google search always returns a hijacked url on top [Archive]

View Full Version : google search always returns a hijacked url on top

frankliu77

2009-05-06, 20:59

Dear all,

I am using firefox and I have recently found that my google search always returns a link which redirects me, e.g., something like

hxxp:// 216.240.159.88/gogo.php?id=513270

However, I don't have such a problem if I use IE. I've just installed SplyBot and it doesn't remove it. The HijackThis log file is as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:57:09 AM , on 5/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
d:\Program Files\Ringz Studio\Storm Codec\stormliv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft LifeCam\MSCamSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
D:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\sony\Wireless adapter\ZDWLan.EXE
C:\WINDOWS\system32\ctfmon.exe
d:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\mspaint.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - d:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: êμó????÷1¤??ì?2.0 - {03465FF5-00AE-411a-9C34-960ED566EC03} - C:\Program Files\superutilbar\superutilbar.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
O4 - HKLM\..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [Wireless Adapter Manager] C:\Program Files\sony\Wireless adapter\ZDWLan.EXE -minisize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] d:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Transfer by Image Converter 2 - C:\Program Files\Sony\Image Converter 2\menu.htm
O8 - Extra context menu item: 使用网际快车下载 - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 使用网际快车下载全部链接 - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: 导出到 Microsoft Excel(&x) - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll (file missing)
O9 - Extra button: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - D:\Program Files\PPLive\PPLive.exe
O9 - Extra 'Tools' menuitem: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - D:\Program Files\PPLive\PPLive.exe
O9 - Extra button: PowerWord - {9A687CA6-D585-4947-9ED9-BE96071F5CD9} - D:\PROGRA~1\Kingsoft\POWERW~1\XDictExB.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - d:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - d:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\171962984.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\171962984.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {05C1004E-2596-48E5-8E26-39362985EEB9} (MMCPlayer Class) - http://tb.sogou.com/MMCShell.cab
O16 - DPF: {070CA17A-4BD2-4612-83B4-32B1B9159B47} (ULiveCtrl Control) - http://uc.sina.com.cn/download/live/weblive2.4.0.0.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A} (DLoader Class) - http://dl.uc.sina.com/cab/downloader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://www.winkflash.com/ca/photo/loaders/ImageUploader3.cab
O16 - DPF: {A9E58728-1FA7-46CE-845D-44694EB11602} (XGiboView Control) - http://www.sinago.com/giboview/giboview.cab
O16 - DPF: {B69B0694-EB7C-4468-B572-B781062A1EF2} (KooPlayer Control) - http://static.mediazone.com/player/1.0.0.64/MZPlayer.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: dic - {C21F5C32-F57A-4A0D-8E0A-B672691C52D0} - D:\PROGRA~1\Kingsoft\POWERW~1\XDictExB.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Contrl Center of Storm Media (ccosm) - 北京暴风网际科技有限公司 - d:\Program Files\Ringz Studio\Storm Codec\stormliv.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Stormser - Unknown owner - d:\PROGRA~1\RINGZS~1\STORMC~1\Stormser.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment Task Scheduler - Sony Corporation - C:\Program Files\Sony\vaio entertainment\VzTaskScheduler.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

--
End of file - 13072 bytes

Thanks a lot.

Frank

Shaba

2009-05-07, 16:25

Hi frankliu77

Please click this link-->Jotti (http://virusscan.jotti.org/)

Copy/paste the file on the list into the white Upload a file box and click Submit/Send (depends on which one you are using Jotti or VirusTotal).

c:\windows\system32\171962984.dll
Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

frankliu77

2009-05-07, 19:41

Hi Shaba,

Thanks a lot for the reply. After I posted the message, I run into ComboFix and after running that, the problem has been fixed. And now there is no

c:\windows\system32\171962984.dll

Do you think the problem is really fixed?

Thanks
Frank

Shaba

2009-05-07, 19:43

It can be.

However, you are not supposed to run tools unsupervised because those can cause serious damage.

Please post next contents of c:\ComboFix.txt

frankliu77

2009-05-08, 17:56

Hi Shaba,

Thanks a lot for reminding me.

The following is the ComboFix file. Two things:

1. The log files contains some Chinese. I've translated some and there may still be some left out. I hope those won't affect your diagnosis.
2. When I run ComboFix, I forgot to turn off the Norton Script Block. During the execution of ComboFix, there were some scripts blocked. However, ComboFix seemed to run normal and my problem was fixed; so I didn't care. If you spot something weird in the log file, maybe that is why.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Hap\Application Data\dapcon1.2.ini
c:\program files\Common Files\System\updaterun.exe
c:\program files\Common Files\updat
c:\windows\bar.exe
c:\windows\castxml.dat
c:\windows\local_list.dll
c:\windows\setup.exe
c:\windows\system32\171962984.dll
c:\windows\system32\advport.dll
c:\windows\system32\blockad.ini
c:\windows\system32\drivers\beep.sys
c:\windows\system32\ext
c:\windows\system32\helper
c:\windows\system32\mdm.exe
c:\windows\system32\nt.sys
c:\windows\system32\scia.dll
c:\windows\system32\score.txt
c:\windows\system32\spted.dll
c:\windows\system32\wbem\ocmor.dat
c:\windows\system32\wbem\ocmor.dll
c:\windows\system32\wbem\smtpconfs.dll
c:\windows\system32\winup
c:\windows\system32\winup\hbhvmt33.dll
c:\windows\system32\winxkg40.dll
c:\windows\task.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ABHCOP
-------\Legacy_ANFAD
-------\Legacy_FAD
-------\Legacy_HCALWAY
-------\Legacy_INVESTOR
-------\Legacy_P4P_SERVICE
-------\Legacy_REMOTE_LOG
-------\Legacy_SOCEESE
-------\Legacy_STDSERVICE
-------\Legacy_UNIVERSAL_DISK_MANAGER
-------\Service_Investor
-------\Service_SOCEESe

((((((((((((((((((((((((( Files Created from 2009-04-06 to 2009-05-06 )))))))))))))))))))))))))))))))
.

2009-04-24 17:37 . 2009-04-24 17:37 -------- d-----w c:\documents and settings\Hap\Application Data\QQMusicUpdate
2009-04-16 17:54 . 2009-04-16 17:54 -------- d-----w c:\documents and settings\Hap\Local Settings\Application Data\Tencent
2009-04-16 17:53 . 2009-04-16 17:53 -------- d-----w c:\program files\Common Files\Tencent
2009-04-16 17:52 . 2009-04-24 17:36 -------- d-----w c:\documents and settings\Hap\Application Data\Tencent
2009-04-15 07:22 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-15 07:22 . 2009-02-06 10:39 35328 -c----w c:\windows\system32\dllcache\sc.exe
2009-04-15 07:22 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 07:22 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-15 07:22 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 07:22 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 07:22 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 07:22 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 07:20 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 07:20 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-14 06:48 . 2009-04-14 06:49 -------- d-----w c:\windows\system32\XPSViewer
2009-04-14 06:48 . 2009-04-14 06:48 -------- d-----w c:\program files\Reference Assemblies
2009-04-14 06:47 . 2008-07-06 12:06 117760 ------w c:\windows\system32\prntvpt.dll
2009-04-14 06:47 . 2008-07-06 12:06 89088 -c----w c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-04-14 06:47 . 2008-07-06 10:50 597504 -c----w c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-04-14 06:47 . 2008-07-06 12:06 575488 -c----w c:\windows\system32\dllcache\xpsshhdr.dll
2009-04-14 06:47 . 2008-07-06 12:06 575488 ------w c:\windows\system32\xpsshhdr.dll
2009-04-14 06:47 . 2008-07-06 12:06 1676288 -c----w c:\windows\system32\dllcache\xpssvcs.dll
2009-04-14 06:47 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\xpssvcs.dll
2009-04-14 03:52 . 2009-04-14 03:52 -------- d-sh--w c:\documents and settings\Hap\IECompatCache
2009-04-12 05:17 . 2009-04-12 05:17 -------- d-sh--w c:\documents and settings\Hap\PrivacIE
2009-04-12 04:57 . 2009-04-12 04:57 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache
2009-04-12 04:55 . 2009-04-12 04:55 -------- d-sh--w c:\documents and settings\Hap\IETldCache
2009-04-12 04:51 . 2009-04-12 04:51 -------- d-----w c:\windows\ie8updates
2009-04-12 04:44 . 2009-04-12 04:47 -------- dc-h--w c:\windows\ie8
2009-04-12 04:43 . 2009-04-14 02:40 -------- d--h--w c:\windows\msdownld.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3D Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-06 21:31 . 2006-01-21 07:38 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-06 21:16 . 2007-02-13 05:51 -------- d-----w c:\program files\Norton AntiVirus
2009-05-06 19:06 . 2006-03-31 03:36 -------- d-----w c:\program files\Mozilla Thunderbird
2009-05-06 18:27 . 2006-01-21 09:05 -------- d-----w c:\program files\FlashGet
2009-05-06 17:41 . 2006-04-12 07:36 -------- d-----w c:\program files\RegistryBot
2009-04-23 21:09 . 2007-05-02 22:08 -------- d-----w c:\program files\Common Files\LogiShrd
2009-04-15 17:43 . 2005-03-09 22:14 -------- d-----w c:\program files\Common Files\Adobe
2009-04-14 19:14 . 2006-01-21 05:21 50672 ----a-w c:\documents and settings\Hap\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-13 18:55 . 2005-03-09 21:26 -------- d-----w c:\program files\Java
2009-04-13 06:29 . 2005-03-09 21:28 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-08 09:27 . 2007-06-22 21:50 0 ---ha-w c:\documents and settings\All Users\Application Data\QQiPPro.dat
2009-03-30 03:41 . 2009-03-30 03:41 -------- d-----w c:\program files\TechSmith
2009-03-18 05:16 . 2009-03-17 06:21 -------- d-----w c:\program files\Microsoft Silverlight
2009-03-17 06:51 . 2006-01-22 00:31 -------- d-----w c:\program files\Emacs
2009-03-08 11:34 . 2005-03-09 19:20 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 11:34 . 2005-03-09 19:19 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 11:33 . 2005-03-09 19:19 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 11:33 . 2005-03-09 19:20 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 11:32 . 2005-03-09 19:19 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 11:32 . 2005-03-09 19:19 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 11:31 . 2005-03-09 19:19 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 11:31 . 2005-03-09 19:19 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 11:31 . 2005-03-09 19:19 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 11:22 . 2005-03-09 19:19 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2005-03-09 19:19 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-09 12:10 . 2005-03-09 19:19 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2005-03-09 19:20 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2005-03-09 19:19 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2005-03-09 19:19 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2005-03-09 19:20 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 02:02 . 2004-08-03 22:59 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2005-03-09 19:20 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2005-03-09 19:19 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2005-03-09 19:20 35328 ----a-w c:\windows\system32\sc.exe
2006-03-22 22:26 . 2006-03-22 22:20 2 --shatr c:\windows\winstart.bat
2007-02-13 05:53 . 2007-02-13 05:53 32 --sha-w c:\windows\{A74D5A38-6027-41F5-9835-1FAF8C324EF3}.dat
2007-02-13 05:53 . 2007-02-13 05:53 32 --sha-w c:\windows\system32\{DA91F97B-5F40-4C11-A34D-5435FBEA763E}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseSVN]
@="{30351346-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{30351346-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 19:35 536576 ----a-w d:\program files\TortoiseSVN\bin\TortoiseSVN.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseSVN]
@="{30351347-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{30351347-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 19:35 536576 ----a-w d:\program files\TortoiseSVN\bin\TortoiseSVN.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseSVN]
@="{30351348-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{30351348-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 19:35 536576 ----a-w d:\program files\TortoiseSVN\bin\TortoiseSVN.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseSVN]
@="{3035134B-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134B-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 19:35 536576 ----a-w d:\program files\TortoiseSVN\bin\TortoiseSVN.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseSVN]
@="{3035134C-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134C-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 19:35 536576 ----a-w d:\program files\TortoiseSVN\bin\TortoiseSVN.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseSVN]
@="{3035134D-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134D-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 19:35 536576 ----a-w d:\program files\TortoiseSVN\bin\TortoiseSVN.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseSVN]
@="{3035134E-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134E-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 19:35 536576 ----a-w d:\program files\TortoiseSVN\bin\TortoiseSVN.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="d:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-11-08 114688]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2005-01-15 184320]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-02-23 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-02-23 126976]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-04-04 5406720]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2002-08-20 50880]
"ccRegVfy"="c:\program files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-08-20 34504]
"Advanced Tools Check"="c:\progra~1\NORTON~1\AdvTools\ADVCHK.EXE" [2002-08-27 79480]
"VX3000"="c:\windows\vVX3000.exe" [2006-06-29 707376]
"Wireless Adapter Manager"="c:\program files\sony\Wireless adapter\ZDWLan.EXE" [2007-08-17 530296]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-05-21 01:42 73728 ----a-w c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\beep.sys]
@="beep"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"matlabserver"=3 (0x3)
"AcrSch2Svc"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"PPS Accelerator"=d:\program files\PPStream\ppsap.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"= 0 (0x0)]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Sony\\VAIO Media 4.0\\Vc.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Visual Studio\\Common\\Tools\\VS-Ent98\\Vanalyzr\\VARPC.EXE"=
"c:\\Program Files\\eMule\\eMule.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Tencent\\QQ\\QQ.exe"=
"c:\\Program Files\\LeapFTP\\HA_LeapFTP2.7.6.613_yfy\\LeapFTP.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Bingglebear\\MediaPhone\\mphone.exe"=
"c:\\Program Files\\Emacs\\visemacs\\gnuserv.exe"=
"d:\\Software Backup\\emacs_win\\visemacs\\gnuserv.exe"=
"c:\\Program Files\\MultiProxy\\MProxy.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\CreateDynamics\\bin\\win32\\PhysXViewer244.exe"=
"d:\\Program Files\\MediaRing\\MediaRing Talk\\mrtalk.exe"=
"c:\\Program Files\\Tencent\\QQ\\QQUpdateCenter.exe"=
"c:\\Program Files\\Microsoft Visual Studio 8\\Common7\\IDE\\devenv.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\PPStream\\PPSAP.exe"=
"d:\\Program Files\\PPLive\\PPLive.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Microsoft Visual Studio\\Common\\MSDev98\\Bin\\MSDEV.EXE"=
"c:\\Program Files\\sina\\SAP\\SAPlatform.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"d:\\Program Files\\PPStream\\PPStream.exe"=
"d:\\Program Files\\PPStream\\PPSAP.exe"=
"d:\\PROGRA~1\\RINGZS~1\\STORMC~1\\Stormser.exe"=
"d:\\Program Files\\Ringz Studio\\Storm Codec\\Storm.exe"=
"d:\\Program Files\\Ringz Studio\\Storm Codec\\stormliv.exe"=
"d:\\Program Files\\SinaWeiqi\\Sina.exe"=
"d:\\Program Files\\Tencent\\QQ\\Bin\\QQ.exe"=
"d:\\Program Files\\Tencent\\QQ\\Plugin\\Com.Tencent.QQMusic\\bin\\QQMusic\\QzoneMusic.exe"=
"d:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7007:TCP"= 7007:TCP:BitComet 7007 TCP
"7007:UDP"= 7007:UDP:BitComet 7007 UDP

R0 l9e;l9e;c:\windows\system32\drivers\l9e.sys [3/30/2006 6:41 PM 5120]
R0 St320hg;St320hg;c:\windows\system32\drivers\st320hg.sys [9/12/2002 11:49 AM 85696]
R1 ee1p41tl;ee1p41tl;c:\windows\system32\drivers\ee1p41tl.sys [3/30/2006 6:41 PM 38272]
R2 ccosm;Contrl Center of Storm Media;d:\program files\Ringz Studio\Storm Codec\stormliv.exe [3/10/2008 11:33 PM 473184]
R2 NProtectService;Norton Unerase Protection;c:\program files\Norton AntiVirus\AdvTools\NPROTECT.EXE [2/12/2007 10:53 PM 135168]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S0 dnkjqw13;dnkjqw1;c:\windows\system32\DRIVERS\dnkjqw13.sys --> c:\windows\system32\DRIVERS\dnkjqw13.sys [?]
S0 hbhvmt33;hbhvmt3;c:\windows\system32\DRIVERS\hbhvmt33.sys --> c:\windows\system32\DRIVERS\hbhvmt33.sys [?]
S0 hilxfy63;hilxfy6;c:\windows\system32\DRIVERS\hilxfy63.sys --> c:\windows\system32\DRIVERS\hilxfy63.sys [?]
S0 jstrfu47;jstrfu4;c:\windows\system32\DRIVERS\jstrfu47.sys --> c:\windows\system32\DRIVERS\jstrfu47.sys [?]
S0 mscdtb06;mscdtb0;c:\windows\system32\DRIVERS\mscdtb06.sys --> c:\windows\system32\DRIVERS\mscdtb06.sys [?]
S0 qenbqa31;qenbqa3;c:\windows\system32\DRIVERS\qenbqa31.sys --> c:\windows\system32\DRIVERS\qenbqa31.sys [?]
S0 rwmwqk52;rwmwqk5;c:\windows\system32\DRIVERS\rwmwqk52.sys --> c:\windows\system32\DRIVERS\rwmwqk52.sys [?]
S0 xjdxkg40;xjdxkg4;c:\windows\system32\DRIVERS\xjdxkg40.sys --> c:\windows\system32\DRIVERS\xjdxkg40.sys [?]
S0 yl_zzc;yl_zzc;c:\windows\system32\drivers\yl_zzc.sys --> c:\windows\system32\drivers\yl_zzc.sys [?]
S2 Stormser;Stormser;d:\progra~1\RINGZS~1\STORMC~1\Stormser.exe [11/14/2008 10:49 PM 0]
S3 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [12/2/2006 6:17 AM 2805000]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{336d8895-f2b3-11dc-b955-00014a5e4c30}]
\Shell\AutoRun\command - Iexplores.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a81be08-27e9-11db-b8e5-0013ce00a52b}]
\Shell\AutoRun\command - I:\LaunchU3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents in ‘Scheduled Task’ director

2009-05-06 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]

2009-05-06 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2006-01-21 17:04]
.
- - - - ORPHANS REMOVED - - - -

BHO-{A2B7A0F0-B697-4A71-8D91-43443F57D7BB} - REG_BINARY
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKLM-Run-Symantec NetDriver Monitor - c:\progra~1\SYMNET~1\SNDMon.exe
HKLM-Run-Mouse Suite 98 Daemon - ICO.EXE

.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Microsoft Internet Explorer
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = proxy.sfu.ca:8080
uInternet Settings,ProxyOverride = .sfu.ca; localhost; 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Transfer by Image Converter 2 - c:\program files\Sony\Image Converter 2\menu.htm
IE: 使用网际快车下载 - c:\program files\FlashGet\jc_link.htm
IE: 使用网际快车下载全部链接 - c:\program files\FlashGet\jc_all.htm
IE: 导出到 Microsoft Excel(&x) - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: 添加到QQ表情
IE: {{9A687CA6-D585-4947-9ED9-BE96071F5CD9} - {47B92A27-8252-420D-9630-378EF61434D7} - d:\progra~1\Kingsoft\POWERW~1\XDictExB.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {05C1004E-2596-48E5-8E26-39362985EEB9}
DPF: {070CA17A-4BD2-4612-83B4-32B1B9159B47} - hxxp://uc.sina.com.cn/download/live/weblive2.4.0.0.cab
DPF: {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A} - hxxp://dl.uc.sina.com/cab/downloader.cab
DPF: {A9E58728-1FA7-46CE-845D-44694EB11602} - hxxp://www.sinago.com/giboview/giboview.cab
DPF: {B69B0694-EB7C-4468-B572-B781062A1EF2} - hxxp://static.mediazone.com/player/1.0.0.64/MZPlayer.CAB
FF - ProfilePath - c:\documents and settings\Hap\Application Data\Mozilla\Firefox\Profiles\u49rwhp6.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJPI150.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPOJI610.dll
FF - plugin: d:\program files\Adobe\Acrobat 5.0\Acrobat\browser\nppdf32.dll
FF - plugin: d:\program files\Adobe\Reader 9.0\Reader\browser\nppdf32.dll
FF - plugin: d:\program files\Real\RealPlayer\Netscape6\nppl3260.dll
FF - plugin: d:\program files\Real\RealPlayer\Netscape6\nprjplug.dll
FF - plugin: d:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll
.
.
------- File Format -------
.
chm.file="hh.exe" %1
txtfile=c:\windows\notepad.exe %1
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-06 14:31
Windows 5.1.2600 Service Pack 3 NTFS

扫描被隐藏的进程。。。

扫描被隐藏的启动组。。。

扫描被隐藏的文件。。。

扫描完成
被隐藏的档案: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1800794445-1065419589-2087688078-1006\Software\Microsoft\Internet Explorer\MenuExt\鹠燫0RQ*Q*h埮`]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1800794445-1065419589-2087688078-1006\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Development Environment\Settings\Sb*_y橆v\File Name MRU]
"Value"=multi:"\00\00"
"Maximum Entries"=dword:0000000a

[HKEY_USERS\S-1-5-21-1800794445-1065419589-2087688078-1006\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Development Environment\Settings\Sb*_y橆v\View]
"Data"=hex:04,16,00,47,28,14,14,14,0d,01,02,01,00,18,41,00,0d,00,fa,08,00,00,
bf,04,0d,00,fa,08,00,00,bf,04,0d,00,fa,08,00,00,bf,04,0d,00,fa,08,00,00,bf,\

[HKEY_USERS\S-1-5-21-1800794445-1065419589-2087688078-1006\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Development Environment\Settings\鹠燫皊 g剉y?*
 *銐砆筫Hhy榎File Name MRU]
"Value"=multi:"\00\00"
"Maximum Entries"=dword:0000000a

[HKEY_USERS\S-1-5-21-1800794445-1065419589-2087688078-1006\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Development Environment\Settings\鹠燫皊 g剉y?*
 *銐砆筫Hhy榎View]
"Data"=hex:04,16,00,47,28,14,14,14,0d,01,02,01,00,18,41,00,0d,00,fa,08,00,00,
bf,04,0d,00,fa,08,00,00,bf,04,0d,00,fa,08,00,00,bf,04,0d,00,fa,08,00,00,bf,\

[HKEY_USERS\S-1-5-21-1800794445-1065419589-2087688078-1006\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Development Environment\Settings\鹠燫皊 gy?*-* *m*e*s*h*e*r*\File Name MRU]
"Value"=multi:"\00\00"
"Maximum Entries"=dword:0000000a

[HKEY_USERS\S-1-5-21-1800794445-1065419589-2087688078-1006\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Development Environment\Settings\鹠燫皊 gy?*-* *m*e*s*h*e*r*\View]
"Data"=hex:04,16,00,37,28,14,14,14,0d,01,02,01,00,18,41,00,0d,00,fa,08,00,00,
bf,04,0d,00,fa,08,00,00,bf,04,0d,00,fa,08,00,00,bf,04,0d,00,fa,08,00,00,bf,\

[HKEY_USERS\S-1-5-21-1800794445-1065419589-2087688078-1006\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Excel\Settings\Sb*_\File Name MRU]
"Value"=multi:".\\L\00.\\local settings\00\\local settings\00\00"
"Maximum Entries"=dword:0000000a

[HKEY_USERS\S-1-5-21-1800794445-1065419589-2087688078-1006\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Excel\Settings\Sb*_\View]
"Data"=hex:04,16,00,47,28,14,14,14,0d,01,02,01,00,18,41,00,0d,00,fa,08,00,00,
bf,04,0d,00,fa,08,00,00,bf,04,0d,00,fa,08,00,00,bf,04,0d,00,fa,08,00,00,bf,\

[HKEY_USERS\S-1-5-21-1800794445-1065419589-2087688078-1006\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Outlook\Settings\R鷁bSb*_ *O*u*t*l*o*o*k* *penc噀鯪\File Name MRU]
"Value"=multi:"myoutlookdata.pst\00\00"
"Maximum Entries"=dword:0000000a

[HKEY_USERS\S-1-5-21-1800794445-1065419589-2087688078-1006\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Outlook\Settings\R鷁bSb*_ *O*u*t*l*o*o*k* *penc噀鯪\View]
"Data"=hex:04,16,00,47,28,14,14,14,0d,01,02,01,00,18,41,00,0d,00,fa,08,00,00,
8b,44,0d,00,fa,08,00,00,8b,44,0d,00,fa,08,00,00,8b,44,0d,00,fa,08,00,00,8b,\

[HKEY_USERS\S-1-5-21-1800794445-1065419589-2087688078-1006\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Outlook\Settings\Sb*_ *O*u*t*l*o*o*k* *penc噀鯪\File Name MRU]
"Value"=multi:"\00\00"
"Maximum Entries"=dword:0000000a

[HKEY_USERS\S-1-5-21-1800794445-1065419589-2087688078-1006\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Outlook\Settings\Sb*_ *O*u*t*l*o*o*k* *penc噀鯪\View]
"Data"=hex:04,16,00,47,28,14,14,14,0d,01,02,01,00,18,41,00,0d,00,fa,08,00,00,
8b,44,0d,00,fa,08,00,00,8b,44,0d,00,fa,08,00,00,8b,44,0d,00,fa,08,00,00,8b,\

[HKEY_USERS\S-1-5-21-1800794445-1065419589-2087688078-1006\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Outlook\Settings\Sb*_*N篘噀鯪9Y\File Name MRU]
"Value"=multi:"\00\00"
"Maximum Entries"=dword:0000000a

[HKEY_USERS\S-1-5-21-1800794445-1065419589-2087688078-1006\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Outlook\Settings\Sb*_*N篘噀鯪9Y\View]
"Data"=hex:04,16,00,47,28,14,14,14,0d,01,02,01,00,18,41,00,0d,00,fa,08,00,00,
8b,44,0d,00,fa,08,00,00,8b,44,0d,00,fa,08,00,00,8b,44,0d,00,fa,08,00,00,8b,\

[HKEY_USERS\S-1-5-21-1800794445-1065419589-2087688078-1006\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft PowerPoint\Settings\Sb*_\File Name MRU]
"Value"=multi:"\00\00"
"Maximum Entries"=dword:0000000a

[HKEY_USERS\S-1-5-21-1800794445-1065419589-2087688078-1006\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft PowerPoint\Settings\Sb*_\View]
"Data"=hex:04,16,00,17,28,14,14,14,0d,01,02,01,00,18,41,00,0d,00,fa,08,00,00,
bf,04,0d,00,fa,08,00,00,bf,04,0d,00,fa,08,00,00,bf,04,0d,00,fa,08,00,00,bf,\

[HKEY_USERS\S-1-5-21-1800794445-1065419589-2087688078-1006\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Word\Settings\Sb*_\File Name MRU]
"Value"=multi:"\00\00"
"Maximum Entries"=dword:0000000a

[HKEY_USERS\S-1-5-21-1800794445-1065419589-2087688078-1006\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Word\Settings\Sb*_\View]
"Data"=hex:04,16,00,47,28,14,14,14,0d,01,02,01,00,18,41,00,0d,00,fa,08,00,00,
8b,44,0d,00,fa,08,00,00,8b,44,0d,00,fa,08,00,00,8b,44,0d,00,fa,08,00,00,8b,\

[HKEY_USERS\S-1-5-21-1800794445-1065419589-2087688078-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*D*lZ]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1800794445-1065419589-2087688078-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*D*lZ\OpenWithList]
@Class="Shell"

[HKEY_USERS\S-1-5-21-1800794445-1065419589-2087688078-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Q*Q*8nb]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"Order"=hex:08,00,00,00,02,00,00,00,00,01,00,00,01,00,00,00,02,00,00,00,76,00,
00,00,00,00,00,00,68,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,56,00,36,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\MenuExt\鹠燫0RQ*Q*h埮`]
"contexts"=dword:00000002
@="d:\\Program Files\\Tencent\\QQ\\Bin\\AddEmotion.htm"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Q*Q*8nb]
"SlowInfoCache"=hex:28,02,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,18,83,8e,
56,7f,b4,c7,01,00,00,00,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,\
"Changed"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(852)
c:\windows\system32\VESWinlogon.dll

- - - - - - - > 'lsass.exe'(908)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(4028)
d:\program files\TortoiseSVN\bin\tortoisesvn.dll
d:\program files\TortoiseSVN\bin\intl3_svn.dll
c:\program files\Windows Media Player\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\program files\Norton AntiVirus\NavShExt.dll
c:\windows\system32\ccTrust.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
d:\progra~1\SPYBOT~1\SDHelper.dll
c:\windows\system32\jsproxy.dll
c:\progra~1\FlashGet\jccatch.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\Audiodev.dll
c:\windows\system32\WMVCore.DLL
c:\windows\system32\WMASF.DLL
.
------------------------ 其他运行进程 ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Microsoft LifeCam\MSCamSvc.exe
c:\program files\Norton AntiVirus\NAVAPSVC.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\program files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
d:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\program files\Apoint\ApntEx.exe
c:\windows\system32\msiexec.exe
c:\program files\Messenger\msmsgs.exe
.
**************************************************************************
.
Finish Time: 2009-05-06 14:39 - Computer Restarted
ComboFix-quarantined-files.txt 2009-05-06 21:39

Pre-Run: 2,115,399,680 bytes free
Post-Run: 2,046,734,336 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-CHS.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /PAE /NoExecute=OptOut

461 --- E O F --- 2009-05-04 13:50

Shaba

2009-05-08, 18:00

To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:

http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.

Shaba

2009-05-13, 16:32

Due to the lack of feedback this Topic is closed.

If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.

Everyone else please begin a New Topic.