
Solved essential services do not load at startup

Discussion in 'Malware and Virus Removal Archive' started by jharry, 2008/12/07.

  1. 2008/12/10, jharry (Thread Starter)
    About 145 subkeys. The counting was tedious. I may have missed a few.
     
  2. 2008/12/10, noahdfear
    Sorry about that .... an estimation of over 100 would have been a sufficient answer. I was just making sure you had more than a 'few' entries there.

    Please replace the file services.exe in both system32 and the dllcache from the i386 folder. A restart will be required for effect.
     


  4. 2008/12/10, jharry (Thread Starter)
    The copy of services.exe from the i386 folder to the dllcache folder had no problem. But copying to the system32 folder was not allowed because the services.exe file in that folder was in use. However, renaming it to services.old was allowed, and then I could do the copy. Restarting resulted in no change. The services window still did not have an RPC entry.
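    The file-replacement step above is, underneath, an integrity check: the services.exe that runs from system32 should be byte-identical to the copies in dllcache and in the i386 service pack source. The Sigcheck section of the ComboFix log posted later in this thread lists exactly that information, one line per copy in the form date, time, size, MD5, path. The Python script below is an added example, not part of the original thread and not code from ComboFix or Sigcheck: it parses lines in that format and reports, per file name, whether the live copy equals its dllcache/ServicePackFiles reference copies, equals some other cached copy, or equals no other copy on disk. The sample lines are copied from that log; the LIVE_DIRS/REFERENCE_DIRS classification and the verdict names are this example's own assumptions.

```python
"""Cross-check a live Windows system file against its cached copies, using
Sigcheck-style lines (<date> <time> <size> <md5> <path>) as ComboFix prints them.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Subset of the Sigcheck section of the ComboFix log posted in this thread
# (services.exe, ntkrnlpa.exe and wininet.dll); hashes are as printed there.
SIGCHECK_SAMPLE = r"""
2004-08-04 20:00 108032 c6ce6eec82f187615d1002bb3bb50ed4 c:\windows\$NtServicePackUninstall$\services.exe
2008-04-14 05:42 108544 0e776ed5f7cc9f94299e70461b7b8185 c:\windows\ServicePackFiles\i386\services.exe
2008-04-14 05:42 108544 0e776ed5f7cc9f94299e70461b7b8185 c:\windows\system32\services.exe
2008-04-14 05:42 108544 0e776ed5f7cc9f94299e70461b7b8185 c:\windows\system32\dllcache\services.exe
2008-08-14 17:33 2066048 4ac58f03eb94a72809949d757fc39d80 c:\windows\Driver Cache\i386\ntkrnlpa.exe
2008-04-14 00:01 2065792 109f8e3e3c82e337bb71b6bc9b895d61 c:\windows\ServicePackFiles\i386\ntkrnlpa.exe
2008-08-14 17:33 2066048 4ac58f03eb94a72809949d757fc39d80 c:\windows\system32\ntkrnlpa.exe
2008-04-14 00:01 2065792 109f8e3e3c82e337bb71b6bc9b895d61 c:\windows\system32\dllcache\ntkrnlpa.exe
2008-04-14 05:42 666112 7a4f775abb2f1c97def3e73afa2faedd c:\windows\ServicePackFiles\i386\wininet.dll
2008-08-26 15:24 826368 ef8eba98145bfa44e80d17a3b3453300 c:\windows\system32\wininet.dll
2008-04-14 05:42 666112 7a4f775abb2f1c97def3e73afa2faedd c:\windows\system32\dllcache\wininet.dll
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d) (\d\d:\d\d) (\d+) ([0-9a-f]{32}) (.+)$")

# Assumption of this example: directories holding the copy that actually runs ...
LIVE_DIRS = {"c:/windows", "c:/windows/system32", "c:/windows/system32/drivers"}
# ... and the copies the thread treats as the trusted source (dllcache and the i386 service pack files).
REFERENCE_DIRS = {"c:/windows/system32/dllcache", "c:/windows/servicepackfiles/i386"}


def parse_sigcheck(text):
    """Return one dict per well-formed Sigcheck line; headers and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append({"date": m.group(1), "time": m.group(2), "size": int(m.group(3)),
                         "md5": m.group(4), "path": m.group(5)})
    return rows


def split_path(path):
    """Lower-cased, forward-slash directory and file name of a Windows path."""
    p = PureWindowsPath(path)
    return str(p.parent).replace("\\", "/").lower(), p.name.lower()


def classify(rows):
    """Verdict per file name (names are this example's own):
       consistent          live copy equals every reference copy
       matches_other_copy  live copy differs from the reference but equals another cached copy
       unmatched           live copy equals no other copy on disk; explain it before trusting it
       no_live_copy        only cached copies were listed
    """
    copies = defaultdict(list)
    for r in rows:
        directory, name = split_path(r["path"])
        copies[name].append((directory, r["md5"]))
    verdicts = {}
    for name, entries in copies.items():
        live = [md5 for d, md5 in entries if d in LIVE_DIRS]
        if not live:
            verdicts[name] = "no_live_copy"
            continue
        live_md5 = live[0]
        reference = {md5 for d, md5 in entries if d in REFERENCE_DIRS}
        others = {md5 for d, md5 in entries if d not in LIVE_DIRS}
        if reference and reference == {live_md5}:
            verdicts[name] = "consistent"
        elif live_md5 in others:
            verdicts[name] = "matches_other_copy"
        else:
            verdicts[name] = "unmatched"
    return verdicts


def report(text):
    """Sorted {file name: verdict} for a block of Sigcheck-style text."""
    return dict(sorted(classify(parse_sigcheck(text)).items()))


if __name__ == "__main__":
    for name, verdict in report(SIGCHECK_SAMPLE).items():
        print(f"{name:16} {verdict}")
```

    On the sample, services.exe comes out consistent (the replacement from i386 produced a live copy identical to dllcache and ServicePackFiles, which is why it could not have been the cause on its own), ntkrnlpa.exe matches the newer Driver Cache copy rather than dllcache, and wininet.dll matches nothing else on disk. An unmatched verdict is a prompt to find the explanation (a later hotfix or an IE7 update are ordinary ones) by checking the file's version resource and catalog signature, not a verdict of infection.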
     
  5. 2008/12/10, noahdfear
    You seem to be able to transfer files, so let's try this.
    • Download RSIT by random/random and save it to your desktop.
    • Double click RSIT.exe to start the tool.
    • At the disclaimer, please use the drop down box to select 3 months for the file/folder search, then click Continue.
    • When the scan completes it will open a log named log.txt maximized, and a log named info.txt minimized.
    • Please post the contents of log.txt here in your next reply.
     
  6. 2008/12/10, jharry (Thread Starter)
    When I hit the "continue" button after selecting 3 months, I get an error message:

    AutoIt Error

    Line -1:

    Error: Incorrect number of parameters in function call.

    After I press the OK button on this window, RSIT ends without executing.

    PS: I failed to notice that the disclaimer mentioned RSIT will try to download HijackThis. I don't have HijackThis on my computer. Is there some way I can get HijackThis?
     
    Last edited: 2008/12/10
  7. 2008/12/10, noahdfear
    Ackkk! Let's try another. Please download DDS and save it to your desktop.
    • Disable any script blocking protection
    • Double click dds.scr to run the tool.
    • When done, DDS.txt will open.
    • Click Yes at the next prompt for Optional Scan.
    • Save both reports to your desktop.
    ---------------------------------------------------

    Please include the contents of the following in your next reply:

    DDS.txt


    I may ask for the Attach.txt log later, so keep it handy.
     
  8. 2008/12/10, jharry (Thread Starter)
    Here are the contents of DDS.txt

    DDS (Version 1.0) - NTFSx86
    Run by Owner at 12:36:33.29 on 12/11/2008 Thu
    Internet Explorer: 7.0.5730.11

    ============== Pseudo HJT Report ===============

    uStart Page = about:blank
    uSearch Page = hxxp://www.highstream.net/members/
    uWindow Title = -
    mWindow Title = -
    uInternet Settings,ProxyOverride = local
    BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptsn.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [MSMSGS] "c:\program files\messenger\MSMSGS.EXE" /background
    mRun: [UVS11 Preload] c:\program files\ulead systems\ulead videostudio 11\uvPL.exe
    mRun: [UVS10 Preload] c:\program files\ulead systems\ulead videostudio 10\uvPL.exe
    mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
    mRun: [SoundMan] SOUNDMAN.EXE
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4.0\OpwareSE4.exe "
    mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
    mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
    mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
    mRun: [IMSCMig] c:\progra~1\common~1\micros~1\ime\imsc40a\IMSCMIG.EXE /Preload
    mRun: [EOUApp] c:\program files\intel\wireless\bin\EOUWiz.exe
    mRun: [AGRSMMSG] AGRSMMSG.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe "
    IE: {c95fe080-8f5d-11d2-a20b-00aa003c157b} - c:\program files\tencent\qq\QQ.EXE
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    IE: {c95fe080-8f5d-11d2-a20b-00aa003c157b} - c:\program files\tencent\qq\QQ.EXE
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll
    Notify: igfxcui - igfxdev.dll
    Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll

    ============= SERVICES / DRIVERS ===============


    =============== Created Last 30 ================

    2008-12-11 11:46 108,544 a------- c:\windows\system32\services.exe
    2008-12-11 10:12 14,336 a------- c:\windows\system32\svchost.exe
    2008-12-11 08:53 858,624 ac------ c:\windows\system32\dllcache\tapi3.dll
    2008-12-11 08:52 180,360 ac------ c:\windows\system32\dllcache\ntmtlfax.sys
    2008-12-11 08:51 848,384 ac------ c:\windows\system32\dllcache\ir41_32.ax
    2008-12-11 08:50 110,592 ac------ c:\windows\system32\dllcache\bthprops.cpl
    2008-11-24 21:22 331,776 ac------ c:\windows\system32\dllcache\msadce.dll
    2008-11-23 08:14 456,576 ac------ c:\windows\system32\dllcache\mrxsmb.sys
    2008-11-22 22:18 1,104,896 ac------ c:\windows\system32\dllcache\msxml3.dll
    2008-11-18 16:44 <DIR> --d----- c:\program files\数独博士

    ==================== Find3M ====================

    2008-11-10 17:05 772,188 a------- c:\windows\GPInstall.exe
    2008-10-24 19:21 455,296 a------- c:\windows\system32\drivers\mrxsmb.sys
    2008-10-18 19:09 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
    2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
    2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
    2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
    2008-09-15 20:12 1,846,400 a------- c:\windows\system32\win32k.sys
    2007-11-04 07:47 968 a------- c:\program files\INSTALL.LOG
    2007-10-04 20:04 284 a------- c:\docume~1\owner\applic~1\ViewerApp.dat
    2002-08-08 23:40 153,088 a------- c:\program files\UNWISE.EXE

    ============= FINISH: 12:37:02.84 ===============
     
  9. 2008/12/10, noahdfear
    Please visit the following webpage for instructions for downloading and running ComboFix.

    How to use ComboFix


    Download ComboFix by sUBs from here, saving the file to your desktop.


    Please disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows
    • Double click ComboFix.exe and follow the prompts.
    • It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
     
  10. 2008/12/10, jharry (Thread Starter)
    The ComboFix guide states that I need to create a Windows Recovery Console and ComboFix will install it while connected to the internet. Since my machine's internet connections are dead, do I have to create the Windows Recovery Console? If not, will ComboFix still do its job while not connected to the internet?

    The public computer is closing. I will get back to you tomorrow.

    Thanks for your help.
     
  11. 2008/12/10, noahdfear
    It will run fine. Just skip the recovery console download when prompted.
     
  12. 2008/12/11, jharry (Thread Starter)
    Here is the log from ComboFix

    ComboFix 08-12-09.03 - Owner 2008-12-11 20:03:36.1 - NTFSx86
    执行位置: c:\downloads\windowsbbs\ComboFix.exe

    Note - This computer does not have Recovery Console installed !!
    .
    ADS - WINDOWS: deleted 1767133 bytes in 1 streams.

    ((((((((((((((((((((((((((((((((((((((( Deleted files )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\INSTALL.LOG
    c:\program files\lingtu
    c:\program files\lingtu\51ditu\bin\Analysis.ini
    c:\program files\lingtu\51ditu\DATA\maps\beijing\Database.ini
    c:\program files\lingtu\51ditu\DATA\maps\beijing\SysBlock.ini
    c:\program files\lingtu\51ditu\DATA\maps\beijing\SysBlockLob.ini
    c:\program files\lingtu\51ditu\DATA\maps\beijing\SysField.ini
    c:\program files\lingtu\51ditu\DATA\maps\beijing\SysTable.ini
    c:\program files\lingtu\51ditu\DATA\maps\chengdu\Database.ini
    c:\program files\lingtu\51ditu\DATA\maps\chengdu\SysBlock.ini
    c:\program files\lingtu\51ditu\DATA\maps\chengdu\SysBlockLob.ini
    c:\program files\lingtu\51ditu\DATA\maps\chengdu\SysField.ini
    c:\program files\lingtu\51ditu\DATA\maps\chengdu\SysTable.ini
    c:\program files\lingtu\51ditu\DATA\maps\hangzhou\Database.ini
    c:\program files\lingtu\51ditu\DATA\maps\hangzhou\SysBlock.ini
    c:\program files\lingtu\51ditu\DATA\maps\hangzhou\SysBlockLob.ini
    c:\program files\lingtu\51ditu\DATA\maps\hangzhou\SysField.ini
    c:\program files\lingtu\51ditu\DATA\maps\hangzhou\SysTable.ini
    c:\program files\lingtu\51ditu\DATA\maps\MaErKangXian\Database.ini
    c:\program files\lingtu\51ditu\DATA\maps\MaErKangXian\SysBlock.ini
    c:\program files\lingtu\51ditu\DATA\maps\MaErKangXian\SysBlockLob.ini
    c:\program files\lingtu\51ditu\DATA\maps\MaErKangXian\SysField.ini
    c:\program files\lingtu\51ditu\DATA\maps\MaErKangXian\SysTable.ini
    c:\program files\lingtu\51ditu\DATA\maps\ningbo\Database.ini
    c:\program files\lingtu\51ditu\DATA\maps\ningbo\SysBlock.ini
    c:\program files\lingtu\51ditu\DATA\maps\ningbo\SysBlockLob.ini
    c:\program files\lingtu\51ditu\DATA\maps\ningbo\SysField.ini
    c:\program files\lingtu\51ditu\DATA\maps\ningbo\SysTable.ini
    c:\program files\lingtu\51ditu\DATA\maps\quanguo\Database.ini
    c:\program files\lingtu\51ditu\DATA\maps\quanguo\SysBlock.ini
    c:\program files\lingtu\51ditu\DATA\maps\quanguo\SysBlockLob.ini
    c:\program files\lingtu\51ditu\DATA\maps\quanguo\SysField.ini
    c:\program files\lingtu\51ditu\DATA\maps\quanguo\SysTable.ini
    c:\program files\lingtu\51ditu\DATA\maps\shanghai\Database.ini
    c:\program files\lingtu\51ditu\DATA\maps\shanghai\SysBlock.ini
    c:\program files\lingtu\51ditu\DATA\maps\shanghai\SysBlockLob.ini
    c:\program files\lingtu\51ditu\DATA\maps\shanghai\SysField.ini
    c:\program files\lingtu\51ditu\DATA\maps\shanghai\SysTable.ini
    c:\program files\lingtu\51ditu\DATA\template\Messager\Historys\2007_10_09_11_36_56.ini
    c:\program files\lingtu\灵图UU\uu.exe
    c:\program files\lingtu\灵图UU\uu.ini
    c:\program files\lingtu\灵图UU\uu_update.exe
    c:\windows\a3kebook.ini
    c:\windows\akebook.ini
    c:\windows\ANS2000.INI
    c:\windows\system32\syscy.dll
    c:\windows\system32\VFP6RCHS.DLL
    F:\autorun.inf

    .
    ((((((((((((((((((((((((( 2008-11-11 to 2008-12-11 New Files )))))))))))))))))))))))))))))))
    .

    2008-12-11 11:46 . 2008-04-14 05:42 108,544 --a------ c:\windows\system32\services.exe
    2008-12-11 10:12 . 2008-04-14 05:42 14,336 --a------ c:\windows\system32\svchost.exe
    2008-12-11 08:53 . 2008-04-14 05:51 20,056,462 --a--c--- c:\windows\system32\dllcache\sp3.cab
    2008-12-11 08:52 . 2007-04-03 00:09 11,053,008 --a--c--- c:\windows\system32\dllcache\msncli.exe
    2008-12-11 08:51 . 2008-04-13 21:09 2,775,842 --a--c--- c:\windows\system32\dllcache\cimwin32.mof
    2008-12-11 08:50 . 2008-04-14 05:41 1,888,992 --a--c--- c:\windows\system32\dllcache\ati3duag.dll
    2008-11-24 21:22 . 2008-04-14 05:42 331,776 --a--c--- c:\windows\system32\dllcache\msadce.dll
    2008-11-23 08:14 . 2008-04-14 00:47 456,576 --a--c--- c:\windows\system32\dllcache\mrxsmb.sys
    2008-11-22 22:18 . 2008-04-14 05:42 1,104,896 --a--c--- c:\windows\system32\dllcache\msxml3.dll
    2008-11-18 16:44 . 2008-11-18 20:19 <DIR> d-------- c:\program files\数独博士

    .
    (((((((((((((((((((((((((((((((((((((((( Files modified in last 3 months ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-05 08:42 --------- d-----w c:\documents and settings\Owner\Application Data\U3
    2008-11-23 00:10 --------- d-----w c:\program files\McAfee
    2008-11-22 14:14 --------- d-----w c:\program files\Common Files\McAfee
    2008-11-10 09:06 --------- d-----w c:\program files\电子成语词典
    2008-11-10 09:05 772,188 ----a-w c:\windows\GPInstall.exe
    2008-11-10 08:29 --------- d-----w c:\program files\Revo Uninstaller
    2008-11-10 07:38 --------- d-----w c:\program files\Nero 8
    2008-11-10 07:38 --------- d-----w c:\program files\Common Files\Nero
    2008-11-10 07:38 --------- d-----w c:\documents and settings\Owner\Application Data\Nero
    2008-11-07 00:01 --------- d-----w c:\program files\eMule
    2008-11-07 00:00 --------- d-----w c:\program files\Realtek Sound Manager
    2008-11-07 00:00 --------- d-----w c:\program files\AvRack
    2008-11-06 23:59 --------- d-----w c:\program files\NewTech Infosystems
    2008-11-06 23:59 --------- d-----w c:\program files\Netscape
    2008-11-06 23:59 --------- d-----w c:\program files\china_emap2008
    2008-11-06 12:50 --------- d-----w c:\program files\Foxit Software
    2008-11-06 12:31 --------- d--h--w c:\program files\InstallShield Installation Information
    2008-11-06 08:14 --------- d-----w c:\program files\中国电子地图2008bin
    2008-11-06 08:14 --------- d-----w c:\program files\中国电子地图2008
    2008-11-05 13:31 --------- d-----w c:\documents and settings\Owner\Application Data\Ulead Systems
    2008-11-05 13:31 --------- d-----w c:\documents and settings\All Users\Application Data\Ulead Systems
    2008-11-05 13:03 --------- d-----w c:\program files\Ulead Systems
    2008-11-05 09:33 --------- d-----w c:\program files\Kingsoft
    2008-11-05 09:18 --------- d-----w c:\documents and settings\Owner\Application Data\Kingsoft
    2008-11-05 09:18 --------- d-----w c:\documents and settings\All Users\Application Data\Kingsoft
    2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
    2008-10-18 12:13 --------- d-----w c:\program files\Common Files\Ulead Systems
    2008-10-18 11:50 --------- d-----w c:\program files\Common Files\InterVideo
    2008-10-18 11:49 --------- d-----w c:\documents and settings\All Users\Application Data\InterVideo
    2008-10-16 06:13 202,776 ----a-w c:\windows\system32\wuweb.dll
    2008-10-16 06:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
    2008-10-16 06:12 561,688 ----a-w c:\windows\system32\wuapi.dll
    2008-10-16 06:12 323,608 ----a-w c:\windows\system32\wucltui.dll
    2008-10-16 06:09 92,696 ----a-w c:\windows\system32\cdm.dll
    2008-10-16 06:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
    2008-10-16 06:09 43,544 ----a-w c:\windows\system32\wups2.dll
    2008-10-16 06:08 34,328 ----a-w c:\windows\system32\wups.dll
    2008-10-16 06:06 268,648 ----a-w c:\windows\system32\mucltui.dll
    2008-10-16 06:06 208,744 ----a-w c:\windows\system32\muweb.dll
    2008-09-30 08:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
    2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
    2007-10-04 12:04 284 ----a-w c:\documents and settings\Owner\Application Data\ViewerApp.dat
    2002-08-08 15:40 153,088 ----a-w c:\program files\UNWISE.EXE
    .

    ------- Sigcheck -------

    2004-08-04 20:00 14336 8f078ae4ed187aaabc0a305146de6716 c:\windows\$NtServicePackUninstall$\svchost.exe
    2008-04-14 05:42 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 c:\windows\ServicePackFiles\i386\svchost.exe
    2008-04-14 05:42 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 c:\windows\system32\svchost.exe
    2008-04-14 05:42 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 c:\windows\system32\dllcache\svchost.exe

    2005-03-03 02:19 577024 1800f293bccc8ede8a70e12b88d80036 c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
    2007-03-08 23:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
    2007-03-08 23:36 577536 b409909f6e2e8a7067076ed748abf1e7 c:\windows\$NtServicePackUninstall$\user32.dll
    2004-08-04 20:00 577024 c72661f8552ace7c5c85e16a3cf505c4 c:\windows\$NtUninstallKB890859$\user32.dll
    2005-03-03 02:09 577024 de2db164bbb35db061af0997e4499054 c:\windows\$NtUninstallKB925902$\user32.dll
    2008-04-14 05:42 578560 b26b135ff1b9f60c9388b4a7d16f600b c:\windows\ServicePackFiles\i386\user32.dll
    2008-04-14 05:42 578560 b26b135ff1b9f60c9388b4a7d16f600b c:\windows\system32\user32.dll
    2008-04-14 05:42 578560 b26b135ff1b9f60c9388b4a7d16f600b c:\windows\system32\dllcache\user32.dll

    2004-08-04 20:00 82944 2ed0b7f12a60f90092081c50fa0ec2b2 c:\windows\$NtServicePackUninstall$\ws2_32.dll
    2008-04-14 05:42 82432 2ccc474eb85ceaa3e1fa1726580a3e5a c:\windows\ServicePackFiles\i386\ws2_32.dll
    2008-04-14 05:42 82432 2ccc474eb85ceaa3e1fa1726580a3e5a c:\windows\system32\ws2_32.dll
    2008-04-14 05:42 82432 2ccc474eb85ceaa3e1fa1726580a3e5a c:\windows\system32\dllcache\ws2_32.dll

    2005-05-03 04:57 658944 e1e18136f9dd3df1ad9c82193a5898a6 c:\windows\$hf_mig$\KB883939\SP2QFE\wininet.dll
    2005-10-21 11:38 661504 af785c4947676a7fc1673fdc5c8d0b5b c:\windows\$hf_mig$\KB905915\SP2QFE\wininet.dll
    2006-03-04 11:58 663552 c0845ecbf4f9164e618ee381b79c9032 c:\windows\$hf_mig$\KB912812\SP2QFE\wininet.dll
    2006-06-23 19:25 664576 64ce26db72810b30f7855ea51e1df836 c:\windows\$hf_mig$\KB918899\SP2QFE\wininet.dll
    2006-09-14 16:31 664576 d207370287cf769aebebf03837784963 c:\windows\$hf_mig$\KB922760\SP2QFE\wininet.dll
    2007-03-08 01:40 823296 b8f4db39ca7353752f245379d285c80e c:\windows\$hf_mig$\KB931768-IE7\SP2QFE\wininet.dll
    2007-06-27 22:40 824320 d6ed5e042c5207553e7f5e842918137f c:\windows\$hf_mig$\KB937143-IE7\SP2QFE\wininet.dll
    2007-08-20 18:02 825344 357d54bf94fe9d6d8505a96b5c2a3bca c:\windows\$hf_mig$\KB939653-IE7\SP2QFE\wininet.dll
    2007-12-07 10:01 825344 b5b411bb229ae6ead7652a32ed47bfb9 c:\windows\$hf_mig$\KB944533-IE7\SP2QFE\wininet.dll
    2008-03-01 21:03 827392 6316c2f0c61271c8abdff7429174879e c:\windows\$hf_mig$\KB947864-IE7\SP2QFE\wininet.dll
    2008-08-26 17:08 827904 77c192fe56a70d7fa0247ba0a6201c32 c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
    2004-08-04 20:00 656384 c0823fc5469663ba63e7db88f9919d70 c:\windows\$NtUninstallKB883939$\wininet.dll
    2005-05-03 04:52 657920 1a078af3f85d10ba56444c23b3a18e74 c:\windows\$NtUninstallKB905915$\wininet.dll
    2005-10-21 11:39 658432 e7b27b6b6e06ce34ea019fd8b858c613 c:\windows\$NtUninstallKB912812$\wininet.dll
    2006-03-04 11:33 658432 1c0979c7a489bee573cd0bf4ad94bb06 c:\windows\$NtUninstallKB918899$\wininet.dll
    2006-06-23 19:02 658944 2b4db890936430c71419037039502752 c:\windows\$NtUninstallKB922760$\wininet.dll
    2006-09-14 16:39 658944 621af3f6174a3f60677f5230e28bcc07 c:\windows\ie7\wininet.dll
    2006-11-08 13:03 818688 92995334f993e6e49c25c6d02ec04401 c:\windows\ie7updates\KB928090-IE7\wininet.dll
    2007-01-12 09:27 822784 be43d00d802c92f01c8cc952c6f483f8 c:\windows\ie7updates\KB931768-IE7\wininet.dll
    2007-03-08 01:45 822784 5b35dae6e4886f64d1da58c4e3e01eb9 c:\windows\ie7updates\KB937143-IE7\wininet.dll
    2007-06-27 22:34 823808 8068cbb58fe60cc95aeb2cff70178208 c:\windows\ie7updates\KB939653-IE7\wininet.dll
    2007-08-20 18:04 824832 774435e499d8e9643ec961a6103c361f c:\windows\ie7updates\KB944533-IE7\wininet.dll
    2007-12-07 10:21 824832 806d274c9a6c3aaea5eae8e4af841e04 c:\windows\ie7updates\KB947864-IE7\wininet.dll
    2008-03-01 21:06 826368 ad21461aef8244edec2ef18e55e1dcf3 c:\windows\ie7updates\KB956390-IE7\wininet.dll
    2008-04-14 05:42 666112 7a4f775abb2f1c97def3e73afa2faedd c:\windows\ServicePackFiles\i386\wininet.dll
    2008-08-26 15:24 826368 ef8eba98145bfa44e80d17a3b3453300 c:\windows\system32\wininet.dll
    2008-04-14 05:42 666112 7a4f775abb2f1c97def3e73afa2faedd c:\windows\system32\dllcache\wininet.dll

    2005-05-26 03:07 359936 63fdfea54eb53de2d863ee454937ce1e c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
    2006-01-14 01:07 360448 5562cc0a47b2aef06d3417b733f3c195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
    2006-04-20 20:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
    2007-10-31 00:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
    2007-10-31 01:20 360064 90caff4b094573449a0872a0f919b178 c:\windows\$NtServicePackUninstall$\tcpip.sys
    2004-08-04 20:00 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB893066$\tcpip.sys
    2005-05-26 03:04 359808 88763a98a4c26c409741b4aa162720c9 c:\windows\$NtUninstallKB913446$\tcpip.sys
    2006-01-13 10:28 359808 583e063fdc888ca30d05c2724b0d7ef4 c:\windows\$NtUninstallKB917953$\tcpip.sys
    2006-04-20 19:51 359808 1dbf125862891817f374f407626967f4 c:\windows\$NtUninstallKB941644$\tcpip.sys
    2008-04-14 00:50 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\ServicePackFiles\i386\tcpip.sys
    2008-04-14 00:50 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\system32\dllcache\tcpip.sys
    2008-04-14 00:50 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\system32\drivers\tcpip.sys

    2004-08-04 20:00 502272 01c3346c241652f43aed8e2149881bfe c:\windows\$NtServicePackUninstall$\winlogon.exe
    2008-04-14 05:42 507904 ed0ef0a136dec83df69f04118870003e c:\windows\ServicePackFiles\i386\winlogon.exe
    2008-04-14 05:42 507904 ed0ef0a136dec83df69f04118870003e c:\windows\system32\winlogon.exe
    2008-04-14 05:42 507904 ed0ef0a136dec83df69f04118870003e c:\windows\system32\dllcache\winlogon.exe

    2004-08-04 20:00 182912 558635d3af1c7546d26067d5d9b6959e c:\windows\$NtServicePackUninstall$\ndis.sys
    2008-04-14 00:50 182656 1df7f42665c94b825322fae71721130d c:\windows\ServicePackFiles\i386\ndis.sys
    2008-04-14 00:50 182656 1df7f42665c94b825322fae71721130d c:\windows\system32\dllcache\ndis.sys
    2008-04-14 00:50 182656 1df7f42665c94b825322fae71721130d c:\windows\system32\drivers\ndis.sys

    2004-08-04 20:00 29056 4448006b6bc60e6c027932cfc38d6855 c:\windows\$NtServicePackUninstall$\ip6fw.sys
    2008-04-14 00:23 36608 3bb22519a194418d5fec05d800a19ad0 c:\windows\ServicePackFiles\i386\ip6fw.sys
    2008-04-14 00:23 36608 3bb22519a194418d5fec05d800a19ad0 c:\windows\system32\dllcache\ip6fw.sys
    2008-04-14 00:23 36608 3bb22519a194418d5fec05d800a19ad0 c:\windows\system32\drivers\ip6fw.sys

    2005-03-02 07:36 2056832 d8aba3eab509627e707a3b14f00fbb6b c:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
    2006-12-20 00:12 2059392 ba4b97c00a437c1cc3da365d93ee1e9d c:\windows\$hf_mig$\KB929338\SP2QFE\ntkrnlpa.exe
    2007-02-28 17:15 2059392 4d3dbdccbf97f5ba1e74f322b155c3ba c:\windows\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
    2008-08-14 15:39 2066048 a25e9b86effb2af33bf51e676b68bfb0 c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
    2007-02-28 16:38 2057600 515d30e2c90a3665a2739309334c9283 c:\windows\$NtServicePackUninstall$\ntkrnlpa.exe
    2004-08-04 20:00 2056832 947fb1d86d14afcffdb54bf837ec25d0 c:\windows\$NtUninstallKB890859$\ntkrnlpa.exe
    2005-03-02 08:34 2056832 81013f36b21c7f72cf784cc6731e0002 c:\windows\$NtUninstallKB929338$\ntkrnlpa.exe
    2006-12-19 20:55 2057600 1d659bfb788ed2ba45075624b748d249 c:\windows\$NtUninstallKB931784$\ntkrnlpa.exe
    2008-04-14 00:01 2065792 109f8e3e3c82e337bb71b6bc9b895d61 c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
    2008-08-14 17:33 2066048 4ac58f03eb94a72809949d757fc39d80 c:\windows\Driver Cache\i386\ntkrnlpa.exe
    2008-04-14 00:01 2065792 109f8e3e3c82e337bb71b6bc9b895d61 c:\windows\ServicePackFiles\i386\ntkrnlpa.exe
    2008-08-14 17:33 2066048 4ac58f03eb94a72809949d757fc39d80 c:\windows\system32\ntkrnlpa.exe
    2008-04-14 00:01 2065792 109f8e3e3c82e337bb71b6bc9b895d61 c:\windows\system32\dllcache\ntkrnlpa.exe

    2005-03-02 09:04 2179456 28187802b7c368c0d3aef7d4c382aabb c:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
    2006-12-20 00:51 2182016 cef243f6defd20be4adde26c7ecacb54 c:\windows\$hf_mig$\KB929338\SP2QFE\ntoskrnl.exe
    2007-02-28 17:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 c:\windows\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
    2008-08-14 16:11 2189184 31914172342bff330063f343ac6958fe c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
    2007-02-28 17:10 2180352 582a8dbaa58c3b1f176eb2817daee77c c:\windows\$NtServicePackUninstall$\ntoskrnl.exe
    2004-08-04 20:00 2180992 ce218bc7088681faa06633e218596ca7 c:\windows\$NtUninstallKB890859$\ntoskrnl.exe
    2005-03-02 08:59 2179328 4d4cf2c14550a4b7718e94a6e581856e c:\windows\$NtUninstallKB929338$\ntoskrnl.exe
    2006-12-19 22:17 2180352 8f0deab1f81fb83f9c5995853ce48b9f c:\windows\$NtUninstallKB931784$\ntoskrnl.exe
    2008-04-14 00:57 2188928 0c89243c7c3ee199b96fcc16990e0679 c:\windows\$NtUninstallKB956841$\ntoskrnl.exe
    2008-08-14 18:11 2189184 eeaf32f8e15a24f62becb1bd403bb5c5 c:\windows\Driver Cache\i386\ntoskrnl.exe
    2008-04-14 00:57 2188928 0c89243c7c3ee199b96fcc16990e0679 c:\windows\ServicePackFiles\i386\ntoskrnl.exe
    2008-08-14 18:11 2189184 eeaf32f8e15a24f62becb1bd403bb5c5 c:\windows\system32\ntoskrnl.exe
    2008-04-14 00:57 2188928 0c89243c7c3ee199b96fcc16990e0679 c:\windows\system32\dllcache\ntoskrnl.exe

    2008-04-14 05:42 1033728 12896823fb95bfb3dc9b46bcaedc9923 c:\windows\explorer.exe
    2007-06-13 19:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
    2007-06-13 18:23 1033216 97bd6515465659ff8f3b7be375b2ea87 c:\windows\$NtServicePackUninstall$\explorer.exe
    2004-08-04 20:00 1032192 a0732187050030ae399b241436565e64 c:\windows\$NtUninstallKB938828$\explorer.exe
    2008-04-14 05:42 1033728 12896823fb95bfb3dc9b46bcaedc9923 c:\windows\ServicePackFiles\i386\explorer.exe
    2008-04-14 05:42 1033728 12896823fb95bfb3dc9b46bcaedc9923 c:\windows\system32\dllcache\explorer.exe

    2004-08-04 20:00 108032 c6ce6eec82f187615d1002bb3bb50ed4 c:\windows\$NtServicePackUninstall$\services.exe
    2008-04-14 05:42 108544 0e776ed5f7cc9f94299e70461b7b8185 c:\windows\ServicePackFiles\i386\services.exe
    2008-04-14 05:42 108544 0e776ed5f7cc9f94299e70461b7b8185 c:\windows\system32\services.exe
    2008-04-14 05:42 108544 0e776ed5f7cc9f94299e70461b7b8185 c:\windows\system32\dllcache\services.exe

    2004-08-04 20:00 13312 84885f9b82f4d55c6146ebf6065d75d2 c:\windows\$NtServicePackUninstall$\lsass.exe
    2008-04-14 05:42 13312 bf2466b3e18e970d8a976fb95fc1ca85 c:\windows\ServicePackFiles\i386\lsass.exe
    2008-04-14 05:42 13312 bf2466b3e18e970d8a976fb95fc1ca85 c:\windows\system32\lsass.exe
    2008-04-14 05:42 13312 bf2466b3e18e970d8a976fb95fc1ca85 c:\windows\system32\dllcache\lsass.exe

    2004-08-04 20:00 15360 24232996a38c0b0cf151c2140ae29fc8 c:\windows\$NtServicePackUninstall$\ctfmon.exe
    2008-04-14 05:42 15360 5f1d5f88303d4a4dbc8e5f97ba967cc3 c:\windows\ServicePackFiles\i386\ctfmon.exe
    2008-04-14 05:42 15360 5f1d5f88303d4a4dbc8e5f97ba967cc3 c:\windows\system32\ctfmon.exe
    2008-04-14 05:42 15360 5f1d5f88303d4a4dbc8e5f97ba967cc3 c:\windows\system32\dllcache\ctfmon.exe

    2005-06-11 08:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
    2005-06-11 07:53 57856 da81ec57acd4cdc3d4c51cf3d409af9f c:\windows\$NtServicePackUninstall$\spoolsv.exe
    2004-08-04 20:00 57856 7435b108b935e42ea92ca94f59c8e717 c:\windows\$NtUninstallKB896423$\spoolsv.exe
    2008-04-14 05:42 57856 d8e14a61acc1d4a6cd0d38aebac7fa3b c:\windows\ServicePackFiles\i386\spoolsv.exe
    2008-04-14 05:42 57856 d8e14a61acc1d4a6cd0d38aebac7fa3b c:\windows\system32\spoolsv.exe
    2008-04-14 05:42 57856 d8e14a61acc1d4a6cd0d38aebac7fa3b c:\windows\system32\dllcache\spoolsv.exe

    2004-08-04 20:00 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\$NtServicePackUninstall$\userinit.exe
    2008-04-14 05:42 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\ServicePackFiles\i386\userinit.exe
    2008-04-14 05:42 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\system32\userinit.exe
    2008-04-14 05:42 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\system32\dllcache\userinit.exe

    2004-08-04 20:00 295424 b60c877d16d9c880b952fda04adf16e6 c:\windows\$NtServicePackUninstall$\termsrv.dll
    2008-04-14 05:42 295424 ff3477c03be7201c294c35f684b3479f c:\windows\ServicePackFiles\i386\termsrv.dll
    2008-04-14 05:42 295424 ff3477c03be7201c294c35f684b3479f c:\windows\system32\termsrv.dll
    2008-04-14 05:42 295424 ff3477c03be7201c294c35f684b3479f c:\windows\system32\dllcache\termsrv.dll
    .
    ((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *注意* 空白与合法缺省登录将不会被显示
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "MSMSGS"="c:\program files\Messenger\MSMSGS.EXE" [2008-04-14 1695232]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UVS11 Preload"="c:\program files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe" [2007-03-03 341488]
    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-20 98394]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-20 688218]
    "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 155648]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-05-19 155648]
    "OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 69632]
    "NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
    "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-18 196608]
    "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-16 385024]
    "IMSCMig"="c:\progra~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE" [2007-04-02 17248]
    "EOUApp"="c:\program files\Intel\Wireless\Bin\EOUWiz.exe" [2004-10-16 356352]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "SoundMan"="SOUNDMAN.EXE" [2005-05-17 c:\windows\SOUNDMAN.EXE]
    "AGRSMMSG"="AGRSMMSG.exe" [2004-07-23 c:\windows\AGRSMMSG.exe]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
    2004-10-16 02:27 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.MJPG"=Pvmjpg21.dll
    "VIDC.PIM1"=pclepim1.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59fd6a01-73bf-11dc-9ccc-0012f0853aff}]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59fd6a03-73bf-11dc-9ccc-0012f0853aff}]
    \Shell\AutoRun\command - f:\prayayav3\prayayav3\prayayav3.exe
    \Shell\shell01\command - f:\prayayav3\prayayav3\prayayav3.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f1a9fd64-5fe8-11db-9bb6-0012f0853aff}]
    \Shell\AutoRun\command - E:\LaunchU3.exe

    *Newly Created Service* - PROCEXP90

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{FBD561C7-3FD5-2B0E-2DD8-5F3F1C46D6E6}]
    C:\WINDOWS:fwcagent.exe
    .
    'Scheduled Tasks' folder contents

    2007-10-05 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

    2007-10-05 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-UVS10 Preload - c:\program files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe


    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    mWindow Title = -
    uInternet Settings,ProxyOverride = local
    IE: Upload to QQ Network Disk (上传到QQ网络硬盘) - c:\program files\Tencent\QQ\AddToNetDisk.htm
    IE: Export to Microsoft Office Excel(&X) (导出到 Microsoft Office Excel(&X)) - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Add to QQ Custom Panel (添加到QQ自定义面板) - c:\program files\Tencent\QQ\AddPanel.htm
    IE: Add to QQ Emoticons (添加到QQ表情) - c:\program files\Tencent\QQ\AddEmotion.htm
    IE: Send this picture via QQ MMS (用QQ彩信发送该图片) - c:\program files\Tencent\QQ\SendMMS.htm
    IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157b} - c:\program files\Tencent\QQ\QQ.EXE
    IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157b} - c:\program files\Tencent\QQ\QQ.EXE -
    Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll
    FireFox -: Profile - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\9xvx9re7.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - about:blank
    FF -: plugin - c:\program files\Java\j2re1.4.1_02\bin\NPJava11.dll
    FF -: plugin - c:\program files\Java\j2re1.4.1_02\bin\NPJava12.dll
    FF -: plugin - c:\program files\Java\j2re1.4.1_02\bin\NPJava13.dll
    FF -: plugin - c:\program files\Java\j2re1.4.1_02\bin\NPJava32.dll
    FF -: plugin - c:\program files\Java\j2re1.4.1_02\bin\NPJPI141_02.dll
    FF -: plugin - c:\program files\Java\j2re1.4.1_02\bin\NPOJI610.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPJava11.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPJava12.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPJava131_07.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPJava32.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPJPI141_02.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\npoji600.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPOJI610.dll
    FF -: plugin - c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-11 20:06:42
    Windows 5.1.2600 Service Pack 3 NTFS

    Scanning hidden processes ...

    Scanning hidden autostart entries ...

    Scanning hidden files ...

    Scanning completed
    Hidden Files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(904)
    c:\program files\Intel\Wireless\Bin\LgNotify.dll
    .
    Time completed: 2008-12-11 20:08:29
    ComboFix-quarantined-files.txt 2008-12-11 12:08:11

    Pre-Run: 12,355,493,888 bytes free
    Post-Run: 12,729,192,448 bytes free

    348 --- E O F --- 2008-11-24 13:24:45
     
  13. 2008/12/11
    noahdfear
    Is there any change in behavior?
     
  14. 2008/12/11
    jharry
    There is no detectable change in the computer's behavior.
     
  15. 2008/12/11
    noahdfear
    You have a flash drive infection. Please download Flash_Disinfector by sUBs and save it to your desktop:

    • Plug in your USB flash drive.
    • Double-click Flash_Disinfector.exe to run it.
    • Follow any prompts that may appear.
    • Your desktop will vanish for a while, and then reappear. This is normal.
    • Wait until the program has finished scanning, then please exit the program. If you use more than 1 flash drive, run the tool with each plugged in.

    Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    KillAll::
    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59fd6a03-73bf-11dc-9ccc-0012f0853aff}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{FBD561C7-3FD5-2B0E-2DD8-5F3F1C46D6E6}]
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.




    This procedure is documented on the Microsoft.com website for resetting registry and system file permissions, as well as default security descriptors. While it might not fix the problem, it should do no harm either.

    Download and install SubInACL from Microsoft.

    Close out all other programs and open windows.

    Highlight and copy the contents of the code box below.
    Code:
    rem SubInACL installs into the Resource Kit Tools folder; run it from there
    cd /d "%ProgramFiles%\Windows Resource Kits\Tools"
    rem Registry: Administrators take ownership, Administrators and SYSTEM get full control, RESTRICTED gets read
    subinacl /subkeyreg HKEY_LOCAL_MACHINE\Software /owner=administrators /grant=administrators=f /grant=system=f /grant=RESTRICTED=r
    subinacl /subkeyreg HKEY_LOCAL_MACHINE\System /owner=administrators /grant=administrators=f /grant=system=f /grant=RESTRICTED=r
    subinacl /subkeyreg HKEY_CURRENT_USER /owner=administrators /grant=administrators=f /grant=system=f /grant=RESTRICTED=r
    subinacl /subkeyreg HKEY_CLASSES_ROOT /owner=administrators /grant=administrators=f /grant=system=f /grant=RESTRICTED=r
    rem File system: Administrators and SYSTEM get full control on the system drive and the Windows folder
    subinacl /subdirectories %SystemDrive% /grant=administrators=f /grant=system=f
    subinacl /subdirectories %windir%\*.* /grant=administrators=f /grant=system=f
    exit
    cls
    
    Click Start>Run and type cmd then hit enter to open a command window.
    Right click in the command window and select paste.
    It will take a while for the commands to process, so please be patient.
    The command window should close on its own when finished.
    Reboot for the changes to take effect.


    My next step would be to run the System File Checker. Click Start>Run and type sfc /scannow then hit Enter. You may be prompted to insert the XP cd, so you'll need to have it handy.
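The CFScript in the post above deletes two keys, and the log shows why those two: the MountPoints2 entry binds the flash drive's AutoRun and its default shell verb to f:\prayayav3\prayayav3\prayayav3.exe, so opening the drive in Explorer launches it, and the Active Setup entry's stub path C:\WINDOWS:fwcagent.exe is an NTFS alternate data stream attached to the Windows folder, which a normal directory listing never shows. The Security Center DisableMonitoring and AntiVirusDisableNotify values in the same log show the AV and firewall monitoring was silenced. The Python below is an added example, not the poster's code or a ComboFix feature: it parses a REGEDIT4-style loading-points block (a constructed sample modelled on the log in this thread), flags those three patterns, and writes the same Registry:: block the poster used. The `vetted` set is the analyst's decision, here the SanDisk U3 launcher that the poster chose not to remove; the regexes are heuristics written for this example.

```python
import re

# Constructed sample modelled on the ComboFix "Reg Loading Points" section
# posted in this thread; it is not a live log.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-05-19 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59fd6a01-73bf-11dc-9ccc-0012f0853aff}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59fd6a03-73bf-11dc-9ccc-0012f0853aff}]
\Shell\AutoRun\command - f:\prayayav3\prayayav3\prayayav3.exe
\Shell\shell01\command - f:\prayayav3\prayayav3\prayayav3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{FBD561C7-3FD5-2B0E-2DD8-5F3F1C46D6E6}]
C:\WINDOWS:fwcagent.exe
"""

# A MountPoints2 verb line: "\Shell\<verb>\command - <command line>"
VERB_RE = re.compile(r"^\\Shell\\[^\\]+\\command\s+-\s+(.+)$", re.I)
# "<drive>:\<path>:<stream>": a second colon after the drive letter means the
# stub is an NTFS alternate data stream rather than a file.
ADS_RE = re.compile(r"^[a-z]:\\[^:]*:[^\\:]+$", re.I)
# Security Center values that silence or disable AV/firewall monitoring
# (tolerant of the stray spaces the forum software put inside the quotes).
SC_OFF_RE = re.compile(
    r'^"(AntiVirusDisableNotify|FirewallDisableNotify|UpdatesDisableNotify|'
    r'DisableMonitoring)\s*"\s*=\s*dword:0*1$', re.I)


def parse_sections(text):
    """Split REGEDIT4-style text into (key, [non-empty body lines]) pairs."""
    sections, key, body = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            if key is not None:
                sections.append((key, body))
            key, body = line[1:-1], []
        elif key is not None and line:
            body.append(line)
    if key is not None:
        sections.append((key, body))
    return sections


def exe_name(cmdline):
    """Lower-cased basename of the first token of a command line."""
    return cmdline.split()[0].rsplit("\\", 1)[-1].lower()


def triage(text, vetted=frozenset()):
    """Return (kind, key, detail) findings. `vetted` holds executable basenames
    the analyst has already checked; the helper in this thread left the U3
    launcher alone, so the usage below passes {"launchu3.exe"}."""
    findings = []
    for key, body in parse_sections(text):
        lkey = key.lower()
        for line in body:
            verb = VERB_RE.match(line)
            if "mountpoints2" in lkey and verb:
                if exe_name(verb.group(1)) not in vetted:
                    findings.append(("autorun", key, verb.group(1)))
            elif "active setup" in lkey and ADS_RE.match(line):
                findings.append(("ads", key, line))
            elif "security center" in lkey and SC_OFF_RE.match(line):
                findings.append(("sc_disabled", key, line))
    return findings


def cfscript(findings):
    """Build the CFScript that deletes every key flagged as autorun or ADS.
    Security Center values are reported but not scripted: [-key] removes the
    whole key, and the AV product should be re-enabled through its own UI."""
    keys = []
    for kind, key, _ in findings:
        if kind in ("autorun", "ads") and key not in keys:
            keys.append(key)
    return "\n".join(["KillAll::", "Registry::"] + [f"[-{k}]" for k in keys])


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG, vetted={"launchu3.exe"})
    for kind, key, detail in hits:
        print(f"{kind:12} {key}\n             {detail}")
    print()
    print(cfscript(hits))
```

The generated script is the same two [-key] lines the post above contains; paste a full loading-points section into SAMPLE_LOG to triage another log the same way, and treat the sc_disabled findings as a prompt to re-enable the product, not as keys to delete.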
     
  16. 2008/12/11
    jharry
    I finished the Flash_Disinfector part of your instructions. My computer lost the ability to drag icons on the desktop. Is there some other way to execute the rest of your instructions?
    I tried to install subinacl.msi but got a message saying "The Windows Installer Service could not be accessed ...".
     
    Last edited: 2008/12/11
  17. 2008/12/11
    noahdfear
    The ComboFix log shows that you did not save ComboFix to the desktop as instructed, but instead saved it to c:\downloads\windowsbbs\ComboFix.exe

    Provided it is still in that location, save the CFScript file to the same folder.
    Now, click Start>Run and type the following command.

    c:\downloads\windowsbbs\ComboFix.exe /cfscript.txt

    Be sure to leave a space between ComboFix.exe and the /cfscript switch. ComboFix should run as expected.
     
  18. 2008/12/11
    noahdfear
    Do you have Winrar, or another program to extract self-extracting exes to a folder?
     
  19. 2008/12/11
    jharry
    I have a program called winace that can extract compressed files.

    All files downloaded in this thread are transferred to my computer via the flash drive. My Windows Explorer does not allow me to drag, copy, or paste files. I have to use the command prompt to copy files from the flash drive to my computer. I don't know how to copy to my desktop, so all files are copied to the downloads\windowsbbs folder. The context (right-click) menu in Windows Explorer lets me send a file's shortcut (but not the file itself) to the desktop. That is why the log shows that ComboFix is executed from my downloads\windowsbbs folder. Here is the log from ComboFix.exe /CFScript.txt.

    ComboFix 08-12-09.03 - Owner 2008-12-12 11:59:29.2 - NTFSx86
    Running from: c:\downloads\windowsbbs\ComboFix.exe
    Command switches used :: /cfscript.txt

    Note - This computer does not have Recovery Console installed !!
    .

    ((((((((((((((((((((((((( 2008-11-12 to 2008-12-12 new files )))))))))))))))))))))))))))))))
    .

    2008-12-11 11:46 . 2008-04-14 05:42 108,544 --a------ c:\windows\system32\services.exe
    2008-12-11 10:12 . 2008-04-14 05:42 14,336 --a------ c:\windows\system32\svchost.exe
    2008-12-11 08:53 . 2008-04-14 05:51 20,056,462 --a--c--- c:\windows\system32\dllcache\sp3.cab
    2008-12-11 08:52 . 2007-04-03 00:09 11,053,008 --a--c--- c:\windows\system32\dllcache\msncli.exe
    2008-12-11 08:51 . 2008-04-13 21:09 2,775,842 --a--c--- c:\windows\system32\dllcache\cimwin32.mof
    2008-12-11 08:50 . 2008-04-14 05:41 1,888,992 --a--c--- c:\windows\system32\dllcache\ati3duag.dll
    2008-11-24 21:22 . 2008-04-14 05:42 331,776 --a--c--- c:\windows\system32\dllcache\msadce.dll
    2008-11-23 08:14 . 2008-04-14 00:47 456,576 --a--c--- c:\windows\system32\dllcache\mrxsmb.sys
    2008-11-22 22:18 . 2008-04-14 05:42 1,104,896 --a--c--- c:\windows\system32\dllcache\msxml3.dll
    2008-11-18 16:44 . 2008-11-18 20:19 <DIR> d-------- c:\program files\数独博士

    .
    (((((((((((((((((((((((((((((((((((((((( Files modified in last 3 months ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-05 08:42 --------- d-----w c:\documents and settings\Owner\Application Data\U3
    2008-11-23 00:10 --------- d-----w c:\program files\McAfee
    2008-11-22 14:14 --------- d-----w c:\program files\Common Files\McAfee
    2008-11-10 09:06 --------- d-----w c:\program files\电子成语词典
    2008-11-10 09:05 772,188 ----a-w c:\windows\GPInstall.exe
    2008-11-10 08:29 --------- d-----w c:\program files\Revo Uninstaller
    2008-11-10 07:38 --------- d-----w c:\program files\Nero 8
    2008-11-10 07:38 --------- d-----w c:\program files\Common Files\Nero
    2008-11-10 07:38 --------- d-----w c:\documents and settings\Owner\Application Data\Nero
    2008-11-07 00:01 --------- d-----w c:\program files\eMule
    2008-11-07 00:00 --------- d-----w c:\program files\Realtek Sound Manager
    2008-11-07 00:00 --------- d-----w c:\program files\AvRack
    2008-11-06 23:59 --------- d-----w c:\program files\NewTech Infosystems
    2008-11-06 23:59 --------- d-----w c:\program files\Netscape
    2008-11-06 23:59 --------- d-----w c:\program files\china_emap2008
    2008-11-06 12:50 --------- d-----w c:\program files\Foxit Software
    2008-11-06 12:31 --------- d--h--w c:\program files\InstallShield Installation Information
    2008-11-06 08:14 --------- d-----w c:\program files\中国电子地图2008bin
    2008-11-06 08:14 --------- d-----w c:\program files\中国电子地图2008
    2008-11-05 13:31 --------- d-----w c:\documents and settings\Owner\Application Data\Ulead Systems
    2008-11-05 13:31 --------- d-----w c:\documents and settings\All Users\Application Data\Ulead Systems
    2008-11-05 13:03 --------- d-----w c:\program files\Ulead Systems
    2008-11-05 09:33 --------- d-----w c:\program files\Kingsoft
    2008-11-05 09:18 --------- d-----w c:\documents and settings\Owner\Application Data\Kingsoft
    2008-11-05 09:18 --------- d-----w c:\documents and settings\All Users\Application Data\Kingsoft
    2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
    2008-10-18 12:13 --------- d-----w c:\program files\Common Files\Ulead Systems
    2008-10-18 11:50 --------- d-----w c:\program files\Common Files\InterVideo
    2008-10-18 11:49 --------- d-----w c:\documents and settings\All Users\Application Data\InterVideo
    2008-10-16 06:13 202,776 ----a-w c:\windows\system32\wuweb.dll
    2008-10-16 06:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
    2008-10-16 06:12 561,688 ----a-w c:\windows\system32\wuapi.dll
    2008-10-16 06:12 323,608 ----a-w c:\windows\system32\wucltui.dll
    2008-10-16 06:09 92,696 ----a-w c:\windows\system32\cdm.dll
    2008-10-16 06:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
    2008-10-16 06:09 43,544 ----a-w c:\windows\system32\wups2.dll
    2008-10-16 06:08 34,328 ----a-w c:\windows\system32\wups.dll
    2008-10-16 06:06 268,648 ----a-w c:\windows\system32\mucltui.dll
    2008-10-16 06:06 208,744 ----a-w c:\windows\system32\muweb.dll
    2008-09-30 08:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
    2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
    2007-10-04 12:04 284 ----a-w c:\documents and settings\Owner\Application Data\ViewerApp.dat
    2002-08-08 15:40 153,088 ----a-w c:\program files\UNWISE.EXE
    .

    ------- Sigcheck -------

    2004-08-04 20:00 14336 8f078ae4ed187aaabc0a305146de6716 c:\windows\$NtServicePackUninstall$\svchost.exe
    2008-04-14 05:42 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 c:\windows\ServicePackFiles\i386\svchost.exe
    2008-04-14 05:42 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 c:\windows\system32\svchost.exe
    2008-04-14 05:42 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 c:\windows\system32\dllcache\svchost.exe

    2005-03-03 02:19 577024 1800f293bccc8ede8a70e12b88d80036 c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
    2007-03-08 23:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
    2007-03-08 23:36 577536 b409909f6e2e8a7067076ed748abf1e7 c:\windows\$NtServicePackUninstall$\user32.dll
    2004-08-04 20:00 577024 c72661f8552ace7c5c85e16a3cf505c4 c:\windows\$NtUninstallKB890859$\user32.dll
    2005-03-03 02:09 577024 de2db164bbb35db061af0997e4499054 c:\windows\$NtUninstallKB925902$\user32.dll
    2008-04-14 05:42 578560 b26b135ff1b9f60c9388b4a7d16f600b c:\windows\ServicePackFiles\i386\user32.dll
    2008-04-14 05:42 578560 b26b135ff1b9f60c9388b4a7d16f600b c:\windows\system32\user32.dll
    2008-04-14 05:42 578560 b26b135ff1b9f60c9388b4a7d16f600b c:\windows\system32\dllcache\user32.dll

    2004-08-04 20:00 82944 2ed0b7f12a60f90092081c50fa0ec2b2 c:\windows\$NtServicePackUninstall$\ws2_32.dll
    2008-04-14 05:42 82432 2ccc474eb85ceaa3e1fa1726580a3e5a c:\windows\ServicePackFiles\i386\ws2_32.dll
    2008-04-14 05:42 82432 2ccc474eb85ceaa3e1fa1726580a3e5a c:\windows\system32\ws2_32.dll
    2008-04-14 05:42 82432 2ccc474eb85ceaa3e1fa1726580a3e5a c:\windows\system32\dllcache\ws2_32.dll

    2005-05-03 04:57 658944 e1e18136f9dd3df1ad9c82193a5898a6 c:\windows\$hf_mig$\KB883939\SP2QFE\wininet.dll
    2005-10-21 11:38 661504 af785c4947676a7fc1673fdc5c8d0b5b c:\windows\$hf_mig$\KB905915\SP2QFE\wininet.dll
    2006-03-04 11:58 663552 c0845ecbf4f9164e618ee381b79c9032 c:\windows\$hf_mig$\KB912812\SP2QFE\wininet.dll
    2006-06-23 19:25 664576 64ce26db72810b30f7855ea51e1df836 c:\windows\$hf_mig$\KB918899\SP2QFE\wininet.dll
    2006-09-14 16:31 664576 d207370287cf769aebebf03837784963 c:\windows\$hf_mig$\KB922760\SP2QFE\wininet.dll
    2007-03-08 01:40 823296 b8f4db39ca7353752f245379d285c80e c:\windows\$hf_mig$\KB931768-IE7\SP2QFE\wininet.dll
    2007-06-27 22:40 824320 d6ed5e042c5207553e7f5e842918137f c:\windows\$hf_mig$\KB937143-IE7\SP2QFE\wininet.dll
    2007-08-20 18:02 825344 357d54bf94fe9d6d8505a96b5c2a3bca c:\windows\$hf_mig$\KB939653-IE7\SP2QFE\wininet.dll
    2007-12-07 10:01 825344 b5b411bb229ae6ead7652a32ed47bfb9 c:\windows\$hf_mig$\KB944533-IE7\SP2QFE\wininet.dll
    2008-03-01 21:03 827392 6316c2f0c61271c8abdff7429174879e c:\windows\$hf_mig$\KB947864-IE7\SP2QFE\wininet.dll
    2008-08-26 17:08 827904 77c192fe56a70d7fa0247ba0a6201c32 c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
    2004-08-04 20:00 656384 c0823fc5469663ba63e7db88f9919d70 c:\windows\$NtUninstallKB883939$\wininet.dll
    2005-05-03 04:52 657920 1a078af3f85d10ba56444c23b3a18e74 c:\windows\$NtUninstallKB905915$\wininet.dll
    2005-10-21 11:39 658432 e7b27b6b6e06ce34ea019fd8b858c613 c:\windows\$NtUninstallKB912812$\wininet.dll
    2006-03-04 11:33 658432 1c0979c7a489bee573cd0bf4ad94bb06 c:\windows\$NtUninstallKB918899$\wininet.dll
    2006-06-23 19:02 658944 2b4db890936430c71419037039502752 c:\windows\$NtUninstallKB922760$\wininet.dll
    2006-09-14 16:39 658944 621af3f6174a3f60677f5230e28bcc07 c:\windows\ie7\wininet.dll
    2006-11-08 13:03 818688 92995334f993e6e49c25c6d02ec04401 c:\windows\ie7updates\KB928090-IE7\wininet.dll
    2007-01-12 09:27 822784 be43d00d802c92f01c8cc952c6f483f8 c:\windows\ie7updates\KB931768-IE7\wininet.dll
    2007-03-08 01:45 822784 5b35dae6e4886f64d1da58c4e3e01eb9 c:\windows\ie7updates\KB937143-IE7\wininet.dll
    2007-06-27 22:34 823808 8068cbb58fe60cc95aeb2cff70178208 c:\windows\ie7updates\KB939653-IE7\wininet.dll
    2007-08-20 18:04 824832 774435e499d8e9643ec961a6103c361f c:\windows\ie7updates\KB944533-IE7\wininet.dll
    2007-12-07 10:21 824832 806d274c9a6c3aaea5eae8e4af841e04 c:\windows\ie7updates\KB947864-IE7\wininet.dll
    2008-03-01 21:06 826368 ad21461aef8244edec2ef18e55e1dcf3 c:\windows\ie7updates\KB956390-IE7\wininet.dll
    2008-04-14 05:42 666112 7a4f775abb2f1c97def3e73afa2faedd c:\windows\ServicePackFiles\i386\wininet.dll
    2008-08-26 15:24 826368 ef8eba98145bfa44e80d17a3b3453300 c:\windows\system32\wininet.dll
    2008-04-14 05:42 666112 7a4f775abb2f1c97def3e73afa2faedd c:\windows\system32\dllcache\wininet.dll

    2005-05-26 03:07 359936 63fdfea54eb53de2d863ee454937ce1e c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
    2006-01-14 01:07 360448 5562cc0a47b2aef06d3417b733f3c195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
    2006-04-20 20:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
    2007-10-31 00:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
    2007-10-31 01:20 360064 90caff4b094573449a0872a0f919b178 c:\windows\$NtServicePackUninstall$\tcpip.sys
    2004-08-04 20:00 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB893066$\tcpip.sys
    2005-05-26 03:04 359808 88763a98a4c26c409741b4aa162720c9 c:\windows\$NtUninstallKB913446$\tcpip.sys
    2006-01-13 10:28 359808 583e063fdc888ca30d05c2724b0d7ef4 c:\windows\$NtUninstallKB917953$\tcpip.sys
    2006-04-20 19:51 359808 1dbf125862891817f374f407626967f4 c:\windows\$NtUninstallKB941644$\tcpip.sys
    2008-04-14 00:50 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\ServicePackFiles\i386\tcpip.sys
    2008-04-14 00:50 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\system32\dllcache\tcpip.sys
    2008-04-14 00:50 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\system32\drivers\tcpip.sys

    2004-08-04 20:00 502272 01c3346c241652f43aed8e2149881bfe c:\windows\$NtServicePackUninstall$\winlogon.exe
    2008-04-14 05:42 507904 ed0ef0a136dec83df69f04118870003e c:\windows\ServicePackFiles\i386\winlogon.exe
    2008-04-14 05:42 507904 ed0ef0a136dec83df69f04118870003e c:\windows\system32\winlogon.exe
    2008-04-14 05:42 507904 ed0ef0a136dec83df69f04118870003e c:\windows\system32\dllcache\winlogon.exe

    2004-08-04 20:00 182912 558635d3af1c7546d26067d5d9b6959e c:\windows\$NtServicePackUninstall$\ndis.sys
    2008-04-14 00:50 182656 1df7f42665c94b825322fae71721130d c:\windows\ServicePackFiles\i386\ndis.sys
    2008-04-14 00:50 182656 1df7f42665c94b825322fae71721130d c:\windows\system32\dllcache\ndis.sys
    2008-04-14 00:50 182656 1df7f42665c94b825322fae71721130d c:\windows\system32\drivers\ndis.sys

    2004-08-04 20:00 29056 4448006b6bc60e6c027932cfc38d6855 c:\windows\$NtServicePackUninstall$\ip6fw.sys
    2008-04-14 00:23 36608 3bb22519a194418d5fec05d800a19ad0 c:\windows\ServicePackFiles\i386\ip6fw.sys
    2008-04-14 00:23 36608 3bb22519a194418d5fec05d800a19ad0 c:\windows\system32\dllcache\ip6fw.sys
    2008-04-14 00:23 36608 3bb22519a194418d5fec05d800a19ad0 c:\windows\system32\drivers\ip6fw.sys

    2005-03-02 07:36 2056832 d8aba3eab509627e707a3b14f00fbb6b c:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
    2006-12-20 00:12 2059392 ba4b97c00a437c1cc3da365d93ee1e9d c:\windows\$hf_mig$\KB929338\SP2QFE\ntkrnlpa.exe
    2007-02-28 17:15 2059392 4d3dbdccbf97f5ba1e74f322b155c3ba c:\windows\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
    2008-08-14 15:39 2066048 a25e9b86effb2af33bf51e676b68bfb0 c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
    2007-02-28 16:38 2057600 515d30e2c90a3665a2739309334c9283 c:\windows\$NtServicePackUninstall$\ntkrnlpa.exe
    2004-08-04 20:00 2056832 947fb1d86d14afcffdb54bf837ec25d0 c:\windows\$NtUninstallKB890859$\ntkrnlpa.exe
    2005-03-02 08:34 2056832 81013f36b21c7f72cf784cc6731e0002 c:\windows\$NtUninstallKB929338$\ntkrnlpa.exe
    2006-12-19 20:55 2057600 1d659bfb788ed2ba45075624b748d249 c:\windows\$NtUninstallKB931784$\ntkrnlpa.exe
    2008-04-14 00:01 2065792 109f8e3e3c82e337bb71b6bc9b895d61 c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
    2008-08-14 17:33 2066048 4ac58f03eb94a72809949d757fc39d80 c:\windows\Driver Cache\i386\ntkrnlpa.exe
    2008-04-14 00:01 2065792 109f8e3e3c82e337bb71b6bc9b895d61 c:\windows\ServicePackFiles\i386\ntkrnlpa.exe
    2008-08-14 17:33 2066048 4ac58f03eb94a72809949d757fc39d80 c:\windows\system32\ntkrnlpa.exe
    2008-04-14 00:01 2065792 109f8e3e3c82e337bb71b6bc9b895d61 c:\windows\system32\dllcache\ntkrnlpa.exe

    2005-03-02 09:04 2179456 28187802b7c368c0d3aef7d4c382aabb c:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
    2006-12-20 00:51 2182016 cef243f6defd20be4adde26c7ecacb54 c:\windows\$hf_mig$\KB929338\SP2QFE\ntoskrnl.exe
    2007-02-28 17:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 c:\windows\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
    2008-08-14 16:11 2189184 31914172342bff330063f343ac6958fe c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
    2007-02-28 17:10 2180352 582a8dbaa58c3b1f176eb2817daee77c c:\windows\$NtServicePackUninstall$\ntoskrnl.exe
    2004-08-04 20:00 2180992 ce218bc7088681faa06633e218596ca7 c:\windows\$NtUninstallKB890859$\ntoskrnl.exe
    2005-03-02 08:59 2179328 4d4cf2c14550a4b7718e94a6e581856e c:\windows\$NtUninstallKB929338$\ntoskrnl.exe
    2006-12-19 22:17 2180352 8f0deab1f81fb83f9c5995853ce48b9f c:\windows\$NtUninstallKB931784$\ntoskrnl.exe
    2008-04-14 00:57 2188928 0c89243c7c3ee199b96fcc16990e0679 c:\windows\$NtUninstallKB956841$\ntoskrnl.exe
    2008-08-14 18:11 2189184 eeaf32f8e15a24f62becb1bd403bb5c5 c:\windows\Driver Cache\i386\ntoskrnl.exe
    2008-04-14 00:57 2188928 0c89243c7c3ee199b96fcc16990e0679 c:\windows\ServicePackFiles\i386\ntoskrnl.exe
    2008-08-14 18:11 2189184 eeaf32f8e15a24f62becb1bd403bb5c5 c:\windows\system32\ntoskrnl.exe
    2008-04-14 00:57 2188928 0c89243c7c3ee199b96fcc16990e0679 c:\windows\system32\dllcache\ntoskrnl.exe

    2008-04-14 05:42 1033728 12896823fb95bfb3dc9b46bcaedc9923 c:\windows\explorer.exe
    2007-06-13 19:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
    2007-06-13 18:23 1033216 97bd6515465659ff8f3b7be375b2ea87 c:\windows\$NtServicePackUninstall$\explorer.exe
    2004-08-04 20:00 1032192 a0732187050030ae399b241436565e64 c:\windows\$NtUninstallKB938828$\explorer.exe
    2008-04-14 05:42 1033728 12896823fb95bfb3dc9b46bcaedc9923 c:\windows\ServicePackFiles\i386\explorer.exe
    2008-04-14 05:42 1033728 12896823fb95bfb3dc9b46bcaedc9923 c:\windows\system32\dllcache\explorer.exe

    2004-08-04 20:00 108032 c6ce6eec82f187615d1002bb3bb50ed4 c:\windows\$NtServicePackUninstall$\services.exe
    2008-04-14 05:42 108544 0e776ed5f7cc9f94299e70461b7b8185 c:\windows\ServicePackFiles\i386\services.exe
    2008-04-14 05:42 108544 0e776ed5f7cc9f94299e70461b7b8185 c:\windows\system32\services.exe
    2008-04-14 05:42 108544 0e776ed5f7cc9f94299e70461b7b8185 c:\windows\system32\dllcache\services.exe

    2004-08-04 20:00 13312 84885f9b82f4d55c6146ebf6065d75d2 c:\windows\$NtServicePackUninstall$\lsass.exe
    2008-04-14 05:42 13312 bf2466b3e18e970d8a976fb95fc1ca85 c:\windows\ServicePackFiles\i386\lsass.exe
    2008-04-14 05:42 13312 bf2466b3e18e970d8a976fb95fc1ca85 c:\windows\system32\lsass.exe
    2008-04-14 05:42 13312 bf2466b3e18e970d8a976fb95fc1ca85 c:\windows\system32\dllcache\lsass.exe

    2004-08-04 20:00 15360 24232996a38c0b0cf151c2140ae29fc8 c:\windows\$NtServicePackUninstall$\ctfmon.exe
    2008-04-14 05:42 15360 5f1d5f88303d4a4dbc8e5f97ba967cc3 c:\windows\ServicePackFiles\i386\ctfmon.exe
    2008-04-14 05:42 15360 5f1d5f88303d4a4dbc8e5f97ba967cc3 c:\windows\system32\ctfmon.exe
    2008-04-14 05:42 15360 5f1d5f88303d4a4dbc8e5f97ba967cc3 c:\windows\system32\dllcache\ctfmon.exe

    2005-06-11 08:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
    2005-06-11 07:53 57856 da81ec57acd4cdc3d4c51cf3d409af9f c:\windows\$NtServicePackUninstall$\spoolsv.exe
    2004-08-04 20:00 57856 7435b108b935e42ea92ca94f59c8e717 c:\windows\$NtUninstallKB896423$\spoolsv.exe
    2008-04-14 05:42 57856 d8e14a61acc1d4a6cd0d38aebac7fa3b c:\windows\ServicePackFiles\i386\spoolsv.exe
    2008-04-14 05:42 57856 d8e14a61acc1d4a6cd0d38aebac7fa3b c:\windows\system32\spoolsv.exe
    2008-04-14 05:42 57856 d8e14a61acc1d4a6cd0d38aebac7fa3b c:\windows\system32\dllcache\spoolsv.exe

    2004-08-04 20:00 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\$NtServicePackUninstall$\userinit.exe
    2008-04-14 05:42 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\ServicePackFiles\i386\userinit.exe
    2008-04-14 05:42 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\system32\userinit.exe
    2008-04-14 05:42 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\system32\dllcache\userinit.exe

    2004-08-04 20:00 295424 b60c877d16d9c880b952fda04adf16e6 c:\windows\$NtServicePackUninstall$\termsrv.dll
    2008-04-14 05:42 295424 ff3477c03be7201c294c35f684b3479f c:\windows\ServicePackFiles\i386\termsrv.dll
    2008-04-14 05:42 295424 ff3477c03be7201c294c35f684b3479f c:\windows\system32\termsrv.dll
    2008-04-14 05:42 295424 ff3477c03be7201c294c35f684b3479f c:\windows\system32\dllcache\termsrv.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "MSMSGS"="c:\program files\Messenger\MSMSGS.EXE" [2008-04-14 1695232]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UVS11 Preload"="c:\program files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe" [2007-03-03 341488]
    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-20 98394]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-20 688218]
    "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 155648]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-05-19 155648]
    "OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 69632]
    "NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
    "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-18 196608]
    "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-16 385024]
    "IMSCMig"="c:\progra~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE" [2007-04-02 17248]
    "EOUApp"="c:\program files\Intel\Wireless\Bin\EOUWiz.exe" [2004-10-16 356352]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "SoundMan"="SOUNDMAN.EXE" [2005-05-17 c:\windows\SOUNDMAN.EXE]
    "AGRSMMSG"="AGRSMMSG.exe" [2004-07-23 c:\windows\AGRSMMSG.exe]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
    2004-10-16 02:27 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.MJPG"=Pvmjpg21.dll
    "VIDC.PIM1"=pclepim1.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59fd6a01-73bf-11dc-9ccc-0012f0853aff}]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59fd6a03-73bf-11dc-9ccc-0012f0853aff}]
    \Shell\AutoRun\command - f:\prayayav3\prayayav3\prayayav3.exe
    \Shell\shell01\command - f:\prayayav3\prayayav3\prayayav3.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f1a9fd64-5fe8-11db-9bb6-0012f0853aff}]
    \Shell\AutoRun\command - E:\LaunchU3.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{FBD561C7-3FD5-2B0E-2DD8-5F3F1C46D6E6}]
    C:\WINDOWS:fwcagent.exe
    .
    ‘计划任务’ 文件夹 里的内容

    2007-10-05 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

    2007-10-05 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
    .
    .
    ------- 而外的扫描 -------
    .
    uStart Page = about:blank
    mWindow Title = -
    uInternet Settings,ProxyOverride = local
    IE: 上传到QQ网络硬盘 - c:\program files\Tencent\QQ\AddToNetDisk.htm
    IE: 导出到 Microsoft Office Excel(&X) - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: 添加到QQ自定义面板 - c:\program files\Tencent\QQ\AddPanel.htm
    IE: 添加到QQ表情 - c:\program files\Tencent\QQ\AddEmotion.htm
    IE: 用QQ彩信发送该图片 - c:\program files\Tencent\QQ\SendMMS.htm
    IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157b} - c:\program files\Tencent\QQ\QQ.EXE
    IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157b} - c:\program files\Tencent\QQ\QQ.EXE -
    Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll
    FireFox -: Profile - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\9xvx9re7.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - about:blank
    FF -: plugin - c:\program files\Java\j2re1.4.1_02\bin\NPJava11.dll
    FF -: plugin - c:\program files\Java\j2re1.4.1_02\bin\NPJava12.dll
    FF -: plugin - c:\program files\Java\j2re1.4.1_02\bin\NPJava13.dll
    FF -: plugin - c:\program files\Java\j2re1.4.1_02\bin\NPJava32.dll
    FF -: plugin - c:\program files\Java\j2re1.4.1_02\bin\NPJPI141_02.dll
    FF -: plugin - c:\program files\Java\j2re1.4.1_02\bin\NPOJI610.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPJava11.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPJava12.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPJava131_07.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPJava32.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPJPI141_02.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\npoji600.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPOJI610.dll
    FF -: plugin - c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-12 12:02:12
    Windows 5.1.2600 Service Pack 3 NTFS

    Scanning hidden processes。。。 ...

    Scanning hidden startup groups。。。

    Scanning hidden files。。。

    Scanning completed
    Hidden Files: 0

    **************************************************************************
    .
    --------------------- 运行进程下的dynamic link libraries ---------------------

    - - - - - - - > 'winlogon.exe'(896)
    c:\program files\Intel\Wireless\Bin\LgNotify.dll
    .
    Time completed: 2008-12-12 12:03:56
    ComboFix-quarantined-files.txt 2008-12-12 04:03:46
    ComboFix2.txt 2008-12-11 12:08:30

    Pre-Run: 12,738,281,472 bytes free
    Post-Run: 12,727,488,512 bytes free

    297 --- E O F --- 2008-11-24 13:24:45
     
  20. 2008/12/11
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You can download a self extracting file that contains subinacl.exe here (right side and down a little)
    Extract it to its own folder. Edit the reset.bat file, replacing its contents with the contents of the code box below.

    Code:
    REM Take ownership of the HKLM\Software hive (key and all subkeys) and restore
    REM Full Control (f) for Administrators and SYSTEM; RESTRICTED gets Read (r).
    subinacl /subkeyreg HKEY_LOCAL_MACHINE\Software /owner=administrators /grant=administrators=f /grant=system=f /grant=RESTRICTED=r
    REM Same for HKLM\System (which holds the service definitions), HKCU and HKCR.
    subinacl /subkeyreg HKEY_LOCAL_MACHINE\System /owner=administrators /grant=administrators=f /grant=system=f /grant=RESTRICTED=r
    subinacl /subkeyreg HKEY_CURRENT_USER /owner=administrators /grant=administrators=f /grant=system=f /grant=RESTRICTED=r
    subinacl /subkeyreg HKEY_CLASSES_ROOT /owner=administrators /grant=administrators=f /grant=system=f /grant=RESTRICTED=r
    REM Restore Full Control for Administrators and SYSTEM on every folder and file
    REM of the system drive and of the Windows directory.
    subinacl /subdirectories %SystemDrive% /grant=administrators=f /grant=system=f
    subinacl /subdirectories %windir%\*.* /grant=administrators=f /grant=system=f
    cls
    exit
    
    Now just run reset.bat and reboot when it completes.
     
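    After reset.bat has run, a read-only check that the permissions actually came back is useful before and after the reboot. The PowerShell script below is an added example, not part of noahdfear's instructions and not part of the SubInACL package; it assumes PowerShell is installed on the machine and is run from an administrator prompt. It walks every subkey of HKLM\SYSTEM\CurrentControlSet\Services (the key under which Windows stores its service definitions) and reports any key where Administrators or SYSTEM do not hold Full Control, where a Deny entry blocks them, or where some other principal holds Full Control. The list of principals whose Full Control is treated as normal (`$expectedFull`) and the script's file name are assumptions.

```powershell
# Added example, not from the thread or the SubInACL package: read-only audit of
# the ACL on every service definition key. Run it from an elevated PowerShell
# prompt after reset.bat has completed (and again after the reboot) to confirm
# that Administrators and SYSTEM really hold Full Control on every subkey.
param(
    [string]$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
)

$fullControl = [System.Security.AccessControl.RegistryRights]::FullControl

# Principals that must hold Full Control on each service key.
$required = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
# Assumption: principals whose Full Control is considered normal and not reported.
$expectedFull = $required + @('CREATOR OWNER')

$findings = @()
function Add-Finding([string]$Key, [string]$Issue, [string]$Principal) {
    $script:findings += New-Object PSObject -Property @{
        Key = $Key; Issue = $Issue; Principal = $Principal
    }
}

$subkeys = @(Get-ChildItem -Path $ServicesKey -ErrorAction SilentlyContinue)
foreach ($key in $subkeys) {
    try {
        $acl = Get-Acl -Path $key.PSPath -ErrorAction Stop
    } catch {
        # If even the ACL cannot be read, the key is locked down too far.
        Add-Finding $key.PSChildName 'ACL not readable' ''
        continue
    }

    # Each required principal needs an Allow entry that covers Full Control.
    foreach ($p in $required) {
        $allowFull = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $p -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.RegistryRights -band $fullControl) -eq $fullControl)
        }
        if (-not $allowFull) { Add-Finding $key.PSChildName 'missing Full Control' $p }
    }

    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        # A Deny entry against Administrators or SYSTEM wins over any Allow entry.
        if ($ace.AccessControlType -eq 'Deny' -and $required -contains $who) {
            Add-Finding $key.PSChildName 'Deny entry present' $who
        }
        # Any other principal with Full Control on a service key deserves a look.
        if ($ace.AccessControlType -eq 'Allow' -and
            (($ace.RegistryRights -band $fullControl) -eq $fullControl) -and
            $expectedFull -notcontains $who) {
            Add-Finding $key.PSChildName 'unexpected Full Control' $who
        }
    }
}

Write-Host ("Subkeys checked: {0}; findings: {1}" -f $subkeys.Count, $findings.Count)
$findings | Sort-Object Key, Issue | Format-Table Key, Issue, Principal -AutoSize
```

    Save it as, for example, Check-ServiceKeyAcl.ps1 (name assumed) and run it once before reset.bat to record the damage and once afterwards; a clean run prints the subkey count with zero findings. The script changes nothing, so it is safe to rerun, and the "Deny entry present" case matters because SubInACL's /grant switches add Allow entries but do not by themselves remove an existing Deny.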
  21. 2008/12/12
    jharry

    jharry Inactive Thread Starter

    Joined:
    2008/12/07
    Messages:
    106
    Likes Received:
    1
    The sfc turned up nothing abnormal. I completed all steps of your instructions. What do I do next?
     