vyan2000

Honorary Members
  • Posts: 113
  • Reputation: 0 Neutral
  1. Hi screen317, I will install all the programs you suggested on this laptop. Thanks a lot for the help, which is very, very professional. Y
  2. Now the computer has updated all the items that you suggested, and everything seems all right now. Thanks a lot for your help, Y
  3. Hi, this is the log from Security Check. And now the computer seems all right. Thanks for the help, Y

    Results of screen317's Security Check version 0.99.18
    Windows XP Service Pack 3
    Internet Explorer 7 Out of date!
    ``````````````````````````````
    Antivirus/Firewall Check:
    ESET Online Scanner v3
    Symantec Endpoint Protection
    Antivirus up to date!
    ```````````````````````````````
    Anti-malware/Other Utilities Check:
    Malwarebytes' Anti-Malware
    Java 6 Update 26
    Flash Player Out of Date! Adobe Flash Player 10.1.53.64
    Mozilla Firefox (3.6.18) Firefox Out of Date!
    ````````````````````````````````
    Process Check: objlist.exe by Laurent
    Norton ccSvcHst.exe
    ``````````End of Log````````````
  4. During the first run of ESET, two adware items were found. But unfortunately, I clicked the uninstallation button of ESET, and the log from the first run was lost. This is the log from the second run of ESET. Thanks a lot, Y

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=7.00.6000.17099 (vista_gdr.110617-1500)
    # OnlineScanner.ocx=1.0.0.6528
    # api_version=3.0.2
    # EOSSerial=7e3fbdd3a005c94481ce0f966c648a9b
    # end=finished
    # remove_checked=true
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2011-08-12 11:39:46
    # local_time=2011-08-12 07:39:46 )
    # country="People's Republic of China"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=99697
    # found=0
    # cleaned=0
    # scan_time=1407
  5. Hi, this is the SystemLook log. Thanks, Y

    SystemLook 30.07.11 by jpshortstuff
    Log created at 10:54 on 12/08/2011 by vyan2000
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "winlogon.exe"
    C:\WINDOWS\system32\winlogon.exe --a---- 493056 bytes [00:00 09/05/2008] [00:00 09/05/2008] 440EDA2420CFA1B3B2AB4725FC33825D

    -= EOF =-
  6. Hi, this is the log regarding winlogon.exe, and its zip file is also attached. Thanks, Y

    0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware.
    0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
    File name: winlogon.exe
    Submission date: 2011-08-12 14:28:44 (UTC)
    Current status: queued queued (#331) analysing finished
    Result: 0/ 43 (0.0%)

    winlogon.zip
  7. Sorry for the late reply. These two days have been really tough. I will post the log later today. Thanks a lot for the help. Cheers, Y
  8. This is the new DDS.txt. Thanks a lot for the help, Y

    .
    DDS (Ver_2011-06-23.01) - NTFSx86
    Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_26
    Run by vyan2000 at 14:12:11 on 2011-08-08
    Microsoft Windows XP Professional 5.1.2600.3.936.86.2052.18.998.447 [GMT -4:00]
    .
    AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    svchost.exe
    svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Google\Google Pinyin 2\GooglePinyinDaemon.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\Google Pinyin 2\GooglePinyinService.exe
    svchost.exe
    C:\WINDOWS\system32\acs.exe
    C:\Program Files\FileZilla_Server\FileZilla Server.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
    C:\WINDOWS\system32\conime.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/intl/en/
    mStart Page = hxxp://www.shendu.com/
    BHO: ThunderAtOnce Class: {01443aec-0fd1-40fd-9c87-e93d1494c233} - c:\program files\thunder network\thunder\comdlls\TDAtOnce_Now.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
    BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
    mRun: [synTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
    mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
    mRun: [igfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
    mRun: [Google Pinyin 2 Autoupdater] "c:\program files\google\google pinyin 2\GooglePinyinDaemon.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE
    dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
    uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
    uPolicies-explorer: NoResolveTrack = 1 (0x1)
    mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
    dPolicies-explorer: NoSMHelp = 1 (0x1)
    dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
    dPolicies-explorer: NoResolveTrack = 1 (0x1)
    IE: 使用迅雷下载 - c:\program files\thunder network\thunder\program\geturl.htm
    IE: 使用迅雷下载全部链接 - c:\program files\thunder network\thunder\program\getallurl.htm
    IE: {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - c:\program files\thunder network\thunder\Thunder.exe
    DPF: {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A} - hxxp://dl.uc.sina.com/cab/downloader.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
    TCP: DhcpNameServer = 128.59.62.10 128.59.59.70
    TCP: Interfaces\{0FF73FAB-1D19-4ED1-A638-CBE6283A4DA9} : DhcpNameServer = 128.59.62.10 128.59.59.70
    TCP: Interfaces\{D1F22BD3-1CB8-49BD-A074-E4AF70F82B02} : DhcpNameServer = 128.59.59.70 128.59.62.10
    Notify: igfxcui - igfxdev.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\vyan2000.pc-200807031513\application data\mozilla\firefox\profiles\awkphk6d.default\
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdjvu.dll
    FF - plugin: c:\program files\mympc\rpplugins\nppl3260.dll
    FF - plugin: c:\program files\mympc\rpplugins\npqtplugin.dll
    FF - plugin: c:\program files\mympc\rpplugins\nprpjplug.dll
    FF - plugin: c:\windows\system32\tvuax\npTVUAx.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: FlashGot: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34} - %profile%\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
    FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 iaStor7;Intel AHCI Controller;c:\windows\system32\drivers\iastor7.sys [2008-1-23 308248]
    R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-4-29 108392]
    R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-4-29 108392]
    R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2008-4-29 2234296]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-8-4 105592]
    R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110808.003\NAVENG.SYS [2011-8-8 86136]
    R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110808.003\NAVEX15.SYS [2011-8-8 1576312]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-4-29 23888]
    S3 npkycryp;npkycryp;\??\c:\windows\system32\npkycryp.sys --> c:\windows\system32\npkycryp.sys [?]
    .
    =============== File Associations ===============
    .
    txtfile=c:\windows\notepad.exe %1
    .
    =============== Created Last 30 ================
    .
    2011-08-08 17:56:12 -------- d-sha-r- C:\cmdcons
    2011-08-08 17:54:53 98816 ----a-w- c:\windows\sed.exe
    2011-08-08 17:54:53 518144 ----a-w- c:\windows\SWREG.exe
    2011-08-08 17:54:53 256000 ----a-w- c:\windows\PEV.exe
    2011-08-08 17:54:53 208896 ----a-w- c:\windows\MBR.exe
    2011-07-30 01:16:52 -------- d-----w- c:\program files\VS Revo Group
    2011-07-16 03:43:45 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-07-16 03:43:41 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-07-16 03:43:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-07-16 03:01:39 105472 ------w- c:\windows\system32\dllcache\mup.sys
    .
    ==================== Find3M ====================
    .
    2011-06-06 11:35:19 1858560 ----a-w- c:\windows\system32\win32k.sys
    .
    ============= FINISH: 14:12:21.14 ===============
  9. Hi, thanks a lot for the help. This is the log from ComboFix. Y

    ComboFix 11-08-07.03 - vyan2000 -08-08 星期一 13:57:26.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.936.86.2052.18.998.553 [GMT -4:00]
    执行位置: c:\documents and settings\vyan2000.PC-200807031513\桌面\ComboFix.exe
    AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
     * 成功创造新还原点
    .
    .
    ((((((((((((((((((((((((((((((((((((((( 被删除的档案 )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\vyan2000.PC-200807031513\桌面\Setup.exe
    c:\windows\system32\Cache
    c:\windows\system32\msconfig.exe
    .
    .
    ((((((((((((((((((((((((( 2011-07-08 至 2011-08-08 的新的档案 )))))))))))))))))))))))))))))))
    .
    .
    2011-07-30 01:16 . 2011-07-30 01:16 -------- d-----w- c:\program files\VS Revo Group
    2011-07-29 23:53 . 2011-07-29 23:53 -------- d-----w- c:\program files\Common Files\Java
    2011-07-16 03:43 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-07-16 03:43 . 2011-07-16 03:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-07-16 03:43 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-07-16 03:01 . 2011-04-21 13:37 105472 ------w- c:\windows\system32\dllcache\mup.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-06-06 11:35 . 2008-04-14 12:00 1858560 ----a-w- c:\windows\system32\win32k.sys
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [-] 2008-05-09 . 440EDA2420CFA1B3B2AB4725FC33825D . 493056 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
    .
    ((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *注意* 空白与合法缺省登录将不会被显示
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2007-08-10 110592]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-08-10 512000]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-04-24 1036288]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-09 135168]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-09 155648]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-09 131072]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-04-29 115560]
    "Google Pinyin 2 Autoupdater"="c:\program files\Google\Google Pinyin 2\GooglePinyinDaemon.exe" [2010-06-25 1214520]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "nltide_3"="advpack.dll" [2011-04-25 124928]
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoSMConfigurePrograms"= 1 (0x1)
    "NoResolveTrack"= 1 (0x1)
    .
    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoSMHelp"= 1 (0x1)
    "NoSMConfigurePrograms"= 1 (0x1)
    "NoResolveTrack"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0210804]
    Ime File REG_SZ GOOGLEPINYIN2.IME
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0040804]
    IME File REG_SZ winabc.ime
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2011-06-08 04:02 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]
    2008-04-04 12:25 277960 ----a-w- c:\program files\DAEMON Tools Pro\DTProAgent.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileZilla Server Interface]
    2008-07-30 10:04 942080 ----a-w- c:\program files\FileZilla_Server\FileZilla Server Interface.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
    "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
    "c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
    "c:\\Program Files\\WinSCP3\\WinSCP3.exe"=
    "c:\\Program Files\\FileZilla_Server\\FileZilla server.exe"=
    "c:\\WINDOWS\\system32\\ftp.exe"=
    "c:\\Program Files\\Thunder Network\\Thunder\\Program\\Thunder5.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "21:TCP"= 21:TCP:ftp
    "14147:TCP"= 14147:TCP:127.0.0.l
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
    .
    R0 iaStor7;Intel AHCI Controller;c:\windows\system32\drivers\iastor7.sys [2008-1-23 5:20 308248]
    R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2008-7-27 4:07 717296]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-8-4 17:23 105592]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-4-29 3:51 23888]
    S3 npkycryp;npkycryp;\??\c:\windows\system32\npkycryp.sys --> c:\windows\system32\npkycryp.sys [?]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    ‘计划任务’ 文件夹 里的内容
    .
    2011-08-08 c:\windows\Tasks\WGASetup.job
    - c:\windows\system32\KB905474\wgasetup.exe [2009-04-20 02:18]
    .
    .
    ------- 而外的扫描 -------
    .
    uStart Page = hxxp://www.google.com/intl/en/
    mStart Page = hxxp://www.shendu.com/
    IE: 使用迅雷下载 - c:\program files\Thunder Network\Thunder\Program\geturl.htm
    IE: 使用迅雷下载全部链接 - c:\program files\Thunder Network\Thunder\Program\getallurl.htm
    IE: {{09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - c:\program files\Thunder Network\Thunder\Thunder.exe
    TCP: DhcpNameServer = 128.59.59.70 128.59.62.10
    DPF: {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A} - hxxp://dl.uc.sina.com/cab/downloader.cab
    FF - ProfilePath - c:\documents and settings\vyan2000.PC-200807031513\Application Data\Mozilla\Firefox\Profiles\awkphk6d.default\
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: FlashGot: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34} - %profile%\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
    FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
    .
    .
    ------- 文件类型 -------
    .
    txtfile=c:\windows\notepad.exe %1
    .
    - - - - ORPHANS REMOVED - - - -
    .
    SafeBoot-Symantec Antvirus
    MSConfigStartUp-AdVantage - c:\program files\AdVantage\AdVantage.exe
    MSConfigStartUp-MsnMsgr - c:\program files\MSN Messenger\msnmsgr.exe
    MSConfigStartUp-PPLiveVA - c:\program files\PPLiveVA\PPLiveVA.exe
    AddRemove-Adobe AIR - c:\program files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe
    AddRemove-com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1 - c:\program files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe
    AddRemove-HijackThis - G:\HijackThis.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-08-08 14:00
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    扫描被隐藏的进程 。。。
    .
    扫描被隐藏的启动组 。。。
    .
    扫描被隐藏的文件 。。。
    .
    扫描完成 被隐藏的档案: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\AppEvents\Schemes\Apps\Conf\ g篘*慂Q\.Current]
    @="c:\\Program Files\\NetMeeting\\Blip.wav"
    .
    [HKEY_USERS\LocalService\AppEvents\Schemes\Apps\Conf\ g篘*慂Q\.Current]
    @="c:\\Program Files\\NetMeeting\\Blip.wav"
    .
    [HKEY_USERS\S-1-5-20\AppEvents\Schemes\Apps\Conf\ g篘*慂Q\.Current]
    @="c:\\Program Files\\NetMeeting\\Blip.wav"
    .
    [HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-1005\AppEvents\Schemes\Apps\Conf\ g篘*慂Q\.Current]
    @="c:\\Program Files\\NetMeeting\\Blip.wav"
    .
    [HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-1005\Software\Microsoft\I*n*t*e*r*n*e*t* * gthV\Errors]
    "Columns"=""
    .
    [HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-1005\Software\Microsoft\I*n*t*e*r*n*e*t* * gthV\Filters]
    "Columns"=""
    .
    [HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\~伅媜忲N\Q*Q*魐璬]
    "Order"=hex:08,00,00,00,02,00,00,00,7e,01,00,00,01,00,00,00,03,00,00,00,7e,00,
       00,00,00,00,00,00,70,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,5e,00,32,\
    .
    [HKEY_LOCAL_MACHINE\software\Classes\*\shell\(u"*皨婲,g"*Sb*_\command]
    @="notepad.exe %1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*膥鯪\CLSID]
    @="{809B6661-94C4-49E6-B6EC-3F0F862215AA}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*膥鯪\CurVer]
    @="BDATuner.组件.1"
    .
    完成时间: 2011-08-08 14:01:09
    ComboFix-quarantined-files.txt 2011-08-08 18:01
    .
    Pre-Run: 4,323,536,896 可用字节
    Post-Run: 4,424,343,552 可用字节
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-CHS.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    - - End Of File - - 7CBBA9C0246AF25BEC89961C795038B9
  10. This is the DDS.txt. Thanks a lot, Y

    .
    DDS (Ver_2011-06-23.01) - NTFSx86
    Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_26
    Run by Administrator at 23:23:21 on 2011-08-04
    Microsoft Windows XP Professional 5.1.2600.3.936.86.2052.18.998.297 [GMT -4:00]
    .
    AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    svchost.exe
    svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\WINDOWS\system32\acs.exe
    C:\Program Files\FileZilla_Server\FileZilla Server.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\conime.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.columbia.edu/
    mStart Page = hxxp://www.shendu.com/
    mWinlogon: SfcDisable=-99 (0xffffff9d)
    BHO: ThunderAtOnce Class: {01443aec-0fd1-40fd-9c87-e93d1494c233} - c:\program files\thunder network\thunder\comdlls\TDAtOnce_Now.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
    BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
    EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
    mRun: [synTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
    mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
    mRun: [igfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
    mRun: [Google Pinyin 2 Autoupdater] "c:\program files\google\google pinyin 2\GooglePinyinDaemon.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE
    dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
    uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
    uPolicies-explorer: NoResolveTrack = 1 (0x1)
    mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
    dPolicies-explorer: NoSMHelp = 1 (0x1)
    dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
    dPolicies-explorer: NoResolveTrack = 1 (0x1)
    IE: 使用迅雷下载 - c:\program files\thunder network\thunder\program\geturl.htm
    IE: 使用迅雷下载全部链接 - c:\program files\thunder network\thunder\program\getallurl.htm
    IE: {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - c:\program files\thunder network\thunder\Thunder.exe
    DPF: {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A} - hxxp://dl.uc.sina.com/cab/downloader.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
    TCP: DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{0FF73FAB-1D19-4ED1-A638-CBE6283A4DA9} : DhcpNameServer = 192.168.1.1
    Notify: igfxcui - igfxdev.dll
    IFEO: wupdmgr.exe - ntsd--
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\2rstdgij.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.columbia.edu/
    FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdjvu.dll
    FF - plugin: c:\program files\mympc\rpplugins\nppl3260.dll
    FF - plugin: c:\program files\mympc\rpplugins\npqtplugin.dll
    FF - plugin: c:\program files\mympc\rpplugins\nprpjplug.dll
    FF - plugin: c:\windows\system32\tvuax\npTVUAx.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 iaStor7;Intel AHCI Controller;c:\windows\system32\drivers\iastor7.sys [2008-1-23 308248]
    R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-4-29 108392]
    R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-4-29 108392]
    R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2008-4-29 2234296]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-8-4 105592]
    R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110804.002\NAVENG.SYS [2011-8-4 86136]
    R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110804.002\NAVEX15.SYS [2011-8-4 1576312]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-4-29 23888]
    S3 npkycryp;npkycryp;\??\c:\windows\system32\npkycryp.sys --> c:\windows\system32\npkycryp.sys [?]
    .
    =============== File Associations ===============
    .
    chm.file="hh.exe" %1
    txtfile=c:\windows\notepad.exe %1
    .
    =============== Created Last 30 ================
    .
    2011-08-05 02:56:32 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes
    2011-07-30 01:16:52 -------- d-----w- c:\program files\VS Revo Group
    2011-07-16 03:43:45 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-07-16 03:43:41 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-07-16 03:43:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-07-16 03:01:39 105472 ------w- c:\windows\system32\dllcache\mup.sys
    .
    ==================== Find3M ====================
    .
    2011-06-06 11:35:19 1858560 ----a-w- c:\windows\system32\win32k.sys
    .
    ============= FINISH: 23:23:45.34 ===============
  11. Yes, you are right. I forgot my password, and I recalled it. The first time I tried MBAM, it could not finish the quick scan. Then I tried it again in safe mode, and it found 4 infections. Please see the log below, and I will post the other log soon. Thanks a lot, Y

    Malwarebytes' Anti-Malware 1.51.1.1800
    www.malwarebytes.org

    Database version: 7380

    Windows 5.1.2600 Service Pack 3 (Safe Mode)
    Internet Explorer 7.0.5730.13

    2011-8-4 23:03:05
    mbam-log-2011-08-04 (23-03-05).txt

    Scan type: Quick scan
    Objects scanned: 176927
    Time elapsed: 5 minute(s), 3 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 0
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3AA42713-5C1E-48E2-B432-D8BF420DD31D} (Rogue.AntiVirus2008) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\AdVantage (Adware.Vomba) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (PUM.Hijack.Help) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
  12. Hi screen317, Thanks a lot for the help. I guess I will continue to use this computer for a while and then do a full reinstall when I get a chance. So could you help me to clean it? BTW, I have a question about getting into my administrator account. As I reported in the last reply: +++++++++++++++++++ There are three account on this computer. Two of them have administrator privilege and are named as A and B. The third one is the default Administrator account. But, I cannot login the Administrator account anymore.(Or possibly I forget the password, and this is very unlikely.) +++++++++++++++++++ Is this possible related to the backdoor or the fact that there are two many accounts with administrator privilege in XP. Many thanks, Y
  13. Very nice guy with very strong technical skills.

    Thanks a lot for your help. It is a great work.

  14. One more log. Thanks, Y

    Malwarebytes' Anti-Malware 1.51.1.1800
    www.malwarebytes.org

    Database version: 7323

    Windows 5.1.2600 Service Pack 3 (Safe Mode)
    Internet Explorer 7.0.5730.13

    2011-7-29 21:08:30
    mbam-log-2011-07-29 (21-08-30).txt

    Scan type: Full scan (C:\|D:\|)
    Objects scanned: 295925
    Time elapsed: 19 minute(s), 39 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 3

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\program files\advantage\advantage.exe (Adware.Advantage) -> Quarantined and deleted successfully.
    d:\RECYCLER\s-1-5-21-1614895754-1935655697-1417001333-1005\Dd1\QQPet\qqpetdazzle.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.
    d:\RECYCLER\s-1-5-21-1614895754-1935655697-1417001333-1005\Dd2\QQGame.exe (Trojan.VirTool) -> Quarantined and deleted successfully.
  15. Hi, Screen317, I just noticed your response. I apologize for the very late reply... In the full scan mode, Malwarebytes can finish the quick scan. At the end, there are two logs. I am now trying a full scan. Currently, the Symantec Endpoint says: File system auto-protection is malfunctioning. And the Symantec LiveUpdate failed with an internal error. There are three accounts on this computer. Two of them have administrator privilege and are named A and B. The third one is the default Administrator account. But I cannot log in to the Administrator account anymore. (Or possibly I forgot the password, and this is very unlikely.) Thanks a lot for your help. Y

    Malwarebytes' Anti-Malware 1.51.1.1800
    www.malwarebytes.org

    Database version: 7323

    Windows 5.1.2600 Service Pack 3 (Safe Mode)
    Internet Explorer 7.0.5730.13

    2011-7-29 20:07:10
    mbam-log-2011-07-29 (20-07-10).txt

    Scan type: Quick scan
    Objects scanned: 29932
    Time elapsed: 1 minute(s), 0 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 12
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{E8CFC029-8420-4EAE-ADEF-915BDC77E1DC} (Spyware.AdaEbook) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\QQQTV网络电视.MyNSHandler (Spyware.AdaEbook) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{87CA3845-37FE-414C-81CF-E08A7D0F6779} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{988934A4-064B-11D3-BB80-00104B35E7F9} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{802F530B-A8F6-4631-AE49-6BACAAC6373E} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\XunLeiBHO.XDownloadManager.1 (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\XunLeiBHO.XDownloadManager (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{889D2FEB-5411-4565-8998-1DD2C5261283} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\XunLeiBHO.ThunderIEHelper.1 (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\XunLeiBHO.ThunderIEHelper (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{889D2FEB-5411-4565-8998-1DD2C5261283} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{889D2FEB-5411-4565-8998-1DD2C5261283} (Trojan.BHO) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\program files\thunder network\Thunder\ComDlls\xunleibho_now.dll (Trojan.BHO) -> Quarantined and deleted successfull

    +++++++++++++++++++++++++++++++++++

    Malwarebytes' Anti-Malware 1.51.1.1800
    www.malwarebytes.org

    Database version: 7323

    Windows 5.1.2600 Service Pack 3 (Safe Mode)
    Internet Explorer 7.0.5730.13

    2011-7-29 20:28:53
    mbam-log-2011-07-29 (20-28-53).txt

    Scan type: Quick scan
    Objects scanned: 194163
    Time elapsed: 9 minute(s), 4 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 5
    Registry Values Infected: 0
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 3

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{602D9049-B4AC-4A25-BF75-A9B54D747CBA} (Adware.WhenU) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TR.TRFactory.1 (Adware.WhenU) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TR.TRFactory (Adware.WhenU) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{DABF362D-D442-4402-9208-CA9ED70DD01E} (Adware.WhenU) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{5AC3A9EF-C0F8-41D4-B4E2-B7CEBB794151} (Adware.WhenU) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (PUM.Hijack.Help) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\documents and settings\Guest\「开始」菜单\程序\启动\腾讯QQ.lnk (Malware.Trace) -> Quarantined and deleted successfully.
    c:\program files\advantage\{a89aed22-9133-424c-88e7-c8235c5ff302}\components\memedia_ff.dll (Adware.AdVantage) -> Quarantined and deleted successfully.
    c:\program files\advantage\TR.dll (Adware.WhenU) -> Quarantined and deleted suc