Virtumonde and Vundo Problem

[lingra]

Acdsee 5.0 正式迷你中文版
Adobe Acrobat 5.0
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Photoshop 7.0 中文版
Adobe Reader 7.0 - Chinese Simplified
ArcSoft PhotoStudio 5.5
avast! Antivirus
AVSCodec 1.0
Canon CanoScan Toolbox 4.9
Canon PIXMA iP1000
Canon ScanGear Starter
Cisco Systems VPN Client 5.0.00.0340
Citrix Presentation Server 客户端 - 仅web
CoreAVC Professional Edition (remove only)
Easy-WebPrint
Gemplus Smart Card Reader Tools
Google Earth
Google 软件精选管理器
Haali Media Splitter
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
icbc_netbank_client_controls
InCD
InCD Reader
J2SE Runtime Environment 5.0 Update 11
Java(TM) 6 Update 7
Lingoes 2.4.5
Malwarebytes' Anti-Malware
Manual CanoScan LiDE 25
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (3.0.5)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Nero OEM
Picasa 2
Powerword 2005
QQ2006 Beta1SP4
QQ2007 Beta1
Realtek AC'97 Audio
Revo Uninstaller 1.75
RosettaStone V3.20c
Security Update for Windows Internet Explorer 7 (KB960714)
Speech Recognition Engine
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
VDrvInst
VIA Rhine-Family Fast Ethernet Adapter
VIA 平台设备管理员
VIA/S3G Display Driver
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7 安全更新 (KB938127)
Windows Internet Explorer 7 安全更新 (KB939653)
Windows Internet Explorer 7 安全更新 (KB942615)
Windows Internet Explorer 7 安全更新 (KB944533)
Windows Internet Explorer 7 安全更新 (KB950759)
Windows Internet Explorer 7 安全更新 (KB953838)
Windows Internet Explorer 7 安全更新 (KB956390)
Windows Internet Explorer 7 安全更新 (KB958215)
Windows Internet Explorer 7 修补程序 (KB947864)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player (KB952069) 安全更新
Windows Media Player 11
Windows Media Player 11
Windows Media Player 11 (KB936782) 安全更新
Windows Media Player 11 (KB939683) 修补程序
Windows Media Player 11 (KB954154) 安全更新
Windows XP (KB941569) 安全更新
Windows XP Service Pack 3
Windows XP 安全更新 (KB938464)
Windows XP 安全更新 (KB946648)
Windows XP 安全更新 (KB950760)
Windows XP 安全更新 (KB950762)
Windows XP 安全更新 (KB950974)
Windows XP 安全更新 (KB951066)
Windows XP 安全更新 (KB951376)
Windows XP 安全更新 (KB951376-v2)
Windows XP 安全更新 (KB951698)
Windows XP 安全更新 (KB951748)
Windows XP 安全更新 (KB952954)
Windows XP 安全更新 (KB953155)
Windows XP 安全更新 (KB953839)
Windows XP 安全更新 (KB954211)
Windows XP 安全更新 (KB954459)
Windows XP 安全更新 (KB954600)
Windows XP 安全更新 (KB955069)
Windows XP 安全更新 (KB956391)
Windows XP 安全更新 (KB956802)
Windows XP 安全更新 (KB956803)
Windows XP 安全更新 (KB956841)
Windows XP 安全更新 (KB957095)
Windows XP 安全更新 (KB957097)
Windows XP 安全更新 (KB958644)
Windows XP 更新 (KB951072-v2)
Windows XP 更新 (KB951618-v2)
Windows XP 更新 (KB951978)
Windows XP 更新 (KB954920-v2)
Windows XP 更新 (KB955839)
Windows XP 修补程序 (KB932716-v2)
Windows XP 修补程序 (KB942288-v3)
Windows XP 修补程序 (KB944043-v3)
Windows XP 修补程序 (KB951830)
Windows XP 修补程序 (KB952287)
Windows XP 修补程序 (KB954708)
Windows优化大师 V7.51.6.905
WinRAR 压缩文件管理器
广发证券独立委托程序 V4.83
广发证券至强版
汉王笔无线小金刚
豪杰超级解霸V8
金山快译 2003
卡卡上网安全助手
快车(FlashGet) 1.8.2.1001
宽带我世界
联想100分学校
联想标准功能键盘 V1.02
民生银行客户端安全控件
农行网上银行辅助工具
同花顺2007(v4.40.10,Build 2007.04.09)
同花顺工具条 - T
网通安全卫士
迅雷5
隐藏分区管理
招行专业版
智能维护3.0
中国网通CNCMAX客户端
中信银行网上银行安全控件

[Shaba]

IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

uTorrent

I'd like you to read the this thread.

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

Delete these afterwards:

c:\program files\uTorrent
c:\documents and settings\Owner\Application Data\uTorrent

Please run a new combofix scan when finished and post the log back here.

[lingra]

ComboFix 08-12-23.01 - Owner 2008-12-24 21:28:47.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.936.1.2052.18.735.463 [GMT 8:00]
执行位置: c:\documents and settings\Owner\桌面\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( 被删除的档案 )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Favorites\链接

.
((((((((((((((((((((((((( 2008-11-24 至 2008-12-24 的新的档案 )))))))))))))))))))))))))))))))
.

2008-12-24 20:31 . 2008-12-24 20:31 <DIR> d-------- c:\program files\Alwil Software
2008-12-23 08:43 . 2008-12-23 08:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Google Updater
2008-12-20 10:28 . 2008-12-20 10:29 1,639,241 ---hs---- c:\windows\system32\jbkohtrf.ini
2008-12-20 06:08 . 2008-12-20 06:08 1,661,209 ---hs---- c:\windows\system32\ylwahmrm.ini
2008-12-19 06:35 . 2008-12-19 06:35 <DIR> d-------- c:\windows\Internet Logs
2008-12-19 06:32 . 2008-12-19 06:32 <DIR> d-------- c:\program files\Common Files\Deterministic Networks
2008-12-19 06:32 . 2007-01-31 13:45 127,376 --a------ c:\windows\system32\drivers\dne2000.sys
2008-12-19 06:32 . 2007-01-31 13:45 101,904 --a------ c:\windows\system32\dneinobj.dll
2008-12-19 06:32 . 2008-12-19 06:33 1,593 --a------ c:\windows\VPNInstall.MIF
2008-12-19 06:31 . 2008-12-19 06:31 <DIR> d-------- c:\temp\vpn5
2008-12-19 06:31 . 2008-12-19 06:31 <DIR> d-------- C:\temp
2008-12-19 06:31 . 2008-12-19 06:31 <DIR> d-------- c:\program files\Cisco Systems
2008-12-19 06:07 . 2008-12-19 06:07 1,639,241 ---hs---- c:\windows\system32\fqgnwfsv.ini
2008-12-18 20:57 . 2008-12-18 20:57 <DIR> d-------- c:\documents and settings\Owner\Lb
2008-12-18 12:32 . 2008-12-18 12:32 <DIR> d-------- c:\program files\Trend Micro
2008-12-18 12:26 . 2008-12-18 12:26 91 --a------ c:\windows\wininit.ini
2008-12-18 06:03 . 2008-12-18 06:03 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-18 04:23 . 2008-12-18 04:23 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-18 04:23 . 2008-12-03 19:54 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-18 04:23 . 2008-12-03 19:54 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-18 04:16 . 2008-12-18 04:16 <DIR> d-------- c:\program files\VS Revo Group
2008-12-18 03:59 . 2008-12-18 03:59 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
2008-12-18 03:59 . 2008-12-18 03:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-06 11:11 . 2008-12-06 11:11 <DIR> d-------- c:\windows\已看未刻

.
(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-11-11 01:59 45,056 ----a-w c:\windows\ccn-racerpc-bj-uninstall.exe
2008-11-11 01:59 37,781 ----a-w c:\windows\system32\uninst_avs.exe
2008-11-11 01:59 --------- d-----w c:\program files\racer-ccn-racerpc-bj
2008-11-11 01:59 --------- d-----w c:\program files\cncsafe
2008-11-10 15:50 477,808 ------w c:\windows\system32\kmon.dll
2008-11-05 08:40 --------- d-----w c:\program files\CncimAdsl
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:38 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:38 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 13:11 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-10-16 13:09 70,656 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 06:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 06:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 06:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 06:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 06:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 06:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 06:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 06:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 06:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 06:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 06:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 06:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 06:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 06:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 06:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-15 16:35 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-15 07:06 633,632 ----a-w c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 ----a-w c:\windows\system32\dllcache\ieakui.dll
2008-10-07 14:37 136 ----a-w c:\program files\Common Files\jyverify.dat
2008-10-07 11:42 96,880 ----a-w c:\windows\system32\KakaTool.dll
2008-10-03 10:03 246,814 ----a-w c:\windows\system32\strmdll.dll
2008-10-03 10:03 246,814 ----a-w c:\windows\system32\dllcache\strmdll.dll
2008-09-30 08:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-16 22:08 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091720080918\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-12-24_ 6.52.33.79 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-17 14:45:46 1,666 ----a-w c:\windows\install.dat
+ 2008-11-23 11:34:08 1,666 ----a-w c:\windows\install.dat
+ 2008-11-26 17:21:30 1,236,208 ----a-w c:\windows\system32\aswBoot.exe
+ 2008-11-26 17:15:10 97,480 ----a-w c:\windows\system32\AvastSS.scr
+ 2008-11-26 17:15:36 26,944 ----a-w c:\windows\system32\drivers\aavmker4.sys
+ 2008-11-26 17:17:26 20,560 ----a-w c:\windows\system32\drivers\aswFsBlk.sys
+ 2008-11-26 17:18:26 93,296 ----a-w c:\windows\system32\drivers\aswmon.sys
+ 2008-11-26 17:18:18 94,032 ----a-w c:\windows\system32\drivers\aswmon2.sys
+ 2008-11-26 17:16:30 23,152 ----a-w c:\windows\system32\drivers\aswRdr.sys
+ 2008-11-26 17:17:36 111,184 ----a-w c:\windows\system32\drivers\aswSP.sys
+ 2008-11-26 17:16:38 50,864 ----a-w c:\windows\system32\drivers\aswTdi.sys
+ 2008-12-24 12:33:24 16,384 ----a-w c:\windows\temp\Perflib_Perfdata_750.dat
.
((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-17 208952]
"gemstrmw"="c:\windows\system32\gemstrmw.exe" [2003-08-29 24576]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"runeip"="d:\卡卡\rstray.exe" [2008-09-13 141936]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Google Updater"="c:\program files\Google\Google Updater\GoogleUpdater.exe" [2008-12-23 161264]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-27 81000]
"SoundMan"="SOUNDMAN.EXE" [2004-05-14 c:\windows\SOUNDMAN.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"KKDelay"="d:\卡卡\RunOnce.exe" [2008-08-04 68208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\「开始」菜单\程序\启动\
HWShell.lnk - e:\hw99\HWPEN\HWshell.EXE [2008-08-03 917504]
VPN Client.lnk - c:\windows\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2008-12-19 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=kmon.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^「开始」菜单^程序^启动^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^「开始」菜单^程序^启动^腾讯QQ.LNK]
backup=c:\windows\pss\腾讯QQ.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMSCMig]
--a------ 2003-07-14 22:57 13368 c:\progra~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegNetPass]
--a------ 2004-05-09 15:30 45056 c:\windows\system32\RegCsp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysExplr]
--a------ 2005-08-29 17:59 69632 c:\herosoft\HeroV8\SysExplr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LHotkey]
--a------ 2005-04-15 11:49 40960 c:\windows\LHOTKEY.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
--a------ 2005-03-08 03:33 53248 c:\windows\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]
--a------ 2005-03-11 17:33 147456 c:\windows\system32\VTTrayp.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\qq\\0612\\QQ.exe"=
"e:\\qq\\0612\\QQUpdateCenter.exe"=
"e:\\qq\\0612\\Qzone\\Qzone.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Thunder Network\\Thunder\\Program\\Thunder5.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

R0 HpaFilt;HpaFilt;c:\windows\system32\drivers\HpaFilt.sys [2005-08-29 10880]
R0 HpaLower;HpaLower;c:\windows\system32\drivers\HpaLower.sys [2005-08-29 2048]
R0 pciidey;pciidey;c:\windows\system32\drivers\pciidey.sys [2005-08-29 4608]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-24 111184]
R1 FixDrv;FixDrv;c:\windows\system32\drivers\FixDrv.sys [2005-08-29 6144]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-12-24 20560]
R2 BaseTDI;Rising TDI Base Driver;c:\windows\system32\DRIVERS\BaseTDI.SYS [2006-12-26 13364]
R2 CMB8100;CMB8100;\??\c:\windows\system32\Drivers\CertClient.dat [2007-05-14 3038]
R2 CMBProtector;CMBProtector;\??\c:\windows\system32\Drivers\CMBProtector.dat [2006-12-28 3584]
S3 CALLKEY_IO;CALLKEY_IO;\??\c:\program files\lenovo\智能维护3.0\CALLKEY.sys [2005-08-29 3072]
S3 GKeyUSB;GKeyUSB;c:\windows\system32\Drivers\GKeyUSB.sys [2006-12-27 62096]
S3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\DRIVERS\OVCE.sys [2007-02-08 31872]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{769f8fa8-1e51-11dc-9210-00142a43674d}]
\Shell\AutoRun\command - desktop.ion

*Newly Created Service* - AAVMKER4
*Newly Created Service* - ASWFSBLK
*Newly Created Service* - ASWMON2
*Newly Created Service* - ASWRDR
*Newly Created Service* - ASWSP
*Newly Created Service* - ASWTDI
*Newly Created Service* - ASWUPDSV
*Newly Created Service* - AVAST!_ANTIVIRUS
*Newly Created Service* - AVAST!_MAIL_SCANNER
*Newly Created Service* - AVAST!_WEB_SCANNER
.
‘计划任务’ 文件夹 里的内容

2008-12-21 c:\windows\Tasks\Update.job
- c:\windows\wintask.exe []
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{39852EFE-325B-45EF-9A60-3DBECD2DDDD5} - c:\windows\system32\thsbar.dll


.
------- 而外的扫描 -------
.
uStart Page = about:blank
IE: e:\qq\0612\SendMMS.htm
IE: &使用快车(FlashGet)下载 - e:\其他软件和杂件（2）\国际快车\jc_link.htm
IE: &使用快车(FlashGet)下载全部链接 - e:\其他软件和杂件（2）\国际快车\jc_all.htm
IE: Easy-WebPrint打印 - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Easy-WebPrint添加到打印列表 - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint预览 - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint高速打印 - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: 上传到QQ网络硬盘 - e:\qq\0612\AddToNetDisk.htm
IE: 使用迅雷下载 - c:\program files\Thunder Network\Thunder\Program\geturl.htm
IE: 使用迅雷下载全部链接 - c:\program files\Thunder Network\Thunder\Program\getallurl.htm
IE: 导出到 Microsoft Office Excel(&X) - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: 添加到QQ自定义面板 - e:\qq\0612\AddPanel.htm
IE: 添加到QQ表情 - e:\qq\0612\AddEmotion.htm
IE: 用QQ彩信发送该图片 - e:\qq\0612\SendMMS.htm
IE: 百度Flash搜索 - c:\windows\DOWNLO~1\BaiDuBar.dll/FLASHSEARCH.HTM
IE: 百度mp3搜索 - c:\windows\DOWNLO~1\BaiDuBar.dll/BAIDUMP3.HTM
IE: 百度信息快递搜索 - c:\windows\DOWNLO~1\BaiDuBar.dll/BAIDUIE.HTM
IE: 百度图片搜索 - c:\windows\DOWNLO~1\BaiDuBar.dll/BAIDUIMG.HTM
IE: 百度搜索 - c:\windows\DOWNLO~1\BaiDuBar.dll/BAIDUSEARCH.HTM
IE: 百度新闻搜索 - c:\windows\DOWNLO~1\BaiDuBar.dll/BAIDUNEWS.HTM
IE: 豪杰超级解霸V8实时播放 - c:\herosoft\HeroV8\MPURLGET.HTM
IE: {{09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - c:\program files\Thunder Network\Thunder\Thunder.exe
IE: {{367E0A21-8601-4986-9C9A-153BF5ACA118} - c:\herosoft\HeroV8\STHSDVD.EXE
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157b} - e:\qq\0612\QQ.EXE
IE: {{09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - c:\program files\Thunder Network\Thunder\Thunder.exe -
IE: {{367E0A21-8601-4986-9C9A-153BF5ACA118} - c:\herosoft\HeroV8\STHSDVD.EXE -
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157b} - e:\qq\0612\QQ.EXE -
IE: {{DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - {39732CE5-0EE6-401A-A0B2-27F46B755C5B} - d:\新建文件夹 (2)\QQIEHelper.dll
Trusted Zone: easyabc.95599.cn
Trusted Zone: www.95599.cn
TCP: {A6301F3A-5A04-4073-9CF8-CFD570815B08} = 202.106.195.68 202.106.46.151
Handler: KuGoo - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - c:\windows\system32\KuGoo3DownXControl.ocx
Handler: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - c:\windows\system32\KuGoo3DownXControl.ocx

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

c:\windows\system32\CMBEdit.dll - O16 -: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D}
hxxps://www.sz1.cmbchina.com/download/CMBEdit.cab
c:\windows\Downloaded Program Files\CMBEdit.inf

c:\windows\Downloaded Program Files\GemOCX.ocx - O16 -: {1D90741B-F236-4D21-94F6-F70631BF3CA3}
hxxps://mybank.icbc.com.cn/icbc/GemOCX.cab
c:\windows\Downloaded Program Files\GemOCX.inf

c:\windows\Downloaded Program Files\PwdEdit.ocx - O16 -: {5467862B-C477-437F-886E-EC5006B37DCA}
hxxps://ebank.cmbc.com.cn/PwdEdit.cab
c:\windows\Downloaded Program Files\PwdEdit.inf

c:\windows\system32\msvcp60.dll - c:\windows\Downloaded Program Files\SubmitControl.dll
c:\windows\Downloaded Program Files\InputControl.dll
O16 -: {73E4740C-08EB-4133-896B-8D0A7C9EE3CD}
hxxps://mybank.icbc.com.cn/icbc/perbank/AxSafeControls.cab
c:\windows\Downloaded Program Files\AxSafeControls.inf

c:\windows\system32\msvcp60.dll - c:\windows\Downloaded Program Files\CONFLICT.1\SubmitControl.dll
c:\windows\Downloaded Program Files\CONFLICT.1\InputControl.dll
O16 -: {8D9E0B29-563C-4226-86C1-5FF2AE77E1D2}
hxxps://mybank.icbc.com.cn/icbc/perbank/AxSafeControls.cab
c:\windows\Downloaded Program Files\CONFLICT.1\AxSafeControls.inf
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\m0jlamgx.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage -
FF - prefs.js: network.proxy.http - 128.59.67.200:3124
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Acrobatchs\Reader\browser\nppdf32.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1439.6872\npCIDetect13.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-24 21:30:05
Windows 5.1.2600 Service Pack 3 FAT NTAPI

扫描被隐藏的进程。。。 ...

扫描被隐藏的启动组。。。

扫描被隐藏的文件。。。

扫描完成
被隐藏的档案: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\CMB8100]
"ImagePath"="\??\c:\windows\system32\Drivers\CertClient.dat"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\CMBProtector]
"ImagePath"="\??\c:\windows\system32\Drivers\CMBProtector.dat"
.
完成时间: 2008-12-24 21:30:46
ComboFix-quarantined-files.txt 2008-12-24 13:30:46
ComboFix2.txt 2008-12-23 22:53:10

Pre-Run: 4,939,915,264 可用字节
Post-Run: 4,947,804,160 可用字节

259 --- E O F --- 2008-12-11 04:31:16

[Shaba]

Open notepad and copy/paste the text in the codebox below into it:

Code:

File::
c:\windows\system32\jbkohtrf.ini
c:\windows\system32\ylwahmrm.ini
c:\windows\system32\dneinobj.dll

Folder::
c:\temp\vpn5

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{769f8fa8-1e51-11dc-9210-00142a43674d}]

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.

[lingra]

Here are the logs as requested. Thanks.


ComboFix 08-12-24.01 - Owner 2008-12-25 7:14:51.3 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.936.1.2052.18.735.447 [GMT 8:00]
执行位置: c:\documents and settings\Owner\桌面\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\桌面\CFScript.txt
* 成功创造新还原点

FILE ::
c:\windows\system32\dneinobj.dll
c:\windows\system32\jbkohtrf.ini
c:\windows\system32\ylwahmrm.ini
.

((((((((((((((((((((((((((((((((((((((( 被删除的档案 )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Favorites\链接
c:\temp\vpn5
c:\temp\vpn5\DelayInst.exe
c:\temp\vpn5\Firewall_Exception_2k-xp.bat
c:\temp\vpn5\installservice.exe
c:\temp\vpn5\instmsi.exe
c:\temp\vpn5\instmsiw.exe
c:\temp\vpn5\pcf.exe
c:\temp\vpn5\sig.dat
c:\temp\vpn5\UTSW Campus Wireless.pcf
c:\temp\vpn5\UTSW Remote with NAT.pcf
c:\temp\vpn5\UTSW Remote without NAT.pcf
c:\temp\vpn5\vpnclient_fc.mst
c:\temp\vpn5\vpnclient_jp.mst
c:\temp\vpn5\vpnclient_setup.exe
c:\temp\vpn5\vpnclient_setup.ini
c:\temp\vpn5\vpnclient_setup.msi
c:\temp\vpn5\vpnclient_setup.pdf
c:\temp\vpn5\vpnclient_setup.sms
c:\windows\system32\dneinobj.dll
c:\windows\system32\jbkohtrf.ini
c:\windows\system32\ylwahmrm.ini

.
((((((((((((((((((((((((( 2008-11-24 至 2008-12-24 的新的档案 )))))))))))))))))))))))))))))))
.

2008-12-24 20:31 . 2008-12-24 20:31 <DIR> d-------- c:\program files\Alwil Software
2008-12-23 08:43 . 2008-12-23 08:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Google Updater
2008-12-19 06:35 . 2008-12-19 06:35 <DIR> d-------- c:\windows\Internet Logs
2008-12-19 06:32 . 2008-12-19 06:32 <DIR> d-------- c:\program files\Common Files\Deterministic Networks
2008-12-19 06:32 . 2007-01-31 13:45 127,376 --a------ c:\windows\system32\drivers\dne2000.sys
2008-12-19 06:32 . 2008-12-19 06:33 1,593 --a------ c:\windows\VPNInstall.MIF
2008-12-19 06:31 . 2008-12-19 06:31 <DIR> d-------- C:\temp
2008-12-19 06:31 . 2008-12-19 06:31 <DIR> d-------- c:\program files\Cisco Systems
2008-12-19 06:07 . 2008-12-19 06:07 1,639,241 ---hs---- c:\windows\system32\fqgnwfsv.ini
2008-12-18 20:57 . 2008-12-18 20:57 <DIR> d-------- c:\documents and settings\Owner\Lb
2008-12-18 12:32 . 2008-12-18 12:32 <DIR> d-------- c:\program files\Trend Micro
2008-12-18 12:26 . 2008-12-18 12:26 91 --a------ c:\windows\wininit.ini
2008-12-18 06:03 . 2008-12-18 06:03 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-18 04:23 . 2008-12-18 04:23 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-18 04:23 . 2008-12-03 19:54 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-18 04:23 . 2008-12-03 19:54 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-18 04:16 . 2008-12-18 04:16 <DIR> d-------- c:\program files\VS Revo Group
2008-12-18 03:59 . 2008-12-18 03:59 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
2008-12-18 03:59 . 2008-12-18 03:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-06 11:11 . 2008-12-06 11:11 <DIR> d-------- c:\windows\已看未刻

.
(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-11-11 01:59 45,056 ----a-w c:\windows\ccn-racerpc-bj-uninstall.exe
2008-11-11 01:59 37,781 ----a-w c:\windows\system32\uninst_avs.exe
2008-11-11 01:59 --------- d-----w c:\program files\racer-ccn-racerpc-bj
2008-11-11 01:59 --------- d-----w c:\program files\cncsafe
2008-11-10 15:50 477,808 ------w c:\windows\system32\kmon.dll
2008-11-05 08:40 --------- d-----w c:\program files\CncimAdsl
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:38 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:38 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 13:11 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-10-16 13:09 70,656 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 06:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 06:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 06:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 06:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 06:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 06:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 06:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 06:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 06:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 06:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 06:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 06:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 06:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 06:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 06:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-15 16:35 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-15 07:06 633,632 ----a-w c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 ----a-w c:\windows\system32\dllcache\ieakui.dll
2008-10-07 14:37 136 ----a-w c:\program files\Common Files\jyverify.dat
2008-10-07 11:42 96,880 ----a-w c:\windows\system32\KakaTool.dll
2008-10-03 10:03 246,814 ----a-w c:\windows\system32\strmdll.dll
2008-10-03 10:03 246,814 ----a-w c:\windows\system32\dllcache\strmdll.dll
2008-09-30 08:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-16 22:08 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091720080918\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-12-24_ 6.52.33.79 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-17 14:45:46 1,666 ----a-w c:\windows\install.dat
+ 2008-11-23 11:34:08 1,666 ----a-w c:\windows\install.dat
+ 2008-11-26 17:21:30 1,236,208 ----a-w c:\windows\system32\aswBoot.exe
+ 2008-11-26 17:15:10 97,480 ----a-w c:\windows\system32\AvastSS.scr
+ 2008-11-26 17:15:36 26,944 ----a-w c:\windows\system32\drivers\aavmker4.sys
+ 2008-11-26 17:17:26 20,560 ----a-w c:\windows\system32\drivers\aswFsBlk.sys
+ 2008-11-26 17:18:26 93,296 ----a-w c:\windows\system32\drivers\aswmon.sys
+ 2008-11-26 17:18:18 94,032 ----a-w c:\windows\system32\drivers\aswmon2.sys
+ 2008-11-26 17:16:30 23,152 ----a-w c:\windows\system32\drivers\aswRdr.sys
+ 2008-11-26 17:17:36 111,184 ----a-w c:\windows\system32\drivers\aswSP.sys
+ 2008-11-26 17:16:38 50,864 ----a-w c:\windows\system32\drivers\aswTdi.sys
+ 2008-12-24 23:07:24 16,384 ----a-w c:\windows\temp\Perflib_Perfdata_670.dat
.
((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-17 208952]
"gemstrmw"="c:\windows\system32\gemstrmw.exe" [2003-08-29 24576]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"runeip"="d:\卡卡\rstray.exe" [2008-09-13 141936]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Google Updater"="c:\program files\Google\Google Updater\GoogleUpdater.exe" [2008-12-23 161264]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-27 81000]
"SoundMan"="SOUNDMAN.EXE" [2004-05-14 c:\windows\SOUNDMAN.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"KKDelay"="d:\卡卡\RunOnce.exe" [2008-08-04 68208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\「开始」菜单\程序\启动\
HWShell.lnk - e:\hw99\HWPEN\HWshell.EXE [2008-08-03 917504]
VPN Client.lnk - c:\windows\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2008-12-19 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=kmon.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^「开始」菜单^程序^启动^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^「开始」菜单^程序^启动^腾讯QQ.LNK]
backup=c:\windows\pss\腾讯QQ.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMSCMig]
--a------ 2003-07-14 22:57 13368 c:\progra~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegNetPass]
--a------ 2004-05-09 15:30 45056 c:\windows\system32\RegCsp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysExplr]
--a------ 2005-08-29 17:59 69632 c:\herosoft\HeroV8\SysExplr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LHotkey]
--a------ 2005-04-15 11:49 40960 c:\windows\LHOTKEY.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
--a------ 2005-03-08 03:33 53248 c:\windows\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]
--a------ 2005-03-11 17:33 147456 c:\windows\system32\VTTrayp.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\qq\\0612\\QQ.exe"=
"e:\\qq\\0612\\QQUpdateCenter.exe"=
"e:\\qq\\0612\\Qzone\\Qzone.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Thunder Network\\Thunder\\Program\\Thunder5.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

R0 HpaFilt;HpaFilt;c:\windows\system32\drivers\HpaFilt.sys [2005-08-29 10880]
R0 HpaLower;HpaLower;c:\windows\system32\drivers\HpaLower.sys [2005-08-29 2048]
R0 pciidey;pciidey;c:\windows\system32\drivers\pciidey.sys [2005-08-29 4608]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-24 111184]
R1 FixDrv;FixDrv;c:\windows\system32\drivers\FixDrv.sys [2005-08-29 6144]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-12-24 20560]
R2 BaseTDI;Rising TDI Base Driver;c:\windows\system32\DRIVERS\BaseTDI.SYS [2006-12-26 13364]
R2 CMB8100;CMB8100;\??\c:\windows\system32\Drivers\CertClient.dat [2007-05-14 3038]
R2 CMBProtector;CMBProtector;\??\c:\windows\system32\Drivers\CMBProtector.dat [2006-12-28 3584]
S3 CALLKEY_IO;CALLKEY_IO;\??\c:\program files\lenovo\智能维护3.0\CALLKEY.sys [2005-08-29 3072]
S3 GKeyUSB;GKeyUSB;c:\windows\system32\Drivers\GKeyUSB.sys [2006-12-27 62096]
S3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\DRIVERS\OVCE.sys [2007-02-08 31872]
.
‘计划任务’ 文件夹 里的内容

2008-12-21 c:\windows\Tasks\Update.job
- c:\windows\wintask.exe []
.
.
------- 而外的扫描 -------
.
uStart Page = about:blank
IE: e:\qq\0612\SendMMS.htm
IE: &使用快车(FlashGet)下载 - e:\其他软件和杂件（2）\国际快车\jc_link.htm
IE: &使用快车(FlashGet)下载全部链接 - e:\其他软件和杂件（2）\国际快车\jc_all.htm
IE: Easy-WebPrint打印 - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Easy-WebPrint添加到打印列表 - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint预览 - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint高速打印 - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: 上传到QQ网络硬盘 - e:\qq\0612\AddToNetDisk.htm
IE: 使用迅雷下载 - c:\program files\Thunder Network\Thunder\Program\geturl.htm
IE: 使用迅雷下载全部链接 - c:\program files\Thunder Network\Thunder\Program\getallurl.htm
IE: 导出到 Microsoft Office Excel(&X) - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: 添加到QQ自定义面板 - e:\qq\0612\AddPanel.htm
IE: 添加到QQ表情 - e:\qq\0612\AddEmotion.htm
IE: 用QQ彩信发送该图片 - e:\qq\0612\SendMMS.htm
IE: 百度Flash搜索 - c:\windows\DOWNLO~1\BaiDuBar.dll/FLASHSEARCH.HTM
IE: 百度mp3搜索 - c:\windows\DOWNLO~1\BaiDuBar.dll/BAIDUMP3.HTM
IE: 百度信息快递搜索 - c:\windows\DOWNLO~1\BaiDuBar.dll/BAIDUIE.HTM
IE: 百度图片搜索 - c:\windows\DOWNLO~1\BaiDuBar.dll/BAIDUIMG.HTM
IE: 百度搜索 - c:\windows\DOWNLO~1\BaiDuBar.dll/BAIDUSEARCH.HTM
IE: 百度新闻搜索 - c:\windows\DOWNLO~1\BaiDuBar.dll/BAIDUNEWS.HTM
IE: 豪杰超级解霸V8实时播放 - c:\herosoft\HeroV8\MPURLGET.HTM
IE: {{09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - c:\program files\Thunder Network\Thunder\Thunder.exe
IE: {{367E0A21-8601-4986-9C9A-153BF5ACA118} - c:\herosoft\HeroV8\STHSDVD.EXE
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157b} - e:\qq\0612\QQ.EXE
IE: {{09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - c:\program files\Thunder Network\Thunder\Thunder.exe -
IE: {{367E0A21-8601-4986-9C9A-153BF5ACA118} - c:\herosoft\HeroV8\STHSDVD.EXE -
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157b} - e:\qq\0612\QQ.EXE -
IE: {{DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - {39732CE5-0EE6-401A-A0B2-27F46B755C5B} - d:\新建文件夹 (2)\QQIEHelper.dll
Trusted Zone: easyabc.95599.cn
Trusted Zone: www.95599.cn
TCP: {A6301F3A-5A04-4073-9CF8-CFD570815B08} = 202.106.195.68 202.106.46.151
Handler: KuGoo - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - c:\windows\system32\KuGoo3DownXControl.ocx
Handler: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - c:\windows\system32\KuGoo3DownXControl.ocx

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

c:\windows\system32\CMBEdit.dll - O16 -: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D}
hxxps://www.sz1.cmbchina.com/download/CMBEdit.cab
c:\windows\Downloaded Program Files\CMBEdit.inf

c:\windows\Downloaded Program Files\GemOCX.ocx - O16 -: {1D90741B-F236-4D21-94F6-F70631BF3CA3}
hxxps://mybank.icbc.com.cn/icbc/GemOCX.cab
c:\windows\Downloaded Program Files\GemOCX.inf

c:\windows\Downloaded Program Files\PwdEdit.ocx - O16 -: {5467862B-C477-437F-886E-EC5006B37DCA}
hxxps://ebank.cmbc.com.cn/PwdEdit.cab
c:\windows\Downloaded Program Files\PwdEdit.inf

c:\windows\system32\msvcp60.dll - c:\windows\Downloaded Program Files\SubmitControl.dll
c:\windows\Downloaded Program Files\InputControl.dll
O16 -: {73E4740C-08EB-4133-896B-8D0A7C9EE3CD}
hxxps://mybank.icbc.com.cn/icbc/perbank/AxSafeControls.cab
c:\windows\Downloaded Program Files\AxSafeControls.inf

c:\windows\system32\msvcp60.dll - c:\windows\Downloaded Program Files\CONFLICT.1\SubmitControl.dll
c:\windows\Downloaded Program Files\CONFLICT.1\InputControl.dll
O16 -: {8D9E0B29-563C-4226-86C1-5FF2AE77E1D2}
hxxps://mybank.icbc.com.cn/icbc/perbank/AxSafeControls.cab
c:\windows\Downloaded Program Files\CONFLICT.1\AxSafeControls.inf
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\m0jlamgx.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage -
FF - prefs.js: network.proxy.http - 128.59.67.200:3124
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Acrobatchs\Reader\browser\nppdf32.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1439.6872\npCIDetect13.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-25 07:16:34
Windows 5.1.2600 Service Pack 3 FAT NTAPI

扫描被隐藏的进程。。。 ...

扫描被隐藏的启动组。。。

扫描被隐藏的文件。。。

扫描完成
被隐藏的档案: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\CMB8100]
"ImagePath"="\??\c:\windows\system32\Drivers\CertClient.dat"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\CMBProtector]
"ImagePath"="\??\c:\windows\system32\Drivers\CMBProtector.dat"
.
完成时间: 2008-12-25 7:17:15
ComboFix-quarantined-files.txt 2008-12-24 23:17:14
ComboFix3.txt 2008-12-23 22:53:10
ComboFix2.txt 2008-12-24 13:30:48

Pre-Run: 4,881,850,368 可用字节
Post-Run: 4,868,505,600 可用字节

269 --- E O F --- 2008-12-11 04:31:16



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:18:54, on 2008-12-25
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
D:\卡卡\rstray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
E:\HW99\HWPEN\HWshell.EXE
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\lingra.exe

O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: (no name) - {06849E9E-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - E:\其他软件和杂件（2）\国际快车\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - F:\其他软件和杂件（2）\国际快车\getflash.dll (file missing)
O3 - Toolbar: 金山快译(&K) - {6C3797D2-3FEF-4cd4-B654-D3AE55B4128C} - C:\PROGRA~1\Kingsoft\FASTAI~1\IEBand.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [gemstrmw] C:\WINDOWS\system32\gemstrmw.exe /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [runeip] "D:\卡卡\rstray.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Google Updater] "C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -systray -startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunOnce: [KKDelay] D:\卡卡\RunOnce.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HWShell.lnk = ?
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &使用快车(FlashGet)下载 - E:\其他软件和杂件（2）\国际快车\jc_link.htm
O8 - Extra context menu item: &使用快车(FlashGet)下载全部链接 - E:\其他软件和杂件（2）\国际快车\jc_all.htm
O8 - Extra context menu item: Easy-WebPrint打印 - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint添加到打印列表 - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint预览 - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint高速打印 - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: 上传到QQ网络硬盘 - E:\qq\0612\AddToNetDisk.htm
O8 - Extra context menu item: 使用迅雷下载 - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到QQ自定义面板 - E:\qq\0612\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - E:\qq\0612\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - E:\qq\0612\SendMMS.htm
O8 - Extra context menu item: 百度Flash搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/FLASHSEARCH.HTM
O8 - Extra context menu item: 百度mp3搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUMP3.HTM
O8 - Extra context menu item: 百度信息快递搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUIE.HTM
O8 - Extra context menu item: 百度图片搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUIMG.HTM
O8 - Extra context menu item: 百度搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUSEARCH.HTM
O8 - Extra context menu item: 百度新闻搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUNEWS.HTM
O8 - Extra context menu item: 豪杰超级解霸V8实时播放 - C:\Herosoft\HeroV8\MPURLGET.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 控制台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: 启动迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: 启动迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra button: 豪杰超级解霸V8 - {367E0A21-8601-4986-9C9A-153BF5ACA118} - C:\Herosoft\HeroV8\STHSDVD.EXE
O9 - Extra 'Tools' menuitem: 豪杰超级解霸V8 - {367E0A21-8601-4986-9C9A-153BF5ACA118} - C:\Herosoft\HeroV8\STHSDVD.EXE
O9 - Extra button: 信息检索 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - E:\qq\0612\QQ.EXE
O9 - Extra 'Tools' menuitem: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - E:\qq\0612\QQ.EXE
O9 - Extra button: 快车 - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\其他软件和杂件（2）\国际快车\FlashGet.exe (file missing)
O9 - Extra 'Tools' menuitem: 快车(FlashGet) - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\其他软件和杂件（2）\国际快车\FlashGet.exe (file missing)
O9 - Extra button: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - D:\新建文件夹 (2)\QQIEHelper.dll (file missing)
O9 - Extra 'Tools' menuitem: QQ炫彩工具条设置 - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - D:\新建文件夹 (2)\QQIEHelper.dll (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com
O15 - Trusted Zone: http://*.221.208.242.29
O15 - Trusted Zone: http://*.221.208.250.138
O15 - Trusted Zone: easyabc.95599.cn
O15 - Trusted Zone: www.95599.cn
O15 - Trusted Zone: http://*.cncmax.cn
O15 - Trusted Zone: http://*.cncmax.hl.cn
O15 - Trusted Zone: http://*.cncmax.tj.cn
O15 - Trusted Zone: http://www.icbc.com.cn
O15 - Trusted Zone: http://*.passport.cncmax.cn
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} (Edit Class) - https://www.sz1.cmbchina.com/download/CMBEdit.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D90741B-F236-4D21-94F6-F70631BF3CA3} (GemOCX Control) - https://mybank.icbc.com.cn/icbc/GemOCX.cab
O16 - DPF: {5467862B-C477-437F-886E-EC5006B37DCA} (PwdEdit Control) - https://ebank.cmbc.com.cn/PwdEdit.cab
O16 - DPF: {73E4740C-08EB-4133-896B-8D0A7C9EE3CD} (AxInputControl Class) - https://mybank.icbc.com.cn/icbc/perb...feControls.cab
O16 - DPF: {8D9E0B29-563C-4226-86C1-5FF2AE77E1D2} (AxSubmitControl Class) - https://mybank.icbc.com.cn/icbc/perb...feControls.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6301F3A-5A04-4073-9CF8-CFD570815B08}: NameServer = 202.106.195.68 202.106.46.151
O18 - Protocol: KuGoo - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - C:\WINDOWS\system32\KuGoo3DownXControl.ocx
O18 - Protocol: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - C:\WINDOWS\system32\KuGoo3DownXControl.ocx
O20 - AppInit_DLLs: kmon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O24 - Desktop Component 0: (no name) - http://www.cncard.com./images/product_logo/030002.gif

--
End of file - 10332 bytes

[Shaba]

Open notepad and copy/paste the text in the codebox below into it:

Code:

File::
c:\windows\system32\fqgnwfsv.ini

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

[lingra]

Here's the requested logs, thanks!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:09:24, on 2008-12-25
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
D:\卡卡\rstray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
E:\HW99\HWPEN\HWshell.EXE
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\lingra.exe

O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: (no name) - {06849E9E-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - E:\其他软件和杂件（2）\国际快车\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - F:\其他软件和杂件（2）\国际快车\getflash.dll (file missing)
O3 - Toolbar: 金山快译(&K) - {6C3797D2-3FEF-4cd4-B654-D3AE55B4128C} - C:\PROGRA~1\Kingsoft\FASTAI~1\IEBand.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [gemstrmw] C:\WINDOWS\system32\gemstrmw.exe /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [runeip] "D:\卡卡\rstray.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Google Updater] "C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -systray -startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunOnce: [KKDelay] D:\卡卡\RunOnce.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HWShell.lnk = ?
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &使用快车(FlashGet)下载 - E:\其他软件和杂件（2）\国际快车\jc_link.htm
O8 - Extra context menu item: &使用快车(FlashGet)下载全部链接 - E:\其他软件和杂件（2）\国际快车\jc_all.htm
O8 - Extra context menu item: Easy-WebPrint打印 - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint添加到打印列表 - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint预览 - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint高速打印 - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: 上传到QQ网络硬盘 - E:\qq\0612\AddToNetDisk.htm
O8 - Extra context menu item: 使用迅雷下载 - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到QQ自定义面板 - E:\qq\0612\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - E:\qq\0612\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - E:\qq\0612\SendMMS.htm
O8 - Extra context menu item: 百度Flash搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/FLASHSEARCH.HTM
O8 - Extra context menu item: 百度mp3搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUMP3.HTM
O8 - Extra context menu item: 百度信息快递搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUIE.HTM
O8 - Extra context menu item: 百度图片搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUIMG.HTM
O8 - Extra context menu item: 百度搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUSEARCH.HTM
O8 - Extra context menu item: 百度新闻搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUNEWS.HTM
O8 - Extra context menu item: 豪杰超级解霸V8实时播放 - C:\Herosoft\HeroV8\MPURLGET.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 控制台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: 启动迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: 启动迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra button: 豪杰超级解霸V8 - {367E0A21-8601-4986-9C9A-153BF5ACA118} - C:\Herosoft\HeroV8\STHSDVD.EXE
O9 - Extra 'Tools' menuitem: 豪杰超级解霸V8 - {367E0A21-8601-4986-9C9A-153BF5ACA118} - C:\Herosoft\HeroV8\STHSDVD.EXE
O9 - Extra button: 信息检索 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - E:\qq\0612\QQ.EXE
O9 - Extra 'Tools' menuitem: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - E:\qq\0612\QQ.EXE
O9 - Extra button: 快车 - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\其他软件和杂件（2）\国际快车\FlashGet.exe (file missing)
O9 - Extra 'Tools' menuitem: 快车(FlashGet) - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\其他软件和杂件（2）\国际快车\FlashGet.exe (file missing)
O9 - Extra button: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - D:\新建文件夹 (2)\QQIEHelper.dll (file missing)
O9 - Extra 'Tools' menuitem: QQ炫彩工具条设置 - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - D:\新建文件夹 (2)\QQIEHelper.dll (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com
O15 - Trusted Zone: http://*.221.208.242.29
O15 - Trusted Zone: http://*.221.208.250.138
O15 - Trusted Zone: easyabc.95599.cn
O15 - Trusted Zone: www.95599.cn
O15 - Trusted Zone: http://*.cncmax.cn
O15 - Trusted Zone: http://*.cncmax.hl.cn
O15 - Trusted Zone: http://*.cncmax.tj.cn
O15 - Trusted Zone: http://www.icbc.com.cn
O15 - Trusted Zone: http://*.passport.cncmax.cn
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} (Edit Class) - https://www.sz1.cmbchina.com/download/CMBEdit.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D90741B-F236-4D21-94F6-F70631BF3CA3} (GemOCX Control) - https://mybank.icbc.com.cn/icbc/GemOCX.cab
O16 - DPF: {5467862B-C477-437F-886E-EC5006B37DCA} (PwdEdit Control) - https://ebank.cmbc.com.cn/PwdEdit.cab
O16 - DPF: {73E4740C-08EB-4133-896B-8D0A7C9EE3CD} (AxInputControl Class) - https://mybank.icbc.com.cn/icbc/perb...feControls.cab
O16 - DPF: {8D9E0B29-563C-4226-86C1-5FF2AE77E1D2} (AxSubmitControl Class) - https://mybank.icbc.com.cn/icbc/perb...feControls.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6301F3A-5A04-4073-9CF8-CFD570815B08}: NameServer = 202.106.195.68 202.106.46.151
O18 - Protocol: KuGoo - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - C:\WINDOWS\system32\KuGoo3DownXControl.ocx
O18 - Protocol: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - C:\WINDOWS\system32\KuGoo3DownXControl.ocx
O20 - AppInit_DLLs: kmon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O24 - Desktop Component 0: (no name) - http://www.cncard.com./images/product_logo/030002.gif

--
End of file - 10333 bytes


ComboFix 08-12-24.01 - Owner 2008-12-25 23:06:28.4 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.936.1.2052.18.735.458 [GMT 8:00]
执行位置: c:\documents and settings\Owner\桌面\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\桌面\CFScript.txt
* 成功创造新还原点
.

((((((((((((((((((((((((((((((((((((((( 被删除的档案 )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Favorites\链接

.
((((((((((((((((((((((((( 2008-11-25 至 2008-12-25 的新的档案 )))))))))))))))))))))))))))))))
.

2008-12-24 20:31 . 2008-12-24 20:31 <DIR> d-------- c:\program files\Alwil Software
2008-12-23 08:43 . 2008-12-23 08:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Google Updater
2008-12-19 06:35 . 2008-12-19 06:35 <DIR> d-------- c:\windows\Internet Logs
2008-12-19 06:32 . 2008-12-19 06:32 <DIR> d-------- c:\program files\Common Files\Deterministic Networks
2008-12-19 06:32 . 2007-01-31 13:45 127,376 --a------ c:\windows\system32\drivers\dne2000.sys
2008-12-19 06:32 . 2008-12-19 06:33 1,593 --a------ c:\windows\VPNInstall.MIF
2008-12-19 06:31 . 2008-12-19 06:31 <DIR> d-------- C:\temp
2008-12-19 06:31 . 2008-12-19 06:31 <DIR> d-------- c:\program files\Cisco Systems
2008-12-19 06:07 . 2008-12-19 06:07 1,639,241 ---hs---- c:\windows\system32\fqgnwfsv.ini
2008-12-18 20:57 . 2008-12-18 20:57 <DIR> d-------- c:\documents and settings\Owner\Lb
2008-12-18 12:32 . 2008-12-18 12:32 <DIR> d-------- c:\program files\Trend Micro
2008-12-18 12:26 . 2008-12-18 12:26 91 --a------ c:\windows\wininit.ini
2008-12-18 06:03 . 2008-12-18 06:03 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-18 04:23 . 2008-12-18 04:23 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-18 04:23 . 2008-12-03 19:54 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-18 04:23 . 2008-12-03 19:54 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-18 04:16 . 2008-12-18 04:16 <DIR> d-------- c:\program files\VS Revo Group
2008-12-18 03:59 . 2008-12-18 03:59 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
2008-12-18 03:59 . 2008-12-18 03:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-06 11:11 . 2008-12-06 11:11 <DIR> d-------- c:\windows\已看未刻

.
(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-11-11 01:59 45,056 ----a-w c:\windows\ccn-racerpc-bj-uninstall.exe
2008-11-11 01:59 37,781 ----a-w c:\windows\system32\uninst_avs.exe
2008-11-11 01:59 --------- d-----w c:\program files\racer-ccn-racerpc-bj
2008-11-11 01:59 --------- d-----w c:\program files\cncsafe
2008-11-10 15:50 477,808 ------w c:\windows\system32\kmon.dll
2008-11-05 08:40 --------- d-----w c:\program files\CncimAdsl
2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:38 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:38 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 13:11 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-10-16 13:09 70,656 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 06:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 06:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 06:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 06:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 06:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 06:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 06:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 06:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 06:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 06:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 06:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 06:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 06:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 06:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 06:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-15 16:35 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-15 07:06 633,632 ----a-w c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 ----a-w c:\windows\system32\dllcache\ieakui.dll
2008-10-07 14:37 136 ----a-w c:\program files\Common Files\jyverify.dat
2008-10-07 11:42 96,880 ----a-w c:\windows\system32\KakaTool.dll
2008-10-03 10:03 246,814 ----a-w c:\windows\system32\strmdll.dll
2008-10-03 10:03 246,814 ----a-w c:\windows\system32\dllcache\strmdll.dll
2008-09-30 08:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-16 22:08 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091720080918\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-12-24_ 6.52.33.79 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-17 14:45:46 1,666 ----a-w c:\windows\install.dat
+ 2008-11-23 11:34:08 1,666 ----a-w c:\windows\install.dat
+ 2008-11-26 17:21:30 1,236,208 ----a-w c:\windows\system32\aswBoot.exe
+ 2008-11-26 17:15:10 97,480 ----a-w c:\windows\system32\AvastSS.scr
+ 2008-11-26 17:15:36 26,944 ----a-w c:\windows\system32\drivers\aavmker4.sys
+ 2008-11-26 17:17:26 20,560 ----a-w c:\windows\system32\drivers\aswFsBlk.sys
+ 2008-11-26 17:18:26 93,296 ----a-w c:\windows\system32\drivers\aswmon.sys
+ 2008-11-26 17:18:18 94,032 ----a-w c:\windows\system32\drivers\aswmon2.sys
+ 2008-11-26 17:16:30 23,152 ----a-w c:\windows\system32\drivers\aswRdr.sys
+ 2008-11-26 17:17:36 111,184 ----a-w c:\windows\system32\drivers\aswSP.sys
+ 2008-11-26 17:16:38 50,864 ----a-w c:\windows\system32\drivers\aswTdi.sys
+ 2008-12-25 14:59:06 16,384 ----a-w c:\windows\temp\Perflib_Perfdata_740.dat
.
((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-17 208952]
"gemstrmw"="c:\windows\system32\gemstrmw.exe" [2003-08-29 24576]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"runeip"="d:\卡卡\rstray.exe" [2008-09-13 141936]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Google Updater"="c:\program files\Google\Google Updater\GoogleUpdater.exe" [2008-12-23 161264]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-27 81000]
"SoundMan"="SOUNDMAN.EXE" [2004-05-14 c:\windows\SOUNDMAN.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"KKDelay"="d:\卡卡\RunOnce.exe" [2008-08-04 68208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\「开始」菜单\程序\启动\
HWShell.lnk - e:\hw99\HWPEN\HWshell.EXE [2008-08-03 917504]
VPN Client.lnk - c:\windows\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2008-12-19 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=kmon.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^「开始」菜单^程序^启动^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^「开始」菜单^程序^启动^腾讯QQ.LNK]
backup=c:\windows\pss\腾讯QQ.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMSCMig]
--a------ 2003-07-14 22:57 13368 c:\progra~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegNetPass]
--a------ 2004-05-09 15:30 45056 c:\windows\system32\RegCsp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysExplr]
--a------ 2005-08-29 17:59 69632 c:\herosoft\HeroV8\SysExplr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LHotkey]
--a------ 2005-04-15 11:49 40960 c:\windows\LHOTKEY.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
--a------ 2005-03-08 03:33 53248 c:\windows\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]
--a------ 2005-03-11 17:33 147456 c:\windows\system32\VTTrayp.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\qq\\0612\\QQ.exe"=
"e:\\qq\\0612\\QQUpdateCenter.exe"=
"e:\\qq\\0612\\Qzone\\Qzone.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Thunder Network\\Thunder\\Program\\Thunder5.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

R0 HpaFilt;HpaFilt;c:\windows\system32\drivers\HpaFilt.sys [2005-08-29 10880]
R0 HpaLower;HpaLower;c:\windows\system32\drivers\HpaLower.sys [2005-08-29 2048]
R0 pciidey;pciidey;c:\windows\system32\drivers\pciidey.sys [2005-08-29 4608]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-24 111184]
R1 FixDrv;FixDrv;c:\windows\system32\drivers\FixDrv.sys [2005-08-29 6144]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-12-24 20560]
R2 BaseTDI;Rising TDI Base Driver;c:\windows\system32\DRIVERS\BaseTDI.SYS [2006-12-26 13364]
R2 CMB8100;CMB8100;\??\c:\windows\system32\Drivers\CertClient.dat [2007-05-14 3038]
R2 CMBProtector;CMBProtector;\??\c:\windows\system32\Drivers\CMBProtector.dat [2006-12-28 3584]
S3 CALLKEY_IO;CALLKEY_IO;\??\c:\program files\lenovo\智能维护3.0\CALLKEY.sys [2005-08-29 3072]
S3 GKeyUSB;GKeyUSB;c:\windows\system32\Drivers\GKeyUSB.sys [2006-12-27 62096]
S3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\DRIVERS\OVCE.sys [2007-02-08 31872]
.
‘计划任务’ 文件夹 里的内容

2008-12-21 c:\windows\Tasks\Update.job
- c:\windows\wintask.exe []
.
.
------- 而外的扫描 -------
.
uStart Page = about:blank
IE: e:\qq\0612\SendMMS.htm
IE: &使用快车(FlashGet)下载 - e:\其他软件和杂件（2）\国际快车\jc_link.htm
IE: &使用快车(FlashGet)下载全部链接 - e:\其他软件和杂件（2）\国际快车\jc_all.htm
IE: Easy-WebPrint打印 - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Easy-WebPrint添加到打印列表 - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint预览 - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint高速打印 - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: 上传到QQ网络硬盘 - e:\qq\0612\AddToNetDisk.htm
IE: 使用迅雷下载 - c:\program files\Thunder Network\Thunder\Program\geturl.htm
IE: 使用迅雷下载全部链接 - c:\program files\Thunder Network\Thunder\Program\getallurl.htm
IE: 导出到 Microsoft Office Excel(&X) - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: 添加到QQ自定义面板 - e:\qq\0612\AddPanel.htm
IE: 添加到QQ表情 - e:\qq\0612\AddEmotion.htm
IE: 用QQ彩信发送该图片 - e:\qq\0612\SendMMS.htm
IE: 百度Flash搜索 - c:\windows\DOWNLO~1\BaiDuBar.dll/FLASHSEARCH.HTM
IE: 百度mp3搜索 - c:\windows\DOWNLO~1\BaiDuBar.dll/BAIDUMP3.HTM
IE: 百度信息快递搜索 - c:\windows\DOWNLO~1\BaiDuBar.dll/BAIDUIE.HTM
IE: 百度图片搜索 - c:\windows\DOWNLO~1\BaiDuBar.dll/BAIDUIMG.HTM
IE: 百度搜索 - c:\windows\DOWNLO~1\BaiDuBar.dll/BAIDUSEARCH.HTM
IE: 百度新闻搜索 - c:\windows\DOWNLO~1\BaiDuBar.dll/BAIDUNEWS.HTM
IE: 豪杰超级解霸V8实时播放 - c:\herosoft\HeroV8\MPURLGET.HTM
IE: {{09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - c:\program files\Thunder Network\Thunder\Thunder.exe
IE: {{367E0A21-8601-4986-9C9A-153BF5ACA118} - c:\herosoft\HeroV8\STHSDVD.EXE
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157b} - e:\qq\0612\QQ.EXE
IE: {{09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - c:\program files\Thunder Network\Thunder\Thunder.exe -
IE: {{367E0A21-8601-4986-9C9A-153BF5ACA118} - c:\herosoft\HeroV8\STHSDVD.EXE -
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157b} - e:\qq\0612\QQ.EXE -
IE: {{DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - {39732CE5-0EE6-401A-A0B2-27F46B755C5B} - d:\新建文件夹 (2)\QQIEHelper.dll
Trusted Zone: easyabc.95599.cn
Trusted Zone: www.95599.cn
TCP: {A6301F3A-5A04-4073-9CF8-CFD570815B08} = 202.106.195.68 202.106.46.151
Handler: KuGoo - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - c:\windows\system32\KuGoo3DownXControl.ocx
Handler: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - c:\windows\system32\KuGoo3DownXControl.ocx

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

c:\windows\system32\CMBEdit.dll - O16 -: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D}
hxxps://www.sz1.cmbchina.com/download/CMBEdit.cab
c:\windows\Downloaded Program Files\CMBEdit.inf

c:\windows\Downloaded Program Files\GemOCX.ocx - O16 -: {1D90741B-F236-4D21-94F6-F70631BF3CA3}
hxxps://mybank.icbc.com.cn/icbc/GemOCX.cab
c:\windows\Downloaded Program Files\GemOCX.inf

c:\windows\Downloaded Program Files\PwdEdit.ocx - O16 -: {5467862B-C477-437F-886E-EC5006B37DCA}
hxxps://ebank.cmbc.com.cn/PwdEdit.cab
c:\windows\Downloaded Program Files\PwdEdit.inf

c:\windows\system32\msvcp60.dll - c:\windows\Downloaded Program Files\SubmitControl.dll
c:\windows\Downloaded Program Files\InputControl.dll
O16 -: {73E4740C-08EB-4133-896B-8D0A7C9EE3CD}
hxxps://mybank.icbc.com.cn/icbc/perbank/AxSafeControls.cab
c:\windows\Downloaded Program Files\AxSafeControls.inf

c:\windows\system32\msvcp60.dll - c:\windows\Downloaded Program Files\CONFLICT.1\SubmitControl.dll
c:\windows\Downloaded Program Files\CONFLICT.1\InputControl.dll
O16 -: {8D9E0B29-563C-4226-86C1-5FF2AE77E1D2}
hxxps://mybank.icbc.com.cn/icbc/perbank/AxSafeControls.cab
c:\windows\Downloaded Program Files\CONFLICT.1\AxSafeControls.inf
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\m0jlamgx.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage -
FF - prefs.js: network.proxy.http - 128.59.67.200:3124
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Acrobatchs\Reader\browser\nppdf32.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1439.6872\npCIDetect13.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-25 23:07:54
Windows 5.1.2600 Service Pack 3 FAT NTAPI

扫描被隐藏的进程。。。 ...

扫描被隐藏的启动组。。。

扫描被隐藏的文件。。。

扫描完成
被隐藏的档案: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\CMB8100]
"ImagePath"="\??\c:\windows\system32\Drivers\CertClient.dat"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\CMBProtector]
"ImagePath"="\??\c:\windows\system32\Drivers\CMBProtector.dat"
.
完成时间: 2008-12-25 23:08:35
ComboFix-quarantined-files.txt 2008-12-25 15:08:34
ComboFix4.txt 2008-12-23 22:53:10
ComboFix3.txt 2008-12-24 13:30:48
ComboFix2.txt 2008-12-24 23:17:18

Pre-Run: 4,774,502,400 可用字节
Post-Run: 4,769,619,968 可用字节

244 --- E O F --- 2008-12-11 04:31:16

[Shaba]

Looks like it didn't go right.

Did you copy everything from code box to CFScript (including File:?

[lingra]

I did not copy it correctly, here's the second try.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:18:11, on 2008-12-26
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
D:\卡卡\rstray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
E:\HW99\HWPEN\HWshell.EXE
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\lingra.exe

O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: (no name) - {06849E9E-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - E:\其他软件和杂件（2）\国际快车\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - F:\其他软件和杂件（2）\国际快车\getflash.dll (file missing)
O3 - Toolbar: 金山快译(&K) - {6C3797D2-3FEF-4cd4-B654-D3AE55B4128C} - C:\PROGRA~1\Kingsoft\FASTAI~1\IEBand.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [gemstrmw] C:\WINDOWS\system32\gemstrmw.exe /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [runeip] "D:\卡卡\rstray.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Google Updater] "C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -systray -startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunOnce: [KKDelay] D:\卡卡\RunOnce.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HWShell.lnk = ?
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &使用快车(FlashGet)下载 - E:\其他软件和杂件（2）\国际快车\jc_link.htm
O8 - Extra context menu item: &使用快车(FlashGet)下载全部链接 - E:\其他软件和杂件（2）\国际快车\jc_all.htm
O8 - Extra context menu item: Easy-WebPrint打印 - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint添加到打印列表 - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint预览 - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint高速打印 - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: 上传到QQ网络硬盘 - E:\qq\0612\AddToNetDisk.htm
O8 - Extra context menu item: 使用迅雷下载 - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到QQ自定义面板 - E:\qq\0612\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - E:\qq\0612\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - E:\qq\0612\SendMMS.htm
O8 - Extra context menu item: 百度Flash搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/FLASHSEARCH.HTM
O8 - Extra context menu item: 百度mp3搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUMP3.HTM
O8 - Extra context menu item: 百度信息快递搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUIE.HTM
O8 - Extra context menu item: 百度图片搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUIMG.HTM
O8 - Extra context menu item: 百度搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUSEARCH.HTM
O8 - Extra context menu item: 百度新闻搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUNEWS.HTM
O8 - Extra context menu item: 豪杰超级解霸V8实时播放 - C:\Herosoft\HeroV8\MPURLGET.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 控制台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: 启动迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: 启动迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra button: 豪杰超级解霸V8 - {367E0A21-8601-4986-9C9A-153BF5ACA118} - C:\Herosoft\HeroV8\STHSDVD.EXE
O9 - Extra 'Tools' menuitem: 豪杰超级解霸V8 - {367E0A21-8601-4986-9C9A-153BF5ACA118} - C:\Herosoft\HeroV8\STHSDVD.EXE
O9 - Extra button: 信息检索 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - E:\qq\0612\QQ.EXE
O9 - Extra 'Tools' menuitem: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - E:\qq\0612\QQ.EXE
O9 - Extra button: 快车 - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\其他软件和杂件（2）\国际快车\FlashGet.exe (file missing)
O9 - Extra 'Tools' menuitem: 快车(FlashGet) - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\其他软件和杂件（2）\国际快车\FlashGet.exe (file missing)
O9 - Extra button: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - D:\新建文件夹 (2)\QQIEHelper.dll (file missing)
O9 - Extra 'Tools' menuitem: QQ炫彩工具条设置 - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - D:\新建文件夹 (2)\QQIEHelper.dll (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com
O15 - Trusted Zone: http://*.221.208.242.29
O15 - Trusted Zone: http://*.221.208.250.138
O15 - Trusted Zone: easyabc.95599.cn
O15 - Trusted Zone: www.95599.cn
O15 - Trusted Zone: http://*.cncmax.cn
O15 - Trusted Zone: http://*.cncmax.hl.cn
O15 - Trusted Zone: http://*.cncmax.tj.cn
O15 - Trusted Zone: http://www.icbc.com.cn
O15 - Trusted Zone: http://*.passport.cncmax.cn
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} (Edit Class) - https://www.sz1.cmbchina.com/download/CMBEdit.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D90741B-F236-4D21-94F6-F70631BF3CA3} (GemOCX Control) - https://mybank.icbc.com.cn/icbc/GemOCX.cab
O16 - DPF: {5467862B-C477-437F-886E-EC5006B37DCA} (PwdEdit Control) - https://ebank.cmbc.com.cn/PwdEdit.cab
O16 - DPF: {73E4740C-08EB-4133-896B-8D0A7C9EE3CD} (AxInputControl Class) - https://mybank.icbc.com.cn/icbc/perb...feControls.cab
O16 - DPF: {8D9E0B29-563C-4226-86C1-5FF2AE77E1D2} (AxSubmitControl Class) - https://mybank.icbc.com.cn/icbc/perb...feControls.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6301F3A-5A04-4073-9CF8-CFD570815B08}: NameServer = 202.106.195.68 202.106.46.151
O18 - Protocol: KuGoo - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - C:\WINDOWS\system32\KuGoo3DownXControl.ocx
O18 - Protocol: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - C:\WINDOWS\system32\KuGoo3DownXControl.ocx
O20 - AppInit_DLLs: kmon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O24 - Desktop Component 0: (no name) - http://www.cncard.com./images/product_logo/030002.gif

--
End of file - 10332 bytes



ComboFix 08-12-24.01 - Owner 2008-12-26 7:15:18.5 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.936.1.2052.18.735.439 [GMT 8:00]
执行位置: c:\documents and settings\Owner\桌面\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\桌面\CFScript.txt
* 成功创造新还原点

FILE ::
c:\windows\system32\fqgnwfsv.ini
.

((((((((((((((((((((((((((((((((((((((( 被删除的档案 )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Favorites\链接
c:\windows\system32\fqgnwfsv.ini

.
((((((((((((((((((((((((( 2008-11-25 至 2008-12-25 的新的档案 )))))))))))))))))))))))))))))))
.

2008-12-24 20:31 . 2008-12-24 20:31 <DIR> d-------- c:\program files\Alwil Software
2008-12-23 08:43 . 2008-12-23 08:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Google Updater
2008-12-19 06:35 . 2008-12-19 06:35 <DIR> d-------- c:\windows\Internet Logs
2008-12-19 06:32 . 2008-12-19 06:32 <DIR> d-------- c:\program files\Common Files\Deterministic Networks
2008-12-19 06:32 . 2007-01-31 13:45 127,376 --a------ c:\windows\system32\drivers\dne2000.sys
2008-12-19 06:32 . 2008-12-19 06:33 1,593 --a------ c:\windows\VPNInstall.MIF
2008-12-19 06:31 . 2008-12-19 06:31 <DIR> d-------- C:\temp
2008-12-19 06:31 . 2008-12-19 06:31 <DIR> d-------- c:\program files\Cisco Systems
2008-12-18 20:57 . 2008-12-18 20:57 <DIR> d-------- c:\documents and settings\Owner\Lb
2008-12-18 12:32 . 2008-12-18 12:32 <DIR> d-------- c:\program files\Trend Micro
2008-12-18 12:26 . 2008-12-18 12:26 91 --a------ c:\windows\wininit.ini
2008-12-18 06:03 . 2008-12-18 06:03 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-18 04:23 . 2008-12-18 04:23 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-18 04:23 . 2008-12-03 19:54 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-18 04:23 . 2008-12-03 19:54 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-18 04:16 . 2008-12-18 04:16 <DIR> d-------- c:\program files\VS Revo Group
2008-12-18 03:59 . 2008-12-18 03:59 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
2008-12-18 03:59 . 2008-12-18 03:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-06 11:11 . 2008-12-06 11:11 <DIR> d-------- c:\windows\已看未刻

.
(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-11-11 01:59 45,056 ----a-w c:\windows\ccn-racerpc-bj-uninstall.exe
2008-11-11 01:59 37,781 ----a-w c:\windows\system32\uninst_avs.exe
2008-11-11 01:59 --------- d-----w c:\program files\racer-ccn-racerpc-bj
2008-11-11 01:59 --------- d-----w c:\program files\cncsafe
2008-11-10 15:50 477,808 ------w c:\windows\system32\kmon.dll
2008-11-05 08:40 --------- d-----w c:\program files\CncimAdsl
2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:38 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:38 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 13:11 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-10-16 13:09 70,656 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 06:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 06:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 06:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 06:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 06:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 06:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 06:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 06:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 06:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 06:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 06:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 06:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 06:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 06:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 06:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-15 16:35 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-15 07:06 633,632 ----a-w c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 ----a-w c:\windows\system32\dllcache\ieakui.dll
2008-10-07 14:37 136 ----a-w c:\program files\Common Files\jyverify.dat
2008-10-07 11:42 96,880 ----a-w c:\windows\system32\KakaTool.dll
2008-10-03 10:03 246,814 ----a-w c:\windows\system32\strmdll.dll
2008-10-03 10:03 246,814 ----a-w c:\windows\system32\dllcache\strmdll.dll
2008-09-30 08:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-16 22:08 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091720080918\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-12-24_ 6.52.33.79 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-17 14:45:46 1,666 ----a-w c:\windows\install.dat
+ 2008-11-23 11:34:08 1,666 ----a-w c:\windows\install.dat
+ 2008-11-26 17:21:30 1,236,208 ----a-w c:\windows\system32\aswBoot.exe
+ 2008-11-26 17:15:10 97,480 ----a-w c:\windows\system32\AvastSS.scr
+ 2008-11-26 17:15:36 26,944 ----a-w c:\windows\system32\drivers\aavmker4.sys
+ 2008-11-26 17:17:26 20,560 ----a-w c:\windows\system32\drivers\aswFsBlk.sys
+ 2008-11-26 17:18:26 93,296 ----a-w c:\windows\system32\drivers\aswmon.sys
+ 2008-11-26 17:18:18 94,032 ----a-w c:\windows\system32\drivers\aswmon2.sys
+ 2008-11-26 17:16:30 23,152 ----a-w c:\windows\system32\drivers\aswRdr.sys
+ 2008-11-26 17:17:36 111,184 ----a-w c:\windows\system32\drivers\aswSP.sys
+ 2008-11-26 17:16:38 50,864 ----a-w c:\windows\system32\drivers\aswTdi.sys
+ 2008-12-25 23:09:38 16,384 ----a-w c:\windows\temp\Perflib_Perfdata_664.dat
.
((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-17 208952]
"gemstrmw"="c:\windows\system32\gemstrmw.exe" [2003-08-29 24576]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"runeip"="d:\卡卡\rstray.exe" [2008-09-13 141936]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Google Updater"="c:\program files\Google\Google Updater\GoogleUpdater.exe" [2008-12-23 161264]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-27 81000]
"SoundMan"="SOUNDMAN.EXE" [2004-05-14 c:\windows\SOUNDMAN.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"KKDelay"="d:\卡卡\RunOnce.exe" [2008-08-04 68208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\「开始」菜单\程序\启动\
HWShell.lnk - e:\hw99\HWPEN\HWshell.EXE [2008-08-03 917504]
VPN Client.lnk - c:\windows\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2008-12-19 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=kmon.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^「开始」菜单^程序^启动^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^「开始」菜单^程序^启动^腾讯QQ.LNK]
backup=c:\windows\pss\腾讯QQ.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMSCMig]
--a------ 2003-07-14 22:57 13368 c:\progra~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegNetPass]
--a------ 2004-05-09 15:30 45056 c:\windows\system32\RegCsp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysExplr]
--a------ 2005-08-29 17:59 69632 c:\herosoft\HeroV8\SysExplr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LHotkey]
--a------ 2005-04-15 11:49 40960 c:\windows\LHOTKEY.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
--a------ 2005-03-08 03:33 53248 c:\windows\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]
--a------ 2005-03-11 17:33 147456 c:\windows\system32\VTTrayp.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\qq\\0612\\QQ.exe"=
"e:\\qq\\0612\\QQUpdateCenter.exe"=
"e:\\qq\\0612\\Qzone\\Qzone.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Thunder Network\\Thunder\\Program\\Thunder5.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

R0 HpaFilt;HpaFilt;c:\windows\system32\drivers\HpaFilt.sys [2005-08-29 10880]
R0 HpaLower;HpaLower;c:\windows\system32\drivers\HpaLower.sys [2005-08-29 2048]
R0 pciidey;pciidey;c:\windows\system32\drivers\pciidey.sys [2005-08-29 4608]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-24 111184]
R1 FixDrv;FixDrv;c:\windows\system32\drivers\FixDrv.sys [2005-08-29 6144]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-12-24 20560]
R2 BaseTDI;Rising TDI Base Driver;c:\windows\system32\DRIVERS\BaseTDI.SYS [2006-12-26 13364]
R2 CMB8100;CMB8100;\??\c:\windows\system32\Drivers\CertClient.dat [2007-05-14 3038]
R2 CMBProtector;CMBProtector;\??\c:\windows\system32\Drivers\CMBProtector.dat [2006-12-28 3584]
S3 CALLKEY_IO;CALLKEY_IO;\??\c:\program files\lenovo\智能维护3.0\CALLKEY.sys [2005-08-29 3072]
S3 GKeyUSB;GKeyUSB;c:\windows\system32\Drivers\GKeyUSB.sys [2006-12-27 62096]
S3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\DRIVERS\OVCE.sys [2007-02-08 31872]
.
‘计划任务’ 文件夹 里的内容

2008-12-21 c:\windows\Tasks\Update.job
- c:\windows\wintask.exe []
.
.
------- 而外的扫描 -------
.
uStart Page = about:blank
IE: e:\qq\0612\SendMMS.htm
IE: &使用快车(FlashGet)下载 - e:\其他软件和杂件（2）\国际快车\jc_link.htm
IE: &使用快车(FlashGet)下载全部链接 - e:\其他软件和杂件（2）\国际快车\jc_all.htm
IE: Easy-WebPrint打印 - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Easy-WebPrint添加到打印列表 - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint预览 - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint高速打印 - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: 上传到QQ网络硬盘 - e:\qq\0612\AddToNetDisk.htm
IE: 使用迅雷下载 - c:\program files\Thunder Network\Thunder\Program\geturl.htm
IE: 使用迅雷下载全部链接 - c:\program files\Thunder Network\Thunder\Program\getallurl.htm
IE: 导出到 Microsoft Office Excel(&X) - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: 添加到QQ自定义面板 - e:\qq\0612\AddPanel.htm
IE: 添加到QQ表情 - e:\qq\0612\AddEmotion.htm
IE: 用QQ彩信发送该图片 - e:\qq\0612\SendMMS.htm
IE: 百度Flash搜索 - c:\windows\DOWNLO~1\BaiDuBar.dll/FLASHSEARCH.HTM
IE: 百度mp3搜索 - c:\windows\DOWNLO~1\BaiDuBar.dll/BAIDUMP3.HTM
IE: 百度信息快递搜索 - c:\windows\DOWNLO~1\BaiDuBar.dll/BAIDUIE.HTM
IE: 百度图片搜索 - c:\windows\DOWNLO~1\BaiDuBar.dll/BAIDUIMG.HTM
IE: 百度搜索 - c:\windows\DOWNLO~1\BaiDuBar.dll/BAIDUSEARCH.HTM
IE: 百度新闻搜索 - c:\windows\DOWNLO~1\BaiDuBar.dll/BAIDUNEWS.HTM
IE: 豪杰超级解霸V8实时播放 - c:\herosoft\HeroV8\MPURLGET.HTM
IE: {{09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - c:\program files\Thunder Network\Thunder\Thunder.exe
IE: {{367E0A21-8601-4986-9C9A-153BF5ACA118} - c:\herosoft\HeroV8\STHSDVD.EXE
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157b} - e:\qq\0612\QQ.EXE
IE: {{09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - c:\program files\Thunder Network\Thunder\Thunder.exe -
IE: {{367E0A21-8601-4986-9C9A-153BF5ACA118} - c:\herosoft\HeroV8\STHSDVD.EXE -
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157b} - e:\qq\0612\QQ.EXE -
IE: {{DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - {39732CE5-0EE6-401A-A0B2-27F46B755C5B} - d:\新建文件夹 (2)\QQIEHelper.dll
Trusted Zone: easyabc.95599.cn
Trusted Zone: www.95599.cn
TCP: {A6301F3A-5A04-4073-9CF8-CFD570815B08} = 202.106.195.68 202.106.46.151
Handler: KuGoo - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - c:\windows\system32\KuGoo3DownXControl.ocx
Handler: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - c:\windows\system32\KuGoo3DownXControl.ocx

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

c:\windows\system32\CMBEdit.dll - O16 -: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D}
hxxps://www.sz1.cmbchina.com/download/CMBEdit.cab
c:\windows\Downloaded Program Files\CMBEdit.inf

c:\windows\Downloaded Program Files\GemOCX.ocx - O16 -: {1D90741B-F236-4D21-94F6-F70631BF3CA3}
hxxps://mybank.icbc.com.cn/icbc/GemOCX.cab
c:\windows\Downloaded Program Files\GemOCX.inf

c:\windows\Downloaded Program Files\PwdEdit.ocx - O16 -: {5467862B-C477-437F-886E-EC5006B37DCA}
hxxps://ebank.cmbc.com.cn/PwdEdit.cab
c:\windows\Downloaded Program Files\PwdEdit.inf

c:\windows\system32\msvcp60.dll - c:\windows\Downloaded Program Files\SubmitControl.dll
c:\windows\Downloaded Program Files\InputControl.dll
O16 -: {73E4740C-08EB-4133-896B-8D0A7C9EE3CD}
hxxps://mybank.icbc.com.cn/icbc/perbank/AxSafeControls.cab
c:\windows\Downloaded Program Files\AxSafeControls.inf

c:\windows\system32\msvcp60.dll - c:\windows\Downloaded Program Files\CONFLICT.1\SubmitControl.dll
c:\windows\Downloaded Program Files\CONFLICT.1\InputControl.dll
O16 -: {8D9E0B29-563C-4226-86C1-5FF2AE77E1D2}
hxxps://mybank.icbc.com.cn/icbc/perbank/AxSafeControls.cab
c:\windows\Downloaded Program Files\CONFLICT.1\AxSafeControls.inf
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\m0jlamgx.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage -
FF - prefs.js: network.proxy.http - 128.59.67.200:3124
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Acrobatchs\Reader\browser\nppdf32.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1439.6872\npCIDetect13.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-26 07:16:36
Windows 5.1.2600 Service Pack 3 FAT NTAPI

扫描被隐藏的进程。。。 ...

扫描被隐藏的启动组。。。

扫描被隐藏的文件。。。

扫描完成
被隐藏的档案: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\CMB8100]
"ImagePath"="\??\c:\windows\system32\Drivers\CertClient.dat"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\CMBProtector]
"ImagePath"="\??\c:\windows\system32\Drivers\CMBProtector.dat"
.
完成时间: 2008-12-26 7:17:15
ComboFix-quarantined-files.txt 2008-12-25 23:17:14
ComboFix4.txt 2008-12-24 13:30:48
ComboFix3.txt 2008-12-24 23:17:18
ComboFix5.txt 2008-12-25 23:14:42
ComboFix2.txt 2008-12-25 15:08:38

Pre-Run: 4,717,903,872 可用字节
Post-Run: 4,705,632,256 可用字节

247 --- E O F --- 2008-12-11 04:31:16

[Shaba]

Please go to Kaspersky website and perform an online antivirus scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

1. Read through the requirements and privacy statement and click on Accept button.
2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
3. When the downloads have finished, click on Settings.
4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
   • Spyware, Adware, Dialers, and other potentially dangerous programs
     Archives
     
5. Click on My Computer under Scan.
6. Once the scan is complete, it will display the results. Click on View Scan Report.
7. You will see a list of infected items there. Click on Save Report As....
8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
9. Please post this log in your next reply along with a fresh HijackThis log.

If you need a tutorial, see here