How to remove TR/Autorun.a.2 - Free Antivirus Forum

Free Antivirus Forum - Learn about antivirus, firewalls and personal security

How to remove TR/Autorun.a.2

BullGuard Antivirus Forum > Virus Removal > Removal Tools > How to remove TR/Autorun.a.2

Forum Quick Jump

[ << Previous Thread | Next Thread >> ]

shannemark
New Member

Date Joined Sep 2011
Total Posts : 29

Posted 11/22/2011 4:22 AM (GMT +3)

good morning

I would like to ask someone who can help me remove the viruses in my computer.

Yesterday the windows system of my computer was corrupted.
I ask someone to repair it. He was able to recover all my files but its all in hidden format.
I used avira 2012. the viruses found was TR/aUTORUN.A.2, TR/Drop.Agent.evmr.1, TR/Crypt.ULPM.Gen, TR/Agent.syp , TR/Crypt.CFI.Gen.

Please help me. all my files is very important to me

Andreea-Luciana Ostache
Forum Moderator

Date Joined Aug 2010
Total Posts : 373

Posted 11/22/2011 5:43 AM (GMT +3)

Hello,

It is not uncommon for infections to change all sort of settings, including hiding your files.

You did not tell us your operating system, so I will give you a more general procedure:

1. Right-click on your task-bar (the Windows bar that has the Start button and opened programs and Windows clock) and select open Task Manager.
2. Go to File > New Task (Run).
3. Type cmd.exe and press Enter on your keyboard.
4. In the black Command Prompt window type:

C:\> attrib -s -h /s /d *.*

Repeat the procedure for D,G,H drives (Replace C in the above command), if necessary (if your other drives were affected as well).

Andreea-Luciana Ostache
Senior Support Technician EN
support@bullguard.com
www.bullguard.com

Download the Free Trial version of BullGuard Internet Security 12

You have a BullGuard related problem? Post your question on these forums, contact Support or contact me on Twitter!

shannemark
New Member

Date Joined Sep 2011
Total Posts : 29

Posted 11/22/2011 8:01 AM (GMT +3)

hi mam andrea.

I follow your advice

this is the result

C:\Documents and Settings\Administrator>cd c
The system cannot find the path specified.

C:\Documents and Settings\Administrator>cd c:\

C:\>attrib-s-h/s/d *.*
'attrib-s-h' is not recognized as an internal or external command,
operable program or batch file.

C:\>attrib -s -h /s /d *.*
Access denied - C:\Program Files\Adobe\Reader 9.0\Resource\CMap\Identity-H
Access denied - C:\Program Files\Adobe\Reader 9.0\Resource\CMap\Identity-V
Access denied - C:\Program Files\Adobe\Reader 9.0\Resource\CMap
Access denied - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper
.dll
Access denied - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper
Shim.dll
Access denied - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.dll
Access denied - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\pdfshell.dll

Access denied - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX
Access denied - C:\Qoobox\BackEnv
Access denied - C:\WINDOWS\Prefetch\ALG.EXE-0F138680.pf
Access denied - C:\WINDOWS\Prefetch\ATTRIB.EXE-39EAFB02.pf
Access denied - C:\WINDOWS\Prefetch\AVCENTER.EXE-1A970FA0.pf
Access denied - C:\WINDOWS\Prefetch\AVCONFIG.EXE-1ECA67AD.pf
Access denied - C:\WINDOWS\Prefetch\AVGNT.EXE-200FEF40.pf
Access denied - C:\WINDOWS\Prefetch\AVNOTIFY.EXE-05ED5FD8.pf
Access denied - C:\WINDOWS\Prefetch\AVSCAN.EXE-07FC469C.pf
Access denied - C:\WINDOWS\Prefetch\AVWSC.EXE-0283F9DD.pf
Access denied - C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf
Access denied - C:\WINDOWS\Prefetch\CONIME.EXE-13EEEA1A.pf
Access denied - C:\WINDOWS\Prefetch\DRWTSN32.EXE-2B4B52AC.pf
Access denied - C:\WINDOWS\Prefetch\DWWIN.EXE-30875ADC.pf
Access denied - C:\WINDOWS\Prefetch\FIREFOX.EXE-28641590.pf
Access denied - C:\WINDOWS\Prefetch\GOOGLECRASHHANDLER.EXE-26322309.pf
Access denied - C:\WINDOWS\Prefetch\GOOGLEUPDATE.EXE-1E123D86.pf
Access denied - C:\WINDOWS\Prefetch\GOOGLEUPDATE.EXE-384C7AA5.pf
Access denied - C:\WINDOWS\Prefetch\GOOGLEUPDATESETUP.EXE-02ABC626.pf
Access denied - C:\WINDOWS\Prefetch\GRPCONV.EXE-111CD845.pf
Access denied - C:\WINDOWS\Prefetch\IEXPLORE.EXE-27122324.pf
Access denied - C:\WINDOWS\Prefetch\IMAPI.EXE-0BF740A4.pf
Access denied - C:\WINDOWS\Prefetch\INVOICING.EXE-0A71B216.pf
Access denied - C:\WINDOWS\Prefetch\Layout.ini
Access denied - C:\WINDOWS\Prefetch\MSIEXEC.EXE-2F8A8CAE.pf
Access denied - C:\WINDOWS\Prefetch\NOTEPAD.EXE-336351A9.pf
Access denied - C:\WINDOWS\Prefetch\NTOSBOOT-B00DFAAD.pf
Access denied - C:\WINDOWS\Prefetch\PING.EXE-31216D26.pf
Access denied - C:\WINDOWS\Prefetch\REGEDIT.EXE-1B606482.pf
Access denied - C:\WINDOWS\Prefetch\REGSVR32.EXE-25EEFE2F.pf
Access denied - C:\WINDOWS\Prefetch\RUNDLL32.EXE-26C2C861.pf
Access denied - C:\WINDOWS\Prefetch\RUNDLL32.EXE-2CD85FD3.pf
Access denied - C:\WINDOWS\Prefetch\RUNDLL32.EXE-451FC2C0.pf
Access denied - C:\WINDOWS\Prefetch\RUNONCE.EXE-2803F297.pf
Access denied - C:\WINDOWS\Prefetch\SCHED.EXE-030F29E1.pf
Access denied - C:\WINDOWS\Prefetch\SVCHOST.EXE-3530F672.pf
Access denied - C:\WINDOWS\Prefetch\TASKMGR.EXE-20256C55.pf
Access denied - C:\WINDOWS\Prefetch\UPDATE.EXE-2577D203.pf
Access denied - C:\WINDOWS\Prefetch\VERCLSID.EXE-3667BD89.pf
Access denied - C:\WINDOWS\Prefetch\WMIPRVSE.EXE-28F301A9.pf
Access denied - C:\WINDOWS\Prefetch\WSCNTFY.EXE-1B24F5EB.pf
Access denied - C:\WINDOWS\Prefetch\WUAUCLT.EXE-399A8E72.pf
Access denied - C:\WINDOWS\system32\Macromed\Flash\Flash11e.ocx
Unable to change attribute - C:\pagefile.sys

C:\>
C:\>

I run the combofix here is the log:

ComboFix 11-11-21.01 - Administrator 2/2011 Tue   9:34.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.936.86.1033.18.2038.1443 [GMT 8:00]
执行位置: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((( 2011-10-22 至 2011-11-22 的新的档案 )))))))))))))))))))))))))))))))
.
.
2011-11-22 02:36 . 2011-11-22 02:36 -------- d--h--w- c:\windows\system32\x64
2011-11-22 02:36 . 2008-07-01 02:47 920088 ---ha-w- c:\windows\system32\igxpun.exe
2011-11-22 02:36 . 2011-11-22 02:36 -------- dc-h--w- c:\windows\system32\DRVSTORE
2011-11-22 02:36 . 2006-11-10 01:25 319456 ---ha-w- c:\windows\system32\difxapi.dll
2011-11-22 02:35 . 2001-12-28 19:55 24035 ---ha-r- c:\windows\system32\drivers\eaps2kbd.sys
2011-11-22 02:35 . 2001-09-05 03:25 40960 ---ha-r- c:\windows\LoadDll.dll
2011-11-22 02:35 . 2000-03-13 20:16 18841 ---ha-r- c:\windows\system32\FltrCoi.dll
2011-11-22 02:35 . 1999-10-29 20:35 24348 ---ha-r- c:\windows\system32\drivers\EAWDMFD.SYS
2011-11-22 02:35 . 2011-11-22 02:35 -------- d--h--w- c:\windows\system32\RTCOM
2011-11-22 02:35 . 2008-04-14 08:17 25856 ---ha-w- c:\windows\system32\drivers\usbprint.sys
2011-11-22 02:35 . 2008-07-01 03:27 108800 ---ha-w- c:\windows\system32\drivers\Rtenicxp.sys
2011-11-22 02:35 . 2008-07-21 16:14 9728 ---ha-w- c:\windows\system32\RtNicProp32.dll
2011-11-22 00:49 . 2011-11-22 00:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\AskToolbar
2011-11-22 00:29 . 2011-11-22 00:29 -------- d--h--w- c:\documents and settings\Administrator\ChikkaV5
2011-11-22 00:29 . 2011-11-22 00:29 -------- d-----w- C:\logs
2011-11-22 00:29 . 2011-11-22 00:29 -------- d--h--w- c:\program files\Chikka Messenger
2011-11-22 00:28 . 2011-11-22 00:28 -------- d--h--w- c:\program files\IPMsg
2011-11-21 23:43 . 2011-11-22 00:54 -------- d--h--w- c:\windows\system32\NtmsData
2011-11-21 23:43 . 2011-11-21 23:43 -------- d-sha-w- c:\windows\Repair
2011-11-21 13:04 . 2011-11-21 13:04 -------- d--h--w- c:\program files\Ask.com
2011-11-21 13:04 . 2011-11-22 01:34 -------- d--h--w- c:\documents and settings\Administrator\Local Settings\Application Data\AskToolbar
2011-11-21 13:03 . 2011-11-22 01:32 -------- d--h--w- c:\documents and settings\All Users\Application Data\Avira
2011-11-21 11:54 . 2011-11-21 11:54 -------- d--h--w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2011-11-21 11:46 . 2011-11-21 11:46 4032 ---ha-w- c:\windows\system32\drivers\hostnt.sys
2011-11-21 11:46 . 2011-11-21 11:46 29056 ---ha-w- c:\windows\system32\drivers\gsmhwdm.sys
2011-11-21 11:46 . 2011-11-21 11:46 27696 ---ha-w- c:\windows\system32\drivers\mhdrv.sys
2011-11-21 11:46 . 2011-11-21 11:46 26060 ---ha-w- c:\windows\system32\drivers\rcmhdog.sys
2011-11-21 11:46 . 2011-11-21 11:46 25904 ---ha-w- c:\windows\system32\drivers\rcusbwdm.sys
2011-11-21 11:42 . 2011-11-21 11:42 404640 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-21 11:42 . 2011-11-21 11:42 -------- d--h--w- c:\documents and settings\All Users\Application Data\McAfee
2011-11-21 11:39 . 2011-11-21 11:39 -------- d--h--w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2011-11-21 11:35 . 2011-11-21 11:35 -------- d--h--w- c:\program files\Avira
2011-11-21 11:33 . 2011-11-21 11:40 -------- d-----w- C:\account
2011-11-21 11:32 . 2011-11-21 11:32 -------- d--h--w- c:\program files\Common Files\Adobe
2011-11-21 11:28 . 2009-02-27 16:23 450560 ---ha-w- c:\windows\system32\GDS32.DLL
2011-11-21 11:28 . 2009-02-27 07:34 462848 ---ha-w- c:\windows\system32\Firebird2Control.cpl
2011-11-21 11:28 . 2011-11-21 11:28 -------- d--h--w- c:\program files\Firebird
2011-11-21 11:26 . 2011-11-21 11:26 69632 ---ha-w- c:\windows\system32\MY3L_EX.DLL
2011-11-21 11:26 . 2011-11-21 11:26 53248 ---ha-w- c:\windows\system32\NT_DLL2.DLL
2011-11-21 11:26 . 2011-11-21 11:26 135168 ---ha-w- c:\windows\system32\YutianEx.DLL
2011-11-21 11:26 . 2005-09-05 14:33 413696 ---ha-w- c:\windows\system32\SetUp_Pro.dll
2011-11-21 11:14 . 2006-10-26 11:56 33104 ---ha-w- c:\windows\system32\Spool\prtprocs\w32x86\msonpppr.dll
2011-11-21 11:14 . 2006-10-26 11:56 32592 ---ha-w- c:\windows\system32\msonpmon.dll
2011-11-21 11:14 . 2011-11-21 11:14 -------- d--h--w- c:\program files\Microsoft Works
2011-11-21 11:14 . 2011-11-21 11:14 -------- d--h--w- c:\program files\MSBuild
2011-11-21 11:12 . 2011-11-21 11:14 -------- d--h--w- c:\windows\SHELLNEW
2011-11-21 11:12 . 2011-11-21 11:12 -------- d--h--w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft Help
2011-11-21 11:12 . 2011-11-21 11:15 -------- d--h--w- c:\documents and settings\All Users\Application Data\Microsoft Help
2011-11-21 11:12 . 2011-11-21 11:12 -------- d-----r- C:\MSOCache
2011-11-21 11:11 . 2008-04-13 16:15 26368 -c-ha-w- c:\windows\system32\dllcache\usbstor.sys
2011-11-21 10:39 . 2011-11-21 10:39 -------- d--h--w- c:\documents and settings\Administrator\Bluebirds
2011-11-21 10:39 . 2011-11-21 10:39 -------- d--h--w- c:\windows\system32\Lang
2011-11-21 10:38 . 2011-11-21 10:38 -------- d--h--w- c:\windows\system32\oobe
.
.
.
((((((((((((((((((((((((((((((((((((((((   在三个月内被修改的档案   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
(((((((((((((((((((((((((((((((((((((   重要登入点   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-09-08 06:55 1515688 ---ha-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-09-08 1515688]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-09-08 1515688]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"bluebirds"="c:\documents and settings\Administrator\Bluebirds\BlueBirds.exe" [2009-04-29 270336]
"ChikkaV5"="c:\program files\Chikka Messenger\Chikka v.5\ChikkaLauncher.exe" [2010-09-27 40960]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-23 16804864]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-01 141848]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-11 34672]
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2011-09-08 888488]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
IPMSG for Win32.lnk - c:\program files\IPMsg\ipmsg.exe [2011-11-22 210432]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\IPMsg\\ipmsg.exe"=
.
R0 amdagp8p;AMD NB AGP Bus Filter;c:\windows\system32\drivers\amdagp8p.sys [8/30/2008 12:31 PM 27648]
R0 dontgo;Promise Removable Disk Control Driver;c:\windows\system32\drivers\dontgo.sys [8/30/2008 12:31 PM 7680]
R0 tmagp;Transmeta TM 8000 AGP Filter Driver;c:\windows\system32\drivers\TMAGP.SYS [8/30/2008 12:32 PM 27648]
R0 ULiAGP;ULi AGP Controller Bus Filter Driver;c:\windows\system32\drivers\ULiAGP.SYS [8/30/2008 12:32 PM 33408]
R0 uliagpkx;ULi AGP Bus Filter Driver;c:\windows\system32\drivers\AGPKX.SYS [8/30/2008 12:31 PM 45056]
R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbguard.exe [11/21/2011 7:28 PM 81920]
R2 HOSTNT;Hostnt;c:\windows\system32\drivers\hostnt.sys [11/21/2011 7:46 PM 4032]
R2 MHDRV;Mhdrv;c:\windows\system32\drivers\mhdrv.sys [11/21/2011 7:46 PM 27696]
R2 RCMHDOG;RCMHDOG;c:\windows\system32\drivers\rcmhdog.sys [11/21/2011 7:46 PM 26060]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbserver.exe [11/21/2011 7:28 PM 2732032]
R4 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys --> c:\windows\system32\DRIVERS\avkmgr.sys [?]
S0 hptpro;hptpro;c:\windows\system32\drivers\hptpro.sys [8/30/2008 12:31 PM 9809]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - HTTPFILTER
*NewlyCreated* - NTMSSVC
*NewlyCreated* - SWPRV
*NewlyCreated* - VSS
*Deregistered* - avipbb
*Deregistered* - ssmdrv
.
‘计划任务’ 文件夹里的内容
.
2011-11-22 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2011-09-08 06:55]
.
.
------- 而外的扫描 -------
.
uStart Page = hxxp://www.ask.com/?l=dis&o=APN10023&gct=hp
uInternet Connection Wizard,ShellNext = hxxp://www.firebirdsql.org//afterinstall
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 124.106.5.2 124.106.6.2
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\obpr90mx.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Avira SearchFree Toolbar plus Web Protection: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-22 09:35
Windows 5.1.2600 Service Pack 3 NTFS
.
扫描被隐藏的进程。。。
.
扫描被隐藏的启动组。。。
.
扫描被隐藏的文件。。。
.
扫描完成
被隐藏的档案: 0
.
**************************************************************************
.
--------------------- 运行进程下的动态链接库 ---------------------
.
- - - - - - - > 'lsass.exe'(768)
c:\program files\Avira\AntiVir Desktop\avsda.dll
.
完成时间: 2011-11-22 09:36:25
ComboFix-quarantined-files.txt 2011-11-22 01:36
ComboFix2.txt 2011-11-22 01:26
.
Pre-Run: 126,831,697,920 bytes free
Post-Run: 126,814,416,896 bytes free
.
- - End Of File - - 9708CDC16C41FF2B46CA58B339D99374

I hope you can help me restore my file in its original format

Andreea-Luciana Ostache
Forum Moderator

Date Joined Aug 2010
Total Posts : 373

Posted 11/24/2011 4:11 AM (GMT +3)

The only thing I can see that is out of place on your computer is the Ask Toolbar.
Run the AutoClean's Ask toolbar removal tool, which I have attached to my message.

Also, run the showhidden bat I have attached.

After this, reboot your computer and let us know what happens.

File Attachment :
ASK Remover.zip 270KB (application/zip)

This file has been downloaded 255 time(s).

File Attachment :
ShowHidden.bat 0KB (application/octet-stream)

This file has been downloaded 197 time(s).

shannemark
New Member

Date Joined Sep 2011
Total Posts : 29

Posted 11/25/2011 5:59 AM (GMT +3)

mam andrea

why every time I opened my computer the error will appear again . "windows -delayed write faile" failed to save all the components for the the file\\system 32\\0003efb the files corrupted or unreadable this error may caused by abs hardware problem.

and my computer went black and all my files were hidden again. To recover them I run the combofix.exe and follow ur instruction attrib -s -h /s /d *.*

and then I will run the avira 2012 the trojan viruses found .

everyday I have to do this process.

can you please help me to remove this viruses.

thanx

shannemark
New Member

Date Joined Sep 2011
Total Posts : 29

Posted 11/25/2011 6:19 AM (GMT +3)

mam andrea here is the latest log:

C:\Documents and Settings\Administrator>c:

C:\Documents and Settings\Administrator>c:\
'c:\' is not recognized as an internal or external command,
operable program or batch file.

C:\Documents and Settings\Administrator>cd c:\

C:\>attrib -s -h /s /d *.*
Access denied - C:\Documents and Settings\Administrator\Recent
Access denied - C:\Program Files\Adobe\Reader 9.0\Resource\CMap\Identity-H
Access denied - C:\Program Files\Adobe\Reader 9.0\Resource\CMap\Identity-V
Access denied - C:\Program Files\Adobe\Reader 9.0\Resource\CMap
Access denied - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper
.dll
Access denied - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper
Shim.dll
Access denied - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.dll
Access denied - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\pdfshell.dll

Access denied - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX
Access denied - C:\Qoobox\BackEnv
Access denied - C:\WINDOWS\Prefetch\ACCOUNT.EXE-11EB9945.pf
Access denied - C:\WINDOWS\Prefetch\ACRORD32INFO.EXE-242CE4AA.pf
Access denied - C:\WINDOWS\Prefetch\AGENT.EXE-10B4BAEA.pf
Access denied - C:\WINDOWS\Prefetch\ALG.EXE-0F138680.pf
Access denied - C:\WINDOWS\Prefetch\ASKPARTNERCOBRANDINGTOOL.EXE-2476779B.pf
Access denied - C:\WINDOWS\Prefetch\ASPELL.EXE-2320D1FB.pf
Access denied - C:\WINDOWS\Prefetch\ATTRIB.EXE-39EAFB02.pf
Access denied - C:\WINDOWS\Prefetch\AU_.EXE-05904C56.pf
Access denied - C:\WINDOWS\Prefetch\AVCENTER.EXE-1A970FA0.pf
Access denied - C:\WINDOWS\Prefetch\AVCONFIG.EXE-1ECA67AD.pf
Access denied - C:\WINDOWS\Prefetch\AVNOTIFY.EXE-05ED5FD8.pf
Access denied - C:\WINDOWS\Prefetch\AVSCAN.EXE-07FC469C.pf
Access denied - C:\WINDOWS\Prefetch\AVSHADOW.EXE-0F67375E.pf
Access denied - C:\WINDOWS\Prefetch\AVWEBGRD.EXE-03786D52.pf
Access denied - C:\WINDOWS\Prefetch\AVWSC.EXE-0283F9DD.pf
Access denied - C:\WINDOWS\Prefetch\CHCP.COM-18156052.pf
Access denied - C:\WINDOWS\Prefetch\CHIKKALAUNCHER.EXE-32AB4B6C.pf
Access denied - C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf
Access denied - C:\WINDOWS\Prefetch\CNET2_CTM_V5_SETUP_EXE.EXE-1E5C5A7C.pf
Access denied - C:\WINDOWS\Prefetch\COMBOFIX.EXE-3A3A8115.pf
Access denied - C:\WINDOWS\Prefetch\CONIME.EXE-13EEEA1A.pf
Access denied - C:\WINDOWS\Prefetch\CORELDRW.EXE-005E337E.pf
Access denied - C:\WINDOWS\Prefetch\CORELPP.EXE-07D31502.pf
Access denied - C:\WINDOWS\Prefetch\CSCRIPT.EXE-1C26180C.pf
Access denied - C:\WINDOWS\Prefetch\CTFMON.EXE-0E17969B.pf
Access denied - C:\WINDOWS\Prefetch\CTM_V5_SETUP.EXE-3A9AADCF.pf
Access denied - C:\WINDOWS\Prefetch\DELIVERY.EXE-10265B56.pf
Access denied - C:\WINDOWS\Prefetch\DIGSBY-APP.EXE-1BD802E9.pf
Access denied - C:\WINDOWS\Prefetch\DIGSBY.EXE-2DEEEA8A.pf
Access denied - C:\WINDOWS\Prefetch\DLLHOST.EXE-39029BA9.pf
Access denied - C:\WINDOWS\Prefetch\DLLHOST.EXE-5353C76C.pf
Access denied - C:\WINDOWS\Prefetch\EXCEL.EXE-34CB65E9.pf
Access denied - C:\WINDOWS\Prefetch\FACT.EXE-19B17E1A.pf
Access denied - C:\WINDOWS\Prefetch\FBSERVER.EXE-2E404650.pf
Access denied - C:\WINDOWS\Prefetch\FINDSTR.EXE-0CA6274B.pf
Access denied - C:\WINDOWS\Prefetch\FIREFOX.EXE-28641590.pf
Access denied - C:\WINDOWS\Prefetch\GOOGLECRASHHANDLER.EXE-26322309.pf
Access denied - C:\WINDOWS\Prefetch\GOOGLETOOLBARMANAGER_DC5D2AFB-06B7570B.pf
Access denied - C:\WINDOWS\Prefetch\GOOGLEUPDATE.EXE-1E123D86.pf
Access denied - C:\WINDOWS\Prefetch\GOOGLEUPDATEONDEMAND.EXE-01935369.pf
Access denied - C:\WINDOWS\Prefetch\GREP.3XE-0FD7DFD4.pf
Access denied - C:\WINDOWS\Prefetch\GSAR.3XE-1971B17C.pf
Access denied - C:\WINDOWS\Prefetch\HELPSVC.EXE-2878DDA2.pf
Access denied - C:\WINDOWS\Prefetch\HIDEC.3XE-111262DC.pf
Access denied - C:\WINDOWS\Prefetch\HPGS2WND.EXE-06AC8C27.pf
Access denied - C:\WINDOWS\Prefetch\HPGS2WNF.EXE-0E86C34B.pf
Access denied - C:\WINDOWS\Prefetch\IEXPLORE.EXE-0A31FE70.pf
Access denied - C:\WINDOWS\Prefetch\IEXPLORE.EXE-12915967.pf
Access denied - C:\WINDOWS\Prefetch\IEXPLORE.EXE-12BBAE74.pf
Access denied - C:\WINDOWS\Prefetch\IEXPLORE.EXE-27122324.pf
Access denied - C:\WINDOWS\Prefetch\IMAPI.EXE-0BF740A4.pf
Access denied - C:\WINDOWS\Prefetch\INVOICING.EXE-0A71B216.pf
Access denied - C:\WINDOWS\Prefetch\IPMGUI.EXE-1C3915CE.pf
Access denied - C:\WINDOWS\Prefetch\IPMSG.EXE-26141277.pf
Access denied - C:\WINDOWS\Prefetch\Layout.ini
Access denied - C:\WINDOWS\Prefetch\MSDTC.EXE-0E6E4AF7.pf
Access denied - C:\WINDOWS\Prefetch\MSFEEDSSYNC.EXE-25E13438.pf
Access denied - C:\WINDOWS\Prefetch\MSI45.TMP-0E98C5F8.pf
Access denied - C:\WINDOWS\Prefetch\MSI47.TMP-3500408D.pf
Access denied - C:\WINDOWS\Prefetch\MSI48.TMP-19FE9D25.pf
Access denied - C:\WINDOWS\Prefetch\MSI49.TMP-1FCCF11B.pf
Access denied - C:\WINDOWS\Prefetch\MSI4A.TMP-35004CAD.pf
Access denied - C:\WINDOWS\Prefetch\MSI4B.TMP-04CB4193.pf
Access denied - C:\WINDOWS\Prefetch\MSI4C.TMP-0E98D218.pf
Access denied - C:\WINDOWS\Prefetch\MSI4F.TMP-15FF6CB6.pf
Access denied - C:\WINDOWS\Prefetch\MSI5B.TMP-10B41F49.pf
Access denied - C:\WINDOWS\Prefetch\MSI5C.TMP-02AFF462.pf
Access denied - C:\WINDOWS\Prefetch\MSI73.TMP-2FAEE582.pf
Access denied - C:\WINDOWS\Prefetch\MSI75.TMP-09476AED.pf
Access denied - C:\WINDOWS\Prefetch\MSI76.TMP-30842353.pf
Access denied - C:\WINDOWS\Prefetch\MSI77.TMP-1E7ABA5F.pf
Access denied - C:\WINDOWS\Prefetch\MSI78.TMP-1B50D3E1.pf
Access denied - C:\WINDOWS\Prefetch\MSI79.TMP-33AE09D1.pf
Access denied - C:\WINDOWS\Prefetch\MSI7A.TMP-004F2459.pf
Access denied - C:\WINDOWS\Prefetch\MSI7B.TMP-1314EF52.pf
Access denied - C:\WINDOWS\Prefetch\MSIEXEC.EXE-2F8A8CAE.pf
Access denied - C:\WINDOWS\Prefetch\NEW3FB.TMP.EXE-02E39414.pf
Access denied - C:\WINDOWS\Prefetch\NIRCMD.3XE-117BB35D.pf
Access denied - C:\WINDOWS\Prefetch\NOTEPAD.EXE-336351A9.pf
Access denied - C:\WINDOWS\Prefetch\NS6.TMP-153A5A21.pf
Access denied - C:\WINDOWS\Prefetch\NTOSBOOT-B00DFAAD.pf
Access denied - C:\WINDOWS\Prefetch\PEV.3XE-358EBDB6.pf
Access denied - C:\WINDOWS\Prefetch\PING.EXE-31216D26.pf
Access denied - C:\WINDOWS\Prefetch\PRECACHE.EXE-0AB3F201.pf
Access denied - C:\WINDOWS\Prefetch\REGEDIT.EXE-1B606482.pf
Access denied - C:\WINDOWS\Prefetch\REGSVR32.EXE-25EEFE2F.pf
Access denied - C:\WINDOWS\Prefetch\RSMSINK.EXE-032F2BAB.pf
Access denied - C:\WINDOWS\Prefetch\RUNDLL32.EXE-14E41E50.pf
Access denied - C:\WINDOWS\Prefetch\RUNDLL32.EXE-15144D4A.pf
Access denied - C:\WINDOWS\Prefetch\RUNDLL32.EXE-15B8A6F0.pf
Access denied - C:\WINDOWS\Prefetch\RUNDLL32.EXE-19C2AA6F.pf
Access denied - C:\WINDOWS\Prefetch\RUNDLL32.EXE-1A483723.pf
Access denied - C:\WINDOWS\Prefetch\RUNDLL32.EXE-24B17D44.pf
Access denied - C:\WINDOWS\Prefetch\RUNDLL32.EXE-2576181F.pf
Access denied - C:\WINDOWS\Prefetch\RUNDLL32.EXE-268BFF96.pf
Access denied - C:\WINDOWS\Prefetch\RUNDLL32.EXE-2CD85FD3.pf
Access denied - C:\WINDOWS\Prefetch\RUNDLL32.EXE-319AA02C.pf
Access denied - C:\WINDOWS\Prefetch\RUNDLL32.EXE-36695641.pf
Access denied - C:\WINDOWS\Prefetch\RUNDLL32.EXE-3721CDE2.pf
Access denied - C:\WINDOWS\Prefetch\RUNDLL32.EXE-3CF0A7AE.pf
Access denied - C:\WINDOWS\Prefetch\RUNDLL32.EXE-40E591AE.pf
Access denied - C:\WINDOWS\Prefetch\RUNDLL32.EXE-44756CE7.pf
Access denied - C:\WINDOWS\Prefetch\RUNDLL32.EXE-451FC2C0.pf
Access denied - C:\WINDOWS\Prefetch\RUNDLL32.EXE-49AED242.pf
Access denied - C:\WINDOWS\Prefetch\RUNDLL32.EXE-4BA2B636.pf
Access denied - C:\WINDOWS\Prefetch\RUNONCE.EXE-2803F297.pf
Access denied - C:\WINDOWS\Prefetch\SAUPDATE.EXE-01D42FCF.pf
Access denied - C:\WINDOWS\Prefetch\SED.3XE-370DAEC3.pf
Access denied - C:\WINDOWS\Prefetch\SETUP.EXE-0155F10D.pf
Access denied - C:\WINDOWS\Prefetch\SETUP.EXE-11946E0E.pf
Access denied - C:\WINDOWS\Prefetch\SETUP.EXE-2ABC6928.pf
Access denied - C:\WINDOWS\Prefetch\SKYPE.EXE-30AE1A60.pf
Access denied - C:\WINDOWS\Prefetch\SKYPESETUP.EXE-1FE206A3.pf
Access denied - C:\WINDOWS\Prefetch\SKYPESETUPFULL.EXE-2CCEC28D.pf
Access denied - C:\WINDOWS\Prefetch\SSMYST.SCR-1CCCF0DC.pf
Access denied - C:\WINDOWS\Prefetch\SVCHOST.EXE-3530F672.pf
Access denied - C:\WINDOWS\Prefetch\SWREG.3XE-20CC4D60.pf
Access denied - C:\WINDOWS\Prefetch\SWXCACLS.3XE-392ED218.pf
Access denied - C:\WINDOWS\Prefetch\TASKSCHEDULER.EXE-1D575949.pf
Access denied - C:\WINDOWS\Prefetch\UNINSTALL.EXE-295CFE08.pf
Access denied - C:\WINDOWS\Prefetch\UPDATE.EXE-2577D203.pf
Access denied - C:\WINDOWS\Prefetch\UPDATETASK.EXE-154F922C.pf
Access denied - C:\WINDOWS\Prefetch\UPDRGUI.EXE-027FAE5A.pf
Access denied - C:\WINDOWS\Prefetch\VERCLSID.EXE-3667BD89.pf
Access denied - C:\WINDOWS\Prefetch\VSSVC.EXE-0F74375A.pf
Access denied - C:\WINDOWS\Prefetch\WINWORD.EXE-07381162.pf
Access denied - C:\WINDOWS\Prefetch\WMIPRVSE.EXE-28F301A9.pf
Access denied - C:\WINDOWS\Prefetch\WSCNTFY.EXE-1B24F5EB.pf
Access denied - C:\WINDOWS\Prefetch\WUAUCLT.EXE-399A8E72.pf
Access denied - C:\WINDOWS\Prefetch\YT KEY DRIVER.EXE-0894418D.pf
Access denied - C:\WINDOWS\system32\Macromed\Flash\Flash11e.ocx
Unable to change attribute - C:\pagefile.sys

C:\>

combo fix log:

ComboFix 11-11-24.01 - Administrator 5/2011 Fri 11:09:41.7.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.936.86.1033.18.2038.1326 [GMT 8:00]
执行位置: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((( 2011-10-25 至 2011-11-25 的新的档案 )))))))))))))))))))))))))))))))
.
.
2011-11-24 09:18 . 2011-11-25 02:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2011-11-24 09:18 . 2011-11-24 09:18 -------- d-----r- c:\program files\Skype
2011-11-24 09:18 . 2011-11-24 09:18 -------- d--h--w- c:\documents and settings\All Users\Application Data\Skype
2011-11-23 06:23 . 2011-11-23 06:23 -------- d-----w- c:\documents and settings\Administrator\ChikkaV5
2011-11-23 06:10 . 2011-11-23 06:13 -------- d-----w- C:\UniScan
2011-11-23 06:10 . 2008-04-13 16:15 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2011-11-23 06:10 . 2008-04-13 16:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2011-11-23 06:07 . 2011-11-23 06:07 82380 ----a-w- c:\windows\system32\drivers\AFS2K.SYS
2011-11-23 06:07 . 2011-11-23 06:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\Share-to-Web 上载文件夹
2011-11-23 06:06 . 2011-11-23 06:06 -------- d--h--w- c:\program files\Common Files\Hewlett-Packard
2011-11-23 06:06 . 2011-11-23 06:07 -------- d-----w- c:\program files\Hewlett-Packard
2011-11-22 06:29 . 2011-11-22 06:29 -------- d-----w- c:\program files\calicomtech
2011-11-22 06:28 . 2011-11-22 06:28 -------- d-----w- c:\windows\Downloaded Installations
2011-11-22 06:27 . 2011-11-22 07:41 9216 ----a-w- c:\windows\system32\IOCTLVDD.DLL
2011-11-22 05:24 . 2011-11-22 05:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\Corel
2011-11-22 05:10 . 2011-11-22 05:10 -------- d-----w- c:\documents and settings\Administrator\Application Data\Avira
2011-11-22 05:10 . 2011-09-18 00:39 134344 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-11-22 05:10 . 2011-09-15 15:55 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-11-22 05:10 . 2011-11-22 05:10 -------- d-----w- c:\program files\Avira
2011-11-22 05:09 . 2011-11-22 05:09 -------- d-----w- c:\windows\system32\LogFiles
2011-11-22 04:52 . 2011-11-22 04:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-11-22 04:52 . 2011-11-22 04:52 -------- d--h--w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-11-22 04:52 . 2011-11-22 04:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-22 04:52 . 2011-08-31 09:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-22 04:44 . 2011-11-22 04:44 -------- d-----w- c:\program files\InstallShield Installation Information
2011-11-22 04:44 . 2011-11-22 04:44 -------- d--h--w- c:\program files\Common Files\Corel
2011-11-22 04:43 . 2011-11-22 04:43 -------- d-----w- c:\program files\Corel
2011-11-22 04:42 . 2011-11-22 04:44 -------- d--h--w- c:\program files\Common Files\InstallShield
2011-11-22 04:34 . 2011-11-25 02:17 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Digsby
2011-11-22 04:34 . 2011-11-22 10:06 -------- d--h--w- c:\documents and settings\All Users\Application Data\Digsby
2011-11-22 04:34 . 2011-11-22 10:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\Digsby
2011-11-22 04:32 . 2011-11-22 04:32 -------- d-----w- c:\program files\Digsby
2011-11-22 04:18 . 2011-09-15 15:55 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2011-11-22 03:29 . 2011-11-22 03:31 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp
2011-11-22 02:42 . 2011-11-22 02:42 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2011-11-22 02:41 . 2011-11-22 02:41 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2011-11-22 02:40 . 2011-11-22 02:40 -------- d--h--w- c:\documents and settings\NetworkService\IETldCache
2011-11-22 02:39 . 2011-11-22 02:39 -------- d-----w- c:\documents and settings\Administrator\IETldCache
2011-11-22 02:37 . 2009-01-07 10:21 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2011-11-22 02:36 . 2011-11-22 02:37 -------- dc----w- c:\windows\ie8
2011-11-22 02:36 . 2011-11-22 02:36 -------- d-----w- c:\windows\system32\x64
2011-11-22 02:36 . 2008-07-01 02:47 920088 ----a-w- c:\windows\system32\igxpun.exe
2011-11-22 02:36 . 2011-11-22 02:36 -------- dc----w- c:\windows\system32\DRVSTORE
2011-11-22 02:36 . 2006-11-10 01:25 319456 ----a-w- c:\windows\system32\difxapi.dll
2011-11-22 02:36 . 2011-11-22 02:37 -------- d-----w- c:\windows\msdownld.tmp
2011-11-22 02:35 . 2001-12-28 19:55 24035 ----a-r- c:\windows\system32\drivers\eaps2kbd.sys
2011-11-22 02:35 . 2001-09-05 03:25 40960 ----a-r- c:\windows\LoadDll.dll
2011-11-22 02:35 . 2000-03-13 20:16 18841 ----a-r- c:\windows\system32\FltrCoi.dll
2011-11-22 02:35 . 1999-10-29 20:35 24348 ----a-r- c:\windows\system32\drivers\EAWDMFD.SYS
2011-11-22 02:35 . 2011-11-22 02:35 -------- d-----w- c:\windows\system32\RTCOM
2011-11-22 02:35 . 2008-04-14 08:17 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2011-11-22 02:35 . 2008-07-01 03:27 108800 ----a-w- c:\windows\system32\drivers\Rtenicxp.sys
2011-11-22 02:35 . 2008-07-21 16:14 9728 ----a-w- c:\windows\system32\RtNicProp32.dll
2011-11-22 02:30 . 2011-11-22 02:30 -------- d-----w- c:\documents and settings\Administrator\UserData
2011-11-22 02:29 . 2011-11-22 02:29 -------- d--h--w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2011-11-22 02:24 . 2011-11-22 03:31 -------- d--h--w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2011-11-22 02:24 . 2011-11-22 02:30 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2011-11-22 02:24 . 2011-11-22 02:24 -------- d-----w- c:\program files\Google
2011-11-22 02:02 . 2011-11-22 02:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2011-11-22 02:01 . 2011-11-22 02:01 -------- d-----w- c:\program files\Easy Media Player
2011-11-22 01:52 . 2011-11-22 01:53 -------- d--h--w- c:\documents and settings\All Users\Application Data\SweetIM
2011-11-22 01:52 . 2011-11-22 01:52 -------- d-----w- c:\program files\SweetIM
2011-11-22 00:49 . 2011-11-22 00:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\AskToolbar
2011-11-22 00:29 . 2011-11-22 00:29 -------- d-----w- C:\logs
2011-11-22 00:29 . 2011-11-23 06:23 -------- d-----w- c:\program files\Chikka Messenger
2011-11-22 00:28 . 2011-11-22 00:28 -------- d-----w- c:\program files\IPMsg
2011-11-21 23:43 . 2011-11-25 01:48 -------- d-----w- c:\windows\system32\NtmsData
2011-11-21 23:43 . 2011-11-21 23:43 -------- d---a-w- c:\windows\Repair
2011-11-21 13:04 . 2011-11-24 03:04 -------- d-----w- c:\program files\Ask.com
2011-11-21 13:04 . 2011-11-25 03:01 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AskToolbar
2011-11-21 13:03 . 2011-11-22 05:10 -------- d--h--w- c:\documents and settings\All Users\Application Data\Avira
2011-11-21 11:54 . 2011-11-23 01:02 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2011-11-21 11:46 . 2011-11-22 07:41 4032 ----a-w- c:\windows\system32\drivers\hostnt.sys
2011-11-21 11:46 . 2011-11-22 07:41 29056 ----a-w- c:\windows\system32\drivers\gsmhwdm.sys
2011-11-21 11:46 . 2011-11-22 07:41 27696 ----a-w- c:\windows\system32\drivers\mhdrv.sys
2011-11-21 11:46 . 2011-11-22 07:41 26060 ----a-w- c:\windows\system32\drivers\rcmhdog.sys
2011-11-21 11:46 . 2011-11-22 07:41 25904 ----a-w- c:\windows\system32\drivers\rcusbwdm.sys
2011-11-21 11:42 . 2011-11-21 11:42 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-21 11:42 . 2011-11-21 11:42 -------- d--h--w- c:\documents and settings\All Users\Application Data\McAfee
2011-11-21 11:39 . 2011-11-21 11:39 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2011-11-21 11:33 . 2011-11-21 11:40 -------- d-----w- C:\account
2011-11-21 11:32 . 2011-11-21 11:32 -------- d--h--w- c:\program files\Common Files\Adobe
2011-11-21 11:28 . 2009-02-27 16:23 450560 ----a-w- c:\windows\system32\GDS32.DLL
2011-11-21 11:28 . 2009-02-27 07:34 462848 ----a-w- c:\windows\system32\Firebird2Control.cpl
2011-11-21 11:28 . 2011-11-21 11:28 -------- d-----w- c:\program files\Firebird
2011-11-21 11:26 . 2011-11-21 11:26 69632 ----a-w- c:\windows\system32\MY3L_EX.DLL
2011-11-21 11:26 . 2011-11-21 11:26 53248 ----a-w- c:\windows\system32\NT_DLL2.DLL
2011-11-21 11:26 . 2011-11-21 11:26 135168 ----a-w- c:\windows\system32\YutianEx.DLL
2011-11-21 11:26 . 2005-09-05 14:33 413696 ----a-w- c:\windows\system32\SetUp_Pro.dll
2011-11-21 11:14 . 2006-10-26 11:56 33104 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\msonpppr.dll
2011-11-21 11:14 . 2006-10-26 11:56 32592 ----a-w- c:\windows\system32\msonpmon.dll
2011-11-21 11:14 . 2011-11-21 11:14 -------- d-----w- c:\program files\Microsoft Works
2011-11-21 11:14 . 2011-11-21 11:14 -------- d-----w- c:\program files\MSBuild
2011-11-21 11:12 . 2011-11-21 11:14 -------- d-----w- c:\windows\SHELLNEW
2011-11-21 11:12 . 2011-11-21 11:12 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft Help
2011-11-21 11:12 . 2011-11-21 11:15 -------- d--h--w- c:\documents and settings\All Users\Application Data\Microsoft Help
2011-11-21 11:12 . 2011-11-21 11:12 -------- d-----r- C:\MSOCache
2011-11-21 11:11 . 2008-04-13 16:15 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2011-11-21 10:39 . 2011-11-21 10:39 -------- d-----w- c:\documents and settings\Administrator\Bluebirds
2011-11-21 10:39 . 2011-11-21 10:39 -------- d-----w- c:\windows\system32\Lang
2011-11-21 10:38 . 2011-11-21 10:38 -------- d-----w- c:\windows\system32\oobe
.
.
.
((((((((((((((((((((((((((((((((((((((((   在三个月内被修改的档案   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
(((((((((((((((((((((((((((((   SnapShot_2011-11-23_01.49.28   )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-11-23 06:07 . 2011-11-23 06:10 45056              c:\windows\Installer\{6F7ECD56-E224-4263-9B7E-158E5CECC43B}\_486AD40031E5_4A05_BAE5_67FC693FE0EF.exe
+ 2011-11-23 06:07 . 2011-11-23 06:07 4150              c:\windows\Installer\{B376402D-58EA-45EA-BD50-DD924EB67A70}\hpmd.exe
+ 2003-04-16 11:31 . 2003-04-16 11:31 258048              c:\windows\system32\hpsjvset.dll
+ 2003-04-15 16:31 . 2003-04-15 16:31 274432              c:\windows\system32\hpgwiamd.dll
+ 2003-04-15 16:33 . 2003-04-15 16:33 401408              c:\windows\system32\hpgt2436.dll
+ 2011-11-24 09:18 . 2011-11-24 09:18 371272              c:\windows\Installer\{AA59DDE4-B672-4621-A016-4C248204957A}\SkypeIcon.exe
- 2011-11-21 13:04 . 2011-11-21 13:04 102400              c:\windows\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}\ARPPRODUCTICON.exe
+ 2011-11-21 13:04 . 2011-11-24 03:04 102400              c:\windows\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}\ARPPRODUCTICON.exe
+ 2011-11-24 03:04 . 2011-11-24 03:04 2144768              c:\windows\Installer\9d962b.msi
+ 2011-11-24 09:18 . 2011-11-24 09:18 1252864              c:\windows\Installer\1f48519.msi
+ 2011-11-24 09:18 . 2011-11-24 09:18 1527808              c:\windows\Installer\1f48513.msi
+ 2011-11-23 06:07 . 2011-11-23 06:07 4006400              c:\windows\Installer\111b3ea.msi
+ 2011-11-23 06:07 . 2011-11-23 06:07 2932224              c:\windows\Installer\111b3e3.msi
.
(((((((((((((((((((((((((((((((((((((   重要登入点   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EEE6C35D-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll" [2011-08-24 130864]
.
[HKEY_CLASSES_ROOT\clsid\{eee6c35d-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35F-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-11-20 18:18 1515688 ---ha-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}]
2011-08-24 10:21 1299248 ----a-r- c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-11-20 1515688]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2011-08-24 1299248]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-11-20 1515688]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2011-08-24 1299248]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"bluebirds"="c:\documents and settings\Administrator\Bluebirds\BlueBirds.exe" [2009-04-29 270336]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-11-22 39408]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-10-13 17351304]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-23 16804864]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-01 141848]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-11 34672]
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2011-09-08 888488]
"SweetIM"="c:\program files\SweetIM\Messenger\SweetIM.exe" [2011-08-01 114992]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-09-23 258512]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Digsby.lnk - c:\program files\Digsby\digsby.exe [2010-3-3 141488]
IPMSG for Win32.lnk - c:\program files\IPMsg\ipmsg.exe [2011-11-22 210432]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\IPMsg\\ipmsg.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R0 amdagp8p;AMD NB AGP Bus Filter;c:\windows\system32\drivers\amdagp8p.sys [8/30/2008 12:31 PM 27648]
R0 dontgo;Promise Removable Disk Control Driver;c:\windows\system32\drivers\dontgo.sys [8/30/2008 12:31 PM 7680]
R0 tmagp;Transmeta TM 8000 AGP Filter Driver;c:\windows\system32\drivers\TMAGP.SYS [8/30/2008 12:32 PM 27648]
R0 ULiAGP;ULi AGP Controller Bus Filter Driver;c:\windows\system32\drivers\ULiAGP.SYS [8/30/2008 12:32 PM 33408]
R0 uliagpkx;ULi AGP Bus Filter Driver;c:\windows\system32\drivers\AGPKX.SYS [8/30/2008 12:31 PM 45056]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [11/22/2011 12:18 PM 36000]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/22/2011 1:10 PM 86224]
R2 AntiVirWebService;Avira Web Protection;c:\program files\Avira\AntiVir Desktop\avwebgrd.exe [11/22/2011 1:10 PM 463824]
R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbguard.exe [11/21/2011 7:28 PM 81920]
R2 HOSTNT;Hostnt;c:\windows\system32\drivers\hostnt.sys [11/21/2011 7:46 PM 4032]
R2 MHDRV;Mhdrv;c:\windows\system32\drivers\mhdrv.sys [11/21/2011 7:46 PM 27696]
R2 RCMHDOG;RCMHDOG;c:\windows\system32\drivers\rcmhdog.sys [11/21/2011 7:46 PM 26060]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbserver.exe [11/21/2011 7:28 PM 2732032]
S0 hptpro;hptpro;c:\windows\system32\drivers\hptpro.sys [8/30/2008 12:31 PM 9809]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/22/2011 10:24 AM 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [11/22/2011 10:24 AM 136176]
.
‘计划任务’ 文件夹里的内容
.
2011-11-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-11-22 02:24]
.
2011-11-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-11-22 02:24]
.
2011-11-25 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2011-11-20 18:18]
.
2011-11-25 c:\windows\Tasks\User_Feed_Synchronization-{494232BA-F10B-4C2D-910D-DD06DB7D7733}.job
- c:\windows\system32\msfeedssync.exe [2009-03-07 20:31]
.
.
------- 而外的扫描 -------
.
uStart Page = hxxp://www.ask.com/?l=dis&o=APN10023&gct=hp
uInternet Connection Wizard,ShellNext = hxxp://www.firebirdsql.org//afterinstall
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Search the Web - c:\program files\SweetIM\Toolbars\Internet Explorer\resources\menuext.html
LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
TCP: DhcpNameServer = 124.106.5.2 124.106.6.2
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\obpr90mx.default\
FF - prefs.js: browser.search.defaulturl -
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://home.sweetim.com
FF - prefs.js: keyword.URL - hxxp://search.sweetim.com/search.asp?src=2&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype Click to Call: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - Ext: Avira SearchFree Toolbar plus Web Protection: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: SweetIM Toolbar for Firefox: {EEE6C361-6118-11DC-9C72-001320C79847} - %profile%\extensions\{EEE6C361-6118-11DC-9C72-001320C79847}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-25 11:11
Windows 5.1.2600 Service Pack 3 NTFS
.
扫描被隐藏的进程。。。
.
扫描被隐藏的启动组。。。
.
扫描被隐藏的文件。。。
.
扫描完成
被隐藏的档案: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1757981266-113007714-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,21,6b,12,05,0e,63,54,48,be,53,c8,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,21,6b,12,05,0e,63,54,48,be,53,c8,\
.
--------------------- 运行进程下的动态链接库 ---------------------
.
- - - - - - - > 'lsass.exe'(772)
c:\program files\Avira\AntiVir Desktop\avsda.dll
.
- - - - - - - > 'explorer.exe'(1016)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
完成时间: 2011-11-25 11:11:52
ComboFix-quarantined-files.txt 2011-11-25 03:11
ComboFix2.txt 2011-11-25 02:22
ComboFix3.txt 2011-11-23 03:01
ComboFix4.txt 2011-11-23 01:59
ComboFix5.txt 2011-11-25 03:09
.
Pre-Run: 125,197,451,264 bytes free
Post-Run: 125,183,225,856 bytes free
.
- - End Of File - - 10D2F0A6B2790DFDB3A3D1A692E0C823

Andreea-Luciana Ostache
Forum Moderator

Date Joined Aug 2010
Total Posts : 373

Posted 11/25/2011 6:21 AM (GMT +3)

First of all, run the combofix.exe.

Immediately afterwards, turn off "Enable write caching on the disk", by following these steps:

Click Start, and then click My Computer.
Right-click the hard disk, and then click Properties.
Click the Hardware tab.
Click to select the hard disk, and then click Properties.
Click the Policies tab.
Click to clear the Enable write caching on the disk check box, and then click OK.
Click OK to close the Local Disk (C:) Properties dialog box.
Repeat steps 3 through 5 for each hard disk that is installed in your computer.

Then, go to Start > Run > type cmd.exe and press Enter. In the Command prompt window, type sfc /scannow and press Enter. Allow Windows to repair itself.
Note that you may need to insert your Windows CD/Repair disck or select your recovery partition, if prompted by the System File Scan.

Please post your new Combofix log.

shannemark
New Member

Date Joined Sep 2011
Total Posts : 29

Posted 11/25/2011 6:54 AM (GMT +3)

mam here is the log of malwarebytes:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8235

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

11/25/2011 11:48:14 AM
mbam-log-2011-11-25 (11-48-14).txt

Scan type: Full scan (C:\|D:\|F:\|)
Objects scanned: 229369
Time elapsed: 11 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Qoobox\quarantine\C\documents and settings\all users\application data\iglkdek1ecxwgu.exe.vir (Rogue.FakeHDD) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\documents and settings\all users\application data\wftchmssoh.exe.vir (Rogue.FakeHDD) -> Quarantined and deleted successfully.

Andreea-Luciana Ostache
Forum Moderator

Date Joined Aug 2010
Total Posts : 373

Posted 11/25/2011 7:03 AM (GMT +3)

The c:\Qoobox folder is the quarantine of Combofix, so basically the infections have already been quarantined. Just start the computer in Safe Mode and delete the entire folder.

Also, follow the steps I have given you above one more time, afterwards.

shannemark
New Member

Date Joined Sep 2011
Total Posts : 29

Posted 11/25/2011 2:45 PM (GMT +3)

mam andrea

I did not run yet the combofix.exe and your suggestion because I dont have a windows cd. I'm afraid I cant install my windows. where can I find windows installer

Please help me

thank you very much

Andreea-Luciana Ostache
Forum Moderator

Date Joined Aug 2010
Total Posts : 373

Posted 11/25/2011 5:30 PM (GMT +3)

I did not tell you to install your windows, please read my instructions again. If you do not have your CD, then simply click on the cancel button if you are asked for it. The scan will continue but it will skip those files.

shannemark
New Member

Date Joined Sep 2011
Total Posts : 29

Posted 11/26/2011 4:48 AM (GMT +3)

mam andrea,

here is my combo fix log today:
ComboFix 11-11-25.02 - Administrator 6/2011 Sat 8:53.9.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.936.86.1033.18.2038.1545 [GMT 8:00]
执行位置: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( 被删除的档案 )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\CSC\d6
.
.
((((((((((((((((((((((((( 2011-10-26 至 2011-11-26 的新的档案 )))))))))))))))))))))))))))))))
.
.
2011-11-24 09:18 . 2011-11-25 08:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2011-11-24 09:18 . 2011-11-24 09:18 -------- d-----r- c:\program files\Skype
2011-11-24 09:18 . 2011-11-24 09:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2011-11-23 06:23 . 2011-11-23 06:23 -------- d-----w- c:\documents and settings\Administrator\ChikkaV5
2011-11-23 06:10 . 2011-11-23 06:13 -------- d-----w- C:\UniScan
2011-11-23 06:10 . 2008-04-13 16:15 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2011-11-23 06:10 . 2008-04-13 16:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2011-11-23 06:07 . 2011-11-23 06:07 82380 ----a-w- c:\windows\system32\drivers\AFS2K.SYS
2011-11-23 06:07 . 2011-11-23 06:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\Share-to-Web 上载文件夹
2011-11-23 06:06 . 2011-11-23 06:06 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2011-11-23 06:06 . 2011-11-23 06:07 -------- d-----w- c:\program files\Hewlett-Packard
2011-11-22 06:29 . 2011-11-22 06:29 -------- d-----w- c:\program files\calicomtech
2011-11-22 06:28 . 2011-11-22 06:28 -------- d-----w- c:\windows\Downloaded Installations
2011-11-22 06:27 . 2011-11-22 07:41 9216 ----a-w- c:\windows\system32\IOCTLVDD.DLL
2011-11-22 05:24 . 2011-11-22 05:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\Corel
2011-11-22 05:10 . 2011-11-22 05:10 -------- d-----w- c:\documents and settings\Administrator\Application Data\Avira
2011-11-22 05:10 . 2011-09-18 00:39 134344 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-11-22 05:10 . 2011-09-15 15:55 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-11-22 05:10 . 2011-11-22 05:10 -------- d-----w- c:\program files\Avira
2011-11-22 05:09 . 2011-11-22 05:09 -------- d-----w- c:\windows\system32\LogFiles
2011-11-22 04:52 . 2011-11-22 04:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-11-22 04:52 . 2011-11-22 04:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-11-22 04:52 . 2011-11-25 03:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-22 04:52 . 2011-08-31 09:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-22 04:44 . 2011-11-22 04:44 -------- d-----w- c:\program files\InstallShield Installation Information
2011-11-22 04:44 . 2011-11-22 04:44 -------- d-----w- c:\program files\Common Files\Corel
2011-11-22 04:43 . 2011-11-22 04:43 -------- d-----w- c:\program files\Corel
2011-11-22 04:42 . 2011-11-22 04:44 -------- d-----w- c:\program files\Common Files\InstallShield
2011-11-22 04:34 . 2011-11-26 00:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Digsby
2011-11-22 04:34 . 2011-11-22 10:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Digsby
2011-11-22 04:34 . 2011-11-22 10:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\Digsby
2011-11-22 04:32 . 2011-11-22 04:32 -------- d-----w- c:\program files\Digsby
2011-11-22 04:18 . 2011-09-15 15:55 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2011-11-22 03:29 . 2011-11-22 03:31 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp
2011-11-22 02:42 . 2011-11-22 02:42 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2011-11-22 02:41 . 2011-11-22 02:41 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2011-11-22 02:40 . 2011-11-22 02:40 -------- d-----w- c:\documents and settings\NetworkService\IETldCache
2011-11-22 02:39 . 2011-11-22 02:39 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-11-22 02:37 . 2009-01-07 10:21 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2011-11-22 02:36 . 2011-11-22 02:37 -------- dc----w- c:\windows\ie8
2011-11-22 02:36 . 2011-11-22 02:36 -------- d-----w- c:\windows\system32\x64
2011-11-22 02:36 . 2008-07-01 02:47 920088 ----a-w- c:\windows\system32\igxpun.exe
2011-11-22 02:36 . 2011-11-22 02:36 -------- dc----w- c:\windows\system32\DRVSTORE
2011-11-22 02:36 . 2006-11-10 01:25 319456 ----a-w- c:\windows\system32\difxapi.dll
2011-11-22 02:36 . 2011-11-22 02:37 -------- d-----w- c:\windows\msdownld.tmp
2011-11-22 02:35 . 2001-12-28 19:55 24035 ----a-r- c:\windows\system32\drivers\eaps2kbd.sys
2011-11-22 02:35 . 2001-09-05 03:25 40960 ----a-r- c:\windows\LoadDll.dll
2011-11-22 02:35 . 2000-03-13 20:16 18841 ----a-r- c:\windows\system32\FltrCoi.dll
2011-11-22 02:35 . 1999-10-29 20:35 24348 ----a-r- c:\windows\system32\drivers\EAWDMFD.SYS
2011-11-22 02:35 . 2011-11-22 02:35 -------- d-----w- c:\windows\system32\RTCOM
2011-11-22 02:35 . 2008-04-14 08:17 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2011-11-22 02:35 . 2008-07-01 03:27 108800 ----a-w- c:\windows\system32\drivers\Rtenicxp.sys
2011-11-22 02:35 . 2008-07-21 16:14 9728 ----a-w- c:\windows\system32\RtNicProp32.dll
2011-11-22 02:30 . 2011-11-22 02:30 -------- d-----w- c:\documents and settings\Administrator\UserData
2011-11-22 02:29 . 2011-11-22 02:29 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2011-11-22 02:24 . 2011-11-22 03:31 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2011-11-22 02:24 . 2011-11-22 02:30 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2011-11-22 02:24 . 2011-11-22 02:24 -------- d-----w- c:\program files\Google
2011-11-22 02:02 . 2011-11-22 02:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2011-11-22 02:01 . 2011-11-22 02:01 -------- d-----w- c:\program files\Easy Media Player
2011-11-22 01:52 . 2011-11-22 01:53 -------- d-----w- c:\documents and settings\All Users\Application Data\SweetIM
2011-11-22 01:52 . 2011-11-22 01:52 -------- d-----w- c:\program files\SweetIM
2011-11-22 00:49 . 2011-11-22 00:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\AskToolbar
2011-11-22 00:29 . 2011-11-22 00:29 -------- d-----w- C:\logs
2011-11-22 00:29 . 2011-11-23 06:23 -------- d-----w- c:\program files\Chikka Messenger
2011-11-22 00:28 . 2011-11-22 00:28 -------- d-----w- c:\program files\IPMsg
2011-11-21 23:43 . 2011-11-25 11:00 -------- d-----w- c:\windows\system32\NtmsData
2011-11-21 23:43 . 2011-11-21 23:43 -------- d---a-w- c:\windows\Repair
2011-11-21 13:04 . 2011-11-24 03:04 -------- d-----w- c:\program files\Ask.com
2011-11-21 13:04 . 2011-11-26 00:52 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AskToolbar
2011-11-21 13:03 . 2011-11-22 05:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-11-21 11:54 . 2011-11-23 01:02 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2011-11-21 11:46 . 2011-11-22 07:41 4032 ----a-w- c:\windows\system32\drivers\hostnt.sys
2011-11-21 11:46 . 2011-11-22 07:41 29056 ----a-w- c:\windows\system32\drivers\gsmhwdm.sys
2011-11-21 11:46 . 2011-11-22 07:41 27696 ----a-w- c:\windows\system32\drivers\mhdrv.sys
2011-11-21 11:46 . 2011-11-22 07:41 26060 ----a-w- c:\windows\system32\drivers\rcmhdog.sys
2011-11-21 11:46 . 2011-11-22 07:41 25904 ----a-w- c:\windows\system32\drivers\rcusbwdm.sys
2011-11-21 11:42 . 2011-11-21 11:42 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-21 11:42 . 2011-11-21 11:42 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2011-11-21 11:39 . 2011-11-21 11:39 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2011-11-21 11:33 . 2011-11-21 11:40 -------- d-----w- C:\account
2011-11-21 11:32 . 2011-11-21 11:32 -------- d-----w- c:\program files\Common Files\Adobe
2011-11-21 11:28 . 2009-02-27 16:23 450560 ----a-w- c:\windows\system32\GDS32.DLL
2011-11-21 11:28 . 2009-02-27 07:34 462848 ----a-w- c:\windows\system32\Firebird2Control.cpl
2011-11-21 11:28 . 2011-11-21 11:28 -------- d-----w- c:\program files\Firebird
2011-11-21 11:26 . 2011-11-21 11:26 69632 ----a-w- c:\windows\system32\MY3L_EX.DLL
2011-11-21 11:26 . 2011-11-21 11:26 53248 ----a-w- c:\windows\system32\NT_DLL2.DLL
2011-11-21 11:26 . 2011-11-21 11:26 135168 ----a-w- c:\windows\system32\YutianEx.DLL
2011-11-21 11:26 . 2005-09-05 14:33 413696 ----a-w- c:\windows\system32\SetUp_Pro.dll
2011-11-21 11:14 . 2006-10-26 11:56 33104 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\msonpppr.dll
2011-11-21 11:14 . 2006-10-26 11:56 32592 ----a-w- c:\windows\system32\msonpmon.dll
2011-11-21 11:14 . 2011-11-21 11:14 -------- d-----w- c:\program files\Microsoft Works
2011-11-21 11:14 . 2011-11-21 11:14 -------- d-----w- c:\program files\MSBuild
2011-11-21 11:12 . 2011-11-21 11:14 -------- d-----w- c:\windows\SHELLNEW
2011-11-21 11:12 . 2011-11-21 11:12 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft Help
2011-11-21 11:12 . 2011-11-21 11:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2011-11-21 11:12 . 2011-11-21 11:12 -------- d-----r- C:\MSOCache
2011-11-21 11:11 . 2008-04-13 16:15 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2011-11-21 10:39 . 2011-11-21 10:39 -------- d-----w- c:\documents and settings\Administrator\Bluebirds
2011-11-21 10:39 . 2011-11-21 10:39 -------- d-----w- c:\windows\system32\Lang
2011-11-21 10:38 . 2011-11-21 10:38 -------- d-----w- c:\windows\system32\oobe
.
.
.
(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((( SnapShot_2011-11-23_01.49.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-11-23 06:07 . 2011-11-23 06:10 45056 c:\windows\Installer\{6F7ECD56-E224-4263-9B7E-158E5CECC43B}\_486AD40031E5_4A05_BAE5_67FC693FE0EF.exe
+ 2011-11-23 06:07 . 2011-11-23 06:07 4150 c:\windows\Installer\{B376402D-58EA-45EA-BD50-DD924EB67A70}\hpmd.exe
+ 2003-04-16 11:31 . 2003-04-16 11:31 258048 c:\windows\system32\hpsjvset.dll
+ 2003-04-15 16:31 . 2003-04-15 16:31 274432 c:\windows\system32\hpgwiamd.dll
+ 2003-04-15 16:33 . 2003-04-15 16:33 401408 c:\windows\system32\hpgt2436.dll
+ 2011-11-24 09:18 . 2011-11-24 09:18 371272 c:\windows\Installer\{AA59DDE4-B672-4621-A016-4C248204957A}\SkypeIcon.exe
- 2011-11-21 13:04 . 2011-11-21 13:04 102400 c:\windows\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}\ARPPRODUCTICON.exe
+ 2011-11-21 13:04 . 2011-11-24 03:04 102400 c:\windows\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}\ARPPRODUCTICON.exe
+ 2011-11-24 03:04 . 2011-11-24 03:04 2144768 c:\windows\Installer\9d962b.msi
+ 2011-11-24 09:18 . 2011-11-24 09:18 1252864 c:\windows\Installer\1f48519.msi
+ 2011-11-24 09:18 . 2011-11-24 09:18 1527808 c:\windows\Installer\1f48513.msi
+ 2011-11-23 06:07 . 2011-11-23 06:07 4006400 c:\windows\Installer\111b3ea.msi
+ 2011-11-23 06:07 . 2011-11-23 06:07 2932224 c:\windows\Installer\111b3e3.msi
.
((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EEE6C35D-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll" [2011-08-24 130864]
.
[HKEY_CLASSES_ROOT\clsid\{eee6c35d-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35F-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-11-20 18:18 1515688 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}]
2011-08-24 10:21 1299248 ----a-r- c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-11-20 1515688]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2011-08-24 1299248]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-11-20 1515688]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2011-08-24 1299248]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"bluebirds"="c:\documents and settings\Administrator\Bluebirds\BlueBirds.exe" [2009-04-29 270336]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-11-22 39408]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-10-13 17351304]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-23 16804864]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-01 141848]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-11 34672]
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2011-09-08 888488]
"SweetIM"="c:\program files\SweetIM\Messenger\SweetIM.exe" [2011-08-01 114992]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-09-23 258512]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Digsby.lnk - c:\program files\Digsby\digsby.exe [2010-3-3 141488]
IPMSG for Win32.lnk - c:\program files\IPMsg\ipmsg.exe [2011-11-22 210432]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\IPMsg\\ipmsg.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R0 amdagp8p;AMD NB AGP Bus Filter;c:\windows\system32\drivers\amdagp8p.sys [8/30/2008 12:31 PM 27648]
R0 dontgo;Promise Removable Disk Control Driver;c:\windows\system32\drivers\dontgo.sys [8/30/2008 12:31 PM 7680]
R0 tmagp;Transmeta TM 8000 AGP Filter Driver;c:\windows\system32\drivers\TMAGP.SYS [8/30/2008 12:32 PM 27648]
R0 ULiAGP;ULi AGP Controller Bus Filter Driver;c:\windows\system32\drivers\ULiAGP.SYS [8/30/2008 12:32 PM 33408]
R0 uliagpkx;ULi AGP Bus Filter Driver;c:\windows\system32\drivers\AGPKX.SYS [8/30/2008 12:31 PM 45056]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [11/22/2011 12:18 PM 36000]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/22/2011 1:10 PM 86224]
R2 AntiVirWebService;Avira Web Protection;c:\program files\Avira\AntiVir Desktop\avwebgrd.exe [11/22/2011 1:10 PM 463824]
R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbguard.exe [11/21/2011 7:28 PM 81920]
R2 HOSTNT;Hostnt;c:\windows\system32\drivers\hostnt.sys [11/21/2011 7:46 PM 4032]
R2 MHDRV;Mhdrv;c:\windows\system32\drivers\mhdrv.sys [11/21/2011 7:46 PM 27696]
R2 RCMHDOG;RCMHDOG;c:\windows\system32\drivers\rcmhdog.sys [11/21/2011 7:46 PM 26060]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbserver.exe [11/21/2011 7:28 PM 2732032]
S0 hptpro;hptpro;c:\windows\system32\drivers\hptpro.sys [8/30/2008 12:31 PM 9809]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/22/2011 10:24 AM 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [11/22/2011 10:24 AM 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
.
‘计划任务’ 文件夹里的内容
.
2011-11-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-11-22 02:24]
.
2011-11-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-11-22 02:24]
.
2011-11-25 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2011-11-20 18:18]
.
2011-11-26 c:\windows\Tasks\User_Feed_Synchronization-{494232BA-F10B-4C2D-910D-DD06DB7D7733}.job
- c:\windows\system32\msfeedssync.exe [2009-03-07 20:31]
.
.
------- 而外的扫描 -------
.
uStart Page = hxxp://www.ask.com/?l=dis&o=APN10023&gct=hp
uInternet Connection Wizard,ShellNext = hxxp://www.firebirdsql.org//afterinstall
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Search the Web - c:\program files\SweetIM\Toolbars\Internet Explorer\resources\menuext.html
LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
TCP: DhcpNameServer = 124.106.5.2 124.106.6.2
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\obpr90mx.default\
FF - prefs.js: browser.search.defaulturl -
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://home.sweetim.com
FF - prefs.js: keyword.URL - hxxp://search.sweetim.com/search.asp?src=2&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype Click to Call: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - Ext: Avira SearchFree Toolbar plus Web Protection: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: SweetIM Toolbar for Firefox: {EEE6C361-6118-11DC-9C72-001320C79847} - %profile%\extensions\{EEE6C361-6118-11DC-9C72-001320C79847}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-26 09:21
Windows 5.1.2600 Service Pack 3 NTFS
.
扫描被隐藏的进程。。。
.
扫描被隐藏的启动组。。。
.
扫描被隐藏的文件。。。
.
扫描完成
被隐藏的档案: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1757981266-113007714-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,21,6b,12,05,0e,63,54,48,be,53,c8,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,21,6b,12,05,0e,63,54,48,be,53,c8,\
.
--------------------- 运行进程下的动态链接库 ---------------------
.
- - - - - - - > 'lsass.exe'(784)
c:\program files\Avira\AntiVir Desktop\avsda.dll
.
- - - - - - - > 'explorer.exe'(504)
c:\program files\Avira\AntiVir Desktop\avsda.dll
c:\progra~1\MICROS~2\Office12\GRA8E1~1.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
完成时间: 2011-11-26 09:36:34
ComboFix-quarantined-files.txt 2011-11-26 01:36
ComboFix2.txt 2011-11-25 03:11
ComboFix3.txt 2011-11-25 02:22
ComboFix4.txt 2011-11-23 03:01
ComboFix5.txt 2011-11-25 11:16
.
Pre-Run: 125,210,734,592 bytes free
Post-Run: 125,200,375,808 bytes free
.
- - End Of File - - F8236B709CC305C98AC3482D9DCD0731

shannemark
New Member

Date Joined Sep 2011
Total Posts : 29

Posted 11/26/2011 5:04 AM (GMT +3)

mam I followed your instruction but I'ts asking windows xp professional service pack 3 cd.
so I cancelled it

Andreea-Luciana Ostache
Forum Moderator

Date Joined Aug 2010
Total Posts : 373

Posted 11/26/2011 5:43 AM (GMT +3)

What about the turning off of "Enable write caching on the disk". Did you disable this?

shannemark
New Member

Date Joined Sep 2011
Total Posts : 29

Posted 11/26/2011 5:46 AM (GMT +3)

yes mam andrea, I turn off "Enable write caching on the disk"

I run hijack this here is the log:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:43:05 AM, on 11/26/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Ask.com\Updater\Updater.exe
C:\Program Files\SweetIM\Messenger\SweetIM.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Documents and Settings\Administrator\Bluebirds\BlueBirds.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IPMsg\ipmsg.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Firebird\Firebird_2_1\bin\fbguard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Firebird\Firebird_2_1\bin\fbserver.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\My Documents\Downloads\HijackThis.exe

R3 - URLSearchHook: SweetIM ToolbarURLSearchHook Class - {EEE6C35D-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: SWEETIE - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O3 - Toolbar: Avira SearchFree Toolbar plus Web Protection - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: SweetIM Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ApnUpdater] "C:\Program Files\Ask.com\Updater\Updater.exe"
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\SweetIM\Messenger\SweetIM.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKCU\..\Run: [bluebirds] C:\Documents and Settings\Administrator\Bluebirds\BlueBirds.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Digsby.lnk = C:\Program Files\Digsby\digsby.exe
O4 - Startup: IPMSG for Win32.lnk = C:\Program Files\IPMsg\ipmsg.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Search the Web - C:\Program Files\SweetIM\Toolbars\Internet Explorer\resources\menuext.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira Scheduler (AntiVirSchedulerService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira Realtime Protection (AntiVirService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Avira Web Protection (AntiVirWebService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - Firebird Project - C:\Program Files\Firebird\Firebird_2_1\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - Firebird Project - C:\Program Files\Firebird\Firebird_2_1\bin\fbserver.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)

--
End of file - 8185 bytes

Andreea-Luciana Ostache
Forum Moderator

Date Joined Aug 2010
Total Posts : 373

Posted 11/26/2011 6:31 AM (GMT +3)

Run Hijackthis and place a checkmark by these entries:

C:\Program Files\Ask.com\Updater\Updater.exe
C:\Documents and Settings\Administrator\Bluebirds\BlueBirds.exe
R3 - URLSearchHook: SweetIM ToolbarURLSearchHook Class - {EEE6C35D-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll

O2 - BHO: SWEETIE - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O3 - Toolbar: Avira SearchFree Toolbar plus Web Protection - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: SweetIM Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O4 - HKLM\..\Run: [ApnUpdater] "C:\Program Files\Ask.com\Updater\Updater.exe"
O4 - HKCU\..\Run: [bluebirds] C:\Documents and Settings\Administrator\Bluebirds\BlueBirds.exe
O8 - Extra context menu item: Search the Web - C:\Program Files\SweetIM\Toolbars\Internet Explorer\resources\menuext.html

Press the fix button at the end and reboot the computer.
Also, make sure your antivirus is updated and run a new scan with it.

Then, delete the following folders:

C:\Program Files\Ask.com\
C:\Program Files\SweetIM\
C:\Documents and Settings\Administrator\Bluebirds
c:\documents and settings\All Users\Application Data\SweetIM
c:\documents and settings\Administrator\Application Data\AskToolbar
c:\documents and settings\Administrator\Local Settings\Application Data\AskToolbar
c:\documents and settings\Administrator\Local Settings\Application Data\Temp

Post Edited (Andreea-Luciana Ostache) : 26-11-2011 03:42:23 GMT

shannemark
New Member

Date Joined Sep 2011
Total Posts : 29

Posted 11/26/2011 8:11 AM (GMT +3)

I follow your instructions.

I run the hijack and fix those files you gave then I run avira 2012. there is 4 hidden object found. it ask me to restart my computer.

there is a desktop note pad pop out:

[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787

Andreea-Luciana Ostache
Forum Moderator

Date Joined Aug 2010
Total Posts : 373

Posted 11/26/2011 10:17 PM (GMT +3)

The problem you are dealing with now is fixable.

See Microsoft: support.microsoft.com/kb/330132

Forum Information

Currently it is Thursday, May 23, 2013 3:05 AM (GMT +3)
There are a total of 59,524 posts in 13,140 threads.
In the last 3 days there were 1 new threads and 7 reply posts. View Active Threads