vyan2000
Honorary Members
Posts: 113
Reputation: 0 Neutral
Malwarebytes never finishes the quick scan
vyan2000 replied to vyan2000's topic in Resolved Malware Removal Logs
Hi screen317, I will install all the programs you suggested on this laptop. Thanks a lot for the help, which is very, very professional. Y
Malwarebytes never finishes the quick scan
vyan2000 replied to vyan2000's topic in Resolved Malware Removal Logs
Now the computer has updated all the items that you suggested, and everything seems alright now. Thanks a lot for your help, Y
Malwarebytes never finishes the quick scan
vyan2000 replied to vyan2000's topic in Resolved Malware Removal Logs
Hi, this is the log from Security Check. And now the computer seems alright. Thanks for the help, Y

Results of screen317's Security Check version 0.99.18
Windows XP Service Pack 3
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:
ESET Online Scanner v3
Symantec Endpoint Protection
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
Java 6 Update 26
Flash Player Out of Date! Adobe Flash Player 10.1.53.64
Mozilla Firefox (3.6.18) Firefox Out of Date!
````````````````````````````````
Process Check: objlist.exe by Laurent
Norton ccSvcHst.exe
``````````End of Log````````````
Malwarebytes never finishes the quick scan
vyan2000 replied to vyan2000's topic in Resolved Malware Removal Logs
During the first run of ESET, two adware items were found. But unfortunately, I clicked the uninstall button of ESET, and the log from the first run was lost. This is the log from the second run of ESET: Thanks a lot, Y

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.17099 (vista_gdr.110617-1500)
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=7e3fbdd3a005c94481ce0f966c648a9b
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-08-12 11:39:46
# local_time=2011-08-12 07:39:46 )
# country="People's Republic of China"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=99697
# found=0
# cleaned=0
# scan_time=1407
Malwarebytes never finishes the quick scan
vyan2000 replied to vyan2000's topic in Resolved Malware Removal Logs
Hi, this is the SystemLook log. Thanks, Y

SystemLook 30.07.11 by jpshortstuff
Log created at 10:54 on 12/08/2011 by vyan2000
Administrator - Elevation successful

========== filefind ==========

Searching for "winlogon.exe"
C:\WINDOWS\system32\winlogon.exe    --a---- 493056 bytes    [00:00 09/05/2008]    [00:00 09/05/2008]    440EDA2420CFA1B3B2AB4725FC33825D

-= EOF =-
Malwarebytes never finishes the quick scan
vyan2000 replied to vyan2000's topic in Resolved Malware Removal Logs
Hi, this is the log regarding winlogon.exe, and its zip file is also attached. Thanks, Y

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware.
0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name: winlogon.exe
Submission date: 2011-08-12 14:28:44 (UTC)
Current status: queued queued (#331) analysing finished
Result: 0/ 43 (0.0%)
winlogon.zip
Malwarebytes never finishes the quick scan
vyan2000 replied to vyan2000's topic in Resolved Malware Removal Logs
Sorry for the late reply. These two days have been really tough. I will post the log later today. Thanks a lot for the help, Cheers, Y
Malwarebytes never finishes the quick scan
vyan2000 replied to vyan2000's topic in Resolved Malware Removal Logs
This is the new DDS.txt. Thanks a lot for the help, Y
.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 7.0.5730.13  BrowserJavaVersion: 1.6.0_26
Run by vyan2000 at 14:12:11 on 2011-08-08
Microsoft Windows XP Professional 5.1.2600.3.936.86.2052.18.998.447 [GMT -4:00]
.
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Google\Google Pinyin 2\GooglePinyinDaemon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Pinyin 2\GooglePinyinService.exe
svchost.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\FileZilla_Server\FileZilla Server.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/intl/en/
mStart Page = hxxp://www.shendu.com/
BHO: ThunderAtOnce Class: {01443aec-0fd1-40fd-9c87-e93d1494c233} - c:\program files\thunder network\thunder\comdlls\TDAtOnce_Now.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
mRun: [synTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [igfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Google Pinyin 2 Autoupdater] "c:\program files\google\google pinyin 2\GooglePinyinDaemon.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-explorer: NoResolveTrack = 1 (0x1)
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
dPolicies-explorer: NoSMHelp = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
dPolicies-explorer: NoResolveTrack = 1 (0x1)
IE: 使用迅雷下载 (Download with Thunder) - c:\program files\thunder network\thunder\program\geturl.htm
IE: 使用迅雷下载全部链接 (Download all links with Thunder) - c:\program files\thunder network\thunder\program\getallurl.htm
IE: {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - c:\program files\thunder network\thunder\Thunder.exe
DPF: {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A} - hxxp://dl.uc.sina.com/cab/downloader.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
TCP: DhcpNameServer = 128.59.62.10 128.59.59.70
TCP: Interfaces\{0FF73FAB-1D19-4ED1-A638-CBE6283A4DA9} : DhcpNameServer = 128.59.62.10 128.59.59.70
TCP: Interfaces\{D1F22BD3-1CB8-49BD-A074-E4AF70F82B02} : DhcpNameServer = 128.59.59.70 128.59.62.10
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\vyan2000.pc-200807031513\application data\mozilla\firefox\profiles\awkphk6d.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdjvu.dll
FF - plugin: c:\program files\mympc\rpplugins\nppl3260.dll
FF - plugin: c:\program files\mympc\rpplugins\npqtplugin.dll
FF - plugin: c:\program files\mympc\rpplugins\nprpjplug.dll
FF - plugin: c:\windows\system32\tvuax\npTVUAx.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: FlashGot: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34} - %profile%\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
.
============= SERVICES / DRIVERS ===============
.
R0 iaStor7;Intel AHCI Controller;c:\windows\system32\drivers\iastor7.sys [2008-1-23 308248]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-4-29 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-4-29 108392]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2008-4-29 2234296]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-8-4 105592]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110808.003\NAVENG.SYS [2011-8-8 86136]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110808.003\NAVEX15.SYS [2011-8-8 1576312]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-4-29 23888]
S3 npkycryp;npkycryp;\??\c:\windows\system32\npkycryp.sys --> c:\windows\system32\npkycryp.sys [?]
.
=============== File Associations ===============
.
txtfile=c:\windows\notepad.exe %1
.
=============== Created Last 30 ================
.
2011-08-08 17:56:12    --------    d-sha-r-    C:\cmdcons
2011-08-08 17:54:53    98816    ----a-w-    c:\windows\sed.exe
2011-08-08 17:54:53    518144    ----a-w-    c:\windows\SWREG.exe
2011-08-08 17:54:53    256000    ----a-w-    c:\windows\PEV.exe
2011-08-08 17:54:53    208896    ----a-w-    c:\windows\MBR.exe
2011-07-30 01:16:52    --------    d-----w-    c:\program files\VS Revo Group
2011-07-16 03:43:45    41272    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-16 03:43:41    22712    ----a-w-    c:\windows\system32\drivers\mbam.sys
2011-07-16 03:43:41    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2011-07-16 03:01:39    105472    ------w-    c:\windows\system32\dllcache\mup.sys
.
==================== Find3M ====================
.
2011-06-06 11:35:19    1858560    ----a-w-    c:\windows\system32\win32k.sys
.
============= FINISH: 14:12:21.14 ===============
Malwarebytes never finishes the quick scan
vyan2000 replied to vyan2000's topic in Resolved Malware Removal Logs
Hi, thanks a lot for the help. This is the log from ComboFix: Y

ComboFix 11-08-07.03 - vyan2000 -08-08 Monday 13:57:26.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.936.86.2052.18.998.553 [GMT -4:00]
Running from: c:\documents and settings\vyan2000.PC-200807031513\桌面\ComboFix.exe
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
 * Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\vyan2000.PC-200807031513\桌面\Setup.exe
c:\windows\system32\Cache
c:\windows\system32\msconfig.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-07-08 to 2011-08-08 )))))))))))))))))))))))))))))))
.
.
2011-07-30 01:16 . 2011-07-30 01:16    --------    d-----w-    c:\program files\VS Revo Group
2011-07-29 23:53 . 2011-07-29 23:53    --------    d-----w-    c:\program files\Common Files\Java
2011-07-16 03:43 . 2011-07-06 23:52    41272    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-16 03:43 . 2011-07-16 03:44    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2011-07-16 03:43 . 2011-07-06 23:52    22712    ----a-w-    c:\windows\system32\drivers\mbam.sys
2011-07-16 03:01 . 2011-04-21 13:37    105472    ------w-    c:\windows\system32\dllcache\mup.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report (files modified in the last three months) ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-06 11:35 . 2008-04-14 12:00    1858560    ----a-w-    c:\windows\system32\win32k.sys
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-05-09 . 440EDA2420CFA1B3B2AB4725FC33825D . 493056 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2007-08-10 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-08-10 512000]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-04-24 1036288]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-09 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-09 155648]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-09 131072]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-04-29 115560]
"Google Pinyin 2 Autoupdater"="c:\program files\Google\Google Pinyin 2\GooglePinyinDaemon.exe" [2010-06-25 1214520]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2011-04-25 124928]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0210804]
Ime File    REG_SZ    GOOGLEPINYIN2.IME
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0040804]
IME File    REG_SZ    winabc.ime
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-06-08 04:02    37296    ----a-w-    c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]
2008-04-04 12:25    277960    ----a-w-    c:\program files\DAEMON Tools Pro\DTProAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileZilla Server Interface]
2008-07-30 10:04    942080    ----a-w-    c:\program files\FileZilla_Server\FileZilla Server Interface.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\WinSCP3\\WinSCP3.exe"=
"c:\\Program Files\\FileZilla_Server\\FileZilla server.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Thunder Network\\Thunder\\Program\\Thunder5.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"21:TCP"= 21:TCP:ftp
"14147:TCP"= 14147:TCP:127.0.0.l
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 iaStor7;Intel AHCI Controller;c:\windows\system32\drivers\iastor7.sys [2008-1-23 5:20 308248]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2008-7-27 4:07 717296]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-8-4 17:23 105592]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-4-29 3:51 23888]
S3 npkycryp;npkycryp;\??\c:\windows\system32\npkycryp.sys --> c:\windows\system32\npkycryp.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12    REG_MULTI_SZ    Pml Driver HPZ12 Net Driver HPZ12
getPlusHelper    REG_MULTI_SZ    getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-08 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-20 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/intl/en/
mStart Page = hxxp://www.shendu.com/
IE: 使用迅雷下载 (Download with Thunder) - c:\program files\Thunder Network\Thunder\Program\geturl.htm
IE: 使用迅雷下载全部链接 (Download all links with Thunder) - c:\program files\Thunder Network\Thunder\Program\getallurl.htm
IE: {{09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - c:\program files\Thunder Network\Thunder\Thunder.exe
TCP: DhcpNameServer = 128.59.59.70 128.59.62.10
DPF: {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A} - hxxp://dl.uc.sina.com/cab/downloader.cab
FF - ProfilePath - c:\documents and settings\vyan2000.PC-200807031513\Application Data\Mozilla\Firefox\Profiles\awkphk6d.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: FlashGot: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34} - %profile%\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
.
.
------- File Types -------
.
txtfile=c:\windows\notepad.exe %1
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-Symantec Antvirus
MSConfigStartUp-AdVantage - c:\program files\AdVantage\AdVantage.exe
MSConfigStartUp-MsnMsgr - c:\program files\MSN Messenger\msnmsgr.exe
MSConfigStartUp-PPLiveVA - c:\program files\PPLiveVA\PPLiveVA.exe
AddRemove-Adobe AIR - c:\program files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe
AddRemove-com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1 - c:\program files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe
AddRemove-HijackThis - G:\HijackThis.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-08 14:00
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\AppEvents\Schemes\Apps\Conf\ g篘*慂Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"
.
[HKEY_USERS\LocalService\AppEvents\Schemes\Apps\Conf\ g篘*慂Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"
.
[HKEY_USERS\S-1-5-20\AppEvents\Schemes\Apps\Conf\ g篘*慂Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"
.
[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-1005\AppEvents\Schemes\Apps\Conf\ g篘*慂Q\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"
.
[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-1005\Software\Microsoft\I*n*t*e*r*n*e*t* * gthV\Errors]
"Columns"=""
.
[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-1005\Software\Microsoft\I*n*t*e*r*n*e*t* * gthV\Filters]
"Columns"=""
.
[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\~伅媜忲N\Q*Q*魐璬]
"Order"=hex:08,00,00,00,02,00,00,00,7e,01,00,00,01,00,00,00,03,00,00,00,7e,00,
   00,00,00,00,00,00,70,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,5e,00,32,\
.
[HKEY_LOCAL_MACHINE\software\Classes\*\shell\(u"*皨婲,g"*Sb*_\command]
@="notepad.exe %1"
.
[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*膥鯪\CLSID]
@="{809B6661-94C4-49E6-B6EC-3F0F862215AA}"
.
[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*膥鯪\CurVer]
@="BDATuner.组件.1"
.
Completion time: 2011-08-08 14:01:09
ComboFix-quarantined-files.txt 2011-08-08 18:01
.
Pre-Run: 4,323,536,896 bytes free
Post-Run: 4,424,343,552 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-CHS.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 7CBBA9C0246AF25BEC89961C795038B9
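The Security Center and firewall-policy fragment in the ComboFix log above (AntiVirusOverride and FirewallOverride set to 1, DisableMonitoring for the Symantec entry, EnableFirewall=0 on the standard profile, and 21, 14147 and 3389/TCP listed as globally open ports) is exactly what a responder wants pulled out of a long log automatically. The following is an added example, not part of the forum thread and not ComboFix's own code: a small Python audit that parses a ComboFix-style registry dump and reports the weak settings. The sample input is that fragment copied from the log; the set of ports treated as remote-access exposure is this example's own assumption.

```python
"""Flag weak Security Center and Windows Firewall settings in a ComboFix-style registry dump.

Added example for the ComboFix log in this thread; it is not ComboFix's code. The
sample text is the Security Center / firewall-policy fragment copied from the log.
The set of ports treated as remote-access exposure is this example's own assumption.
"""
import re
from typing import Dict, List

# Constructed sample: copied from the posted ComboFix "Reg Loading Points" section.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\FileZilla_Server\\FileZilla server.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"21:TCP"= 21:TCP:ftp
"14147:TCP"= 14147:TCP:127.0.0.l
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""

# Assumption of this example: ports whose unsolicited inbound exposure on a workstation deserves a look.
REMOTE_ACCESS_PORTS = {21: "FTP", 23: "Telnet", 135: "RPC", 139: "NetBIOS", 445: "SMB", 3389: "RDP", 5900: "VNC"}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"\s*=\s*(?P<data>.*)$')


def parse_reg_dump(text: str) -> Dict[str, Dict[str, str]]:
    """Group "name"=data lines under the [key] that precedes them; key paths are lower-cased."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key").lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = m.group("data").strip()
    return keys


def reg_int(data: str, default: int) -> int:
    """Read both renderings ComboFix uses: 'dword:00000001' and '0 (0x0)'."""
    m = re.match(r"dword:([0-9a-fA-F]+)", data)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"\d+", data)
    return int(m.group(0)) if m else default


def audit(text: str) -> List[str]:
    """Return one finding per weak setting, in the order the keys appear in the dump."""
    findings: List[str] = []
    for key, values in parse_reg_dump(text).items():
        if key.endswith("\\security center"):
            for name in ("AntiVirusOverride", "FirewallOverride"):
                if reg_int(values.get(name, ""), 0) == 1:
                    findings.append(f"Security Center: {name}=1 (alerts for this component are suppressed)")
        elif "\\security center\\monitoring\\" in key:
            component = key.rsplit("\\", 1)[-1]
            if reg_int(values.get("DisableMonitoring", ""), 0) == 1:
                findings.append(f"Security Center: monitoring disabled for {component}")
        elif key.endswith("\\firewallpolicy\\standardprofile"):
            if reg_int(values.get("EnableFirewall", ""), 1) == 0:
                findings.append("Windows Firewall: EnableFirewall=0 on the standard profile")
        elif key.endswith("\\globallyopenports\\list"):
            for name in values:
                port, _, proto = name.partition(":")
                if port.isdigit() and int(port) in REMOTE_ACCESS_PORTS:
                    findings.append(f"Windows Firewall: {port}/{proto} ({REMOTE_ACCESS_PORTS[int(port)]}) globally open")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On the posted log the audit reports six items: both Security Center overrides, monitoring disabled for the Symantec entry, the firewall switched off, and 21/TCP and 3389/TCP globally open; 14147/TCP (the FileZilla Server admin port) is listed in the dump but not flagged because it is not in the assumed port set. The AuthorizedApplications list is parsed but not judged, since which exceptions are legitimate depends on what the machine is meant to run.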
Malwarebytes never finishes the quick scan
vyan2000 replied to vyan2000's topic in Resolved Malware Removal Logs
This is the DDS.txt. Thanks a lot, Y
.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 7.0.5730.13  BrowserJavaVersion: 1.6.0_26
Run by Administrator at 23:23:21 on 2011-08-04
Microsoft Windows XP Professional 5.1.2600.3.936.86.2052.18.998.297 [GMT -4:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\FileZilla_Server\FileZilla Server.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\conime.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.columbia.edu/
mStart Page = hxxp://www.shendu.com/
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: ThunderAtOnce Class: {01443aec-0fd1-40fd-9c87-e93d1494c233} - c:\program files\thunder network\thunder\comdlls\TDAtOnce_Now.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
mRun: [synTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [igfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Google Pinyin 2 Autoupdater] "c:\program files\google\google pinyin 2\GooglePinyinDaemon.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-explorer: NoResolveTrack = 1 (0x1)
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
dPolicies-explorer: NoSMHelp = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
dPolicies-explorer: NoResolveTrack = 1 (0x1)
IE: 使用迅雷下载 (Download with Thunder) - c:\program files\thunder network\thunder\program\geturl.htm
IE: 使用迅雷下载全部链接 (Download all links with Thunder) - c:\program files\thunder network\thunder\program\getallurl.htm
IE: {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - c:\program files\thunder network\thunder\Thunder.exe
DPF: {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A} - hxxp://dl.uc.sina.com/cab/downloader.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{0FF73FAB-1D19-4ED1-A638-CBE6283A4DA9} : DhcpNameServer = 192.168.1.1
Notify: igfxcui - igfxdev.dll
IFEO: wupdmgr.exe - ntsd--
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\2rstdgij.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.columbia.edu/
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdjvu.dll
FF - plugin: c:\program files\mympc\rpplugins\nppl3260.dll
FF - plugin: c:\program files\mympc\rpplugins\npqtplugin.dll
FF - plugin: c:\program files\mympc\rpplugins\nprpjplug.dll
FF - plugin: c:\windows\system32\tvuax\npTVUAx.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
.
============= SERVICES / DRIVERS ===============
.
R0 iaStor7;Intel AHCI Controller;c:\windows\system32\drivers\iastor7.sys [2008-1-23 308248]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-4-29 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-4-29 108392]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2008-4-29 2234296]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-8-4 105592]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110804.002\NAVENG.SYS [2011-8-4 86136]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110804.002\NAVEX15.SYS [2011-8-4 1576312]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-4-29 23888]
S3 npkycryp;npkycryp;\??\c:\windows\system32\npkycryp.sys --> c:\windows\system32\npkycryp.sys [?]
.
=============== File Associations ===============
.
chm.file="hh.exe" %1
txtfile=c:\windows\notepad.exe %1
.
=============== Created Last 30 ================
.
2011-08-05 02:56:32    --------    d-----w-    c:\documents and settings\administrator\application data\Malwarebytes
2011-07-30 01:16:52    --------    d-----w-    c:\program files\VS Revo Group
2011-07-16 03:43:45    41272    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-16 03:43:41    22712    ----a-w-    c:\windows\system32\drivers\mbam.sys
2011-07-16 03:43:41    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2011-07-16 03:01:39    105472    ------w-    c:\windows\system32\dllcache\mup.sys
.
==================== Find3M ====================
.
2011-06-06 11:35:19    1858560    ----a-w-    c:\windows\system32\win32k.sys
.
============= FINISH: 23:23:45.34 ===============
Malwarebytes never finishes the quick scan
vyan2000 replied to vyan2000's topic in Resolved Malware Removal Logs
Yes, you are right. I forgot my password, and then I recalled it. The first time I tried MBAM, it could not finish the quick scan. Then I tried it again in safe mode, and it found 4 infections. Please see the log below, and I will post the other log soon. Thanks a lot, Y

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7380

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 7.0.5730.13

2011-8-4 23:03:05
mbam-log-2011-08-04 (23-03-05).txt

Scan type: Quick scan
Objects scanned: 176927
Time elapsed: 5 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3AA42713-5C1E-48E2-B432-D8BF420DD31D} (Rogue.AntiVirus2008) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AdVantage (Adware.Vomba) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (PUM.Hijack.Help) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Malwarebytes never finishes the quick scan
vyan2000 replied to vyan2000's topic in Resolved Malware Removal Logs
Hi screen317, Thanks a lot for the help. I guess I will continue to use this computer for a while and then do a full reinstall when I get a chance. So could you help me clean it? BTW, I have a question about getting into my administrator account. As I reported in the last reply:

+++++++++++++++++++
There are three accounts on this computer. Two of them have administrator privilege and are named A and B. The third one is the default Administrator account. But I cannot log in to the Administrator account anymore. (Or possibly I forgot the password, though this is very unlikely.)
+++++++++++++++++++

Is this possibly related to the backdoor, or to the fact that there are too many accounts with administrator privilege in XP? Many thanks, Y
-
Very nice guy with very strong technical skills.
Thanks a lot for your help. It is a great work.
-
Malwarebytes never finishes the quick scan
vyan2000 replied to vyan2000's topic in Resolved Malware Removal Logs
One more log. Thanks, Y

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7323

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 7.0.5730.13

2011-7-29 21:08:30
mbam-log-2011-07-29 (21-08-30).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 295925
Time elapsed: 19 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\advantage\advantage.exe (Adware.Advantage) -> Quarantined and deleted successfully.
d:\RECYCLER\s-1-5-21-1614895754-1935655697-1417001333-1005\Dd1\QQPet\qqpetdazzle.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.
d:\RECYCLER\s-1-5-21-1614895754-1935655697-1417001333-1005\Dd2\QQGame.exe (Trojan.VirTool) -> Quarantined and deleted successfully.
-
Malwarebytes never finishes the quick scan
vyan2000 replied to vyan2000's topic in Resolved Malware Removal Logs
Hi, Screen317, I just noticed your response. I apologize for the very late reply... In the full scan mode Malwarebytes can finish the quick scan. At the end, there are two logs. I am now trying a full scan. Currently, Symantec Endpoint says: File system auto-protection is malfunctioning. And Symantec LiveUpdate failed with an internal error. There are three accounts on this computer. Two of them have administrator privilege and are named A and B. The third one is the default Administrator account. But I cannot log in to the Administrator account anymore. (Or possibly I forgot the password, though this is very unlikely.) Thanks a lot for your help. Y

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7323

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 7.0.5730.13

2011-7-29 20:07:10
mbam-log-2011-07-29 (20-07-10).txt

Scan type: Quick scan
Objects scanned: 29932
Time elapsed: 1 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{E8CFC029-8420-4EAE-ADEF-915BDC77E1DC} (Spyware.AdaEbook) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\QQQTV网络电视.MyNSHandler (Spyware.AdaEbook) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{87CA3845-37FE-414C-81CF-E08A7D0F6779} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{988934A4-064B-11D3-BB80-00104B35E7F9} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{802F530B-A8F6-4631-AE49-6BACAAC6373E} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\XunLeiBHO.XDownloadManager.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\XunLeiBHO.XDownloadManager (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{889D2FEB-5411-4565-8998-1DD2C5261283} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\XunLeiBHO.ThunderIEHelper.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\XunLeiBHO.ThunderIEHelper (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{889D2FEB-5411-4565-8998-1DD2C5261283} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{889D2FEB-5411-4565-8998-1DD2C5261283} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\thunder network\Thunder\ComDlls\xunleibho_now.dll (Trojan.BHO) -> Quarantined and deleted successfull

+++++++++++++++++++++++++++++++++++

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7323

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 7.0.5730.13

2011-7-29 20:28:53
mbam-log-2011-07-29 (20-28-53).txt

Scan type: Quick scan
Objects scanned: 194163
Time elapsed: 9 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{602D9049-B4AC-4A25-BF75-A9B54D747CBA} (Adware.WhenU) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TR.TRFactory.1 (Adware.WhenU) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TR.TRFactory (Adware.WhenU) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{DABF362D-D442-4402-9208-CA9ED70DD01E} (Adware.WhenU) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{5AC3A9EF-C0F8-41D4-B4E2-B7CEBB794151} (Adware.WhenU) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (PUM.Hijack.Help) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Guest\「开始」菜单\程序\启动\腾讯QQ.lnk (Malware.Trace) -> Quarantined and deleted successfully.
c:\program files\advantage\{a89aed22-9133-424c-88e7-c8235c5ff302}\components\memedia_ff.dll (Adware.AdVantage) -> Quarantined and deleted successfully.
c:\program files\advantage\TR.dll (Adware.WhenU) -> Quarantined and deleted suc
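The MBAM 1.51 logs posted in this thread all share one plain-text layout: a header, a block of per-category counts, then one section per category listing each item with its detection name and the action taken, and for "Registry Data Items" the bad and good values MBAM swapped. When several such logs are pasted into a thread, two things are worth checking mechanically: whether the listed entries actually add up to the summary counts (the last log above is cut off mid-entry, which a count check catches), and which PUM (potentially unwanted modification) registry values were reset, since those are the policy keys that hid the Start Menu Help entry. The following parser is an added example written for this page; it is not code from the thread or from Malwarebytes. The sample log is constructed from entries copied from the posts above with the header shortened, and the function names parse_mbam_log, count_mismatches and pum_changes are this example's own.

```python
import re

# Constructed sample log (entries copied from the thread above, header trimmed).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7380

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 7.0.5730.13

Scan type: Quick scan
Objects scanned: 176927
Time elapsed: 5 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3AA42713-5C1E-48E2-B432-D8BF420DD31D} (Rogue.AntiVirus2008) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AdVantage (Adware.Vomba) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (PUM.Hijack.Help) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
"""

# Line shapes in an MBAM 1.51 log (regexes are this example's assumptions about the format).
HEADER_RE = re.compile(r"^(?P<key>Database version|Scan type|Objects scanned|Time elapsed): (?P<value>.+)$")
SUMMARY_RE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected): (?P<count>\d+)$")   # "Files Infected: 3"
SECTION_RE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected):$")                  # "Files Infected:"
ENTRY_RE = re.compile(
    r"^(?P<item>.+?) \((?P<detection>[A-Za-z0-9_.]+)\)"                  # path/key + detection name
    r"(?: -> Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\))?"        # only for registry data items
    r" -> (?P<action>.+?)\.?$"                                            # action MBAM took
)
NO_ITEMS = "(No malicious items detected)"


def parse_mbam_log(text):
    """Parse one MBAM 1.51 log into header fields, summary counts and per-category entries."""
    report = {"header": {}, "summary": {}, "sections": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            report["header"][m.group("key")] = m.group("value")
            continue
        m = SUMMARY_RE.match(line)
        if m:
            report["summary"][m.group("category")] = int(m.group("count"))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("category")
            report["sections"][section] = []
            continue
        if section is None or line == NO_ITEMS:
            continue
        m = ENTRY_RE.match(line)
        if m:
            report["sections"][section].append(m.groupdict())
        else:  # keep unparsable lines visible rather than silently dropping them
            report["sections"][section].append(
                {"item": line, "detection": None, "bad": None, "good": None, "action": "UNPARSED"})
    return report


def count_mismatches(report):
    """Categories whose summary count differs from the entries listed: {category: (expected, actual)}.
    A mismatch usually means the pasted log was truncated or edited."""
    out = {}
    for category, expected in report["summary"].items():
        actual = len(report["sections"].get(category, []))
        if actual != expected:
            out[category] = (expected, actual)
    return out


def pum_changes(report):
    """Registry data items flagged PUM.*: (value name, detection, bad value, good value)."""
    return [
        (e["item"].rsplit("\\", 1)[-1], e["detection"], e["bad"], e["good"])
        for e in report["sections"].get("Registry Data Items Infected", [])
        if e["detection"] and e["detection"].startswith("PUM.")
    ]


if __name__ == "__main__":
    r = parse_mbam_log(SAMPLE_LOG)
    print(r["header"]["Scan type"], "| mismatches:", count_mismatches(r))
    for name, det, bad, good in pum_changes(r):
        print(f"{name}: {det} reset {bad} -> {good}")
```

Run on the sample, the parser reports no count mismatches and two PUM resets: Start_ShowHelp was 0 and went to 1, NoSMHelp was 1 and went to 0. Deleting one "Registry Keys Infected" entry from the input, as happens when a log is pasted incompletely, makes count_mismatches return the category with expected 2 and actual 1.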