Solved cannot use ctrl+alt+del

shopjennie · 2009/10/31

[Resolved] cannot use ctrl+alt+del

Hi, really need your help!

I think my computer has been infected with virus(es). Often the computer would freeze and the blue screen would appear. I have ran Malwarebytes and found couple trojans and deleted.

But now I cannot use ctrl+alt+del, nothing happens.

Tried scanning Kaspersky, passed by C drive okay, but midway through D drive, a window appears: "hard disk error" and forcing me to restart.

I deleted Kaspersky and installed AVG Anti-Virus. Again, same issue. Midway scanning through D drive a window appears: "hard disk error" and forcing me to reboot.

I also cannot boot in safemode by pressing F8, and I can't install HijackThis either.

Can someone help?
really appreciate it!
Jennie

Update: I'm able to reboot in safemood (using Msconfig), tried scanning with AVG Anti-Virus. Same thing, able to go through C drive, but midway through D drive the scanning window disappears.

Update2: I used Ad-Aware and was able to detect and delete some infected files and .exe. Now I tried scanning with AVG Anti-Virus, it's working. No apparent viruses are found, just some cookies.

But still cannot use ctrl+alt+del. Still can't install HijackThis.
What should I do? Should I run ComboFix.exe or gmer.exe?

shopjennie · 2009/10/31

Hi,

Now I'm able to run HijackThis. Here is the log file.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:57:51, on 2009-10-31
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CMBCHINA\WebProtect\WPService.exe
C:\Program Files\ICBCEbankTools\ICBCAntiPhishing\IcbcDaemon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: IE2EMBHO Class - {0A0DDBD3-6641-40B9-873F-BBDD26D6C14E} - C:\Program Files\easyMule\modules\IE2EM.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: WebProtect.IEHlpObj - {53763D1D-9CA8-4C7C-9756-A8E6B8FC063B} - C:\Program Files\CMBCHINA\WebProtect\WebProtect.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: 中国工商银行BHO - {BB4491A2-D11A-4c6b-91C0-B53246A3122B} - C:\Program Files\ICBCEbankTools\ICBCAntiPhishing\Icbc_AntiPhishing.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: Download by easyMule - D:\emule\easyMule\IE2EM.htm
O8 - Extra context menu item: 使用电驴下载 - C:\Program Files\easyMule\IE2EM.htm
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} (Edit Class) - https://site.cmbchina.com/download/CMBEdit.cab
O16 - DPF: {3AA9CF07-DF20-48FF-98BE-DED276E40146} (GDGetTokenInfo Class) - https://mybank.icbc.com.cn/icbc/GDReadPub.cab
O16 - DPF: {488A4255-3236-44B3-8F27-FA1AECAA8844} (EditCtrl Class) - https://img.alipay.com/download/2121/aliedit.cab
O16 - DPF: {73E4740C-08EB-4133-896B-8D0A7C9EE3CD} (AxInputControl Class) - https://b2c.icbc.com.cn/icbc/newperbank/AXSafeControls.cab
O16 - DPF: {B1FBC1AD-5644-4084-882A-0F8BA85E7506} (InfoSecICBCNetSign Class) - https://mybank.icbc.com.cn/icbc/ICBC_NetSign.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{CBC05A96-A0D6-403E-8D45-0B7ACD216552}: NameServer = 124.74.213.68 202.96.209.133
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour 服务 (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cmb WebProtect Support (CMBWPS) - China Merchants Bank - C:\Program Files\CMBCHINA\WebProtect\WPService.exe
O23 - Service: ICBC Daemon Service - Unknown owner - C:\Program Files\ICBCEbankTools\ICBCAntiPhishing\IcbcDaemon.exe
O23 - Service: iPod 服务 (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

--
End of file - 6289 bytes

shopjennie · 2009/10/31

And here is the ComboFix report.

ComboFix 09-10-30.01 - Administrator -10-31 星期六 18:39.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.936.86.2052.18.3327.2804 [GMT 8:00]
执行位置: d:\my documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( 被删除的档案 )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\StormII
c:\program files\StormII\baofeng.swf
c:\program files\StormII\BfOptDll.dll
c:\program files\StormII\BFThumbs.dll
c:\program files\StormII\Box\HttpServer.dll
c:\program files\StormII\Box\MovieBoxCore.dll
c:\program files\StormII\Box\MovieBoxPS.dll
c:\program files\StormII\Box\Skin\MovieBox.zip
c:\program files\StormII\Box\Stline.exe
c:\program files\StormII\Box\UILib.dll
c:\program files\StormII\Box\UiManager.dll
c:\program files\StormII\Box\UiPlay.dll
c:\program files\StormII\Box\UitvWrapper_dll.dll
c:\program files\StormII\codec\264be.dll
c:\program files\StormII\codec\264dmmx.dll
c:\program files\StormII\codec\264dsse.dll
c:\program files\StormII\codec\264dsse2.dll
c:\program files\StormII\codec\264dsse3.dll
c:\program files\StormII\codec\aasc32.dll
c:\program files\StormII\codec\ac3filter.ax
c:\program files\StormII\codec\ACDV.dll
c:\program files\StormII\codec\acelpdec.ax
c:\program files\StormII\codec\asusasv1.dll
c:\program files\StormII\codec\asusasv2.dll
c:\program files\StormII\codec\ativcr2.dll
c:\program files\StormII\codec\avcodec.dll
c:\program files\StormII\codec\avformat.dll
c:\program files\StormII\codec\avidavicodec.dll
c:\program files\StormII\codec\AviSplitter.ax
c:\program files\StormII\codec\avutil.dll
c:\program files\StormII\codec\bass.dll
c:\program files\StormII\codec\bass_aac.dll
c:\program files\StormII\codec\bass_alac.dll
c:\program files\StormII\codec\bass_ape.dll
c:\program files\StormII\codec\bass_flac.dll
c:\program files\StormII\codec\bass_mpc.dll
c:\program files\StormII\codec\bass_tta.dll
c:\program files\StormII\codec\bass_wv.dll
c:\program files\StormII\codec\binkw32.dll
c:\program files\StormII\codec\BSPVDEC.dll
c:\program files\StormII\codec\bsrsrc.ax
c:\program files\StormII\codec\BsrVideoDec.ax
c:\program files\StormII\codec\bw10.dll
c:\program files\StormII\codec\cddareader.ax
c:\program files\StormII\codec\cdxareader.ax
c:\program files\StormII\codec\ChpSrcFilter.ax
c:\program files\StormII\codec\CinemasterAudio.DLL
c:\program files\StormII\codec\cl264dec.ax
c:\program files\StormII\codec\CLNavX.ax
c:\program files\StormII\codec\CLRVIDDC.DLL
c:\program files\StormII\codec\clrviddd.dll
c:\program files\StormII\codec\CLVc1Dec.ax
c:\program files\StormII\codec\CLVSD.ax
c:\program files\StormII\codec\clvsdx.ax
c:\program files\StormII\codec\coreavc.ax
c:\program files\StormII\codec\CUVCcodc.dll
c:\program files\StormII\codec\DCBassSource.ax
c:\program files\StormII\codec\DECVW_32.DLL
c:\program files\StormII\codec\divxdec.ax
c:\program files\StormII\codec\DmoDec.dll
c:\program files\StormII\codec\DSMSplitter.ax
c:\program files\StormII\codec\dxvadec.ax
c:\program files\StormII\codec\empgdmx.ax
c:\program files\StormII\codec\ff_kernelDeint.dll
c:\program files\StormII\codec\ff_liba52.dll
c:\program files\StormII\codec\ff_libavcodec.dll
c:\program files\StormII\codec\ff_libdts.dll
c:\program files\StormII\codec\ff_libfaad2.dll
c:\program files\StormII\codec\ff_libmad.dll
c:\program files\StormII\codec\ff_libmpeg2.dll
c:\program files\StormII\codec\ff_libmplayer.dll
c:\program files\StormII\codec\ff_realaac.dll
c:\program files\StormII\codec\ff_samplerate.dll
c:\program files\StormII\codec\ff_theora.dll
c:\program files\StormII\codec\ff_TomsMoComp.dll
c:\program files\StormII\codec\ff_tremor.dll
c:\program files\StormII\codec\ff_unrar.dll
c:\program files\StormII\codec\ff_wmv9.dll
c:\program files\StormII\codec\ff_xvidcore.dll
c:\program files\StormII\codec\ffdshow.ax
c:\program files\StormII\codec\ffdshow.ax.manifest
c:\program files\StormII\codec\ffmpeg.dll
c:\program files\StormII\codec\ffsource.ax
c:\program files\StormII\codec\Flash.ocx
c:\program files\StormII\codec\FLT_ffdshow.dll
c:\program files\StormII\codec\FLVSplitter.ax
c:\program files\StormII\codec\frapsvid.dll
c:\program files\StormII\codec\G722ADEC.dll
c:\program files\StormII\codec\GeoCodec.dll
c:\program files\StormII\codec\H264VDEC.dll
c:\program files\StormII\codec\HBGKDec.ax
c:\program files\StormII\codec\HBGKSrc.ax
c:\program files\StormII\codec\HikAudioDec.ax
c:\program files\StormII\codec\HikFileSource.ax
c:\program files\StormII\codec\HikFileSplitter.ax
c:\program files\StormII\codec\HIKM4DEC.dll
c:\program files\StormII\codec\HikVideoDec.ax
c:\program files\StormII\codec\i263_32.drv
c:\program files\StormII\codec\icmw_32.dll
c:\program files\StormII\codec\iconv.dll
c:\program files\StormII\codec\kdh4.dll
c:\program files\StormII\codec\kdm4.dll
c:\program files\StormII\codec\keys.dat
c:\program files\StormII\codec\l3codecx.ax
c:\program files\StormII\codec\LCodcCMP.dll
c:\program files\StormII\codec\libavcodec.dll
c:\program files\StormII\codec\libmpeg2_ff.dll
c:\program files\StormII\codec\libmplayer.dll
c:\program files\StormII\codec\LMVRGBxf.dll
c:\program files\StormII\codec\LMVYUVxf.dll
c:\program files\StormII\codec\lsvxdec.dll
c:\program files\StormII\codec\mfplat.dll
c:\program files\StormII\codec\mkunicode.dll
c:\program files\StormII\codec\mkx.dll
c:\program files\StormII\codec\mkzlib.dll
c:\program files\StormII\codec\mmamrdmx.ax
c:\program files\StormII\codec\Mp3Decdll.dll
c:\program files\StormII\codec\MP3DMOD.DLL
c:\program files\StormII\codec\mp4.dll
c:\program files\StormII\codec\mp43dmod.dll
c:\program files\StormII\codec\MP4Demux.ax
c:\program files\StormII\codec\mp4sdmod.dll
c:\program files\StormII\codec\MP4Splitter.ax
c:\program files\StormII\codec\MpaDecFilter.ax
c:\program files\StormII\codec\MpaSplitter.ax
c:\program files\StormII\codec\mpcvideodec.ax
c:\program files\StormII\codec\Mpeg2DecFilter.ax
c:\program files\StormII\codec\mpeg2dmx.ax
c:\program files\StormII\codec\MpegSplitter.ax
c:\program files\StormII\codec\mpg2splt.ax
c:\program files\StormII\codec\mpg4dmod.dll
c:\program files\StormII\codec\mpg4ds32.ax
c:\program files\StormII\codec\MPlayer.exe
c:\program files\StormII\codec\msdmo.dll
c:\program files\StormII\codec\msms001.vwp
c:\program files\StormII\codec\msvcp71.dll
c:\program files\StormII\codec\msvcr71.dll
c:\program files\StormII\codec\MZP4_DEC.DLL
c:\program files\StormII\codec\NDParser.ax
c:\program files\StormII\codec\NeMP4Splitter.ax
c:\program files\StormII\codec\nvviddec.ax
c:\program files\StormII\codec\OggSplitter.ax
c:\program files\StormII\codec\ogm.dll
c:\program files\StormII\codec\Plugins\nppl3260.dll
c:\program files\StormII\codec\Plugins\nppl3260.xpt
c:\program files\StormII\codec\Plugins\npqtplugin.dll
c:\program files\StormII\codec\Plugins\nprpjplug.dll
c:\program files\StormII\codec\Plugins\nsIQTScriptablePlugin.xpt
c:\program files\StormII\codec\Plugins\nsJSRealPlayerPlugin.xpt
c:\program files\StormII\codec\Plugins\QuickTimePlugin.class
c:\program files\StormII\codec\PmpSplt.ax
c:\program files\StormII\codec\pncrt.dll
c:\program files\StormII\codec\pndx5016.dll
c:\program files\StormII\codec\pndx5032.dll
c:\program files\StormII\codec\pthreadVC2.dll
c:\program files\StormII\codec\pvmjpg21.dll
c:\program files\StormII\codec\PVWV220.DLL
c:\program files\StormII\codec\qasf.dll
c:\program files\StormII\codec\QTSystem\CFCharacterSetBitmaps.bitmap
c:\program files\StormII\codec\QTSystem\CoreVideo.qtx
c:\program files\StormII\codec\QTSystem\CoreVideo.Resources\CoreVideo.qtr
c:\program files\StormII\codec\QTSystem\CoreVideo.Resources\en.lproj\CoreVideoLocalized.qtr
c:\program files\StormII\codec\QTSystem\QuickTime.qts
c:\program files\StormII\codec\QTSystem\QuickTime.Resources\en.lproj\QuickTimeLocalized.dll
c:\program files\StormII\codec\QTSystem\QuickTime.Resources\en.lproj\QuickTimeLocalized.qtr
c:\program files\StormII\codec\QTSystem\QuickTime.Resources\QuickTime.dll
c:\program files\StormII\codec\QTSystem\QuickTime.Resources\QuickTime.qtr
c:\program files\StormII\codec\QTSystem\QuickTime.Resources\QuickTime.qtxs
c:\program files\StormII\codec\QTSystem\QuickTime3GPP.qtx
c:\program files\StormII\codec\QTSystem\QuickTime3GPP.Resources\en.lproj\QuickTime3GPPLocalized.qtr
c:\program files\StormII\codec\QTSystem\QuickTime3GPP.Resources\QuickTime3GPP.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeAudioSupport.qtx
c:\program files\StormII\codec\QTSystem\QuickTimeAudioSupport.Resources\en.lproj\QuickTimeAudioSupportLocalized.dll
c:\program files\StormII\codec\QTSystem\QuickTimeAudioSupport.Resources\en.lproj\QuickTimeAudioSupportLocalized.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeAudioSupport.Resources\QuickTimeAudioSupport.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeEssentials.qtx
c:\program files\StormII\codec\QTSystem\QuickTimeEssentials.Resources\en.lproj\QuickTimeEssentialsLocalized.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeEssentials.Resources\QuickTimeEssentials.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeH264.qtx
c:\program files\StormII\codec\QTSystem\QuickTimeH264.Resources\en.lproj\QuickTimeH264Localized.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeH264.Resources\QuickTimeH264.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeInternetExtras.qtx
c:\program files\StormII\codec\QTSystem\QuickTimeInternetExtras.Resources\en.lproj\QuickTimeInternetExtrasLocalized.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeInternetExtras.Resources\QuickTimeInternetExtras.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeMPEG4.qtx
c:\program files\StormII\codec\QTSystem\QuickTimeMPEG4.Resources\en.lproj\QuickTimeMPEG4Localized.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeMPEG4.Resources\QuickTimeMPEG4.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeMusic.qtx
c:\program files\StormII\codec\QTSystem\QuickTimeMusic.Resources\en.lproj\QuickTimeMusicLocalized.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeMusic.Resources\QuickTimeMusic.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeStreaming.qtx
c:\program files\StormII\codec\QTSystem\QuickTimeStreaming.Resources\en.lproj\QuickTimeStreamingLocalized.dll
c:\program files\StormII\codec\QTSystem\QuickTimeStreaming.Resources\en.lproj\QuickTimeStreamingLocalized.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeStreaming.Resources\QuickTimeStreaming.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeStreamingExtras.qtx
c:\program files\StormII\codec\QTSystem\QuickTimeStreamingExtras.Resources\en.lproj\QuickTimeStreamingExtrasLocalized.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeStreamingExtras.Resources\QuickTimeStreamingExtras.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeVR.qtx
c:\program files\StormII\codec\QTSystem\QuickTimeVR.Resources\en.lproj\QuickTimeVRLocalized.qtr
c:\program files\StormII\codec\QTSystem\QuickTimeVR.Resources\QuickTimeVR.qtr
c:\program files\StormII\codec\QuickTime.qts
c:\program files\StormII\codec\QuickTimeVR.qtx
c:\program files\StormII\codec\RadGtSplitter.ax
c:\program files\StormII\codec\Real\Codecs\14_43260.dll
c:\program files\StormII\codec\Real\Codecs\28_83260.dll
c:\program files\StormII\codec\Real\Codecs\atrc.dll
c:\program files\StormII\codec\Real\Codecs\cook.dll
c:\program files\StormII\codec\Real\Codecs\ddnt3260.dll
c:\program files\StormII\codec\Real\Codecs\dnet3260.dll
c:\program files\StormII\codec\Real\Codecs\drv1.dll
c:\program files\StormII\codec\Real\Codecs\drv2.dll
c:\program files\StormII\codec\Real\Codecs\drvc.dll
c:\program files\StormII\codec\Real\Codecs\hxltcolor.dll
c:\program files\StormII\codec\Real\Codecs\raac.dll
c:\program files\StormII\codec\Real\Codecs\ralf.dll
c:\program files\StormII\codec\Real\Codecs\rv10.dll
c:\program files\StormII\codec\Real\Codecs\rv20.dll
c:\program files\StormII\codec\Real\Codecs\rv30.dll
c:\program files\StormII\codec\Real\Codecs\rv40.dll
c:\program files\StormII\codec\Real\Codecs\sipr.dll
c:\program files\StormII\codec\Real\Common\objb3201.dll
c:\program files\StormII\codec\Real\Common\pnen3260.dll
c:\program files\StormII\codec\Real\Common\pngu3267.dll
c:\program files\StormII\codec\Real\Common\pnrs3260.dll
c:\program files\StormII\codec\Real\Common\rppr3260.dll
c:\program files\StormII\codec\Real\Common\security.dll
c:\program files\StormII\codec\Real\Plugins\audplin.dll
c:\program files\StormII\codec\Real\Plugins\authmgr.dll
c:\program files\StormII\codec\Real\Plugins\clbascauth.dll
c:\program files\StormII\codec\Real\Plugins\clntxres.dll
c:\program files\StormII\codec\Real\Plugins\ExtResources\coreres.xrs
c:\program files\StormII\codec\Real\Plugins\fpsechnd.dll
c:\program files\StormII\codec\Real\Plugins\httpfsys.dll
c:\program files\StormII\codec\Real\Plugins\hxsdp.dll
c:\program files\StormII\codec\Real\Plugins\hxxml.dll
c:\program files\StormII\codec\Real\Plugins\imgrender.dll
c:\program files\StormII\codec\Real\Plugins\memfsys.dll
c:\program files\StormII\codec\Real\Plugins\mp3fformat.dll
c:\program files\StormII\codec\Real\Plugins\mp3render.dll
c:\program files\StormII\codec\Real\Plugins\mp4arender.dll
c:\program files\StormII\codec\Real\Plugins\ntlmauth.dll
c:\program files\StormII\codec\Real\Plugins\oggfformat.dll
c:\program files\StormII\codec\Real\Plugins\pacplin.dll
c:\program files\StormII\codec\Real\Plugins\plusplin.dll
c:\program files\StormII\codec\Real\Plugins\pxcb3210.dll
c:\program files\StormII\codec\Real\Plugins\ramfformat.dll
c:\program files\StormII\codec\Real\Plugins\ramrender.dll
c:\program files\StormII\codec\Real\Plugins\rarender.dll
c:\program files\StormII\codec\Real\Plugins\rmfformat.dll
c:\program files\StormII\codec\Real\Plugins\rmxfpln.dll
c:\program files\StormII\codec\Real\Plugins\rmxrend.dll
c:\program files\StormII\codec\Real\Plugins\rn5auth.dll
c:\program files\StormII\codec\Real\Plugins\rtfformat.dll
c:\program files\StormII\codec\Real\Plugins\rtrender.dll
c:\program files\StormII\codec\Real\Plugins\rvrender.dll
c:\program files\StormII\codec\Real\Plugins\sdpplin.dll
c:\program files\StormII\codec\Real\Plugins\security.dll
c:\program files\StormII\codec\Real\Plugins\smlfformat.dll
c:\program files\StormII\codec\Real\Plugins\smlrender.dll
c:\program files\StormII\codec\Real\Plugins\smmrender.dll
c:\program files\StormII\codec\Real\Plugins\smplfsys.dll
c:\program files\StormII\codec\Real\Plugins\stubdrm.dll
c:\program files\StormII\codec\Real\Plugins\tfilesys.dll
c:\program files\StormII\codec\Real\Plugins\vidplin.dll
c:\program files\StormII\codec\Real\Plugins\vidsite.dll
c:\program files\StormII\codec\Real\Plugins\vorbisrend.dll
c:\program files\StormII\codec\Real\Plugins\vsrlocal.dll
c:\program files\StormII\codec\Real\rpplugins\cn\embed_cn.dll
c:\program files\StormII\codec\Real\rpplugins\cn\rpclsvc_cn.dll
c:\program files\StormII\codec\Real\rpplugins\embd3260.dll
c:\program files\StormII\codec\Real\rpplugins\rpcl3260.dll
c:\program files\StormII\codec\Real\rpplugins\rput3260.dll
c:\program files\StormII\codec\RenderFilter.ax
c:\program files\StormII\codec\RLMPCDec.ax
c:\program files\StormII\codec\rmoc3260.dll
c:\program files\StormII\codec\RMSplt.ax
c:\program files\StormII\codec\Sc726dec.ax
c:\program files\StormII\codec\scmpack.dll
c:\program files\StormII\codec\scsource.ax
c:\program files\StormII\codec\skinsres.dll
c:\program files\StormII\codec\smackw32.dll
c:\program files\StormII\codec\SonicLicenseManager9.dll
c:\program files\StormII\codec\splitter.ax
c:\program files\StormII\codec\swscale.dll
c:\program files\StormII\codec\TomsMoComp_ff.dll
c:\program files\StormII\codec\ts.dll
c:\program files\StormII\codec\tsccvid.dll
c:\program files\StormII\codec\TTL2Dec.dll
c:\program files\StormII\codec\v2k2_dec.dll
c:\program files\StormII\codec\v2kdspde.dll
c:\program files\StormII\codec\vc1dc.dll
c:\program files\StormII\codec\vc1dmmx.dll
c:\program files\StormII\codec\vc1dsse.dll
c:\program files\StormII\codec\vc1dsse2.dll
c:\program files\StormII\codec\vc1wp.ax
c:\program files\StormII\codec\VDODEC32.dll
c:\program files\StormII\codec\vdowave.drv
c:\program files\StormII\codec\VgmAudio.ax
c:\program files\StormII\codec\vgmbgr.ax
c:\program files\StormII\codec\VgmSplt.ax
c:\program files\StormII\codec\vgmv2k2.ax
c:\program files\StormII\codec\Vid1Dec.dll
c:\program files\StormII\codec\vmnc.dll
c:\program files\StormII\codec\voxmsdec.ax
c:\program files\StormII\codec\vp6vfw.dll
c:\program files\StormII\codec\vp7vfw.dll
c:\program files\StormII\codec\vssver2.scc
c:\program files\StormII\codec\WMADMOD.dll
c:\program files\StormII\codec\wmpasf.dll
c:\program files\StormII\codec\wmsdmod.dll
c:\program files\StormII\codec\WMVDECOD.dll
c:\program files\StormII\codec\wmvdmod.dll
c:\program files\StormII\codec\xvid.ax
c:\program files\StormII\codec\xvidcore.dll
c:\program files\StormII\codec\yv12vfw.dll
c:\program files\StormII\Config.dll
c:\program files\StormII\corelog.dll
c:\program files\StormII\current.ecs
c:\program files\StormII\GdiPlus.dll
c:\program files\StormII\gifParser.dll
c:\program files\StormII\jscript.dll
c:\program files\StormII\keys.dat
c:\program files\StormII\media\def\def.flv
c:\program files\StormII\media\def\def.ini
c:\program files\StormII\media\empty.swf
c:\program files\StormII\media\media4in1.swf
c:\program files\StormII\media\mediabp.swf
c:\program files\StormII\media\others.xml
c:\program files\StormII\media\others.xml.ini
c:\program files\StormII\media\stcon.ini
c:\program files\StormII\media\toff.ini
c:\program files\StormII\media\video_material_list.xml
c:\program files\StormII\media\video_material_list.xml.ini
c:\program files\StormII\media\video_style_list.xml
c:\program files\StormII\media\video_style_list.xml.ini
c:\program files\StormII\Media2.dll
c:\program files\StormII\mediainfo.dll
c:\program files\StormII\medialib.dll
c:\program files\StormII\mee.db
c:\program files\StormII\meedb.dll
c:\program files\StormII\MovieInfo.dll
c:\program files\StormII\mps.dll
c:\program files\StormII\msscript.ocx
c:\program files\StormII\msvcp60.dll
c:\program files\StormII\Option.dll
c:\program files\StormII\playlist.smpl
c:\program files\StormII\rndrmgr.dll
c:\program files\StormII\server.ecs
c:\program files\StormII\Skin\暴风1经典.zip
c:\program files\StormII\Skin\暴风2经典.zip
c:\program files\StormII\Skin\见龙卸甲.zip
c:\program files\StormII\spfa.dll
c:\program files\StormII\splayers.dll
c:\program files\StormII\stMgr.exe
c:\program files\StormII\storm.exe
c:\program files\StormII\StormDebug.exe
c:\program files\StormII\StormExcept.log
c:\program files\StormII\stormliv.exe
c:\program files\StormII\stormpop.exe
c:\program files\StormII\StormRes.dll
c:\program files\StormII\StormSkinRes.dll
c:\program files\StormII\subdecoder.dll
c:\program files\StormII\swDirScaner.dll
c:\program files\StormII\Tips.dll
c:\program files\StormII\uninst.exe
c:\program files\StormII\unrar.dll
c:\windows\system32\ieuinit.inf
c:\windows\system32\msconfig.exe

c:\windows\notepad.exe . . . 受感染！！

.
((((((((((((((((((((((((((((((((((((((( 驱动/服务 )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SAFEBOXKRNL
-------\Legacy_ccosm
-------\Service_ccosm

((((((((((((((((((((((((( 2009-09-28 至 2009-10-31 的新的档案 )))))))))))))))))))))))))))))))
.

2009-10-31 10:01 . 2009-10-31 10:01 -------- d-----w- c:\program files\DiskInternals
2009-10-31 09:07 . 2009-10-31 07:48 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-10-31 08:49 . 2009-10-31 08:49 -------- d-----w- c:\documents and settings\LocalService\桌面
2009-10-31 07:48 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-10-31 07:48 . 2009-10-31 07:48 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-10-31 07:44 . 2009-10-31 07:44 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-31 07:43 . 2009-10-31 07:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-10-31 07:43 . 2009-10-31 07:43 -------- d-----w- c:\program files\Lavasoft
2009-10-31 07:21 . 2009-10-31 07:21 -------- d-----w- c:\windows\Sun
2009-10-31 06:17 . 2009-10-31 06:17 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-31 06:17 . 2009-10-31 06:17 -------- d-----w- c:\program files\Java
2009-10-31 04:18 . 2009-10-31 04:18 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AVG Security Toolbar
2009-10-31 04:17 . 2009-10-31 04:35 -------- d-----w- C:\$AVG
2009-10-31 04:17 . 2009-10-31 04:17 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-10-31 04:17 . 2009-10-31 04:17 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-31 04:17 . 2009-10-31 04:17 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-31 04:16 . 2009-10-31 04:16 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-31 04:16 . 2009-10-31 04:16 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-31 04:16 . 2009-10-31 04:16 -------- d-----w- c:\windows\system32\drivers\Avg
2009-10-31 04:16 . 2009-10-31 04:16 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-10-31 04:16 . 2009-10-31 04:16 -------- d-----w- c:\program files\AVG
2009-10-31 04:16 . 2009-10-31 04:16 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-10-30 10:53 . 2009-10-30 10:53 -------- d-----w- c:\documents and settings\All Users\Application Data\360safe
2009-10-30 10:53 . 2009-10-30 10:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\360safe
2009-10-30 09:14 . 2009-10-30 09:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-30 09:13 . 2009-09-10 06:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-30 09:13 . 2009-10-30 09:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-30 09:13 . 2009-09-10 06:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-30 09:13 . 2009-10-30 09:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-30 07:57 . 2009-10-30 07:58 -------- d-----w- c:\program files\easyMule
2009-10-27 01:47 . 2009-10-29 11:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2009-10-27 01:46 . 2009-10-27 01:46 -------- d-----w- c:\program files\Skype
2009-10-27 01:46 . 2009-10-28 10:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-10-14 09:46 . 2009-09-06 07:09 118784 ------w- c:\windows\system32\dllcache\ftpsvc2.dll
2009-10-09 12:23 . 2009-10-30 11:01 -------- d-----w- c:\program files\Unlocker
2009-10-09 12:21 . 2009-10-09 12:21 -------- d-----w- C:\found.001
2009-10-06 09:38 . 2009-10-06 09:38 -------- d-----w- C:\found.000

.
(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-31 10:29 . 2008-07-10 01:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\SogouPY
2009-10-31 04:52 . 2008-07-09 09:58 -------- d-----r- c:\program files\Tools
2009-10-30 10:11 . 2009-09-30 20:18 -------- d-----w- c:\documents and settings\Administrator\Application Data\MxBoost
2009-10-30 01:55 . 2009-08-04 14:03 -------- d-----w- c:\program files\Sucop
2009-10-29 09:27 . 2009-09-30 20:16 -------- d-----w- c:\program files\FlashGet
2009-10-28 09:42 . 2009-08-04 12:43 -------- d-----w- c:\program files\AliWangWang
2009-10-23 01:57 . 2009-08-16 14:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Azureus
2009-10-15 07:30 . 2009-08-16 13:17 -------- d-----w- c:\program files\Vuze
2009-10-12 16:34 . 2009-09-30 19:38 -------- d-----w- c:\program files\SPlayer
2009-10-03 16:48 . 2009-09-23 10:01 -------- d-----w- c:\program files\OFFSystem
2009-10-02 08:15 . 2009-08-04 06:30 -------- d-----w- c:\program files\SogouInput
2009-09-30 19:39 . 2009-09-30 19:38 -------- d-----w- c:\documents and settings\Administrator\Application Data\SPlayer
2009-09-29 11:38 . 2009-09-23 10:18 0 ----a-w- c:\windows\test.dat
2009-09-28 10:24 . 2009-09-16 14:45 -------- d-----w- c:\program files\ImageConverter Plus
2009-09-27 16:14 . 2009-08-05 09:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Storm
2009-09-26 12:27 . 2009-09-24 09:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\GTunnel
2009-09-25 05:36 . 2008-04-30 16:00 652288 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:36 . 2008-04-30 16:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-23 22:36 . 2009-08-04 10:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2009-09-23 22:34 . 2009-09-23 22:33 -------- d-----w- c:\program files\iTunes
2009-09-23 22:34 . 2009-09-23 22:33 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-23 22:34 . 2009-09-23 22:33 -------- d-----w- c:\program files\iPod
2009-09-23 22:33 . 2009-08-04 10:03 -------- d-----w- c:\program files\Common Files\Apple
2009-09-23 22:32 . 2009-09-23 22:32 -------- d-----w- c:\program files\QuickTime
2009-09-23 22:31 . 2009-08-04 10:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-09-23 10:18 . 2009-09-23 10:18 83 ------w- c:\windows\winomnifile.dat
2009-09-17 15:51 . 2009-09-17 15:51 13855 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2009-09-16 14:01 . 2009-09-16 14:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\Ipswitch
2009-09-16 14:00 . 2009-09-16 14:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Ipswitch
2009-09-16 14:00 . 2009-09-16 14:00 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-16 14:00 . 2009-09-16 14:00 -------- d-----w- c:\program files\Ipswitch
2009-09-16 14:00 . 2009-09-16 14:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\InstallShield
2009-09-11 14:14 . 2008-04-30 16:00 136704 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2008-04-30 16:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-28 11:42 . 2009-08-04 10:03 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-28 11:42 . 2009-08-04 10:03 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-26 08:00 . 2008-04-30 16:00 246814 ----a-w- c:\windows\system32\strmdll.dll
2009-08-22 05:08 . 2008-04-30 16:00 59218 ----a-w- c:\windows\system32\prfc0804.dat
2009-08-22 05:08 . 2008-04-30 16:00 199250 ----a-w- c:\windows\system32\prfh0804.dat
2009-08-11 11:34 . 2009-08-11 11:34 3625 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp m4a Codec.dat
2009-08-11 11:25 . 2009-08-11 11:25 3107 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp Monkeys Audio Codec.dat
2009-08-05 08:59 . 2008-04-30 16:00 201728 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 17:20 . 2008-04-30 16:00 2188928 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:50 . 2008-04-13 02:56 2065792 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-08-04 13:21 . 2009-08-04 13:21 0 ----a-w- c:\windows\nsreg.dat
2009-08-04 06:32 . 2008-07-09 09:57 23920 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-04 06:28 . 2009-08-04 06:28 0 ----a-w- c:\windows\ativpsrm.bin
.

------- Sigcheck -------

[-] 2008-04-30 . B153AFFAC761E7F5FCFA822B9C4E97BC . 14336 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\asyncmac.sys
[-] 2008-04-30 . B153AFFAC761E7F5FCFA822B9C4E97BC . 14336 . . [5.1.2600.5512] . . c:\windows\system32\drivers\asyncmac.sys

[-] 2008-04-30 . DA1F27D85E0D1525F6621372E7B685E9 . 4224 . . [5.1.2600.0] . . c:\windows\system32\dllcache\beep.sys
[-] 2008-04-30 . DA1F27D85E0D1525F6621372E7B685E9 . 4224 . . [5.1.2600.0] . . c:\windows\system32\drivers\beep.sys

[-] 2008-04-30 . 5B4D15CD20869778EBF282DB0FC08A29 . 23296 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\kbdclass.sys
[-] 2008-04-30 . 5B4D15CD20869778EBF282DB0FC08A29 . 23296 . . [5.1.2600.5512] . . c:\windows\system32\drivers\kbdclass.sys

[-] 2008-04-30 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ndis.sys
[-] 2008-04-30 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ndis.sys

[-] 2008-04-30 . 78A08DD6A8D65E697C18E1DB01C5CDCA . 574976 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ntfs.sys
[-] 2008-04-30 . 78A08DD6A8D65E697C18E1DB01C5CDCA . 574976 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ntfs.sys

[-] 2008-04-30 . 73C1E1F395918BC2C6DD67AF7591A3AD . 2944 . . [5.1.2600.0] . . c:\windows\system32\dllcache\null.sys
[-] 2008-04-30 . 73C1E1F395918BC2C6DD67AF7591A3AD . 2944 . . [5.1.2600.0] . . c:\windows\system32\drivers\null.sys

[-] 2008-06-20 . A29E1209F925A0E9B330E11DA5FC7BAB . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys

[-] 2008-04-30 . B5030062DC5D227B063B65FEF328E36F . 77824 . . [5.1.2600.5512] . . c:\windows\system32\browser.dll
[-] 2008-04-30 . B5030062DC5D227B063B65FEF328E36F . 77824 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\browser.dll

[-] 2008-04-30 . BC16A35900D8ABDBCE0D87E9FCF21F65 . 13312 . . [5.1.2600.5512] . . c:\windows\system32\lsass.exe
[-] 2008-04-30 . BC16A35900D8ABDBCE0D87E9FCF21F65 . 13312 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\lsass.exe

[-] 2008-04-30 . 64D3D7FC996F063FF39B705DFF9077FF . 197120 . . [5.1.2600.5512] . . c:\windows\system32\netman.dll
[-] 2008-04-30 . 64D3D7FC996F063FF39B705DFF9077FF . 197120 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\netman.dll

[-] 2008-05-01 . 77136D334EEBB32F38FDDD74E6D20380 . 408576 . . [6.7.2600.5512] . . c:\windows\system32\qmgr.dll
[-] 2008-05-01 . 77136D334EEBB32F38FDDD74E6D20380 . 408576 . . [6.7.2600.5512] . . c:\windows\system32\dllcache\qmgr.dll

[-] 2009-02-09 . E9D71100B51AF947485C1A1D5BB96420 . 401408 . . [5.1.2600.5755] . . c:\windows\system32\rpcss.dll
[-] 2009-02-09 . E9D71100B51AF947485C1A1D5BB96420 . 401408 . . [5.1.2600.5755] . . c:\windows\system32\dllcache\rpcss.dll
[-] 2008-04-30 . B2432C9A8142D504542F7EA87EB75BE4 . 399360 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB956572$\rpcss.dll

[-] 2009-02-09 . 803423C13395019F2DD004FF5A3C0290 . 110592 . . [5.1.2600.5755] . . c:\windows\system32\services.exe
[-] 2009-02-09 . 803423C13395019F2DD004FF5A3C0290 . 110592 . . [5.1.2600.5755] . . c:\windows\system32\dllcache\services.exe
[-] 2008-04-30 . 5EDC33C1CFC364BC2E3EA66A75647914 . 108544 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB956572$\services.exe

[-] 2008-04-30 . 6475496DEA6EAE2046E15CF422C205FA . 57856 . . [5.1.2600.5512] . . c:\windows\system32\spoolsv.exe
[-] 2008-04-30 . 6475496DEA6EAE2046E15CF422C205FA . 57856 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\spoolsv.exe

[-] 2008-05-08 . 440EDA2420CFA1B3B2AB4725FC33825D . 493056 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[-] 2008-05-08 . 440EDA2420CFA1B3B2AB4725FC33825D . 493056 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\winlogon.exe

[-] 2008-04-30 . F03851B900C688667E1BF30AB48BE3C9 . 617472 . . [5.82] . . c:\windows\system32\comctl32.dll
[-] 2008-04-30 . F03851B900C688667E1BF30AB48BE3C9 . 617472 . . [5.82] . . c:\windows\system32\dllcache\comctl32.dll

[-] 2008-04-30 . 30F1C6EDDBA5D5B1DA054B07D31843DB . 62464 . . [5.1.2600.5512] . . c:\windows\system32\cryptsvc.dll
[-] 2008-04-30 . 30F1C6EDDBA5D5B1DA054B07D31843DB . 62464 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\cryptsvc.dll

[-] 2008-07-07 20:26 . DE60A74E82358CEDBE8C94151F134DC3 . 253952 . . [2001.12.4414.706] . . c:\windows\system32\es.dll
[-] 2008-07-07 20:26 . DE60A74E82358CEDBE8C94151F134DC3 . 253952 . . [2001.12.4414.706] . . c:\windows\system32\dllcache\es.dll
[-] 2008-07-07 20:23 . C2973CDF8424457CE7E4CC819C88426F . 253952 . . [2001.12.4414.706] . . c:\windows\$hf_mig$\KB950974\SP3QFE\es.dll
[-] 2008-04-30 16:00 . 9F31E7A24B1DB88E2D12F45485C5C829 . 246272 . . [2001.12.4414.701] . . c:\windows\$NtUninstallKB950974$\es.dll

[-] 2008-04-30 . 7645B57DF463E4DFAA2C6E99420060DA . 110080 . . [5.1.2600.5512] . . c:\windows\system32\imm32.dll
[-] 2008-04-30 . 7645B57DF463E4DFAA2C6E99420060DA . 110080 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\imm32.dll

[-] 2009-03-21 . 40976499C7E53CB02F35E0D07205F317 . 1150464 . . [5.1.2600.5781] . . c:\windows\system32\kernel32.dll
[-] 2009-03-21 . 40976499C7E53CB02F35E0D07205F317 . 1150464 . . [5.1.2600.5781] . . c:\windows\system32\dllcache\kernel32.dll
[-] 2009-03-21 . CE5EDEDBF5FD0727BC41F20A1B0CD73F . 1152512 . . [5.1.2600.5781] . . c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll
[-] 2008-04-30 . BF1CDAF5792B78D4730727FACF307D46 . 1150464 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB959426$\kernel32.dll

[-] 2008-04-30 . 505804B2BDD0EDEEADF31BE26E546979 . 19968 . . [5.1.2600.5512] . . c:\windows\system32\linkinfo.dll
[-] 2008-04-30 . 505804B2BDD0EDEEADF31BE26E546979 . 19968 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\linkinfo.dll

[-] 2008-04-30 . 1EFB14775B5FEEE55DC744EBFCCA1CFD . 22016 . . [5.1.2600.5512] . . c:\windows\system32\lpk.dll
[-] 2008-04-30 . 1EFB14775B5FEEE55DC744EBFCCA1CFD . 22016 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\lpk.dll

[-] 2009-09-25 . 2F8E692717DF3F2CF9BB1C8A26E867AD . 3091968 . . [6.00.2900.5880] . . c:\windows\system32\mshtml.dll
[-] 2009-09-25 . 2F8E692717DF3F2CF9BB1C8A26E867AD . 3091968 . . [6.00.2900.5880] . . c:\windows\system32\dllcache\mshtml.dll
[-] 2009-09-25 . 65342CD5953AA9419681B109606814B0 . 3093504 . . [6.00.2900.5880] . . c:\windows\$hf_mig$\KB974455\SP3QFE\mshtml.dll
[-] 2009-07-18 . 3EA2D0AF58461C2B80AD2331B076ECDF . 3090432 . . [6.00.2900.5848] . . c:\windows\$NtUninstallKB974455$\mshtml.dll
[-] 2009-07-18 . 8DF056FC8C34ED7487061F5F1C893AF1 . 3090944 . . [6.00.2900.5848] . . c:\windows\$hf_mig$\KB972260\SP3QFE\mshtml.dll
[-] 2009-04-29 . A3A8E19B5F82532EDEFACC93E614962D . 3089920 . . [6.00.2900.5803] . . c:\windows\$NtUninstallKB972260$\mshtml.dll
[-] 2009-04-29 . A9D718623ABE0D02177DAD3E064E06F1 . 3090432 . . [6.00.2900.5803] . . c:\windows\$hf_mig$\KB969897\SP3QFE\mshtml.dll
[-] 2008-12-12 . 35C1955841E1DA739DE6C61201531E0D . 3088896 . . [6.00.2900.5726] . . c:\windows\$hf_mig$\KB960714\SP3QFE\mshtml.dll
[-] 2008-12-12 . 0F7CA7845EA3EFCC0DE5FF0C3AE84656 . 3088896 . . [6.00.2900.5726] . . c:\windows\$NtUninstallKB969897$\mshtml.dll
[-] 2008-10-16 . 26E7D03B40BD4E379C778E8388D38999 . 3088896 . . [6.00.2900.5694] . . c:\windows\$NtUninstallKB960714$\mshtml.dll
[-] 2008-10-15 . 176E26D73AE21ACD8C3E70BD0E70B595 . 3088896 . . [6.00.2900.5694] . . c:\windows\$hf_mig$\KB958215\SP3QFE\mshtml.dll
[-] 2008-04-21 . 27EEB2424B8DDA719711913509CED48B . 3087872 . . [6.00.2900.5583] . . c:\windows\$NtUninstallKB958215$\mshtml.dll

[-] 2008-04-30 . 3845EBE57AD6A4EFA5E0194285AFAEF4 . 343040 . . [7.0.2600.5512] . . c:\windows\system32\msvcrt.dll
[-] 2008-04-30 . 3845EBE57AD6A4EFA5E0194285AFAEF4 . 343040 . . [7.0.2600.5512] . . c:\windows\system32\dllcache\msvcrt.dll

[-] 2008-06-20 . 426452FFCC8EADF2DB276FCDE1EF7AA3 . 240640 . . [5.1.2600.5625] . . c:\windows\system32\mswsock.dll
[-] 2008-06-20 . 426452FFCC8EADF2DB276FCDE1EF7AA3 . 240640 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\mswsock.dll

[-] 2008-04-30 . 3027A3ECE900F832E3795B6B1EF11CEF . 407040 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB944043-v3$\netlogon.dll
[-] 2008-04-17 . ABCF9DDA33C63D49381C8A974EAAC837 . 407040 . . [5.1.2600.5582] . . c:\windows\system32\netlogon.dll
[-] 2008-04-17 . ABCF9DDA33C63D49381C8A974EAAC837 . 407040 . . [5.1.2600.5582] . . c:\windows\system32\dllcache\netlogon.dll

[-] 2009-08-04 . 6CA56BA7894AB74C2B67BF33B1FF4176 . 2188928 . . [5.1.2600.5857] . . c:\windows\Driver Cache\i386\ntoskrnl.exe
[-] 2009-08-04 . 6CA56BA7894AB74C2B67BF33B1FF4176 . 2188928 . . [5.1.2600.5857] . . c:\windows\system32\ntoskrnl.exe
[-] 2009-08-04 . 6CA56BA7894AB74C2B67BF33B1FF4176 . 2188928 . . [5.1.2600.5857] . . c:\windows\system32\dllcache\ntoskrnl.exe
[-] 2009-02-10 . 2384D161EF1B2902443636C48F72CD53 . 2188800 . . [5.1.2600.5755] . . c:\windows\$NtUninstallKB971486$\ntoskrnl.exe
[-] 2008-08-14 . DB6B7E97924400459FBA01975C559188 . 2188800 . . [5.1.2600.5657] . . c:\windows\$NtUninstallKB956572$\ntoskrnl.exe
[-] 2008-08-14 . 708797A6A86EF22DF0FACE7CEDBE638E . 2188800 . . [5.1.2600.5657] . . c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
[-] 2008-04-13 . D550A583C0991AC3917C0042B7C8FE14 . 2188672 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB956841$\ntoskrnl.exe

[-] 2008-04-30 . 46B536FC727208F37F0E3FCD2E27183A . 17408 . . [6.00.2900.5512] . . c:\windows\system32\powrprof.dll
[-] 2008-04-30 . 46B536FC727208F37F0E3FCD2E27183A . 17408 . . [6.00.2900.5512] . . c:\windows\system32\dllcache\powrprof.dll

[-] 2008-04-30 . A1EEF4AFE28750729B5D085C19F2D5A6 . 172032 . . [5.1.2600.5512] . . c:\windows\system32\scecli.dll
[-] 2008-04-30 . A1EEF4AFE28750729B5D085C19F2D5A6 . 172032 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\scecli.dll

[-] 2008-04-30 . FE4945A769F7F9E6AC2E066AFB7F820D . 5120 . . [5.1.2600.5512] . . c:\windows\system32\sfc.dll
[-] 2008-04-30 . FE4945A769F7F9E6AC2E066AFB7F820D . 5120 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\sfc.dll

[-] 2008-04-30 . E31FB4F13F5949B868C117714BB44375 . 14336 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe
[-] 2008-04-30 . E31FB4F13F5949B868C117714BB44375 . 14336 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\svchost.exe

[-] 2008-04-30 . CB0B9E8766FFC557C0349E598312FDD4 . 247296 . . [5.1.2600.5512] . . c:\windows\system32\tapisrv.dll
[-] 2008-04-30 . CB0B9E8766FFC557C0349E598312FDD4 . 247296 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\tapisrv.dll

[-] 2008-04-30 . F697644D5F59050FBE6AF896C19CCA93 . 574976 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll
[-] 2008-04-30 . F697644D5F59050FBE6AF896C19CCA93 . 574976 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\user32.dll

[-] 2008-04-30 . 431FED77E71B1831CD485890159D467C . 25088 . . [5.1.2600.5512] . . c:\windows\system32\userinit.exe
[-] 2008-04-30 . 431FED77E71B1831CD485890159D467C . 25088 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\userinit.exe

[-] 2009-09-25 . ABBB8F465FC04FA23422EFAFD2B583C9 . 652288 . . [6.00.2900.5880] . . c:\windows\system32\wininet.dll
[-] 2009-09-25 . ABBB8F465FC04FA23422EFAFD2B583C9 . 652288 . . [6.00.2900.5880] . . c:\windows\system32\dllcache\wininet.dll
[-] 2009-09-25 . AEFF472A99A8D077DA07C365B0B588C3 . 653824 . . [6.00.2900.5880] . . c:\windows\$hf_mig$\KB974455\SP3QFE\wininet.dll
[-] 2009-06-26 . 17532A6F77334370EA76435841514347 . 651776 . . [6.00.2900.5835] . . c:\windows\$NtUninstallKB974455$\wininet.dll
[-] 2009-06-26 . 534B774AB6C33A0AE1152DDC6C719A0C . 653312 . . [6.00.2900.5835] . . c:\windows\$hf_mig$\KB972260\SP3QFE\wininet.dll
[-] 2009-04-29 . 7E5B0FB58323B65DEFD1436AF53CDFCE . 651776 . . [6.00.2900.5803] . . c:\windows\$NtUninstallKB972260$\wininet.dll
[-] 2009-04-29 . E4A8782F0BEC66FC8AA7C7D408EEC527 . 653312 . . [6.00.2900.5803] . . c:\windows\$hf_mig$\KB969897\SP3QFE\wininet.dll
[-] 2008-10-16 . CDA45F9A08D04ECAD99700714F1869E8 . 652288 . . [6.00.2900.5694] . . c:\windows\$hf_mig$\KB958215\SP3QFE\wininet.dll
[-] 2008-10-16 . 0556A1FC8EED25E82CC7184F8DE9A8E5 . 651264 . . [6.00.2900.5694] . . c:\windows\$NtUninstallKB969897$\wininet.dll
[-] 2008-04-21 . E82CB6A5881C8612409FF4416B1EECEE . 651264 . . [6.00.2900.5583] . . c:\windows\$NtUninstallKB958215$\wininet.dll

[-] 2008-04-30 . 1FAE38ADCBEC656DB1F26156720FAC89 . 82432 . . [5.1.2600.5512] . . c:\windows\system32\ws2_32.dll
[-] 2008-04-30 . 1FAE38ADCBEC656DB1F26156720FAC89 . 82432 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ws2_32.dll

[-] 2008-04-30 . 9EB867933136AD37EAF7F2ECB97E3A4D . 978432 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[-] 2008-04-30 . 9EB867933136AD37EAF7F2ECB97E3A4D . 978432 . . [6.00.2900.5512] . . c:\windows\system32\dllcache\explorer.exe

[-] 2008-05-01 . F90582AC2B3433776B37D811D2D3BAF6 . 169472 . . [5.1.2600.5512] . . c:\windows\system32\srsvc.dll
[-] 2008-05-01 . F90582AC2B3433776B37D811D2D3BAF6 . 169472 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\srsvc.dll

[-] 2008-04-30 . 9BE0A49C4C62CC0B9DCA19F8A834D234 . 13824 . . [5.1.2600.5512] . . c:\windows\system32\wscntfy.exe
[-] 2008-04-30 . 9BE0A49C4C62CC0B9DCA19F8A834D234 . 13824 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\wscntfy.exe

[-] 2008-04-30 . 9CEA8D414AB50632562A4CACE60A5E49 . 129024 . . [5.1.2600.5512] . . c:\windows\system32\xmlprov.dll
[-] 2008-04-30 . 9CEA8D414AB50632562A4CACE60A5E49 . 129024 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\xmlprov.dll

[-] 2008-04-30 . CA5AA6BE7BE071E9A21D9027D729DC2E . 56320 . . [5.1.2600.5512] . . c:\windows\system32\eventlog.dll
[-] 2008-04-30 . CA5AA6BE7BE071E9A21D9027D729DC2E . 56320 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\eventlog.dll

[-] 2008-04-30 . B36B44E45B205A62694C915CE33BA7A4 . 1573376 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

[-] 2008-04-30 . 9339A79FA7D415DC39CF021880AF7992 . 15360 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe
[-] 2008-04-30 . 9339A79FA7D415DC39CF021880AF7992 . 15360 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ctfmon.exe

[-] 2009-07-27 . AF896127A929C5CDBBBBDC609578CAA3 . 134144 . . [6.00.2900.5853] . . c:\windows\system32\shsvcs.dll
[-] 2009-07-27 . AF896127A929C5CDBBBBDC609578CAA3 . 134144 . . [6.00.2900.5853] . . c:\windows\system32\dllcache\shsvcs.dll
[-] 2009-07-27 . CAC2F1069DF4BF88247ACEEFD263F2B4 . 134144 . . [6.00.2900.5853] . . c:\windows\$hf_mig$\KB971029\SP3QFE\shsvcs.dll
[-] 2008-04-30 . 5DAA2D4EBD23F1458BDCF1804AC99C5A . 134144 . . [6.00.2900.5512] . . c:\windows\$NtUninstallKB971029$\shsvcs.dll

[-] 2008-04-30 . 347CF4F119823D39F4652D7B9B929559 . 59904 . . [5.1.2600.5512] . . c:\windows\system32\regsvc.dll
[-] 2008-04-30 . 347CF4F119823D39F4652D7B9B929559 . 59904 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\regsvc.dll

[-] 2008-05-01 . F5AA11C7FAF36D9DB4BDCFD83F3DBDEB . 186880 . . [5.1.2600.5512] . . c:\windows\system32\schedsvc.dll
[-] 2008-05-01 . F5AA11C7FAF36D9DB4BDCFD83F3DBDEB . 186880 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\schedsvc.dll

[-] 2008-05-01 . C4F05393CD7C1FB5B4A095CF9585483E . 71680 . . [5.1.2600.5512] . . c:\windows\system32\ssdpsrv.dll
[-] 2008-05-01 . C4F05393CD7C1FB5B4A095CF9585483E . 71680 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ssdpsrv.dll

[-] 2008-05-01 . 5313F3226526210EC9F9379591C0A63F . 285696 . . [5.1.2600.5512] . . c:\windows\system32\termsrv.dll
[-] 2008-05-01 . 5313F3226526210EC9F9379591C0A63F . 285696 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\termsrv.dll

[-] 2008-04-30 . 28B700B7FDC38F343197798E0403C584 . 146432 . . [5.1.2600.5512] . . c:\windows\system32\appmgmts.dll
[-] 2008-04-30 . 28B700B7FDC38F343197798E0403C584 . 146432 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\appmgmts.dll

[-] 2008-04-30 . 28046B6867800B3F12C652CE2C9EA340 . 11648 . . [5.1.2600.0] . . c:\windows\system32\dllcache\acpiec.sys
[-] 2008-04-30 . 28046B6867800B3F12C652CE2C9EA340 . 11648 . . [5.1.2600.0] . . c:\windows\system32\drivers\acpiec.sys

[-] 2008-04-12 17:39 . 8BED39E3C35D6A489438B8141717A557 . 142592 . . [5.1.2601.3142] . . c:\windows\system32\dllcache\aec.sys
[-] 2008-04-12 17:39 . 8BED39E3C35D6A489438B8141717A557 . 142592 . . [5.1.2601.3142] . . c:\windows\system32\drivers\aec.sys

[-] 2008-04-12 . 08FD04AA961BDC77FB983F328334E3D7 . 42368 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\agp440.sys
[-] 2008-04-12 . 08FD04AA961BDC77FB983F328334E3D7 . 42368 . . [5.1.2600.5512] . . c:\windows\system32\drivers\AGP440.SYS

[-] 2008-04-30 . 3BB22519A194418D5FEC05D800A19AD0 . 36608 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ip6fw.sys
[-] 2008-04-30 . 3BB22519A194418D5FEC05D800A19AD0 . 36608 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ip6fw.sys

[-] 2008-04-30 16:00 . FE9263C8BA97DDB0A6D1FD7B4C55CBD0 . 927504 . . [4.1.0.61] . . c:\windows\system32\mfc40u.dll
[-] 2008-04-30 16:00 . FE9263C8BA97DDB0A6D1FD7B4C55CBD0 . 927504 . . [4.1.0.61] . . c:\windows\system32\dllcache\mfc40u.dll

[-] 2008-04-30 . 6A0E18BC3E2B2F795B5F1B0BEC181E7A . 33792 . . [5.1.2600.5512] . . c:\windows\system32\msgsvc.dll
[-] 2008-04-30 . 6A0E18BC3E2B2F795B5F1B0BEC181E7A . 33792 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\msgsvc.dll

[-] 2006-10-18 13:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\mspmsnsv.dll
[-] 2006-10-18 13:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\dllcache\mspmsnsv.dll

[-] 2009-08-04 . A48FAE97CA2BF166738A3814916477AA . 2065792 . . [5.1.2600.5857] . . c:\windows\Driver Cache\i386\ntkrnlpa.exe
[-] 2009-08-04 . A48FAE97CA2BF166738A3814916477AA . 2065792 . . [5.1.2600.5857] . . c:\windows\system32\ntkrnlpa.exe
[-] 2009-08-04 . A48FAE97CA2BF166738A3814916477AA . 2065792 . . [5.1.2600.5857] . . c:\windows\system32\dllcache\ntkrnlpa.exe
[-] 2009-02-09 . 9E61DF383E688CF5AEE9B715D6F776FB . 2065792 . . [5.1.2600.5755] . . c:\windows\$NtUninstallKB971486$\ntkrnlpa.exe
[-] 2008-08-14 . 1A7F0856406D83B756F3371EC2012ADA . 2065664 . . [5.1.2600.5657] . . c:\windows\$NtUninstallKB956572$\ntkrnlpa.exe
[-] 2008-08-14 . 3ADB951EBBB122AA755DE774245DE7E3 . 2065664 . . [5.1.2600.5657] . . c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
[-] 2008-04-13 . E3639BE24D0D5A075D0BF0769CC685BF . 2065536 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe

[-] 2008-04-30 16:00 . 3FBF2F782879406528E71617757EC2DC . 429056 . . [5.1.2400.5512] . . c:\windows\system32\ntmssvc.dll
[-] 2008-04-30 16:00 . 3FBF2F782879406528E71617757EC2DC . 429056 . . [5.1.2400.5512] . . c:\windows\system32\dllcache\ntmssvc.dll

[-] 2008-05-01 . 604830407848314CAD8A7AE05D1A729C . 183808 . . [5.1.2600.5512] . . c:\windows\system32\upnphost.dll
[-] 2008-05-01 . 604830407848314CAD8A7AE05D1A729C . 183808 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\upnphost.dll
.
((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C} "= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1115392]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0A0DDBD3-6641-40B9-873F-BBDD26D6C14E}]
2009-09-07 08:36 147928 ----a-w- c:\program files\easyMule\modules\IE2EM.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-10-16 04:13 1115392 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829} "= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1115392]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829} "= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1115392]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2009-10-31 149280]
"Malwarebytes Anti-Malware (reboot) "= "c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"AVG9_TRAY "= "c:\progra~1\AVG\AVG9\avgtray.exe" [2009-10-31 2010904]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2008-04-30 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3 "= "advpack.dll" - c:\windows\system32\advpack.dll [2008-04-30 96256]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack "= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp "= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-31 04:17 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@= "Service "

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe "=
"%windir%\\system32\\sessmgr.exe "=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
"c:\\Program Files\\AliWangWang\\AliIM.exe "=
"c:\\Program Files\\easyMule\\emule.exe "=
"c:\\Program Files\\Vuze\\Azureus.exe "=
"c:\\Program Files\\iTunes\\iTunes.exe "=
"c:\\Program Files\\Skype\\Phone\\Skype.exe "=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe "=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe "=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe "=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe "=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe "=

R0 ahci8086;ahci8086;c:\windows\system32\drivers\ahci8086.sys [2008-7-15 14:10 119808]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-10-31 161800]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-10-31 64288]
R0 ViBus;ViBus;c:\windows\system32\drivers\ViBus.sys [2009-8-4 14:27 16896]
R0 ViPrt;VIA SATA IDE Device Driver;c:\windows\system32\drivers\ViPrt.sys [2009-8-4 14:27 53248]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-10-31 333192]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-10-31 360584]
R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [2009-10-31 906520]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2009-10-31 285392]
R2 CMBWPS;Cmb WebProtect Support;c:\program files\CMBCHINA\WebProtect\WPService.exe [2009-8-24 17:14 232848]
R2 ICBC Daemon Service;ICBC Daemon Service;c:\program files\ICBCEbankTools\ICBCAntiPhishing\IcbcDaemon.exe [2009-7-8 16:17 397192]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-9-24 19:17 1179232]
R3 Alidevice;Alidevice;c:\windows\system32\drivers\alidevice.sys [2008-7-13 16:10 6656]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [2009-8-4 14:27 37376]
R3 vmmouse;VMware Pointing Device;c:\windows\system32\drivers\vmmouse.sys [2009-8-4 14:27 11696]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - CLASSPNP_2
*NewlyCreated* - MBR
*Deregistered* - CLASSPNP_2
*Deregistered* - mbr
.
"˜计划任务â€™ 文件夹里的内容

2009-10-31 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 07:46]
.
.
------- 而外的扫描 -------
.
uStart Page = about:blank
mStart Page = hxxp://7999.com
uInternet Settings,ProxyOverride = local
IE: Download by easyMule - d:\emule\easyMule\IE2EM.htm
IE: 使用电驴下载 - c:\program files\easyMule\IE2EM.htm
IE: 导出到 Microsoft Office Excel(&X) - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} - hxxps://site.cmbchina.com/download/CMBEdit.cab
DPF: {3AA9CF07-DF20-48FF-98BE-DED276E40146} - hxxps://mybank.icbc.com.cn/icbc/GDReadPub.cab
DPF: {488A4255-3236-44B3-8F27-FA1AECAA8844} - hxxps://img.alipay.com/download/2121/aliedit.cab
DPF: {73E4740C-08EB-4133-896B-8D0A7C9EE3CD} - hxxps://b2c.icbc.com.cn/icbc/newperbank/AXSafeControls.cab
DPF: {B1FBC1AD-5644-4084-882A-0F8BA85E7506} - hxxps://mybank.icbc.com.cn/icbc/ICBC_NetSign.dll
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3l0a4oxa.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - plugin: c:\program files\Mozilla Firefox\plugins\npaliedit.dll

---- 火狐配置文件 ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl3.rsa_seed_sha ", true);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-storm2 - c:\program files\StormII\uninst.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-31 18:47
Windows 5.1.2600 Service Pack 3 NTFS

扫描被隐藏的进程。。。

扫描被隐藏的启动组。。。

扫描被隐藏的文件。。。

扫描完成
被隐藏的档案: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sermouse]
"ImagePath "=multi: "System32\Drivers\sermouse.sys\00\00 "

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sermouse]
"ImagePath "=multi: "System32\Drivers\sermouse.sys\00\00 "
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3089693439-1487672669-4014093365-500\Software\Microsoft\Office\11.0\Common\Open Find\Microsoft Office Word\Settings\Sb*_]
"PositionInfo-Monitor1 "=hex:57,01,00,00,b3,00,00,00,00,00,00,00,00,00,00,00

[HKEY_USERS\S-1-5-21-3089693439-1487672669-4014093365-500\Software\Microsoft\Office\11.0\Common\Open Find\Microsoft Office Word\Settings\Sb*_\File Name MRU]
"Value "=multi: "\00\00 "
"Maximum Entries "=dword:0000000a

[HKEY_USERS\S-1-5-21-3089693439-1487672669-4014093365-500\Software\Microsoft\Office\11.0\Common\Open Find\Microsoft Office Word\Settings\Sb*_\View]
"Data "=hex:04,16,00,47,28,14,14,14,0d,01,02,01,00,18,41,00,0d,00,fa,08,00,00,
90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,\

[HKEY_LOCAL_MACHINE\software\Classes\*\shell\(u皨婲,gSb*_\command]
@= "notepad.exe \ "%1\" "

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*膥鯪\CLSID]
@= "{809B6661-94C4-49E6-B6EC-3F0F862215AA} "

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*膥鯪\CurVer]
@= "BDATuner.组件.1 "
.
--------------------- 运行进程下的动态链接库 ---------------------

- - - - - - - > 'winlogon.exe'(732)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3204)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ 其他运行进程 ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG9\avgam.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.

shopjennie · 2009/10/31

combofix deleted my msconfig

Hi again,

It appears that combofix has deleted my msconfig. What should I do?

broni · 2009/10/31

Are you non-Latin language user? I'm curious about those Asian characters, like:

c:\documents and settings\LocalService\桌面
Click to expand...

c:\windows\system32\msconfig.exe
c:\windows\notepad.exe . . . 受感染！！
Click to expand...

Possibly infected files, that's why.

Navigate to:
C:\Qoobox\Quarantine
You'll see a lot of files there.
Find:
- msconfig.exe.vir
- notepad.exe.vir
Copy both files to your desktop, rename them by removing .vir extension and upload them to http://www.virustotal.com/ for security check.
Post scan results and we'll go from there.
DO NOT do anything else.

shopjennie · 2009/10/31

Hi,

I'm currently in China and my XP was installed using a Chinese version, thus the Asian characters.

The two files you mentioned, I only found msconfig.exe.vir in the folder C:\Qoobox\Quarantine\C\WINDOWS\system32.

C:\Qoobox\Quarantine didn't have anything except the folder C, Registry_backups, and a file called catchme.log.

Couldn't find the file notepad.exe.vir.

Here is the scan result from http://www.virustotal.com/

Thanks so much for your help!
Jennie

File msconfig.exe received on 2009.10.20 07:58:06 (UTC)
Current status: finished
Result: 1/41 (2.44%)
Compact Compact
Print results Print results
Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.10.20 -
AhnLab-V3 5.0.0.2 2009.10.20 -
AntiVir 7.9.1.35 2009.10.19 -
Antiy-AVL 2.0.3.7 2009.10.20 -
Authentium 5.1.2.4 2009.10.20 -
Avast 4.8.1351.0 2009.10.19 -
AVG 8.5.0.420 2009.10.19 -
BitDefender 7.2 2009.10.20 -
CAT-QuickHeal 10.00 2009.10.20 -
ClamAV 0.94.1 2009.10.20 -
Comodo 2663 2009.10.20 -
DrWeb 5.0.0.12182 2009.10.20 -
eSafe 7.0.17.0 2009.10.19 -
eTrust-Vet 35.1.7075 2009.10.19 -
F-Prot 4.5.1.85 2009.10.20 -
F-Secure 9.0.15300.0 2009.10.20 -
Fortinet 3.120.0.0 2009.10.20 -
GData 19 2009.10.20 -
Ikarus T3.1.1.72.0 2009.10.20 -
Jiangmin 11.0.800 2009.10.20 -
K7AntiVirus 7.10.874 2009.10.19 Email-Worm.Win32.Brontok.cu
Kaspersky 7.0.0.125 2009.10.20 -
McAfee 5776 2009.10.19 -
McAfee+Artemis 5776 2009.10.19 -
McAfee-GW-Edition 6.8.5 2009.10.20 -
Microsoft 1.5101 2009.10.20 -
NOD32 4524 2009.10.20 -
Norman 6.03.02 2009.10.19 -
nProtect 2009.1.8.0 2009.10.20 -
Panda 10.0.2.2 2009.10.20 -
PCTools 4.4.2.0 2009.10.19 -
Prevx 3.0 2009.10.20 -
Rising 21.52.11.00 2009.10.20 -
Sophos 4.46.0 2009.10.20 -
Sunbelt 3.2.1858.2 2009.10.20 -
Symantec 1.4.4.12 2009.10.20 -
TheHacker 6.5.0.2.048 2009.10.20 -
TrendMicro 8.950.0.1094 2009.10.20 -
VBA32 3.12.10.11 2009.10.19 -
ViRobot 2009.10.20.1995 2009.10.20 -
VirusBuster 4.6.5.0 2009.10.19 -
Additional information
File size: 163328 bytes
MD5 : 1c2e26dda709912b8c4d84a64c50cdaa
SHA1 : 347bc51cf6d0cfb1b932e190a78c4b34b1863ded
SHA256: 1be29ea00d517089406dac2292aea153e539f4091cce94330fbae819fc4ffd9c
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x101C7DF
timedatestamp.....: 0x480252BB (Sun Apr 13 20:36:43 2008)
machinetype.......: 0x14C (Intel I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x214CA 0x21600 6.09 b2e495a7dfc9263c5650054bcd50db94
.data 0x23000 0x11F4 0x1000 4.90 afb6f79d7f2d289adb9be6b776ee738d
.rsrc 0x25000 0x53CC 0x5400 4.76 d41ec1f0a4769a1854657125d09b133c

( 0 imports )

( 0 exports )
TrID : File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
ThreatExpert: http://www.threatexpert.com/report.aspx?md5=1c2e26dda709912b8c4d84a64c50cdaa
ssdeep: 3072:KbS3hXbtR1nCi6dcApMFA0GZZzgkxUOadTB2jgxkrIYhMHTxQo:KbSVtRNOcamDGT8eWFugxyhMJ
PEiD : -
CWSandbox: http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=1c2e26dda709912b8c4d84a64c50cdaa
RDS : NSRL Reference Data Set
-

broni · 2009/11/01

Sorry for misleading you.
You'll find notepad.exe in:
C:\Qoobox\Quarantine\C\WINDOWS
Please, scan it too.

shopjennie · 2009/11/01

Hi,

Couldn't find notepad.exe in C:\Qoobox\Quarantine\C\WINDOWS. There is only the folder system32, inside there is msconfig.exe.vir and ieuinit.inf.vir.

I did a search for notepad and found 2 locations.

C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\notepad.exe

Ran through http://www.virustotal.com/ and here are the 2 results.
http://www.virustotal.com/analisis/...61474f2bfedd13f58f31aac02b683f904a-1250133793

http://www.virustotal.com/analisis/...61474f2bfedd13f58f31aac02b683f904a-1250133793

shopjennie · 2009/11/01

Also, at this stage, is it safe for me to do online shopping? (mostly entering passwords)

What about checking emails?

shopjennie · 2009/11/01

Don't know why my last post didn't show up. Here it is again.

Couldn't find notepad.exe in C:\Qoobox\Quarantine\C\WINDOWS.
Only has the folder system32, and inside 2 files, ieuinit.inf.vir and msconfig.exe.vir.

I did a search and found notepad.exe in 2 places.
C:\WINDOWS
C:\WINDOWS\system32

Here is the scan result.
http://www.virustotal.com/analisis/...61474f2bfedd13f58f31aac02b683f904a-1250133793

File notepad.exe received on 2009.08.13 03:23:13 (UTC)
Current status: finished
Result: 6/41 (14.63%)
Compact Compact
Print results Print results
Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.08.13 Trojan-Downloader.14124!IK
AhnLab-V3 5.0.0.2 2009.08.12 -
AntiVir 7.9.1.1 2009.08.12 -
Antiy-AVL 2.0.3.7 2009.08.12 -
Authentium 5.1.2.4 2009.08.13 -
Avast 4.8.1335.0 2009.08.12 -
AVG 8.5.0.406 2009.08.12 -
BitDefender 7.2 2009.08.13 -
CAT-QuickHeal 10.00 2009.08.12 -
ClamAV 0.94.1 2009.08.12 -
Comodo 1951 2009.08.13 -
DrWeb 5.0.0.12182 2009.08.12 -
eSafe 7.0.17.0 2009.08.11 -
eTrust-Vet 31.6.6673 2009.08.12 -
F-Prot 4.4.4.56 2009.08.12 -
F-Secure 8.0.14470.0 2009.08.12 -
Fortinet 3.120.0.0 2009.08.12 -
GData 19 2009.08.13 -
Ikarus T3.1.1.64.0 2009.08.12 Trojan-Downloader.14124
Jiangmin 11.0.800 2009.08.12 -
K7AntiVirus 7.10.817 2009.08.12 -
Kaspersky 7.0.0.125 2009.08.13 -
McAfee 5707 2009.08.12 -
McAfee+Artemis 5707 2009.08.12 Artemis!B5E7B9131F55
McAfee-GW-Edition 6.8.5 2009.08.12 -
Microsoft 1.4903 2009.08.12 -
NOD32 4330 2009.08.12 -
Norman 2009.08.12 W32/DLoader.DWRR
nProtect 2009.1.8.0 2009.08.12 -
Panda 10.0.0.14 2009.08.12 Suspicious file
PCTools 4.4.2.0 2009.08.12 -
Prevx 3.0 2009.08.13 Medium Risk Malware
Rising 21.42.23.00 2009.08.12 -
Sophos 4.44.0 2009.08.13 -
Sunbelt 3.2.1858.2 2009.08.12 -
Symantec 1.4.4.12 2009.08.13 -
TheHacker 6.3.4.3.382 2009.08.12 -
TrendMicro 8.950.0.1094 2009.08.12 -
VBA32 3.12.10.9 2009.08.12 -
ViRobot 2009.8.12.1881 2009.08.12 -
VirusBuster 4.6.5.0 2009.08.12 -
Additional information
File size: 1642496 bytes
MD5 : b5e7b9131f55a937b79d5dc40d019b55
SHA1 : e7db93c8f55f1cfd316f1a09738f1ccd16189837
SHA256: d8f543e3dc7c18c091f4681630812361474f2bfedd13f58f31aac02b683f904a
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xA2ADC
timedatestamp.....: 0x44C86F90 (Thu Jul 27 09:47:28 2006)
machinetype.......: 0x14C (Intel I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xC5327 0xC6000 6.60 f177f78509c2e56f271ba0f860d8f312
.rdata 0xC7000 0x1E8C6 0x1F000 5.48 c55d9185cdde1b76e97d186c8ed77d2c
.data 0xE6000 0xDEC4 0xB000 1.85 28c48b09170764cf8abb1e736e16678e
.rsrc 0xF4000 0x9F450 0xA0000 5.57 cf06725d53aa274085c49c778e747d45

( 11 imports )

> advapi32.dll: RegEnumValueA, RegOpenKeyExA, RegCreateKeyExA, RegQueryValueExA, RegSetValueExA, RegDeleteValueA, RegEnumKeyExA, RegDeleteKeyA, RegQueryInfoKeyA, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, RegCloseKey
> comctl32.dll: -, ImageList_Destroy, ImageList_Create, InitCommonControlsEx, ImageList_AddMasked
> comdlg32.dll: GetSaveFileNameA, PrintDlgA, PageSetupDlgA, ChooseFontA, ChooseColorA, GetOpenFileNameA
> gdi32.dll: StartPage, StartDocA, GetTextMetricsA, SelectObject, CreateFontA, DPtoLP, SetMapMode, GetObjectA, AddFontResourceA, CreateCompatibleDC, SetBkMode, CreateFontIndirectA, GetStockObject, SetTextColor, SelectPalette, CreateCompatibleBitmap, GetNearestColor, Polygon, Rectangle, CreatePatternBrush, RoundRect, Ellipse, BitBlt, RealizePalette, IntersectClipRect, ExtTextOutW, GetTextExtentPoint32W, GetTextExtentExPointA, GetTextExtentExPointW, CombineRgn, CreateRectRgn, CreateBitmap, SetBkColor, SetTextAlign, ExtTextOutA, GetTextExtentPoint32A, CreatePen, MoveToEx, LineTo, EndPage, EndDoc, DeleteDC, GetDeviceCaps, CreateSolidBrush, CreatePalette, DeleteObject
> imm32.dll: ImmReleaseContext, ImmGetCompositionStringW, ImmGetContext, ImmSetCompositionFontA, ImmNotifyIME, ImmSetCompositionWindow
> kernel32.dll: ExpandEnvironmentStringsA, GetFullPathNameA, GetLongPathNameA, LocalFree, FormatMessageA, GetLastError, LockResource, SizeofResource, LoadResource, FindResourceA, LeaveCriticalSection, EnterCriticalSection, QueryPerformanceCounter, OutputDebugStringA, IsDBCSLeadByteEx, DebugBreak, DeleteCriticalSection, InitializeCriticalSection, GlobalSize, GetTickCount, GetUserDefaultLCID, GetStringTypeExA, LCMapStringA, GlobalUnlock, GetStringTypeA, GetCurrentProcessId, SetHandleCount, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, LoadLibraryW, HeapSize, ExitProcess, VirtualAlloc, VirtualFree, HeapCreate, HeapDestroy, SetLastError, TlsFree, TlsSetValue, TlsAlloc, TlsGetValue, GetOEMCP, GetCPInfo, GetProcessHeap, GetCommandLineA, GetSystemTimeAsFileTime, GetModuleFileNameW, GetTempPathA, GetFileType, WriteConsoleW, HeapAlloc, HeapReAlloc, CreateThread, GetCurrentThreadId, ExitThread, RtlUnwind, RaiseException, HeapFree, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, InterlockedDecrement, InterlockedIncrement, FindFirstFileA, FindClose, CreateFileA, WideCharToMultiByte, GlobalAlloc, GlobalFree, SetErrorMode, GetModuleHandleA, GetProcAddress, EnumSystemCodePagesA, GetCPInfoExA, SetFileAttributesA, GetModuleFileNameA, CopyFileA, DeleteFileA, MultiByteToWideChar, GetNumberFormatA, InterlockedCompareExchange, GetFileTime, GetFileAttributesA, CompareFileTime, GetACP, GetLocalTime, GetDateFormatA, GetTimeFormatA, GetLocaleInfoA, MulDiv, GetVersionExA, CreatePipe, GetStartupInfoA, CreateProcessA, PeekNamedPipe, Sleep, GetExitCodeProcess, InterlockedExchange, WaitForSingleObject, SetEndOfFile, GetFileSize, WriteFile, SetFilePointer, ReadFile, CloseHandle, GetConsoleCP, GetConsoleMode, GetWindowsDirectoryA, LCMapStringW, LoadLibraryA, FreeLibrary, GetStdHandle, GlobalLock, FlushFileBuffers, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, GetStringTypeW
> ole32.dll: RegisterDragDrop, ReleaseStgMedium, CoUninitialize, CoInitialize, OleUninitialize, OleInitialize, RevokeDragDrop, DoDragDrop, CoCreateInstance
> shell32.dll: SHBrowseForFolderA, SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHAppBarMessage, SHGetMalloc, SHBindToParent, DragQueryFileA, DragFinish, DragAcceptFiles, ShellExecuteExA, SHGetSpecialFolderPathA, Shell_NotifyIconA, SHGetDesktopFolder, SHChangeNotify, ShellExecuteA, SHGetFileInfoA, -
> shlwapi.dll: PathQuoteSpacesA, PathIsRootA, PathMatchSpecA, SHCopyKeyA, SHAutoComplete, PathIsDirectoryA
> user32.dll: IsClipboardFormatAvailable, GetClipboardData, ShowCaret, CreateCaret, DestroyCaret, HideCaret, SetCaretPos, GetUpdateRgn, MsgWaitForMultipleObjects, GetMessageTime, IsChild, DrawAnimatedRects, GetDesktopWindow, PeekMessageA, LoadStringA, CharPrevA, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, GetMenuState, GetMenuItemID, CallWindowProcA, LoadAcceleratorsA, GetMessageA, TranslateAcceleratorA, TranslateMessage, DispatchMessageA, GetScrollInfo, LoadIconA, RegisterClassA, SetClipboardViewer, ChangeClipboardChain, PostQuitMessage, ShowOwnedPopups, GetKeyState, GetActiveWindow, SystemParametersInfoA, GetWindowPlacement, IsZoomed, OemToCharBuffA, CharToOemBuffA, IsCharAlphaNumericA, CharNextA, GetMenu, wsprintfA, CheckMenuRadioItem, ModifyMenuA, IsDialogMessageA, BeginDeferWindowPos, DeferWindowPos, EndDeferWindowPos, DefWindowProcA, ClientToScreen, TrackPopupMenuEx, FindWindowExA, IsWindowEnabled, IsIconic, ShowWindowAsync, SetScrollInfo, ScrollWindow, SetTimer, KillTimer, GetKeyboardLayout, IsWindow, RegisterClassExA, SetWindowLongA, IsWindowVisible, UnregisterClassA, CheckMenuItem, EnableMenuItem, RemoveMenu, IsMenu, InvalidateRect, UpdateWindow, CreatePopupMenu, LoadBitmapA, ReleaseCapture, SetCapture, GetDC, GetDoubleClickTime, BeginPaint, EndPaint, AdjustWindowRectEx, InflateRect, DrawTextW, DrawTextA, DrawFocusRect, FillRect, RegisterClipboardFormatA, DialogBoxIndirectParamA, GetSysColorBrush, GetMenuStringA, GetWindowTextA, MapDialogRect, SetMenuDefaultItem, SetActiveWindow, GetWindowLongA, EnableWindow, GetDlgItem, ShowWindow, MoveWindow, SendMessageA, MapWindowPoints, GetWindowRect, DestroyCursor, SetCursor, ReleaseDC, GetSysColor, RedrawWindow, IsDlgButtonChecked, LoadMenuA, GetSubMenu, SetForegroundWindow, GetCursorPos, TrackPopupMenu, DestroyMenu, AppendMenuA, CheckDlgButton, MessageBeep, GetFocus, SetFocus, GetDlgCtrlID, GetDlgItemInt, SetDlgItemInt, CreateWindowExA, GetClientRect, GetSystemMetrics, SetWindowPos, DialogBoxParamA, CreateDialogParamA, PostMessageA, GetParent, EndDialog, PtInRect, GetMessagePos, ScreenToClient, LoadImageA, SetWindowTextA, GetDlgItemTextA, SetDlgItemTextA, MessageBoxA, SendDlgItemMessageA, DestroyWindow, LoadCursorA, GetMenuItemCount
> version.dll: VerQueryValueA, GetFileVersionInfoA, GetFileVersionInfoSizeA

( 0 exports )
TrID : File type identification
62.5% (.EXE) Win64 Executable Generic (85619/45/3)
22.7% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
6.2% (.EXE) Win32 Executable Generic (8527/13/3)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (7583/30/2)
1.4% (.EXE) Generic Win/DOS Executable (2002/3)
ssdeep: 49152:b1z4q2R/NysLYBVLbNs9x0qt6nYMMMMMMMMMMDMWMMMMMMMMM3h2:hkLRlDKS9xft6nYMMMMMMMMMMDMWMMMM
Prevx Info: http://info.prevx.com/aboutprogramtext.asp?PX5=4E1D3F3500371FF310B219306C55BC000F0F7593
PEiD : -
PDFiD : ['-', None, None]
CWSandbox: http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=b5e7b9131f55a937b79d5dc40d019b55
RDS : NSRL Reference Data Set
-

broni · 2009/11/01

Both, notepad.exe, and msconfig.exe legit locations are in C:\Windows\System32, but in any case, it looks like all 3 files are infected (2 notepads, 1 msconfig).
We can easily replace them with good files, but before we go there....

Upload following files to http://www.virustotal.com/ for security check:
- explorer.exe located @ C:\Windows
- userinit.exe and svchost.exe located @ C:\Windows\System32
Post scans results.

shopjennie · 2009/11/01

Hi, as I wrote earlier, combofix.exe has already deleted my msconfig.exe. I had to retrieve a copy from the internet.

Here are the results you asked:
explorer.exe
http://www.virustotal.com/analisis/...06fd201a639e100e3cb87e86cb06e0e400-1256975245

userinit.exe
http://www.virustotal.com/analisis/...5b9a1491f8efbdf7274141ed7e420fb93a-1256997253

svchost.exe
http://www.virustotal.com/analisis/...f5d324a099fe6a6f1500c53c7943b91499-1256915658

broni · 2009/11/01

I had to retrieve a copy from the internet
Click to expand...

Very good

I'm not thrilled with explorer.exe and userinit.exe results, but let's see what will happen...

Uninstall Combofix:
Go Start > Run
Type in:
combofix /u
Note the space between the "combofix" and the "/u "
Restart computer.

==================================================================

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Doubleclick the drweb-cureit.exe file and click Scan to run express scan. Click OK in pop-up window to allow scan.

This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.

Once the short scan has finished, select Complete scan.

Click the green arrow at the right, and the scan will start.

Click Yes to all if it asks if you want to cure/move the file.

When the scan has finished, in the menu, click File and choose Save report list

Save the report to your desktop. The report will be called DrWeb.csv

Close Dr.Web Cureit.

Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.

Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.cvs report.

NOTE. During the scan, pop-up window will open asking for full version purchase. Simply close the window by clicking on X in upper right corner.

Post fresh HijackThis log as well.

shopjennie · 2009/11/01

Here is the result from DrWeb. Next to the Asian characters, I've written translations in ( ).
STOPzilla_Setup.exe;D:\My Documents\Downloads;Trojan.DownLoad.40428;已删除 (deleted).;
ppstream.exe\data031;C:\WINDOWS\Svcpack\GSOFT\soft\ppstream.exe;Adware.Yayad.232;;
ppstream.exe;C:\WINDOWS\Svcpack\GSOFT\soft;发现压缩文件中有被感染的对象;已隔离 (found compressed file containing possible infected items, separated).;

Here is the fresh HijackThis log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:07:20, on 2009-11-2
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CMBCHINA\WebProtect\WPService.exe
C:\Program Files\ICBCEbankTools\ICBCAntiPhishing\IcbcDaemon.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: IE2EMBHO Class - {0A0DDBD3-6641-40B9-873F-BBDD26D6C14E} - C:\Program Files\easyMule\modules\IE2EM.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: WebProtect.IEHlpObj - {53763D1D-9CA8-4C7C-9756-A8E6B8FC063B} - C:\Program Files\CMBCHINA\WebProtect\WebProtect.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: 中国工商银行BHO - {BB4491A2-D11A-4c6b-91C0-B53246A3122B} - C:\Program Files\ICBCEbankTools\ICBCAntiPhishing\Icbc_AntiPhishing.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: 使用电驴下载 - C:\Program Files\easyMule\IE2EM.htm
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} (Edit Class) - https://site.cmbchina.com/download/CMBEdit.cab
O16 - DPF: {3AA9CF07-DF20-48FF-98BE-DED276E40146} (GDGetTokenInfo Class) - https://mybank.icbc.com.cn/icbc/GDReadPub.cab
O16 - DPF: {488A4255-3236-44B3-8F27-FA1AECAA8844} (EditCtrl Class) - https://img.alipay.com/download/2121/aliedit.cab
O16 - DPF: {73E4740C-08EB-4133-896B-8D0A7C9EE3CD} (AxInputControl Class) - https://b2c.icbc.com.cn/icbc/newperbank/AXSafeControls.cab
O16 - DPF: {B1FBC1AD-5644-4084-882A-0F8BA85E7506} (InfoSecICBCNetSign Class) - https://mybank.icbc.com.cn/icbc/ICBC_NetSign.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour 服务 (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cmb WebProtect Support (CMBWPS) - China Merchants Bank - C:\Program Files\CMBCHINA\WebProtect\WPService.exe
O23 - Service: ICBC Daemon Service - Unknown owner - C:\Program Files\ICBCEbankTools\ICBCAntiPhishing\IcbcDaemon.exe
O23 - Service: iPod 服务 (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

--
End of file - 5734 bytes

broni · 2009/11/01

Print this post out, since you won't have an access to it, at some point.

1. Open HijackThis.

2. Close all windows, except for HijackThis.

3. Put checkmarks next to the following HijackThis entries:

- O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

4. You should also checkmark following entries (these are unnecessary startups; no actual programs will be removed):

- O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
- O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

5. Click on Fix checked button.

7. Restart computer.

8. Post new HijackThis log.

shopjennie · 2009/11/01

Hi, I unchecked and fixed those files. Here is the new HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:55:40, on 2009-11-2
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CMBCHINA\WebProtect\WPService.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\ICBCEbankTools\ICBCAntiPhishing\IcbcDaemon.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: WebProtect.IEHlpObj - {53763D1D-9CA8-4C7C-9756-A8E6B8FC063B} - C:\Program Files\CMBCHINA\WebProtect\WebProtect.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: 中国工商银行BHO - {BB4491A2-D11A-4c6b-91C0-B53246A3122B} - C:\Program Files\ICBCEbankTools\ICBCAntiPhishing\Icbc_AntiPhishing.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (file missing)
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} (Edit Class) - https://site.cmbchina.com/download/CMBEdit.cab
O16 - DPF: {3AA9CF07-DF20-48FF-98BE-DED276E40146} (GDGetTokenInfo Class) - https://mybank.icbc.com.cn/icbc/GDReadPub.cab
O16 - DPF: {488A4255-3236-44B3-8F27-FA1AECAA8844} (EditCtrl Class) - https://img.alipay.com/download/2121/aliedit.cab
O16 - DPF: {73E4740C-08EB-4133-896B-8D0A7C9EE3CD} (AxInputControl Class) - https://b2c.icbc.com.cn/icbc/newperbank/AXSafeControls.cab
O16 - DPF: {B1FBC1AD-5644-4084-882A-0F8BA85E7506} (InfoSecICBCNetSign Class) - https://mybank.icbc.com.cn/icbc/ICBC_NetSign.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour 服务 (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cmb WebProtect Support (CMBWPS) - China Merchants Bank - C:\Program Files\CMBCHINA\WebProtect\WPService.exe
O23 - Service: ICBC Daemon Service - Unknown owner - C:\Program Files\ICBCEbankTools\ICBCAntiPhishing\IcbcDaemon.exe
O23 - Service: iPod 服务 (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

--
End of file - 5220 bytes

broni · 2009/11/02

Your computer is clean

1. Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.

2. Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore ".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C: ")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

3. Restart computer.

4. Turn System Restore on.

5. Make sure, Windows Updates are current.

[SIZE= "4"]6. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately![/SIZE]

7. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

8. Run defrag at your convenience.

9. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

10. Please, let me know, how is your computer doing.

shopjennie · 2009/11/02

Hi,

I've done all you've listed. Couple questions.

1. How do you my computer is clean? What about the infected notepad.exe, explorer.exe, userinit.exe and svchost.exe? Did we clean them?

2. My ctrl+alt+del still doesn't work. Could it be that taskmgr has been deleted from the computer?

3. When running in safemode using AVG or Malwarebytes or any anti-virus software, midway through scanning the screen would become blurry, blue screen would appear, or computer would be forced to shut down. I suspect there might be a hidden nasty virus somewhere that the virus protection softwares cannot get rid off? I'm not sure... when running all the anti-virus softwares without safemode, they all work fine, but only in safemode they won't process through. Someone has suggested to reformat and reinstall XP, what is your opinion?

Thanks so much for your help!
Jennie

broni · 2009/11/02

We checked explorer.exe, userinit.exe and svchost.exe, because I was afraid, you might be infected with some polymorphic virus, like Virut, or Sality.
The scan didn't show any of that kind of infection.
explorer.exe and userint.exe scans were marked as suspicious by two engines, but in each case one was heuristic reading.
Normally, Dr.Web would also get triggered by Virut, but it doesn't show anything.
All other final scans don't show anything suspicious.

Delete notepad.exe from both locations:
C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\notepad.exe
I'm attaching zipped notepad.exe from my XP installation.
Unzip it and place the file into C:\WINDOWS\system32

Look in C:\WINDOWS\system32 folder, if taskmgr.exe is there.

shopjennie · 2009/11/02

Hi,

When I deleted and copied your notepad.exe into the folders, the computer gave me this pop-up message.

Note: translated by me.

"The required files of normal function in Windows has been replaced by unknown version. In order to continue system stability, Windows must be replaced by the original copy of the files.

Insert your Windows XP Professional Service Pack 3. "

What should I do?

Also, taskmgr.exe is not in C:\WINDOWS\system32, or anywhere on the computer.

Log in or Sign up

Solved cannot use ctrl+alt+del

shopjennie Inactive Thread Starter

shopjennie Inactive Thread Starter

shopjennie Inactive Thread Starter

shopjennie Inactive Thread Starter

broni Moderator Malware Analyst

shopjennie Inactive Thread Starter

broni Moderator Malware Analyst

shopjennie Inactive Thread Starter

shopjennie Inactive Thread Starter

shopjennie Inactive Thread Starter

broni Moderator Malware Analyst

shopjennie Inactive Thread Starter

broni Moderator Malware Analyst

shopjennie Inactive Thread Starter

broni Moderator Malware Analyst

shopjennie Inactive Thread Starter

broni Moderator Malware Analyst

shopjennie Inactive Thread Starter

broni Moderator Malware Analyst

shopjennie Inactive Thread Starter

Share This Page

Log in or Sign up

Solved cannot use ctrl+alt+del

shopjennie Inactive Thread Starter

shopjennie Inactive Thread Starter

shopjennie Inactive Thread Starter

shopjennie Inactive Thread Starter

broni Moderator Malware Analyst

shopjennie Inactive Thread Starter

broni Moderator Malware Analyst

shopjennie Inactive Thread Starter

shopjennie Inactive Thread Starter

shopjennie Inactive Thread Starter

broni Moderator Malware Analyst

shopjennie Inactive Thread Starter

broni Moderator Malware Analyst

shopjennie Inactive Thread Starter

broni Moderator Malware Analyst

shopjennie Inactive Thread Starter

broni Moderator Malware Analyst

shopjennie Inactive Thread Starter

broni Moderator Malware Analyst

shopjennie Inactive Thread Starter

Share This Page

Useful Searches