMin230.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\TrayMin230.lnk
backup=c:\windows\pss\TrayMin230.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^bo^Start Menu^Programs^Startup^PPS.lnk]
path=c:\documents and settings\bo\Start Menu\Programs\Startup\PPS.lnk
backup=c:\windows\pss\PPS.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^bo^Start Menu^Programs^Startup^腾讯QQ.lnk]
path=c:\documents and settings\bo\Start Menu\Programs\Startup\腾讯QQ.lnk
backup=c:\windows\pss\腾讯QQ.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2010-11-22 18:30 483328 ----a-w- c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2006-07-20 00:26 52896 ----a-w- c:\program files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2006-07-27 19:44 61952 ----a-w- c:\windows\system32\CHDAudPropShortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 21:44 3883856 ------w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2007-07-13 13:34 8466432 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2007-07-13 13:34 1626112 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPS Accelerator]
2010-02-24 03:25 214408 ------w- c:\program files\PPStream\PPSAP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SPC230NC_Monitor]
2007-12-10 20:55 323584 ----a-w- c:\windows\Philips\SPC230NC\Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SPC_Monitor]
2007-12-10 20:55 323584 ----a-w- c:\windows\Philips\SPC230NC\Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2010-04-18 23:50 39408 ------w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
2006-09-28 01:33 125168 ----a-w- c:\progra~1\SYMANT~1\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ccosm"=2 (0x2)
"ccSetMgr"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"DefWatch"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Tencent\\QQ\\QQ.exe"=
"c:\\Program Files\\Tencent\\QQ\\Qzone\\Qzone.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Tencent\\QQ\\QQUpdateCenter.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Tencent\\QQMusic\\QzoneMusic.exe"=
"c:\\Program Files\\PPStream\\PPStream.exe"=
"c:\\Program Files\\PPStream\\PPSAP.exe"=
"c:\\Program Files\\TTKN\\CAJViewer 7.0\\PDL.exe"=
"c:\\Program Files\\TTKN\\CAJViewer 7.0\\CAJViewer.exe"=
"d:\\Program Files\\qqqtv网络电视\\QQQTV网络电视.exe"=

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [13/12/2010 9:00 AM 102448]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [18/04/2010 6:50 PM 135664]
S3 PAEAFLT.sys;USB Composite Device;c:\windows\system32\drivers\PAEAFLT.sys [05/01/2009 9:13 AM 8576]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [27/09/2006 8:33 PM 116464]
S3 SPC230NC;Philips SPC230NC Webcam;c:\windows\system32\drivers\SPC230NC.SYS [05/01/2009 9:13 AM 461056]
.
.
------- 而外的扫描 -------
.
uStart Page = hxxp://www.google.ca/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: 使用迅雷查看图片 - c:\program files\Thunder Network\Thunder\Program\repairimage.htm
IE: 添加到QQ表情 - c:\program files\Tencent\QQ\AddEmotion.htm
IE: {{548BF84E-9665-47f9-B635-7380F8943E90} - c:\program files\Thunder Network\Thunder\Program\repairimage.htm
DPF: {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A} - hxxp://download.tv.sina.com.cn/downloader.cab
FF - ProfilePath - c:\documents and settings\bo\Application Data\Mozilla\Firefox\Profiles\bjbule3r.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-14 20:59
Windows 5.1.2600 Service Pack 3 NTFS

扫描被隐藏的进程 。。。

扫描被隐藏的启动组 。。。

扫描被隐藏的文件 。。。

扫描完成
被隐藏的档案: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1606980848-682003330-725345543-1003\Software\Microsoft\Internet Explorer\MenuExt\鹠燫0RQ*Q*h埮`]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@="c:\\Program Files\\Tencent\\QQ\\AddEmotion.htm"
"contexts"=dword:00000002
.
------------------------ 其他运行进程 ------------------------
.
c:\windows\system32\conime.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\RUNDLL32.EXE
.
**************************************************************************
.
完成时间: 2010-12-14 21:03:52 - 电脑已重新启动
ComboFix-quarantined-files.txt 2010-12-15 02:03
ComboFix2.txt 2010-12-12 22:34

Pre-Run: 78,234,079,232 bytes free
Post-Run: 78,207,438,848 bytes free

- - End Of File - - C239611A6BE828A1CCB3D956D1968985

After ComboFix I notice some changes with my computer:
1) there is no periodic CPU usage surge anymore
2) I can remove the hidden file created by the virus (hlp.dat)
3) it seems the Google redirect is gone.

Wow, amazing, looks like you helped me remove the virus completely.

Bravo.........


Thank you so much.

#10
brandenqi (Topic Starter)

I ran Malwarebytes and found nothing abnormal, so I didn't copy the log.
The following is the OTL log.



OTL logfile created on: 14/12/2010 10:33:07 PM - Run 4
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\bo\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

959.00 Mb Total Physical Memory | 489.00 Mb Available Physical Memory | 51.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 90.00% Paging File free
Paging file location(s): C:\pagefile.sys 1440 2880 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 104.62 Gb Total Space | 72.93 Gb Free Space | 69.71% Space Free | Partition Type: NTFS
Drive D: | 7.17 Gb Total Space | 3.78 Gb Free Space | 52.74% Space Free | Partition Type: NTFS

Computer Name: U-F98A522CAB534 | User Name: bo | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/12/10 22:50:03 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\bo\Desktop\OTL.exe
PRC - [2010/02/23 22:25:30 | 000,214,408 | ---- | M] (PPStream Inc) -- C:\Program Files\PPStream\PPSAP.exe
PRC - [2008/12/02 16:07:07 | 000,307,704 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/04/13 19:12:15 | 000,027,648 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\conime.exe


========== Modules (SafeList) ==========

MOD - [2010/12/10 22:50:03 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\bo\Desktop\OTL.exe
MOD - [2010/08/23 11:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2008/04/13 19:11:31 | 000,482,304 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\pintlgnt.ime


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - [2006/09/27 20:33:38 | 000,116,464 | ---- | M] (symantec) [On_Demand | Stopped] -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
SRV - [2006/09/27 20:33:32 | 001,813,232 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2006/09/27 20:33:22 | 000,031,472 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
SRV - [2006/09/02 16:36:33 | 002,528,960 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_1.EXE -- (LiveUpdate)
SRV - [2006/08/07 16:03:02 | 000,214,720 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
SRV - [2006/07/19 19:26:12 | 000,169,632 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2006/07/19 19:26:06 | 000,192,160 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2006/04/11 17:13:38 | 001,160,848 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\UIUSYS.SYS -- (UIUSys)
DRV - File not found [Kernel | On_Demand | Running] -- C:\ComboFix\catchme.sys -- (catchme)
DRV - [2010/12/09 04:00:00 | 001,360,248 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20101214.001\NAVEX15.SYS -- (NAVEX15)
DRV - [2010/12/09 04:00:00 | 000,086,136 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20101214.001\NAVENG.SYS -- (NAVENG)
DRV - [2010/07/15 12:50:36 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2010/07/15 12:50:36 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2008/04/28 20:22:10 | 000,009,344 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CPQBttn.sys -- (HBtnKey)
DRV - [2008/04/13 13:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 11:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/12/31 16:19:50 | 000,461,056 | ---- | M] (PixArt Imaging Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SPC230NC.SYS -- (SPC230NC)
DRV - [2007/09/26 14:28:46 | 000,008,576 | ---- | M] (PixArt Imaging Incorporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PAEAFLT.sys -- (PAEAFLT.sys)
DRV - [2007/07/13 07:34:00 | 006,807,744 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2006/11/01 08:55:48 | 000,604,928 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2006/09/18 17:55:28 | 000,109,744 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)
DRV - [2006/09/06 14:41:20 | 000,337,592 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT)
DRV - [2006/09/06 14:41:20 | 000,054,968 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL)
DRV - [2006/08/29 14:12:28 | 000,990,592 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2006/08/29 14:11:08 | 000,208,384 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2006/08/29 14:10:56 | 000,728,576 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2006/08/07 16:02:26 | 000,195,776 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2006/08/07 16:02:22 | 000,024,768 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2006/07/27 14:44:42 | 000,581,632 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CHDAud.sys -- (HdAudAddService)
DRV - [2006/04/11 17:13:34 | 000,389,776 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2006/03/05 22:49:36 | 000,011,136 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvsmu.sys -- (nvsmu)
DRV - [2006/03/02 23:31:04 | 000,013,056 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2006/03/02 23:31:02 | 000,034,176 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2006/01/26 23:04:16 | 000,099,584 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvatabus.sys -- (nvatabus)
DRV - [2006/01/26 23:04:16 | 000,099,584 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvata.sys -- (nvata)
DRV - [2004/08/04 07:00:00 | 000,012,160 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\fsvga.sys -- (FsVga)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========


FF - HKLM\software\mozilla\Mozilla Firefox 3.0.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/12/09 22:10:30 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/12/09 22:10:23 | 000,000,000 | ---D | M]

[2010/12/09 22:10:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bo\Application Data\Mozilla\Extensions
[2010/12/13 18:26:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bo\Application Data\Mozilla\Firefox\Profiles\bjbule3r.default\extensions
[2010/12/10 19:26:36 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\bo\Application Data\Mozilla\Firefox\Profiles\bjbule3r.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/12/13 18:26:38 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/09/01 05:07:10 | 000,079,664 | ---- | M] (ShenZhen Xunlei Networking Technologies,LTD) -- C:\Program Files\Mozilla Firefox\components\ThunderComponent.dll
[2008/01/04 10:36:50 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2008/01/04 10:36:50 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2008/09/22 14:14:04 | 000,000,759 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2008/01/04 10:36:50 | 000,000,831 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2010/12/14 20:59:21 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (迅雷流媒体探测IE支持) - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDMediaDetector5.9.27.1554.dll File not found
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (no name) - {889D2FEB-5411-4565-8998-1DD2C5261283} - No CLSID value found.
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (MSN Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\en-us\msntb.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\ShellBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (MSN Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\en-us\msntb.dll (Microsoft Corporation)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKCU..\Run: [PPS Accelerator] c:\Program Files\PPStream\PPSAP.exe (PPStream Inc)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll (Google Inc.)
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm ()
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: 查看网页全部图片 - {548BF84E-9665-47f9-B635-7380F8943E90} - C:\Program Files\Thunder Network\Thunder\Program\repairimage.htm File not found
O9 - Extra 'Tools' menuitem : 查看网页全部图片 - {548BF84E-9665-47f9-B635-7380F8943E90} - C:\Program Files\Thunder Network\Thunder\Program\repairimage.htm File not found
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1238023776281 (MUWebControl Class)
O16 - DPF: {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A} http://download.tv.s.../downloader.cab (DLoader Class)
O16 - DPF: {C728DAB8-FDF5-4CD7-89DD-879D25794C77} http://t.live.cctv.c...dateInstall.dll (KooPlayer Control)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\bo\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\bo\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/12/23 09:45:30 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/12/14 21:08:34 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/12/14 21:03:55 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/12/12 17:19:01 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/12/12 17:15:00 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/12/12 17:14:59 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/12/12 17:14:59 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/12/12 17:14:59 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/12/12 16:14:40 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/12/12 16:13:39 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/12/12 15:59:37 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/12/11 10:45:37 | 000,278,528 | ---- | C] (Real Networks, Inc) -- C:\WINDOWS\System32\pncrt.dll
[2010/12/10 22:50:03 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\bo\Desktop\OTL.exe
[2010/12/10 22:15:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\bo\Desktop\GooredFix Backups
[2010/12/10 22:14:12 | 000,071,398 | ---- | C] (jpshortstuff) -- C:\Documents and Settings\bo\Desktop\GooredFix.exe
[2010/12/09 22:10:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\bo\Application Data\Mozilla
[2010/12/08 21:48:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\bo\Application Data\ParetoLogic
[2010/12/08 21:48:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\bo\Application Data\DriverCure
[2010/12/08 21:48:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\ParetoLogic
[2010/12/08 14:48:08 | 001,344,600 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\bo\Desktop\TDSSKiller.exe
[2010/11/26 09:23:06 | 000,000,000 | --SD | C] -- C:\WINDOWS\Tasks
[2010/11/24 21:55:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\bo\My Documents\Downloads
[2010/11/20 10:23:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\bo\Application Data\Malwarebytes
[2010/11/20 09:59:27 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/11/20 09:59:26 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/11/20 09:59:26 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/11/20 09:59:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
[2010/11/20 09:57:21 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/12/14 21:07:15 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2010/12/14 21:01:14 | 000,002,365 | ---- | M] () -- C:\WINDOWS\psnetwork.ini
[2010/12/14 21:00:50 | 000,000,096 | ---- | M] () -- C:\WINDOWS\PCDNSetting.ini
[2010/12/14 20:59:53 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/12/14 20:59:21 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/12/14 20:59:12 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/12/14 20:07:06 | 003,989,579 | R--- | M] () -- C:\Documents and Settings\bo\Desktop\ComboFix.exe
[2010/12/14 19:12:55 | 000,001,775 | ---- | M] () -- C:\WINDOWS\powerplayer.ini
[2010/12/14 19:09:21 | 1073,741,824 | ---- | M] () -- C:\ppsds.pgf
[2010/12/14 10:37:02 | 000,000,383 | ---- | M] () -- C:\WINDOWS\powerlist.ini
[2010/12/14 10:36:52 | 000,000,060 | ---- | M] () -- C:\WINDOWS\MediaList.ini
[2010/12/11 20:19:49 | 000,288,107 | ---- | M] () -- C:\Documents and Settings\bo\Desktop\gmer.zip
[2010/12/10 22:50:03 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\bo\Desktop\OTL.exe
[2010/12/10 22:30:32 | 001,230,779 | ---- | M] () -- C:\Documents and Settings\bo\Desktop\tdsskiller.zip
[2010/12/10 22:27:33 | 000,513,320 | ---- | M] () -- C:\Documents and Settings\bo\Desktop\erunt.zip
[2010/12/10 22:14:12 | 000,071,398 | ---- | M] (jpshortstuff) -- C:\Documents and Settings\bo\Desktop\GooredFix.exe
[2010/12/09 22:10:25 | 000,001,620 | ---- | M] () -- C:\Documents and Settings\bo\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/12/09 22:10:25 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Mozilla Firefox.lnk
[2010/12/08 14:48:08 | 001,344,600 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\bo\Desktop\TDSSKiller.exe
[2010/11/29 17:42:18 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/11/29 17:42:06 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/11/27 15:06:13 | 000,077,312 | ---- | M] () -- C:\Documents and Settings\bo\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/11/25 14:41:00 | 000,015,872 | ---- | M] () -- C:\Documents and Settings\bo\Desktop\monthly expense.xls
[2010/11/23 18:39:52 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2010/11/22 15:47:10 | 000,278,528 | ---- | M] (Real Networks, Inc) -- C:\WINDOWS\System32\pncrt.dll
[2010/11/20 09:59:29 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Malwarebytes' Anti-Malware.lnk
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/12/12 17:19:08 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/12/12 17:19:04 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2010/12/12 17:15:00 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/12/12 17:15:00 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/12/12 17:14:59 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/12/12 17:14:59 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/12/12 17:14:59 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/12/12 15:58:35 | 003,989,579 | R--- | C] () -- C:\Documents and Settings\bo\Desktop\ComboFix.exe
[2010/12/11 20:19:49 | 000,288,107 | ---- | C] () -- C:\Documents and Settings\bo\Desktop\gmer.zip
[2010/12/10 22:30:32 | 001,230,779 | ---- | C] () -- C:\Documents and Settings\bo\Desktop\tdsskiller.zip
[2010/12/10 22:27:32 | 000,513,320 | ---- | C] () -- C:\Documents and Settings\bo\Desktop\erunt.zip
[2010/12/09 22:10:25 | 000,001,620 | ---- | C] () -- C:\Documents and Settings\bo\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/12/09 22:10:25 | 000,001,602 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Mozilla Firefox.lnk
[2010/11/20 09:59:29 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/17 18:37:19 | 000,000,021 | ---- | C] () -- C:\WINDOWS\ppscodec.ini
[2010/05/05 21:18:54 | 000,000,426 | ---- | C] () -- C:\WINDOWS\{38CE8FAD-2E31-4CA8-B671-1BA7A8A54B28}_WiseFW.ini
[2010/04/19 17:41:19 | 000,000,096 | ---- | C] () -- C:\WINDOWS\PCDNSetting.ini
[2010/04/18 18:48:55 | 000,000,060 | ---- | C] () -- C:\WINDOWS\MediaList.ini
[2010/04/18 18:48:54 | 000,000,383 | ---- | C] () -- C:\WINDOWS\powerlist.ini
[2010/04/18 18:43:54 | 000,002,365 | ---- | C] () -- C:\WINDOWS\psnetwork.ini
[2010/04/18 18:43:52 | 000,001,775 | ---- | C] () -- C:\WINDOWS\powerplayer.ini
[2010/02/25 21:23:43 | 000,000,013 | ---- | C] () -- C:\WINDOWS\msgtn.ini
[2009/01/09 21:20:19 | 000,077,312 | ---- | C] () -- C:\Documents and Settings\bo\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/01/05 09:13:41 | 000,000,842 | ---- | C] () -- C:\WINDOWS\System32\SPC230NC.INI
[2009/01/01 16:20:17 | 000,000,025 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2008/12/22 14:09:57 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2008/12/22 13:59:39 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/12/19 09:24:09 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2007/07/13 08:34:00 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2007/07/13 08:34:00 | 001,474,560 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2007/07/13 08:34:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2007/07/13 08:34:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2007/07/13 08:34:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2010/12/08 22:30:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\ParetoLogic
[2010/02/14 11:50:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\PPLive
[2010/02/07 18:00:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\PPLiveVA
[2009/03/12 20:18:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Storm
[2008/12/22 14:04:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\WinZip
[2009/01/24 21:42:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bo\Application Data\CCTV
[2010/12/08 21:48:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bo\Application Data\DriverCure
[2009/01/15 22:26:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bo\Application Data\MSNInstaller
[2010/12/08 21:48:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bo\Application Data\ParetoLogic
[2009/08/09 08:54:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bo\Application Data\PPLiveVA
[2010/12/12 20:00:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bo\Application Data\PPStream
[2009/01/24 00:49:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bo\Application Data\QQ
[2009/05/25 12:34:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bo\Application Data\QQMusicUpdate
[2009/01/24 17:41:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bo\Application Data\QQUpdate
[2009/10/04 20:55:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bo\Application Data\Tencent
[2009/05/06 22:11:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bo\Application Data\TOMXPP

========== Purity Check ==========



========== Files - Unicode (All) ==========
[2009/01/23 23:22:10 | 000,000,684 | ---- | M] ()(C:\Documents and Settings\bo\Application Data\Microsoft\Internet Explorer\Quick Launch\?á?òò?à?oD.lnk) -- C:\Documents and Settings\bo\Application Data\Microsoft\Internet Explorer\Quick Launch\¿áÎÒÒôÀÖºÐ.lnk
[2009/01/23 23:22:10 | 000,000,684 | ---- | C] ()(C:\Documents and Settings\bo\Application Data\Microsoft\Internet Explorer\Quick Launch\?á?òò?à?oD.lnk) -- C:\Documents and Settings\bo\Application Data\Microsoft\Internet Explorer\Quick Launch\¿áÎÒÒôÀÖºÐ.lnk
[2009/01/23 23:19:52 | 000,000,672 | ---- | M] ()(C:\Documents and Settings\bo\Application Data\Microsoft\Internet Explorer\Quick Launch\PPLive í???μ?êó.lnk) -- C:\Documents and Settings\bo\Application Data\Microsoft\Internet Explorer\Quick Launch\PPLive ÍøÂçµçÊÓ.lnk
[2009/01/23 23:19:52 | 000,000,672 | ---- | C] ()(C:\Documents and Settings\bo\Application Data\Microsoft\Internet Explorer\Quick Launch\PPLive í???μ?êó.lnk) -- C:\Documents and Settings\bo\Application Data\Microsoft\Internet Explorer\Quick Launch\PPLive ÍøÂçµçÊÓ.lnk
[2009/01/17 23:47:03 | 000,000,672 | ---- | M] ()(C:\Documents and Settings\bo\Application Data\Microsoft\Internet Explorer\Quick Launch\±?·?ó°ò?.lnk) -- C:\Documents and Settings\bo\Application Data\Microsoft\Internet Explorer\Quick Launch\±©·çÓ°Òô.lnk
[2009/01/17 23:47:03 | 000,000,672 | ---- | C] ()(C:\Documents and Settings\bo\Application Data\Microsoft\Internet Explorer\Quick Launch\±?·?ó°ò?.lnk) -- C:\Documents and Settings\bo\Application Data\Microsoft\Internet Explorer\Quick Launch\±©·çÓ°Òô.lnk

< End of report >
  • 0

#11
Cold Titanium

Cold Titanium

    Trusted Helper

  • Malware Removal
  • 1,735 posts
Excellent Job! :D The logs appear to be clean!

We now need to finish cleaning up

Step #1

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Step #2

Please Re-Open OTL and click the Cleanup button to remove all the tools we used as well as OTL.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster - to help prevent spyware from installing in the first place.
  • SpywareGuard - to catch and block spyware before it can execute.
  • IESpy-Ad - to block access to malicious websites so you cannot be redirected to them from an infected site or email.
  • MVPS Hosts file - The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc.
  • Google Toolbar - Get the free Google Toolbar to help stop pop-up windows.
  • Recovery Console - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see This Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

And to help keep your system clean I recommend running one or two of these free malware scanners weekly


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Internet Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Use a different Internet Browser


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

It is also extremely important to keep your operating system up to date:

Turn on automatic updating
  • Click Start.
  • Select Control Panel.
  • Select Automatic Updates.
  • Click Automatic (recommended)
  • Choose a day and a time when you know the computer will be on and connected to the internet.
  • Click Apply then OK.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Have a Backup Plan

Keep a backup of your important files - This article is full of good information on alternatives for home backup solutions.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

To learn more about how to protect yourself while on the internet read these articles:
Safe Computing! ;) And have a very Merry Christmas!

~Cold Titanium ;)
  • 0
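The Internet Explorer hardening steps in the post above are applied through the GUI, which makes it hard to confirm afterwards that every setting actually took. The script below is an added example (it is not from the thread, from Cold Titanium, or from any of the tools mentioned) that audits the same six "Internet" zone settings from the registry and reports any that are weaker than recommended. It assumes the standard IE zone action IDs under `Internet Settings\Zones\3` (1001, 1004, 1201, 1800, 1804, 1607) with values 0 = Enable, 1 = Prompt, 3 = Disable; the `-Apply` switch is this script's own parameter and writes the recommended values.

```powershell
<#
  Added example, not part of the original post: audits the IE "Internet" zone
  (zone 3) settings listed above and optionally applies the recommended values.
  Assumption: the action IDs below are the standard IE zone value names, where
  0 = Enable, 1 = Prompt and 3 = Disable. Run with -Apply to write the fixes.
#>
param([switch]$Apply)

$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$Labels   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Recommended values from the post, keyed by the registry value name (action ID).
$Recommended = @(
    @{ Id = '1001'; Name = 'Download signed ActiveX controls';                          Want = 1 },
    @{ Id = '1004'; Name = 'Download unsigned ActiveX controls';                        Want = 3 },
    @{ Id = '1201'; Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 },
    @{ Id = '1800'; Name = 'Installation of desktop items';                             Want = 1 },
    @{ Id = '1804'; Name = 'Launching programs and files in an IFRAME';                 Want = 1 },
    @{ Id = '1607'; Name = 'Navigate sub-frames across different domains';              Want = 1 }
)

if (-not (Test-Path $ZonePath)) {
    # With no per-user zone key, IE is using machine-wide settings under HKLM
    # (or the built-in zone template); nothing here to audit.
    Write-Warning "Zone key not found: $ZonePath"
    return
}

$current = Get-ItemProperty -Path $ZonePath
$weak = 0
foreach ($s in $Recommended) {
    $have = $current.($s.Id)
    if ($null -eq $have) {
        # No per-user override yet: the zone template default applies, which
        # for the Internet zone is looser than the recommended value.
        $haveLabel = 'not set (zone default)'
    } elseif ($Labels.ContainsKey([int]$have)) {
        $haveLabel = $Labels[[int]$have]
    } else {
        $haveLabel = "unknown ($have)"
    }

    # Enable=0 < Prompt=1 < Disable=3, so a smaller number is more permissive;
    # "not set" is also treated as weak so it gets an explicit value.
    $isWeak = ($null -eq $have) -or ([int]$have -lt $s.Want)
    $status = if ($isWeak) { 'WEAK' } else { 'ok  ' }
    "{0} {1,-62} current: {2,-24} recommended: {3}" -f $status, $s.Name, $haveLabel, $Labels[$s.Want]

    if ($isWeak) {
        $weak++
        if ($Apply) {
            Set-ItemProperty -Path $ZonePath -Name $s.Id -Value $s.Want -Type DWord
        }
    }
}

if ($Apply) { "Applied recommended values to $weak setting(s)." }
else        { "$weak setting(s) weaker than recommended; re-run with -Apply to fix." }
```

Run it once without `-Apply` after following the GUI steps to confirm every line reads `ok`; a line still marked `WEAK` means the dialog change did not persist (for example because the OK/Yes prompt was dismissed). The script only touches the current user's hive, so a machine whose zones are locked to HKLM by policy will report the key as missing rather than silently auditing the wrong values.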

#12
brandenqi

brandenqi

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Hello Cold Titanium,
I really appreciate your professional help; you have taught me a lot, and I will follow your advice in future. Thank you very much, and I wish you a Happy Christmas.
  • 0

#13
Cold Titanium

Cold Titanium

    Trusted Helper

  • Malware Removal
  • 1,735 posts
You're very welcome! Come back if you have any more problems and have a Merry Christmas! :D

Edited by Cold Titanium, 15 December 2010 - 08:47 PM.

  • 0

#14
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :D

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0