Inactive: Please help me, my Task Manager opens and closes in less than 1 minute

Status: Not open for further replies.

yongwei1992

Posts: 11   +0
My computer is an HP Compaq nx6320 notebook running Windows XP Professional Service Pack 2, and previously I was using AVG antivirus. One day my computer was infected by a virus, so I ran a scan in Safe Mode using a piece of software to delete the infected files and malware. Then my Task Manager suddenly could not be used, and AVG also could not function after the scan. So I uninstalled it and installed avast antivirus. Starting from that time my Task Manager has not been able to run: once I press Ctrl+Alt+Del it runs and then closes. I tried many suggestions from websites, but still can't recover my Task Manager. Somebody please help me recover my Task Manager... Thanks.
 
Hi and welcome to TechSpot forums :).

====

Please read the directions given here and when done, post the requested logs.
Please paste the logs, do not attach them.
 
What am I going to do if I am unable to run a malware scan using the anti-malware? The scan runs until halfway, then stops and comes out with an error report asking me whether to send or don't send; after that the Dr. Watson error report comes out again and asks me whether to send or don't send. In the end, I am unable to perform the malware scan.
 
Go to Start | Run, type in msconfig and hit OK. Select the Launch System Restore button.
The radio button for "Restore my computer to an earlier time" should be selected; then click Next.
Select a date that goes back to a time before the problem started and click Next.

How is the PC after doing that?
 
I did run a System Restore, but I am unable to restore to a time before the problem happened; it comes out with an incomplete restore when I try to restore to the time before the problem happened. This is because the problem happened several weeks ago.
 
Please download ComboFix by sUBs from HERE or HERE
  • You must download it to and run it from your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply.
  • Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!
 
ComboFix 10-11-24.03 - Administrator 5/2010 Thu 17:21:37.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.936.86.1033.18.2551.1978 [GMT 8:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Deleted Files )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\.#
c:\documents and settings\Administrator\Application Data\.#\MBX@B1C@3C4140.###
c:\documents and settings\Administrator\Application Data\.#\MBX@B1C@3C4170.###
c:\documents and settings\Administrator\Application Data\.#\MBX@B1C@3C41A0.###
c:\documents and settings\Administrator\Application Data\p4p
c:\documents and settings\Administrator\Application Data\p4p\dlmgr.dat
c:\documents and settings\Administrator\Application Data\p4p\rss.opml
c:\documents and settings\Administrator\Application Data\p4p\rsslasturl.txt
c:\documents and settings\Administrator\Application Data\Smart Engine
c:\documents and settings\Administrator\Application Data\Smart Engine\cookies.sqlite
c:\documents and settings\Administrator\Application Data\Smart Engine\Instructions.ini
c:\documents and settings\Administrator\Desktop\Coopen.lnk
c:\documents and settings\Administrator\Recent\ANTIGEN.dll
c:\documents and settings\Administrator\Recent\ANTIGEN.tmp
c:\documents and settings\Administrator\Recent\cb.sys
c:\documents and settings\Administrator\Recent\cid.tmp
c:\documents and settings\Administrator\Recent\CLSV.dll
c:\documents and settings\Administrator\Recent\DBOLE.drv
c:\documents and settings\Administrator\Recent\energy.dll
c:\documents and settings\Administrator\Recent\exec.exe
c:\documents and settings\Administrator\Recent\gid.sys
c:\documents and settings\Administrator\Recent\grid.sys
c:\documents and settings\Administrator\Recent\PE.drv
c:\documents and settings\Administrator\Recent\sld.tmp
c:\documents and settings\Administrator\Recent\std.exe
c:\documents and settings\Administrator\Recent\tjd.sys
c:\documents and settings\Administrator\Start Menu\Programs\Coopen
c:\documents and settings\Administrator\Start Menu\Programs\Coopen\Coopen播放器.lnk
c:\documents and settings\Administrator\Start Menu\Programs\Startup\Coopen播放器.lnk
c:\documents and settings\Administrator\Start Menu\Smart Engine.lnk
c:\documents and settings\All Users\Start Menu\Internet Explorer.lnk
c:\documents and settings\All Users\Start Menu\Programs\Internet Explorer.lnk
c:\progra~1\Yahoo!\ASSIST~1\Assist\yaNGling.dll
c:\progra~1\Yahoo!\ASSIST~1\Assist\yaSBar.dll
c:\progra~1\Yahoo!\ASSIST~1\Assist\yaSNoad.dll
c:\progra~1\Yahoo!\ASSIST~1\Assist\yaSSist.dll
c:\progra~1\Yahoo!\ASSIST~1\Assist\YDRAgs~1.dll
c:\progra~1\Yahoo!\ASSIST~1\Assist\yeHEocx.dll
c:\progra~1\Yahoo!\ASSIST~1\Assist\ypHOtoseasy.dll
c:\progra~1\Yahoo!\ASSIST~1\Assist\ypHTb.dll
c:\progra~1\Yahoo!\ASSIST~1\Assist\yzSNetproto.dll
c:\progra~1\Yahoo!\ASSIST~1\yaLIve.dll
c:\progra~1\Yahoo!\ASSIST~1\YnOTifier.dll
c:\program files\Coopen
c:\program files\Coopen\conf\Administrator.ini
c:\program files\Coopen\conf\All Users.ini
c:\program files\Coopen\conf\Coopen.inf
c:\program files\Coopen\conf\Debug
c:\program files\Coopen\conf\Log.txt
c:\program files\Coopen\conf\MainParams
c:\program files\Coopen\conf\ModeAChannelList.txt
c:\program files\Coopen\conf\ModeAChannelList.txt.bak
c:\program files\Coopen\conf\ModeAChannelListReal.txt
c:\program files\Coopen\conf\PluginConfig.ini
c:\program files\Coopen\conf\ServerList.txt
c:\program files\Coopen\conf\TodayInfo
c:\program files\Coopen\Coopen.exe
c:\program files\Coopen\Coopen.scr
c:\program files\Coopen\CoOPenactivecontrol108.dll
c:\program files\Coopen\CoopenAir.exe
c:\program files\Coopen\CoopenMainManager.dll
c:\program files\Coopen\image\CoopenWallpaper.bmp
c:\program files\Coopen\image\Photo\local Photo\B_0.jpg
c:\program files\Coopen\image\Photo\local Photo\B_1.jpg
c:\program files\Coopen\image\Photo\local Photo\ModeBList.ini
c:\program files\Coopen\image\Wallpaper\coopen wallpaper\DefaultCoopenWallpaper.jpg
c:\program files\Coopen\image\Wallpaper\coopen wallpaper\PicList.ini
c:\program files\Coopen\image\Wallpaper\coopen wallpaper\todaypic\128998118219.jpg
c:\program files\Coopen\image\Wallpaper\coopen wallpaper\todaypic\128998118219.xml
c:\program files\Coopen\image\Wallpaper\coopen wallpaper\todaypic\AdList.ini
c:\program files\Coopen\image\Wallpaper\coopen wallpaper\todaypic\PicList.ini
c:\program files\Coopen\image\Wallpaper\local wallpaper\DefaultCoopenWallpaper.jpg
c:\program files\Coopen\image\Wallpaper\local wallpaper\ModeAList.ini
c:\program files\Coopen\licence.txt
c:\program files\Coopen\Resource\SkinFormal\Background.png
c:\program files\Coopen\Resource\SkinFormal\Button_Channel.png
c:\program files\Coopen\Resource\SkinFormal\Button_Close.png
c:\program files\Coopen\Resource\SkinFormal\Button_Commit.png
c:\program files\Coopen\Resource\SkinFormal\Button_Next.png
c:\program files\Coopen\Resource\SkinFormal\Button_Pause.png
c:\program files\Coopen\Resource\SkinFormal\Button_Play.png
c:\program files\Coopen\Resource\SkinFormal\Button_Prev.png
c:\program files\Coopen\Resource\SkinFormal\Button_Widget.png
c:\program files\Coopen\Resource\SkinFormal\CheckC.png
c:\program files\Coopen\Resource\SkinFormal\CheckU.png
c:\program files\Coopen\Resource\SkinFormal\Indicator1.png
c:\program files\Coopen\Resource\SkinFormal\Indicator2.png
c:\program files\Coopen\Resource\SkinFormal\MainIcon.png
c:\program files\Coopen\Resource\SkinFormal\Message.png
c:\program files\Coopen\Resource\SkinFormal\Notify.png
c:\program files\Coopen\Resource\SkinFormal\Progress.png
c:\program files\Coopen\Resource\SkinFormal\Push_Cancel.png
c:\program files\Coopen\Resource\SkinFormal\Push_Config.png
c:\program files\Coopen\Resource\SkinFormal\Push_Confirm.png
c:\program files\Coopen\Resource\SkinFormal\Push_Folder.png
c:\program files\Coopen\Resource\SkinFormal\RadioC.png
c:\program files\Coopen\Resource\SkinFormal\RadioU.png
c:\program files\Coopen\Resource\SkinFormal\SkinClient.ini
c:\program files\Coopen\Resource\SkinFormal\SkinClose.ini
c:\program files\Coopen\Resource\SkinFormal\Synopsis1.ini
c:\program files\Coopen\Resource\SkinFormal\Synopsis1.png
c:\program files\Coopen\Templete\CoopenPhoto.jpg
c:\program files\Coopen\Templete\Default.tpl
c:\program files\Coopen\Templete\DefaultCoopenWallpaper.jpg
c:\program files\Coopen\Templete\ModeB.tpl
c:\program files\Coopen\Templete\ModeB_logo.jpg
c:\program files\Coopen\Templete\ModeC.tpl
c:\program files\Coopen\uninst.exe
c:\program files\P4P\waVAna.ax
c:\program files\ppsaddr\ppsAddr.dll
c:\program files\UNIKEY~1\addr.dll
c:\program files\WinPCap
c:\program files\WinPCap\daemon_mgm.exe
c:\program files\WinPCap\INSTALL.LOG
c:\program files\WinPCap\npf_mgm.exe
c:\program files\WinPCap\rpcapd.exe
c:\program files\WinPCap\Uninstall.exe
c:\program files\yahoo!\assist~1
c:\program files\yahoo!\assist~1\Assist\CoolBar\prodef.ini
c:\program files\yahoo!\assist~1\Assist\CoolBar\profile.ini
c:\program files\yahoo!\assist~1\Assist\float.gif
c:\program files\yahoo!\assist~1\Assist\Images\adkiller.bmp
c:\program files\yahoo!\assist~1\Assist\Images\alert.bmp
c:\program files\yahoo!\assist~1\Assist\Images\alertnew.bmp
c:\program files\yahoo!\assist~1\Assist\Images\anitvirus.bmp
c:\program files\yahoo!\assist~1\Assist\Images\assist.bmp
c:\program files\yahoo!\assist~1\Assist\Images\clear.bmp
c:\program files\yahoo!\assist~1\Assist\Images\custheme.bmp
c:\program files\yahoo!\assist~1\Assist\Images\gouwu.bmp
c:\program files\yahoo!\assist~1\Assist\Images\hilight.bmp
c:\program files\yahoo!\assist~1\Assist\Images\iefix.bmp
c:\program files\yahoo!\assist~1\Assist\Images\logo.bmp
c:\program files\yahoo!\assist~1\Assist\Images\music.bmp
c:\program files\yahoo!\assist~1\Assist\Images\musiclink.bmp
c:\program files\yahoo!\assist~1\Assist\Images\musictop.bmp
c:\program files\yahoo!\assist~1\Assist\Images\picture.bmp
c:\program files\yahoo!\assist~1\Assist\Images\search.bmp
c:\program files\yahoo!\assist~1\Assist\Images\searchtop.bmp
c:\program files\yahoo!\assist~1\Assist\Images\settings.bmp
c:\program files\yahoo!\assist~1\Assist\Images\yphtb.bmp
c:\program files\yahoo!\assist~1\Assist\Images\yrss.bmp
c:\program files\yahoo!\assist~1\Assist\myrss.xml
c:\program files\yahoo!\assist~1\Assist\SearchBar\prodef.ini
c:\program files\yahoo!\assist~1\Assist\SearchBar\profile.ini
c:\program files\yahoo!\assist~1\Assist\SecurityBar\prodef.ini
c:\program files\yahoo!\assist~1\Assist\SecurityBar\profile.ini
c:\program files\yahoo!\assist~1\Assist\sound.wav
c:\program files\yahoo!\assist~1\Assist\Update\yadfilter.dll
c:\program files\yahoo!\assist~1\Assist\yadfilter.dll
c:\program files\yahoo!\assist~1\Assist\yadwreg.dll
c:\program files\yahoo!\assist~1\Assist\yangling.dll
c:\program files\yahoo!\assist~1\Assist\yasbar.dll
c:\program files\yahoo!\assist~1\Assist\yascenter.exe
c:\program files\yahoo!\assist~1\Assist\yasierres.dll
c:\program files\yahoo!\assist~1\Assist\yasiesec.dll
c:\program files\yahoo!\assist~1\Assist\yaskpsec.dat
c:\program files\yahoo!\assist~1\Assist\yasnoad.dll
c:\program files\yahoo!\assist~1\Assist\yassecblk.dll
c:\program files\yahoo!\assist~1\Assist\yassisres.dll
c:\program files\yahoo!\assist~1\Assist\yassist.dll
c:\program files\yahoo!\assist~1\Assist\yassistex.dll
c:\program files\yahoo!\assist~1\Assist\yassistn.ini
c:\program files\yahoo!\assist~1\Assist\yassistnsw.ini
c:\program files\yahoo!\assist~1\Assist\yaswiper.dll
c:\program files\yahoo!\assist~1\Assist\ydragsearch.dll
c:\program files\yahoo!\assist~1\Assist\yeheocx.dll
c:\program files\yahoo!\assist~1\Assist\ykeepmain.dll
c:\program files\yahoo!\assist~1\Assist\yoptimum.dll
c:\program files\yahoo!\assist~1\Assist\yphishbrule.dat
c:\program files\yahoo!\assist~1\Assist\yphishrule.dat
c:\program files\yahoo!\assist~1\Assist\yphotoseasy.dll
c:\program files\yahoo!\assist~1\Assist\yphtb.dll
c:\program files\yahoo!\assist~1\Assist\yrss.dll
c:\program files\yahoo!\assist~1\Assist\ysettings.dll
c:\program files\yahoo!\assist~1\Assist\yuninst.dll
c:\program files\yahoo!\assist~1\Assist\ywiper.dll
c:\program files\yahoo!\assist~1\Assist\yxpstyle.dll
c:\program files\yahoo!\assist~1\Assist\yzsnetproto.dll
c:\program files\yahoo!\assist~1\Shell\yAsMenu.dll
c:\program files\yahoo!\assist~1\Shell\yAssecblk.dll
c:\program files\yahoo!\assist~1\Shell\yIEAngel.dll
c:\program files\yahoo!\assist~1\Shell\yMenuInfo.dll
c:\program files\yahoo!\assist~1\Update\yscrblock.dll
c:\program files\yahoo!\assist~1\yal01.dat
c:\program files\yahoo!\assist~1\yalive.dll
c:\program files\yahoo!\assist~1\yalive.dll.1.log
c:\program files\yahoo!\assist~1\yalive.dll.2.log
c:\program files\yahoo!\assist~1\yalive.ini
c:\program files\yahoo!\assist~1\yalliveex.dll
c:\program files\yahoo!\assist~1\yalvsw.ini
c:\program files\yahoo!\assist~1\yassistse.exe
c:\program files\yahoo!\assist~1\yhelper.dll
c:\program files\yahoo!\assist~1\ylive.exe
c:\program files\yahoo!\assist~1\ynotifier.dll
c:\program files\yahoo!\assist~1\yscrblock.dll
c:\program files\yahoo!\assistant\assist\CoolBar\prodef.ini
c:\program files\yahoo!\assistant\assist\CoolBar\profile.ini
c:\program files\yahoo!\assistant\assist\float.gif
c:\program files\yahoo!\assistant\assist\Images\adkiller.bmp
c:\program files\yahoo!\assistant\assist\Images\alert.bmp
c:\program files\yahoo!\assistant\assist\Images\alertnew.bmp
c:\program files\yahoo!\assistant\assist\Images\anitvirus.bmp
c:\program files\yahoo!\assistant\assist\Images\assist.bmp
c:\program files\yahoo!\assistant\assist\Images\clear.bmp
c:\program files\yahoo!\assistant\assist\Images\custheme.bmp
c:\program files\yahoo!\assistant\assist\Images\gouwu.bmp
c:\program files\yahoo!\assistant\assist\Images\hilight.bmp
c:\program files\yahoo!\assistant\assist\Images\iefix.bmp
c:\program files\yahoo!\assistant\assist\Images\logo.bmp
c:\program files\yahoo!\assistant\assist\Images\music.bmp
c:\program files\yahoo!\assistant\assist\Images\musiclink.bmp
c:\program files\yahoo!\assistant\assist\Images\musictop.bmp
c:\program files\yahoo!\assistant\assist\Images\picture.bmp
c:\program files\yahoo!\assistant\assist\Images\search.bmp
c:\program files\yahoo!\assistant\assist\Images\searchtop.bmp
c:\program files\yahoo!\assistant\assist\Images\settings.bmp
c:\program files\yahoo!\assistant\assist\Images\yphtb.bmp
c:\program files\yahoo!\assistant\assist\Images\yrss.bmp
c:\program files\yahoo!\assistant\assist\myrss.xml
c:\program files\yahoo!\assistant\assist\SearchBar\prodef.ini
c:\program files\yahoo!\assistant\assist\SearchBar\profile.ini
c:\program files\yahoo!\assistant\assist\SecurityBar\prodef.ini
c:\program files\yahoo!\assistant\assist\SecurityBar\profile.ini
c:\program files\yahoo!\assistant\assist\sound.wav
c:\program files\yahoo!\assistant\assist\Update\yadfilter.dll
c:\program files\yahoo!\assistant\assist\yadfilter.dll
c:\program files\yahoo!\assistant\assist\yadwreg.dll
c:\program files\yahoo!\assistant\assist\yangling.dll
c:\program files\yahoo!\assistant\assist\yasbar.dll
c:\program files\yahoo!\assistant\assist\yascenter.exe
c:\program files\yahoo!\assistant\assist\yasierres.dll
c:\program files\yahoo!\assistant\assist\yasiesec.dll
c:\program files\yahoo!\assistant\assist\yaskpsec.dat
c:\program files\yahoo!\assistant\assist\yasnoad.dll
c:\program files\yahoo!\assistant\assist\yassecblk.dll
c:\program files\yahoo!\assistant\assist\yassisres.dll
c:\program files\yahoo!\assistant\assist\yassist.dll
c:\program files\yahoo!\assistant\assist\yassistex.dll
c:\program files\yahoo!\assistant\assist\yassistn.ini
c:\program files\yahoo!\assistant\assist\yassistnsw.ini
c:\program files\yahoo!\assistant\assist\yaswiper.dll
c:\program files\yahoo!\assistant\assist\ydragsearch.dll
c:\program files\yahoo!\assistant\assist\yeheocx.dll
c:\program files\yahoo!\assistant\assist\ykeepmain.dll
c:\program files\yahoo!\assistant\assist\yoptimum.dll
c:\program files\yahoo!\assistant\assist\yphishbrule.dat
c:\program files\yahoo!\assistant\assist\yphishrule.dat
c:\program files\yahoo!\assistant\assist\yphotoseasy.dll
c:\program files\yahoo!\assistant\assist\yphtb.dll
c:\program files\yahoo!\assistant\assist\yrss.dll
c:\program files\yahoo!\assistant\assist\ysettings.dll
c:\program files\yahoo!\assistant\assist\yuninst.dll
c:\program files\yahoo!\assistant\assist\ywiper.dll
c:\program files\yahoo!\assistant\assist\yxpstyle.dll
c:\program files\yahoo!\assistant\assist\yzsnetproto.dll
c:\windows\CoopenOldWallPaper.bmp
c:\windows\DOWNLO~1\cnSHook.dll
c:\windows\Downloaded Program Files\3721
c:\windows\Downloaded Program Files\3721\cnsmin2.dat
c:\windows\Downloaded Program Files\3721\ListInfo.dat
c:\windows\Downloaded Program Files\keepmainm.cab
c:\windows\Downloaded Program Files\sms.ico
c:\windows\Downloaded Program Files\taobao.ico
c:\windows\Downloaded Program Files\yahoomsg.ico
c:\windows\Downloaded Program Files\ymail.ico
c:\windows\ocinfo.dat
c:\windows\system32\Coopen.inf
c:\windows\system32\Coopen.scr
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\Sys
c:\windows\system32\Sys\norton.001
c:\windows\system32\Sys\norton.002
c:\windows\system32\win32.dll
c:\windows\system32\wpcap.dll
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CNSMINKP
-------\Legacy_NPF
-------\Legacy_P4P_SERVICE
-------\Service_CnsMinKP
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2010-10-25 to 2010-11-25 )))))))))))))))))))))))))))))))
.

2010-11-24 09:30 . 2010-11-24 09:30 -------- d-----w- c:\program files\Baidu
2010-11-24 09:30 . 2010-11-25 09:27 -------- d-----w- c:\program files\ppsaddr
2010-11-24 09:29 . 2010-11-24 09:29 -------- d-----w- C:\My Music
2010-11-24 09:29 . 2010-11-24 09:29 -------- d-----w- c:\documents and settings\All Users\Real
2010-11-24 09:29 . 2010-11-24 09:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Xunlei
2010-11-24 09:29 . 2010-11-24 09:29 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Thunder Network
2010-11-24 09:01 . 2010-11-24 09:01 -------- d-----w- c:\windows\system32\wbem\Repository
2010-11-23 12:28 . 2010-11-24 09:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-19 08:45 . 2010-11-24 09:19 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ConduitEngine
2010-11-19 08:45 . 2010-11-24 09:19 -------- d-----w- c:\program files\ConduitEngine
2010-11-19 08:42 . 2010-11-22 09:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\D07D217C-5CDB-5EA8-8201-78F7E447A939
2010-11-17 14:19 . 2010-11-23 13:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\ppsAddr
2010-11-17 14:15 . 2010-11-24 09:20 -------- d-----w- c:\program files\PPSGame
2010-11-14 14:34 . 2010-11-24 09:21 -------- d-----w- c:\program files\WinDirStat
2010-11-09 13:04 . 2010-11-09 13:04 -------- d-----w- c:\documents and settings\All Users\Application Data\TSLOG
2010-11-07 09:15 . 2010-11-07 09:15 -------- d-----w- c:\windows\system32\NtmsData
2010-11-06 16:14 . 2010-11-24 09:25 -------- d-----w- c:\program files\VirtualDJ
2010-10-30 11:43 . 2010-11-24 09:27 -------- d-----w- c:\program files\DebugMode

.
(((((((((((((((((((((((((((((((((((((((( Files Modified Within the Last Three Months ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-23 16:55 . 2010-10-23 16:54 519168 ----a-w- C:\OTM.exe
2010-10-22 13:43 . 2010-10-22 13:43 31728 ----a-w- c:\windows\dbrmdwb.exe
2010-10-22 13:43 . 2010-10-22 13:43 26 ----a-w- c:\windows\dbrmdwb.bat
2010-10-22 13:43 . 2010-10-22 13:43 245840 ----a-w- c:\windows\system32\DNLEng.dll
2010-10-22 13:43 . 2010-10-22 13:43 894616 ----a-w- c:\windows\dbplugin.exe
2010-10-22 13:43 . 2010-10-22 13:43 2327704 ----a-w- c:\windows\dbplugin.ocx
2010-10-22 13:43 . 2010-10-22 13:43 2179072 ----a-w- c:\windows\npdbplug.dll
2010-09-07 15:12 . 2010-10-24 09:09 38848 ----a-w- c:\windows\avastSS.scr
2010-09-07 15:11 . 2010-10-24 09:09 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-09-07 14:52 . 2010-10-24 09:09 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-09-07 14:52 . 2010-10-24 09:09 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-09-07 14:47 . 2010-10-24 09:09 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-09-07 14:47 . 2010-10-24 09:09 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-09-07 14:47 . 2010-10-24 09:09 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-09-07 14:47 . 2010-10-24 09:09 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-09-07 14:46 . 2010-10-24 09:09 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2004-10-01 07:00 . 2007-08-02 13:37 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2009-10-27 01:21 . 2010-10-06 08:47 253952 ----a-w- c:\program files\mozilla firefox\components\CheckTudouVa.dll
.

------- Sigcheck -------

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\SoftwareDistribution\Download\663e7188bbb3d768555f5280d384ddab\sp2gdr\tcpip.sys
[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 01D5EAAFF224415A7FF513E4C882BE30 . 360320 . . [5.1.2600.3394] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[-] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\tcpip.sys
[-] 2007-10-30 . EF7834C1D9DDF4C7DA697D8C24A03791 . 360064 . . [5.1.2600.3244] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[7] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2006-04-20 . 45265CBAD25C6254AFAFC7BDD88BDB4B . 359808 . . [5.1.2600.2892] . . c:\windows\$NtUninstallKB941644$\tcpip.sys
[7] 2005-05-25 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[7] 2005-05-25 . 88763A98A4C26C409741B4AA162720C9 . 359808 . . [5.1.2600.2685] . . c:\windows\$NtUninstallKB917953$\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB893066$\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Registry Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{346de098-61f9-4b42-89da-6dfba7091bb6}"= "c:\program files\IMBooster4web-en\tbIMB2.dll" [2010-10-18 3908192]
"{84FF7BD6-B47F-46F8-9130-01B2696B36CB}"= "c:\program files\Iminent\SearchTheWeb\Iminent.BHO.NavigationError.dll" [2010-08-17 111608]

[HKEY_CLASSES_ROOT\clsid\{346de098-61f9-4b42-89da-6dfba7091bb6}]

[HKEY_CLASSES_ROOT\clsid\{84ff7bd6-b47f-46f8-9130-01b2696b36cb}]
[HKEY_CLASSES_ROOT\IminentBHONavigationError.CHelperBHO.1]
[HKEY_CLASSES_ROOT\TypeLib\{59E6E159-57CC-4DA5-8700-2AD17DC31DD1}]
[HKEY_CLASSES_ROOT\IminentBHONavigationError.CHelperBHO]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-10-18 10:26 3908192 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{346de098-61f9-4b42-89da-6dfba7091bb6}]
2010-10-18 10:26 3908192 ----a-w- c:\program files\IMBooster4web-en\tbIMB2.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{474597C5-AB09-49d6-A4D5-2E8D7341384E}]
2008-09-02 14:04 398768 ----a-w- c:\program files\iMesh Applications\iMesh MediaBar\iMeshIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{58124A0B-DC32-4180-9BFF-E0E21AE34026}]
2010-07-02 01:54 2607872 ----a-w- c:\program files\IMinent Toolbar\tbcore3.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{84FF7BD6-B47F-46F8-9130-01B2696B36CB}]
2010-08-17 08:18 111608 ----a-w- c:\program files\Iminent\SearchTheWeb\Iminent.BHO.NavigationError.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{346de098-61f9-4b42-89da-6dfba7091bb6}"= "c:\program files\IMBooster4web-en\tbIMB2.dll" [2010-10-18 3908192]
"{977AE9CC-AF83-45E8-9E03-E2798216E2D5}"= "c:\program files\IMinent Toolbar\tbcore3.dll" [2010-07-02 2607872]
"{63DF766D-C050-44b1-BB8A-C3ABB44C0E96}"= "c:\program files\unikeyword\uktb.dll" [2010-10-18 465152]

[HKEY_CLASSES_ROOT\clsid\{346de098-61f9-4b42-89da-6dfba7091bb6}]

[HKEY_CLASSES_ROOT\clsid\{977ae9cc-af83-45e8-9e03-e2798216e2d5}]
[HKEY_CLASSES_ROOT\TBSB01620.TBSB01620.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\TBSB01620.TBSB01620]

[HKEY_CLASSES_ROOT\clsid\{63df766d-c050-44b1-bb8a-c3abb44c0e96}]
[HKEY_CLASSES_ROOT\Knet.PugiObj.1]
[HKEY_CLASSES_ROOT\TypeLib\{A521756C-4EE1-44c5-852E-6D679588966F}]
[HKEY_CLASSES_ROOT\Knet.PugiObj]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-06-28 171448]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 1961984]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 868352]
"PPS Accelerator"="c:\program files\PPStream\ppsap.exe" [2010-02-24 214408]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"Thunder"="c:\program files\Thunder Network\Thunder\Program\Thunder.exe" [2010-11-02 835888]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsmqIntCert"="mqrt.dll" [2009-06-25 177152]
"AGRSMMSG"="AGRSMMSG.exe" [2006-01-30 88203]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-21 144784]
"PTHOSTTR"="c:\program files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2005-10-04 86016]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-10 761945]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-02-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-02-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-02-15 118784]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 454656]
"CognizanceTS"="c:\progra~1\HPQ\IAM\Bin\AsTsVcc.dll" [2003-12-22 17920]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-01-26 172094]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2005-12-20 1187840]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-01-24 802816]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-01-20 905216]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2005-11-08 184320]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 517768]
"Easy-PrintToolBox"="c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-14 409600]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2006-03-14 1397760]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" [2009-01-17 548864]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Ulead AutoDetector v2"="c:\program files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2004-08-27 90112]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"CarboniteSetupLite"="c:\program files\Carbonite\CarbonitePreinstaller.exe" [2009-08-04 318096]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-12-18 197928]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
PPS.lnk - c:\program files\PPStream\PPStream.exe [2010-11-16 5255048]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-1-18 581693]
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2007-6-28 184320]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-11-15 278528]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2005-07-25 18:41 40960 ----a-w- c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Tudou\\飞速Tudou\\TudouVa.exe"=
"c:\\Program Files\\速播网络影视\\hrstv.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Thunder Network\\Thunder\\Program\\Thunder.exe"=
"c:\\Program Files\\Thunder Network\\Thunder\\Program\\ThunderLiveUD.exe"=
"c:\\Program Files\\Thunder Network\\Thunder\\XLDoctor\\7.1.2.2014_1\\Program\\XLDoctorUI.exe"=
"c:\\Program Files\\PPStream\\PPStream.exe"=
"c:\\Program Files\\PPStream\\PPSAP.exe"=
"c:\\Program Files\\PPSGame\\PPSGame.exe"=
"c:\\Program Files\\Common Files\\Thunder Network\\TP\\Ver1\\1.1.2.36_1110\\ThunderPlatform.exe"=
"c:\\Program Files\\Common Files\\Thunder Network\\TP\\Ver1\\1.1.2.36_1110\\ThunderLiveUD.exe"=
"c:\\Program Files\\Common Files\\Thunder Network\\TP\\Ver1\\1.1.2.36_1110\\XLBugReport.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19682:TCP"= 19682:TCP:BitComet 19682 TCP
"19682:UDP"= 19682:UDP:BitComet 19682 UDP
"56280:TCP"= 56280:TCP:pando Media Booster
"56280:UDP"= 56280:UDP:pando Media Booster

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [10/24/2010 5:09 PM 165584]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [8/4/2004 4:00 PM 14336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/24/2010 5:09 PM 17744]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [12/18/2009 11:25 AM 189736]
R2 Ukwsvr;Ukwsvr;c:\program files\unikeyword\ukwsvr.exe [10/18/2010 1:41 PM 157952]
R3 Mkd2Nadr;Mkd2Nadr;c:\windows\system32\drivers\Mkd2Nadr.sys [6/10/2009 10:54 PM 79104]
S0 kcqbljp;kcqbljp;\SystemRoot\\SystemRoot\System32\drivers\kcqbljp.sys --> \SystemRoot\\SystemRoot\System32\drivers\kcqbljp.sys [?]
S2 AVGIDSAgent;AVGIDSAgent;"c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe" --> c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [?]
S2 CnsStd;CnsStd;c:\windows\system32\drivers\CnsStd.sys --> c:\windows\system32\drivers\CnsStd.sys [?]
S2 fqtijpsyb;Security Driver;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 4:00 PM 14336]
S2 mxkwtyjn;Image Installer;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 4:00 PM 14336]
S2 nterp;Image Installer;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 4:00 PM 14336]
S2 pwgyoati;Image Center;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 4:00 PM 14336]
S2 tmsfoulra;Network Task;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 4:00 PM 14336]
S3 Mkd2kfNt;Mkd2kfNt;c:\windows\system32\drivers\Mkd2kfNT.sys [6/10/2009 10:54 PM 131072]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 R2A;R2A;\??\c:\windows\system32a2.sys --> c:\windows\system32a2.sys [?]
S3 XDva193;XDva193;\??\c:\windows\system32\XDva193.sys --> c:\windows\system32\XDva193.sys [?]
S3 XDva195;XDva195;\??\c:\windows\system32\XDva195.sys --> c:\windows\system32\XDva195.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASChannel

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
tmsfoulra
fqtijpsyb
nterp
pwgyoati
mxkwtyjn
.
‘计划任务’ 文件夹 里的内容

2010-11-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 04:34]
.
.
------- 而外的扫描 -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = local
uSearchAssistant = hxxp://www.Google.com/
uCustomizeSearch = hxxp://www.Google.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &?????? - c:\program files\Thunder Network\Thunder\Program\geturl.htm
IE: &?????????? - c:\program files\Thunder Network\Thunder\Program\getallurl.htm
IE: &¨?¥?¨31p¤U?ü - c:\program files\Thunder Network\Thunder\Program\GetUrl.htm
IE: &¨?¥?¨31p¤U?ü¥t3??ì±μ - c:\program files\Thunder Network\Thunder\Program\GetAllUrl.htm
IE: &使用迅雷下载 - c:\program files\Thunder Network\Thunder\Program\geturl.htm
IE: &使用迅雷下载全部链接 - c:\program files\Thunder Network\Thunder\Program\getallurl.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: ·¢?íí???μ?ê??ú - c:\program files\P4P\cx.htm
IE: ê1ó?iTudou?????ú?? - c:\program files\Tudou\iTudou\iTudou_Link.HTM
IE: ê1ó???1·?±í¨3μ???? - c:\program files\P4P\dl.htm
IE: ìí?óμ??°?òμ??????± - c:\program files\P4P\rss.htm
IE: 使用搜狗直通车下载 - c:\program files\P4P\dl.htm
IE: 使用迅雷下载 - c:\program files\Thunder Network\Thunder\BHO\geturl.htm
IE: 使用迅雷下载全部链接 - c:\program files\Thunder Network\Thunder\BHO\GetAllUrl.htm
IE: 发送图片到手机 - c:\program files\P4P\cx.htm
IE: 妏蚚捃濘狟婥 - c:\program files\Thunder Network\Thunder\Program\geturl.htm
IE: 妏蚚捃濘狟婥?窒蟈諉 - c:\program files\Thunder Network\Thunder\Program\getallurl.htm
IE: 雅虎搜索 - c:\progra~1\Yahoo!\ASSIST~1\Assist\yasbar.dll/246
IE: {{09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - c:\program files\Thunder Network\Thunder\Thunder.exe
IE: {{14CD42DD-ABCD-3586-DCAB-40E3693E3737} - c:\program files\Stylish Profile\ct.htm
IE: {{507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yahoomail
IE: {{59BC54A2-56B3-44a0-93E5-432D58746E26} - http://adtaobao.allyes.com/main/adf...obao.com/vertical/mall/pro.php?allyesPara=816
IE: {{5D73EE86-05F1-49ed-B850-E423120EC338} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yassist
IE: {{6354ABE6-05F1-49ed-B850-E423120EC338} - http://cn.widget.yahoo.com/index.htm?source=Cns
IE: {{ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=repair
IE: {{FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=clean
Trusted Zone: pps.tv
Trusted Zone: ppstream.com
Trusted Zone: webscache.com
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\fguosiui.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2032792&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://search.iminent.com/?appId=23341367-3051-485d-a776-a4571934aa26
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - prefs.js: network.proxy.type - 2
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\fguosiui.default\extensions\{1B33E42F-EF14-4cd3-B6DC-174571C4349C}\components\ThunderComponent.dll
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\fguosiui.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\fguosiui.default\extensions\{C9B68337-E93A-44EA-94DC-CB300EC06444}\components\Engine.dll
FF - component: c:\program files\Mozilla Firefox\components\CheckTudouVa.dll
FF - component: c:\program files\Mozilla Firefox\extensions\webbooster@iminent.com\components\Iminent.XPCOM.dll
FF - plugin: c:\program files\AhnLab\ASP\MyKeyDefense 2.5\npmkd25aos.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdbplug.dll
FF - plugin: c:\program files\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- 火狐配置文件 ----
c:\program files\Mozilla Firefox\defaults\pref\all-iminent.js - pref("iminent.appInstanceUid", "23341367-3051-485d-a776-a4571934aa26");
c:\program files\Mozilla Firefox\defaults\pref\all-iminent.js - pref("iminent.currentLcid", "1033");
.
- - - - ORPHANS REMOVED - - - -

BHO-{A08E5DC3-E611-2529-D8F4-56D1508F8D7B} - c:\program files\ppsaddr\ppsAddr.dll
BHO-{D07D217C-5CDB-5EA8-8201-78F7E447A939} - c:\program files\ppsaddr\ppsAddr.dll
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
HKLM-Run-QlbCtrl - %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
AddRemove-AddressBarExpress - c:\windows\system32\unsocul.exe
AddRemove-Coopen播放器 - c:\program files\Coopen\uninst.exe
AddRemove-GOGOBOX - c:\program files\NextLink\GOGOBOX\GOGOBOXUninstall.exe
AddRemove-WinPcapInst - c:\program files\WinPcap\Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-25 17:32
Windows 5.1.2600 Service Pack 2 NTFS

扫描被隐藏的进程 。。。

扫描被隐藏的启动组 。。。

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe??????????n?|????? ??B??????????????B? ?????

扫描被隐藏的文件 。。。

扫描完成
被隐藏的档案: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fqtijpsyb]
"ServiceDll"="c:\windows\system32\hnzdvy.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mxkwtyjn]
"ServiceDll"="c:\windows\system32\hnzdvy.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nterp]
"ServiceDll"="c:\windows\system32\hnzdvy.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pwgyoati]
"ServiceDll"="c:\windows\system32\hnzdvy.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tmsfoulra]
"ServiceDll"="c:\windows\system32\hnzdvy.dll"
.
--------------------- 运行进程下的动态链接库 ---------------------

- - - - - - - > 'winlogon.exe'(1012)
c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll
c:\windows\system32\msi.dll
c:\program files\HPQ\IAM\Bin\ASChnl.dll
c:\windows\system32\WININET.dll
c:\program files\HPQ\IAM\Bin\ItMsg.dll

- - - - - - - > 'explorer.exe'(2316)
c:\windows\system32\WININET.dll
c:\program files\HPQ\IAM\Bin\SFSShell.dll
c:\program files\HPQ\IAM\bin\ItMsg.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ 其他运行进程 ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\DllHost.exe
c:\windows\system32\msdtc.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\mqsvc.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\mqtgsvc.exe
c:\program files\HPQ\IAM\bin\asghost.exe
c:\windows\system32\conime.exe
c:\windows\AGRSMMSG.exe
c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
c:\windows\system32\igfxsrvc.exe
c:\progra~1\HPQ\Shared\HPQTOA~1.EXE
.
**************************************************************************
.
完成时间: 2010-11-25 17:40:00 - 电脑已重新启动
ComboFix-quarantined-files.txt 2010-11-25 09:39

Pre-Run: 6,854,918,144 bytes free
Post-Run: 6,713,856,000 bytes free

- - End Of File - - 87FC6974AAB839494DF20B4BF89C6DA5
 
Sorry for the late reply.

Please go to Jotti's or to virustotal and have this file scanned. Post the results back here.

c:\windows\system32\hnzdvy.dll

============

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
Code:
KillAll::

FCopy::
c:\windows\system32\dllcache\tcpip.sys | c:\windows\system32\drivers\tcpip.sys
c:\windows\system32\dllcache\tcpip.sys | c:\windows\$NtUninstallKB951748$\tcpip.sys
c:\windows\system32\dllcache\tcpip.sys | c:\windows\$NtUninstallKB941644$\tcpip.sys
c:\windows\system32\dllcache\tcpip.sys | c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\tcpip.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



7. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
  • Combofix.txt
Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

============

Let me know how things are now.
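The file the helper asks to have scanned, hnzdvy.dll, is picked out of the service dump in the log above: five svchost-hosted services with random names and generic descriptions (fqtijpsyb, mxkwtyjn, nterp, pwgyoati, tmsfoulra) all register the same ServiceDll, while legitimate netsvcs members each have their own. The Python script below is an added example, not ComboFix code and not the helper's own; it parses log lines of that shape (the sample is copied from the posted log) and reports any DLL backing two or more svchost services as the file to submit for multi-engine scanning. Function and variable names are the example's own.

```python
"""Triage a ComboFix service dump for one ServiceDll shared by several
svchost-hosted services (added example for this thread, not ComboFix code)."""
import re
from collections import defaultdict

# Constructed sample: lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [8/4/2004 4:00 PM 14336]
S2 fqtijpsyb;Security Driver;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 4:00 PM 14336]
S2 mxkwtyjn;Image Installer;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 4:00 PM 14336]
S2 nterp;Image Installer;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 4:00 PM 14336]
S2 pwgyoati;Image Center;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 4:00 PM 14336]
S2 tmsfoulra;Network Task;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 4:00 PM 14336]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fqtijpsyb]
"ServiceDll"="c:\windows\system32\hnzdvy.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mxkwtyjn]
"ServiceDll"="c:\windows\system32\hnzdvy.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nterp]
"ServiceDll"="c:\windows\system32\hnzdvy.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pwgyoati]
"ServiceDll"="c:\windows\system32\hnzdvy.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tmsfoulra]
"ServiceDll"="c:\windows\system32\hnzdvy.dll"
"""

# "S2 name;description;image path [date size]" lines of the service list.
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<image>.*?)\s+\[")
# Image path of a service hosted by svchost.exe in the named group (-k netsvcs ...).
SVCHOST_RE = re.compile(r"svchost\.exe\s+-k\s+(?P<group>\S+)", re.IGNORECASE)
# Registry dump blocks that follow the service list.
KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\(?P<name>[^\]]+)\]", re.IGNORECASE)
DLL_RE = re.compile(r'^"ServiceDll"="(?P<path>[^"]+)"', re.IGNORECASE)


def parse_log(text):
    """Return (svchost_services, service_dlls).

    svchost_services maps service name -> svchost group (lower-cased) for every
    service whose image is svchost.exe; service_dlls maps service name -> the
    ServiceDll path (lower-cased) found in the registry dump that follows.
    """
    svchost_services, service_dlls = {}, {}
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            g = SVCHOST_RE.search(m.group("image"))
            if g:
                svchost_services[m.group("name")] = g.group("group").lower()
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("name")
            continue
        m = DLL_RE.match(line)
        if m and current_key:
            service_dlls[current_key] = m.group("path").lower()
    return svchost_services, service_dlls


def shared_service_dlls(svchost_services, service_dlls, min_services=2):
    """Group svchost-hosted services by ServiceDll and keep DLLs that back at
    least min_services of them. A single DLL registered under several
    differently named services is the pattern worth a second look; a normal
    netsvcs member owns its own DLL."""
    by_dll = defaultdict(list)
    for name, dll in service_dlls.items():
        if name in svchost_services:
            by_dll[dll].append(name)
    return {dll: sorted(names) for dll, names in by_dll.items() if len(names) >= min_services}


def files_to_submit(log_text):
    """Sorted list of DLL paths from the log that deserve a hash lookup / scan."""
    svchost_services, service_dlls = parse_log(log_text)
    return sorted(shared_service_dlls(svchost_services, service_dlls))


if __name__ == "__main__":
    services, dlls = parse_log(SAMPLE_LOG)
    for dll, names in shared_service_dlls(services, dlls).items():
        print(f"{dll} is the ServiceDll of {len(names)} svchost services: {', '.join(names)}")
    print("submit for scanning:", files_to_submit(SAMPLE_LOG))
```

Run against the full log rather than the slice and the same two-pass parse applies: the service list gives the svchost group, the registry dump gives the DLL, and only the intersection is scored, so a standalone driver such as GameMon.des (ImagePath, no ServiceDll) is ignored.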
 
ComboFix 10-11-24.03 - Administrator 8/2010 Sun 12:50:03.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.936.86.1033.18.2551.1944 [GMT 8:00]
执行位置: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
* 成功创造新还原点

注意 - 这台电脑没有安装恢复控制台 !!
.

((((((((((((((((((((((((((((((((((((((( 被删除的档案 )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Coopen
c:\program files\Coopen\conf\Debug
c:\program files\Coopen\conf\Log.txt
c:\program files\Coopen\conf\MainParams
c:\program files\Coopen\conf\TodayInfo
c:\program files\Coopen\Templete\Default.tpl
c:\windows\CoopenOldWallPaper.bmp

.
--------------- FCopy ---------------

c:\windows\system32\dllcache\tcpip.sys --> c:\windows\system32\drivers\tcpip.sys
c:\windows\system32\dllcache\tcpip.sys --> c:\windows\$NtUninstallKB951748$\tcpip.sys
c:\windows\system32\dllcache\tcpip.sys --> c:\windows\$NtUninstallKB941644$\tcpip.sys
c:\windows\system32\dllcache\tcpip.sys --> c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\tcpip.sys
.
((((((((((((((((((((((((( 2010-10-28 至 2010-11-28 的新的档案 )))))))))))))))))))))))))))))))
.

2010-11-28 03:29 . 2010-11-28 03:29 94208 ----a-w- c:\windows\system32\pwd.dll
2010-11-25 11:55 . 2010-11-25 11:55 -------- d-----w- C:\《完美世界免费版》
2010-11-25 11:39 . 2010-11-25 11:39 -------- d-----w- c:\windows\system32\wbem\Repository
2010-11-25 11:21 . 2010-11-25 11:38 -------- d-----w- C:\RECYCLER(3)
2010-11-24 09:30 . 2010-11-25 11:38 -------- d-----w- c:\program files\Baidu
2010-11-24 09:30 . 2010-11-25 11:38 -------- d-----w- c:\program files\ppsaddr
2010-11-24 09:29 . 2010-11-24 09:29 -------- d-----w- C:\My Music
2010-11-24 09:29 . 2010-11-24 09:29 -------- d-----w- c:\documents and settings\All Users\Real
2010-11-24 09:29 . 2010-11-24 09:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Xunlei
2010-11-24 09:29 . 2010-11-24 09:29 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Thunder Network
2010-11-23 12:28 . 2010-11-25 11:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-19 08:45 . 2010-11-24 09:19 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ConduitEngine
2010-11-19 08:45 . 2010-11-24 09:19 -------- d-----w- c:\program files\ConduitEngine
2010-11-19 08:42 . 2010-11-22 09:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\D07D217C-5CDB-5EA8-8201-78F7E447A939
2010-11-17 14:19 . 2010-11-23 13:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\ppsAddr
2010-11-17 14:15 . 2010-11-24 09:20 -------- d-----w- c:\program files\PPSGame
2010-11-14 14:34 . 2010-11-24 09:21 -------- d-----w- c:\program files\WinDirStat
2010-11-09 13:04 . 2010-11-09 13:04 -------- d-----w- c:\documents and settings\All Users\Application Data\TSLOG
2010-11-07 09:15 . 2010-11-07 09:15 -------- d-----w- c:\windows\system32\NtmsData
2010-11-06 16:14 . 2010-11-24 09:25 -------- d-----w- c:\program files\VirtualDJ
2010-10-30 11:43 . 2010-11-24 09:27 -------- d-----w- c:\program files\DebugMode

.
(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-23 16:55 . 2010-10-23 16:54 519168 ----a-w- C:\OTM.exe
2010-10-22 13:43 . 2010-10-22 13:43 31728 ----a-w- c:\windows\dbrmdwb.exe
2010-10-22 13:43 . 2010-10-22 13:43 26 ----a-w- c:\windows\dbrmdwb.bat
2010-10-22 13:43 . 2010-10-22 13:43 245840 ----a-w- c:\windows\system32\DNLEng.dll
2010-10-22 13:43 . 2010-10-22 13:43 894616 ----a-w- c:\windows\dbplugin.exe
2010-10-22 13:43 . 2010-10-22 13:43 2327704 ----a-w- c:\windows\dbplugin.ocx
2010-10-22 13:43 . 2010-10-22 13:43 2179072 ----a-w- c:\windows\npdbplug.dll
2010-09-07 15:12 . 2010-10-24 09:09 38848 ----a-w- c:\windows\avastSS.scr
2010-09-07 15:11 . 2010-10-24 09:09 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-09-07 14:52 . 2010-10-24 09:09 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-09-07 14:52 . 2010-10-24 09:09 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-09-07 14:47 . 2010-10-24 09:09 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-09-07 14:47 . 2010-10-24 09:09 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-09-07 14:47 . 2010-10-24 09:09 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-09-07 14:47 . 2010-10-24 09:09 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-09-07 14:46 . 2010-10-24 09:09 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2004-10-01 07:00 . 2007-08-02 13:37 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2009-10-27 01:21 . 2010-10-06 08:47 253952 ----a-w- c:\program files\mozilla firefox\components\CheckTudouVa.dll
.

((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{346de098-61f9-4b42-89da-6dfba7091bb6}"= "c:\program files\IMBooster4web-en\tbIMB2.dll" [2010-10-18 3908192]
"{84FF7BD6-B47F-46F8-9130-01B2696B36CB}"= "c:\program files\Iminent\SearchTheWeb\Iminent.BHO.NavigationError.dll" [2010-08-17 111608]

[HKEY_CLASSES_ROOT\clsid\{346de098-61f9-4b42-89da-6dfba7091bb6}]

[HKEY_CLASSES_ROOT\clsid\{84ff7bd6-b47f-46f8-9130-01b2696b36cb}]
[HKEY_CLASSES_ROOT\IminentBHONavigationError.CHelperBHO.1]
[HKEY_CLASSES_ROOT\TypeLib\{59E6E159-57CC-4DA5-8700-2AD17DC31DD1}]
[HKEY_CLASSES_ROOT\IminentBHONavigationError.CHelperBHO]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-10-18 10:26 3908192 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{346de098-61f9-4b42-89da-6dfba7091bb6}]
2010-10-18 10:26 3908192 ----a-w- c:\program files\IMBooster4web-en\tbIMB2.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{474597C5-AB09-49d6-A4D5-2E8D7341384E}]
2008-09-02 14:04 398768 ----a-w- c:\program files\iMesh Applications\iMesh MediaBar\iMeshIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{58124A0B-DC32-4180-9BFF-E0E21AE34026}]
2010-07-02 01:54 2607872 ----a-w- c:\program files\IMinent Toolbar\tbcore3.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{84FF7BD6-B47F-46F8-9130-01B2696B36CB}]
2010-08-17 08:18 111608 ----a-w- c:\program files\Iminent\SearchTheWeb\Iminent.BHO.NavigationError.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{346de098-61f9-4b42-89da-6dfba7091bb6}"= "c:\program files\IMBooster4web-en\tbIMB2.dll" [2010-10-18 3908192]
"{977AE9CC-AF83-45E8-9E03-E2798216E2D5}"= "c:\program files\IMinent Toolbar\tbcore3.dll" [2010-07-02 2607872]
"{63DF766D-C050-44b1-BB8A-C3ABB44C0E96}"= "c:\program files\unikeyword\uktb.dll" [2010-10-18 465152]

[HKEY_CLASSES_ROOT\clsid\{346de098-61f9-4b42-89da-6dfba7091bb6}]

[HKEY_CLASSES_ROOT\clsid\{977ae9cc-af83-45e8-9e03-e2798216e2d5}]
[HKEY_CLASSES_ROOT\TBSB01620.TBSB01620.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\TBSB01620.TBSB01620]

[HKEY_CLASSES_ROOT\clsid\{63df766d-c050-44b1-bb8a-c3abb44c0e96}]
[HKEY_CLASSES_ROOT\Knet.PugiObj.1]
[HKEY_CLASSES_ROOT\TypeLib\{A521756C-4EE1-44c5-852E-6D679588966F}]
[HKEY_CLASSES_ROOT\Knet.PugiObj]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-06-28 171448]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 1961984]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 868352]
"PPS Accelerator"="c:\program files\PPStream\ppsap.exe" [2010-02-24 214408]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"Thunder"="c:\program files\Thunder Network\Thunder\Program\Thunder.exe" [2010-11-02 835888]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsmqIntCert"="mqrt.dll" [2009-06-25 177152]
"AGRSMMSG"="AGRSMMSG.exe" [2006-01-30 88203]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-21 144784]
"PTHOSTTR"="c:\program files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2005-10-04 86016]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-10 761945]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-02-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-02-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-02-15 118784]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 454656]
"CognizanceTS"="c:\progra~1\HPQ\IAM\Bin\AsTsVcc.dll" [2003-12-22 17920]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-01-26 172094]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2005-12-20 1187840]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-01-24 802816]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-01-20 905216]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2005-11-08 184320]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 517768]
"Easy-PrintToolBox"="c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-14 409600]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2006-03-14 1397760]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" [2009-01-17 548864]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Ulead AutoDetector v2"="c:\program files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2004-08-27 90112]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"CarboniteSetupLite"="c:\program files\Carbonite\CarbonitePreinstaller.exe" [2009-08-04 318096]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-12-18 197928]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
PPS.lnk - c:\program files\PPStream\PPStream.exe [2010-11-16 5255048]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-1-18 581693]
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2007-6-28 184320]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-11-15 278528]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2005-07-25 18:41 40960 ----a-w- c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Tudou\\飞速Tudou\\TudouVa.exe"=
"c:\\Program Files\\速播网络影视\\hrstv.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Thunder Network\\Thunder\\Program\\Thunder.exe"=
"c:\\Program Files\\Thunder Network\\Thunder\\Program\\ThunderLiveUD.exe"=
"c:\\Program Files\\Thunder Network\\Thunder\\XLDoctor\\7.1.2.2014_1\\Program\\XLDoctorUI.exe"=
"c:\\Program Files\\PPStream\\PPStream.exe"=
"c:\\Program Files\\PPStream\\PPSAP.exe"=
"c:\\Program Files\\PPSGame\\PPSGame.exe"=
"c:\\Program Files\\Common Files\\Thunder Network\\TP\\Ver1\\1.1.2.36_1110\\ThunderPlatform.exe"=
"c:\\Program Files\\Common Files\\Thunder Network\\TP\\Ver1\\1.1.2.36_1110\\ThunderLiveUD.exe"=
"c:\\Program Files\\Common Files\\Thunder Network\\TP\\Ver1\\1.1.2.36_1110\\XLBugReport.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19682:TCP"= 19682:TCP:BitComet 19682 TCP
"19682:UDP"= 19682:UDP:BitComet 19682 UDP
"56280:TCP"= 56280:TCP:pando Media Booster
"56280:UDP"= 56280:UDP:pando Media Booster

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [10/24/2010 5:09 PM 165584]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [8/4/2004 4:00 PM 14336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/24/2010 5:09 PM 17744]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [12/18/2009 11:25 AM 189736]
R2 Ukwsvr;Ukwsvr;c:\program files\unikeyword\ukwsvr.exe [10/18/2010 1:41 PM 157952]
R3 Mkd2Nadr;Mkd2Nadr;c:\windows\system32\drivers\Mkd2Nadr.sys [6/10/2009 10:54 PM 79104]
S0 kcqbljp;kcqbljp;\SystemRoot\\SystemRoot\System32\drivers\kcqbljp.sys --> \SystemRoot\\SystemRoot\System32\drivers\kcqbljp.sys [?]
S2 AVGIDSAgent;AVGIDSAgent;"c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe" --> c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [?]
S2 CnsStd;CnsStd;c:\windows\system32\drivers\CnsStd.sys --> c:\windows\system32\drivers\CnsStd.sys [?]
S2 fqtijpsyb;Security Driver;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 4:00 PM 14336]
S2 mxkwtyjn;Image Installer;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 4:00 PM 14336]
S2 nterp;Image Installer;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 4:00 PM 14336]
S2 pwgyoati;Image Center;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 4:00 PM 14336]
S2 tmsfoulra;Network Task;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 4:00 PM 14336]
S3 Mkd2kfNt;Mkd2kfNt;c:\windows\system32\drivers\Mkd2kfNT.sys [6/10/2009 10:54 PM 131072]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 R2A;R2A;\??\c:\windows\system32a2.sys --> c:\windows\system32a2.sys [?]
S3 XDva193;XDva193;\??\c:\windows\system32\XDva193.sys --> c:\windows\system32\XDva193.sys [?]
S3 XDva195;XDva195;\??\c:\windows\system32\XDva195.sys --> c:\windows\system32\XDva195.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASChannel

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
tmsfoulra
fqtijpsyb
nterp
pwgyoati
mxkwtyjn
.
‘计划任务’ 文件夹 里的内容

2010-11-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 04:34]
.
.
------- 而外的扫描 -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = local
uSearchAssistant = hxxp://www.Google.com/
uCustomizeSearch = hxxp://www.Google.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &?????? - c:\program files\Thunder Network\Thunder\Program\geturl.htm
IE: &?????????? - c:\program files\Thunder Network\Thunder\Program\getallurl.htm
IE: &¨?¥?¨31p¤U?ü - c:\program files\Thunder Network\Thunder\Program\GetUrl.htm
IE: &¨?¥?¨31p¤U?ü¥t3??ì±μ - c:\program files\Thunder Network\Thunder\Program\GetAllUrl.htm
IE: &使用迅雷下载 - c:\program files\Thunder Network\Thunder\Program\geturl.htm
IE: &使用迅雷下载全部链接 - c:\program files\Thunder Network\Thunder\Program\getallurl.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: ·¢?íí???μ?ê??ú - c:\program files\P4P\cx.htm
IE: ê1ó?iTudou?????ú?? - c:\program files\Tudou\iTudou\iTudou_Link.HTM
IE: ê1ó???1·?±í¨3μ???? - c:\program files\P4P\dl.htm
IE: ìí?óμ??°?òμ??????± - c:\program files\P4P\rss.htm
IE: 使用搜狗直通车下载 - c:\program files\P4P\dl.htm
IE: 使用迅雷下载 - c:\program files\Thunder Network\Thunder\BHO\geturl.htm
IE: 使用迅雷下载全部链接 - c:\program files\Thunder Network\Thunder\BHO\GetAllUrl.htm
IE: 发送图片到手机 - c:\program files\P4P\cx.htm
IE: 妏蚚捃濘狟婥 - c:\program files\Thunder Network\Thunder\Program\geturl.htm
IE: 妏蚚捃濘狟婥?窒蟈諉 - c:\program files\Thunder Network\Thunder\Program\getallurl.htm
IE: 雅虎搜索 - c:\progra~1\Yahoo!\ASSIST~1\Assist\yasbar.dll/246
IE: {{09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - c:\program files\Thunder Network\Thunder\Thunder.exe
IE: {{14CD42DD-ABCD-3586-DCAB-40E3693E3737} - c:\program files\Stylish Profile\ct.htm
IE: {{507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yahoomail
IE: {{59BC54A2-56B3-44a0-93E5-432D58746E26} - http://adtaobao.allyes.com/main/adf...obao.com/vertical/mall/pro.php?allyesPara=816
IE: {{5D73EE86-05F1-49ed-B850-E423120EC338} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yassist
IE: {{6354ABE6-05F1-49ed-B850-E423120EC338} - http://cn.widget.yahoo.com/index.htm?source=Cns
IE: {{ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=repair
IE: {{FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=clean
Trusted Zone: pps.tv
Trusted Zone: ppstream.com
Trusted Zone: webscache.com
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\fguosiui.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2032792&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://search.iminent.com/?appId=23341367-3051-485d-a776-a4571934aa26
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - prefs.js: network.proxy.type - 2
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\fguosiui.default\extensions\{1B33E42F-EF14-4cd3-B6DC-174571C4349C}\components\ThunderComponent.dll
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\fguosiui.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\fguosiui.default\extensions\{C9B68337-E93A-44EA-94DC-CB300EC06444}\components\Engine.dll
FF - component: c:\program files\Mozilla Firefox\components\CheckTudouVa.dll
FF - component: c:\program files\Mozilla Firefox\extensions\webbooster@iminent.com\components\Iminent.XPCOM.dll
FF - plugin: c:\program files\AhnLab\ASP\MyKeyDefense 2.5\npmkd25aos.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdbplug.dll
FF - plugin: c:\program files\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- 火狐配置文件 ----
c:\program files\Mozilla Firefox\defaults\pref\all-iminent.js - pref("iminent.appInstanceUid", "23341367-3051-485d-a776-a4571934aa26");
c:\program files\Mozilla Firefox\defaults\pref\all-iminent.js - pref("iminent.currentLcid", "1033");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-28 13:12
Windows 5.1.2600 Service Pack 2 NTFS

扫描被隐藏的进程 。。。

扫描被隐藏的启动组 。。。

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe??????????n?|?`??? ??B??????????????B? ?????

扫描被隐藏的文件 。。。

扫描完成
被隐藏的档案: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fqtijpsyb]
"ServiceDll"="c:\windows\system32\hnzdvy.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mxkwtyjn]
"ServiceDll"="c:\windows\system32\hnzdvy.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nterp]
"ServiceDll"="c:\windows\system32\hnzdvy.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pwgyoati]
"ServiceDll"="c:\windows\system32\hnzdvy.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tmsfoulra]
"ServiceDll"="c:\windows\system32\hnzdvy.dll"
.
--------------------- 运行进程下的动态链接库 ---------------------

- - - - - - - > 'winlogon.exe'(1004)
c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll
c:\windows\system32\msi.dll
c:\program files\HPQ\IAM\Bin\ASChnl.dll
c:\windows\system32\WININET.dll
c:\program files\HPQ\IAM\Bin\ItMsg.dll

- - - - - - - > 'explorer.exe'(4780)
c:\windows\system32\WININET.dll
c:\program files\HPQ\IAM\Bin\SFSShell.dll
c:\program files\HPQ\IAM\bin\ItMsg.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ 其他运行进程 ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\windows\system32\DllHost.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\HPQ\IAM\bin\asghost.exe
c:\windows\system32\conime.exe
c:\windows\AGRSMMSG.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\msdtc.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\mqsvc.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\mqtgsvc.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\HPQ\Shared\HPQTOA~1.EXE
.
**************************************************************************
.
完成时间: 2010-11-28 13:18:16 - 电脑已重新启动
ComboFix-quarantined-files.txt 2010-11-28 05:18
ComboFix2.txt 2010-11-25 09:40

Pre-Run: 5,528,653,824 bytes free
Post-Run: 5,583,888,384 bytes free

- - End Of File - - 590483B3EFB4486707F8541526C04A72
 
Crunchie, I am unable to make the scan using Jotti's or VirusTotal because
c:\windows\system32\hnzdvy.dll
is not situated in my computer.
 
Wow! Now my computer's task manager can be used already... And can I delete ComboFix from my computer already?
Thanks, Crunchie.
 
Make sure that your computer functions normally for a day and then come back and let me know and we will remove the tools we have used.
 
That's great :).

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC by OldTimer:
Save it to your Desktop.
Double click OTC.exe.
Click the CleanUp! button.
If you are prompted to Reboot during the cleanup, select Yes. The tool will delete itself once it finishes.

==

Happy surfing.
 