Fake. PCTools trojan infected ( Resolved)

W

wingwingwing922

New member
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 下午 05:45:52, on 2009/7/27
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O1 - Hosts: 65.54.239.80 dp.msnmessenger.akadns.net
O2 - BHO: ShowHKToolbar Class - {06433BFE-4946-4E89-823D-CD359C81CD06} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {24F06550-65E3-4D1C-8CFE-839C296B5530} - (no file)
O2 - BHO: (no name) - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - (no file)
O2 - BHO: Hong Kong Toolbar - {481EE3EC-C026-4F9A-BA22-FD07654ADFC0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - (no file)
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O3 - Toolbar: Hong Kong Toolbar - {481EE3EC-C026-4F9A-BA22-FD07654ADFC0} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKCU\..\Policies\Explorer\Run: [{8C5AD1F8-0700-1028-0402-031213200376}] "C:\Program Files\Common Files\{8C5AD1F8-0700-1028-0402-031213200376}\Update.exe" mc-110-12-0001411
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: 匯出至 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: HP 智慧型選取 - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {003FACAF-40CB-4358-96D2-B0D8CEF4DBF5} (SKeyHelper Class) - https://bet.hongkongjockeyclub.com/ib/skey/ch/cab/EWinSKey.CAB
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/ocis/OSInfo.cab
O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/ocis/SiSAutodetectNT.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3AC7F64E-6154-47B0-82B5-764ED4077F77} (DataStorage Class) - http://txn02.hkjc.com/BetSlip/object/eWinCtl.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/ZH-HK/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A22B8FD2-4CAA-4EFB-82F7-680CD656D9B0} (NowStarter Control) - http://www.gogobox.com.tw/neo.fld/GNowStarter.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF6EC361-726D-4C6B-A284-F391A60A21C0} (UnioncastDownloadAx Control) - http://live.jiguang.tv/1000test/traila/unioncastDownload.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus(R) Helper - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NetWork Service (ntserv) - Unknown owner - c:\program files\common files\system\ntserv.exe (file missing)
O23 - Service: Serviceserverhelp - Unknown owner - C:\WINDOWS\system32\serverplays.exe (file missing)
O23 - Service: syster.exe - Unknown owner - C:\WINDOWS\syster.exe (file missing)
O23 - Service: Windows Advanced Manager (wamer) - Unknown owner - C:\Program Files\Microsoft Office\SYSTEM\dodolook_7493.exe (file missing)

--
End of file - 9226 bytes



thanks helper~~
 
Please note that all instructions given are customised for this computer only,
the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
  1. Please Read All Instructions Carefully
  2. If you don't understand something, stop and ask! Don't keep going on.
  3. Please do not run any other tools or scans whilst I am helping you
  4. Failure to reply within 5 days will result in the topic being closed.
  5. Please continue to respond until I give you the "All Clear"
    (Just because you can't see a problem doesn't mean it isn't there)
If you can do those few things, everything should go smoothly
laechel.gif


Some of the logs I request will be quite large, You may need to split them over a couple of replies.

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe
----------------------------------------------------------------------------------------


Disable Teatimer
We need to disable Teatimer as it may interfere with the cleaning.
Please do not re-enable it until I give instructions.

First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident
Second step, For Either Version :
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • then, also in left panel, click Resident shows a red/white shield.
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Click Link >>> HERE <<< Link and select "save as" and save it to your desktop
  • Double click TTWipe.bat
  • Reboot your machine for the changes to take effect.


Download and Run RSIT
  • Please download Random's System Information Tool by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open:
    • log.txt will be opened maximized.
    • info.txt will be opened minimized.
  • Please post the contents of both log.txt and info.txt.
    ( They can also be found in the C:\RSIT folder )


Please Download GMER to your desktop

Download GMER and extract it to your desktop.

***Please close any open programs ***

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised by a trained Security Analyst

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click Yes.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.
If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked.
  • Click the Scan button and let the program do its work. GMER will produce a log.
  • Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

DO NOT touch the PC at ALL for Whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error etc !

Please post the results from the GMER scan in your reply.
 
info.txt logfile of random's system information tool 1.06 2009-07-29 00:03:35

======Uninstall list======

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E06E4F4E-72D6-4497-BFFD-BCB43077C2F4}\setup.exe" -l0x404 -uninst
32 Bit HP CIO Components Installer-->MsiExec.exe /I{2614F54E-A828-49FA-93BA-45A3F756BFAA}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Video Encoder-->MsiExec.exe /I{2EFFFC71-1E66-454E-A6E6-CEEC800B96D2}
Adobe PDF Library Files-->MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Reader 7.1.0 - Chinese Traditional-->MsiExec.exe /I{AC76BA86-7AD7-1028-7B44-A71000000002}
Advanced DVD Player-->"C:\Program Files\AdvancedDVDPlayer\unins000.exe"
Advanced SystemCare 3-->"C:\Program Files\IObit\Advanced SystemCare 3\unins000.exe"
avast! Antivirus-->C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
C-Media WDM Audio Driver-->C:\WINDOWS\system32\cmirmdrv.exe
DVD Solution-->"C:\Program Files\Uninstall_CDS.exe"
DVR-Explorer-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{39EDE80E-1364-403A-8E64-C17150194C78}\Setup.exe"
ERUNT 1.1j-->"C:\Program Files\ERUNT\unins000.exe"
GoldWave v5.25-->"C:\Program Files\GoldWave\unstall.exe" "GoldWave v5.25" "C:\Program Files\GoldWave\unstall.log"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Update-->MsiExec.exe /X{FE57DE70-95DE-4B64-9266-84DA811053DB}
Java(TM) 6 Update 14-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216014FF}
Java(TM) 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Macromedia Dreamweaver 8-->MsiExec.exe /I{0837A661-FEC3-48B3-876C-91E7D32048A9}
Macromedia Extension Manager-->MsiExec.exe /I{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110404-6000-11D3-8CFE-0150048383C9}
Microsoft Office XP Professional with FrontPage-->MsiExec.exe /I{90280404-6000-11D3-8CFE-0050048383C9}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft SQL Server 2005 Compact Edition [ENU]-->MsiExec.exe /I{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft VC80 Support DLLs-->MsiExec.exe /I{342F5437-C87D-4BB5-89B9-B23E16C6A395}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
MicroStaff WINASPI-->C:\MWASPI\uninst.exe
mifsaver-->C:\WINDOWS\system32\mifsaver.scr /u
Mozilla Firefox (3.0.12)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
Multimedia Launcher-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\setup.exe" -uninstall
Nero OEM-->C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
PDF Settings-->MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
Revo Uninstaller 1.83-->C:\Program Files\VS Revo Group\Revo Uninstaller\uninst.exe
SiS 650_651_M650_740-->Rundll32.exe SiSInst.dll,InfUnInst Driver.Uninst 4 sisgr.inf
SiS 650_651_M650_M652_740-->Rundll32.exe SiSInst.dll,InfUnInst Driver.Uninst 4 sisgr.inf
SiS 900 PCI Fast Ethernet Adapter Driver-->C:\WINDOWS\SiS\900\Uninst.exe
SiS VGA Utilities-->Rundll32 SiSInst.dll,Uninstall VGA,R,oem12.inf
SiSAGP driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DC226AC9-0314-496C-BE6A-B6A132628466}\setup.exe" -l0x404
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Windows Genuine Advantage v1.3.0254.0-->MsiExec.exe /I{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}
Windows Imaging Component-->"C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Internet Explorer 7 Hotfix (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Windows Internet Explorer 7 安全性更新 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Windows Internet Explorer 7 安全性更新 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Windows Internet Explorer 7 安全性更新 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Windows Internet Explorer 7 安全性更新 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Windows Internet Explorer 7 安全性更新 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Windows Internet Explorer 7 安全性更新 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Windows Internet Explorer 7 安全性更新 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Windows Internet Explorer 7 安全性更新 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Windows Internet Explorer 7 安全性更新 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Windows Internet Explorer 7 安全性更新 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
Windows Internet Explorer 7 安全性更新 (KB969897)-->"C:\WINDOWS\ie7updates\KB969897-IE7\spuninst\spuninst.exe"
Windows Live Mail-->MsiExec.exe /I{8D49763E-A43C-45CB-9561-5267627ED243}
Windows Live Messenger-->MsiExec.exe /X{6560D90C-5223-49A3-B78C-A48C31EAEC56}
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 10 安全性更新 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Windows Media Player 10 安全性更新 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
Windows Media Player 10 安全性更新 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP10$\spuninst\spuninst.exe"
Windows Media Player 11 Hotfix (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Windows Media Player 11 安全性更新 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Windows Media Player 11 安全性更新 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Windows Media Player 11 重大更新 (KB959772)-->"C:\WINDOWS\$NtUninstallKB959772_WM11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows Media Player 安全性更新 (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Windows XP Hotfix (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB961371)-->"C:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Windows XP 安全性更新 (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
Windows XP 更新 (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Windows XP 更新 (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Windows XP 更新 (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Windows XP 更新 (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
Wisdom-soft ScreenHunter 5.0 Free-->C:\PROGRA~1\WISDOM~1\UNWISE.EXE C:\PROGRA~1\WISDOM~1\INSTALL.LOG

======Hosts File======

65.54.239.80 dp.msnmessenger.akadns.net
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com

======Security center information======

AV: avast! antivirus 4.8.1335 [VPS 090727-0]

======System event log======

Computer Name: SZE-462B6673BE0
Event Code: 7023
Message: DCOM Service Process Manager 服務因下列錯誤而終止:
找不到指定的模組。


Record Number: 62368
Source Name: Service Control Manager
Time Written:
Event Type: 錯誤
User:

Computer Name: SZE-462B6673BE0
Event Code: 7000
Message: acpidisk 服務無法啟動,因為發生下列錯誤:
系統找不到指定的檔案。


Record Number: 62367
Source Name: Service Control Manager
Time Written:
Event Type: 錯誤
User:

Computer Name: SZE-462B6673BE0
Event Code: 7000
Message: 平行連接埠驅動程式 服務無法啟動,因為發生下列錯誤:
無法啟動服務,可能因為服務已停用,或它沒有相關的啟用裝置。


Record Number: 62366
Source Name: Service Control Manager
Time Written:
Event Type: 錯誤
User:

Computer Name: SZE-462B6673BE0
Event Code: 6005
Message: 事件日誌服務已啟動。

Record Number: 62365
Source Name: EventLog
Time Written:
Event Type: 資訊
User:

Computer Name: SZE-462B6673BE0
Event Code: 6009
Message: Microsoft (R) Windows (R) 5.01. 2600 Service Pack 2 Uniprocessor Free.

Record Number: 62364
Source Name: EventLog
Time Written:
Event Type: 資訊
User:

=====Application event log=====

Computer Name: SZE-462B6673BE0
Event Code: 300
Message: msnmsgr (1648) \\.\C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\ahwing922@hotmail.com\SharingMetadata\Working\database_908C_5AF2_8C5A_D1F8\dfsr.db: 資料庫引擎正在起始修復步驟。

Record Number: 6818
Source Name: ESENT
Time Written: 20080624222119.000000+480
Event Type: 資訊
User:

Computer Name: SZE-462B6673BE0
Event Code: 102
Message: msnmsgr (1648) \\.\C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\ahwing922@hotmail.com\SharingMetadata\Working\database_908C_5AF2_8C5A_D1F8\dfsr.db: 資料庫引擎啟動了一個新的例項 (0)。

Record Number: 6817
Source Name: ESENT
Time Written: 20080624222118.000000+480
Event Type: 資訊
User:

Computer Name: SZE-462B6673BE0
Event Code: 100
Message: msnmsgr (1648) 資料庫引擎 5.01.2600 2780 已啟動。

Record Number: 6816
Source Name: ESENT
Time Written: 20080624222118.000000+480
Event Type: 資訊
User:

Computer Name: SZE-462B6673BE0
Event Code: 302
Message: msnmsgr (2056) \\.\C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\ahwing922@hotmail.com\SharingMetadata\Working\database_908C_5AF2_8C5A_D1F8\dfsr.db: 資料庫引擎已成功完成修復步驟。

Record Number: 6815
Source Name: ESENT
Time Written: 20080624205639.000000+480
Event Type: 資訊
User:

Computer Name: SZE-462B6673BE0
Event Code: 301
Message: msnmsgr (2056) \\.\C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\ahwing922@hotmail.com\SharingMetadata\Working\database_908C_5AF2_8C5A_D1F8\dfsr.db: 資料庫引擎正在重放記錄檔案 \\.\C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\ahwing922@hotmail.com\SharingMetadata\Working\database_908C_5AF2_8C5A_D1F8\fsr.log。

Record Number: 6814
Source Name: ESENT
Time Written: 20080624205632.000000+480
Event Type: 資訊
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM;C:\Program Files\Common Files\Teleca Shared
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 2 Stepping 7, GenuineIntel
"PROCESSOR_REVISION"=0207
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"OldPath"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\WBEM

-----------------EOF-----------------

log.txt:::

Logfile of random's system information tool 1.06 (written by random/random)
Run by Administrator at 2009-07-29 00:02:46
Microsoft Windows XP Professional Service Pack 3
System drive C: has 60 GB (76%) free of 79 GB
Total RAM: 479 MB (17% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 上午 12:03:30, on 2009/7/29
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\桌面\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Administrator.exe

O1 - Hosts: 65.54.239.80 dp.msnmessenger.akadns.net
O2 - BHO: ShowHKToolbar Class - {06433BFE-4946-4E89-823D-CD359C81CD06} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {24F06550-65E3-4D1C-8CFE-839C296B5530} - (no file)
O2 - BHO: (no name) - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - (no file)
O2 - BHO: Hong Kong Toolbar - {481EE3EC-C026-4F9A-BA22-FD07654ADFC0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - (no file)
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O3 - Toolbar: Hong Kong Toolbar - {481EE3EC-C026-4F9A-BA22-FD07654ADFC0} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKCU\..\Policies\Explorer\Run: [{8C5AD1F8-0700-1028-0402-031213200376}] "C:\Program Files\Common Files\{8C5AD1F8-0700-1028-0402-031213200376}\Update.exe" mc-110-12-0001411
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: 匯出至 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: HP 智慧型選取 - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {003FACAF-40CB-4358-96D2-B0D8CEF4DBF5} (SKeyHelper Class) - https://bet.hongkongjockeyclub.com/ib/skey/ch/cab/EWinSKey.CAB
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/ocis/OSInfo.cab
O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/ocis/SiSAutodetectNT.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3AC7F64E-6154-47B0-82B5-764ED4077F77} (DataStorage Class) - http://txn02.hkjc.com/BetSlip/object/eWinCtl.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/ZH-HK/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A22B8FD2-4CAA-4EFB-82F7-680CD656D9B0} (NowStarter Control) - http://www.gogobox.com.tw/neo.fld/GNowStarter.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF6EC361-726D-4C6B-A284-F391A60A21C0} (UnioncastDownloadAx Control) - http://live.jiguang.tv/1000test/traila/unioncastDownload.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus(R) Helper - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NetWork Service (ntserv) - Unknown owner - c:\program files\common files\system\ntserv.exe (file missing)
O23 - Service: Serviceserverhelp - Unknown owner - C:\WINDOWS\system32\serverplays.exe (file missing)
O23 - Service: syster.exe - Unknown owner - C:\WINDOWS\syster.exe (file missing)
O23 - Service: Windows Advanced Manager (wamer) - Unknown owner - C:\Program Files\Microsoft Office\SYSTEM\dodolook_7493.exe (file missing)

--
End of file - 9097 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\WGASetup.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06433BFE-4946-4E89-823D-CD359C81CD06}]
ShowHKToolbar Class

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-12-18 59032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{24F06550-65E3-4D1C-8CFE-839C296B5530}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{385AB8C6-FB22-4D17-8834-064E2BA0A6F0}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{481EE3EC-C026-4F9A-BA22-FD07654ADFC0}]
Hong Kong Toolbar

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9394EDE7-C8B5-483E-8773-474BF36AF6E4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-07-12 41368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-07-12 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}
{481EE3EC-C026-4F9A-BA22-FD07654ADFC0} - []

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"=C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [2004-08-03 208952]
"MSPY2002"=C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe [2004-08-03 59392]
"CJIMETIPSYNC"=C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE [2007-03-22 66400]
"PHIMETIPSYNC"=C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE [2007-03-22 98656]
"Cmaudio"=RunDll32 cmicnfg.cpl,CMICtrlWnd []
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe [2006-01-12 155648]
"Synchronization Manager"=C:\WINDOWS\system32\mobsync.exe [2008-04-14 141312]
"SiSPower"=SiSPower.dll,ModeAgent []
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-07-12 148888]
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2009-02-06 81000]
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2007-10-14 49152]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"PowerBar"=C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe [2004-04-21 86016]
"Advanced SystemCare 3"=C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe [2009-06-30 2329224]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"{8C5AD1F8-0700-1028-0402-031213200376}"=C:\Program Files\Common Files\{8C5AD1F8-0700-1028-0402-031213200376}\Update.exe mc-110-12-0001411 []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2
"Avg7UpdSvc"=2
"Avg7Alrt"=2

C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE
Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe

C:\Documents and Settings\Administrator\「開始」功能表\程式集\啟動
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-05 266280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=255
"NoDriveAutoRun"=16777215

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"HonorAutoRunSetting"=
"NoResolveSearch"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\internet explorer\iexplore.exe"="C:\Program Files\internet explorer\iexplore.exe:*:Enabled:Internet Explorer"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

======File associations======

.js - edit - "C:\Program Files\Macromedia\Dreamweaver 8\dreamweaver.exe" "%1"
.txt - open - C:\WINDOWS\system32\notepad.exe %1

======List of files/folders created in the last 1 months======

2009-07-29 00:02:46 ----D---- C:\rsit
2009-07-27 17:44:53 ----D---- C:\Program Files\Trend Micro
2009-07-27 17:18:47 ----D---- C:\WINDOWS\ERDNT
2009-07-27 17:18:32 ----D---- C:\Program Files\ERUNT
2009-07-27 14:23:13 ----D---- C:\Program Files\xerox
2009-07-26 23:39:42 ----D---- C:\Documents and Settings\All Users\Application Data\Macromedia
2009-07-26 23:36:45 ----D---- C:\Program Files\Common Files\Macromedia
2009-07-26 23:36:44 ----D---- C:\Program Files\Macromedia
2009-07-24 16:16:13 ----D---- C:\Documents and Settings\Administrator\Application Data\ImTOO Software Studio
2009-07-24 15:52:36 ----D---- C:\Documents and Settings\Administrator\Application Data\IObit
2009-07-24 15:52:35 ----D---- C:\Program Files\IObit
2009-07-16 01:47:52 ----HDC---- C:\WINDOWS\$NtUninstallKB973346$
2009-07-16 01:47:38 ----HDC---- C:\WINDOWS\$NtUninstallKB971633$
2009-07-16 01:44:33 ----HDC---- C:\WINDOWS\$NtUninstallKB961371$
2009-07-12 15:14:56 ----A---- C:\WINDOWS\system32\javaws.exe
2009-07-12 15:14:56 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-07-12 15:14:55 ----A---- C:\WINDOWS\system32\javaw.exe
2009-07-12 15:14:55 ----A---- C:\WINDOWS\system32\java.exe
2009-07-01 16:53:32 ----A---- C:\WINDOWS\system32\rmoc3260.dll
2009-07-01 16:53:32 ----A---- C:\WINDOWS\system32\pncrt.dll

======List of files/folders modified in the last 1 months======

2009-07-29 00:02:53 ----D---- C:\WINDOWS\Prefetch
2009-07-29 00:00:30 ----D---- C:\Program Files\Mozilla Firefox
2009-07-28 23:55:48 ----D---- C:\WINDOWS\Temp
2009-07-28 23:52:26 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-28 21:20:20 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-07-27 17:44:53 ----D---- C:\Program Files
2009-07-27 17:20:47 ----D---- C:\WINDOWS\system32\config
2009-07-27 17:18:47 ----D---- C:\WINDOWS
2009-07-27 15:55:32 ----A---- C:\WINDOWS\ntbtlog.txt
2009-07-26 23:49:09 ----D---- C:\Documents and Settings\Administrator\Application Data\Macromedia
2009-07-26 23:45:07 ----SHD---- C:\WINDOWS\Installer
2009-07-26 23:36:58 ----HD---- C:\Config.Msi
2009-07-26 23:36:45 ----D---- C:\Program Files\Common Files
2009-07-26 23:33:46 ----D---- C:\WINDOWS\Downloaded Installations
2009-07-24 16:14:27 ----D---- C:\WINDOWS\system32
2009-07-24 16:04:41 ----D---- C:\WINDOWS\system32\CatRoot2
2009-07-24 16:04:41 ----D---- C:\WINDOWS\security
2009-07-24 16:04:40 ----D---- C:\WINDOWS\system32\MsDtc
2009-07-24 16:04:40 ----D---- C:\WINDOWS\repair
2009-07-24 16:04:40 ----D---- C:\WINDOWS\Debug
2009-07-24 16:04:40 ----D---- C:\Program Files\Wisdom-soft ScreenHunter 5 Free
2009-07-24 16:04:40 ----D---- C:\Program Files\OfficeUpdate11
2009-07-24 16:04:40 ----D---- C:\Program Files\Microsoft AntiSpyware
2009-07-24 16:04:40 ----D---- C:\Program Files\GoldWave
2009-07-24 16:04:40 ----D---- C:\MWASPI
2009-07-24 16:04:40 ----D---- C:\Documents and Settings\All Users\Application Data\WLInstaller
2009-07-24 16:04:40 ----D---- C:\Documents and Settings\All Users\Application Data\FLEXnet
2009-07-24 16:04:40 ----D---- C:\Documents and Settings
2009-07-24 01:21:44 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-07-23 12:36:52 ----D---- C:\Program Files\Microsoft Silverlight
2009-07-16 01:47:56 ----HD---- C:\WINDOWS\inf
2009-07-16 01:47:50 ----HD---- C:\WINDOWS\$hf_mig$
2009-07-16 01:47:45 ----A---- C:\WINDOWS\imsins.BAK
2009-07-16 01:47:41 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-07-12 15:12:56 ----D---- C:\Program Files\Java
2009-07-07 23:10:56 ----A---- C:\WINDOWS\system32\MRT.exe
2009-07-02 19:14:19 ----A---- C:\WINDOWS\NeroDigital.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS\system32\drivers\Aavmker4.sys [2009-02-06 26944]
R1 aswSP;avast! Self Protection; C:\WINDOWS\system32\drivers\aswSP.sys [2009-02-06 114768]
R1 aswTdi;avast! Network Shield Support; C:\WINDOWS\system32\drivers\aswTdi.sys [2009-02-06 51376]
R1 FsVga;FsVga; C:\WINDOWS\system32\DRIVERS\fsvga.sys [2001-09-05 12160]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 39168]
R1 SiSkp;SiSkp; C:\WINDOWS\system32\drivers\srvkp.sys [2006-03-09 12160]
R1 WS2IFSL;Windows 通訊端 2.0 非 IFS 服務提供者支援環境; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-09-05 12032]
R2 aswFsBlk;aswFsBlk; C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2009-02-06 20560]
R2 aswMon2;avast! Standard Shield Support; C:\WINDOWS\system32\drivers\aswMon2.sys [2009-02-06 94032]
R3 aswRdr;aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [2009-02-06 23152]
R3 cmuda;C-Media WDM Audio Interface; C:\WINDOWS\system32\drivers\cmuda.sys [2004-08-23 821760]
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver; C:\WINDOWS\system32\drivers\msmpu401.sys [2001-08-17 2944]
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2003-12-05 10368]
R3 SiS315;SiS315; C:\WINDOWS\system32\DRIVERS\sisgrp.sys [2006-03-09 245248]
R3 SISNICXP;SiS PCI Fast Ethernet Adapter Driver for NDIS51; C:\WINDOWS\system32\DRIVERS\sisnicxp.sys [2006-12-07 32768]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-14 17152]
S2 acpidisk;acpidisk; \??\C:\WINDOWS\system32\drivers\acpidisk.sys []
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
S3 mouhid;滑鼠 HID 驅動程式; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-31 12160]
S3 NOWMEMDF;NOWMEMDF; \??\C:\WINDOWS\system32\NOWMEMDF.sys []
S3 SISNIC;SiS PCI Fast Ethernet Adapter Driver; C:\WINDOWS\system32\DRIVERS\sisnic.sys [2004-08-03 32768]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 usbccgp;Microsoft USB 一般上層驅動程式; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-14 25856]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aswUpdSv;avast! iAVS4 Control Service; C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2009-02-06 18752]
R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast4\ashServ.exe [2009-02-06 138680]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-07-12 152984]
R2 Net Driver HPZ12;Net Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
R3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2009-02-06 254040]
R3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2009-02-06 352920]
S2 COMLoader;DCOM Service Process Manager; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S2 hpqddsvc;HP CUE DeviceDiscovery 服務; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S2 IZNZMXK;YWLFVLARDTJVQ; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S2 ntserv;NetWork Service; c:\program files\common files\system\ntserv.exe -system []
S2 Serviceserverhelp;Serviceserverhelp; C:\WINDOWS\system32\serverplays.exe []
S2 syster.exe;syster.exe; C:\WINDOWS\syster.exe []
S2 wamer;Windows Advanced Manager; C:\Program Files\Microsoft Office\SYSTEM\dodolook_7493.exe []
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2008-03-09 654848]
S3 getPlus(R) Helper;getPlus(R) Helper; C:\Program Files\NOS\bin\getPlus_HelperSvc.exe []
S3 hpqcxs08;hpqcxs08; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S4 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]

-----------------EOF-----------------


GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-29 00:28:56
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF368D6B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xF368D574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xF368DA52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF368D14C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xF368D64E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF368D08C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF368D0F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF368D76E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF368D72E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF368D8AE]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[576] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003E0002
IAT C:\WINDOWS\system32\services.exe[576] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003E0000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs sisidex.sys (SISIDEX Driver/Windows (R) 2000 DDK provider)
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat sisidex.sys (SISIDEX Driver/Windows (R) 2000 DDK provider)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@矏卉s^L?\xe48ec豦\0\0\0\0 1?
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@矏卉s^L?\xe48ec豦\0\0\0\0 1?
Reg HKLM\SYSTEM\ControlSet004\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@矏卉s^L?\xe48ec豦\0\0\0\0 1?
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper@0}\16f? 32904
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper@送0}\16f?\0 136

---- EOF - GMER 1.0.15 ----


thank you very much !!!
 
Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If requested, please reboot
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial

  • You must download it to and run it from your Desktop
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply
  • Re-enable all the programs that were disabled during the running of ComboFix..


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
For instructions on how to disable your security programs, please see this topic
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
Click to expand...
 
excuse me, I am running the mbam already. (I will post the log when it ends)
however, the tutorial of combofix is not working, I wondered if I can just search for it on the Web but I guess it's not too secure so I am asking here. Thanks a whole lot for helping!
 
You can download Combofix from either of the two following links

  • ComboFix.exe
    ComboFix.exe
  • You must download it to and run it from your Desktop
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
  • Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
ComboFix SHOULD NOT be used unless requested by a forum helper
 
Malwarebytes' Anti-Malware 1.39
Database version: 2520
Windows 5.1.2600 Service Pack 3

2009/7/29 下午 08:27:17
mbam-log-2009-07-29 (20-27-17).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 174066
Time elapsed: 1 hour(s), 30 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{385ab8c4-fb22-4d17-8834-064e2ba0a6f0} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{385ab8c6-fb22-4d17-8834-064e2ba0a6f0} (Trojan.Yigather) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{385ab8c5-fb22-4d17-8834-064e2ba0a6f0} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{54ebd53a-9bc1-480b-966a-843a333ca162} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{385ab8c6-fb22-4d17-8834-064e2ba0a6f0} (Trojan.Yigather) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{385ab8c6-fb22-4d17-8834-064e2ba0a6f0} (Trojan.Yigather) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\acpidisk (Adware.Cinmus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IDSCNP (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\{8c5ad1f8-0700-1028-0402-031213200376} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\Drive\shell\(default) (Hijack.Drives) -> Bad: (open) Good: (none) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools (Trojan.Yigather) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\mywehit.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\inf\svchosts.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\inf\PlugsList.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mscpx32r.det (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\d3d1caps.SRG (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mprmsgse.axz (Adware.Cinmus) -> Quarantined and deleted successfully.

ComboFix 09-07-28.04 - Administrator /07/29 星期三 21:45.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.950.886.1028.18.479.173 [GMT 8:00]
執行位置: c:\documents and settings\Administrator\桌面\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090728-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( 被刪除的檔案 )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\DelSelf.bat
c:\windows\Installer\113104f.msi
c:\windows\Installer\11310af.msi
c:\windows\Installer\13048a3.msi
c:\windows\Installer\13048af.msi
c:\windows\Installer\166112f.msi
c:\windows\Installer\1663766.msi
c:\windows\Installer\166376e.msi
c:\windows\Installer\1663784.msi
c:\windows\Installer\1663db0.msi
c:\windows\Installer\1663db6.msi
c:\windows\Installer\1663dd1.msi
c:\windows\Installer\1663e0a.msi
c:\windows\Installer\1663e2b.msi
c:\windows\Installer\3d60d3.msi
c:\windows\Installer\932aa6.msi
c:\windows\Installer\932aab.msi
c:\windows\Installer\d7eef5.msi
c:\windows\Installer\d7eefb.msi
c:\windows\Installer\d7ef01.msi
c:\windows\Installer\d7ef07.msi
c:\windows\Installer\d7ef0d.msi
c:\windows\Installer\d7ef13.msi
c:\windows\Installer\d7ef19.msi
c:\windows\Installer\d7ef20.msi
c:\windows\Installer\d7ef2e.msi
c:\windows\Installer\d7ef35.msi
c:\windows\Installer\d7ef3c.msi
c:\windows\Installer\d7ef42.msi
c:\windows\Installer\d7ef4f.msi
c:\windows\Installer\d7ef55.msi
c:\windows\Installer\d7ef6a.msi
c:\windows\Installer\d7ef73.msi
c:\windows\Installer\d7ef79.msi
c:\windows\Installer\d7ef99.msi
c:\windows\pwisys.ini
c:\windows\system32\6099e58357.dll
c:\windows\system32\inf
c:\windows\system32\mshtmll.dll
c:\windows\system32\wbem\ZEKQYELRYDKQWD.MDA

.
((((((((((((((((((((((((((((((((((((((( 驅動/服務 )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ACPIDISK
-------\Legacy_WAMER
-------\Service_wamer


((((((((((((((((((((((((( 2009-06-28 至 2009-07-29 的新的檔案 )))))))))))))))))))))))))))))))
.

2009-07-28 17:30 . 2009-07-28 17:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-07-28 17:24 . 2009-07-13 05:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-28 17:24 . 2009-07-28 17:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-28 17:24 . 2009-07-13 05:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-28 17:24 . 2009-07-28 17:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-28 16:02 . 2009-07-28 16:03 -------- d-----w- C:\rsit
2009-07-27 09:44 . 2009-07-27 09:44 -------- d-----w- c:\program files\Trend Micro
2009-07-27 09:18 . 2009-07-27 09:18 -------- d-----w- c:\program files\ERUNT
2009-07-26 15:47 . 2005-08-30 07:19 1052672 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Dreamweaver 8\Configuration\Flash Player\FlashPlayerW.dll
2009-07-26 15:36 . 2009-07-26 15:44 -------- d-----w- c:\program files\Common Files\Macromedia
2009-07-26 15:36 . 2009-07-26 15:39 -------- d-----w- c:\program files\Macromedia
2009-07-24 08:16 . 2009-07-24 08:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\ImTOO Software Studio
2009-07-24 07:52 . 2009-07-24 07:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\IObit
2009-07-24 07:52 . 2009-07-24 07:52 -------- d-----w- c:\program files\IObit
2009-07-12 07:14 . 2009-07-12 07:13 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-12 07:09 . 2009-07-12 07:09 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_14\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( 在三個月內被修改的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-28 15:52 . 2006-12-07 09:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-27 08:14 . 2005-07-23 13:51 80080 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-24 08:04 . 2008-06-28 07:57 -------- d-----w- c:\program files\GoldWave
2009-07-24 08:04 . 2008-03-31 08:28 -------- d-----w- c:\program files\Wisdom-soft ScreenHunter 5 Free
2009-07-24 08:04 . 2008-03-09 08:30 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-07-24 08:04 . 2008-02-26 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\WLInstaller
2009-07-24 08:04 . 2005-10-07 06:19 -------- d-----w- c:\program files\Microsoft AntiSpyware
2009-07-24 08:04 . 2005-07-23 14:28 -------- d-----w- c:\program files\OfficeUpdate11
2009-07-23 17:21 . 2006-12-07 09:34 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-23 04:36 . 2009-04-21 09:04 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-12 07:12 . 2007-10-10 03:02 -------- d-----w- c:\program files\Java
2009-06-24 12:57 . 2009-06-24 12:56 -------- d-----w- c:\program files\AdvancedDVDPlayer
2009-06-16 14:36 . 2004-08-03 16:47 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2001-09-05 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-13 07:40 . 2007-01-09 12:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Foxy
2009-06-12 07:55 . 2001-09-05 12:00 334386 ----a-w- c:\windows\system32\prfh0404.dat
2009-06-12 07:55 . 2001-09-05 12:00 115940 ----a-w- c:\windows\system32\prfc0404.dat
2009-06-03 19:09 . 2004-08-03 16:47 1272832 ----a-w- c:\windows\system32\quartz.dll
2009-06-03 13:35 . 2009-06-03 13:29 126610 ----a-w- c:\windows\hpqins00.dat
2009-05-07 15:32 . 2004-08-03 16:47 340992 ----a-w- c:\windows\system32\localspl.dll
2004-03-11 05:27 . 2005-10-12 09:08 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2009-07-23 12:22 . 2009-01-06 07:24 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((((((((((( 重要登入點 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白與合法缺省登錄將不會被顯示
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"PowerBar"="c:\program files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" [2004-04-21 86016]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2009-06-30 2329224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 59392]
"CJIMETIPSYNC"="c:\program files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE" [2007-03-22 66400]
"PHIMETIPSYNC"="c:\program files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE" [2007-03-22 98656]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 141312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-12 148888]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"SiSPower"="SiSPower.dll" - c:\windows\system32\SiSPower.dll [2006-03-08 49152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Administrator\「開始」功能表\程式集\啟動\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\「開始」功能表\程式集\啟動\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Utility Tray.lnk - c:\windows\system32\sistray.exe [2006-12-7 262144]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprecovr \SystemRoot\sprecovr.txt

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26716:TCP"= 26716:TCP:BitComet 26716 TCP
"26716:UDP"= 26716:UDP:BitComet 26716 UDP

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008/4/2 下午 04:24 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008/4/2 下午 04:24 20560]
S2 COMLoader;DCOM Service Process Manager;c:\windows\system32\svchost.exe -k netsvcs [2004/8/4 上午 12:48 14336]
S2 IZNZMXK;YWLFVLARDTJVQ;c:\windows\system32\svchost.exe -k VTIBRGWMYODP [2004/8/4 上午 12:48 14336]
S2 ntserv;NetWork Service;c:\program files\common files\system\ntserv.exe -system --> c:\program files\common files\system\ntserv.exe -system [?]
S2 Serviceserverhelp;Serviceserverhelp;c:\windows\system32\serverplays.exe --> c:\windows\system32\serverplays.exe [?]
S2 syster.exe;syster.exe;c:\windows\syster.exe --> c:\windows\syster.exe [?]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe --> c:\program files\NOS\bin\getPlus_HelperSvc.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
VTIBRGWMYODP REG_MULTI_SZ IZNZMXK
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
COMLoader
.
‘計劃任務’ 文件夾 裡的內容

2009-07-29 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-30 14:18]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Cmaudio - cmicnfg.cpl


.
------- 而外的掃描 -------
.
uStart Page = hxxp://hk.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: 匯出至 Microsoft Office Excel(&X) - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {003FACAF-40CB-4358-96D2-B0D8CEF4DBF5} - hxxps://bet.hongkongjockeyclub.com/ib/skey/ch/cab/EWinSKey.CAB
DPF: {3AC7F64E-6154-47B0-82B5-764ED4077F77} - hxxp://txn02.hkjc.com/BetSlip/object/eWinCtl.cab
DPF: {A22B8FD2-4CAA-4EFB-82F7-680CD656D9B0} - hxxp://www.gogobox.com.tw/neo.fld/GNowStarter.cab
DPF: {DF6EC361-726D-4C6B-A284-F391A60A21C0} - hxxp://live.jiguang.tv/1000test/traila/unioncastDownload.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\sqzfe3y5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig#restore

---- 火狐配置文件 ----
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 4095
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 1000000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 1000000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 1000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-29 21:54
Windows 5.1.2600 Service Pack 3 NTFS

掃描被隱藏的進程 ...

掃描被隱藏的啟動組 ...

掃描被隱藏的文件 ...

掃描完成
被隱藏的檔案: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\COMLoader]
"ServiceDll"="c:\windows\inf\dvdromdrv32.inf"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1482476501-436374069-1343024091-500\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft FrontPage\Settings\送 *W*e*b* *MOn\File Name MRU]
"Value"=multi:"\00\00"
"Maximum Entries"=dword:0000000a

[HKEY_USERS\S-1-5-21-1482476501-436374069-1343024091-500\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft FrontPage\Settings\送 *W*e*b* *MOn\View]
"Data"=hex:04,16,00,43,28,14,14,14,0d,01,02,01,00,18,41,00,0d,00,fa,08,00,00,
8b,44,0d,00,fa,08,00,00,8b,44,0d,00,fa,08,00,00,8b,44,0d,00,fa,08,00,00,8b,\

[HKEY_USERS\S-1-5-21-1482476501-436374069-1343024091-500\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft FrontPage\Settings\?_U *W*e*b*\File Name MRU]
"Value"=multi:"\00\00"
"Maximum Entries"=dword:0000000a

[HKEY_USERS\S-1-5-21-1482476501-436374069-1343024091-500\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft FrontPage\Settings\?_U *W*e*b*\View]
"Data"=hex:04,16,00,43,28,14,14,14,0d,01,02,01,00,18,41,00,0d,00,fa,08,00,00,
8b,44,0d,00,fa,08,00,00,8b,44,0d,00,fa,08,00,00,8b,44,0d,00,fa,08,00,00,8b,\

[HKEY_USERS\S-1-5-21-1482476501-436374069-1343024091-500\Software\Microsoft\Office\11.0\Common\Open Find\Microsoft Office Word\Settings\X*S*L* *Ic\File Name MRU]
"Value"=multi:"\00\00"
"Maximum Entries"=dword:0000000a

[HKEY_USERS\S-1-5-21-1482476501-436374069-1343024091-500\Software\Microsoft\Office\11.0\Common\Open Find\Microsoft Office Word\Settings\X*S*L* *Ic\View]
"Data"=hex:04,16,00,47,28,14,14,14,0d,01,02,01,00,18,41,00,0d,00,fa,08,00,00,
90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,\

[HKEY_USERS\S-1-5-21-1482476501-436374069-1343024091-500\Software\Nq? *駤? *n蠨qui *F_ ?~家 *Q妻9?*駤? *n蠨qui]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CLSID]
@="{809B6661-94C4-49E6-B6EC-3F0F862215AA}"

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CurVer]
@="BDATuner.元件.1"

[HKEY_LOCAL_MACHINE\software\Classes\N*e*r*o*lxKa\DefaultIcon]
@="c:\\PROGRA~1\\Ahead\\nero\\nero.exe,14"

[HKEY_LOCAL_MACHINE\software\Classes\N*e*r*o*lxKa\shell\open\command]
@="c:\\PROGRA~1\\Ahead\\nero\\nero.exe \"%1\""

[HKEY_LOCAL_MACHINE\software\Classes\N*e*r*o*lxKa\shell\print\command]
@="c:\\PROGRA~1\\Ahead\\nero\\nero.exe /p \"%1\""

[HKEY_LOCAL_MACHINE\software\Classes\N*e*r*o*lxKa\shell\printto\command]
@="c:\\PROGRA~1\\Ahead\\nero\\nero.exe /pt \"%1\" \"%2\" \"%3\" \"%4\""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Syncmgr\AutoSync\SZE-462B6673BE0_Administrator\L*A*N* *#}\{7FC0B86E-5FA7-11D1-BC7C-00C04FD929DB}]
@Allowed: (A B 1 2 3 4 5 6) (S-1-5-4)
"ItemsChecked"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Syncmgr\AutoSync\SZE-462B6673BE0_Administrator\L*A*N* *#}\{7FC0B86E-5FA7-11D1-BC7C-00C04FD929DB}\{0383BF20-8F60-01C5-0000-00002BCC8B35}]
"CheckState"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Syncmgr\Idle\SZE-462B6673BE0_Administrator\L*A*N* *#}\{7FC0B86E-5FA7-11D1-BC7C-00C04FD929DB}]
"ItemsChecked"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Syncmgr\Idle\SZE-462B6673BE0_Administrator\L*A*N* *#}\{7FC0B86E-5FA7-11D1-BC7C-00C04FD929DB}\{0383BF20-8F60-01C5-0000-00002BCC8B35}]
"CheckState"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Syncmgr\Manual\SZE-462B6673BE0_Administrator\L*A*N* *#}\{7FC0B86E-5FA7-11D1-BC7C-00C04FD929DB}\{0383BF20-8F60-01C5-0000-00002BCC8B35}]
"CheckState"=dword:00000001
.
--------------------- 運行進程下的動態鏈接庫 ---------------------

- - - - - - - > 'explorer.exe'(2668)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ 其他運行進程 ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\conime.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
完成時間: 2009-07-29 22:02 - 電腦已重新啟動
ComboFix-quarantined-files.txt 2009-07-29 14:02

Pre-Run: 62,369,378,304 位元組可用
Post-Run: 62,252,838,912 位元組可用

WindowsXP-KB310994-SP2-Pro-BootDisk-CHT.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

289 --- E O F --- 2009-07-22 17:27


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 下午 10:06:21, on 2009/7/29
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: ShowHKToolbar Class - {06433BFE-4946-4E89-823D-CD359C81CD06} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {24F06550-65E3-4D1C-8CFE-839C296B5530} - (no file)
O2 - BHO: Hong Kong Toolbar - {481EE3EC-C026-4F9A-BA22-FD07654ADFC0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - (no file)
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O3 - Toolbar: Hong Kong Toolbar - {481EE3EC-C026-4F9A-BA22-FD07654ADFC0} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: 匯出至 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: HP 智慧型選取 - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {003FACAF-40CB-4358-96D2-B0D8CEF4DBF5} (SKeyHelper Class) - https://bet.hongkongjockeyclub.com/ib/skey/ch/cab/EWinSKey.CAB
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/ocis/OSInfo.cab
O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/ocis/SiSAutodetectNT.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3AC7F64E-6154-47B0-82B5-764ED4077F77} (DataStorage Class) - http://txn02.hkjc.com/BetSlip/object/eWinCtl.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/ZH-HK/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A22B8FD2-4CAA-4EFB-82F7-680CD656D9B0} (NowStarter Control) - http://www.gogobox.com.tw/neo.fld/GNowStarter.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF6EC361-726D-4C6B-A284-F391A60A21C0} (UnioncastDownloadAx Control) - http://live.jiguang.tv/1000test/traila/unioncastDownload.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus(R) Helper - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NetWork Service (ntserv) - Unknown owner - c:\program files\common files\system\ntserv.exe (file missing)
O23 - Service: Serviceserverhelp - Unknown owner - C:\WINDOWS\system32\serverplays.exe (file missing)
O23 - Service: syster.exe - Unknown owner - C:\WINDOWS\syster.exe (file missing)

--
End of file - 8481 bytes

i have been a bit late~
thanks so much my helper!
 
Step 1

Custom CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code: 
    NetSvc::
COMLoader
File::
c:\windows\inf\dvdromdrv32.inf
Driver::
COMLoader
IZNZMXK
ntserv
Serviceserverhelp
syster.exe
REGISTRY::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"VTIBRGWMYODP"=-

ADS::
  • Save this as CFScript.txt and place it on your desktop.


    CFScriptb.gif


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


----------------------------------------------------------------------------------------
Step 2

Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


----------------------------------------------------------------------------------------
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
Some of the logs I request will be quite large, You may need to split them over a couple of replies.
  • Comofix Log
  • Kaspersky Log
  • How are things running now ?
 
ComboFix 09-07-29.04 - Administrator /07/30 星期四 20:49.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.950.886.1028.18.479.265 [GMT 8:00]
執行位置: c:\documents and settings\Administrator\桌面\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\桌面\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090729-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"c:\windows\inf\dvdromdrv32.inf"
.

((((((((((((((((((((((((((((((((((((((( 被刪除的檔案 )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( 驅動/服務 )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_COMLOADER
-------\Legacy_IZNZMXK
-------\Legacy_NTSERV
-------\Legacy_SERVICESERVERHELP
-------\Legacy_SYSTER.EXE
-------\Service_COMLoader
-------\Service_IZNZMXK
-------\Service_ntserv
-------\Service_Serviceserverhelp
-------\Service_syster.exe


((((((((((((((((((((((((( 2009-06-28 至 2009-07-30 的新的檔案 )))))))))))))))))))))))))))))))
.

2009-07-29 15:16 . 2009-06-02 10:11 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-07-29 15:16 . 2008-06-08 15:58 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
2009-07-29 15:16 . 2009-07-29 15:16 -------- d-----w- c:\program files\ffdshow
2009-07-29 14:50 . 2009-07-29 14:51 -------- d-----w- c:\program files\YouTube Downloader
2009-07-28 17:30 . 2009-07-28 17:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-07-28 17:24 . 2009-07-13 05:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-28 17:24 . 2009-07-28 17:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-28 17:24 . 2009-07-13 05:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-28 17:24 . 2009-07-28 17:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-28 16:02 . 2009-07-28 16:03 -------- d-----w- C:\rsit
2009-07-27 09:44 . 2009-07-27 09:44 -------- d-----w- c:\program files\Trend Micro
2009-07-27 09:18 . 2009-07-27 09:18 -------- d-----w- c:\program files\ERUNT
2009-07-26 15:47 . 2005-08-30 07:19 1052672 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Dreamweaver 8\Configuration\Flash Player\FlashPlayerW.dll
2009-07-26 15:36 . 2009-07-26 15:44 -------- d-----w- c:\program files\Common Files\Macromedia
2009-07-26 15:36 . 2009-07-26 15:39 -------- d-----w- c:\program files\Macromedia
2009-07-24 08:16 . 2009-07-24 08:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\ImTOO Software Studio
2009-07-24 07:52 . 2009-07-24 07:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\IObit
2009-07-24 07:52 . 2009-07-24 07:52 -------- d-----w- c:\program files\IObit
2009-07-12 07:14 . 2009-07-12 07:13 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-12 07:09 . 2009-07-12 07:09 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_14\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( 在三個月內被修改的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-28 15:52 . 2006-12-07 09:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-27 08:14 . 2005-07-23 13:51 80080 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-24 08:04 . 2008-06-28 07:57 -------- d-----w- c:\program files\GoldWave
2009-07-24 08:04 . 2008-03-31 08:28 -------- d-----w- c:\program files\Wisdom-soft ScreenHunter 5 Free
2009-07-24 08:04 . 2008-03-09 08:30 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-07-24 08:04 . 2008-02-26 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\WLInstaller
2009-07-24 08:04 . 2005-10-07 06:19 -------- d-----w- c:\program files\Microsoft AntiSpyware
2009-07-24 08:04 . 2005-07-23 14:28 -------- d-----w- c:\program files\OfficeUpdate11
2009-07-23 17:21 . 2006-12-07 09:34 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-23 04:36 . 2009-04-21 09:04 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-12 07:12 . 2007-10-10 03:02 -------- d-----w- c:\program files\Java
2009-06-29 15:55 . 2004-08-03 16:47 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 15:55 . 2004-08-03 16:47 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 15:55 . 2004-08-03 16:47 17408 ------w- c:\windows\system32\corpol.dll
2009-06-24 12:57 . 2009-06-24 12:56 -------- d-----w- c:\program files\AdvancedDVDPlayer
2009-06-16 14:36 . 2004-08-03 16:47 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2001-09-05 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-13 07:40 . 2007-01-09 12:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Foxy
2009-06-12 07:55 . 2001-09-05 12:00 334386 ----a-w- c:\windows\system32\prfh0404.dat
2009-06-12 07:55 . 2001-09-05 12:00 115940 ----a-w- c:\windows\system32\prfc0404.dat
2009-06-03 19:09 . 2004-08-03 16:47 1272832 ----a-w- c:\windows\system32\quartz.dll
2009-06-03 13:35 . 2009-06-03 13:29 126610 ----a-w- c:\windows\hpqins00.dat
2009-05-07 15:32 . 2004-08-03 16:47 340992 ----a-w- c:\windows\system32\localspl.dll
2004-03-11 05:27 . 2005-10-12 09:08 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2009-07-23 12:22 . 2009-01-06 07:24 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-29_13.56.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-11 11:41 . 2009-07-11 11:41 97280 c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_473666fd\ATL80.dll
+ 2009-07-30 12:25 . 2009-07-30 12:25 16384 c:\windows\Temp\Perflib_Perfdata_570.dat
+ 2009-07-30 12:57 . 2009-07-30 12:57 16384 c:\windows\Temp\Perflib_Perfdata_554.dat
+ 2004-08-03 16:47 . 2009-06-29 15:55 44544 c:\windows\system32\pngfilt.dll
- 2004-08-03 16:47 . 2009-04-29 04:42 44544 c:\windows\system32\pngfilt.dll
+ 2007-08-13 10:54 . 2009-06-29 15:55 52224 c:\windows\system32\msfeedsbs.dll
- 2007-08-13 10:54 . 2009-04-29 04:42 52224 c:\windows\system32\msfeedsbs.dll
- 2009-01-06 07:39 . 2009-03-07 05:36 84661 c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2009-01-06 07:39 . 2009-07-29 14:44 84661 c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2004-08-03 16:47 . 2009-06-29 15:55 27648 c:\windows\system32\jsproxy.dll
- 2004-08-03 16:47 . 2009-04-29 04:42 27648 c:\windows\system32\jsproxy.dll
+ 2007-08-13 10:39 . 2009-06-29 11:07 13824 c:\windows\system32\ieudinit.exe
- 2007-08-13 10:39 . 2009-04-28 09:04 13824 c:\windows\system32\ieudinit.exe
- 2004-08-03 16:47 . 2009-04-29 04:41 44544 c:\windows\system32\iernonce.dll
+ 2004-08-03 16:47 . 2009-06-29 15:55 44544 c:\windows\system32\iernonce.dll
- 2004-08-03 16:47 . 2009-04-28 09:04 70656 c:\windows\system32\ie4uinit.exe
+ 2004-08-03 16:47 . 2009-06-29 11:07 70656 c:\windows\system32\ie4uinit.exe
+ 2007-08-13 10:36 . 2009-06-29 15:55 63488 c:\windows\system32\icardie.dll
- 2007-08-13 10:36 . 2009-04-29 04:41 63488 c:\windows\system32\icardie.dll
+ 2004-08-03 16:47 . 2009-06-29 15:55 44544 c:\windows\system32\dllcache\pngfilt.dll
- 2004-08-03 16:47 . 2009-04-29 04:42 44544 c:\windows\system32\dllcache\pngfilt.dll
- 2008-02-11 11:57 . 2009-04-29 04:42 52224 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2008-02-11 11:57 . 2009-06-29 15:55 52224 c:\windows\system32\dllcache\msfeedsbs.dll
- 2004-08-03 16:47 . 2009-04-29 04:42 27648 c:\windows\system32\dllcache\jsproxy.dll
+ 2004-08-03 16:47 . 2009-06-29 15:55 27648 c:\windows\system32\dllcache\jsproxy.dll
+ 2008-02-11 11:57 . 2009-06-29 11:07 13824 c:\windows\system32\dllcache\ieudinit.exe
- 2008-02-11 11:57 . 2009-04-28 09:04 13824 c:\windows\system32\dllcache\ieudinit.exe
- 2004-08-03 16:47 . 2009-04-29 04:41 44544 c:\windows\system32\dllcache\iernonce.dll
+ 2004-08-03 16:47 . 2009-06-29 15:55 44544 c:\windows\system32\dllcache\iernonce.dll
- 2009-02-20 16:49 . 2009-04-29 04:41 78336 c:\windows\system32\dllcache\ieencode.dll
+ 2009-02-20 16:49 . 2009-06-29 15:55 78336 c:\windows\system32\dllcache\ieencode.dll
- 2004-08-03 16:47 . 2009-04-28 09:04 70656 c:\windows\system32\dllcache\ie4uinit.exe
+ 2004-08-03 16:47 . 2009-06-29 11:07 70656 c:\windows\system32\dllcache\ie4uinit.exe
- 2008-02-11 11:57 . 2009-04-29 04:41 63488 c:\windows\system32\dllcache\icardie.dll
+ 2008-02-11 11:57 . 2009-06-29 15:55 63488 c:\windows\system32\dllcache\icardie.dll
+ 2009-06-29 15:55 . 2009-06-29 15:55 17408 c:\windows\system32\dllcache\corpol.dll
+ 2009-07-29 17:05 . 2009-04-29 04:42 44544 c:\windows\ie7updates\KB972260-IE7\pngfilt.dll
+ 2009-07-29 17:05 . 2009-04-29 04:42 52224 c:\windows\ie7updates\KB972260-IE7\msfeedsbs.dll
+ 2009-07-29 17:05 . 2009-04-29 04:42 27648 c:\windows\ie7updates\KB972260-IE7\jsproxy.dll
+ 2009-07-29 17:05 . 2009-04-28 09:04 13824 c:\windows\ie7updates\KB972260-IE7\ieudinit.exe
+ 2009-07-29 17:05 . 2009-04-29 04:41 44544 c:\windows\ie7updates\KB972260-IE7\iernonce.dll
+ 2009-07-29 17:05 . 2009-04-29 04:41 78336 c:\windows\ie7updates\KB972260-IE7\ieencode.dll
+ 2009-07-29 17:05 . 2009-04-28 09:04 70656 c:\windows\ie7updates\KB972260-IE7\ie4uinit.exe
+ 2009-07-29 17:05 . 2009-04-29 04:41 63488 c:\windows\ie7updates\KB972260-IE7\icardie.dll
+ 2009-07-29 17:05 . 2008-04-14 13:59 35328 c:\windows\ie7updates\KB972260-IE7\corpol.dll
+ 2004-08-03 16:47 . 2009-06-29 15:55 233472 c:\windows\system32\webcheck.dll
- 2004-08-03 16:47 . 2009-04-29 04:42 233472 c:\windows\system32\webcheck.dll
- 2004-08-03 16:47 . 2009-04-29 04:42 105984 c:\windows\system32\url.dll
+ 2004-08-03 16:47 . 2009-06-29 15:55 105984 c:\windows\system32\url.dll
+ 2004-08-03 16:47 . 2009-06-29 15:55 102912 c:\windows\system32\occache.dll
- 2004-08-03 16:47 . 2009-04-29 04:42 102912 c:\windows\system32\occache.dll
+ 2004-08-03 16:47 . 2009-06-29 15:55 671232 c:\windows\system32\mstime.dll
- 2004-08-03 16:47 . 2009-04-29 04:42 671232 c:\windows\system32\mstime.dll
- 2004-08-03 16:47 . 2009-04-29 04:42 193024 c:\windows\system32\msrating.dll
+ 2004-08-03 16:47 . 2009-06-29 15:55 193024 c:\windows\system32\msrating.dll
+ 2004-08-03 16:47 . 2009-06-29 15:55 477696 c:\windows\system32\mshtmled.dll
- 2004-08-03 16:47 . 2009-04-29 04:42 477696 c:\windows\system32\mshtmled.dll
+ 2007-08-13 10:54 . 2009-06-29 15:55 459264 c:\windows\system32\msfeeds.dll
- 2007-08-13 10:54 . 2009-04-29 04:42 459264 c:\windows\system32\msfeeds.dll
+ 2007-08-13 10:34 . 2009-06-29 15:55 268288 c:\windows\system32\iertutil.dll
- 2007-08-13 10:34 . 2009-04-29 04:41 268288 c:\windows\system32\iertutil.dll
- 2004-08-03 16:47 . 2009-04-29 04:41 385024 c:\windows\system32\iedkcs32.dll
+ 2004-08-03 16:47 . 2009-06-29 15:55 385024 c:\windows\system32\iedkcs32.dll
+ 2007-07-11 04:27 . 2009-06-29 15:55 380928 c:\windows\system32\ieapfltr.dll
+ 2001-09-05 12:00 . 2009-06-29 08:33 161792 c:\windows\system32\ieakui.dll
- 2001-09-05 12:00 . 2009-04-25 05:26 161792 c:\windows\system32\ieakui.dll
- 2004-08-03 16:47 . 2009-04-29 04:41 230400 c:\windows\system32\ieaksie.dll
+ 2004-08-03 16:47 . 2009-06-29 15:55 230400 c:\windows\system32\ieaksie.dll
- 2004-08-03 16:47 . 2009-04-29 04:41 153088 c:\windows\system32\ieakeng.dll
+ 2004-08-03 16:47 . 2009-06-29 15:55 153088 c:\windows\system32\ieakeng.dll
+ 2004-08-03 16:47 . 2009-06-29 15:55 133120 c:\windows\system32\extmgr.dll
- 2004-08-03 16:47 . 2009-04-29 04:41 133120 c:\windows\system32\extmgr.dll
- 2004-08-03 16:47 . 2009-04-29 04:41 214528 c:\windows\system32\dxtrans.dll
+ 2004-08-03 16:47 . 2009-06-29 15:55 214528 c:\windows\system32\dxtrans.dll
+ 2004-08-03 16:47 . 2009-06-29 15:55 347136 c:\windows\system32\dxtmsft.dll
- 2004-08-03 16:47 . 2009-04-29 04:41 347136 c:\windows\system32\dxtmsft.dll
- 2004-08-03 16:47 . 2009-04-29 04:42 827392 c:\windows\system32\dllcache\wininet.dll
+ 2004-08-03 16:47 . 2009-06-29 15:55 827392 c:\windows\system32\dllcache\wininet.dll
- 2004-08-03 16:47 . 2009-04-29 04:42 233472 c:\windows\system32\dllcache\webcheck.dll
+ 2004-08-03 16:47 . 2009-06-29 15:55 233472 c:\windows\system32\dllcache\webcheck.dll
- 2004-08-03 16:47 . 2009-04-29 04:42 105984 c:\windows\system32\dllcache\url.dll
+ 2004-08-03 16:47 . 2009-06-29 15:55 105984 c:\windows\system32\dllcache\url.dll
+ 2004-08-03 16:47 . 2009-06-29 15:55 102912 c:\windows\system32\dllcache\occache.dll
- 2004-08-03 16:47 . 2009-04-29 04:42 102912 c:\windows\system32\dllcache\occache.dll
- 2004-08-03 16:47 . 2009-04-29 04:42 671232 c:\windows\system32\dllcache\mstime.dll
+ 2004-08-03 16:47 . 2009-06-29 15:55 671232 c:\windows\system32\dllcache\mstime.dll
+ 2004-08-03 16:47 . 2009-06-29 15:55 193024 c:\windows\system32\dllcache\msrating.dll
- 2004-08-03 16:47 . 2009-04-29 04:42 193024 c:\windows\system32\dllcache\msrating.dll
+ 2004-08-03 16:47 . 2009-06-29 15:55 477696 c:\windows\system32\dllcache\mshtmled.dll
- 2004-08-03 16:47 . 2009-04-29 04:42 477696 c:\windows\system32\dllcache\mshtmled.dll
- 2008-02-11 11:57 . 2009-04-29 04:42 459264 c:\windows\system32\dllcache\msfeeds.dll
+ 2008-02-11 11:57 . 2009-06-29 15:55 459264 c:\windows\system32\dllcache\msfeeds.dll
+ 2005-07-23 13:40 . 2009-06-29 08:35 634632 c:\windows\system32\dllcache\iexplore.exe
+ 2008-02-11 11:57 . 2009-06-29 15:55 268288 c:\windows\system32\dllcache\iertutil.dll
- 2008-02-11 11:57 . 2009-04-29 04:41 268288 c:\windows\system32\dllcache\iertutil.dll
- 2004-08-03 16:47 . 2009-04-29 04:41 385024 c:\windows\system32\dllcache\iedkcs32.dll
+ 2004-08-03 16:47 . 2009-06-29 15:55 385024 c:\windows\system32\dllcache\iedkcs32.dll
+ 2008-02-11 11:57 . 2009-06-29 15:55 380928 c:\windows\system32\dllcache\ieapfltr.dll
+ 2001-09-05 12:00 . 2009-06-29 08:33 161792 c:\windows\system32\dllcache\ieakui.dll
- 2001-09-05 12:00 . 2009-04-25 05:26 161792 c:\windows\system32\dllcache\ieakui.dll
- 2004-08-03 16:47 . 2009-04-29 04:41 230400 c:\windows\system32\dllcache\ieaksie.dll
+ 2004-08-03 16:47 . 2009-06-29 15:55 230400 c:\windows\system32\dllcache\ieaksie.dll
+ 2004-08-03 16:47 . 2009-06-29 15:55 153088 c:\windows\system32\dllcache\ieakeng.dll
- 2004-08-03 16:47 . 2009-04-29 04:41 153088 c:\windows\system32\dllcache\ieakeng.dll
+ 2004-08-03 16:47 . 2009-06-29 15:55 133120 c:\windows\system32\dllcache\extmgr.dll
- 2004-08-03 16:47 . 2009-04-29 04:41 133120 c:\windows\system32\dllcache\extmgr.dll
+ 2004-08-03 16:47 . 2009-06-29 15:55 214528 c:\windows\system32\dllcache\dxtrans.dll
- 2004-08-03 16:47 . 2009-04-29 04:41 214528 c:\windows\system32\dllcache\dxtrans.dll
+ 2004-08-03 16:47 . 2009-06-29 15:55 347136 c:\windows\system32\dllcache\dxtmsft.dll
- 2004-08-03 16:47 . 2009-04-29 04:41 347136 c:\windows\system32\dllcache\dxtmsft.dll
+ 2004-08-03 16:47 . 2009-06-29 15:55 124928 c:\windows\system32\dllcache\advpack.dll
- 2004-08-03 16:47 . 2009-04-29 04:41 124928 c:\windows\system32\dllcache\advpack.dll
- 2004-08-03 16:47 . 2009-04-29 04:41 124928 c:\windows\system32\advpack.dll
+ 2004-08-03 16:47 . 2009-06-29 15:55 124928 c:\windows\system32\advpack.dll
+ 2009-07-29 17:04 . 2009-07-29 17:04 248832 c:\windows\Installer\b033a7.msi
+ 2009-07-29 17:05 . 2009-04-29 04:42 827392 c:\windows\ie7updates\KB972260-IE7\wininet.dll
+ 2009-07-29 17:05 . 2009-04-29 04:42 233472 c:\windows\ie7updates\KB972260-IE7\webcheck.dll
+ 2009-07-29 17:05 . 2009-04-29 04:42 105984 c:\windows\ie7updates\KB972260-IE7\url.dll
+ 2009-07-29 17:05 . 2009-05-26 11:43 340344 c:\windows\ie7updates\KB972260-IE7\spuninst\updspapi.dll
+ 2009-07-29 17:05 . 2008-07-08 13:22 225144 c:\windows\ie7updates\KB972260-IE7\spuninst\spuninst.exe
+ 2009-07-29 17:05 . 2009-04-29 04:42 102912 c:\windows\ie7updates\KB972260-IE7\occache.dll
+ 2009-07-29 17:05 . 2009-04-29 04:42 671232 c:\windows\ie7updates\KB972260-IE7\mstime.dll
+ 2009-07-29 17:05 . 2009-04-29 04:42 193024 c:\windows\ie7updates\KB972260-IE7\msrating.dll
+ 2009-07-29 17:05 . 2009-04-29 04:42 477696 c:\windows\ie7updates\KB972260-IE7\mshtmled.dll
+ 2009-07-29 17:05 . 2009-04-29 04:42 459264 c:\windows\ie7updates\KB972260-IE7\msfeeds.dll
+ 2009-07-29 17:05 . 2009-04-25 05:27 636088 c:\windows\ie7updates\KB972260-IE7\iexplore.exe
+ 2009-07-29 17:05 . 2009-04-29 04:41 268288 c:\windows\ie7updates\KB972260-IE7\iertutil.dll
+ 2009-07-29 17:05 . 2009-04-29 04:41 385024 c:\windows\ie7updates\KB972260-IE7\iedkcs32.dll
+ 2009-07-29 17:05 . 2009-04-29 04:41 383488 c:\windows\ie7updates\KB972260-IE7\ieapfltr.dll
+ 2009-07-29 17:05 . 2009-04-25 05:26 161792 c:\windows\ie7updates\KB972260-IE7\ieakui.dll
+ 2009-07-29 17:05 . 2009-04-29 04:41 230400 c:\windows\ie7updates\KB972260-IE7\ieaksie.dll
+ 2009-07-29 17:05 . 2009-04-29 04:41 153088 c:\windows\ie7updates\KB972260-IE7\ieakeng.dll
+ 2009-07-29 17:05 . 2009-04-29 04:41 133120 c:\windows\ie7updates\KB972260-IE7\extmgr.dll
+ 2009-07-29 17:05 . 2009-04-29 04:41 214528 c:\windows\ie7updates\KB972260-IE7\dxtrans.dll
+ 2009-07-29 17:05 . 2009-04-29 04:41 347136 c:\windows\ie7updates\KB972260-IE7\dxtmsft.dll
+ 2009-07-29 17:05 . 2009-04-29 04:41 124928 c:\windows\ie7updates\KB972260-IE7\advpack.dll
+ 2009-07-30 12:25 . 2009-07-30 12:25 225280 c:\windows\ERDNT\AutoBackup\2009-7-30\Users\00000002\UsrClass.dat
+ 2009-07-30 12:25 . 2005-10-20 04:02 163328 c:\windows\ERDNT\AutoBackup\2009-7-30\ERDNT.EXE
+ 2004-08-03 16:47 . 2009-06-29 15:55 1159680 c:\windows\system32\urlmon.dll
- 2004-08-03 16:47 . 2009-04-29 04:42 1159680 c:\windows\system32\urlmon.dll
+ 2004-08-03 16:47 . 2009-07-19 13:25 3597824 c:\windows\system32\mshtml.dll
+ 2007-08-13 10:54 . 2009-07-19 13:25 6067200 c:\windows\system32\ieframe.dll
+ 2007-02-12 08:10 . 2009-06-29 08:33 2452872 c:\windows\system32\ieapfltr.dat
- 2004-08-03 16:47 . 2009-04-29 04:42 1159680 c:\windows\system32\dllcache\urlmon.dll
+ 2004-08-03 16:47 . 2009-06-29 15:55 1159680 c:\windows\system32\dllcache\urlmon.dll
+ 2004-08-03 16:47 . 2009-07-19 13:25 3597824 c:\windows\system32\dllcache\mshtml.dll
+ 2008-02-11 11:57 . 2009-07-19 13:25 6067200 c:\windows\system32\dllcache\ieframe.dll
+ 2008-02-11 11:57 . 2009-06-29 08:33 2452872 c:\windows\system32\dllcache\ieapfltr.dat
+ 2009-07-29 17:05 . 2009-04-29 04:42 1159680 c:\windows\ie7updates\KB972260-IE7\urlmon.dll
+ 2009-07-29 17:05 . 2009-04-29 04:42 3596288 c:\windows\ie7updates\KB972260-IE7\mshtml.dll
+ 2009-07-29 17:05 . 2009-04-29 04:41 6066176 c:\windows\ie7updates\KB972260-IE7\ieframe.dll
+ 2009-07-29 17:05 . 2008-07-09 14:25 2455488 c:\windows\ie7updates\KB972260-IE7\ieapfltr.dat
+ 2009-07-30 12:25 . 2009-07-30 12:25 13295616 c:\windows\ERDNT\AutoBackup\2009-7-30\Users\00000001\ntuser.dat
.
-- 快照技術重新設置 --
.
((((((((((((((((((((((((((((((((((((( 重要登入點 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白與合法缺省登錄將不會被顯示
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"PowerBar"="c:\program files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" [2004-04-21 86016]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2009-06-30 2329224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 59392]
"CJIMETIPSYNC"="c:\program files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE" [2007-03-22 66400]
"PHIMETIPSYNC"="c:\program files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE" [2007-03-22 98656]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 141312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-12 148888]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"SiSPower"="SiSPower.dll" - c:\windows\system32\SiSPower.dll [2006-03-08 49152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Administrator\「開始」功能表\程式集\啟動\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\「開始」功能表\程式集\啟動\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Utility Tray.lnk - c:\windows\system32\sistray.exe [2006-12-7 262144]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprecovr \SystemRoot\sprecovr.txt

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26716:TCP"= 26716:TCP:BitComet 26716 TCP
"26716:UDP"= 26716:UDP:BitComet 26716 UDP

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008/4/2 下午 04:24 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008/4/2 下午 04:24 20560]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe --> c:\program files\NOS\bin\getPlus_HelperSvc.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
‘計劃任務’ 文件夾 裡的內容

2009-07-30 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-30 14:18]
.
.
------- 而外的掃描 -------
.
uStart Page = hxxp://hk.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: 匯出至 Microsoft Office Excel(&X) - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {003FACAF-40CB-4358-96D2-B0D8CEF4DBF5} - hxxps://bet.hongkongjockeyclub.com/ib/skey/ch/cab/EWinSKey.CAB
DPF: {3AC7F64E-6154-47B0-82B5-764ED4077F77} - hxxp://txn02.hkjc.com/BetSlip/object/eWinCtl.cab
DPF: {A22B8FD2-4CAA-4EFB-82F7-680CD656D9B0} - hxxp://www.gogobox.com.tw/neo.fld/GNowStarter.cab
DPF: {DF6EC361-726D-4C6B-A284-F391A60A21C0} - hxxp://live.jiguang.tv/1000test/traila/unioncastDownload.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\sqzfe3y5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig#restore

---- 火狐配置文件 ----
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 4095
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 1000000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 1000000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 1000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-30 20:58
Windows 5.1.2600 Service Pack 3 NTFS

掃描被隱藏的進程 ...

掃描被隱藏的啟動組 ...

掃描被隱藏的文件 ...

掃描完成
被隱藏的檔案: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1482476501-436374069-1343024091-500\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft FrontPage\Settings\送 *W*e*b* *MOn\File Name MRU]
"Value"=multi:"\00\00"
"Maximum Entries"=dword:0000000a

[HKEY_USERS\S-1-5-21-1482476501-436374069-1343024091-500\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft FrontPage\Settings\送 *W*e*b* *MOn\View]
"Data"=hex:04,16,00,43,28,14,14,14,0d,01,02,01,00,18,41,00,0d,00,fa,08,00,00,
8b,44,0d,00,fa,08,00,00,8b,44,0d,00,fa,08,00,00,8b,44,0d,00,fa,08,00,00,8b,\

[HKEY_USERS\S-1-5-21-1482476501-436374069-1343024091-500\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft FrontPage\Settings\?_U *W*e*b*\File Name MRU]
"Value"=multi:"\00\00"
"Maximum Entries"=dword:0000000a

[HKEY_USERS\S-1-5-21-1482476501-436374069-1343024091-500\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft FrontPage\Settings\?_U *W*e*b*\View]
"Data"=hex:04,16,00,43,28,14,14,14,0d,01,02,01,00,18,41,00,0d,00,fa,08,00,00,
8b,44,0d,00,fa,08,00,00,8b,44,0d,00,fa,08,00,00,8b,44,0d,00,fa,08,00,00,8b,\

[HKEY_USERS\S-1-5-21-1482476501-436374069-1343024091-500\Software\Microsoft\Office\11.0\Common\Open Find\Microsoft Office Word\Settings\X*S*L* *Ic\File Name MRU]
"Value"=multi:"\00\00"
"Maximum Entries"=dword:0000000a

[HKEY_USERS\S-1-5-21-1482476501-436374069-1343024091-500\Software\Microsoft\Office\11.0\Common\Open Find\Microsoft Office Word\Settings\X*S*L* *Ic\View]
"Data"=hex:04,16,00,47,28,14,14,14,0d,01,02,01,00,18,41,00,0d,00,fa,08,00,00,
90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,\

[HKEY_USERS\S-1-5-21-1482476501-436374069-1343024091-500\Software\Nq? *駤? *n蠨qui *F_ ?~家 *Q妻9?*駤? *n蠨qui]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CLSID]
@="{809B6661-94C4-49E6-B6EC-3F0F862215AA}"

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CurVer]
@="BDATuner.元件.1"

[HKEY_LOCAL_MACHINE\software\Classes\N*e*r*o*lxKa\DefaultIcon]
@="c:\\PROGRA~1\\Ahead\\nero\\nero.exe,14"

[HKEY_LOCAL_MACHINE\software\Classes\N*e*r*o*lxKa\shell\open\command]
@="c:\\PROGRA~1\\Ahead\\nero\\nero.exe \"%1\""

[HKEY_LOCAL_MACHINE\software\Classes\N*e*r*o*lxKa\shell\print\command]
@="c:\\PROGRA~1\\Ahead\\nero\\nero.exe /p \"%1\""

[HKEY_LOCAL_MACHINE\software\Classes\N*e*r*o*lxKa\shell\printto\command]
@="c:\\PROGRA~1\\Ahead\\nero\\nero.exe /pt \"%1\" \"%2\" \"%3\" \"%4\""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Syncmgr\AutoSync\SZE-462B6673BE0_Administrator\L*A*N* *#}\{7FC0B86E-5FA7-11D1-BC7C-00C04FD929DB}]
@Allowed: (A B 1 2 3 4 5 6) (S-1-5-4)
"ItemsChecked"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Syncmgr\AutoSync\SZE-462B6673BE0_Administrator\L*A*N* *#}\{7FC0B86E-5FA7-11D1-BC7C-00C04FD929DB}\{0383BF20-8F60-01C5-0000-00002BCC8B35}]
"CheckState"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Syncmgr\Idle\SZE-462B6673BE0_Administrator\L*A*N* *#}\{7FC0B86E-5FA7-11D1-BC7C-00C04FD929DB}]
"ItemsChecked"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Syncmgr\Idle\SZE-462B6673BE0_Administrator\L*A*N* *#}\{7FC0B86E-5FA7-11D1-BC7C-00C04FD929DB}\{0383BF20-8F60-01C5-0000-00002BCC8B35}]
"CheckState"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Syncmgr\Manual\SZE-462B6673BE0_Administrator\L*A*N* *#}\{7FC0B86E-5FA7-11D1-BC7C-00C04FD929DB}\{0383BF20-8F60-01C5-0000-00002BCC8B35}]
"CheckState"=dword:00000001
.
--------------------- 運行進程下的動態鏈接庫 ---------------------

- - - - - - - > 'explorer.exe'(2476)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ 其他運行進程 ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\conime.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
完成時間: 2009-07-30 21:06 - 電腦已重新啟動
ComboFix-quarantined-files.txt 2009-07-30 13:06
ComboFix2.txt 2009-07-29 14:02

Pre-Run: 62,063,144,960 位元組可用
Post-Run: 62,012,448,768 位元組可用

408 --- E O F --- 2009-07-29 17:06


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Friday, July 31, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Friday, July 31, 2009 08:16:30
Records in database: 2565932
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 88472
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 04:16:39

No malware has been detected. The scan area is clean.

The selected area was scanned.


My computer actually performs quite normally, every program can runs, it only lags often
I wondered if there are too many files, but I found from "MY COMPUTER" that the files only occupied ~25% of the entire hard-disks
And, there are still some pop-up windows from the Windows, saying that there isn't enough space
 
Logfile of random's system information tool 1.06 (written by random/random)
Run by Administrator at 2009-07-31 20:54:52
Microsoft Windows XP Professional Service Pack 3
System drive C: has 59 GB (75%) free of 79 GB
Total RAM: 479 MB (9% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 下午 08:56:18, on 2009/7/31
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\桌面\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Administrator.exe

O2 - BHO: ShowHKToolbar Class - {06433BFE-4946-4E89-823D-CD359C81CD06} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {24F06550-65E3-4D1C-8CFE-839C296B5530} - (no file)
O2 - BHO: Hong Kong Toolbar - {481EE3EC-C026-4F9A-BA22-FD07654ADFC0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - (no file)
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O3 - Toolbar: Hong Kong Toolbar - {481EE3EC-C026-4F9A-BA22-FD07654ADFC0} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: 匯出至 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: HP 智慧型選取 - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {003FACAF-40CB-4358-96D2-B0D8CEF4DBF5} (SKeyHelper Class) - https://bet.hongkongjockeyclub.com/ib/skey/ch/cab/EWinSKey.CAB
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/ocis/OSInfo.cab
O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/ocis/SiSAutodetectNT.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3AC7F64E-6154-47B0-82B5-764ED4077F77} (DataStorage Class) - http://txn02.hkjc.com/BetSlip/object/eWinCtl.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/ZH-HK/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A22B8FD2-4CAA-4EFB-82F7-680CD656D9B0} (NowStarter Control) - http://www.gogobox.com.tw/neo.fld/GNowStarter.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF6EC361-726D-4C6B-A284-F391A60A21C0} (UnioncastDownloadAx Control) - http://live.jiguang.tv/1000test/traila/unioncastDownload.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus(R) Helper - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 8235 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\WGASetup.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06433BFE-4946-4E89-823D-CD359C81CD06}]
ShowHKToolbar Class

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-12-18 59032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{24F06550-65E3-4D1C-8CFE-839C296B5530}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{481EE3EC-C026-4F9A-BA22-FD07654ADFC0}]
Hong Kong Toolbar

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9394EDE7-C8B5-483E-8773-474BF36AF6E4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-07-12 41368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-07-12 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}
{481EE3EC-C026-4F9A-BA22-FD07654ADFC0} - []

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"=C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [2004-08-03 208952]
"MSPY2002"=C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe [2004-08-03 59392]
"CJIMETIPSYNC"=C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE [2007-03-22 66400]
"PHIMETIPSYNC"=C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE [2007-03-22 98656]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe [2006-01-12 155648]
"Synchronization Manager"=C:\WINDOWS\system32\mobsync.exe [2008-04-14 141312]
"SiSPower"=SiSPower.dll,ModeAgent []
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-07-12 148888]
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2009-02-06 81000]
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2007-10-14 49152]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"PowerBar"=C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe [2004-04-21 86016]
"Advanced SystemCare 3"=C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe [2009-06-30 2329224]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2
"Avg7UpdSvc"=2
"Avg7Alrt"=2

C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE
Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe

C:\Documents and Settings\Administrator\「開始」功能表\程式集\啟動
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-05 266280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"HonorAutoRunSetting"=
"NoResolveSearch"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

======File associations======

.js - edit - "C:\Program Files\Macromedia\Dreamweaver 8\dreamweaver.exe" "%1"
.txt - open - C:\WINDOWS\system32\notepad.exe %1

======List of files/folders created in the last 1 months======

2009-07-31 15:28:47 ----SHD---- C:\RECYCLER
2009-07-30 21:06:30 ----A---- C:\ComboFix.txt
2009-07-29 23:16:36 ----A---- C:\WINDOWS\system32\ff_vfw.dll.manifest
2009-07-29 23:16:35 ----A---- C:\WINDOWS\system32\ff_vfw.dll
2009-07-29 23:16:32 ----A---- C:\WINDOWS\system32\pthreadGC2.dll
2009-07-29 23:16:28 ----D---- C:\Program Files\ffdshow
2009-07-29 22:50:57 ----D---- C:\Program Files\YouTube Downloader
2009-07-29 21:44:13 ----A---- C:\Boot.bak
2009-07-29 21:44:06 ----RASHD---- C:\cmdcons
2009-07-29 21:42:28 ----A---- C:\WINDOWS\zip.exe
2009-07-29 21:42:28 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-07-29 21:42:28 ----A---- C:\WINDOWS\SWSC.exe
2009-07-29 21:42:28 ----A---- C:\WINDOWS\SWREG.exe
2009-07-29 21:42:28 ----A---- C:\WINDOWS\sed.exe
2009-07-29 21:42:28 ----A---- C:\WINDOWS\PEV.exe
2009-07-29 21:42:28 ----A---- C:\WINDOWS\NIRCMD.exe
2009-07-29 21:42:28 ----A---- C:\WINDOWS\grep.exe
2009-07-29 21:42:16 ----D---- C:\Qoobox
2009-07-29 01:30:59 ----D---- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2009-07-29 01:24:49 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-07-29 01:24:48 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-07-29 00:02:46 ----D---- C:\rsit
2009-07-27 17:44:53 ----D---- C:\Program Files\Trend Micro
2009-07-27 17:18:47 ----D---- C:\WINDOWS\ERDNT
2009-07-27 17:18:32 ----D---- C:\Program Files\ERUNT
2009-07-27 14:23:13 ----D---- C:\Program Files\xerox
2009-07-26 23:39:42 ----D---- C:\Documents and Settings\All Users\Application Data\Macromedia
2009-07-26 23:36:45 ----D---- C:\Program Files\Common Files\Macromedia
2009-07-26 23:36:44 ----D---- C:\Program Files\Macromedia
2009-07-24 16:16:13 ----D---- C:\Documents and Settings\Administrator\Application Data\ImTOO Software Studio
2009-07-24 15:52:36 ----D---- C:\Documents and Settings\Administrator\Application Data\IObit
2009-07-24 15:52:35 ----D---- C:\Program Files\IObit
2009-07-16 01:47:52 ----HDC---- C:\WINDOWS\$NtUninstallKB973346$
2009-07-16 01:47:38 ----HDC---- C:\WINDOWS\$NtUninstallKB971633$
2009-07-16 01:44:33 ----HDC---- C:\WINDOWS\$NtUninstallKB961371$
2009-07-12 15:14:56 ----A---- C:\WINDOWS\system32\javaws.exe
2009-07-12 15:14:56 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-07-12 15:14:55 ----A---- C:\WINDOWS\system32\javaw.exe
2009-07-12 15:14:55 ----A---- C:\WINDOWS\system32\java.exe
2009-07-01 16:53:32 ----A---- C:\WINDOWS\system32\rmoc3260.dll
2009-07-01 16:53:32 ----A---- C:\WINDOWS\system32\pncrt.dll

======List of files/folders modified in the last 1 months======

2009-07-31 20:55:13 ----D---- C:\WINDOWS\Prefetch
2009-07-31 20:52:33 ----D---- C:\Program Files\Mozilla Firefox
2009-07-31 20:52:32 ----D---- C:\WINDOWS\Temp
2009-07-31 15:30:15 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-07-31 01:27:44 ----D---- C:\WINDOWS\system32\CatRoot2
2009-07-30 21:06:35 ----D---- C:\WINDOWS\system32\drivers
2009-07-30 21:06:35 ----D---- C:\WINDOWS\system32
2009-07-30 21:00:17 ----D---- C:\WINDOWS
2009-07-30 21:00:17 ----A---- C:\WINDOWS\system.ini
2009-07-30 20:55:41 ----D---- C:\WINDOWS\system32\config
2009-07-30 20:53:49 ----D---- C:\WINDOWS\AppPatch
2009-07-30 20:53:44 ----D---- C:\Program Files\Common Files
2009-07-30 01:06:02 ----HD---- C:\WINDOWS\inf
2009-07-30 01:05:47 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-07-30 01:05:43 ----D---- C:\WINDOWS\system32\zh-tw
2009-07-30 01:05:43 ----D---- C:\Program Files\internet explorer
2009-07-30 01:05:28 ----D---- C:\WINDOWS\ie7updates
2009-07-30 01:04:52 ----SHD---- C:\WINDOWS\Installer
2009-07-30 01:04:52 ----HD---- C:\Config.Msi
2009-07-30 01:04:51 ----D---- C:\WINDOWS\WinSxS
2009-07-29 23:20:47 ----A---- C:\WINDOWS\NeroDigital.ini
2009-07-29 23:16:28 ----D---- C:\Program Files
2009-07-29 21:51:03 ----D---- C:\WINDOWS\system32\wbem
2009-07-29 21:44:13 ----RASH---- C:\boot.ini
2009-07-29 18:59:10 ----HD---- C:\WINDOWS\$hf_mig$
2009-07-28 23:52:26 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-27 15:55:32 ----A---- C:\WINDOWS\ntbtlog.txt
2009-07-26 23:49:09 ----D---- C:\Documents and Settings\Administrator\Application Data\Macromedia
2009-07-26 23:33:46 ----D---- C:\WINDOWS\Downloaded Installations
2009-07-24 16:04:41 ----D---- C:\WINDOWS\security
2009-07-24 16:04:40 ----D---- C:\WINDOWS\system32\MsDtc
2009-07-24 16:04:40 ----D---- C:\WINDOWS\repair
2009-07-24 16:04:40 ----D---- C:\WINDOWS\Debug
2009-07-24 16:04:40 ----D---- C:\Program Files\Wisdom-soft ScreenHunter 5 Free
2009-07-24 16:04:40 ----D---- C:\Program Files\OfficeUpdate11
2009-07-24 16:04:40 ----D---- C:\Program Files\Microsoft AntiSpyware
2009-07-24 16:04:40 ----D---- C:\Program Files\GoldWave
2009-07-24 16:04:40 ----D---- C:\MWASPI
2009-07-24 16:04:40 ----D---- C:\Documents and Settings\All Users\Application Data\WLInstaller
2009-07-24 16:04:40 ----D---- C:\Documents and Settings\All Users\Application Data\FLEXnet
2009-07-24 16:04:40 ----D---- C:\Documents and Settings
2009-07-24 01:21:44 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-07-23 12:36:52 ----D---- C:\Program Files\Microsoft Silverlight
2009-07-19 21:25:46 ----A---- C:\WINDOWS\system32\mshtml.dll
2009-07-19 21:25:43 ----A---- C:\WINDOWS\system32\ieframe.dll
2009-07-16 01:47:45 ----A---- C:\WINDOWS\imsins.BAK
2009-07-12 15:12:56 ----D---- C:\Program Files\Java
2009-07-07 23:10:56 ----A---- C:\WINDOWS\system32\MRT.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS\system32\drivers\Aavmker4.sys [2009-02-06 26944]
R1 aswSP;avast! Self Protection; C:\WINDOWS\system32\drivers\aswSP.sys [2009-02-06 114768]
R1 aswTdi;avast! Network Shield Support; C:\WINDOWS\system32\drivers\aswTdi.sys [2009-02-06 51376]
R1 FsVga;FsVga; C:\WINDOWS\system32\DRIVERS\fsvga.sys [2001-09-05 12160]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 39168]
R1 SiSkp;SiSkp; C:\WINDOWS\system32\drivers\srvkp.sys [2006-03-09 12160]
R1 WS2IFSL;Windows 通訊端 2.0 非 IFS 服務提供者支援環境; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-09-05 12032]
R2 aswFsBlk;aswFsBlk; C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2009-02-06 20560]
R2 aswMon2;avast! Standard Shield Support; C:\WINDOWS\system32\drivers\aswMon2.sys [2009-02-06 94032]
R3 aswRdr;aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [2009-02-06 23152]
R3 cmuda;C-Media WDM Audio Interface; C:\WINDOWS\system32\drivers\cmuda.sys [2004-08-23 821760]
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver; C:\WINDOWS\system32\drivers\msmpu401.sys [2001-08-17 2944]
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2003-12-05 10368]
R3 SiS315;SiS315; C:\WINDOWS\system32\DRIVERS\sisgrp.sys [2006-03-09 245248]
R3 SISNICXP;SiS PCI Fast Ethernet Adapter Driver for NDIS51; C:\WINDOWS\system32\DRIVERS\sisnicxp.sys [2006-12-07 32768]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-14 17152]
S3 catchme;catchme; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys []
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
S3 mouhid;滑鼠 HID 驅動程式; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-31 12160]
S3 NOWMEMDF;NOWMEMDF; \??\C:\WINDOWS\system32\NOWMEMDF.sys []
S3 SISNIC;SiS PCI Fast Ethernet Adapter Driver; C:\WINDOWS\system32\DRIVERS\sisnic.sys [2004-08-03 32768]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 usbccgp;Microsoft USB 一般上層驅動程式; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-14 25856]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aswUpdSv;avast! iAVS4 Control Service; C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2009-02-06 18752]
R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast4\ashServ.exe [2009-02-06 138680]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-07-12 152984]
R2 Net Driver HPZ12;Net Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
R3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2009-02-06 254040]
R3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2009-02-06 352920]
S2 hpqddsvc;HP CUE DeviceDiscovery 服務; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2008-03-09 654848]
S3 getPlus(R) Helper;getPlus(R) Helper; C:\Program Files\NOS\bin\getPlus_HelperSvc.exe []
S3 hpqcxs08;hpqcxs08; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S4 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]

-----------------EOF-----------------

thanks :)
 
Information
And, there are still some pop-up windows from the Windows, saying that there isn't enough space
Click to expand...
That will be due to RAM :-
Your log shows Total RAM: 479 MB (9% free)

This is quite low for current programs.

----------------------------------------------------------------------------------------

Fix With HJT

Close all other windows and then start HiJack This
Click Do A System Scan Only
When it has finished scanning put a check next to the following lines IF still present
O2 - BHO: ShowHKToolbar Class - {06433BFE-4946-4E89-823D-CD359C81CD06} - (no file)
O2 - BHO: (no name) - {24F06550-65E3-4D1C-8CFE-839C296B5530} - (no file)
O2 - BHO: Hong Kong Toolbar - {481EE3EC-C026-4F9A-BA22-FD07654ADFC0} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - (no file)
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)

O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O3 - Toolbar: Hong Kong Toolbar - {481EE3EC-C026-4F9A-BA22-FD07654ADFC0} - (no file)

O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O23 - Service: getPlus(R) Helper - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)
Click to expand...
- Close ALL open windows (especially Internet Explorer!)-
Now click Fix checked
Click yes to any prompts
Close HijackThis


----------------------------------------------------------------------------------------
Congratulations your logs look clean :)

Let's see if I can help you keep it that way

First lets tidy up



Uninstall Combofix
  • This will clear your System Volume Information restore points and remove all the infected files that were quarantined
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.
    • CF_Cleanup.png



OTCleanup
Please download OTCleanup from HERE
Click the OTC.exe icon and then click the CleanUp button.
If you get any pop ups asking if it is OK let the program proceed. At the end the program will ask to let it reboot the computer. Let it do so.
Let me know if there were any problems with OT CleanIt




You can also delete any logs we have produced, and empty your Recycle bin.

----------------------------------------------------------- -----------------------------------------------------------

The following is some info to help you stay safe and clean.


You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )

Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.

http://www.pandasecurity.com/activescan
http://www.kaspersky.com/kos/eng/partner/71706/kavwebscan.html

!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you, .... see HERE for details

AntiSpyware

  • AntiSpyware is not the same thing as Antivirus.
    Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
    You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
    Most of the programs in this list have a free (for Home Users ) and paid versions,
    it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
  • Spybot - Search & Destroy <<< A must have program
    • It includes host protection and registry protection
    • A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
  • MalwareBytes Anti-malware <<< A New and effective program
  • a-squared Free <<< A good "realtime" or "on demand" scanner
  • superantispyware <<< A good "realtime" or "on demand" scanner

Prevention

  • These programs don't detect malware, they help stop it getting on your machine in the first place.
    Each does a different job, so you can have more than one
  • Winpatrol
    • An excellent startup manager and then some !!
    • Notifies you if programs are added to startup
    • Allows delayed startup
    • A must have addition
  • SpywareBlaster 4.0
    • SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
  • SpywareGuard 2.2
    • SpywareGuard provides real-time protection against spyware.
    • Not required if you have other "realtime" antispyware or Winpatrol
  • ZonedOut
    • Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
  • MVPS HOSTS
    • This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
    • For information on how to download and install, please read this tutorial by WinHelp2002.
    • Not required if you are using other host file protections

Internet Browsers

  • Microsoft has worked hard to make IE.7 a more secure browser, unfortunately whilst it is still the leading browser of choice it will always be under attack from the bad guys.
    Using a different web browser can help stop malware getting on your machine.
    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.
        • Change the Download signed ActiveX controls to Prompt
        • Change the Download unsigned ActiveX controls to Disable
        • Change the Initialise and script ActiveX controls not marked as safe to Disable
        • Change the Installation of desktop items to Prompt
        • Change the Launching programs and files in an IFRAME to Prompt
        • Change the Navigate sub-frames across different domains to Prompt
        • When all these settings have been made, click on the OK button.
        • If it prompts you as to whether or not you want to save the settings, press the Yes button.
      5. Next press the Apply button and then the OK to exit the Internet Properties page.
    If you are still using IE6 then either update, or get one of the following.
    • FireFox
      • With many addons available that make customization easy this is a very popular choice
      • NoScript and AdBlockPlus addons are essential
    • Opera
      • Another popular alternative
    • Netscape
      • Another popular alternative
      • Also has Addons available

Cleaning Temporary Internet Files and Tracking Cookies

  • Temporary Internet Files are mainly the files that are downloaded when you open a web page.
    Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
    It is a good idea to empty the Temporary Internet Files folder on a regular basis.

    Tracking Cookies are files that websites use to monitor which sites you visit and how often.
    A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
    CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords

    Both of these can be cleaned manually, but a quicker option is to use a program
  • ATF Cleaner
    • Free and very simple to use
  • CCleaner
    • Free and very flexible, you can chose which cookies to keep

Also PLEASE read this article.....So How Did I Get Infected In The First Place

The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again :D


If you could post back one more time to let me know everything is OK, then I can have this thread archived.

Happy surfing K'
 
OT CleanIt ran smooth :)
I wanna ask how may I "free" some RAM or add some more ???
I really don't want the computer to LAG so often!!!
anyways, THANKS REALLY MUCH FOR YOUR HELP!:p:
 
wingwingwing922 said:
1) I wanna ask how may I "free" some RAM
2) add some more ???
Click to expand...

1) the only way to free ram is by having less programs running.
You can safely remove the following with HJT as before.
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
Click to expand...

2) You would need to ask on a hardware forum about adding RAM.

http://www.techsupportforum.com/
http://www.bleepingcomputer.com/forums/
http://forums.whatthetech.com/forums.html
 
You must log in or register to reply here.
Back
Top