windows xp infected with "windows repair"


Hi, Everyone,

My Windows XP got infected with a virus called Windows Repair, after I clicked a weblink.

It started with a Java logo. Then I thought something was not abnormal and unplugged my internet connection. But it was too late. I started Malwarebytes to do a quick scan, and the scan hung due to the infection. And my computer started to have the symptoms described here:

http://forums.malwarebytes.org/index.php?showtopic=79287

The virus requested me to do a restart, but I dared not. And finally, it restarted my computer itself. And now, I am in Linux (this machine has Linux installed) and waiting for help.

Thanks a lot in advance,

Yan


Hello vyan2000 and welcome to Malwarebytes! :welcome:

I am D-FRED-BROWN and I will be helping you. :)

Please print or save this topic: it will make it easier for you to follow the instructions and complete all of the necessary steps.

-------------

Please download to your Desktop:

  • TDSSKiller.zip from here and extract it (right click on it => "Extract here").

>>> TDSSKiller: Double-click on TDSSKiller.exe to run the application.

  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

In your next reply, please include the following (you may need to use two posts to get it all in):

  • TDSSKiller_log.txt
  • How the PC is running now?
-------------
Please do the following:

  • Download DDS by sUBs from one of the following links. Save it to your Desktop.

    NOTE: Before scanning, make sure all other running programs are closed.

    There shouldn't be any scheduled antivirus scans running while the scan is being performed.

    Do not use your computer for anything else during the scan.

  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your Desktop.

-------------

Please download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-------------

In your next reply, please include:

  • TDSSKiller log
  • DDS log
  • Security Check checkup.txt

How is your computer running now?


Hi D-FRED-BROWN,

Thanks a lot for the help.

I have to say hi fast:

Here is the log:

2011/07/17 00:45:32.0656 3264 TDSS rootkit removing tool 2.5.11.0 Jul 11 2011 16:56:56

2011/07/17 00:45:33.0562 3264 ================================================================================

2011/07/17 00:45:33.0562 3264 SystemInfo:

2011/07/17 00:45:33.0562 3264

2011/07/17 00:45:33.0562 3264 OS Version: 5.1.2600 ServicePack: 3.0

2011/07/17 00:45:33.0562 3264 Product type: Workstation

2011/07/17 00:45:33.0562 3264 ComputerName: PC-200811110239

2011/07/17 00:45:33.0562 3264 UserName: Administrator

2011/07/17 00:45:33.0562 3264 Windows directory: C:\WINDOWS

2011/07/17 00:45:33.0562 3264 System windows directory: C:\WINDOWS

2011/07/17 00:45:33.0562 3264 Processor architecture: Intel x86

2011/07/17 00:45:33.0562 3264 Number of processors: 2

2011/07/17 00:45:33.0562 3264 Page size: 0x1000

2011/07/17 00:45:33.0562 3264 Boot type: Normal boot

2011/07/17 00:45:33.0562 3264 ================================================================================

2011/07/17 00:45:36.0468 3264 Initialize success

2011/07/17 00:45:44.0312 3280 ================================================================================

2011/07/17 00:45:44.0312 3280 Scan started

2011/07/17 00:45:44.0312 3280 Mode: Manual;

2011/07/17 00:45:44.0312 3280 ================================================================================

2011/07/17 00:45:46.0140 3280 ACPI (60053c170357eedace8d88e9d87e993e) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2011/07/17 00:45:46.0515 3280 ACPIEC (28046b6867800b3f12c652ce2c9ea340) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys

2011/07/17 00:45:46.0640 3280 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2011/07/17 00:45:46.0875 3280 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

2011/07/17 00:45:47.0171 3280 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys

2011/07/17 00:45:47.0718 3280 Ambfilt (267fc636801edc5ab28e14036349e3be) C:\WINDOWS\system32\drivers\Ambfilt.sys

2011/07/17 00:45:48.0593 3280 AmdK8 (1b0806a92432bf6e9def9fbf0494f67d) C:\WINDOWS\system32\DRIVERS\AmdK8.sys

2011/07/17 00:45:49.0843 3280 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2011/07/17 00:45:50.0218 3280 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2011/07/17 00:45:51.0015 3280 atksgt (f0d933b42cd0594048e4d5200ae9e417) C:\WINDOWS\system32\DRIVERS\atksgt.sys

2011/07/17 00:45:51.0406 3280 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2011/07/17 00:45:51.0953 3280 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2011/07/17 00:45:52.0562 3280 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2011/07/17 00:45:53.0609 3280 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2011/07/17 00:45:54.0187 3280 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2011/07/17 00:45:54.0609 3280 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2011/07/17 00:45:55.0609 3280 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys

2011/07/17 00:45:56.0765 3280 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys

2011/07/17 00:45:58.0421 3280 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2011/07/17 00:45:58.0921 3280 dmboot (99b33c26d6fbb7b06cd1e8a7ff729ce0) C:\WINDOWS\system32\drivers\dmboot.sys

2011/07/17 00:45:59.0750 3280 dmio (5e87fcad72a24ad869aafd3c6a4dca45) C:\WINDOWS\system32\drivers\dmio.sys

2011/07/17 00:46:00.0234 3280 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2011/07/17 00:46:00.0734 3280 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2011/07/17 00:46:01.0703 3280 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2011/07/17 00:46:01.0953 3280 eeCtrl (5461f01b7def17dc90d90b029f874c3b) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys

2011/07/17 00:46:02.0156 3280 EraserUtilRebootDrv (17fcc372d03ba39f3aee85198c0ec594) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys

2011/07/17 00:46:02.0640 3280 es1371 (a55dd7d8ced5d2624a9ee2dda7be0319) C:\WINDOWS\system32\drivers\es1371mp.sys

2011/07/17 00:46:03.0578 3280 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2011/07/17 00:46:03.0968 3280 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys

2011/07/17 00:46:04.0328 3280 Fips (80a4f4c75683bfbfa359f6c8c51230a4) C:\WINDOWS\system32\drivers\Fips.sys

2011/07/17 00:46:04.0656 3280 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

2011/07/17 00:46:05.0062 3280 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys

2011/07/17 00:46:05.0796 3280 FsVga (ab4983120e4e4527ae9ffe4177ecd6e7) C:\WINDOWS\system32\DRIVERS\fsvga.sys

2011/07/17 00:46:06.0187 3280 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2011/07/17 00:46:06.0531 3280 Ftdisk (38375a4d9582a08c14c928cc099b8836) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2011/07/17 00:46:06.0984 3280 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys

2011/07/17 00:46:07.0375 3280 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2011/07/17 00:46:07.0812 3280 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

2011/07/17 00:46:08.0437 3280 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2011/07/17 00:46:09.0265 3280 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys

2011/07/17 00:46:10.0078 3280 i8042prt (1694f6666dbee4d5bec6a5919eeb4d86) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2011/07/17 00:46:10.0640 3280 iaStor7 (e5a0034847537eaee3c00349d5c34c5f) C:\WINDOWS\system32\drivers\iastor7.sys

2011/07/17 00:46:11.0187 3280 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2011/07/17 00:46:12.0828 3280 IntcAzAudAddService (5707cec38db61b96079e6a14b4702446) C:\WINDOWS\system32\drivers\RtkHDAud.sys

2011/07/17 00:46:15.0437 3280 IntelIde (c8435e37cc6c13e25bd361b5d806d3c7) C:\WINDOWS\system32\DRIVERS\intelide.sys

2011/07/17 00:46:15.0906 3280 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys

2011/07/17 00:46:16.0375 3280 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2011/07/17 00:46:16.0859 3280 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2011/07/17 00:46:17.0296 3280 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2011/07/17 00:46:17.0875 3280 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2011/07/17 00:46:18.0375 3280 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2011/07/17 00:46:18.0843 3280 isapnp (cb353452590cc3faeeef86de334d5f49) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2011/07/17 00:46:19.0218 3280 Kbdclass (5b4d15cd20869778ebf282db0fc08a29) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2011/07/17 00:46:19.0671 3280 kbdhid (7ac6d7729e83ab83165003609deeed3e) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

2011/07/17 00:46:20.0015 3280 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2011/07/17 00:46:20.0765 3280 KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINDOWS\system32\drivers\KSecDD.sys

2011/07/17 00:46:21.0562 3280 lirsgt (f8a7212d0864ef5e9185fb95e6623f4d) C:\WINDOWS\system32\DRIVERS\lirsgt.sys

2011/07/17 00:46:21.0984 3280 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2011/07/17 00:46:22.0406 3280 Modem (ba656ef98ce4049638794e390d78ef36) C:\WINDOWS\system32\drivers\Modem.sys

2011/07/17 00:46:23.0015 3280 Monfilt (c7d9f9717916b34c1b00dd4834af485c) C:\WINDOWS\system32\drivers\Monfilt.sys

2011/07/17 00:46:23.0671 3280 Mouclass (35ac8fd90e70f2e54cb4bfb21b4e1bf1) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2011/07/17 00:46:23.0968 3280 mouhid (692910b446d0b751b2462f3624c7b1a7) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2011/07/17 00:46:24.0328 3280 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2011/07/17 00:46:25.0031 3280 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2011/07/17 00:46:25.0703 3280 MRxSmb (60ae98742484e7ab80c3c1450e708148) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2011/07/17 00:46:26.0562 3280 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2011/07/17 00:46:26.0968 3280 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2011/07/17 00:46:27.0328 3280 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2011/07/17 00:46:27.0718 3280 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2011/07/17 00:46:28.0125 3280 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2011/07/17 00:46:28.0625 3280 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

2011/07/17 00:46:29.0093 3280 NAVENG (920d9701bba90dbb7ccfd3536ea4d6f9) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110715.019\NAVENG.SYS

2011/07/17 00:46:29.0609 3280 NAVEX15 (31b1a9b53c3319b97f7874347cd992d2) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110715.019\NAVEX15.SYS

2011/07/17 00:46:30.0203 3280 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2011/07/17 00:46:30.0687 3280 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2011/07/17 00:46:31.0109 3280 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2011/07/17 00:46:31.0515 3280 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2011/07/17 00:46:32.0109 3280 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys

2011/07/17 00:46:32.0656 3280 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2011/07/17 00:46:33.0125 3280 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2011/07/17 00:46:33.0812 3280 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2011/07/17 00:46:34.0375 3280 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2011/07/17 00:46:35.0296 3280 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2011/07/17 00:46:37.0500 3280 nv (8e72e452b9cc1e455d19e3c9fa964d37) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

2011/07/17 00:46:41.0437 3280 NVENETFD (0258d664f93b4b01ddd621b8c084f322) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys

2011/07/17 00:46:41.0875 3280 nvnetbus (56ec9207906435ef1bf02f5c68e3ffec) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys

2011/07/17 00:46:42.0359 3280 nvrd32 (b71bfbc2fe958a6da1e31357e03ad545) C:\WINDOWS\system32\DRIVERS\nvrd32.sys

2011/07/17 00:46:43.0156 3280 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2011/07/17 00:46:43.0609 3280 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2011/07/17 00:46:44.0031 3280 Parport (42580fdf84b2d08c3366819f80714274) C:\WINDOWS\system32\DRIVERS\parport.sys

2011/07/17 00:46:44.0500 3280 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2011/07/17 00:46:45.0015 3280 ParVdm (4f3fc4954972da46284641091deee02e) C:\WINDOWS\system32\drivers\ParVdm.sys

2011/07/17 00:46:45.0500 3280 PCI (28eca79bcd3883dc6cb0ac2b20fdb2f0) C:\WINDOWS\system32\DRIVERS\pci.sys

2011/07/17 00:46:46.0296 3280 PCIIde (a4d41f0279f405d6f5c19465aad82834) C:\WINDOWS\system32\DRIVERS\pciide.sys

2011/07/17 00:46:46.0687 3280 Pcmcia (c635d49dd4db6bb9e1e0d0f3e67dae0e) C:\WINDOWS\system32\drivers\Pcmcia.sys

2011/07/17 00:46:47.0203 3280 PCnet (7bc8027d56fab153a987c56ae9835664) C:\WINDOWS\system32\DRIVERS\pcntpci5.sys

2011/07/17 00:46:49.0375 3280 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2011/07/17 00:46:49.0718 3280 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2011/07/17 00:46:50.0140 3280 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2011/07/17 00:46:52.0078 3280 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2011/07/17 00:46:52.0406 3280 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2011/07/17 00:46:52.0734 3280 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2011/07/17 00:46:53.0093 3280 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2011/07/17 00:46:53.0390 3280 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2011/07/17 00:46:53.0765 3280 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2011/07/17 00:46:54.0140 3280 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2011/07/17 00:46:54.0515 3280 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2011/07/17 00:46:54.0843 3280 redbook (14615ebaf029cd0a7af97d10fbd900cd) C:\WINDOWS\system32\DRIVERS\redbook.sys

2011/07/17 00:46:55.0234 3280 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2011/07/17 00:46:55.0625 3280 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

2011/07/17 00:46:55.0968 3280 Serial (81fa8e4f77964b6a606670b87c331c2e) C:\WINDOWS\system32\DRIVERS\serial.sys

2011/07/17 00:46:56.0296 3280 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

2011/07/17 00:46:56.0640 3280 SiFilter (72cf151fb410e544904dbc7d7f29b796) C:\WINDOWS\system32\DRIVERS\SiWinAcc.sys

2011/07/17 00:46:57.0515 3280 SPBBCDrv (e621bb5839cf45fa477f48092edd2b40) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys

2011/07/17 00:46:57.0984 3280 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2011/07/17 00:46:58.0328 3280 sptd (71e276f6d189413266ea22171806597b) C:\WINDOWS\system32\Drivers\sptd.sys

2011/07/17 00:46:58.0328 3280 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: 71e276f6d189413266ea22171806597b

2011/07/17 00:46:58.0343 3280 sptd - detected LockedFile.Multi.Generic (1)

2011/07/17 00:46:58.0656 3280 Sr (d06200275fb3040cd030f7510e810a10) C:\WINDOWS\system32\DRIVERS\sr.sys

2011/07/17 00:46:59.0109 3280 SRTSP (2abf82c8452ab0b9ffc74a2d5da91989) C:\WINDOWS\system32\Drivers\SRTSP.SYS

2011/07/17 00:46:59.0703 3280 SRTSPL (e2f9e5887bea5bd8784d337e06eda31b) C:\WINDOWS\system32\Drivers\SRTSPL.SYS

2011/07/17 00:47:00.0156 3280 SRTSPX (3b974c158fabd910186f98df8d3e23f3) C:\WINDOWS\system32\Drivers\SRTSPX.SYS

2011/07/17 00:47:00.0531 3280 Srv (4f8a43adef66f135564085a9dca96a26) C:\WINDOWS\system32\DRIVERS\srv.sys

2011/07/17 00:47:01.0046 3280 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2011/07/17 00:47:01.0375 3280 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2011/07/17 00:47:02.0312 3280 SymEvent (a54ff04bd6e75dc4d8cb6f3e352635e0) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS

2011/07/17 00:47:02.0765 3280 SYMREDRV (394b2368212114d538316812af60fddd) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS

2011/07/17 00:47:03.0218 3280 SYMTDI (d46676bb414c7531bdffe637a33f5033) C:\WINDOWS\System32\Drivers\SYMTDI.SYS

2011/07/17 00:47:04.0218 3280 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2011/07/17 00:47:04.0421 3280 Tcpip (030dc4d48cc2b894fee2f390d8e66ad5) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2011/07/17 00:47:04.0625 3280 Tcpip6 (aa7a55536096d646dc7ab0ac5641e9e8) C:\WINDOWS\system32\DRIVERS\tcpip6.sys

2011/07/17 00:47:04.0828 3280 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2011/07/17 00:47:04.0984 3280 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2011/07/17 00:47:05.0156 3280 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2011/07/17 00:47:05.0484 3280 tunmp (8f861eda21c05857eb8197300a92501c) C:\WINDOWS\system32\DRIVERS\tunmp.sys

2011/07/17 00:47:05.0531 3280 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2011/07/17 00:47:05.0609 3280 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2011/07/17 00:47:05.0781 3280 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2011/07/17 00:47:05.0937 3280 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2011/07/17 00:47:06.0093 3280 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2011/07/17 00:47:06.0250 3280 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys

2011/07/17 00:47:06.0406 3280 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2011/07/17 00:47:06.0578 3280 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2011/07/17 00:47:06.0718 3280 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2011/07/17 00:47:06.0906 3280 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2011/07/17 00:47:06.0953 3280 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2011/07/17 00:47:07.0015 3280 viamraid (3a82a61e312addb3be8f1fe3481842b1) C:\WINDOWS\system32\DRIVERS\viamraid.sys

2011/07/17 00:47:07.0078 3280 VolSnap (0cc9c065291b175cf6771d7edcd1b980) C:\WINDOWS\system32\drivers\VolSnap.sys

2011/07/17 00:47:07.0140 3280 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2011/07/17 00:47:07.0234 3280 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2011/07/17 00:47:07.0359 3280 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\Drivers\wpdusb.sys

2011/07/17 00:47:07.0406 3280 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys

2011/07/17 00:47:07.0468 3280 MBR (0x1B8) (6f9a1d528242bc09104b85e0becf5554) \Device\Harddisk0\DR0

2011/07/17 00:47:07.0468 3280 \Device\Harddisk0\DR0 - detected Rootkit.Boot.SST.a (0)

2011/07/17 00:47:07.0484 3280 Boot (0x1200) (6c84db77d56d05412ef0a27ef3c16596) \Device\Harddisk0\DR0\Partition0

2011/07/17 00:47:07.0531 3280 Boot (0x1200) (28a34e047ffd892b2af05743011260f1) \Device\Harddisk0\DR0\Partition1

2011/07/17 00:47:07.0531 3280 ================================================================================

2011/07/17 00:47:07.0531 3280 Scan finished

2011/07/17 00:47:07.0531 3280 ================================================================================

2011/07/17 00:47:07.0546 3272 Detected object count: 2

2011/07/17 00:47:07.0546 3272 Actual detected object count: 2

2011/07/17 00:47:31.0890 3272 LockedFile.Multi.Generic(sptd) - User select action: Skip

2011/07/17 00:47:38.0500 3272 \Device\Harddisk0\DR0 (Rootkit.Boot.SST.a) - will be cured after reboot

2011/07/17 00:47:38.0500 3272 \Device\Harddisk0\DR0 - ok

2011/07/17 00:47:38.0500 3272 Rootkit.Boot.SST.a(\Device\Harddisk0\DR0) - User select action: Cure

2011/07/17 00:48:01.0531 3260 Deinitialize success
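Reading a TDSSKiller log by hand is error-prone once it runs to a hundred driver lines, so here is a small parser that pulls out what the helper actually checks: which objects were detected, their hashes and paths, what action was chosen for each, and whether a cure is still pending a reboot. This is an added example written for this page, not code from the forum or from the TDSSKiller authors; the sample lines are copied from the log above, and the line formats it matches are the ones visible in that log (the `Report`, `Detection`, `parse_tdsskiller`, `triage` and `needs_reboot` names are this example's own).

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Lines copied from the TDSSKiller log posted in this thread, trimmed to the ones a
# helper reads: the two flagged objects, their enumeration lines, and the post-scan actions.
SAMPLE_LOG = r"""
2011/07/17 00:46:58.0328 3280 sptd (71e276f6d189413266ea22171806597b) C:\WINDOWS\system32\Drivers\sptd.sys
2011/07/17 00:46:58.0328 3280 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: 71e276f6d189413266ea22171806597b
2011/07/17 00:46:58.0343 3280 sptd - detected LockedFile.Multi.Generic (1)
2011/07/17 00:46:58.0656 3280 Sr (d06200275fb3040cd030f7510e810a10) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/07/17 00:47:07.0468 3280 MBR (0x1B8) (6f9a1d528242bc09104b85e0becf5554) \Device\Harddisk0\DR0
2011/07/17 00:47:07.0468 3280 \Device\Harddisk0\DR0 - detected Rootkit.Boot.SST.a (0)
2011/07/17 00:47:07.0484 3280 Boot (0x1200) (6c84db77d56d05412ef0a27ef3c16596) \Device\Harddisk0\DR0\Partition0
2011/07/17 00:47:07.0531 3280 Scan finished
2011/07/17 00:47:07.0546 3272 Detected object count: 2
2011/07/17 00:47:31.0890 3272 LockedFile.Multi.Generic(sptd) - User select action: Skip
2011/07/17 00:47:38.0500 3272 \Device\Harddisk0\DR0 (Rootkit.Boot.SST.a) - will be cured after reboot
2011/07/17 00:47:38.0500 3272 \Device\Harddisk0\DR0 - ok
2011/07/17 00:47:38.0500 3272 Rootkit.Boot.SST.a(\Device\Harddisk0\DR0) - User select action: Cure
""".strip()

# Every line is "<timestamp> <thread id> <message>"; the message forms below are the ones in the log.
PREFIX = re.compile(r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}) (?P<tid>\d+) (?P<msg>.*)$")
OBJECT = re.compile(r"^(?P<name>\S+)(?: \((?P<size>0x[0-9A-Fa-f]+)\))? \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
SUSPICIOUS = re.compile(r"^Suspicious file \((?P<reason>\w+)\): (?P<path>.+?)\. md5: [0-9a-f]{32}$")
DETECTED = re.compile(r"^(?P<obj>.+?) - detected (?P<verdict>\S+) \((?P<level>\d+)\)$")
ACTION = re.compile(r"^(?P<verdict>[\w.]+)\((?P<obj>[^)]+)\) - User select action: (?P<action>\w+)$")
REBOOT = re.compile(r"^(?P<obj>.+?) \((?P<verdict>[\w.]+)\) - will be cured after reboot$")
COUNT = re.compile(r"^Detected object count: (?P<n>\d+)$")


@dataclass
class Detection:
    obj: str                        # driver name or device object the verdict refers to
    verdict: str                    # e.g. Rootkit.Boot.SST.a or LockedFile.Multi.Generic
    md5: Optional[str] = None
    path: Optional[str] = None
    reason: Optional[str] = None    # why it was 'Suspicious' (NoAccess = file could not be read)
    action: Optional[str] = None    # Cure / Skip as chosen in the dialog
    cured_after_reboot: bool = False


@dataclass
class Report:
    detections: Dict[str, Detection] = field(default_factory=dict)
    claimed_count: Optional[int] = None   # the tool's own "Detected object count"


def parse_tdsskiller(text: str) -> Report:
    objects: Dict[str, tuple] = {}   # enumeration lines: name -> (md5, path)
    by_path: Dict[str, str] = {}     # path -> name, so "\Device\Harddisk0\DR0" maps back to "MBR"
    suspicious: Dict[str, str] = {}  # path -> reason
    report = Report()
    for raw in text.splitlines():
        m = PREFIX.match(raw.strip())
        if not m:
            continue
        msg = m["msg"]
        if (o := OBJECT.match(msg)):
            objects[o["name"]] = (o["md5"], o["path"])
            by_path[o["path"]] = o["name"]
        elif (s := SUSPICIOUS.match(msg)):
            suspicious[s["path"]] = s["reason"]
        elif (d := DETECTED.match(msg)):
            obj = d["obj"]
            name = obj if obj in objects else by_path.get(obj)
            md5, path = objects.get(name, (None, None))
            report.detections[obj] = Detection(obj, d["verdict"], md5, path, suspicious.get(path))
        elif (a := ACTION.match(msg)):
            if a["obj"] in report.detections:
                report.detections[a["obj"]].action = a["action"]
        elif (r := REBOOT.match(msg)):
            if r["obj"] in report.detections:
                report.detections[r["obj"]].cured_after_reboot = True
        elif (c := COUNT.match(msg)):
            report.claimed_count = int(c["n"])
    return report


def needs_reboot(report: Report) -> bool:
    return any(d.cured_after_reboot for d in report.detections.values())


def triage(report: Report) -> List[str]:
    """Lines a helper would read before deciding the next step (a review aid, not a verdict)."""
    out: List[str] = []
    if report.claimed_count is not None and report.claimed_count != len(report.detections):
        out.append(f"WARNING: log claims {report.claimed_count} objects, parsed {len(report.detections)}")
    for det in report.detections.values():
        out.append(f"{det.verdict} on {det.path or det.obj} (md5 {det.md5}) -> action: {det.action}")
        if det.cured_after_reboot:
            out.append(f"  pending: {det.obj} is only cured at reboot; re-scan afterwards to confirm")
        if det.verdict.startswith("LockedFile") and det.action == "Skip":
            out.append(f"  skipped: {det.obj} could not be read ({det.reason}); LockedFile is a heuristic, not a malware name")
    return out


if __name__ == "__main__":
    for line in triage(parse_tdsskiller(SAMPLE_LOG)):
        print(line)
```

On this log the parser reports the MBR object as Rootkit.Boot.SST.a with action Cure pending a reboot, and sptd.sys as a LockedFile verdict that was skipped because the file could not be read (the Skip default the instructions above describe). The first fact is why the helper's next question is always "how is the PC after the reboot", and the second is why a skipped locked file is a note for later rather than a finding.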


After the TDSSKiller scan and reboot:

All my desktop background is black and all the shortcuts are gone.

All the files in c:/ are changed to hidden and invisible by default.

All the icons in the start menu are missing.

And the "System Repair" message is back with the symptoms as before.

Sorry for having to type fast, the virus is back.

I will do the DDS scan as you suggested.

Thanks a lot, D-FRED-BROWN,

Yan


Ok, the DDS finished, but without any log file popping up...

Should I continue the "Security Check"?

Many thanks for the help, :)

Yan


Please select the Add Reply button instead of the Reply button- it makes it easier for me to read that way ;)

Go ahead and run Security Check and post its log.

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

Once in Safe Mode, please try to run DDS. If you're successful, please post the log that it creates :)


The Security Check has the log as follows:

``````````End of Log````````````

During the check, there is some information like:

Find is not internal and external command......

Regarding DDS, when I ran it in safe mode, there is still no log popping up. This seems a hard virus...

Thanks a lot for your time,

Yan


Hi, please select the Add Reply button from now on when posting (instead of Reply). It makes it easier for me to read that way. :)

That's not an entire Security Check log- please re-run it and post the full log this time. Don't worry about DDS ;)


Ehm, strange... I did use the "Add reply" button in the last reply, as shown in this snapshot.

But it seems like this button is different from yours. Any hint on this? :rolleyes:

The security check log I posted is complete. And it has only one line as I posted before. Perhaps it was interrupted by something? I did try it multiple times.

I am very happy to try it again, if you think I should. :)

Many Thanks,

Yan

Okay, let's move on to ComboFix ;)

Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

***IMPORTANT: save ComboFix to your Desktop***

Once you have saved it, do NOT run it yet.

----------

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

Once in Safe Mode, please locate ComboFix.exe on your Desktop:

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please go here to see a list of programs that should be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall**

Please include the C:\ComboFix.txt in your next reply for further review.

Also, please let me know if any problems still remain.


Before the log, here is something to report.

When I was using ComboFix in safe mode, ComboFix told me that Symantec Endpoint is not disabled. But there was no way to disable Symantec Endpoint, since it did not show in the task panel and the task manager is disabled by the virus. Moreover, there was no way to quit ComboFix...

I am not sure whether I should retreat to the recovery point, disable Symantec and re-run ComboFix? If needed, I am very happy to do so.

Here is the log. And now it seems that the computer is back to normal. But I am not sure whether there is any backdoor left behind? Or should I do a re-install?

Again, thanks a lot for the help.

Yan

ComboFix 11-07-17.03 - Administrator -07-17 星期日 14:13:53.1.2 - x86 NETWORK

Microsoft Windows XP Professional 5.1.2600.3.936.86.2052.18.958.677 [GMT -4:00]

执行位置: D:\ComboFix.exe

AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

.

.

((((((((((((((((((((((((((((((((((((((( 被删除的档案 )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Administrator\「开始」菜单\程序\System Repair

c:\documents and settings\Administrator\「开始」菜单\程序\System Repair\System Repair.lnk

c:\documents and settings\Administrator\「开始」菜单\程序\System Repair\Uninstall System Repair.lnk

c:\documents and settings\Administrator\0.3553338938706222.exe

c:\documents and settings\Administrator\0.3615687229714907.exe

c:\documents and settings\Administrator\0.9516591034247679.exe

c:\documents and settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\System Repair.lnk

c:\documents and settings\Administrator\Favorites\谷歌Google搜索.url

c:\documents and settings\Administrator\Favorites\网址导航.url

c:\documents and settings\Administrator\桌面\System Repair.lnk

c:\documents and settings\All Users\Application Data\hSVtcInUytJDh.exe

c:\documents and settings\All Users\Application Data\P1kAlMiG2Kb7Fz.exe

c:\documents and settings\All Users\Application Data\Tiger Install

c:\documents and settings\All Users\Application Data\Tiger Install\{A62C4F3A-CDA6-4EA1-AEAA-8A24EC854A03}

c:\documents and settings\All Users\Application Data\Tiger Install\{A62C4F3A-CDA6-4EA1-AEAA-8A24EC854A03}.Dat

c:\windows\IsUn0804.exe

c:\windows\system32\admshare.dat

c:\windows\system32\msconfig.exe

c:\windows\system32\VBBHo.dll

c:\windows\system32\vbbho.tlb

c:\windows\system32\YingInstall

c:\windows\system32\YingInstall\804.ini

c:\windows\Ying-UnInstall.exe

.

.

((((((((((((((((((((((((((((((((((((((( 驱动/服务 )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_IEPROTECTOR

-------\Legacy_XLDOCTOR_SERVICES

-------\Service_IEProtector

-------\Service_XLDoctor Services

.

.

((((((((((((((((((((((((( 2011-06-17 至 2011-07-17 的新的档案 )))))))))))))))))))))))))))))))

.

.

2011-07-17 18:23 . 2011-07-17 18:23 -------- d-----w- c:\windows\system32\wbem\snmp

2011-07-17 18:23 . 2011-07-17 18:23 -------- d-----w- c:\windows\system32\xircom

2011-07-17 18:23 . 2011-07-17 18:23 -------- d-----w- c:\windows\system32\oobe

2011-07-17 18:23 . 2011-07-17 18:23 -------- d-----w- c:\program files\microsoft frontpage

2011-06-26 04:38 . 2011-06-26 06:19 -------- d--h--w- c:\documents and settings\Administrator\Application Data\SPlayer

2011-06-24 14:03 . 2011-06-24 14:03 2106216 ---ha-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll

2011-06-24 14:03 . 2011-06-24 14:03 1998168 ---ha-w- c:\program files\Mozilla Firefox\d3dx9_43.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-07-10 13:47 . 2011-06-13 02:14 404640 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-05-29 13:11 . 2010-11-01 01:52 39984 ---ha-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-29 13:11 . 2010-11-01 01:52 22712 ---ha-w- c:\windows\system32\drivers\mbam.sys

2011-06-24 14:03 . 2011-05-13 22:04 142296 ---ha-w- c:\program files\mozilla firefox\components\browsercomps.dll

2009-11-24 16:08 . 2009-02-21 01:25 253952 ---ha-w- c:\program files\mozilla firefox\components\CheckTudouVa.dll

2008-09-23 09:39 . 2008-11-11 09:54 36864 ---ha-w- c:\program files\mozilla firefox\components\NsThunderLoader.dll

2010-09-15 15:04 . 2008-11-11 09:54 79664 ---ha-w- c:\program files\mozilla firefox\components\ThunderComponent.dll

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[-] 2008-06-11 . 030DC4D48CC2B894FEE2F390D8E66AD5 . 361344 . . [5.1.2600.5512] . . c:\windows\system32\drivers\tcpip.sys

.

[-] 2008-05-09 . 440EDA2420CFA1B3B2AB4725FC33825D . 493056 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

.

((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*注意* 空白与合法缺省登录将不会被显示

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

.

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]

[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

.

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]

[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-02 13529088]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-10-05 115560]

"RTHDCPL"="RTHDCPL.EXE" [2010-09-03 19573352]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nltide_3"="advpack.dll" [2008-04-14 96256]

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMConfigurePrograms"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

.

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0210804]

Ime File REG_SZ GOOGLEPINYIN2.IME

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0040804]

IME File REG_SZ winabc.ime

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

@="Service"

.

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^「开始」菜单^程序^启动^启动飞速土豆.lnk]

path=c:\documents and settings\Administrator\「开始」菜单\程序\启动\启动飞速土豆.lnk

backup=c:\windows\pss\启动飞速土豆.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]

2008-06-11 14:43 640376 ---ha-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]

2008-06-11 18:25 37232 ---ha-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2010-09-21 18:37 932288 ---ha-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2009-10-03 08:08 35696 ---ha-w- c:\program files\Adobe\Acrobat 9.0\AcrobatReader\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]

2008-08-08 12:11 490952 ---ha-w- c:\program files\DAEMON_Tools_Lite\daemon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Pinyin 2 Autoupdater]

2010-03-07 00:50 1193456 ---ha-w- c:\program files\Google\Google Pinyin 2\GooglePinyinDaemon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2010-04-26 22:37 136176 ---hatw- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

2011-06-15 19:02 15141768 ---ha-r- c:\program files\Skype\Phone\Skype.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\FlashGetBHO\\FlvDetector.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\FlashGetBHO\\LiveSupport.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\FlashGetBHO\\LiveQuery.exe"=

"c:\\Program Files\\Kingsoft\\Powerword 2007\\xdict.exe"=

"c:\\Program Files\\Kingsoft\\Powerword 2007\\update.exe"=

"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=

"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=

"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Thunder Network\\Thunder\\Program\\ThunderLiveUD.exe"=

"c:\\Program Files\\Thunder Network\\Thunder\\XLDoctor\\7.1.4.2104_1\\Program\\XLDoctorUI.exe"=

"c:\\Program Files\\Thunder Network\\Thunder\\Program\\Thunder.exe"=

"c:\\Program Files\\Common Files\\Thunder Network\\TP\\Ver1\\1.1.2.46_1111\\ThunderPlatform.exe"=

"c:\\Program Files\\Common Files\\Thunder Network\\TP\\Ver1\\1.1.2.46_1111\\ThunderLiveUD.exe"=

"c:\\Program Files\\Common Files\\Thunder Network\\TP\\Ver1\\1.1.2.46_1111\\XLBugReport.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"7554:TCP"= 7554:TCP:BitComet 7554 TCP

"7554:UDP"= 7554:UDP:BitComet 7554 UDP

.

R3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-11-18 1691480]

S0 iaStor7;Intel AHCI Controller;c:\windows\system32\drivers\iastor7.sys [2007-09-29 308248]

S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2008-11-11 717296]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-05-09 105592]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - HELPSVC

*NewlyCreated* - WUAUSERV

.

‘计划任务’ 文件夹 里的内容

.

2011-07-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-1935655697-1417001333-500Core.job

- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-26 22:37]

.

2011-07-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-1935655697-1417001333-500UA.job

- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-26 22:37]

.

.

------- 而外的扫描 -------

.

uStart Page = hxxp://www.baidu.com/index.php?tn=iefix_dg&ch=11

uInternet Settings,ProxyOverride = <local>

IE: 使用迅雷下载 - c:\program files\Thunder Network\Thunder\BHO\geturl.htm

IE: 使用迅雷下载全部链接 - c:\program files\Thunder Network\Thunder\BHO\GetAllUrl.htm

IE: 使用迅雷查看图片 - c:\program files\Thunder Network\Thunder\Program\repairimage.htm

IE: 导出到 Microsoft Excel(&X) - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000

IE: 将链接目标转换为 Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: 将链接目标追加到现有的 PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: 转换为 Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: 追加到现有的 PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: {{548BF84E-9665-47f9-B635-7380F8943E90} - c:\program files\Thunder Network\Thunder\Program\repairimage.htm

Trusted Zone: kuaiche.com\software

TCP: DhcpNameServer = 192.168.1.1

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8lmqm6iw.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 50370

FF - prefs.js: network.proxy.type - 4

.

.

------- 文件类型 -------

.

txtfile=c:\windows\notepad.exe %1

.

- - - - ORPHANS REMOVED - - - -

.

BHO-{BB6FB655-B052-4119-9C62-7DD261408AC1} - (no file)

HKCU-Run-hSVtcInUytJDh - c:\documents and settings\All Users\Application Data\hSVtcInUytJDh.exe

SafeBoot-Symantec Antvirus

MSConfigStartUp-FlashGet 3 - c:\program files\FlashGet Network\FlashGet 3\flashget3.exe

AddRemove-HijackThis - E:\HijackThis.exe

AddRemove-PROPLUS - c:\program files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe

AddRemove-{A62C4F3A-CDA6-4EA1-AEAA-8A24EC854A03} - c:\program files\Microsoft Office\Uninstall.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-07-17 14:26

Windows 5.1.2600 Service Pack 3 NTFS

.

扫描被隐藏的进程 。。。

.

扫描被隐藏的启动组 。。。

.

扫描被隐藏的文件 。。。

.

扫描完成

被隐藏的档案: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\AppEvents\Schemes\Apps\Conf\ g篘*慂Q\.Current]

@="c:\\Program Files\\NetMeeting\\Blip.wav"

.

[HKEY_USERS\LocalService\AppEvents\Schemes\Apps\Conf\ g篘*慂Q\.Current]

@="c:\\Program Files\\NetMeeting\\Blip.wav"

.

[HKEY_USERS\S-1-5-20\AppEvents\Schemes\Apps\Conf\ g篘*慂Q\.Current]

@="c:\\Program Files\\NetMeeting\\Blip.wav"

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\AppEvents\Schemes\Apps\Conf\ g篘*慂Q\.Current]

@="c:\\Program Files\\NetMeeting\\Blip.wav"

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\Capture]

"VidOutput"=dword:00000001

"AudOutput"=dword:00000001

"VidPreview"=dword:00000001

"AudPreview"=dword:00000001

"FileFormat"=dword:00000000

"FileName"=".avi"

"SepAudio"=dword:00000001

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\FileFormats]

"RtspHandler"=dword:00000001

"RtspFileExtFirst"=dword:00000001

"Windows Media file"="wmv wmp wm asf \\0"

"Windows Media Audio file"="wma \\0"

"Video file"="avi \\0"

"Audio file"="wav \\0"

"MPEG Media file"="mpg mpeg mpe m1v m2v mpv2 mp2v dat ts tp tpr pva pss \\0"

"MPEG Audio file"="mpa mp2 m1a m2a \\0"

"DVD file"="vob ifo \\0"

"DVD Audio file"="ac3 dts \\0"

"MP3 Format Sound"="mp3 \\0"

"MIDI file"="mid midi rmi \\0"

"Indeo Video file"="ivf \\0"

"AIFF Format Sound"="aif aifc aiff \\0"

"AU Format Sound"="au snd \\0"

"Ogg Media file"="ogm \\0"

"Ogg Vorbis Audio file"="ogg \\0"

"CD Audio Track"="cda \\0"

"FLIC file"="fli flc flic \\0"

"DVD2AVI Project file"="d2v \\0"

"MPEG4 file"="mp4 m4v m4b hdmov 3gp 3gpp \\0"

"MPEG4 Audio file"="m4a aac \\0"

"Matroska Media file"="mkv \\0"

"Matroska Audio file"="mka \\0"

"Smacker/Bink Media file"="smk bik \\0"

"ratdvd file"="ratdvd \\0"

"RoQ Media file"="roq \\0"

"Real Media file"="rm ram rpm rmm rnx \\1"

"Real Audio file"="ra \\1"

"Real Script file"="rt rp smi smil \\1"

"Dirac Video file"="drc \\0"

"DirectShow Media file"="dsm dsv dsa dss \\0"

"Musepack file"="mpc \\0"

"Flash Video file"="flv \\0"

"Shockwave Flash file"="swf \\3"

"Quicktime file"="mov qt amr 3g2 3gp2 \\2"

"Image file"="jpeg jpg bmp gif pic png dib tiff tif \\0"

"Playlist file"="asx m3u pls wvx wax wmx mpcpl \\0"

"Other"="divx vp6 rmvb amv \\0"

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\Internal Filters]

"SrcFilters"=dword:fff30bbf

"TraFilters"=dword:fffff21c

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\Settings]

"LastUsedPage"=dword:00000000

"HideCaptionMenu"=dword:00000000

"ControlState"=dword:00000013

"DefaultVideoFrame"=dword:00000004

"KeepAspectRatio"=dword:00000001

"CompMonDeskARDiff"=dword:00000000

"Volume"=dword:0000001f

"Balance"=dword:00000000

"Mute"=dword:00000000

"LoopNum"=dword:00000001

"Loop"=dword:00000000

"Rewind"=dword:00000000

"Zoom"=dword:00000001

"AllowMultipleInstances"=dword:00000000

"TitleBarTextStyle"=dword:00000001

"TitleBarTextTitle"=dword:00000000

"OnTop"=dword:00000000

"TrayIcon"=dword:00000000

"AutoZoom"=dword:00000001

"FullScreenCtrls"=dword:00000001

"FullScreenCtrlsTimeOut"=dword:00000000

"FullscreenRes"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

"ExitFullscreenAtTheEnd"=dword:00000001

"RememberWindowPos"=dword:00000000

"RememberWindowSize"=dword:00000000

"SnapToDesktopEdges"=dword:00000000

"LastWindowRect"=hex:35,02,00,00,10,01,00,00,8b,03,00,00,55,02,00,00

"LastWindowType"=dword:00000000

"AspectRatioX"=dword:00000000

"AspectRatioY"=dword:00000000

"KeepHistory"=dword:00000000

"DSVidRen"=dword:00000006

"RMVidRen"=dword:00000000

"QTVidRen"=dword:00000000

"APSurfaceUsage"=dword:00000001

"VMRSyncFix"=dword:00000000

"DX9Resizer"=dword:00000001

"VMR9MixerMode"=dword:00000001

"VMRMixerYUV"=dword:00000000

"AudioRendererType"=""

"AutoloadAudio"=dword:00000001

"AutoloadSubtitles"=dword:00000000

"EnableWorkerThreadForOpening"=dword:00000001

"ReportFailedPins"=dword:00000001

"DVDPath"=""

"UseDVDPath"=dword:00000000

"MenuLang"=dword:00000804

"AudioLang"=dword:00000804

"SubtitlesLang"=dword:00000804

"AutoSpeakerConf"=dword:00000001

"SPDefaultStyle"="20,20,20,20,2,0,2.000000,3.000000,0xffffff,0x00ffff,0x000000,0x000000,0x00,0x00,0x00,0x80,1,Arial,18.000000,100.000000,100.000000,0.000000,700,0,0,0,0,0.000000,0.000000,0.000000,2"

"SPOverridePlacement"=dword:00000000

"SPHorPos"=dword:00000032

"SPVerPos"=dword:0000005a

"SPCSize"=dword:00000003

"SPCMaxRes"=dword:00000002

"SPCPow2Tex"=dword:00000001

"EnableSubtitles"=dword:00000001

"EnableAudioSwitcher"=dword:00000001

"EnableAudioTimeShift"=dword:00000000

"AudioTimeShift"=dword:00000000

"DownSampleTo441"=dword:00000000

"CustomChannelMapping"=dword:00000000

"SpeakerToChannelMapping"=hex:01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,

00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

"AudioNormalize"=dword:00000000

"AudioNormalizeRecover"=dword:00000001

"AudioBoost"=dword:00000001

"Shaders List"=""

"IntRealMedia"=dword:00000000

"RealMediaFPS"=dword:41c80000

"UseWinLirc"=dword:00000000

"WinLircAddr"="127.0.0.1:8765"

"UseUICE"=dword:00000000

"UICEAddr"="127.0.0.1:1234"

"DisableXPToolbars"=dword:00000000

"UseWMASFReader"=dword:00000000

"JumpDistS"=dword:000003e8

"JumpDistM"=dword:00001388

"JumpDistL"=dword:00004e20

"FreeWindowResizing"=dword:00000001

"NotifyMSN2"=dword:00000000

"NotifyGTSdll"=dword:00000000

"LogoFile"=""

"LogoID2"=dword:000000d5

"LogoExt"=dword:00000000

"HideCDROMsSubMenu"=dword:00000000

"Priority"=dword:00000020

"LaunchFullScreen"=dword:00000000

"EnableWebServer"=dword:00000000

"WebServerPort"=dword:0000350b

"WebServerPrintDebugIfo"=dword:00000000

"WebServerUseCompression"=dword:00000001

"WebServerLocalhostOnly"=dword:00000001

"WebRoot"="*./webroot"

"WebDefIndex"="index.html;index.php"

"WebServerCGI"=""

"SnapShotPath"="c:\\Documents and Settings\\Administrator\\My Documents\\My Pictures"

"SnapShotExt"=".bmp"

"ThumbRows"=dword:00000004

"ThumbCols"=dword:00000004

"ThumbWidth"=dword:00000400

"HideAviSplitterWarning"=dword:00000001

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\Settings\PnSPresets]

"Preset0"="Scale to 16:9 TV,0.500,0.500,1.000,1.333"

"Preset1"="Zoom To Widescreen,0.500,0.500,1.333,1.333"

"Preset2"="Zoom To Ultra-Widescreen,0.500,0.500,1.763,1.763"

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\Shaders]

"Initialized"=dword:00000001

"Combine"=""

"0"="sharpen complex|ps_2_0|sampler s0 : register(s0); \\nfloat4 p0 : register(c0); \\nfloat4 p1 : register(c1); \\n\\n#define width (p0[0]) \\n#define height (p0[1]) \\n\\n#define dx (p1[0]) \\n#define dy (p1[1]) \\n\\nfloat4 main( float2 tex : TEXCOORD0 ) : COLOR \\n{ \\n float4 ori; \\n float4 flou; \\n float4 cori; \\n float4 final; \\n\\n ori = tex2D(s0, tex); \\n float4 c1 = tex2D(s0, tex + float2(-dx,-dy)); \\n float4 c2 = tex2D(s0, tex + float2(0,-dy)); \\n float4 c3 = tex2D(s0, tex + float2(dx,-dy)); \\n float4 c4 = tex2D(s0, tex + float2(-dx,0)); \\n float4 c5 = tex2D(s0, tex + float2(dx,0)); \\n float4 c6 = tex2D(s0, tex + float2(-dx,dy)); \\n float4 c7 = tex2D(s0, tex + float2(0,dy)); \\n float4 c8 = tex2D(s0, tex + float2(dx,dy)); \\n\\n flou = (c1+c3+c6+c8 + 2*(c2+c4+c5+c7)+ 4*ori)*0.0625; \\n\\n cori = 2*ori - flou; \\n\\n float delta1; \\n float delta2; \\n float value; \\n\\n delta1 = (c3 + 2*c5 + c8)-(c1 + 2*c4 + c6); \\n delta2 = (c6 + 2*c7 + c8)-(c1 + 2*c2 + c3); \\n\\n value = sqrt( mul(delta1,delta1) + mul(delta2,delta2) ) ; \\n\\n if( value >.3 ) \\n { \\n#define Sharpen_val0 2.0 \\n#define Sharpen_val1 0.125 \\n final = ori*2 - (c1 + c2 + c3 + c4 + c5 + c6 + c7 + c8 ) * 0.125 ; \\n return final; \\n } \\n else \\n { \\n return cori; \\n } \\n}"

"1"="16-235 -> 0-255|ps_2_0|sampler s0 : register(s0);\\n\\n#define Const_1 (16.0/255.0)\\n#define Const_2 (255.0/219.0)\\n\\nfloat4 main(float2 tex : TEXCOORD0) : COLOR\\n{\\n return( ( tex2D( s0, tex ) - Const_1 ) * Const_2 );\\n}\\n"

"2"="emboss|ps_2_0|sampler s0 : register(s0);\\nfloat4 p0 : register(c0);\\nfloat4 p1 : register(c1);\\n\\n#define width (p0[0])\\n#define height (p0[1])\\n#define counter (p0[2])\\n#define clock (p0[3])\\n#define one_over_width (p1[0])\\n#define one_over_height (p1[1])\\n\\n#define PI acos(-1)\\n\\nfloat4 main(float2 tex : TEXCOORD0) : COLOR\\n{\\n\\tfloat dx = 1/width;\\n\\tfloat dy = 1/height;\\n\\t\\n\\tfloat4 c1 = tex2D(s0, tex + float2(-dx,-dy));\\n\\tfloat4 c2 = tex2D(s0, tex + float2(0,-dy));\\n\\tfloat4 c4 = tex2D(s0, tex + float2(-dx,0));\\n\\tfloat4 c6 = tex2D(s0, tex + float2(dx,0));\\n\\tfloat4 c8 = tex2D(s0, tex + float2(0,dy));\\n\\tfloat4 c9 = tex2D(s0, tex + float2(dx,dy));\\n\\t\\n\\tfloat4 c0 = (-c1-c2-c4+c6+c8+c9);\\n\\tc0 = (c0.r+c0.g+c0.b)/3 + 0.5;\\n\\t\\n\\treturn c0;\\n}\\n"

"3"="spotlight|ps_2_0|sampler s0 : register(s0);\\nfloat4 p0 : register(c0);\\nfloat4 p1 : register(c1);\\n\\n#define width (p0[0])\\n#define height (p0[1])\\n#define counter (p0[2])\\n#define clock (p0[3])\\n#define one_over_width (p1[0])\\n#define one_over_height (p1[1])\\n\\n#define PI acos(-1)\\n\\nfloat4 main(float2 tex : TEXCOORD0) : COLOR\\n{\\n\\tfloat4 c0 = tex2D(s0, tex);\\n\\tfloat3 lightsrc = float3(sin(clock*PI/1.5)/2+0.5,cos(clock*PI)/2+0.5,1);\\n\\tfloat3 light = normalize(lightsrc - float3(tex.x,tex.y,0));\\n\\tc0 *= pow(dot(light, float3(0,0,1)), 50);\\n\\t\\n\\treturn c0;\\n}\\n"

"4"="deinterlace (blend)|ps_2_0|sampler s0 : register(s0);\\nfloat4 p0 : register(c0);\\nfloat4 p1 : register(c1);\\n\\n#define width (p0[0])\\n#define height (p0[1])\\n#define counter (p0[2])\\n#define clock (p0[3])\\n#define one_over_width (p1[0])\\n#define one_over_height (p1[1])\\n\\n#define PI acos(-1)\\n\\nfloat4 main(float2 tex : TEXCOORD0) : COLOR\\n{\\n\\tfloat4 c0 = tex2D(s0, tex);\\n\\t\\n\\tfloat2 h = float2(0, 1/height);\\n\\tfloat4 c1 = tex2D(s0, tex-h);\\n\\tfloat4 c2 = tex2D(s0, tex+h);\\n\\tc0 = (c0*2+c1+c2)/4;\\n\\t\\n\\treturn c0;\\n}"

"5"="invert|ps_2_0|sampler s0 : register(s0);\\nfloat4 p0 : register(c0);\\nfloat4 p1 : register(c1);\\n\\n#define width (p0[0])\\n#define height (p0[1])\\n#define counter (p0[2])\\n#define clock (p0[3])\\n#define one_over_width (p1[0])\\n#define one_over_height (p1[1])\\n\\n#define PI acos(-1)\\n\\nfloat4 main(float2 tex : TEXCOORD0) : COLOR\\n{\\n\\tfloat4 c0 = float4(1, 1, 1, 1) - tex2D(s0, tex);\\n\\t\\n\\treturn c0;\\n}\\n"

"6"="procamp|ps_2_0|sampler s0 : register(s0);\\nfloat4 p0 : register(c0);\\nfloat4 p1 : register(c1);\\n\\n#define width (p0[0])\\n#define height (p0[1])\\n#define counter (p0[2])\\n#define clock (p0[3])\\n#define one_over_width (p1[0])\\n#define one_over_height (p1[1])\\n\\n#define PI acos(-1)\\n\\nstatic float4x4 r2y =\\n{\\n\\t0.299, 0.587, 0.114, 0,\\n\\t-0.147, -0.289, 0.437, 0,\\n\\t0.615, -0.515, -0.100, 0,\\n\\t0, 0, 0, 0\\n};\\n\\nstatic float4x4 y2r =\\n{\\n\\t1.0, 0.0, 1.140, 0, \\n\\t1.0, -0.394, -0.581, 0,\\n\\t1.0, 2.028, 0.0, 0, \\n\\t0, 0, 0, 0\\n};\\n\\n#define ymin (16.0/255)\\n#define ymax (235.0/255)\\n\\n// Brightness: -1.0 to 1.0, default 0.0\\n// Contrast: 0.0 to 10.0, default 1.0\\n// Hue: -180.0 to +180.0, default 0.0\\n// Saturation: 0.0 to 10.0, default 1.0\\n\\n#define Brightness 0.0\\n#define Contrast 1.0\\n#define Hue 0.0\\n#define Saturation 1.0\\n\\n// tv -> pc scale\\n// #define Brightness (-ymin)\\n// #define Contrast (1.0/(ymax-ymin))\\n\\nstatic float2x2 HueMatrix =\\n{\\n\\tcos(Hue * PI / 180), sin(Hue * PI / 180),\\n\\t-sin(Hue * PI / 180), cos(Hue * PI / 180)\\n};\\n\\nfloat4 main(float2 tex : TEXCOORD0) : COLOR\\n{\\n\\tfloat4 c0 = tex2D(s0, tex);\\n\\tc0 = mul(r2y, c0);\\n\\tc0.r = Contrast * (c0.r - ymin) + ymin + Brightness;\\n\\tc0.gb = mul(HueMatrix, c0.gb) * Saturation;\\n\\tc0 = mul(y2r, c0);\\n\\treturn c0; \\n}\\n"

"7"="contour|ps_2_0|sampler s0 : register(s0);\\nfloat4 p0 : register(c0);\\nfloat4 p1 : register(c1);\\n\\n#define width (p0[0])\\n#define height (p0[1])\\n#define counter (p0[2])\\n#define clock (p0[3])\\n#define one_over_width (p1[0])\\n#define one_over_height (p1[1])\\n\\n#define PI acos(-1)\\n\\nfloat4 main(float2 tex : TEXCOORD0) : COLOR\\n{\\n\\tfloat dx = 4/width;\\n\\tfloat dy = 4/height;\\n\\t\\n\\tfloat4 c2 = tex2D(s0, tex + float2(0,-dy));\\n\\tfloat4 c4 = tex2D(s0, tex + float2(-dx,0));\\n\\tfloat4 c5 = tex2D(s0, tex + float2(0,0));\\n\\tfloat4 c6 = tex2D(s0, tex + float2(dx,0));\\n\\tfloat4 c8 = tex2D(s0, tex + float2(0,dy));\\n\\t\\n\\tfloat4 c0 = (-c2-c4+c5*4-c6-c8);\\n\\tif(length(c0) < 1.0) c0 = float4(0,0,0,0);\\n\\telse c0 = float4(1,1,1,0);\\n\\t\\n\\treturn c0;\\n}\\n"

"8"="letterbox|ps_2_0|sampler s0 : register(s0);\\nfloat4 p0 : register(c0);\\nfloat4 p1 : register(c1);\\n\\n#define width (p0[0])\\n#define height (p0[1])\\n#define counter (p0[2])\\n#define clock (p0[3])\\n#define one_over_width (p1[0])\\n#define one_over_height (p1[1])\\n\\n#define PI acos(-1)\\n\\nfloat4 main(float2 tex : TEXCOORD0) : COLOR\\n{\\n\\tfloat4 c0 = 0;\\n\\t\\n\\tfloat2 ar = float2(16, 9);\\n\\tfloat h = (1 - width/height * ar.y/ar.x) / 2;\\n\\t\\n\\tif(tex.y >= h && tex.y <= 1-h)\\n\\t\\tc0 = tex2D(s0, tex);\\n\\t\\n\\treturn c0;\\n}"

"9"="nightvision|ps_2_0|sampler s0 : register(s0);\\n\\nfloat4 main(float2 tex : TEXCOORD0) : COLOR\\n{\\n\\tfloat c = dot(tex2D(s0, tex), float4(0.2, 0.6, 0.1, 0.1));\\n\\treturn float4(0,c,0,0);\\n}\\n"

"10"="wave|ps_2_0|sampler s0 : register(s0);\\nfloat4 p0 : register(c0);\\nfloat4 p1 : register(c1);\\n\\n#define width (p0[0])\\n#define height (p0[1])\\n#define counter (p0[2])\\n#define clock (p0[3])\\n#define one_over_width (p1[0])\\n#define one_over_height (p1[1])\\n\\n#define PI acos(-1)\\n\\nfloat4 main(float2 tex : TEXCOORD0) : COLOR\\n{\\n\\t// don't look at this for too long, you'll get dizzy :)\\n\\t\\n\\tfloat4 c0 = 0;\\n\\t\\n\\ttex.x += sin(tex.x+clock/0.3)/20;\\n\\ttex.y += sin(tex.x+clock/0.3)/20;\\n\\t\\n\\tif(tex.x >= 0 && tex.x <= 1 && tex.y >= 0 && tex.y <= 1)\\n\\t{\\n\\t\\tc0 = tex2D(s0, tex);\\n\\t}\\n\\t\\n\\treturn c0;\\n}\\n"

"11"="sharpen|ps_2_0|sampler s0 : register(s0); \\nfloat4 p0 : register(c0); \\nfloat4 p1 : register(c1); \\n \\n#define effect_width (1.6) \\n#define val0 (2.0) \\n#define val1 (-0.125) \\n\\n#define width (p0[0]) \\n#define height (p0[1]) \\n \\nfloat4 main(float2 tex : TEXCOORD0) : COLOR \\n{ \\n\\tfloat dx = effect_width/width; \\n\\tfloat dy = effect_width/height; \\n \\n\\tfloat4 c1 = tex2D(s0, tex + float2(-dx,-dy)) * val1; \\n\\tfloat4 c2 = tex2D(s0, tex + float2(0,-dy)) * val1; \\n\\tfloat4 c3 = tex2D(s0, tex + float2(-dx,0)) * val1; \\n\\tfloat4 c4 = tex2D(s0, tex + float2(dx,0)) * val1; \\n\\tfloat4 c5 = tex2D(s0, tex + float2(0,dy)) * val1; \\n\\tfloat4 c6 = tex2D(s0, tex + float2(dx,dy)) * val1; \\n\\tfloat4 c7 = tex2D(s0, tex + float2(-dx,+dy)) * val1; \\n\\tfloat4 c8 = tex2D(s0, tex + float2(+dx,-dy)) * val1; \\n\\tfloat4 c9 = tex2D(s0, tex) * val0; \\n\\t\\n\\tfloat4 c0 = (c1 + c2 + c3 + c4 + c5 + c6 + c7 + c8 +c9); \\n\\t\\n\\treturn c0; \\n}"

"12"="sphere|ps_2_0|sampler s0 : register(s0);\\nfloat4 p0 : register(c0);\\nfloat4 p1 : register(c1);\\n\\n#define width (p0[0])\\n#define height (p0[1])\\n#define counter (p0[2])\\n#define clock (p0[3])\\n#define one_over_width (p1[0])\\n#define one_over_height (p1[1])\\n\\n#define PI acos(-1)\\n\\nfloat4 main(float2 tex : TEXCOORD0) : COLOR\\n{\\n\\t// - this is a very simple raytracer, one sphere only\\n\\t// - no reflection or refraction, yet (my ati 9800 has a 64 + 32 instruction limit...)\\n\\t\\n\\tfloat3 pl = float3(3,-3,-4); // light pos\\n\\tfloat4 cl = 0.4; // light color\\n\\t\\n\\tfloat3 pc = float3(0,0,-1); // cam pos\\n\\tfloat3 ps = float3(0,0,0.5); // sphere pos\\n\\tfloat r = 0.65; // sphere radius\\n\\t\\n\\tfloat3 pd = normalize(float3(tex.x-0.5, tex.y-0.5, 0) - pc);\\n\\t\\n\\tfloat A = 1;\\n\\tfloat B = 2*dot(pd, pc - ps);\\n\\tfloat C = dot(pc - ps, pc - ps) - r*r;\\n\\tfloat D = B*B - 4*A*C;\\n\\t\\n\\tfloat4 c0 = 0;\\n\\t\\n\\tif(D >= 0)\\n\\t{\\n\\t\\t// t2 is the smaller, obviously...\\n\\t\\t// float t1 = (-B + sqrt(D)) / (2*A);\\n\\t\\t// float t2 = (-B - sqrt(D)) / (2*A);\\n\\t\\t// float t = min(t1, t2); \\n\\t\\t\\n\\t\\tfloat t = (-B - sqrt(D)) / (2*A);\\n\\t\\t\\n\\t\\t// intersection data\\n\\t\\tfloat3 p = pc + pd*t;\\n\\t\\tfloat3 n = normalize(p - ps);\\n\\t\\tfloat3 l = normalize(pl - p);\\n\\t\\t\\n\\t\\t// mapping the image onto the sphere\\n\\t\\ttex = acos(-n)/PI; \\n\\t\\t\\n\\t\\t// rotate it\\n\\t\\ttex.x = frac(tex.x + frac(clock/10));\\n\\t\\t\\n\\t\\t// diffuse + specular\\n\\t\\tc0 = tex2D(s0, tex) * dot(n, l) + cl * pow(max(dot(l, reflect(pd, n)), 0), 50);\\n\\t}\\n\\t\\n\\treturn c0;\\n}\\n"

"13"="grayscale|ps_2_0|sampler s0 : register(s0);\\nfloat4 p0 : register(c0);\\nfloat4 p1 : register(c1);\\n\\n#define width (p0[0])\\n#define height (p0[1])\\n#define counter (p0[2])\\n#define clock (p0[3])\\n#define one_over_width (p1[0])\\n#define one_over_height (p1[1])\\n\\n#define PI acos(-1)\\n\\nfloat4 main(float2 tex : TEXCOORD0) : COLOR\\n{\\n\\tfloat c0 = dot(tex2D(s0, tex), float4(0.299, 0.587, 0.114, 0));\\n\\t\\n\\treturn c0;\\n}\\n"

"14"="edge sharpen|ps_2_0|sampler s0 : register(s0); \\nfloat4 p0 : register(c0); \\nfloat4 p1 : register(c1); \\n\\n#define width (p0[0]) \\n#define height (p0[1]) \\n#define counter (p0[2]) \\n#define clock (p0[3]) \\n#define one_over_width (p1[0]) \\n#define one_over_height (p1[1]) \\n\\n#define PI acos(-1) \\n\\n#define NbPixel 1 \\n\\n#define Edge_threshold 0.2 \\n\\n#define Sharpen_val0 2.0 \\n#define Sharpen_val1 0.125 \\n\\nfloat4 main(float2 tex : TEXCOORD0) : COLOR \\n{ \\n float dx = NbPixel/width; \\n float dy = NbPixel/height; \\n float4 Res = 0; \\n\\n float4 c0 = tex2D(s0, tex); \\n float4 c1 = tex2D(s0, tex + float2(-dx,-dy)); \\n float4 c2 = tex2D(s0, tex + float2(0,-dy)); \\n float4 c3 = tex2D(s0, tex + float2(dx,-dy)); \\n float4 c4 = tex2D(s0, tex + float2(-dx,0)); \\n float4 c5 = tex2D(s0, tex + float2(dx,0)); \\n float4 c6 = tex2D(s0, tex + float2(-dx,dy)); \\n float4 c7 = tex2D(s0, tex + float2(0,dy)); \\n float4 c8 = tex2D(s0, tex + float2(dx,dy)); \\n\\n float4 delta1 = (c6+c4+c1-c3-c5-c8); \\n float4 delta2 = (c4+c1+c2-c5-c8-c7); \\n float4 delta3 = (c1+c2+c3-c8-c7-c6); \\n float4 delta4 = (c2+c3+c5-c7-c6-c4); \\n\\n float value = length(abs(delta1) + abs(delta2) + abs(delta3) + abs(delta4))/6; \\n\\n if(value > Edge_threshold ) \\n { \\n Res = c0 * Sharpen_val0 - (c1 + c2 + c3 + c4 + c5 + c6 + c7 + c8 ) * Sharpen_val1 ; \\n return Res; \\n } \\n else \\n return c0; \\n}"

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\ToolBars\Capture Settings]

"Visible"=dword:00000000

"DockState"=dword:0000e81c

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\ToolBars\Capture Settings\State-SCBar-0]

"sizeHorzCX"=dword:000000bf

"sizeHorzCY"=dword:000001b2

"sizeVertCX"=dword:000000bf

"sizeVertCY"=dword:000001b2

"sizeFloatCX"=dword:000000bf

"sizeFloatCY"=dword:000001b2

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\ToolBars\Playlist]

"Visible"=dword:00000000

"DockState"=dword:0000e81e

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\ToolBars\Playlist\State-SCBar-0]

"sizeHorzCX"=dword:000000c8

"sizeHorzCY"=dword:00000064

"sizeVertCX"=dword:000000c8

"sizeVertCY"=dword:00000064

"sizeFloatCX"=dword:000000c8

"sizeFloatCY"=dword:00000064

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\ToolBars\Shader Editor]

"Visible"=dword:00000000

"DockState"=dword:0000e81b

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\ToolBars\Shader Editor\State-SCBar-0]

"sizeHorzCX"=dword:00000129

"sizeHorzCY"=dword:0000006b

"sizeVertCX"=dword:00000129

"sizeVertCY"=dword:0000006b

"sizeFloatCX"=dword:00000129

"sizeFloatCY"=dword:0000006b

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\ToolBars\Subresync]

"Visible"=dword:00000000

"DockState"=dword:0000e81b

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\ToolBars\Subresync\State-SCBar-0]

"sizeHorzCX"=dword:000000c8

"sizeHorzCY"=dword:000000c8

"sizeVertCX"=dword:000000c8

"sizeVertCY"=dword:000000c8

"sizeFloatCX"=dword:000000c8

"sizeFloatCY"=dword:000000c8

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,47,54,75,a3,fb,50,56,4a,93,58,97,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,47,54,75,a3,fb,50,56,4a,93,58,97,\

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office PowerPoint\Settings\Sb*_]

"PositionInfo-Monitor1"=hex:4b,01,00,00,af,00,00,00,02,03,00,00,cc,01,00,00

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office PowerPoint\Settings\Sb*_\File Name MRU]

"Value"=multi:"\00\00"

"Maximum Entries"=dword:0000000a

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office PowerPoint\Settings\Sb*_\View]

"Data"=hex:04,16,00,47,28,14,14,14,0d,01,02,01,00,18,41,00,0d,00,fa,08,00,00,

90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,\

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office Word\Settings\Sb*_]

"PositionInfo-Monitor1"=hex:4b,01,00,00,af,00,00,00,02,03,00,00,cc,01,00,00

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office Word\Settings\Sb*_\File Name MRU]

"Value"=multi:"\00\00"

"Maximum Entries"=dword:0000000a

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office Word\Settings\Sb*_\View]

"Data"=hex:04,16,00,47,28,14,14,14,0d,01,02,01,00,18,41,00,0d,00,fa,08,00,00,

90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,\

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\I*E*4O]

"Order"=hex:08,00,00,00,02,00,00,00,10,02,00,00,01,00,00,00,04,00,00,00,80,00,

00,00,00,00,00,00,72,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,60,00,36,\

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500_Classes\Applications\q_髼螛磃.*l*n*k*\shell\open\command]

@="\"c:\\Documents and Settings\\Administrator\\桌面\\影音风暴.lnk\" %1"

.

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*膥鯪\CLSID]

@="{809B6661-94C4-49E6-B6EC-3F0F862215AA}"

.

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*膥鯪\CurVer]

@="BDATuner.组件.1"

.

[HKEY_LOCAL_MACHINE\software\Classes\7uu臺麐.*M*y*N*S*H*a*n*d*l*e*r*\Clsid]

@="{E8CFC029-8420-4EAE-ADEF-915BDC77E1DC}"

.

[HKEY_LOCAL_MACHINE\software\Classes\zzKNh忶廠*C*+R?.*M*y*N*S*H*a*n*d*l*e*r*\Clsid]

@="{E8CFC029-8420-4EAE-ADEF-915BDC77E1DC}"

.

[HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\G*o*o*g*l*e* *C*h*r*o*m*e* *Om葔hV\Capabilities]

"ApplicationName"="Google Chrome 浏览器"

"ApplicationIcon"="c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe,0"

"ApplicationDescription"="Google Chrome 浏览器是一款可高速运行网页和应用程序的网络浏览器。它快捷、稳定且易于使用。Google Chrome 浏览器内置的恶意软件和网上诱骗防护功能可让您更加安全地浏览网页。"

.

[HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\G*o*o*g*l*e* *C*h*r*o*m*e* *Om葔hV\Capabilities\FileAssociations]

".xhtml"="ChromeHTML"

".xht"="ChromeHTML"

".shtml"="ChromeHTML"

".html"="ChromeHTML"

".htm"="ChromeHTML"

.

[HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\G*o*o*g*l*e* *C*h*r*o*m*e* *Om葔hV\Capabilities\StartMenu]

"StartMenuInternet"="Google Chrome 浏览器"

.

[HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\G*o*o*g*l*e* *C*h*r*o*m*e* *Om葔hV\Capabilities\URLAssociations]

"https"="ChromeHTML"

"http"="ChromeHTML"

"ftp"="ChromeHTML"

.

[HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\G*o*o*g*l*e* *C*h*r*o*m*e* *Om葔hV\DefaultIcon]

@="c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe,0"

.

[HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\G*o*o*g*l*e* *C*h*r*o*m*e* *Om葔hV\InstallInfo]

"IconsVisible"=dword:00000001

"ShowIconsCommand"="\"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe\" --show-icons"

"HideIconsCommand"="\"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe\" --hide-icons"

"ReinstallCommand"="\"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe\" --make-default-browser"

.

[HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\G*o*o*g*l*e* *C*h*r*o*m*e* *Om葔hV\shell\open\command]

@="\"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe\""

.

--------------------- 运行进程下的动态链接库 ---------------------

.

- - - - - - - > 'explorer.exe'(2396)

c:\windows\system32\WPDShServiceObj.dll

c:\program files\WinSCP3\DragExt.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ 其他运行进程 ------------------------

.

c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe

c:\program files\Common Files\Symantec Shared\ccSvcHst.exe

c:\windows\system32\WgaTray.exe

c:\windows\system32\conime.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\locator.exe

c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe

c:\windows\RTHDCPL.EXE

c:\windows\system32\cscript.exe

.

**************************************************************************

.

完成时间: 2011-07-17 14:38:58 - 电脑已重新启动

ComboFix-quarantined-files.txt 2011-07-17 18:38

.

Pre-Run: 8,049,627,136 可用字节

Post-Run: 8,061,267,968 可用字节

.

WindowsXP-KB310994-SP2-Pro-BootDisk-CHS.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - 43224150AED811E21D074CF02879ED7E


I am not sure whether I should retreat to the recovery point, disable the Symantec and re-run the ComboFix? If needed, I am very happy to do so.

Although it didn't directly interfere with ComboFix, it would still be a good idea to uninstall it for now (I'll let you know when it's safest to reinstall it).

Please download and run the Norton Removal Tool from here: http://us.norton.com/support/kb/web_view.jsp?wv_type=public_web&docurl=20080710133834EN&ln=en_US

--------

You have ComboFix running from a location other than the Desktop.

Please delete the following file (in bold):

D:\ComboFix.exe

Then, download and run a new copy of ComboFix to your Desktop. Please include the newly-created C:\ComboFix.txt in your next reply.


Ok, I will clean up the Symantec thing. Now I have no access to that computer.

Regarding running the ComboFix from D:\, I had no choice, since my desktop was totally dark at that time and prevented me from seeing any files on the desktop.

More updates will follow soon,

Thanks a lot,

Yan


Try running this for cleaning up your Desktop ;)

Please download and run the following file: http://download.bleepingcomputer.com/grinler/beta/unhide.exe

Let me know if that restores your missing Start Menu and Desktop shortcuts.

Please note that if you have recently deleted your temporary files, you will be unable to restore these missing shortcuts.


Ok, the Symantec is removed...

Please see the log below, thanks a lot for the help,

Yan

ComboFix 11-07-17.03 - Administrator -07-17 星期日 21:43:36.2.2 - x86 NETWORK

Microsoft Windows XP Professional 5.1.2600.3.936.86.2052.18.958.653 [GMT -4:00]

执行位置: c:\documents and settings\Administrator\桌面\ComboFix.exe

.

.

((((((((((((((((((((((((((((((((((((((( 被删除的档案 )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\program files\WinRAR\rarext.dll

.

.

((((((((((((((((((((((((( 2011-06-18 至 2011-07-18 的新的档案 )))))))))))))))))))))))))))))))

.

.

2011-07-17 18:23 . 2011-07-17 18:23 -------- d-----w- c:\windows\system32\wbem\snmp

2011-07-17 18:23 . 2011-07-17 18:23 -------- d-----w- c:\windows\system32\xircom

2011-07-17 18:23 . 2011-07-17 18:23 -------- d-----w- c:\windows\system32\oobe

2011-07-17 18:23 . 2011-07-17 18:23 -------- d-----w- c:\program files\microsoft frontpage

2011-06-26 04:38 . 2011-06-26 06:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\SPlayer

2011-06-24 14:03 . 2011-06-24 14:03 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll

2011-06-24 14:03 . 2011-06-24 14:03 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-07-17 23:43 . 2010-11-01 02:58 1430 ----a-w- c:\windows\system32\PerfStringBackup.TMP

2011-07-10 13:47 . 2011-06-13 02:14 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-05-29 13:11 . 2010-11-01 01:52 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-29 13:11 . 2010-11-01 01:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-06-24 14:03 . 2011-05-13 22:04 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2009-11-24 16:08 . 2009-02-21 01:25 253952 ----a-w- c:\program files\mozilla firefox\components\CheckTudouVa.dll

2008-09-23 09:39 . 2008-11-11 09:54 36864 ----a-w- c:\program files\mozilla firefox\components\NsThunderLoader.dll

2010-09-15 15:04 . 2008-11-11 09:54 79664 ----a-w- c:\program files\mozilla firefox\components\ThunderComponent.dll

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[-] 2008-06-11 . 030DC4D48CC2B894FEE2F390D8E66AD5 . 361344 . . [5.1.2600.5512] . . c:\windows\system32\drivers\tcpip.sys

.

[-] 2008-05-09 . 440EDA2420CFA1B3B2AB4725FC33825D . 493056 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

.

((((((((((((((((((((((((((((( SnapShot@2011-07-17_18.24.46 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-04-14 12:00 . 2011-07-17 23:43 58642 c:\windows\system32\prfc0804.dat

- 2008-04-14 12:00 . 2011-03-16 04:50 49990 c:\windows\system32\perfc009.dat

+ 2008-04-14 12:00 . 2011-07-17 23:43 49990 c:\windows\system32\perfc009.dat

+ 2008-04-14 12:00 . 2011-07-17 23:43 198948 c:\windows\system32\prfh0804.dat

+ 2008-04-14 12:00 . 2011-07-17 23:43 334406 c:\windows\system32\perfh009.dat

- 2008-04-14 12:00 . 2011-03-16 04:50 334406 c:\windows\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*注意* 空白与合法缺省登录将不会被显示

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

.

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]

[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

.

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]

[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-02 13529088]

"RTHDCPL"="RTHDCPL.EXE" [2010-09-03 19573352]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nltide_3"="advpack.dll" [2008-04-14 96256]

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMConfigurePrograms"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

.

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0210804]

Ime File REG_SZ GOOGLEPINYIN2.IME

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0040804]

IME File REG_SZ winabc.ime

.

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^「开始」菜单^程序^启动^启动飞速土豆.lnk]

path=c:\documents and settings\Administrator\「开始」菜单\程序\启动\启动飞速土豆.lnk

backup=c:\windows\pss\启动飞速土豆.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]

2008-06-11 14:43 640376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]

2008-06-11 18:25 37232 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2009-10-03 08:08 35696 ----a-w- c:\program files\Adobe\Acrobat 9.0\AcrobatReader\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]

2008-08-08 12:11 490952 ----a-w- c:\program files\DAEMON_Tools_Lite\daemon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Pinyin 2 Autoupdater]

2010-03-07 00:50 1193456 ----a-w- c:\program files\Google\Google Pinyin 2\GooglePinyinDaemon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2010-04-26 22:37 136176 ----atw- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

2011-06-15 19:02 15141768 ----a-r- c:\program files\Skype\Phone\Skype.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\FlashGetBHO\\FlvDetector.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\FlashGetBHO\\LiveSupport.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\FlashGetBHO\\LiveQuery.exe"=

"c:\\Program Files\\Kingsoft\\Powerword 2007\\xdict.exe"=

"c:\\Program Files\\Kingsoft\\Powerword 2007\\update.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Thunder Network\\Thunder\\Program\\ThunderLiveUD.exe"=

"c:\\Program Files\\Thunder Network\\Thunder\\XLDoctor\\7.1.4.2104_1\\Program\\XLDoctorUI.exe"=

"c:\\Program Files\\Thunder Network\\Thunder\\Program\\Thunder.exe"=

"c:\\Program Files\\Common Files\\Thunder Network\\TP\\Ver1\\1.1.2.46_1111\\ThunderPlatform.exe"=

"c:\\Program Files\\Common Files\\Thunder Network\\TP\\Ver1\\1.1.2.46_1111\\ThunderLiveUD.exe"=

"c:\\Program Files\\Common Files\\Thunder Network\\TP\\Ver1\\1.1.2.46_1111\\XLBugReport.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"7554:TCP"= 7554:TCP:BitComet 7554 TCP

"7554:UDP"= 7554:UDP:BitComet 7554 UDP

.

R0 iaStor7;Intel AHCI Controller;c:\windows\system32\drivers\iastor7.sys [2008-1-23 5:20 308248]

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2008-11-11 5:16 717296]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-10-2 0:42 1691480]

.

‘计划任务’ 文件夹 里的内容

.

2011-07-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-1935655697-1417001333-500Core.job

- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-26 22:37]

.

2011-07-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-1935655697-1417001333-500UA.job

- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-26 22:37]

.

.

------- 而外的扫描 -------

.

uStart Page = hxxp://www.baidu.com/index.php?tn=iefix_dg&ch=11

uInternet Settings,ProxyOverride = <local>

IE: 使用迅雷下载 - c:\program files\Thunder Network\Thunder\BHO\geturl.htm

IE: 使用迅雷下载全部链接 - c:\program files\Thunder Network\Thunder\BHO\GetAllUrl.htm

IE: 使用迅雷查看图片 - c:\program files\Thunder Network\Thunder\Program\repairimage.htm

IE: 导出到 Microsoft Excel(&X) - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000

IE: 将链接目标转换为 Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: 将链接目标追加到现有的 PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: 转换为 Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: 追加到现有的 PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: {{548BF84E-9665-47f9-B635-7380F8943E90} - c:\program files\Thunder Network\Thunder\Program\repairimage.htm

Trusted Zone: kuaiche.com\software

TCP: DhcpNameServer = 192.168.1.1

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8lmqm6iw.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 50370

FF - prefs.js: network.proxy.type - 4

.

.

------- 文件类型 -------

.

txtfile=c:\windows\notepad.exe %1

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-07-17 21:47

Windows 5.1.2600 Service Pack 3 NTFS

.

扫描被隐藏的进程 。。。

.

扫描被隐藏的启动组 。。。

.

扫描被隐藏的文件 。。。

.

扫描完成

被隐藏的档案: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\AppEvents\Schemes\Apps\Conf\ g篘*慂Q\.Current]

@="c:\\Program Files\\NetMeeting\\Blip.wav"

.

[HKEY_USERS\LocalService\AppEvents\Schemes\Apps\Conf\ g篘*慂Q\.Current]

@="c:\\Program Files\\NetMeeting\\Blip.wav"

.

[HKEY_USERS\S-1-5-20\AppEvents\Schemes\Apps\Conf\ g篘*慂Q\.Current]

@="c:\\Program Files\\NetMeeting\\Blip.wav"

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\AppEvents\Schemes\Apps\Conf\ g篘*慂Q\.Current]

@="c:\\Program Files\\NetMeeting\\Blip.wav"

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\Capture]

"VidOutput"=dword:00000001

"AudOutput"=dword:00000001

"VidPreview"=dword:00000001

"AudPreview"=dword:00000001

"FileFormat"=dword:00000000

"FileName"=".avi"

"SepAudio"=dword:00000001

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\FileFormats]

"RtspHandler"=dword:00000001

"RtspFileExtFirst"=dword:00000001

"Windows Media file"="wmv wmp wm asf \\0"

"Windows Media Audio file"="wma \\0"

"Video file"="avi \\0"

"Audio file"="wav \\0"

"MPEG Media file"="mpg mpeg mpe m1v m2v mpv2 mp2v dat ts tp tpr pva pss \\0"

"MPEG Audio file"="mpa mp2 m1a m2a \\0"

"DVD file"="vob ifo \\0"

"DVD Audio file"="ac3 dts \\0"

"MP3 Format Sound"="mp3 \\0"

"MIDI file"="mid midi rmi \\0"

"Indeo Video file"="ivf \\0"

"AIFF Format Sound"="aif aifc aiff \\0"

"AU Format Sound"="au snd \\0"

"Ogg Media file"="ogm \\0"

"Ogg Vorbis Audio file"="ogg \\0"

"CD Audio Track"="cda \\0"

"FLIC file"="fli flc flic \\0"

"DVD2AVI Project file"="d2v \\0"

"MPEG4 file"="mp4 m4v m4b hdmov 3gp 3gpp \\0"

"MPEG4 Audio file"="m4a aac \\0"

"Matroska Media file"="mkv \\0"

"Matroska Audio file"="mka \\0"

"Smacker/Bink Media file"="smk bik \\0"

"ratdvd file"="ratdvd \\0"

"RoQ Media file"="roq \\0"

"Real Media file"="rm ram rpm rmm rnx \\1"

"Real Audio file"="ra \\1"

"Real Script file"="rt rp smi smil \\1"

"Dirac Video file"="drc \\0"

"DirectShow Media file"="dsm dsv dsa dss \\0"

"Musepack file"="mpc \\0"

"Flash Video file"="flv \\0"

"Shockwave Flash file"="swf \\3"

"Quicktime file"="mov qt amr 3g2 3gp2 \\2"

"Image file"="jpeg jpg bmp gif pic png dib tiff tif \\0"

"Playlist file"="asx m3u pls wvx wax wmx mpcpl \\0"

"Other"="divx vp6 rmvb amv \\0"

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\Internal Filters]

"SrcFilters"=dword:fff30bbf

"TraFilters"=dword:fffff21c

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\Settings]

"LastUsedPage"=dword:00000000

"HideCaptionMenu"=dword:00000000

"ControlState"=dword:00000013

"DefaultVideoFrame"=dword:00000004

"KeepAspectRatio"=dword:00000001

"CompMonDeskARDiff"=dword:00000000

"Volume"=dword:0000001f

"Balance"=dword:00000000

"Mute"=dword:00000000

"LoopNum"=dword:00000001

"Loop"=dword:00000000

"Rewind"=dword:00000000

"Zoom"=dword:00000001

"AllowMultipleInstances"=dword:00000000

"TitleBarTextStyle"=dword:00000001

"TitleBarTextTitle"=dword:00000000

"OnTop"=dword:00000000

"TrayIcon"=dword:00000000

"AutoZoom"=dword:00000001

"FullScreenCtrls"=dword:00000001

"FullScreenCtrlsTimeOut"=dword:00000000

"FullscreenRes"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

"ExitFullscreenAtTheEnd"=dword:00000001

"RememberWindowPos"=dword:00000000

"RememberWindowSize"=dword:00000000

"SnapToDesktopEdges"=dword:00000000

"LastWindowRect"=hex:35,02,00,00,10,01,00,00,8b,03,00,00,55,02,00,00

"LastWindowType"=dword:00000000

"AspectRatioX"=dword:00000000

"AspectRatioY"=dword:00000000

"KeepHistory"=dword:00000000

"DSVidRen"=dword:00000006

"RMVidRen"=dword:00000000

"QTVidRen"=dword:00000000

"APSurfaceUsage"=dword:00000001

"VMRSyncFix"=dword:00000000

"DX9Resizer"=dword:00000001

"VMR9MixerMode"=dword:00000001

"VMRMixerYUV"=dword:00000000

"AudioRendererType"=""

"AutoloadAudio"=dword:00000001

"AutoloadSubtitles"=dword:00000000

"EnableWorkerThreadForOpening"=dword:00000001

"ReportFailedPins"=dword:00000001

"DVDPath"=""

"UseDVDPath"=dword:00000000

"MenuLang"=dword:00000804

"AudioLang"=dword:00000804

"SubtitlesLang"=dword:00000804

"AutoSpeakerConf"=dword:00000001

"SPDefaultStyle"="20,20,20,20,2,0,2.000000,3.000000,0xffffff,0x00ffff,0x000000,0x000000,0x00,0x00,0x00,0x80,1,Arial,18.000000,100.000000,100.000000,0.000000,700,0,0,0,0,0.000000,0.000000,0.000000,2"

"SPOverridePlacement"=dword:00000000

"SPHorPos"=dword:00000032

"SPVerPos"=dword:0000005a

"SPCSize"=dword:00000003

"SPCMaxRes"=dword:00000002

"SPCPow2Tex"=dword:00000001

"EnableSubtitles"=dword:00000001

"EnableAudioSwitcher"=dword:00000001

"EnableAudioTimeShift"=dword:00000000

"AudioTimeShift"=dword:00000000

"DownSampleTo441"=dword:00000000

"CustomChannelMapping"=dword:00000000

"SpeakerToChannelMapping"=hex:01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,

00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

"AudioNormalize"=dword:00000000

"AudioNormalizeRecover"=dword:00000001

"AudioBoost"=dword:00000001

"Shaders List"=""

"IntRealMedia"=dword:00000000

"RealMediaFPS"=dword:41c80000

"UseWinLirc"=dword:00000000

"WinLircAddr"="127.0.0.1:8765"

"UseUICE"=dword:00000000

"UICEAddr"="127.0.0.1:1234"

"DisableXPToolbars"=dword:00000000

"UseWMASFReader"=dword:00000000

"JumpDistS"=dword:000003e8

"JumpDistM"=dword:00001388

"JumpDistL"=dword:00004e20

"FreeWindowResizing"=dword:00000001

"NotifyMSN2"=dword:00000000

"NotifyGTSdll"=dword:00000000

"LogoFile"=""

"LogoID2"=dword:000000d5

"LogoExt"=dword:00000000

"HideCDROMsSubMenu"=dword:00000000

"Priority"=dword:00000020

"LaunchFullScreen"=dword:00000000

"EnableWebServer"=dword:00000000

"WebServerPort"=dword:0000350b

"WebServerPrintDebugIfo"=dword:00000000

"WebServerUseCompression"=dword:00000001

"WebServerLocalhostOnly"=dword:00000001

"WebRoot"="*./webroot"

"WebDefIndex"="index.html;index.php"

"WebServerCGI"=""

"SnapShotPath"="c:\\Documents and Settings\\Administrator\\My Documents\\My Pictures"

"SnapShotExt"=".bmp"

"ThumbRows"=dword:00000004

"ThumbCols"=dword:00000004

"ThumbWidth"=dword:00000400

"HideAviSplitterWarning"=dword:00000001

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\Settings\PnSPresets]

"Preset0"="Scale to 16:9 TV,0.500,0.500,1.000,1.333"

"Preset1"="Zoom To Widescreen,0.500,0.500,1.333,1.333"

"Preset2"="Zoom To Ultra-Widescreen,0.500,0.500,1.763,1.763"

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\Shaders]

"Initialized"=dword:00000001

"Combine"=""

"0"="sharpen complex|ps_2_0|sampler s0 : register(s0); \\nfloat4 p0 : register(c0); \\nfloat4 p1 : register(c1); \\n\\n#define width (p0[0]) \\n#define height (p0[1]) \\n\\n#define dx (p1[0]) \\n#define dy (p1[1]) \\n\\nfloat4 main( float2 tex : TEXCOORD0 ) : COLOR \\n{ \\n float4 ori; \\n float4 flou; \\n float4 cori; \\n float4 final; \\n\\n ori = tex2D(s0, tex); \\n float4 c1 = tex2D(s0, tex + float2(-dx,-dy)); \\n float4 c2 = tex2D(s0, tex + float2(0,-dy)); \\n float4 c3 = tex2D(s0, tex + float2(dx,-dy)); \\n float4 c4 = tex2D(s0, tex + float2(-dx,0)); \\n float4 c5 = tex2D(s0, tex + float2(dx,0)); \\n float4 c6 = tex2D(s0, tex + float2(-dx,dy)); \\n float4 c7 = tex2D(s0, tex + float2(0,dy)); \\n float4 c8 = tex2D(s0, tex + float2(dx,dy)); \\n\\n flou = (c1+c3+c6+c8 + 2*(c2+c4+c5+c7)+ 4*ori)*0.0625; \\n\\n cori = 2*ori - flou; \\n\\n float delta1; \\n float delta2; \\n float value; \\n\\n delta1 = (c3 + 2*c5 + c8)-(c1 + 2*c4 + c6); \\n delta2 = (c6 + 2*c7 + c8)-(c1 + 2*c2 + c3); \\n\\n value = sqrt( mul(delta1,delta1) + mul(delta2,delta2) ) ; \\n\\n if( value >.3 ) \\n { \\n#define Sharpen_val0 2.0 \\n#define Sharpen_val1 0.125 \\n final = ori*2 - (c1 + c2 + c3 + c4 + c5 + c6 + c7 + c8 ) * 0.125 ; \\n return final; \\n } \\n else \\n { \\n return cori; \\n } \\n}"

"1"="16-235 -> 0-255|ps_2_0|sampler s0 : register(s0);\\n\\n#define Const_1 (16.0/255.0)\\n#define Const_2 (255.0/219.0)\\n\\nfloat4 main(float2 tex : TEXCOORD0) : COLOR\\n{\\n return( ( tex2D( s0, tex ) - Const_1 ) * Const_2 );\\n}\\n"

"2"="emboss|ps_2_0|sampler s0 : register(s0);\\nfloat4 p0 : register(c0);\\nfloat4 p1 : register(c1);\\n\\n#define width (p0[0])\\n#define height (p0[1])\\n#define counter (p0[2])\\n#define clock (p0[3])\\n#define one_over_width (p1[0])\\n#define one_over_height (p1[1])\\n\\n#define PI acos(-1)\\n\\nfloat4 main(float2 tex : TEXCOORD0) : COLOR\\n{\\n\\tfloat dx = 1/width;\\n\\tfloat dy = 1/height;\\n\\t\\n\\tfloat4 c1 = tex2D(s0, tex + float2(-dx,-dy));\\n\\tfloat4 c2 = tex2D(s0, tex + float2(0,-dy));\\n\\tfloat4 c4 = tex2D(s0, tex + float2(-dx,0));\\n\\tfloat4 c6 = tex2D(s0, tex + float2(dx,0));\\n\\tfloat4 c8 = tex2D(s0, tex + float2(0,dy));\\n\\tfloat4 c9 = tex2D(s0, tex + float2(dx,dy));\\n\\t\\n\\tfloat4 c0 = (-c1-c2-c4+c6+c8+c9);\\n\\tc0 = (c0.r+c0.g+c0.b)/3 + 0.5;\\n\\t\\n\\treturn c0;\\n}\\n"

"3"="spotlight|ps_2_0|sampler s0 : register(s0);\\nfloat4 p0 : register(c0);\\nfloat4 p1 : register(c1);\\n\\n#define width (p0[0])\\n#define height (p0[1])\\n#define counter (p0[2])\\n#define clock (p0[3])\\n#define one_over_width (p1[0])\\n#define one_over_height (p1[1])\\n\\n#define PI acos(-1)\\n\\nfloat4 main(float2 tex : TEXCOORD0) : COLOR\\n{\\n\\tfloat4 c0 = tex2D(s0, tex);\\n\\tfloat3 lightsrc = float3(sin(clock*PI/1.5)/2+0.5,cos(clock*PI)/2+0.5,1);\\n\\tfloat3 light = normalize(lightsrc - float3(tex.x,tex.y,0));\\n\\tc0 *= pow(dot(light, float3(0,0,1)), 50);\\n\\t\\n\\treturn c0;\\n}\\n"

"4"="deinterlace (blend)|ps_2_0|sampler s0 : register(s0);\\nfloat4 p0 : register(c0);\\nfloat4 p1 : register(c1);\\n\\n#define width (p0[0])\\n#define height (p0[1])\\n#define counter (p0[2])\\n#define clock (p0[3])\\n#define one_over_width (p1[0])\\n#define one_over_height (p1[1])\\n\\n#define PI acos(-1)\\n\\nfloat4 main(float2 tex : TEXCOORD0) : COLOR\\n{\\n\\tfloat4 c0 = tex2D(s0, tex);\\n\\t\\n\\tfloat2 h = float2(0, 1/height);\\n\\tfloat4 c1 = tex2D(s0, tex-h);\\n\\tfloat4 c2 = tex2D(s0, tex+h);\\n\\tc0 = (c0*2+c1+c2)/4;\\n\\t\\n\\treturn c0;\\n}"

"5"="invert|ps_2_0|sampler s0 : register(s0);\\nfloat4 p0 : register(c0);\\nfloat4 p1 : register(c1);\\n\\n#define width (p0[0])\\n#define height (p0[1])\\n#define counter (p0[2])\\n#define clock (p0[3])\\n#define one_over_width (p1[0])\\n#define one_over_height (p1[1])\\n\\n#define PI acos(-1)\\n\\nfloat4 main(float2 tex : TEXCOORD0) : COLOR\\n{\\n\\tfloat4 c0 = float4(1, 1, 1, 1) - tex2D(s0, tex);\\n\\t\\n\\treturn c0;\\n}\\n"

"6"="procamp|ps_2_0|sampler s0 : register(s0);\\nfloat4 p0 : register(c0);\\nfloat4 p1 : register(c1);\\n\\n#define width (p0[0])\\n#define height (p0[1])\\n#define counter (p0[2])\\n#define clock (p0[3])\\n#define one_over_width (p1[0])\\n#define one_over_height (p1[1])\\n\\n#define PI acos(-1)\\n\\nstatic float4x4 r2y =\\n{\\n\\t0.299, 0.587, 0.114, 0,\\n\\t-0.147, -0.289, 0.437, 0,\\n\\t0.615, -0.515, -0.100, 0,\\n\\t0, 0, 0, 0\\n};\\n\\nstatic float4x4 y2r =\\n{\\n\\t1.0, 0.0, 1.140, 0, \\n\\t1.0, -0.394, -0.581, 0,\\n\\t1.0, 2.028, 0.0, 0, \\n\\t0, 0, 0, 0\\n};\\n\\n#define ymin (16.0/255)\\n#define ymax (235.0/255)\\n\\n// Brightness: -1.0 to 1.0, default 0.0\\n// Contrast: 0.0 to 10.0, default 1.0\\n// Hue: -180.0 to +180.0, default 0.0\\n// Saturation: 0.0 to 10.0, default 1.0\\n\\n#define Brightness 0.0\\n#define Contrast 1.0\\n#define Hue 0.0\\n#define Saturation 1.0\\n\\n// tv -> pc scale\\n// #define Brightness (-ymin)\\n// #define Contrast (1.0/(ymax-ymin))\\n\\nstatic float2x2 HueMatrix =\\n{\\n\\tcos(Hue * PI / 180), sin(Hue * PI / 180),\\n\\t-sin(Hue * PI / 180), cos(Hue * PI / 180)\\n};\\n\\nfloat4 main(float2 tex : TEXCOORD0) : COLOR\\n{\\n\\tfloat4 c0 = tex2D(s0, tex);\\n\\tc0 = mul(r2y, c0);\\n\\tc0.r = Contrast * (c0.r - ymin) + ymin + Brightness;\\n\\tc0.gb = mul(HueMatrix, c0.gb) * Saturation;\\n\\tc0 = mul(y2r, c0);\\n\\treturn c0; \\n}\\n"

"7"="contour|ps_2_0|sampler s0 : register(s0);\\nfloat4 p0 : register(c0);\\nfloat4 p1 : register(c1);\\n\\n#define width (p0[0])\\n#define height (p0[1])\\n#define counter (p0[2])\\n#define clock (p0[3])\\n#define one_over_width (p1[0])\\n#define one_over_height (p1[1])\\n\\n#define PI acos(-1)\\n\\nfloat4 main(float2 tex : TEXCOORD0) : COLOR\\n{\\n\\tfloat dx = 4/width;\\n\\tfloat dy = 4/height;\\n\\t\\n\\tfloat4 c2 = tex2D(s0, tex + float2(0,-dy));\\n\\tfloat4 c4 = tex2D(s0, tex + float2(-dx,0));\\n\\tfloat4 c5 = tex2D(s0, tex + float2(0,0));\\n\\tfloat4 c6 = tex2D(s0, tex + float2(dx,0));\\n\\tfloat4 c8 = tex2D(s0, tex + float2(0,dy));\\n\\t\\n\\tfloat4 c0 = (-c2-c4+c5*4-c6-c8);\\n\\tif(length(c0) < 1.0) c0 = float4(0,0,0,0);\\n\\telse c0 = float4(1,1,1,0);\\n\\t\\n\\treturn c0;\\n}\\n"

"8"="letterbox|ps_2_0|sampler s0 : register(s0);\\nfloat4 p0 : register(c0);\\nfloat4 p1 : register(c1);\\n\\n#define width (p0[0])\\n#define height (p0[1])\\n#define counter (p0[2])\\n#define clock (p0[3])\\n#define one_over_width (p1[0])\\n#define one_over_height (p1[1])\\n\\n#define PI acos(-1)\\n\\nfloat4 main(float2 tex : TEXCOORD0) : COLOR\\n{\\n\\tfloat4 c0 = 0;\\n\\t\\n\\tfloat2 ar = float2(16, 9);\\n\\tfloat h = (1 - width/height * ar.y/ar.x) / 2;\\n\\t\\n\\tif(tex.y >= h && tex.y <= 1-h)\\n\\t\\tc0 = tex2D(s0, tex);\\n\\t\\n\\treturn c0;\\n}"

"9"="nightvision|ps_2_0|sampler s0 : register(s0);\\n\\nfloat4 main(float2 tex : TEXCOORD0) : COLOR\\n{\\n\\tfloat c = dot(tex2D(s0, tex), float4(0.2, 0.6, 0.1, 0.1));\\n\\treturn float4(0,c,0,0);\\n}\\n"

"10"="wave|ps_2_0|sampler s0 : register(s0);\\nfloat4 p0 : register(c0);\\nfloat4 p1 : register(c1);\\n\\n#define width (p0[0])\\n#define height (p0[1])\\n#define counter (p0[2])\\n#define clock (p0[3])\\n#define one_over_width (p1[0])\\n#define one_over_height (p1[1])\\n\\n#define PI acos(-1)\\n\\nfloat4 main(float2 tex : TEXCOORD0) : COLOR\\n{\\n\\t// don't look at this for too long, you'll get dizzy :)\\n\\t\\n\\tfloat4 c0 = 0;\\n\\t\\n\\ttex.x += sin(tex.x+clock/0.3)/20;\\n\\ttex.y += sin(tex.x+clock/0.3)/20;\\n\\t\\n\\tif(tex.x >= 0 && tex.x <= 1 && tex.y >= 0 && tex.y <= 1)\\n\\t{\\n\\t\\tc0 = tex2D(s0, tex);\\n\\t}\\n\\t\\n\\treturn c0;\\n}\\n"

"11"="sharpen|ps_2_0|sampler s0 : register(s0); \\nfloat4 p0 : register(c0); \\nfloat4 p1 : register(c1); \\n \\n#define effect_width (1.6) \\n#define val0 (2.0) \\n#define val1 (-0.125) \\n\\n#define width (p0[0]) \\n#define height (p0[1]) \\n \\nfloat4 main(float2 tex : TEXCOORD0) : COLOR \\n{ \\n\\tfloat dx = effect_width/width; \\n\\tfloat dy = effect_width/height; \\n \\n\\tfloat4 c1 = tex2D(s0, tex + float2(-dx,-dy)) * val1; \\n\\tfloat4 c2 = tex2D(s0, tex + float2(0,-dy)) * val1; \\n\\tfloat4 c3 = tex2D(s0, tex + float2(-dx,0)) * val1; \\n\\tfloat4 c4 = tex2D(s0, tex + float2(dx,0)) * val1; \\n\\tfloat4 c5 = tex2D(s0, tex + float2(0,dy)) * val1; \\n\\tfloat4 c6 = tex2D(s0, tex + float2(dx,dy)) * val1; \\n\\tfloat4 c7 = tex2D(s0, tex + float2(-dx,+dy)) * val1; \\n\\tfloat4 c8 = tex2D(s0, tex + float2(+dx,-dy)) * val1; \\n\\tfloat4 c9 = tex2D(s0, tex) * val0; \\n\\t\\n\\tfloat4 c0 = (c1 + c2 + c3 + c4 + c5 + c6 + c7 + c8 +c9); \\n\\t\\n\\treturn c0; \\n}"

"12"="sphere|ps_2_0|sampler s0 : register(s0);\\nfloat4 p0 : register(c0);\\nfloat4 p1 : register(c1);\\n\\n#define width (p0[0])\\n#define height (p0[1])\\n#define counter (p0[2])\\n#define clock (p0[3])\\n#define one_over_width (p1[0])\\n#define one_over_height (p1[1])\\n\\n#define PI acos(-1)\\n\\nfloat4 main(float2 tex : TEXCOORD0) : COLOR\\n{\\n\\t// - this is a very simple raytracer, one sphere only\\n\\t// - no reflection or refraction, yet (my ati 9800 has a 64 + 32 instruction limit...)\\n\\t\\n\\tfloat3 pl = float3(3,-3,-4); // light pos\\n\\tfloat4 cl = 0.4; // light color\\n\\t\\n\\tfloat3 pc = float3(0,0,-1); // cam pos\\n\\tfloat3 ps = float3(0,0,0.5); // sphere pos\\n\\tfloat r = 0.65; // sphere radius\\n\\t\\n\\tfloat3 pd = normalize(float3(tex.x-0.5, tex.y-0.5, 0) - pc);\\n\\t\\n\\tfloat A = 1;\\n\\tfloat B = 2*dot(pd, pc - ps);\\n\\tfloat C = dot(pc - ps, pc - ps) - r*r;\\n\\tfloat D = B*B - 4*A*C;\\n\\t\\n\\tfloat4 c0 = 0;\\n\\t\\n\\tif(D >= 0)\\n\\t{\\n\\t\\t// t2 is the smaller, obviously...\\n\\t\\t// float t1 = (-B + sqrt(D)) / (2*A);\\n\\t\\t// float t2 = (-B - sqrt(D)) / (2*A);\\n\\t\\t// float t = min(t1, t2); \\n\\t\\t\\n\\t\\tfloat t = (-B - sqrt(D)) / (2*A);\\n\\t\\t\\n\\t\\t// intersection data\\n\\t\\tfloat3 p = pc + pd*t;\\n\\t\\tfloat3 n = normalize(p - ps);\\n\\t\\tfloat3 l = normalize(pl - p);\\n\\t\\t\\n\\t\\t// mapping the image onto the sphere\\n\\t\\ttex = acos(-n)/PI; \\n\\t\\t\\n\\t\\t// rotate it\\n\\t\\ttex.x = frac(tex.x + frac(clock/10));\\n\\t\\t\\n\\t\\t// diffuse + specular\\n\\t\\tc0 = tex2D(s0, tex) * dot(n, l) + cl * pow(max(dot(l, reflect(pd, n)), 0), 50);\\n\\t}\\n\\t\\n\\treturn c0;\\n}\\n"

"13"="grayscale|ps_2_0|sampler s0 : register(s0);\\nfloat4 p0 : register(c0);\\nfloat4 p1 : register(c1);\\n\\n#define width (p0[0])\\n#define height (p0[1])\\n#define counter (p0[2])\\n#define clock (p0[3])\\n#define one_over_width (p1[0])\\n#define one_over_height (p1[1])\\n\\n#define PI acos(-1)\\n\\nfloat4 main(float2 tex : TEXCOORD0) : COLOR\\n{\\n\\tfloat c0 = dot(tex2D(s0, tex), float4(0.299, 0.587, 0.114, 0));\\n\\t\\n\\treturn c0;\\n}\\n"

"14"="edge sharpen|ps_2_0|sampler s0 : register(s0); \\nfloat4 p0 : register(c0); \\nfloat4 p1 : register(c1); \\n\\n#define width (p0[0]) \\n#define height (p0[1]) \\n#define counter (p0[2]) \\n#define clock (p0[3]) \\n#define one_over_width (p1[0]) \\n#define one_over_height (p1[1]) \\n\\n#define PI acos(-1) \\n\\n#define NbPixel 1 \\n\\n#define Edge_threshold 0.2 \\n\\n#define Sharpen_val0 2.0 \\n#define Sharpen_val1 0.125 \\n\\nfloat4 main(float2 tex : TEXCOORD0) : COLOR \\n{ \\n float dx = NbPixel/width; \\n float dy = NbPixel/height; \\n float4 Res = 0; \\n\\n float4 c0 = tex2D(s0, tex); \\n float4 c1 = tex2D(s0, tex + float2(-dx,-dy)); \\n float4 c2 = tex2D(s0, tex + float2(0,-dy)); \\n float4 c3 = tex2D(s0, tex + float2(dx,-dy)); \\n float4 c4 = tex2D(s0, tex + float2(-dx,0)); \\n float4 c5 = tex2D(s0, tex + float2(dx,0)); \\n float4 c6 = tex2D(s0, tex + float2(-dx,dy)); \\n float4 c7 = tex2D(s0, tex + float2(0,dy)); \\n float4 c8 = tex2D(s0, tex + float2(dx,dy)); \\n\\n float4 delta1 = (c6+c4+c1-c3-c5-c8); \\n float4 delta2 = (c4+c1+c2-c5-c8-c7); \\n float4 delta3 = (c1+c2+c3-c8-c7-c6); \\n float4 delta4 = (c2+c3+c5-c7-c6-c4); \\n\\n float value = length(abs(delta1) + abs(delta2) + abs(delta3) + abs(delta4))/6; \\n\\n if(value > Edge_threshold ) \\n { \\n Res = c0 * Sharpen_val0 - (c1 + c2 + c3 + c4 + c5 + c6 + c7 + c8 ) * Sharpen_val1 ; \\n return Res; \\n } \\n else \\n return c0; \\n}"

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\ToolBars\Capture Settings]

"Visible"=dword:00000000

"DockState"=dword:0000e81c

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\ToolBars\Capture Settings\State-SCBar-0]

"sizeHorzCX"=dword:000000bf

"sizeHorzCY"=dword:000001b2

"sizeVertCX"=dword:000000bf

"sizeVertCY"=dword:000001b2

"sizeFloatCX"=dword:000000bf

"sizeFloatCY"=dword:000001b2

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\ToolBars\Playlist]

"Visible"=dword:00000000

"DockState"=dword:0000e81e

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\ToolBars\Playlist\State-SCBar-0]

"sizeHorzCX"=dword:000000c8

"sizeHorzCY"=dword:00000064

"sizeVertCX"=dword:000000c8

"sizeVertCY"=dword:00000064

"sizeFloatCX"=dword:000000c8

"sizeFloatCY"=dword:00000064

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\ToolBars\Shader Editor]

"Visible"=dword:00000000

"DockState"=dword:0000e81b

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\ToolBars\Shader Editor\State-SCBar-0]

"sizeHorzCX"=dword:00000129

"sizeHorzCY"=dword:0000006b

"sizeVertCX"=dword:00000129

"sizeVertCY"=dword:0000006b

"sizeFloatCX"=dword:00000129

"sizeFloatCY"=dword:0000006b

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\ToolBars\Subresync]

"Visible"=dword:00000000

"DockState"=dword:0000e81b

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\ToolBars\Subresync\State-SCBar-0]

"sizeHorzCX"=dword:000000c8

"sizeHorzCY"=dword:000000c8

"sizeVertCX"=dword:000000c8

"sizeVertCY"=dword:000000c8

"sizeFloatCX"=dword:000000c8

"sizeFloatCY"=dword:000000c8

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,47,54,75,a3,fb,50,56,4a,93,58,97,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,47,54,75,a3,fb,50,56,4a,93,58,97,\

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office PowerPoint\Settings\Sb*_]

"PositionInfo-Monitor1"=hex:4b,01,00,00,af,00,00,00,02,03,00,00,cc,01,00,00

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office PowerPoint\Settings\Sb*_\File Name MRU]

"Value"=multi:"\00\00"

"Maximum Entries"=dword:0000000a

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office PowerPoint\Settings\Sb*_\View]

"Data"=hex:04,16,00,47,28,14,14,14,0d,01,02,01,00,18,41,00,0d,00,fa,08,00,00,

90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,\

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office Word\Settings\Sb*_]

"PositionInfo-Monitor1"=hex:4b,01,00,00,af,00,00,00,02,03,00,00,cc,01,00,00

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office Word\Settings\Sb*_\File Name MRU]

"Value"=multi:"\00\00"

"Maximum Entries"=dword:0000000a

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office Word\Settings\Sb*_\View]

"Data"=hex:04,16,00,47,28,14,14,14,0d,01,02,01,00,18,41,00,0d,00,fa,08,00,00,

90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,\

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\I*E*4O]

"Order"=hex:08,00,00,00,02,00,00,00,10,02,00,00,01,00,00,00,04,00,00,00,80,00,

00,00,00,00,00,00,72,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,60,00,36,\

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500_Classes\Applications\q_髼螛磃.*l*n*k*\shell\open\command]

@="\"c:\\Documents and Settings\\Administrator\\桌面\\影音风暴.lnk\" %1"

.

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*膥鯪\CLSID]

@="{809B6661-94C4-49E6-B6EC-3F0F862215AA}"

.

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*膥鯪\CurVer]

@="BDATuner.组件.1"

.

[HKEY_LOCAL_MACHINE\software\Classes\7uu臺麐.*M*y*N*S*H*a*n*d*l*e*r*\Clsid]

@="{E8CFC029-8420-4EAE-ADEF-915BDC77E1DC}"

.

[HKEY_LOCAL_MACHINE\software\Classes\zzKNh忶廠*C*+R?.*M*y*N*S*H*a*n*d*l*e*r*\Clsid]

@="{E8CFC029-8420-4EAE-ADEF-915BDC77E1DC}"

.

[HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\G*o*o*g*l*e* *C*h*r*o*m*e* *Om葔hV\Capabilities]

"ApplicationName"="Google Chrome 浏览器"

"ApplicationIcon"="c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe,0"

"ApplicationDescription"="Google Chrome 浏览器是一款可高速运行网页和应用程序的网络浏览器。它快捷、稳定且易于使用。Google Chrome 浏览器内置的恶意软件和网上诱骗防护功能可让您更加安全地浏览网页。"

.

[HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\G*o*o*g*l*e* *C*h*r*o*m*e* *Om葔hV\Capabilities\FileAssociations]

".xhtml"="ChromeHTML"

".xht"="ChromeHTML"

".shtml"="ChromeHTML"

".html"="ChromeHTML"

".htm"="ChromeHTML"

.

[HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\G*o*o*g*l*e* *C*h*r*o*m*e* *Om葔hV\Capabilities\StartMenu]

"StartMenuInternet"="Google Chrome 浏览器"

.

[HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\G*o*o*g*l*e* *C*h*r*o*m*e* *Om葔hV\Capabilities\URLAssociations]

"https"="ChromeHTML"

"http"="ChromeHTML"

"ftp"="ChromeHTML"

.

[HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\G*o*o*g*l*e* *C*h*r*o*m*e* *Om葔hV\DefaultIcon]

@="c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe,0"

.

[HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\G*o*o*g*l*e* *C*h*r*o*m*e* *Om葔hV\InstallInfo]

"IconsVisible"=dword:00000001

"ShowIconsCommand"="\"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe\" --show-icons"

"HideIconsCommand"="\"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe\" --hide-icons"

"ReinstallCommand"="\"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe\" --make-default-browser"

.

[HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\G*o*o*g*l*e* *C*h*r*o*m*e* *Om葔hV\shell\open\command]

@="\"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe\""

.

完成时间: 2011-07-17 21:48:27

ComboFix-quarantined-files.txt 2011-07-18 01:48

ComboFix2.txt 2011-07-17 18:38

.

Pre-Run: 8,433,049,600 可用字节

Post-Run: 8,422,916,096 可用字节

.

- - End Of File - - 7E16CFDCDCBE0486EB704AA41FC28003


Looking good ;)

Before we move on, let's run some more scans to see if there are any traces left :):

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and Scan unwanted applications are checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

-----------

Please use Internet Explorer and run a BitDefender Online scan from Here

  • Please check I agree with the Terms and Conditions and click Start Here
  • You will need to allow an Active X install for the scan to run.
  • Leave the scanning options at default and click Start Scan

Please post the results in your next reply.


I tried to run the ESET online scanner via IE, but after launching the "start scan", there is a white blank page on the IE scanner window. So, instead, I used Firefox and downloaded the following application and finished a scan. The log is below. And I am very happy to redo a scan, if a re-scan with IE will be beneficial.

Thanks a lot for your help,

Yan

-----------------------------

You are trying to launch ESET Online Scanner in a different browser than Internet Explorer. Please agree to the download of ESET Smart Installer - an application which installs and launches ESET Online Scanner in a separate window. At the end of the scan, there will be an option to uninstall ESET Online Scanner and all its components.

To download ESET Smart Installer click the button below.

esetsmartinstaller_enu.exe

After successful installation of ESET Smart Installer, ESET Online Scanner is launched in a new window.

---------------------------

ESETSmartInstaller@High as downloader log:

all ok

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6528

# api_version=3.0.2

# EOSSerial=0661e08d2a849b4fb7d46be6936f2e24

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-07-18 05:07:01

# local_time=2011-07-18 01:07:01 )

# country="People's Republic of China"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 0 0 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=138956

# found=9

# cleaned=9

# scan_time=1588

C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\11\4550cd8b-3fb318c3 Win32/Adware.XPAntiSpyware.AB application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\62\60d9c47e-5d6889a5 a variant of Java/TrojanDownloader.OpenStream.NCE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\62\60d9c47e-5e31d115 a variant of Java/TrojanDownloader.OpenStream.NCE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Administrator\Favorites\A1个性导航.url Win32/TrojanClicker.Agent.NKD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\0.3553338938706222.exe.vir Win32/TrojanDownloader.Prodatect.BK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\0.3615687229714907.exe.vir Win32/TrojanDownloader.Prodatect.BK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\0.9516591034247679.exe.vir Win32/TrojanDownloader.Prodatect.BK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\hSVtcInUytJDh.exe.vir Win32/TrojanDownloader.Prodatect.BK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\P1kAlMiG2Kb7Fz.exe.vir a variant of Win32/Kryptik.QKH trojan (cleaned by deleting - quarantined) 0000000000000000000000000000000


Here is the log for Bitdefender:

Thanks a lot for the help,

Yan

QuickScan Beta 32-bit v0.9.9.96

-------------------------------

Scan date: Mon Jul 18 13:24:10 2011

Machine ID: 28B76F12

No infection found.

-------------------

Processes

---------

Adobe Reader and Acrobat Manager 4080 C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

Firefox 1920 C:\Program Files\Mozilla Firefox\firefox.exe

Firefox 3468 C:\Program Files\Mozilla Firefox\plugin-container.exe

Java Platform SE 6 U15 1684 C:\Program Files\Java\jre6\bin\jqs.exe

Microsoft® Windows® Operating Syste 584 C:\Program Files\Internet Explorer\iexplore.exe

Microsoft® Windows® Operating Syste 1604 C:\WINDOWS\explorer.exe

Microsoft® Windows® Operating Syste 3836 C:\WINDOWS\explorer.exe

Microsoft® Windows® Operating Syste 832 C:\WINDOWS\system32\services.exe

Microsoft® Windows® Operating Syste 788 C:\WINDOWS\system32\winlogon.exe

Microsoft® Windows® Operating System 1240 C:\WINDOWS\system32\alg.exe

Microsoft® Windows® Operating System 2064 C:\WINDOWS\system32\conime.exe

Microsoft® Windows® Operating System 756 C:\WINDOWS\system32\csrss.exe

Microsoft® Windows® Operating System 504 C:\WINDOWS\system32\ctfmon.exe

Microsoft® Windows® Operating System 1760 C:\WINDOWS\system32\locator.exe

Microsoft® Windows® Operating System 844 C:\WINDOWS\system32\lsass.exe

Microsoft® Windows® Operating System 708 C:\WINDOWS\system32\smss.exe

Microsoft® Windows® Operating System 1564 C:\WINDOWS\system32\spoolsv.exe

Microsoft® Windows® Operating System 348 C:\WINDOWS\system32\svchost.exe

Microsoft® Windows® Operating System 1000 C:\WINDOWS\system32\svchost.exe

Microsoft® Windows® Operating System 1068 C:\WINDOWS\system32\svchost.exe

Microsoft® Windows® Operating System 1180 C:\WINDOWS\system32\svchost.exe

Microsoft® Windows® Operating System 1276 C:\WINDOWS\system32\svchost.exe

Microsoft® Windows® Operating System 1436 C:\WINDOWS\system32\svchost.exe

Microsoft® Windows® Operating System 1788 C:\WINDOWS\system32\svchost.exe

NVIDIA Driver Helper Service, Version 1 1720 C:\WINDOWS\system32\nvsvc32.exe

Realtek HD Audio Sound Effect Manager 352 C:\WINDOWS\RTHDCPL.EXE

Network activity

----------------

Process iexplore.exe (584) connected on port 80 (HTTP) --> 66.235.142.58

Process iexplore.exe (584) connected on port 80 (HTTP) --> 74.125.226.169

Process firefox.exe (1920) connected on port 80 (HTTP) --> 74.125.226.100

Process svchost.exe (1000) listens on ports: 3389 (Terminal Server)

Process svchost.exe (1068) listens on ports: 135 (RPC)

Process svchost.exe (1436) listens on ports: 2869 (SSDP event notification, UPNP)

Autoruns and critical files

---------------------------

Microsoft® Windows® Operating Syste C:\WINDOWS\system32\BROWSEUI.dll

Microsoft® Windows® Operating Syste C:\WINDOWS\system32\CRYPT32.dll

Microsoft® Windows® Operating Syste C:\WINDOWS\System32\CSCDLL.dll

Microsoft® Windows® Operating Syste C:\WINDOWS\system32\logonui.exe

Microsoft® Windows® Operating Syste C:\WINDOWS\system32\sclgntfy.dll

Microsoft® Windows® Operating Syste C:\WINDOWS\system32\SHELL32.dll

Microsoft® Windows® Operating Syste C:\WINDOWS\system32\stobject.dll

Microsoft® Windows® Operating Syste c:\windows\system32\userinit.exe

Microsoft® Windows® Operating Syste C:\WINDOWS\system32\webcheck.dll

Microsoft® Windows® Operating Syste C:\WINDOWS\system32\WlNotify.dll

Microsoft® Windows® Operating System C:\WINDOWS\system32\cryptnet.dll

Microsoft® Windows® Operating System C:\WINDOWS\system32\ctfmon.exe

Microsoft® Windows® Operating System C:\WINDOWS\System32\dimsntfy.dll

NVIDIA Compatible Windows 2000 Display C:\WINDOWS\system32\NvCpl.dll

Realtek HD Audio Sound Effect Manager C:\WINDOWS\RTHDCPL.EXE

Windows 正版增值计划 C:\WINDOWS\system32\WgaLogon.dll

(verified) Google 更新 C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\WPDShServiceObj.dll

Browser plugins

---------------

Adobe PDF Toolbar for IE C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

Ask.com Toolbar c:\program files\askbardis\bar\bin\askbar.dll

BitDefender QuickScan C:\WINDOWS\Downloaded Program Files\qsax.dll

Foxit Reader Plugin for Mozilla C:\Program Files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

Google Update C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.3.21.57\npGoogleUpdate3.dll

Java Deployment Toolkit 6.0.150.3 C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll

Java Platform SE 6 U15 C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

LizardTech DjVu C:\Program Files\Mozilla Firefox\plugins\npdjvu.dll

Microsoft® Windows® Operating Syste C:\WINDOWS\system32\mswsock.dll

Microsoft® Windows® Operating Syste C:\WINDOWS\system32\SHDOCVW.dll

Microsoft® Windows Media Player Firefox C:\Program Files\Mozilla Firefox\plugins\np-mswmp.dll

Microsoft® Windows® Operating System C:\WINDOWS\system32\rsvpsp.dll

Microsoft® Windows® Operating System C:\WINDOWS\System32\winrnr.dll

NPSWF32.dll C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll

Thunder DapCtrl Plugin C:\Program Files\Common Files\Thunder Network\KanKan\npDapCtrlFirefox.2.0.5901.12.(512).dll

Thunder DapCtrl Plugin C:\Program Files\Mozilla Firefox\plugins\npDapCtrlFirefox.dll

TVU Web Player for FireFox C:\WINDOWS\system32\TVUAx\npTVUAx.dll

迅雷7 C:\Program Files\Thunder Network\Thunder\BHO\XunleiBHO7.1.4.2104.dll

(verified) AcroIEHelperShim Library C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

(verified) Adobe Acrobat C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll

Missing files

-------------

File not found: c:\program files\thunder network\thunder\comdlls\tdmediadetector5.9.28.1564.dll

--> HKLM\Software\Classes\CLSID\{01443AEC-0FD1-40fd-9C87-E93D1494C233}\InprocServer32\"(default)"

Scan

----

MD5: b226054bfa3d3a1920f7b95e54f3e87d C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.3.21.57\npGoogleUpdate3.dll

MD5: 3c069f0d7f1ce6292e880dd777ecff66 C:\Program Files\Adobe\Acrobat 9.0\Acrobat Elements\ContextMenu.chs

MD5: 510325e830bc5f2a2d93a11924989de0 C:\Program Files\Adobe\Acrobat 9.0\Acrobat Elements\ContextMenu.dll

MD5: 55e78c6f1413479fcb60172c77e0ba65 C:\Program Files\Adobe\Acrobat 9.0\AcrobatReader\Reader\viewerps.dll

MD5: 3faed1c7b0e37e78c532243edc25baec c:\program files\askbardis\bar\bin\askbar.dll

MD5: f623b253c25aa734fe42564579a85c59 C:\Program Files\Audible\Bin\AudibleExt.dll

MD5: 3bd010e429d50139e91dba487feadb0a C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.CHS

MD5: f2dcb030fbdd320f858871515c18c5d1 C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

MD5: 8a5189ddcacafb88a63f3c4bb3442ad2 C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.CHS

MD5: bad6bea0de1f69c82bdb74378ce0c20a C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

MD5: f76d04f7413b07daa029f6520b64b4e8 C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

MD5: 5c766113487508c136d50fc1489b60d8 C:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll

MD5: 8e46a7bac823dd82d4fb2a34c3df4c1d C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe

MD5: 753a8f339f231d2b857e2ccd51a6e6ca C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe

MD5: e3e6c96b0ef4492c3c8fd0deef4e35a1 C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

MD5: 6c2146012bc6838a1e1d3d7237f7443d C:\Program Files\Common Files\System\Ole DB\oledb32.dll

MD5: 375854549efa2d205822fdda1e72955a C:\Program Files\Common Files\System\Ole DB\OLEDB32R.DLL

MD5: ac2263e3431fa9df4e48cd5f1da9a722 C:\Program Files\FileZilla_Server\FileZilla Server.exe

MD5: b2da1eaa638884c9bf1934662081380f C:\Program Files\Internet Explorer\iexplore.exe

MD5: 55e583817a2012fd75f1f8cf87ee760c C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

MD5: 1365bb2a78db638870337422b54ddbac C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll

MD5: 63368d3e65aace7d26f69d8b29384243 C:\Program Files\Microsoft Office\Office12\msohevi.dll

MD5: b957b30090889aa4f887277916f76fe7 C:\Program Files\Mozilla Firefox\components\browsercomps.dll

MD5: 6c9cd3ecba6732661c8bbe37a877a2bd C:\Program Files\Mozilla Firefox\firefox.exe

MD5: cc5b1a70daa7a04fe15e6d7c54b55d02 C:\Program Files\Mozilla Firefox\freebl3.dll

MD5: ff4040da11ae0d13a0a7778e6022e728 C:\Program Files\Mozilla Firefox\mozalloc.dll

MD5: 96397535f6e4ca499dd659ce76c50746 C:\Program Files\Mozilla Firefox\MOZCPP19.dll

MD5: 411f23aaf331da8b9f0cfd1cada4b8b5 C:\Program Files\Mozilla Firefox\MOZCRT19.dll

MD5: 1919d815996470088d20a59e992a9695 C:\Program Files\Mozilla Firefox\mozjs.dll

MD5: fcd1d9ccc7096dc2210d3096fbdf92cc C:\Program Files\Mozilla Firefox\mozsqlite3.dll

MD5: c1bf9c9244996aa0607766199d226183 C:\Program Files\Mozilla Firefox\nspr4.dll

MD5: f030ff40b6afb777b9992525800de3ea C:\Program Files\Mozilla Firefox\nss3.dll

MD5: 6689b655ea803be040d95b8ea913249f C:\Program Files\Mozilla Firefox\nssckbi.dll

MD5: 079155b0a7579652dcc2ec7908d9502a C:\Program Files\Mozilla Firefox\nssdbm3.dll

MD5: fb4fc7ee2e516063e25887c2e170d893 C:\Program Files\Mozilla Firefox\nssutil3.dll

MD5: 4dfdfb82c4f60beaf88e3c13c01f124a C:\Program Files\Mozilla Firefox\plc4.dll

MD5: 5bff0a2260ab6bf8d9b829d947c5ef6c C:\Program Files\Mozilla Firefox\plds4.dll

MD5: 4486ad32bb05628967695fca1badd46e C:\Program Files\Mozilla Firefox\plugin-container.exe

MD5: 99f97c9fe748c37528c338a423577fcb C:\Program Files\Mozilla Firefox\plugins\np-mswmp.dll

MD5: d50eb7ca5c1a969d6b60a18b573d330f C:\Program Files\Mozilla Firefox\plugins\npDapCtrlFirefox.dll

MD5: 2a30d4b6319a69c82def52cb3672eceb C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll

MD5: d2185fe52c05b7ac751d55ad627685a5 C:\Program Files\Mozilla Firefox\plugins\npdjvu.dll

MD5: cb2e646a69d347eb0437ab50785cf3bb C:\Program Files\Mozilla Firefox\smime3.dll

MD5: 363f20b791469048b0878dbdfd60e41b C:\Program Files\Mozilla Firefox\softokn3.dll

MD5: b6a4cb50c2c0d7821a604c64a5058ed1 C:\Program Files\Mozilla Firefox\ssl3.dll

MD5: cd05ba08fd35ec561b82f6d1c905a445 C:\Program Files\Mozilla Firefox\xpcom.dll

MD5: 840e1ad2fdeedf482927d4369fb03dac C:\Program Files\Mozilla Firefox\xul.dll

MD5: cdc3a971fedc70ee140f1b7d274b0ea1 C:\Program Files\Thunder Network\Thunder\BHO\xldb.7.1.4.2104.dll

MD5: 90d58a9a6d46d774f293d895aef91d97 C:\Program Files\Thunder Network\Thunder\BHO\xldp.7.1.4.2104.dll

MD5: a629d129c505249cacbee75a1d153879 C:\Program Files\Thunder Network\Thunder\BHO\XunleiBHO7.1.4.2104.dll

MD5: baf08d6d5abbed726c6d9da2617b5175 C:\WINDOWS\AppPatch\AcAdProc.dll

MD5: 61b26599b62c5469845af7b153737bab C:\WINDOWS\AppPatch\AcGenral.DLL

MD5: 23dc75d158d484177ffe99e23264f89f C:\WINDOWS\Downloaded Program Files\qsax.dll

MD5: 9eb867933136ad37eaf7f2ecb97e3a4d C:\WINDOWS\explorer.exe

MD5: b404ae1cb4bd09e722a90165a357a11a C:\WINDOWS\RTHDCPL.EXE

MD5: 05fd3bda52239d3b728aa96f4dc7191e c:\windows\system32\6to4svc.dll

MD5: df35b280666084874acd77b1cd3daea9 c:\windows\system32\ACTIVEDS.dll

MD5: 6efd436e329ede75f8d606a09feb5d88 C:\WINDOWS\system32\actxprxy.dll

MD5: d65db1c24e27acd169971552c6fc9e2f C:\WINDOWS\system32\AdobePDF.dll

MD5: 498e007a4f07f32bc562ae6948625003 c:\windows\system32\adsldpc.dll

MD5: 7bd1cdee36024752ffced971b95cf9c4 C:\WINDOWS\system32\ADVAPI32.dll

MD5: 19a7ce0d6801f6a9db7db00afaed2ad8 C:\WINDOWS\system32\ADVPACK.DLL

MD5: f031c127d798e1549861317064066287 C:\WINDOWS\system32\alg.exe

MD5: dfd8d8d0ff28f17e42a0f19b40dc3966 C:\WINDOWS\system32\appHelp.dll

MD5: 28b700b7fdc38f343197798e0403c584 C:\WINDOWS\System32\appmgmts.dll

MD5: daf9a0e44128b79125cf9c69ca5254db C:\WINDOWS\system32\ATL.DLL

MD5: 1f1d608abcc34ca2a5369c95b47605f0 C:\WINDOWS\system32\ATL71.DLL

MD5: 0c03a81067bfe60ab076fb866eeb7d44 c:\windows\system32\audiosrv.dll

MD5: 923a1960abe6c0e9f8ef53913f3602f8 C:\WINDOWS\system32\AUTHZ.dll

MD5: 082838b3b7bdad0e0f3bd06edc67d2a1 C:\WINDOWS\system32\basesrv.dll

MD5: 54fc5912d870ea17a228f81075f5c9c5 C:\WINDOWS\system32\BatMeter.dll

MD5: 78526ffc9def0f36b43e0aea1b1ae917 C:\WINDOWS\system32\browselc.dll

MD5: b5030062dc5d227b063b65fef328e36f c:\windows\system32\browser.dll

MD5: 1696bc86a75343c45c32c2428baef4f9 C:\WINDOWS\system32\BROWSEUI.dll

MD5: d5866c96ceadaf21b9cfe5b2e61ddbf9 C:\WINDOWS\system32\Cabinet.dll

MD5: 8d7cd8da37113e19a9d80a52f6e4f1d0 c:\windows\system32\certcli.dll

MD5: a6a4bb9b8ce5422dfac8d8294dc7d2ef C:\WINDOWS\system32\CFGMGR32.dll

MD5: e9140546d5bd2341804bd43cb6839200 C:\WINDOWS\system32\CLBCATQ.DLL

MD5: 1c8773b346a2e789f1729fc1c5ff4e6f C:\WINDOWS\system32\clipsrv.exe

MD5: feb625e10cd98bc8b8198bfc99d7bfe1 C:\WINDOWS\System32\CLUSAPI.dll

MD5: 83ba7e22bf529858a345f483d7e94c16 C:\WINDOWS\system32\cmd.exe

MD5: 43bae2a78de14f25979d09647f4b681d C:\WINDOWS\system32\CNMLM83.DLL

MD5: 67ad3bf6b0b99a946c70ce8d2f1f5a21 C:\WINDOWS\system32\colbact.DLL

MD5: f03851b900c688667e1bf30ab48be3c9 C:\WINDOWS\system32\comctl32.dll

MD5: c7479e84869fd0ad3cc675bc82d359a8 C:\WINDOWS\system32\COMDLG32.DLL

MD5: 15a1eab0d3c9a9c02aa953c642272d2b C:\WINDOWS\system32\COMRes.dll

MD5: c0040c02e2fa45c0c6f78d4cad58e6db C:\WINDOWS\system32\comsvcs.dll

MD5: d613fe3b6dccb7ba114c8d81337108e1 C:\WINDOWS\system32\conime.exe

MD5: 76dcd2add427c4a2ae7d673fe28719d2 C:\WINDOWS\system32\corpol.dll

MD5: a7d3317762ff48a8ea79acf18072df5d c:\windows\system32\credui.dll

MD5: 37b151c5364617bfef0f3e6cd4b4f8ef C:\WINDOWS\system32\CRYPT32.dll

MD5: ac858705985f5bbb1deb1ed9e807d2f2 C:\WINDOWS\system32\cryptdll.dll

MD5: 3a3345f46a0c1efcf7cf3c7011f75270 C:\WINDOWS\system32\cryptnet.dll

MD5: 30f1c6eddba5d5b1da054b07d31843db c:\windows\system32\cryptsvc.dll

MD5: 6e246f511f48768f4767180b5b7538cb C:\WINDOWS\system32\CRYPTUI.dll

MD5: 5367c2839ecc3eede4c26ea4c16c5900 C:\WINDOWS\System32\CSCDLL.dll

MD5: 5e39348149e8f5b0ff1ee0bc1384665e C:\WINDOWS\System32\cscui.dll

MD5: fd6085e81377191340d453fe9c9d3c1e C:\WINDOWS\system32\CSRSRV.dll

MD5: fea5c15e63790770b1e8216a7d64d90d C:\WINDOWS\system32\csrss.exe

MD5: 9339a79fa7d415dc39cf021880af7992 C:\WINDOWS\system32\ctfmon.exe

MD5: 3b3b9c4b31b10fa1c5d0bba0af7e706f C:\WINDOWS\system32\D3DIM700.DLL

MD5: 5b2c15a9290fc653c636aa9b8d56b953 C:\WINDOWS\System32\davclnt.dll

MD5: 1ae00aa0cff68ef7a765fc556fa32bd3 C:\WINDOWS\system32\dbghelp.dll

MD5: 1eacafe95a56dbc2676b45d838f0e728 C:\WINDOWS\system32\DCIMAN32.dll

MD5: 762563a6bd2d188a100caa855e899f4b C:\WINDOWS\system32\DDRAW.dll

MD5: 2368b9bb3193747c86be2f3167e26556 C:\WINDOWS\system32\ddrawex.dll

MD5: 1a93467e7bd9eaad9049488f3b45c0e8 c:\windows\system32\dhcpcsvc.dll

MD5: b568e33952b4fa3806b0da12226a9712 C:\WINDOWS\System32\dimsntfy.dll

MD5: eddfaaa9db2c1f6aa9631b621352ca83 C:\WINDOWS\system32\dllhost.exe

MD5: 65b12edacdcf3c7866615955cb3ab3ef C:\WINDOWS\System32\dmadmin.exe

MD5: d22b022857d2c8618a92837648156752 c:\windows\system32\dmserver.dll

MD5: 32757371ec7810352f326a182d9c11cf C:\WINDOWS\system32\DNSAPI.dll

MD5: 025abcb78f69dd458199745194fb53e2 c:\windows\system32\dnsrslvr.dll

MD5: 2b827a509f34d1162cc48515a923d932 c:\windows\system32\dot3api.dll

MD5: b57ebc7f350deb98ab761760c5faf04b c:\windows\system32\dot3dlg.dll

MD5: 2977b1a2f8273f55ccd0158e1ed6578a C:\WINDOWS\System32\dot3svc.dll

MD5: 60053c170357eedace8d88e9d87e993e C:\WINDOWS\system32\DRIVERS\ACPI.sys

MD5: 28046b6867800b3f12c652ce2c9ea340 C:\WINDOWS\System32\DRIVERS\ACPIEC.sys

MD5: 1b0806a92432bf6e9def9fbf0494f67d C:\WINDOWS\system32\DRIVERS\AmdK8.sys

MD5: 99b33c26d6fbb7b06cd1e8a7ff729ce0 C:\WINDOWS\System32\drivers\dmboot.sys

MD5: 5e87fcad72a24ad869aafd3c6a4dca45 C:\WINDOWS\System32\drivers\dmio.sys

MD5: a55dd7d8ced5d2624a9ee2dda7be0319 C:\WINDOWS\system32\drivers\es1371mp.sys

MD5: ab4983120e4e4527ae9ffe4177ecd6e7 C:\WINDOWS\system32\DRIVERS\fsvga.sys

MD5: 38375a4d9582a08c14c928cc099b8836 C:\WINDOWS\system32\DRIVERS\ftdisk.sys

MD5: 1694f6666dbee4d5bec6a5919eeb4d86 C:\WINDOWS\system32\DRIVERS\i8042prt.sys

MD5: e5a0034847537eaee3c00349d5c34c5f C:\WINDOWS\system32\drivers\iastor7.sys

MD5: c8435e37cc6c13e25bd361b5d806d3c7 C:\WINDOWS\system32\DRIVERS\intelide.sys

MD5: cb353452590cc3faeeef86de334d5f49 C:\WINDOWS\system32\DRIVERS\isapnp.sys

MD5: 5b4d15cd20869778ebf282db0fc08a29 C:\WINDOWS\system32\DRIVERS\kbdclass.sys

MD5: 7ac6d7729e83ab83165003609deeed3e C:\WINDOWS\system32\DRIVERS\kbdhid.sys

MD5: 35ac8fd90e70f2e54cb4bfb21b4e1bf1 C:\WINDOWS\system32\DRIVERS\mouclass.sys

MD5: 692910b446d0b751b2462f3624c7b1a7 C:\WINDOWS\system32\DRIVERS\mouhid.sys

MD5: 8e72e452b9cc1e455d19e3c9fa964d37 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

MD5: 0258d664f93b4b01ddd621b8c084f322 C:\WINDOWS\system32\DRIVERS\NVENETFD.sys

MD5: 56ec9207906435ef1bf02f5c68e3ffec C:\WINDOWS\system32\DRIVERS\nvnetbus.sys

MD5: b71bfbc2fe958a6da1e31357e03ad545 C:\WINDOWS\system32\DRIVERS\nvrd32.sys

MD5: 42580fdf84b2d08c3366819f80714274 C:\WINDOWS\system32\DRIVERS\parport.sys

MD5: 28eca79bcd3883dc6cb0ac2b20fdb2f0 C:\WINDOWS\system32\DRIVERS\pci.sys

MD5: a4d41f0279f405d6f5c19465aad82834 C:\WINDOWS\system32\DRIVERS\pciide.sys

MD5: 7bc8027d56fab153a987c56ae9835664 C:\WINDOWS\system32\DRIVERS\pcntpci5.sys

MD5: 14615ebaf029cd0a7af97d10fbd900cd C:\WINDOWS\system32\DRIVERS\redbook.sys

MD5: 5707cec38db61b96079e6a14b4702446 C:\WINDOWS\system32\drivers\RtkHDAud.sys

MD5: 81fa8e4f77964b6a606670b87c331c2e C:\WINDOWS\system32\DRIVERS\serial.sys

MD5: 72cf151fb410e544904dbc7d7f29b796 C:\WINDOWS\system32\DRIVERS\SiWinAcc.sys

MD5: 71e276f6d189413266ea22171806597b C:\WINDOWS\System32\Drivers\sptd.sys

MD5: d06200275fb3040cd030f7510e810a10 C:\WINDOWS\system32\DRIVERS\sr.sys

MD5: 4f8a43adef66f135564085a9dca96a26 C:\WINDOWS\system32\DRIVERS\srv.sys

MD5: 030dc4d48cc2b894fee2f390d8e66ad5 C:\WINDOWS\system32\DRIVERS\tcpip.sys

MD5: aa7a55536096d646dc7ab0ac5641e9e8 C:\WINDOWS\system32\DRIVERS\tcpip6.sys

MD5: 8f861eda21c05857eb8197300a92501c C:\WINDOWS\system32\DRIVERS\tunmp.sys

MD5: 3a82a61e312addb3be8f1fe3481842b1 C:\WINDOWS\system32\DRIVERS\viamraid.sys

MD5: d96385c2ef6822815033e50ea3cd9071 C:\WINDOWS\System32\drprov.dll

MD5: a494c2e22412aa91ea176af45f204a8b C:\WINDOWS\system32\DSOUND.DLL

MD5: 0705796d9d1d5b28b6914fb9c558a269 C:\WINDOWS\system32\DUSER.dll

MD5: 0e7db7e83f92bb2eb0ed4c86394bd047 C:\WINDOWS\system32\dxtmsft.dll

MD5: 0bbbe5562c17a766ee21136d036ea511 C:\WINDOWS\system32\dxtrans.dll

MD5: 70728e8880dd1340e6d142a2f94da2b5 c:\windows\system32\EapolQec.dll

MD5: 6dfd440f04736c7111b95e56c4fe9fd7 c:\windows\system32\eappcfg.dll

MD5: 7c2f1bee126986ad1003df6b45c66bda c:\windows\system32\eappprxy.dll

MD5: b347c2edeacc53a98beafe41835ae1a1 C:\WINDOWS\System32\eapsvc.dll

MD5: de60a74e82358cedbe8c94151f134dc3 c:\windows\system32\es.dll

MD5: da12828c3ddd778276e9812cb6c7d15f c:\windows\system32\ESENT.dll

MD5: ca5aa6be7be071e9a21d9027d729dc2e C:\WINDOWS\system32\eventlog.dll

MD5: d31bd2b8d14e1cf61ee4aa95c5b4964a C:\WINDOWS\System32\expsrv.dll

MD5: 5da35d77aa8a680d6bd245d446a2c924 C:\WINDOWS\system32\feclient.dll

MD5: 2ccdf9fc160e3af611510decc1359516 C:\WINDOWS\system32\GDI32.dll

MD5: 782be9a703f805f1106f1d1ace2dbf4b C:\WINDOWS\System32\h323.tsp

MD5: 2e712c8638ce7e3a1d264f909d54cea9 C:\WINDOWS\system32\HHCTRL.OCX

MD5: aa1879728cde045f92dbc7a83e773ee0 C:\WINDOWS\System32\HID.DLL

MD5: 999c417a16cebbcb38576207c2684e8f C:\WINDOWS\System32\hidphone.tsp

MD5: 9dc050493ee9a2d11acff1f3048d7432 C:\WINDOWS\system32\hnetcfg.dll

MD5: d0ed8527d6b74bf0c029cc044d600dcc C:\WINDOWS\System32\HTTPAPI.dll

MD5: 5ee0ecc5953dcbec8e587be815cb3f2f C:\WINDOWS\system32\iasacct.dll

MD5: 1caae16679c3bd9fd5c08f7f25ca6a3d C:\WINDOWS\System32\iashlpr.dll

MD5: 8ab5f3c528e7966a3f8384579398a07a C:\WINDOWS\system32\iasnap.dll

MD5: a1419a4097076819cb50d509e617109e C:\WINDOWS\System32\iaspolcy.dll

MD5: f2a06bd5d60a9ae592f2d0b340263dbf C:\WINDOWS\System32\iasrad.dll

MD5: 9e39ed61bf90d23ed82d02c875c74761 C:\WINDOWS\system32\iassam.dll

MD5: 5fcbcde1a9a2292da093b47e1075a681 C:\WINDOWS\system32\iassdo.dll

MD5: f187b5265814cc846df3df4a80421c3e C:\WINDOWS\System32\iassvcs.dll

MD5: f2af09f0b1ade2a2b0dd08c95547eb90 c:\windows\system32\ICAAPI.dll

MD5: ad3ea8bfa19489bdd40139a5452efac9 C:\WINDOWS\system32\icm32.dll

MD5: 05ed9b845270ba6b04b0fca223567500 C:\WINDOWS\system32\iepeers.dll

MD5: 6c5d944c7c72af44554c29e8eede7dc4 C:\WINDOWS\system32\IMAGEHLP.dll

MD5: 4dba71b5715badfbe82a628261c199b7 C:\WINDOWS\system32\imapi.exe

MD5: edbf5b286c5327a801193ef67755d3ac C:\WINDOWS\system32\ImgUtil.dll

MD5: 7645b57df463e4dfaa2c6e99420060da C:\WINDOWS\system32\IMM32.DLL

MD5: 4fdd6ddf522cad71998b9a2b2fa6dc8c C:\WINDOWS\system32\inetpp.dll

MD5: 12c0990ecf799eea874c260eb185d763 C:\WINDOWS\system32\iphlpapi.dll

MD5: 42afc2da36c983c2192062f7a5345a65 c:\windows\system32\ipnathlp.dll

MD5: 1f535a8af2908e6f347144966ce81f06 C:\WINDOWS\System32\iprtprio.dll

MD5: 8d782a96d336ada5361f5baaf68432c8 C:\WINDOWS\System32\iprtrmgr.dll

MD5: 18e78743cfd42254932c2b05f99f13de C:\WINDOWS\system32\ipsecsvc.dll

MD5: 3c92a99c069491b116f6b86f76c27011 C:\WINDOWS\system32\jscript.dll

MD5: dbbed940a56f4cba33371d536b006171 C:\WINDOWS\system32\kerberos.dll

MD5: bf1cdaf5792b78d4730727facf307d46 C:\WINDOWS\system32\kernel32.dll

MD5: b5553333e4511b5dba523846a74966f3 C:\WINDOWS\System32\kmddsp.tsp

MD5: 5c3907a0fcf9e3940ee6c6414fc47ae7 C:\WINDOWS\System32\kmsvc.dll

MD5: f1f58e2cb49b357142380a6c2cb6c54c C:\WINDOWS\system32\KsUser.dll

MD5: 505804b2bdd0edeeadf31be26e546979 C:\WINDOWS\system32\LINKINFO.dll

MD5: b503b858d30afd561208aed67588a47d c:\windows\system32\lmhsvc.dll

MD5: d64c6f0d0b0d7b8ddebd0bbd26c7687a C:\WINDOWS\system32\localspl.dll

MD5: 34924d2ae0d0e7a956ac535c0fc04604 C:\WINDOWS\system32\locator.exe

MD5: 585c5b365163cc8c4767987beea4866b C:\WINDOWS\system32\logonui.exe

MD5: 1efb14775b5feee55dc744ebfcca1cfd C:\WINDOWS\System32\LPK.DLL

MD5: a46d8a8a6dc342c34e8c1c64195cb7a0 C:\WINDOWS\system32\LSASRV.dll

MD5: bc16a35900d8abdbce0d87e9fcf21f65 C:\WINDOWS\system32\lsass.exe

MD5: 21a67095edc11a528f5434d28bb0ef3c C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll

MD5: 743cac2a53ba132d086853141246d7d7 C:\WINDOWS\system32\midimap.dll

MD5: 83528ed2bb39dd0b0c57784d5cd77acb C:\WINDOWS\system32\mlang.dll

MD5: f2ab0bc6bd8ef7b86cbe1e52b8c15924 C:\WINDOWS\system32\mnmsrvc.exe

MD5: f5606151ff1ee48bd331161e5aa320a4 C:\WINDOWS\system32\MPR.DLL

MD5: cda4afbf5b0bc1e8e4b9979313a0a33d C:\WINDOWS\System32\MPRAPI.dll

MD5: 3256f84faa80e2e7d14ab39cb457dc58 C:\WINDOWS\System32\mprddm.dll

MD5: ea0ab6dae208224f06231055875276a4 c:\windows\system32\mprdim.dll

MD5: 16cc36beb12c301a94e4c89eaad744fa C:\WINDOWS\System32\MSACM32.dll

MD5: f6dccd16f92358594eea83a1144f52b9 C:\WINDOWS\system32\msacm32.drv

MD5: 24f824eea5b8ec6d387071f86ada7d25 C:\WINDOWS\system32\MSASN1.dll

MD5: 79b6095bc9f7c4af1640eeab5c166c81 c:\windows\system32\mscms.dll

MD5: 0c8824c7fccbfe9d87ba5b3903b7864d C:\WINDOWS\system32\MSCTF.dll

MD5: ab2ba999ae682f8a69467c306828c7b1 C:\WINDOWS\system32\msctfime.ime

MD5: 1bbc2eea4ffef155f98f0481611a0f1e C:\WINDOWS\system32\MSDART.DLL

MD5: d9ff5f8b58d1e71933fbcf4dc6b3b492 C:\WINDOWS\system32\msdtc.exe

MD5: 38ddbe4177b9ff183fcaf122aaf188f5 C:\WINDOWS\system32\MSGINA.dll

MD5: 6a0e18bc3e2b2f795b5f1b0bec181e7a C:\WINDOWS\System32\msgsvc.dll

MD5: a1ce689d486141535b5beb80004b0c4e C:\WINDOWS\system32\mshtml.dll

MD5: 41925687871432722189eb62c8212e9c C:\WINDOWS\system32\mshtmled.dll

MD5: a3b0e93f22461c2af93598839d1770f1 c:\windows\system32\msi.dll

MD5: 63614ea8b23855892efea74b5e4567c2 C:\WINDOWS\System32\MSIDLE.DLL

MD5: 6c985ebcd34f92d666b365b28272195f C:\WINDOWS\system32\msiexec.exe

MD5: e805739a7471f326a14d71b9eb49418e C:\WINDOWS\system32\MSIMG32.dll

MD5: f31c0fb4fa5c56facaa54a0a6734b051 C:\WINDOWS\system32\msimtf.dll

MD5: e5de87dddb8cbe4687eadf296e58452a C:\WINDOWS\system32\msjtes40.dll

MD5: df922a00320a7614f1d859f9e4e8635b C:\WINDOWS\system32\msls31.dll

MD5: ae501d79c10be621cc2e0c45893a2a8a C:\WINDOWS\System32\mspatcha.dll

MD5: 1eabf5eff35e273054b978c89933b7f5 c:\windows\system32\mstlsapi.dll

MD5: be23777ddacd1f0b936e5ff090e95123 C:\WINDOWS\system32\MSUTB.dll

MD5: d1deba18e905c45d982b13d7d22d7cc6 C:\WINDOWS\system32\msv1_0.dll

MD5: bc3b4ff915515cd02e2a3112ffd29250 C:\WINDOWS\system32\MSVCP60.dll

MD5: 3845ebe57ad6a4efa5e0194285afaef4 C:\WINDOWS\system32\msvcrt.dll

MD5: d0d51648c6c3d5ab8a79dbb0343bb0fd C:\WINDOWS\system32\mswsock.dll

MD5: 099e58ce602254998364c69893322563 C:\WINDOWS\system32\msxml3.dll

MD5: 504daa0ec61d4bd056a6158d915bf8c9 C:\WINDOWS\system32\MTXCLU.DLL

MD5: 84b09f4ab5092f68fd5e4d334d7a0f88 C:\WINDOWS\system32\mui\0804\HHCTRLui.dll

MD5: dcd0799cbe62c252430537fe230b43ac C:\WINDOWS\system32\NCObjAPI.DLL

MD5: 51bf715f50b429e9202ab5c1ad5f7805 C:\WINDOWS\system32\NDdeApi.dll

MD5: dd5c7003b7cd0823423a59a6199c0d5c C:\WINDOWS\System32\ndptsp.tsp

MD5: 8da275ddcb297b00f287432643b1e56c C:\WINDOWS\system32\NETAPI32.dll

MD5: 0cbdab06a0c394604823cb567ee79218 C:\WINDOWS\System32\netcfgx.dll

MD5: c98a4266674bf276d19069a8cc15bd87 C:\WINDOWS\system32\netdde.exe

MD5: 3027a3ece900f832e3795b6b1ef11cef C:\WINDOWS\system32\netlogon.dll

MD5: 64d3d7fc996f063ff39b705dff9077ff c:\windows\system32\netman.dll

MD5: 589cdf7700f426b5699cb14e5769b8b9 C:\WINDOWS\System32\NETRAP.dll

MD5: a051fa53df49078385f6c960b8e81841 c:\windows\system32\netshell.dll

MD5: 599593fb8b8d3e9c0d6f19160f963574 C:\WINDOWS\System32\NETUI0.dll

MD5: 218321698c5886d776e1097accee758e C:\WINDOWS\System32\NETUI1.dll

MD5: 9e762b21dd4d10695799a9a6e9570b79 C:\WINDOWS\system32\ntdll.dll

MD5: 170d27710d3f93337ecf58b62ff7a0f2 C:\WINDOWS\system32\NTDSAPI.dll

MD5: b1669b80362960c18ec832412fd54ea8 C:\WINDOWS\System32\ntlanman.dll

MD5: a03dc8f5b15727d0d3805775e80502c0 C:\WINDOWS\System32\ntlsapi.dll

MD5: f64db910f99e5d92513b5fe3d6eadb49 C:\WINDOWS\System32\NTMARTA.DLL

MD5: adf07c8087d3357efaa66b0e88720fef C:\WINDOWS\system32\ntshrui.dll

MD5: a9148bc6e463266974ca24c802a78089 C:\WINDOWS\system32\nvapi.dll

MD5: 519a35fd7e1bf9a6f5e698c907897c91 C:\WINDOWS\system32\NvCpl.dll

MD5: 3365ce3e4633790c5b4e926d992993f2 C:\WINDOWS\system32\nvshell.dll

MD5: 934833b3cd462a6f8a96f64d024c8b20 C:\WINDOWS\system32\nvsvc32.exe

MD5: a85da2c80644b009d38e0955113fa565 C:\WINDOWS\system32\oakley.DLL

MD5: ca0c761534d2fbe9350cd5ff4d830651 C:\WINDOWS\system32\ODBC32.dll

MD5: 67a07b576cafd115aa05ab3cf3862c6e C:\WINDOWS\system32\odbcbcp.dll

MD5: 6de20fbb7a05711349efa02ba0dd1b14 C:\WINDOWS\system32\odbcint.dll

MD5: f78acf4eb632e1795024fbfc6dbf7eb3 C:\WINDOWS\system32\ole32.dll

MD5: 87073fc631c14d82c0b162118b3923aa C:\WINDOWS\system32\OLEAUT32.dll

MD5: 39697d1b24e572d88170d2215df51db7 C:\WINDOWS\system32\oledlg.dll

MD5: ca0843e2b7398edb73376b715eb86b70 c:\windows\system32\OneX.DLL

MD5: 004cc9e898588545a28818688def2ad7 C:\WINDOWS\system32\pdh.dll

MD5: 824d6f69c8e99dc521cd0e7b890cd631 C:\WINDOWS\system32\perfdisk.dll

MD5: 596e4f8ca611570662c6163c5c5555f4 C:\WINDOWS\system32\perfos.dll

MD5: 2f9fef409241ff92ddd7dc4b9d1fd546 C:\WINDOWS\system32\pngfilt.dll

MD5: 46b536fc727208f37f0e3fcd2e27183a c:\windows\system32\POWRPROF.dll

MD5: 6f34f3a3dd6a63ce57332195e4cdf0df C:\WINDOWS\system32\PROFMAP.dll

MD5: 94458ed8ac8347cd8fdbfe71b9a5dfcd C:\WINDOWS\system32\PSAPI.DLL

MD5: ffb6f0206f2c6bd1f8411ac55e7a4c77 C:\WINDOWS\system32\psbase.dll

MD5: f77b3bff0d1431a7ce6dce49cb7642f8 C:\WINDOWS\system32\pstorsvc.dll

MD5: ca624a432dfafd9d2765e56d4dc686c7 C:\WINDOWS\System32\qagentrt.dll

MD5: 77136d334eebb32f38fddd74e6d20380 c:\windows\system32\qmgr.dll

MD5: a89f959d7351fe16e20e34293083c8b1 C:\WINDOWS\system32\qmgrprxy.dll

MD5: aaad2f92a65482de50c4b72d1c20859d c:\windows\system32\QUtil.dll

MD5: 8d946a9a858266c20cd9d5ab0f931520 C:\WINDOWS\system32\rasadhlp.dll

MD5: d3d0076c6e5004134302342d7cb8b50b C:\WINDOWS\system32\RASAPI32.DLL

MD5: 38fdabad6c1ca2d5fa3442f0f6237a5e C:\WINDOWS\System32\rasauto.dll

MD5: a622041372ea5dc2c03d1e18d6f540a1 C:\WINDOWS\System32\raschap.dll

MD5: 62093dc79c9014d22002e153392b4b67 C:\WINDOWS\System32\RASDLG.dll

MD5: 335b705a8054c395ac6f176857fdc4b3 C:\WINDOWS\system32\rasman.dll

MD5: fef357207fb03c32af6ae18d01441478 C:\WINDOWS\System32\rasmans.dll

MD5: 2a5a0583af2ce4844582ad0a3e9c8a94 C:\WINDOWS\System32\rasppp.dll

MD5: 2b64cc3509ebc11ab48452de70173f70 C:\WINDOWS\System32\RASQEC.DLL

MD5: 2d78320dfa5125d99f997fcddb4de116 C:\WINDOWS\System32\rastapi.dll

MD5: 55f0db319a37f8306aa2be54d6d21a45 C:\WINDOWS\System32\rastls.dll

MD5: b438452af5286e808d8723e338137e27 C:\WINDOWS\system32\rdpwsx.dll

MD5: 52b1b6210291bbb3a164ffcc96adb5cf C:\WINDOWS\system32\REGAPI.dll

MD5: 347cf4f119823d39f4652d7b9b929559 C:\WINDOWS\system32\regsvc.dll

MD5: c62b084f6f7d2c1fce09cb7fe2a79f48 C:\WINDOWS\System32\RESUTILS.DLL

MD5: 0b0ab724184b74ad1dc6327da8327ef0 C:\WINDOWS\system32\RPCRT4.dll

MD5: b2432c9a8142d504542f7ea87eb75be4 c:\windows\system32\rpcss.dll

MD5: 53a79336f917ca1ff120043dcb74def8 C:\WINDOWS\system32\rsvp.exe

MD5: dad9310a7a55ca064a051331650ed135 C:\WINDOWS\system32\rsvpsp.dll

MD5: 9f184f971bd4a3e4b6517e920949eaff C:\WINDOWS\System32\rtm.dll

MD5: c3a0967d817df5c04a16e2e7e892e934 C:\WINDOWS\system32\rtutils.dll

MD5: 65e1140eace7baf5ab26d3e581b61ad5 C:\WINDOWS\System32\SAMLIB.dll

MD5: efbc88ba5dc1264b0e50fb8e37866c70 C:\WINDOWS\system32\SAMSRV.dll

MD5: e4523f1a50923c745021ab7fe6b4faf4 C:\WINDOWS\System32\SCardSvr.exe

MD5: a1eef4afe28750729b5d085c19f2d5a6 C:\WINDOWS\system32\scecli.dll

MD5: d4af1383c33fb89fc173a7d52d1b19a7 C:\WINDOWS\system32\SCESRV.dll

MD5: b4ac7df99f7d3391cbef6f9266e5c873 C:\WINDOWS\system32\schannel.dll

MD5: f5aa11c7faf36d9db4bdcfd83f3dbdeb c:\windows\system32\schedsvc.dll

MD5: 85b08d62a6dde9c39c1bf5a916ab46af C:\WINDOWS\system32\sclgntfy.dll

MD5: bbcc2167e9f6d0854ef94e06f4c57519 c:\windows\system32\seclogon.dll

MD5: ed8734ce43f5a23d2109d0375a8a48cc C:\WINDOWS\system32\Secur32.dll

MD5: 44b523a2bd388435373276b0aa9eaa87 c:\windows\system32\sens.dll

MD5: e29f7ec80990ca7fcd53287e8fbbe459 C:\WINDOWS\system32\sensapi.dll

MD5: 5edc33c1cfc364bc2e3ea66a75647914 C:\WINDOWS\system32\services.exe

MD5: 69d610f74ac246f138b4f4f33b2cb7e8 C:\WINDOWS\system32\sessmgr.exe

MD5: fe98818405b92bcd125eeaa73c03e6af C:\WINDOWS\system32\SETUPAPI.DLL

MD5: fe4945a769f7f9e6ac2e066afb7f820d C:\WINDOWS\system32\sfc.dll

MD5: fc6478857aac39435e63ed9be2bfe8ab C:\WINDOWS\system32\sfc_os.dll

MD5: 6e1d31cb7c9441f7a0e2ebbe3e7e7d7e C:\WINDOWS\system32\shdoclc.dll

MD5: 29e35c5da59a8b8145c64de768722319 C:\WINDOWS\system32\SHDOCVW.dll

MD5: cc401fa41e6a16e139526270810ab392 C:\WINDOWS\system32\SHELL32.dll

MD5: fcbe2a86640c4bd1f93ff015ffb80cd4 c:\windows\system32\SHFOLDER.dll

MD5: f91ddc04d1b21908caf378313ada1944 C:\WINDOWS\System32\ShimEng.dll

MD5: c3a8d3a3f594d1d6da2017e996b7766f C:\WINDOWS\system32\SHLWAPI.dll

MD5: 5daa2d4ebd23f1458bdcf1804ac99c5a C:\WINDOWS\system32\SHSVCS.dll

MD5: 4a1bbcfd7733132afdd9704062ea550d C:\WINDOWS\system32\smlogsvc.exe

MD5: 6129c73d0a6402008f7695ddc7b683e2 C:\WINDOWS\system32\smss.exe

MD5: fec3ace4d5e9b8b13c401941ee50f476 C:\WINDOWS\System32\spool\PRTPROCS\W32X86\CNMPD83.DLL

MD5: c9347e7aa13cdff240911aacb904c98a C:\WINDOWS\system32\SPOOLSS.DLL

MD5: 6475496dea6eae2046e15cf422c205fa C:\WINDOWS\system32\spoolsv.exe

MD5: f90582ac2b3433776b37d811d2d3baf6 c:\windows\system32\srsvc.dll

MD5: d62596b55a2b7e4df4fb4e396c7f8d96 c:\windows\system32\srvsvc.dll

MD5: b768d6bbee2fd9b8590ada102897fb3e C:\WINDOWS\system32\SSDPAPI.dll

MD5: c4f05393cd7c1fb5b4a095cf9585483e c:\windows\system32\ssdpsrv.dll

MD5: 7ad575e1c90b75114ea891a51a2457fb C:\WINDOWS\system32\sti.dll

MD5: 453b554fc3830752eddddc473a1ea5a4 C:\WINDOWS\system32\stobject.dll

MD5: 20804a1c4979d2ef157564d7fd26dae9 C:\WINDOWS\System32\strmfilt.dll

MD5: e31fb4f13f5949b868c117714bb44375 C:\WINDOWS\system32\svchost.exe

MD5: f7f720e2285b61ead1268efc6e62a3b9 C:\WINDOWS\system32\SXS.DLL

MD5: a1c52eb02259c0f3f2eac6fea99c6b1d C:\WINDOWS\system32\syncui.dll

MD5: edad60106cd82ede0e894bd19821d057 C:\WINDOWS\system32\t2embed.dll

MD5: 4c7fd6b19056bf5ed4613bc46c7712b6 C:\WINDOWS\system32\TAPI32.dll

MD5: cb0b9e8766ffc557c0349e598312fdd4 c:\windows\system32\tapisrv.dll

MD5: a3f574d30c1a9cb6c14936b55fb1cedb C:\WINDOWS\system32\tcpmon.dll

MD5: 5313f3226526210ec9f9379591c0a63f c:\windows\system32\termsrv.dll

MD5: 329fe82e19db9844f43f05d043163f8a C:\WINDOWS\system32\themeui.dll

MD5: b643cb97aebacda0fee05fb83aa9cbb0 C:\WINDOWS\system32\tlntsvr.exe

MD5: fafad8f8dc9658a14d0e56c1a2bb40ad c:\windows\system32\trkwks.dll

MD5: 4199749a1d4dcadd71fb9707a0b6f1d3 C:\WINDOWS\system32\umpnpmgr.dll

MD5: 2e014430992a429968cec5ef501f76ca C:\WINDOWS\System32\unimdm.tsp

MD5: 13d55f365dfb585ad3c6f66369abb2cc C:\WINDOWS\System32\uniplat.dll

MD5: 9897b45c6b200cc28bb8f0d76fc7682d C:\WINDOWS\system32\upnp.dll

MD5: 604830407848314cad8a7ae05d1a729c C:\WINDOWS\System32\upnphost.dll

MD5: 67e7fb0b193ca7a2f08079a0eae8ea3c C:\WINDOWS\system32\urlmon.dll

MD5: 4d650a43ac674b3703f18ace33042b70 C:\WINDOWS\system32\usbmon.dll

MD5: f697644d5f59050fbe6af896c19cca93 C:\WINDOWS\system32\USER32.dll

MD5: 49e890294c29a113e47e4935429bf781 C:\WINDOWS\system32\USERENV.dll

MD5: 431fed77e71b1831cd485890159d467c c:\windows\system32\userinit.exe

MD5: afed3a9b8b2560728773c09e83ed3f4f C:\WINDOWS\System32\USP10.dll

MD5: b073857ddec507668cb1fe658c7b21a5 C:\WINDOWS\System32\UxTheme.dll

MD5: bb4838e85b3daed20a30d6a7cd652aab C:\WINDOWS\System32\VBAJET32.DLL

MD5: 2c5fbee16e1c05f8ff604b158437abd2 C:\WINDOWS\system32\VERSION.dll

MD5: f9699894083fd432b575874ac2841e99 C:\WINDOWS\system32\VSSAPI.DLL

MD5: cb53a6d464008b7541b1c23224958ee1 C:\WINDOWS\System32\vssvc.exe

MD5: 690d414750d1263ffde203e2ce166b5c C:\WINDOWS\system32\w32time.dll

MD5: f73a83fea9ea0ea702f6b36203c8fa9f c:\windows\system32\w3ssl.dll

MD5: 91d5de5828c0357b8b1b467c3786a95c C:\WINDOWS\system32\wbem\esscli.dll

MD5: 79e4e18e5850820d974c420b54fe6be5 C:\WINDOWS\system32\wbem\fastprox.dll

MD5: 89f6327ae3853d0496dc2674a8878d07 C:\WINDOWS\system32\wbem\ncprov.dll

MD5: 0043cbcf44106b3c7c9674615e9fa0bf C:\WINDOWS\system32\wbem\repdrvfs.dll

MD5: a8d4743cb59a1868ca299bc2002fda44 C:\WINDOWS\system32\wbem\wbemcomn.dll

MD5: 3db3aaabb57d19e3f35b228a53eb8087 C:\WINDOWS\system32\wbem\wbemcore.dll

MD5: 902f536e7d1fa0864f5217d069008ca7 C:\WINDOWS\system32\wbem\wbemess.dll

MD5: 0020553f141db5144a8a66081d1e66cf C:\WINDOWS\system32\wbem\wbemprox.dll

MD5: d839d19de964bbc977c8d6d35c8c0dac C:\WINDOWS\system32\wbem\wbemsvc.dll

MD5: 4dd0ffb1823f007e601b21fafd4f20dc C:\WINDOWS\system32\wbem\wmiapsrv.exe

MD5: 62000b664c1c7b05f8e6372676bdfa04 C:\WINDOWS\system32\wbem\wmiprvsd.dll

MD5: 0e83443a90dc888f40a25fee74bf877f c:\windows\system32\wbem\wmisvc.dll

MD5: 4ca3a89ac07a074bac555ccdce6fd3db C:\WINDOWS\system32\wbem\wmiutils.dll

MD5: 93ca49c5a89a5396f36b7081c2fb1557 C:\WINDOWS\system32\wdigest.dll

MD5: 2ac26a09d9b544d63b594b50aad96812 C:\WINDOWS\system32\wdmaud.drv

MD5: 8ef94370fa71c84bdb7bd17831bbe255 C:\WINDOWS\system32\webcheck.dll

MD5: a0e8e25401b2574c972a25e9d550f26c c:\windows\system32\webclnt.dll

MD5: 48941d45708f76e920ef834b1b6f8437 C:\WINDOWS\system32\WgaLogon.dll

MD5: e7906e5b988835f0d5c592e84a76a1bd c:\windows\system32\wiaservc.dll

MD5: 29f0a18d628ff39cc76440f66f043aca C:\WINDOWS\system32\win32spl.dll

MD5: cbcdb2a7dbc718acb464d8f94437eb9f C:\WINDOWS\system32\WINHTTP.dll

MD5: 4873c9a751530b2b7a62f7451572a81f C:\WINDOWS\system32\WININET.dll

MD5: e96083156c8d335549b0ae82f9fd59a5 C:\WINDOWS\system32\WINIPSEC.DLL

MD5: 440eda2420cfa1b3b2ab4725fc33825d C:\WINDOWS\system32\winlogon.exe

MD5: 27ba70e95f2f16dd59fe2ef36b56f939 C:\WINDOWS\System32\WINMM.dll

MD5: 45c8049cd8af11a402adee966fb4acfa C:\WINDOWS\System32\winrnr.dll

MD5: 154a4cdac2b37140fde067715d72b143 C:\WINDOWS\system32\WINSCARD.DLL

MD5: 695762bfab5dbaa38fbb74ae94349901 C:\WINDOWS\system32\WINSPOOL.DRV

MD5: 0afe73a430c9c7b17a1ead07272de19e C:\WINDOWS\system32\winsrv.dll

MD5: 67ea5179e3899ccf0450239dcce3ab15 C:\WINDOWS\system32\WINSTA.dll

MD5: 9084481fe35502eccd9c0491f0b266d8 C:\WINDOWS\system32\WINTRUST.dll

MD5: 0c9e62b7ee6b289ca135b05418d55b74 c:\windows\system32\wkssvc.dll

MD5: 9e5a35de16f9499e6323e94526f6c041 C:\WINDOWS\system32\WLDAP32.dll

MD5: 1761a1916119b4e34be1521a9e6876a5 C:\WINDOWS\system32\WlNotify.dll

MD5: eb2d4af435afa06f39d69e1e432a1a1b c:\windows\system32\WMI.dll

MD5: 1fae38adcbec656db1f26156720fac89 C:\WINDOWS\System32\WS2_32.dll

MD5: 662ced2dded6fa6416722f310b9bd4c2 C:\WINDOWS\System32\WS2HELP.dll

MD5: 0d722efc74b6108c3ec5bb57a33a1cea c:\windows\system32\wscsvc.dll

MD5: c518d746bc7fcc081ce242f9f7df01fd C:\WINDOWS\System32\wship6.dll

MD5: 13fbece0b685574ac2b37be2527c020d C:\WINDOWS\System32\wshtcpip.dll

MD5: 498594edcf7f7fdb49fb47b4c3168885 C:\WINDOWS\system32\wsock32.dll

MD5: 2dcb431c38dca5575e1483ca082c2bbe C:\WINDOWS\system32\WTSAPI32.dll

MD5: 02496b57ed09a83ce915b2ec1848021f c:\windows\system32\wuauserv.dll

MD5: ecb8b16a8dd75445030b9b9918e34429 c:\windows\system32\WZCSAPI.DLL

MD5: 7f55b7e5acab04944a01db5edfcb70d7 c:\windows\system32\wzcsvc.dll

MD5: f5be5b78268a2df316a8e2e4aba75780 C:\WINDOWS\System32\xactsrv.dll

MD5: 9cea8d414ab50632562a4cace60a5e49 C:\WINDOWS\System32\xmlprov.dll

MD5: 125f6ac3b40cf2d9bc3974173ce74956 C:\WINDOWS\System32\xpsp2res.dll

MD5: 1b7524806d0270b81360c63a2fa047cb C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\MFC80.DLL

MD5: ccc2e312486ae6b80970211da472268b C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\MFC80U.DLL

MD5: afa7e91c8c9566e03fb1620f95230b93 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\MFC80CHS.DLL

MD5: 2e641e9df345d202726eb2daf9d3f453 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll

MD5: 5f85fc94ea2da4e862b1e8efdc588291 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6001.22319_x-ww_f0b4c2df\gdiplus.dll

No file uploaded.

Scan finished - communication took 4 sec

Total traffic - 0.01 MB sent, 1.65 KB recvd

Scanned 531 files and modules - 17 seconds

==============================================================================
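The listing above is a hash inventory: one line per loaded file, each with its MD5 and full path. What a responder actually does with such a listing is compare it against known-good hashes for the same Windows build and flag anything that differs or is unexpected. The following is an added example written for this page, not the helper's instructions and not output of the scanning tool; it parses lines in the "MD5: <hash> <path>" shape shown above (a few lines from the listing are reused as sample input), normalizes paths case-insensitively since NTFS and the log itself mix "System32" and "system32", and compares them against a baseline. The BASELINE dictionary is constructed for illustration only: its svchost.exe hash is deliberately wrong so there is a mismatch to report, and it is not a real known-good table for any Windows release.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One log line: "MD5: <32 hex chars> <path>". Other lines (headers, blanks,
# the "Scanned N files" summary) do not match and are skipped.
LINE_RE = re.compile(r"^MD5:\s+([0-9a-fA-F]{32})\s+(\S.*?)\s*$")

# Sample input: four lines copied from the listing above plus one junk line,
# to show that non-matching lines are ignored rather than crashing the parser.
SAMPLE_LOG = r"""
MD5: 83ba7e22bf529858a345f483d7e94c16 C:\WINDOWS\system32\cmd.exe
MD5: 9e762b21dd4d10695799a9a6e9570b79 C:\WINDOWS\system32\ntdll.dll
MD5: 71e276f6d189413266ea22171806597b C:\WINDOWS\System32\Drivers\sptd.sys
MD5: e31fb4f13f5949b868c117714bb44375 C:\WINDOWS\system32\svchost.exe
Scanned 531 files and modules - 17 seconds
"""

# CONSTRUCTED baseline (hypothetical, not real known-good values). Keys are
# normalized paths; the svchost.exe entry is intentionally wrong so the
# comparison below produces a mismatch.
BASELINE: Dict[str, str] = {
    r"c:\windows\system32\cmd.exe": "83ba7e22bf529858a345f483d7e94c16",
    r"c:\windows\system32\ntdll.dll": "9e762b21dd4d10695799a9a6e9570b79",
    r"c:\windows\system32\svchost.exe": "00000000000000000000000000000000",
}


def normalize_path(path: str) -> str:
    """Lower-case the path: NTFS is case-insensitive and the log mixes case."""
    return path.strip().lower()


def parse_md5_log(text: str) -> Dict[str, str]:
    """Return {normalized_path: md5_hex} for every well-formed MD5 line.

    If a path appears twice the later line wins; a real triage script would
    want to report that, since two hashes for one path is itself suspicious.
    """
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        digest, path = m.group(1).lower(), normalize_path(m.group(2))
        entries[path] = digest
    return entries


@dataclass
class Finding:
    path: str
    status: str            # "match", "mismatch" or "not_in_baseline"
    observed: str
    expected: Optional[str]


def compare_to_baseline(observed: Dict[str, str],
                        baseline: Dict[str, str]) -> List[Finding]:
    """Classify each observed file against the baseline, sorted by path."""
    findings: List[Finding] = []
    for path, digest in sorted(observed.items()):
        expected = baseline.get(path)
        if expected is None:
            status = "not_in_baseline"
        elif expected == digest:
            status = "match"
        else:
            status = "mismatch"
        findings.append(Finding(path, status, digest, expected))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group paths by status so mismatches can be pulled out in one lookup."""
    summary: Dict[str, List[str]] = {
        "match": [], "mismatch": [], "not_in_baseline": []}
    for f in findings:
        summary[f.status].append(f.path)
    return summary


if __name__ == "__main__":
    results = compare_to_baseline(parse_md5_log(SAMPLE_LOG), BASELINE)
    for f in results:
        print(f"{f.status:16} {f.path}  observed={f.observed} expected={f.expected}")
```

Two caveats a practitioner would keep in mind. A "mismatch" only means the file differs from the baseline you chose; Windows XP system files legitimately vary by service pack and hotfix level, so the baseline has to come from the same build (for example a clean install at the same patch level, or a file-hash reference set), not from a different machine. And a clean hash listing is not proof of a clean system: a kernel-mode rootkit that hides or filters file reads can present the original bytes to the scanner, which is exactly why the helper in this thread started with a rootkit scanner rather than a hash comparison.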

This topic is now closed to further replies.