
windows xp infected with "windows repair"



I tried to scan it again, and the log is the same.

Thanks a lot,

Y

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.

File name: winlogon.exe

Submission date: 2011-07-24 00:13:50 (UTC)

Current status: finished

Result: 0/43 (0.0%)


No worries :). Let's do some more cleanup:

Please do the following:

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KILLALL::

Regnull::

[HKEY_USERS\.Default\AppEvents\Schemes\Apps\Conf\ g篘*慂Q\.Current]

[HKEY_USERS\LocalService\AppEvents\Schemes\Apps\Conf\ g篘*慂Q\.Current]

[HKEY_USERS\S-1-5-20\AppEvents\Schemes\Apps\Conf\ g篘*慂Q\.Current]

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\AppEvents\Schemes\Apps\Conf\ g篘*慂Q\.Current]

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software \Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\Capture]

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software \Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\FileFormats]

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software \Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\Internal Filters]

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software \Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\Settings]

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software \Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\Settings\PnSPresets]

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software \Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\Shaders]

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software \Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\ToolBars\Capture Settings]

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software \Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\ToolBars\Capture Settings\State-SCBar-0]

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software \Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\ToolBars\Playlist]

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software \Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\ToolBars\Playlist\State-SCBar-0]

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software \Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\ToolBars\Shader Editor]

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software \Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\ToolBars\Shader Editor\State-SCBar-0]

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software \Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\ToolBars\Subresync]

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software \Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\ToolBars\Subresync\State-SCBar-0]

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Microsoft\Internet Explorer\User Preferences]

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office PowerPoint\Settings\Sb*_]

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office PowerPoint\Settings\Sb*_\File Name MRU]

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office PowerPoint\Settings\Sb*_\View]

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office Word\Settings\Sb*_]

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office Word\Settings\Sb*_\File Name MRU]

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office Word\Settings\Sb*_\View]

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\I*E*4O]

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500_Classes\Applications \q_髼螛磃.*l*n*k*\shell\open\command]

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*膥鯪\CLSID]

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*膥鯪\CurVer]

[HKEY_LOCAL_MACHINE\software\Classes\7u¬u臺麐.*M*y*N*S*H*a*n*d*l*e*r* \Clsid]

[HKEY_LOCAL_MACHINE\software\Classes\zzKNh忶廠*C*+R?.*M*y*N*S*H*a*n*d*l*e*r*\Clsid]

[HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\G*o*o*g*l*e* *C*h*r*o*m*e* *Om葔hV\Capabilities]

[HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\G*o*o*g*l*e* *C*h*r*o*m*e* *Om葔hV\Capabilities\FileAssociations]

[HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\G*o*o*g*l*e* *C*h*r*o*m*e* *Om葔hV\Capabilities\StartMenu]

[HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\G*o*o*g*l*e* *C*h*r*o*m*e* *Om葔hV\Capabilities\URLAssociations]

[HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\G*o*o*g*l*e* *C*h*r*o*m*e* *Om葔hV\DefaultIcon]

[HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\G*o*o*g*l*e* *C*h*r*o*m*e* *Om葔hV\InstallInfo]

[HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\G*o*o*g*l*e* *C*h*r*o*m*e* *Om葔hV\shell\open\command]

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I shall require in your next reply.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Please include the newly-created C:\ComboFix.txt in your next reply, and let me know how things are running now ;)


This is the log for combofix.

Thanks a lot,

Y

ComboFix 11-07-23.04 - Administrator -07-23 星期六 22:28:12.4.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.936.86.2052.18.958.609 [GMT -4:00]

执行位置: c:\documents and settings\Administrator\桌面\ComboFix.exe

Command switches used :: c:\documents and settings\Administrator\桌面\CFScript.txt

.

.

((((((((((((((((((((((((( 2011-06-24 至 2011-07-24 的新的档案 )))))))))))))))))))))))))))))))

.

.

2011-07-23 05:15 . 2011-07-23 05:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\f-secure

2011-07-23 05:15 . 2011-07-23 05:15 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure

2011-07-22 17:03 . 2011-07-22 17:03 -------- d--h--w- c:\windows\PIF

2011-07-21 18:37 . 2011-07-21 18:37 -------- d-----w- c:\program files\VS Revo Group

2011-07-21 16:56 . 2011-07-21 16:56 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2011-07-18 17:24 . 2011-07-18 17:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\QuickScan

2011-07-17 18:23 . 2011-07-17 18:23 -------- d-----w- c:\windows\system32\wbem\snmp

2011-07-17 18:23 . 2011-07-17 18:23 -------- d-----w- c:\windows\system32\xircom

2011-07-17 18:23 . 2011-07-17 18:23 -------- d-----w- c:\windows\system32\oobe

2011-07-17 18:23 . 2011-07-17 18:23 -------- d-----w- c:\program files\microsoft frontpage

2011-06-26 04:38 . 2011-06-26 06:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\SPlayer

2011-06-24 14:03 . 2011-06-24 14:03 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll

2011-06-24 14:03 . 2011-06-24 14:03 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-07-17 23:43 . 2010-11-01 02:58 1430 ----a-w- c:\windows\system32\PerfStringBackup.TMP

2011-07-10 13:47 . 2011-06-13 02:14 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-06-24 14:03 . 2011-05-13 22:04 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2009-11-24 16:08 . 2009-02-21 01:25 253952 ----a-w- c:\program files\mozilla firefox\components\CheckTudouVa.dll

2008-09-23 09:39 . 2008-11-11 09:54 36864 ----a-w- c:\program files\mozilla firefox\components\NsThunderLoader.dll

2010-09-15 15:04 . 2008-11-11 09:54 79664 ----a-w- c:\program files\mozilla firefox\components\ThunderComponent.dll

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[-] 2008-06-11 . 030DC4D48CC2B894FEE2F390D8E66AD5 . 361344 . . [5.1.2600.5512] . . c:\windows\system32\drivers\tcpip.sys

.

[-] 2008-05-09 . 440EDA2420CFA1B3B2AB4725FC33825D . 493056 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

.

((((((((((((((((((((((((((((( SnapShot@2011-07-17_18.24.46 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-07-24 02:35 . 2011-07-24 02:35 16384 c:\windows\temp\Perflib_Perfdata_688.dat

+ 2008-04-14 12:00 . 2011-07-17 23:43 58642 c:\windows\system32\prfc0804.dat

+ 2008-04-14 12:00 . 2011-07-17 23:43 49990 c:\windows\system32\perfc009.dat

- 2008-04-14 12:00 . 2011-03-16 04:50 49990 c:\windows\system32\perfc009.dat

+ 2010-09-23 08:47 . 2010-09-23 08:47 35760 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\reader_sl.exe

+ 2010-09-23 07:03 . 2010-09-23 07:03 99776 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\eula.exe

+ 2010-09-21 03:07 . 2010-09-21 03:07 70584 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\adobeextractfiles.dll

+ 2010-09-23 06:52 . 2010-09-23 06:52 27048 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\acrotextextractor.exe

+ 2010-09-22 22:12 . 2010-09-22 22:12 15800 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\AcroRd32Info.exe

+ 2008-04-14 12:00 . 2011-07-17 23:43 198948 c:\windows\system32\prfh0804.dat

+ 2008-04-14 12:00 . 2011-07-17 23:43 334406 c:\windows\system32\perfh009.dat

- 2008-04-14 12:00 . 2011-03-16 04:50 334406 c:\windows\system32\perfh009.dat

+ 2010-09-21 03:07 . 2010-09-21 03:07 338856 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\readerupdater.exe

+ 2010-09-22 22:10 . 2010-09-22 22:10 103864 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\nppdf32.dll

+ 2010-09-10 22:17 . 2010-09-10 22:17 684032 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\JP2KLib.dll

+ 2010-09-23 00:41 . 2010-09-23 00:41 542168 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\AdobeCollabSync.exe

+ 2010-09-21 03:07 . 2010-09-21 03:07 932288 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\adobearm.exe

+ 2010-09-23 08:47 . 2010-09-23 08:47 349616 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\AcroRd32.exe

+ 2010-09-22 22:04 . 2010-09-22 22:04 660912 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\AcroPDF.dll

+ 2010-09-22 23:39 . 2010-09-22 23:39 280024 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\acrobroker.exe

+ 2010-09-21 03:07 . 2010-09-21 03:07 338856 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\acrobatupdater.exe

+ 2010-09-22 22:50 . 2010-09-22 22:50 251296 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\a3dutility.exe

+ 2011-07-23 16:03 . 2011-07-23 16:03 3940864 c:\windows\Installer\4b0d5c.msi

+ 2010-09-22 22:05 . 2010-09-22 22:05 2405784 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\rt3d.dll

+ 2010-09-16 07:08 . 2010-09-16 07:08 6210560 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\authplay.dll

+ 2010-06-19 21:51 . 2010-06-19 21:51 5713920 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\AGM.dll

+ 2011-05-27 20:22 . 2011-05-27 20:22 1220672 c:\windows\Downloaded Program Files\qsax.dll

+ 2011-01-31 10:45 . 2011-01-31 10:45 11135488 c:\windows\Installer\4b0e08.msp

+ 2011-06-08 04:39 . 2011-06-08 04:39 19798016 c:\windows\Installer\4b0e07.msp

+ 2010-09-23 07:03 . 2010-09-23 07:03 20460984 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\AcroRd32.dll

.

((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*注意* 空白与合法缺省登录将不会被显示

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-02 13529088]

"RTHDCPL"="RTHDCPL.EXE" [2010-09-03 19573352]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\AcrobatReader\Reader\Reader_sl.exe" [2011-06-08 37296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nltide_3"="advpack.dll" [2008-04-14 96256]

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMConfigurePrograms"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

.

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0210804]

Ime File REG_SZ GOOGLEPINYIN2.IME

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0040804]

IME File REG_SZ winabc.ime

.

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^「开始」菜单^程序^启动^启动飞速土豆.lnk]

path=c:\documents and settings\Administrator\「开始」菜单\程序\启动\启动飞速土豆.lnk

backup=c:\windows\pss\启动飞速土豆.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]

2008-06-11 14:43 640376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]

2008-06-11 18:25 37232 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2011-03-30 04:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2011-06-08 04:02 37296 ----a-w- c:\program files\Adobe\Acrobat 9.0\AcrobatReader\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]

2008-08-08 12:11 490952 ----a-w- c:\program files\DAEMON_Tools_Lite\daemon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Pinyin 2 Autoupdater]

2010-03-07 00:50 1193456 ----a-w- c:\program files\Google\Google Pinyin 2\GooglePinyinDaemon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2010-04-26 22:37 136176 ----atw- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

2011-06-15 19:02 15141768 ----a-r- c:\program files\Skype\Phone\Skype.exe

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\FlashGetBHO\\FlvDetector.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\FlashGetBHO\\LiveSupport.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\FlashGetBHO\\LiveQuery.exe"=

"c:\\Program Files\\Kingsoft\\Powerword 2007\\xdict.exe"=

"c:\\Program Files\\Kingsoft\\Powerword 2007\\update.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"7554:TCP"= 7554:TCP:BitComet 7554 TCP

"7554:UDP"= 7554:UDP:BitComet 7554 UDP

.

R0 iaStor7;Intel AHCI Controller;c:\windows\system32\drivers\iastor7.sys [2008-1-23 5:20 308248]

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2008-11-11 5:16 717296]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-10-2 0:42 1691480]

.

‘计划任务’ 文件夹 里的内容

.

2011-07-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-1935655697-1417001333-500Core.job

- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-26 22:37]

.

2011-07-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-1935655697-1417001333-500UA.job

- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-26 22:37]

.

.

------- 而外的扫描 -------

.

uStart Page = hxxp://www.google.com/webhp?hl=gn

uInternet Settings,ProxyOverride = <local>

IE: 使用迅雷查看图片 - c:\program files\Thunder Network\Thunder\Program\repairimage.htm

IE: 导出到 Microsoft Excel(&X) - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000

IE: 将链接目标转换为 Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: 将链接目标追加到现有的 PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: 转换为 Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: 追加到现有的 PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: {{548BF84E-9665-47f9-B635-7380F8943E90} - c:\program files\Thunder Network\Thunder\Program\repairimage.htm

Trusted Zone: kuaiche.com\software

TCP: DhcpNameServer = 192.168.1.1

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8lmqm6iw.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 50370

FF - prefs.js: network.proxy.type - 4

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-{3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\AskBarDis\bar\bin\askBar.dll

WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - c:\program files\AskBarDis\bar\bin\askBar.dll

AddRemove-Ask Toolbar_is1 - c:\program files\AskBarDis\unins000.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-07-23 22:36

Windows 5.1.2600 Service Pack 3 NTFS

.

扫描被隐藏的进程 。。。

.

扫描被隐藏的启动组 。。。

.

扫描被隐藏的文件 。。。

.

扫描完成

被隐藏的档案: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\AppEvents\Schemes\Apps\Conf\ g篘*慂Q\.Current]

@="c:\\Program Files\\NetMeeting\\Blip.wav"

.

[HKEY_USERS\LocalService\AppEvents\Schemes\Apps\Conf\ g篘*慂Q\.Current]

@="c:\\Program Files\\NetMeeting\\Blip.wav"

.

[HKEY_USERS\S-1-5-20\AppEvents\Schemes\Apps\Conf\ g篘*慂Q\.Current]

@="c:\\Program Files\\NetMeeting\\Blip.wav"

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\AppEvents\Schemes\Apps\Conf\ g篘*慂Q\.Current]

@="c:\\Program Files\\NetMeeting\\Blip.wav"

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\Capture]

"VidOutput"=dword:00000001

"AudOutput"=dword:00000001

"VidPreview"=dword:00000001

"AudPreview"=dword:00000001

"FileFormat"=dword:00000000

"FileName"=".avi"

"SepAudio"=dword:00000001

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\FileFormats]

"RtspHandler"=dword:00000001

"RtspFileExtFirst"=dword:00000001

"Windows Media file"="wmv wmp wm asf \\0"

"Windows Media Audio file"="wma \\0"

"Video file"="avi \\0"

"Audio file"="wav \\0"

"MPEG Media file"="mpg mpeg mpe m1v m2v mpv2 mp2v dat ts tp tpr pva pss \\0"

"MPEG Audio file"="mpa mp2 m1a m2a \\0"

"DVD file"="vob ifo \\0"

"DVD Audio file"="ac3 dts \\0"

"MP3 Format Sound"="mp3 \\0"

"MIDI file"="mid midi rmi \\0"

"Indeo Video file"="ivf \\0"

"AIFF Format Sound"="aif aifc aiff \\0"

"AU Format Sound"="au snd \\0"

"Ogg Media file"="ogm \\0"

"Ogg Vorbis Audio file"="ogg \\0"

"CD Audio Track"="cda \\0"

"FLIC file"="fli flc flic \\0"

"DVD2AVI Project file"="d2v \\0"

"MPEG4 file"="mp4 m4v m4b hdmov 3gp 3gpp \\0"

"MPEG4 Audio file"="m4a aac \\0"

"Matroska Media file"="mkv \\0"

"Matroska Audio file"="mka \\0"

"Smacker/Bink Media file"="smk bik \\0"

"ratdvd file"="ratdvd \\0"

"RoQ Media file"="roq \\0"

"Real Media file"="rm ram rpm rmm rnx \\1"

"Real Audio file"="ra \\1"

"Real Script file"="rt rp smi smil \\1"

"Dirac Video file"="drc \\0"

"DirectShow Media file"="dsm dsv dsa dss \\0"

"Musepack file"="mpc \\0"

"Flash Video file"="flv \\0"

"Shockwave Flash file"="swf \\3"

"Quicktime file"="mov qt amr 3g2 3gp2 \\2"

"Image file"="jpeg jpg bmp gif pic png dib tiff tif \\0"

"Playlist file"="asx m3u pls wvx wax wmx mpcpl \\0"

"Other"="divx vp6 rmvb amv \\0"

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\Internal Filters]

"SrcFilters"=dword:fff30bbf

"TraFilters"=dword:fffff21c

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\Settings]

"LastUsedPage"=dword:00000000

"HideCaptionMenu"=dword:00000000

"ControlState"=dword:00000013

"DefaultVideoFrame"=dword:00000004

"KeepAspectRatio"=dword:00000001

"CompMonDeskARDiff"=dword:00000000

"Volume"=dword:0000001f

"Balance"=dword:00000000

"Mute"=dword:00000000

"LoopNum"=dword:00000001

"Loop"=dword:00000000

"Rewind"=dword:00000000

"Zoom"=dword:00000001

"AllowMultipleInstances"=dword:00000000

"TitleBarTextStyle"=dword:00000001

"TitleBarTextTitle"=dword:00000000

"OnTop"=dword:00000000

"TrayIcon"=dword:00000000

"AutoZoom"=dword:00000001

"FullScreenCtrls"=dword:00000001

"FullScreenCtrlsTimeOut"=dword:00000000

"FullscreenRes"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

"ExitFullscreenAtTheEnd"=dword:00000001

"RememberWindowPos"=dword:00000000

"RememberWindowSize"=dword:00000000

"SnapToDesktopEdges"=dword:00000000

"LastWindowRect"=hex:35,02,00,00,10,01,00,00,8b,03,00,00,55,02,00,00

"LastWindowType"=dword:00000000

"AspectRatioX"=dword:00000000

"AspectRatioY"=dword:00000000

"KeepHistory"=dword:00000000

"DSVidRen"=dword:00000006

"RMVidRen"=dword:00000000

"QTVidRen"=dword:00000000

"APSurfaceUsage"=dword:00000001

"VMRSyncFix"=dword:00000000

"DX9Resizer"=dword:00000001

"VMR9MixerMode"=dword:00000001

"VMRMixerYUV"=dword:00000000

"AudioRendererType"=""

"AutoloadAudio"=dword:00000001

"AutoloadSubtitles"=dword:00000000

"EnableWorkerThreadForOpening"=dword:00000001

"ReportFailedPins"=dword:00000001

"DVDPath"=""

"UseDVDPath"=dword:00000000

"MenuLang"=dword:00000804

"AudioLang"=dword:00000804

"SubtitlesLang"=dword:00000804

"AutoSpeakerConf"=dword:00000001

"SPDefaultStyle"="20,20,20,20,2,0,2.000000,3.000000,0xffffff,0x00ffff,0x000000,0x000000,0x00,0x00,0x00,0x80,1,Arial,18.000000,100.000000,100.000000,0.000000,700,0,0,0,0,0.000000,0.000000,0.000000,2"

"SPOverridePlacement"=dword:00000000

"SPHorPos"=dword:00000032

"SPVerPos"=dword:0000005a

"SPCSize"=dword:00000003

"SPCMaxRes"=dword:00000002

"SPCPow2Tex"=dword:00000001

"EnableSubtitles"=dword:00000001

"EnableAudioSwitcher"=dword:00000001

"EnableAudioTimeShift"=dword:00000000

"AudioTimeShift"=dword:00000000

"DownSampleTo441"=dword:00000000

"CustomChannelMapping"=dword:00000000

"SpeakerToChannelMapping"=hex:01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,

00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

"AudioNormalize"=dword:00000000

"AudioNormalizeRecover"=dword:00000001

"AudioBoost"=dword:00000001

"Shaders List"=""

"IntRealMedia"=dword:00000000

"RealMediaFPS"=dword:41c80000

"UseWinLirc"=dword:00000000

"WinLircAddr"="127.0.0.1:8765"

"UseUICE"=dword:00000000

"UICEAddr"="127.0.0.1:1234"

"DisableXPToolbars"=dword:00000000

"UseWMASFReader"=dword:00000000

"JumpDistS"=dword:000003e8

"JumpDistM"=dword:00001388

"JumpDistL"=dword:00004e20

"FreeWindowResizing"=dword:00000001

"NotifyMSN2"=dword:00000000

"NotifyGTSdll"=dword:00000000

"LogoFile"=""

"LogoID2"=dword:000000d5

"LogoExt"=dword:00000000

"HideCDROMsSubMenu"=dword:00000000

"Priority"=dword:00000020

"LaunchFullScreen"=dword:00000000

"EnableWebServer"=dword:00000000

"WebServerPort"=dword:0000350b

"WebServerPrintDebugIfo"=dword:00000000

"WebServerUseCompression"=dword:00000001

"WebServerLocalhostOnly"=dword:00000001

"WebRoot"="*./webroot"

"WebDefIndex"="index.html;index.php"

"WebServerCGI"=""

"SnapShotPath"="c:\\Documents and Settings\\Administrator\\My Documents\\My Pictures"

"SnapShotExt"=".bmp"

"ThumbRows"=dword:00000004

"ThumbCols"=dword:00000004

"ThumbWidth"=dword:00000400

"HideAviSplitterWarning"=dword:00000001

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\Settings\PnSPresets]

"Preset0"="Scale to 16:9 TV,0.500,0.500,1.000,1.333"

"Preset1"="Zoom To Widescreen,0.500,0.500,1.333,1.333"

"Preset2"="Zoom To Ultra-Widescreen,0.500,0.500,1.763,1.763"

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\Shaders]

"Initialized"=dword:00000001

"Combine"=""

"0"="sharpen complex|ps_2_0|sampler s0 : register(s0); \\nfloat4 p0 : register(c0); \\nfloat4 p1 : register(c1); \\n\\n#define width (p0[0]) \\n#define height (p0[1]) \\n\\n#define dx (p1[0]) \\n#define dy (p1[1]) \\n\\nfloat4 main( float2 tex : TEXCOORD0 ) : COLOR \\n{ \\n float4 ori; \\n float4 flou; \\n float4 cori; \\n float4 final; \\n\\n ori = tex2D(s0, tex); \\n float4 c1 = tex2D(s0, tex + float2(-dx,-dy)); \\n float4 c2 = tex2D(s0, tex + float2(0,-dy)); \\n float4 c3 = tex2D(s0, tex + float2(dx,-dy)); \\n float4 c4 = tex2D(s0, tex + float2(-dx,0)); \\n float4 c5 = tex2D(s0, tex + float2(dx,0)); \\n float4 c6 = tex2D(s0, tex + float2(-dx,dy)); \\n float4 c7 = tex2D(s0, tex + float2(0,dy)); \\n float4 c8 = tex2D(s0, tex + float2(dx,dy)); \\n\\n flou = (c1+c3+c6+c8 + 2*(c2+c4+c5+c7)+ 4*ori)*0.0625; \\n\\n cori = 2*ori - flou; \\n\\n float delta1; \\n float delta2; \\n float value; \\n\\n delta1 = (c3 + 2*c5 + c8)-(c1 + 2*c4 + c6); \\n delta2 = (c6 + 2*c7 + c8)-(c1 + 2*c2 + c3); \\n\\n value = sqrt( mul(delta1,delta1) + mul(delta2,delta2) ) ; \\n\\n if( value >.3 ) \\n { \\n#define Sharpen_val0 2.0 \\n#define Sharpen_val1 0.125 \\n final = ori*2 - (c1 + c2 + c3 + c4 + c5 + c6 + c7 + c8 ) * 0.125 ; \\n return final; \\n } \\n else \\n { \\n return cori; \\n } \\n}"

"1"="16-235 -> 0-255|ps_2_0|sampler s0 : register(s0);\\n\\n#define Const_1 (16.0/255.0)\\n#define Const_2 (255.0/219.0)\\n\\nfloat4 main(float2 tex : TEXCOORD0) : COLOR\\n{\\n return( ( tex2D( s0, tex ) - Const_1 ) * Const_2 );\\n}\\n"

"2"="emboss|ps_2_0|sampler s0 : register(s0);\\nfloat4 p0 : register(c0);\\nfloat4 p1 : register(c1);\\n\\n#define width (p0[0])\\n#define height (p0[1])\\n#define counter (p0[2])\\n#define clock (p0[3])\\n#define one_over_width (p1[0])\\n#define one_over_height (p1[1])\\n\\n#define PI acos(-1)\\n\\nfloat4 main(float2 tex : TEXCOORD0) : COLOR\\n{\\n\\tfloat dx = 1/width;\\n\\tfloat dy = 1/height;\\n\\t\\n\\tfloat4 c1 = tex2D(s0, tex + float2(-dx,-dy));\\n\\tfloat4 c2 = tex2D(s0, tex + float2(0,-dy));\\n\\tfloat4 c4 = tex2D(s0, tex + float2(-dx,0));\\n\\tfloat4 c6 = tex2D(s0, tex + float2(dx,0));\\n\\tfloat4 c8 = tex2D(s0, tex + float2(0,dy));\\n\\tfloat4 c9 = tex2D(s0, tex + float2(dx,dy));\\n\\t\\n\\tfloat4 c0 = (-c1-c2-c4+c6+c8+c9);\\n\\tc0 = (c0.r+c0.g+c0.b)/3 + 0.5;\\n\\t\\n\\treturn c0;\\n}\\n"

"3"="spotlight|ps_2_0|sampler s0 : register(s0);\\nfloat4 p0 : register(c0);\\nfloat4 p1 : register(c1);\\n\\n#define width (p0[0])\\n#define height (p0[1])\\n#define counter (p0[2])\\n#define clock (p0[3])\\n#define one_over_width (p1[0])\\n#define one_over_height (p1[1])\\n\\n#define PI acos(-1)\\n\\nfloat4 main(float2 tex : TEXCOORD0) : COLOR\\n{\\n\\tfloat4 c0 = tex2D(s0, tex);\\n\\tfloat3 lightsrc = float3(sin(clock*PI/1.5)/2+0.5,cos(clock*PI)/2+0.5,1);\\n\\tfloat3 light = normalize(lightsrc - float3(tex.x,tex.y,0));\\n\\tc0 *= pow(dot(light, float3(0,0,1)), 50);\\n\\t\\n\\treturn c0;\\n}\\n"

"4"="deinterlace (blend)|ps_2_0|sampler s0 : register(s0);\\nfloat4 p0 : register(c0);\\nfloat4 p1 : register(c1);\\n\\n#define width (p0[0])\\n#define height (p0[1])\\n#define counter (p0[2])\\n#define clock (p0[3])\\n#define one_over_width (p1[0])\\n#define one_over_height (p1[1])\\n\\n#define PI acos(-1)\\n\\nfloat4 main(float2 tex : TEXCOORD0) : COLOR\\n{\\n\\tfloat4 c0 = tex2D(s0, tex);\\n\\t\\n\\tfloat2 h = float2(0, 1/height);\\n\\tfloat4 c1 = tex2D(s0, tex-h);\\n\\tfloat4 c2 = tex2D(s0, tex+h);\\n\\tc0 = (c0*2+c1+c2)/4;\\n\\t\\n\\treturn c0;\\n}"

"5"="invert|ps_2_0|sampler s0 : register(s0);\\nfloat4 p0 : register(c0);\\nfloat4 p1 : register(c1);\\n\\n#define width (p0[0])\\n#define height (p0[1])\\n#define counter (p0[2])\\n#define clock (p0[3])\\n#define one_over_width (p1[0])\\n#define one_over_height (p1[1])\\n\\n#define PI acos(-1)\\n\\nfloat4 main(float2 tex : TEXCOORD0) : COLOR\\n{\\n\\tfloat4 c0 = float4(1, 1, 1, 1) - tex2D(s0, tex);\\n\\t\\n\\treturn c0;\\n}\\n"

"6"="procamp|ps_2_0|sampler s0 : register(s0);\\nfloat4 p0 : register(c0);\\nfloat4 p1 : register(c1);\\n\\n#define width (p0[0])\\n#define height (p0[1])\\n#define counter (p0[2])\\n#define clock (p0[3])\\n#define one_over_width (p1[0])\\n#define one_over_height (p1[1])\\n\\n#define PI acos(-1)\\n\\nstatic float4x4 r2y =\\n{\\n\\t0.299, 0.587, 0.114, 0,\\n\\t-0.147, -0.289, 0.437, 0,\\n\\t0.615, -0.515, -0.100, 0,\\n\\t0, 0, 0, 0\\n};\\n\\nstatic float4x4 y2r =\\n{\\n\\t1.0, 0.0, 1.140, 0, \\n\\t1.0, -0.394, -0.581, 0,\\n\\t1.0, 2.028, 0.0, 0, \\n\\t0, 0, 0, 0\\n};\\n\\n#define ymin (16.0/255)\\n#define ymax (235.0/255)\\n\\n// Brightness: -1.0 to 1.0, default 0.0\\n// Contrast: 0.0 to 10.0, default 1.0\\n// Hue: -180.0 to +180.0, default 0.0\\n// Saturation: 0.0 to 10.0, default 1.0\\n\\n#define Brightness 0.0\\n#define Contrast 1.0\\n#define Hue 0.0\\n#define Saturation 1.0\\n\\n// tv -> pc scale\\n// #define Brightness (-ymin)\\n// #define Contrast (1.0/(ymax-ymin))\\n\\nstatic float2x2 HueMatrix =\\n{\\n\\tcos(Hue * PI / 180), sin(Hue * PI / 180),\\n\\t-sin(Hue * PI / 180), cos(Hue * PI / 180)\\n};\\n\\nfloat4 main(float2 tex : TEXCOORD0) : COLOR\\n{\\n\\tfloat4 c0 = tex2D(s0, tex);\\n\\tc0 = mul(r2y, c0);\\n\\tc0.r = Contrast * (c0.r - ymin) + ymin + Brightness;\\n\\tc0.gb = mul(HueMatrix, c0.gb) * Saturation;\\n\\tc0 = mul(y2r, c0);\\n\\treturn c0; \\n}\\n"

"7"="contour|ps_2_0|sampler s0 : register(s0);\\nfloat4 p0 : register(c0);\\nfloat4 p1 : register(c1);\\n\\n#define width (p0[0])\\n#define height (p0[1])\\n#define counter (p0[2])\\n#define clock (p0[3])\\n#define one_over_width (p1[0])\\n#define one_over_height (p1[1])\\n\\n#define PI acos(-1)\\n\\nfloat4 main(float2 tex : TEXCOORD0) : COLOR\\n{\\n\\tfloat dx = 4/width;\\n\\tfloat dy = 4/height;\\n\\t\\n\\tfloat4 c2 = tex2D(s0, tex + float2(0,-dy));\\n\\tfloat4 c4 = tex2D(s0, tex + float2(-dx,0));\\n\\tfloat4 c5 = tex2D(s0, tex + float2(0,0));\\n\\tfloat4 c6 = tex2D(s0, tex + float2(dx,0));\\n\\tfloat4 c8 = tex2D(s0, tex + float2(0,dy));\\n\\t\\n\\tfloat4 c0 = (-c2-c4+c5*4-c6-c8);\\n\\tif(length(c0) < 1.0) c0 = float4(0,0,0,0);\\n\\telse c0 = float4(1,1,1,0);\\n\\t\\n\\treturn c0;\\n}\\n"

"8"="letterbox|ps_2_0|sampler s0 : register(s0);\\nfloat4 p0 : register(c0);\\nfloat4 p1 : register(c1);\\n\\n#define width (p0[0])\\n#define height (p0[1])\\n#define counter (p0[2])\\n#define clock (p0[3])\\n#define one_over_width (p1[0])\\n#define one_over_height (p1[1])\\n\\n#define PI acos(-1)\\n\\nfloat4 main(float2 tex : TEXCOORD0) : COLOR\\n{\\n\\tfloat4 c0 = 0;\\n\\t\\n\\tfloat2 ar = float2(16, 9);\\n\\tfloat h = (1 - width/height * ar.y/ar.x) / 2;\\n\\t\\n\\tif(tex.y >= h && tex.y <= 1-h)\\n\\t\\tc0 = tex2D(s0, tex);\\n\\t\\n\\treturn c0;\\n}"

"9"="nightvision|ps_2_0|sampler s0 : register(s0);\\n\\nfloat4 main(float2 tex : TEXCOORD0) : COLOR\\n{\\n\\tfloat c = dot(tex2D(s0, tex), float4(0.2, 0.6, 0.1, 0.1));\\n\\treturn float4(0,c,0,0);\\n}\\n"

"10"="wave|ps_2_0|sampler s0 : register(s0);\\nfloat4 p0 : register(c0);\\nfloat4 p1 : register(c1);\\n\\n#define width (p0[0])\\n#define height (p0[1])\\n#define counter (p0[2])\\n#define clock (p0[3])\\n#define one_over_width (p1[0])\\n#define one_over_height (p1[1])\\n\\n#define PI acos(-1)\\n\\nfloat4 main(float2 tex : TEXCOORD0) : COLOR\\n{\\n\\t// don't look at this for too long, you'll get dizzy :)\\n\\t\\n\\tfloat4 c0 = 0;\\n\\t\\n\\ttex.x += sin(tex.x+clock/0.3)/20;\\n\\ttex.y += sin(tex.x+clock/0.3)/20;\\n\\t\\n\\tif(tex.x >= 0 && tex.x <= 1 && tex.y >= 0 && tex.y <= 1)\\n\\t{\\n\\t\\tc0 = tex2D(s0, tex);\\n\\t}\\n\\t\\n\\treturn c0;\\n}\\n"

"11"="sharpen|ps_2_0|sampler s0 : register(s0); \\nfloat4 p0 : register(c0); \\nfloat4 p1 : register(c1); \\n \\n#define effect_width (1.6) \\n#define val0 (2.0) \\n#define val1 (-0.125) \\n\\n#define width (p0[0]) \\n#define height (p0[1]) \\n \\nfloat4 main(float2 tex : TEXCOORD0) : COLOR \\n{ \\n\\tfloat dx = effect_width/width; \\n\\tfloat dy = effect_width/height; \\n \\n\\tfloat4 c1 = tex2D(s0, tex + float2(-dx,-dy)) * val1; \\n\\tfloat4 c2 = tex2D(s0, tex + float2(0,-dy)) * val1; \\n\\tfloat4 c3 = tex2D(s0, tex + float2(-dx,0)) * val1; \\n\\tfloat4 c4 = tex2D(s0, tex + float2(dx,0)) * val1; \\n\\tfloat4 c5 = tex2D(s0, tex + float2(0,dy)) * val1; \\n\\tfloat4 c6 = tex2D(s0, tex + float2(dx,dy)) * val1; \\n\\tfloat4 c7 = tex2D(s0, tex + float2(-dx,+dy)) * val1; \\n\\tfloat4 c8 = tex2D(s0, tex + float2(+dx,-dy)) * val1; \\n\\tfloat4 c9 = tex2D(s0, tex) * val0; \\n\\t\\n\\tfloat4 c0 = (c1 + c2 + c3 + c4 + c5 + c6 + c7 + c8 +c9); \\n\\t\\n\\treturn c0; \\n}"

"12"="sphere|ps_2_0|sampler s0 : register(s0);\\nfloat4 p0 : register(c0);\\nfloat4 p1 : register(c1);\\n\\n#define width (p0[0])\\n#define height (p0[1])\\n#define counter (p0[2])\\n#define clock (p0[3])\\n#define one_over_width (p1[0])\\n#define one_over_height (p1[1])\\n\\n#define PI acos(-1)\\n\\nfloat4 main(float2 tex : TEXCOORD0) : COLOR\\n{\\n\\t// - this is a very simple raytracer, one sphere only\\n\\t// - no reflection or refraction, yet (my ati 9800 has a 64 + 32 instruction limit...)\\n\\t\\n\\tfloat3 pl = float3(3,-3,-4); // light pos\\n\\tfloat4 cl = 0.4; // light color\\n\\t\\n\\tfloat3 pc = float3(0,0,-1); // cam pos\\n\\tfloat3 ps = float3(0,0,0.5); // sphere pos\\n\\tfloat r = 0.65; // sphere radius\\n\\t\\n\\tfloat3 pd = normalize(float3(tex.x-0.5, tex.y-0.5, 0) - pc);\\n\\t\\n\\tfloat A = 1;\\n\\tfloat B = 2*dot(pd, pc - ps);\\n\\tfloat C = dot(pc - ps, pc - ps) - r*r;\\n\\tfloat D = B*B - 4*A*C;\\n\\t\\n\\tfloat4 c0 = 0;\\n\\t\\n\\tif(D >= 0)\\n\\t{\\n\\t\\t// t2 is the smaller, obviously...\\n\\t\\t// float t1 = (-B + sqrt(D)) / (2*A);\\n\\t\\t// float t2 = (-B - sqrt(D)) / (2*A);\\n\\t\\t// float t = min(t1, t2); \\n\\t\\t\\n\\t\\tfloat t = (-B - sqrt(D)) / (2*A);\\n\\t\\t\\n\\t\\t// intersection data\\n\\t\\tfloat3 p = pc + pd*t;\\n\\t\\tfloat3 n = normalize(p - ps);\\n\\t\\tfloat3 l = normalize(pl - p);\\n\\t\\t\\n\\t\\t// mapping the image onto the sphere\\n\\t\\ttex = acos(-n)/PI; \\n\\t\\t\\n\\t\\t// rotate it\\n\\t\\ttex.x = frac(tex.x + frac(clock/10));\\n\\t\\t\\n\\t\\t// diffuse + specular\\n\\t\\tc0 = tex2D(s0, tex) * dot(n, l) + cl * pow(max(dot(l, reflect(pd, n)), 0), 50);\\n\\t}\\n\\t\\n\\treturn c0;\\n}\\n"

"13"="grayscale|ps_2_0|sampler s0 : register(s0);\\nfloat4 p0 : register(c0);\\nfloat4 p1 : register(c1);\\n\\n#define width (p0[0])\\n#define height (p0[1])\\n#define counter (p0[2])\\n#define clock (p0[3])\\n#define one_over_width (p1[0])\\n#define one_over_height (p1[1])\\n\\n#define PI acos(-1)\\n\\nfloat4 main(float2 tex : TEXCOORD0) : COLOR\\n{\\n\\tfloat c0 = dot(tex2D(s0, tex), float4(0.299, 0.587, 0.114, 0));\\n\\t\\n\\treturn c0;\\n}\\n"

"14"="edge sharpen|ps_2_0|sampler s0 : register(s0); \\nfloat4 p0 : register(c0); \\nfloat4 p1 : register(c1); \\n\\n#define width (p0[0]) \\n#define height (p0[1]) \\n#define counter (p0[2]) \\n#define clock (p0[3]) \\n#define one_over_width (p1[0]) \\n#define one_over_height (p1[1]) \\n\\n#define PI acos(-1) \\n\\n#define NbPixel 1 \\n\\n#define Edge_threshold 0.2 \\n\\n#define Sharpen_val0 2.0 \\n#define Sharpen_val1 0.125 \\n\\nfloat4 main(float2 tex : TEXCOORD0) : COLOR \\n{ \\n float dx = NbPixel/width; \\n float dy = NbPixel/height; \\n float4 Res = 0; \\n\\n float4 c0 = tex2D(s0, tex); \\n float4 c1 = tex2D(s0, tex + float2(-dx,-dy)); \\n float4 c2 = tex2D(s0, tex + float2(0,-dy)); \\n float4 c3 = tex2D(s0, tex + float2(dx,-dy)); \\n float4 c4 = tex2D(s0, tex + float2(-dx,0)); \\n float4 c5 = tex2D(s0, tex + float2(dx,0)); \\n float4 c6 = tex2D(s0, tex + float2(-dx,dy)); \\n float4 c7 = tex2D(s0, tex + float2(0,dy)); \\n float4 c8 = tex2D(s0, tex + float2(dx,dy)); \\n\\n float4 delta1 = (c6+c4+c1-c3-c5-c8); \\n float4 delta2 = (c4+c1+c2-c5-c8-c7); \\n float4 delta3 = (c1+c2+c3-c8-c7-c6); \\n float4 delta4 = (c2+c3+c5-c7-c6-c4); \\n\\n float value = length(abs(delta1) + abs(delta2) + abs(delta3) + abs(delta4))/6; \\n\\n if(value > Edge_threshold ) \\n { \\n Res = c0 * Sharpen_val0 - (c1 + c2 + c3 + c4 + c5 + c6 + c7 + c8 ) * Sharpen_val1 ; \\n return Res; \\n } \\n else \\n return c0; \\n}"

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\ToolBars\Capture Settings]

"Visible"=dword:00000000

"DockState"=dword:0000e81c

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\ToolBars\Capture Settings\State-SCBar-0]

"sizeHorzCX"=dword:000000bf

"sizeHorzCY"=dword:000001b2

"sizeVertCX"=dword:000000bf

"sizeVertCY"=dword:000001b2

"sizeFloatCX"=dword:000000bf

"sizeFloatCY"=dword:000001b2

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\ToolBars\Playlist]

"Visible"=dword:00000000

"DockState"=dword:0000e81e

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\ToolBars\Playlist\State-SCBar-0]

"sizeHorzCX"=dword:000000c8

"sizeHorzCY"=dword:00000064

"sizeVertCX"=dword:000000c8

"sizeVertCY"=dword:00000064

"sizeFloatCX"=dword:000000c8

"sizeFloatCY"=dword:00000064

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\ToolBars\Shader Editor]

"Visible"=dword:00000000

"DockState"=dword:0000e81b

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\ToolBars\Shader Editor\State-SCBar-0]

"sizeHorzCX"=dword:00000129

"sizeHorzCY"=dword:0000006b

"sizeVertCX"=dword:00000129

"sizeVertCY"=dword:0000006b

"sizeFloatCX"=dword:00000129

"sizeFloatCY"=dword:0000006b

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\ToolBars\Subresync]

"Visible"=dword:00000000

"DockState"=dword:0000e81b

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\ToolBars\Subresync\State-SCBar-0]

"sizeHorzCX"=dword:000000c8

"sizeHorzCY"=dword:000000c8

"sizeVertCX"=dword:000000c8

"sizeVertCY"=dword:000000c8

"sizeFloatCX"=dword:000000c8

"sizeFloatCY"=dword:000000c8

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,47,54,75,a3,fb,50,56,4a,93,58,97,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,47,54,75,a3,fb,50,56,4a,93,58,97,\

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office PowerPoint\Settings\Sb*_]

"PositionInfo-Monitor1"=hex:4b,01,00,00,af,00,00,00,02,03,00,00,cc,01,00,00

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office PowerPoint\Settings\Sb*_\File Name MRU]

"Value"=multi:"\00\00"

"Maximum Entries"=dword:0000000a

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office PowerPoint\Settings\Sb*_\View]

"Data"=hex:04,16,00,47,28,14,14,14,0d,01,02,01,00,18,41,00,0d,00,fa,08,00,00,

90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,\

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office Word\Settings\Sb*_]

"PositionInfo-Monitor1"=hex:4b,01,00,00,af,00,00,00,02,03,00,00,cc,01,00,00

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office Word\Settings\Sb*_\File Name MRU]

"Value"=multi:"\00\00"

"Maximum Entries"=dword:0000000a

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office Word\Settings\Sb*_\View]

"Data"=hex:04,16,00,47,28,14,14,14,0d,01,02,01,00,18,41,00,0d,00,fa,08,00,00,

90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,\

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\I*E*4O]

"Order"=hex:08,00,00,00,02,00,00,00,10,02,00,00,01,00,00,00,04,00,00,00,80,00,

00,00,00,00,00,00,72,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,60,00,36,\

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500_Classes\Applications\q_髼螛磃.*l*n*k*\shell\open\command]

@="\"c:\\Documents and Settings\\Administrator\\桌面\\影音风暴.lnk\" %1"

.

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*膥鯪\CLSID]

@="{809B6661-94C4-49E6-B6EC-3F0F862215AA}"

.

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*膥鯪\CurVer]

@="BDATuner.组件.1"

.

[HKEY_LOCAL_MACHINE\software\Classes\7uu臺麐.*M*y*N*S*H*a*n*d*l*e*r*\Clsid]

@="{E8CFC029-8420-4EAE-ADEF-915BDC77E1DC}"

.

[HKEY_LOCAL_MACHINE\software\Classes\zzKNh忶廠*C*+R?.*M*y*N*S*H*a*n*d*l*e*r*\Clsid]

@="{E8CFC029-8420-4EAE-ADEF-915BDC77E1DC}"

.

[HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\G*o*o*g*l*e* *C*h*r*o*m*e* *Om葔hV\Capabilities]

"ApplicationName"="Google Chrome 浏览器"

"ApplicationIcon"="c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe,0"

"ApplicationDescription"="Google Chrome 浏览器是一款可高速运行网页和应用程序的网络浏览器。它快捷、稳定且易于使用。Google Chrome 浏览器内置的恶意软件和网上诱骗防护功能可让您更加安全地浏览网页。"

.

[HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\G*o*o*g*l*e* *C*h*r*o*m*e* *Om葔hV\Capabilities\FileAssociations]

".xhtml"="ChromeHTML"

".xht"="ChromeHTML"

".shtml"="ChromeHTML"

".html"="ChromeHTML"

".htm"="ChromeHTML"

.

[HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\G*o*o*g*l*e* *C*h*r*o*m*e* *Om葔hV\Capabilities\StartMenu]

"StartMenuInternet"="Google Chrome 浏览器"

.

[HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\G*o*o*g*l*e* *C*h*r*o*m*e* *Om葔hV\Capabilities\URLAssociations]

"https"="ChromeHTML"

"http"="ChromeHTML"

"ftp"="ChromeHTML"

.

[HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\G*o*o*g*l*e* *C*h*r*o*m*e* *Om葔hV\DefaultIcon]

@="c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe,0"

.

[HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\G*o*o*g*l*e* *C*h*r*o*m*e* *Om葔hV\InstallInfo]

"IconsVisible"=dword:00000001

"ShowIconsCommand"="\"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe\" --show-icons"

"HideIconsCommand"="\"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe\" --hide-icons"

"ReinstallCommand"="\"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe\" --make-default-browser"

.

[HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\G*o*o*g*l*e* *C*h*r*o*m*e* *Om葔hV\shell\open\command]

@="\"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe\""

.

--------------------- 运行进程下的动态链接库 ---------------------

.

- - - - - - - > 'explorer.exe'(3540)

c:\windows\system32\WPDShServiceObj.dll

c:\program files\WinSCP3\DragExt.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ 其他运行进程 ------------------------

.

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\locator.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\conime.exe

c:\windows\RTHDCPL.EXE

.

**************************************************************************

.

完成时间: 2011-07-23 22:38:13 - 电脑已重新启动

ComboFix-quarantined-files.txt 2011-07-24 02:38

ComboFix2.txt 2011-07-23 14:34

ComboFix3.txt 2011-07-18 01:48

ComboFix4.txt 2011-07-17 18:38

.

Pre-Run: 7,932,366,848 可用字节

Post-Run: 7,923,634,176 可用字节

.

- - End Of File - - 628A01D800BA8662F8B510E6CBA45434


Let's try this:

Please do the following:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KILLALL::

Reglock::

[HKEY_USERS\.Default\AppEvents\Schemes\Apps\Conf\ g篘*慂Q\.Current]

[HKEY_USERS\LocalService\AppEvents\Schemes\Apps\Conf\ g篘*慂Q\.Current]

[HKEY_USERS\S-1-5-20\AppEvents\Schemes\Apps\Conf\ g篘*慂Q\.Current]

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\AppEvents\Schemes\Apps\Conf\ g篘*慂Q\.Current]

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software \Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\Capture]

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software \Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\FileFormats]

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software \Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\Internal Filters]

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software \Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\Settings]

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software \Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\Settings\PnSPresets]

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software \Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\Shaders]

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software \Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\ToolBars\Capture Settings]

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software \Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\ToolBars\Capture Settings\State-SCBar-0]

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software \Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\ToolBars\Playlist]

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software \Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\ToolBars\Playlist\State-SCBar-0]

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software \Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\ToolBars\Shader Editor]

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software \Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\ToolBars\Shader Editor\State-SCBar-0]

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software \Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\ToolBars\Subresync]

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software \Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\ToolBars\Subresync\State-SCBar-0]

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Microsoft\Internet Explorer\User Preferences]

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office PowerPoint\Settings\Sb*_]

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office PowerPoint\Settings\Sb*_\File Name MRU]

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office PowerPoint\Settings\Sb*_\View]

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office Word\Settings\Sb*_]

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office Word\Settings\Sb*_\File Name MRU]

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office Word\Settings\Sb*_\View]

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\I*E*4O]

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500_Classes\Applications \q_髼螛磃.*l*n*k*\shell\open\command]

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*膥鯪\CLSID]

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*膥鯪\CurVer]

[HKEY_LOCAL_MACHINE\software\Classes\7u¬u臺麐.*M*y*N*S*H*a*n*d*l*e*r* \Clsid]

[HKEY_LOCAL_MACHINE\software\Classes\zzKNh忶廠*C*+R?.*M*y*N*S*H*a*n*d*l*e*r*\Clsid]

[HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\G*o*o*g*l*e* *C*h*r*o*m*e* *Om葔hV\Capabilities]

[HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\G*o*o*g*l*e* *C*h*r*o*m*e* *Om葔hV\Capabilities\FileAssociations]

[HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\G*o*o*g*l*e* *C*h*r*o*m*e* *Om葔hV\Capabilities\StartMenu]

[HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\G*o*o*g*l*e* *C*h*r*o*m*e* *Om葔hV\Capabilities\URLAssociations]

[HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\G*o*o*g*l*e* *C*h*r*o*m*e* *Om葔hV\DefaultIcon]

[HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\G*o*o*g*l*e* *C*h*r*o*m*e* *Om葔hV\InstallInfo]

[HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\G*o*o*g*l*e* *C*h*r*o*m*e* *Om葔hV\shell\open\command]

Save this as CFScript.txt, in the same location as ComboFix.exe

[Image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I shall require in your next reply.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Please include the newly-created C:\ComboFix.txt in your next reply, and let me know how things are running now ;)


This is the new log from Combofix.

Many Thanks,

Y

ComboFix 11-07-24.03 - Administrator -07-24 星期日 19:37:57.5.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.936.86.2052.18.958.518 [GMT -4:00]

执行位置: c:\documents and settings\Administrator\桌面\ComboFix.exe

Command switches used :: c:\documents and settings\Administrator\桌面\CFScript.txt

.

.

((((((((((((((((((((((((( 2011-06-24 至 2011-07-24 的新的档案 )))))))))))))))))))))))))))))))

.

.

2011-07-23 05:15 . 2011-07-23 05:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\f-secure

2011-07-23 05:15 . 2011-07-23 05:15 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure

2011-07-22 17:03 . 2011-07-22 17:03 -------- d--h--w- c:\windows\PIF

2011-07-21 18:37 . 2011-07-21 18:37 -------- d-----w- c:\program files\VS Revo Group

2011-07-21 16:56 . 2011-07-21 16:56 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2011-07-18 17:24 . 2011-07-18 17:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\QuickScan

2011-07-17 18:23 . 2011-07-17 18:23 -------- d-----w- c:\windows\system32\wbem\snmp

2011-07-17 18:23 . 2011-07-17 18:23 -------- d-----w- c:\windows\system32\xircom

2011-07-17 18:23 . 2011-07-17 18:23 -------- d-----w- c:\windows\system32\oobe

2011-07-17 18:23 . 2011-07-17 18:23 -------- d-----w- c:\program files\microsoft frontpage

2011-06-26 04:38 . 2011-06-26 06:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\SPlayer

.

.

.

(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-07-17 23:43 . 2010-11-01 02:58 1430 ----a-w- c:\windows\system32\PerfStringBackup.TMP

2011-07-10 13:47 . 2011-06-13 02:14 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-06-24 14:03 . 2011-05-13 22:04 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2009-11-24 16:08 . 2009-02-21 01:25 253952 ----a-w- c:\program files\mozilla firefox\components\CheckTudouVa.dll

2008-09-23 09:39 . 2008-11-11 09:54 36864 ----a-w- c:\program files\mozilla firefox\components\NsThunderLoader.dll

2010-09-15 15:04 . 2008-11-11 09:54 79664 ----a-w- c:\program files\mozilla firefox\components\ThunderComponent.dll

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[-] 2008-06-11 . 030DC4D48CC2B894FEE2F390D8E66AD5 . 361344 . . [5.1.2600.5512] . . c:\windows\system32\drivers\tcpip.sys

.

[-] 2008-05-09 . 440EDA2420CFA1B3B2AB4725FC33825D . 493056 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

.

((((((((((((((((((((((((((((( SnapShot@2011-07-17_18.24.46 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-07-24 23:47 . 2011-07-24 23:47 16384 c:\windows\temp\Perflib_Perfdata_690.dat

+ 2008-04-14 12:00 . 2011-07-17 23:43 58642 c:\windows\system32\prfc0804.dat

+ 2008-04-14 12:00 . 2011-07-17 23:43 49990 c:\windows\system32\perfc009.dat

- 2008-04-14 12:00 . 2011-03-16 04:50 49990 c:\windows\system32\perfc009.dat

+ 2010-09-23 08:47 . 2010-09-23 08:47 35760 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\reader_sl.exe

+ 2010-09-23 07:03 . 2010-09-23 07:03 99776 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\eula.exe

+ 2010-09-21 03:07 . 2010-09-21 03:07 70584 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\adobeextractfiles.dll

+ 2010-09-23 06:52 . 2010-09-23 06:52 27048 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\acrotextextractor.exe

+ 2010-09-22 22:12 . 2010-09-22 22:12 15800 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\AcroRd32Info.exe

+ 2008-04-14 12:00 . 2011-07-17 23:43 198948 c:\windows\system32\prfh0804.dat

+ 2008-04-14 12:00 . 2011-07-17 23:43 334406 c:\windows\system32\perfh009.dat

- 2008-04-14 12:00 . 2011-03-16 04:50 334406 c:\windows\system32\perfh009.dat

+ 2010-09-21 03:07 . 2010-09-21 03:07 338856 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\readerupdater.exe

+ 2010-09-22 22:10 . 2010-09-22 22:10 103864 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\nppdf32.dll

+ 2010-09-10 22:17 . 2010-09-10 22:17 684032 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\JP2KLib.dll

+ 2010-09-23 00:41 . 2010-09-23 00:41 542168 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\AdobeCollabSync.exe

+ 2010-09-21 03:07 . 2010-09-21 03:07 932288 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\adobearm.exe

+ 2010-09-23 08:47 . 2010-09-23 08:47 349616 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\AcroRd32.exe

+ 2010-09-22 22:04 . 2010-09-22 22:04 660912 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\AcroPDF.dll

+ 2010-09-22 23:39 . 2010-09-22 23:39 280024 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\acrobroker.exe

+ 2010-09-21 03:07 . 2010-09-21 03:07 338856 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\acrobatupdater.exe

+ 2010-09-22 22:50 . 2010-09-22 22:50 251296 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\a3dutility.exe

+ 2011-07-23 16:03 . 2011-07-23 16:03 3940864 c:\windows\Installer\4b0d5c.msi

+ 2010-09-22 22:05 . 2010-09-22 22:05 2405784 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\rt3d.dll

+ 2010-09-16 07:08 . 2010-09-16 07:08 6210560 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\authplay.dll

+ 2010-06-19 21:51 . 2010-06-19 21:51 5713920 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\AGM.dll

+ 2011-05-27 20:22 . 2011-05-27 20:22 1220672 c:\windows\Downloaded Program Files\qsax.dll

+ 2011-01-31 10:45 . 2011-01-31 10:45 11135488 c:\windows\Installer\4b0e08.msp

+ 2011-06-08 04:39 . 2011-06-08 04:39 19798016 c:\windows\Installer\4b0e07.msp

+ 2010-09-23 07:03 . 2010-09-23 07:03 20460984 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\AcroRd32.dll

.

((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*注意* 空白与合法缺省登录将不会被显示

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-02 13529088]

"RTHDCPL"="RTHDCPL.EXE" [2010-09-03 19573352]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\AcrobatReader\Reader\Reader_sl.exe" [2011-06-08 37296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nltide_3"="advpack.dll" [2008-04-14 96256]

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMConfigurePrograms"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

.

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0210804]

Ime File REG_SZ GOOGLEPINYIN2.IME

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0040804]

IME File REG_SZ winabc.ime

.

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^「开始」菜单^程序^启动^启动飞速土豆.lnk]

path=c:\documents and settings\Administrator\「开始」菜单\程序\启动\启动飞速土豆.lnk

backup=c:\windows\pss\启动飞速土豆.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]

2008-06-11 14:43 640376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]

2008-06-11 18:25 37232 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2011-03-30 04:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2011-06-08 04:02 37296 ----a-w- c:\program files\Adobe\Acrobat 9.0\AcrobatReader\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]

2008-08-08 12:11 490952 ----a-w- c:\program files\DAEMON_Tools_Lite\daemon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Pinyin 2 Autoupdater]

2010-03-07 00:50 1193456 ----a-w- c:\program files\Google\Google Pinyin 2\GooglePinyinDaemon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2010-04-26 22:37 136176 ----atw- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

2011-06-15 19:02 15141768 ----a-r- c:\program files\Skype\Phone\Skype.exe

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\FlashGetBHO\\FlvDetector.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\FlashGetBHO\\LiveSupport.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\FlashGetBHO\\LiveQuery.exe"=

"c:\\Program Files\\Kingsoft\\Powerword 2007\\xdict.exe"=

"c:\\Program Files\\Kingsoft\\Powerword 2007\\update.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"7554:TCP"= 7554:TCP:BitComet 7554 TCP

"7554:UDP"= 7554:UDP:BitComet 7554 UDP

.

R0 iaStor7;Intel AHCI Controller;c:\windows\system32\drivers\iastor7.sys [2008-1-23 5:20 308248]

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2008-11-11 5:16 717296]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-10-2 0:42 1691480]

.

‘计划任务’ 文件夹 里的内容

.

2011-07-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-1935655697-1417001333-500Core.job

- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-26 22:37]

.

2011-07-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-1935655697-1417001333-500UA.job

- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-26 22:37]

.

.

------- 而外的扫描 -------

.

uStart Page = hxxp://www.google.com/webhp?hl=gn

uInternet Settings,ProxyOverride = <local>

IE: 使用迅雷查看图片 - c:\program files\Thunder Network\Thunder\Program\repairimage.htm

IE: 导出到 Microsoft Excel(&X) - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000

IE: 将链接目标转换为 Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: 将链接目标追加到现有的 PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: 转换为 Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: 追加到现有的 PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: {{548BF84E-9665-47f9-B635-7380F8943E90} - c:\program files\Thunder Network\Thunder\Program\repairimage.htm

Trusted Zone: kuaiche.com\software

TCP: DhcpNameServer = 192.168.1.1

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8lmqm6iw.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 50370

FF - prefs.js: network.proxy.type - 4

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-07-24 19:48

Windows 5.1.2600 Service Pack 3 NTFS

.

扫描被隐藏的进程 。。。

.

扫描被隐藏的启动组 。。。

.

扫描被隐藏的文件 。。。

.

扫描完成

被隐藏的档案: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\AppEvents\Schemes\Apps\Conf\ g篘*慂Q\.Current]

@="c:\\Program Files\\NetMeeting\\Blip.wav"

.

[HKEY_USERS\LocalService\AppEvents\Schemes\Apps\Conf\ g篘*慂Q\.Current]

@="c:\\Program Files\\NetMeeting\\Blip.wav"

.

[HKEY_USERS\S-1-5-20\AppEvents\Schemes\Apps\Conf\ g篘*慂Q\.Current]

@="c:\\Program Files\\NetMeeting\\Blip.wav"

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\AppEvents\Schemes\Apps\Conf\ g篘*慂Q\.Current]

@="c:\\Program Files\\NetMeeting\\Blip.wav"

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\Capture]

"VidOutput"=dword:00000001

"AudOutput"=dword:00000001

"VidPreview"=dword:00000001

"AudPreview"=dword:00000001

"FileFormat"=dword:00000000

"FileName"=".avi"

"SepAudio"=dword:00000001

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\FileFormats]

"RtspHandler"=dword:00000001

"RtspFileExtFirst"=dword:00000001

"Windows Media file"="wmv wmp wm asf \\0"

"Windows Media Audio file"="wma \\0"

"Video file"="avi \\0"

"Audio file"="wav \\0"

"MPEG Media file"="mpg mpeg mpe m1v m2v mpv2 mp2v dat ts tp tpr pva pss \\0"

"MPEG Audio file"="mpa mp2 m1a m2a \\0"

"DVD file"="vob ifo \\0"

"DVD Audio file"="ac3 dts \\0"

"MP3 Format Sound"="mp3 \\0"

"MIDI file"="mid midi rmi \\0"

"Indeo Video file"="ivf \\0"

"AIFF Format Sound"="aif aifc aiff \\0"

"AU Format Sound"="au snd \\0"

"Ogg Media file"="ogm \\0"

"Ogg Vorbis Audio file"="ogg \\0"

"CD Audio Track"="cda \\0"

"FLIC file"="fli flc flic \\0"

"DVD2AVI Project file"="d2v \\0"

"MPEG4 file"="mp4 m4v m4b hdmov 3gp 3gpp \\0"

"MPEG4 Audio file"="m4a aac \\0"

"Matroska Media file"="mkv \\0"

"Matroska Audio file"="mka \\0"

"Smacker/Bink Media file"="smk bik \\0"

"ratdvd file"="ratdvd \\0"

"RoQ Media file"="roq \\0"

"Real Media file"="rm ram rpm rmm rnx \\1"

"Real Audio file"="ra \\1"

"Real Script file"="rt rp smi smil \\1"

"Dirac Video file"="drc \\0"

"DirectShow Media file"="dsm dsv dsa dss \\0"

"Musepack file"="mpc \\0"

"Flash Video file"="flv \\0"

"Shockwave Flash file"="swf \\3"

"Quicktime file"="mov qt amr 3g2 3gp2 \\2"

"Image file"="jpeg jpg bmp gif pic png dib tiff tif \\0"

"Playlist file"="asx m3u pls wvx wax wmx mpcpl \\0"

"Other"="divx vp6 rmvb amv \\0"

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\Internal Filters]

"SrcFilters"=dword:fff30bbf

"TraFilters"=dword:fffff21c

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\Settings]

"LastUsedPage"=dword:00000000

"HideCaptionMenu"=dword:00000000

"ControlState"=dword:00000013

"DefaultVideoFrame"=dword:00000004

"KeepAspectRatio"=dword:00000001

"CompMonDeskARDiff"=dword:00000000

"Volume"=dword:0000001f

"Balance"=dword:00000000

"Mute"=dword:00000000

"LoopNum"=dword:00000001

"Loop"=dword:00000000

"Rewind"=dword:00000000

"Zoom"=dword:00000001

"AllowMultipleInstances"=dword:00000000

"TitleBarTextStyle"=dword:00000001

"TitleBarTextTitle"=dword:00000000

"OnTop"=dword:00000000

"TrayIcon"=dword:00000000

"AutoZoom"=dword:00000001

"FullScreenCtrls"=dword:00000001

"FullScreenCtrlsTimeOut"=dword:00000000

"FullscreenRes"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

"ExitFullscreenAtTheEnd"=dword:00000001

"RememberWindowPos"=dword:00000000

"RememberWindowSize"=dword:00000000

"SnapToDesktopEdges"=dword:00000000

"LastWindowRect"=hex:35,02,00,00,10,01,00,00,8b,03,00,00,55,02,00,00

"LastWindowType"=dword:00000000

"AspectRatioX"=dword:00000000

"AspectRatioY"=dword:00000000

"KeepHistory"=dword:00000000

"DSVidRen"=dword:00000006

"RMVidRen"=dword:00000000

"QTVidRen"=dword:00000000

"APSurfaceUsage"=dword:00000001

"VMRSyncFix"=dword:00000000

"DX9Resizer"=dword:00000001

"VMR9MixerMode"=dword:00000001

"VMRMixerYUV"=dword:00000000

"AudioRendererType"=""

"AutoloadAudio"=dword:00000001

"AutoloadSubtitles"=dword:00000000

"EnableWorkerThreadForOpening"=dword:00000001

"ReportFailedPins"=dword:00000001

"DVDPath"=""

"UseDVDPath"=dword:00000000

"MenuLang"=dword:00000804

"AudioLang"=dword:00000804

"SubtitlesLang"=dword:00000804

"AutoSpeakerConf"=dword:00000001

"SPDefaultStyle"="20,20,20,20,2,0,2.000000,3.000000,0xffffff,0x00ffff,0x000000,0x000000,0x00,0x00,0x00,0x80,1,Arial,18.000000,100.000000,100.000000,0.000000,700,0,0,0,0,0.000000,0.000000,0.000000,2"

"SPOverridePlacement"=dword:00000000

"SPHorPos"=dword:00000032

"SPVerPos"=dword:0000005a

"SPCSize"=dword:00000003

"SPCMaxRes"=dword:00000002

"SPCPow2Tex"=dword:00000001

"EnableSubtitles"=dword:00000001

"EnableAudioSwitcher"=dword:00000001

"EnableAudioTimeShift"=dword:00000000

"AudioTimeShift"=dword:00000000

"DownSampleTo441"=dword:00000000

"CustomChannelMapping"=dword:00000000

"SpeakerToChannelMapping"=hex:01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,

00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

"AudioNormalize"=dword:00000000

"AudioNormalizeRecover"=dword:00000001

"AudioBoost"=dword:00000001

"Shaders List"=""

"IntRealMedia"=dword:00000000

"RealMediaFPS"=dword:41c80000

"UseWinLirc"=dword:00000000

"WinLircAddr"="127.0.0.1:8765"

"UseUICE"=dword:00000000

"UICEAddr"="127.0.0.1:1234"

"DisableXPToolbars"=dword:00000000

"UseWMASFReader"=dword:00000000

"JumpDistS"=dword:000003e8

"JumpDistM"=dword:00001388

"JumpDistL"=dword:00004e20

"FreeWindowResizing"=dword:00000001

"NotifyMSN2"=dword:00000000

"NotifyGTSdll"=dword:00000000

"LogoFile"=""

"LogoID2"=dword:000000d5

"LogoExt"=dword:00000000

"HideCDROMsSubMenu"=dword:00000000

"Priority"=dword:00000020

"LaunchFullScreen"=dword:00000000

"EnableWebServer"=dword:00000000

"WebServerPort"=dword:0000350b

"WebServerPrintDebugIfo"=dword:00000000

"WebServerUseCompression"=dword:00000001

"WebServerLocalhostOnly"=dword:00000001

"WebRoot"="*./webroot"

"WebDefIndex"="index.html;index.php"

"WebServerCGI"=""

"SnapShotPath"="c:\\Documents and Settings\\Administrator\\My Documents\\My Pictures"

"SnapShotExt"=".bmp"

"ThumbRows"=dword:00000004

"ThumbCols"=dword:00000004

"ThumbWidth"=dword:00000400

"HideAviSplitterWarning"=dword:00000001

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\Settings\PnSPresets]

"Preset0"="Scale to 16:9 TV,0.500,0.500,1.000,1.333"

"Preset1"="Zoom To Widescreen,0.500,0.500,1.333,1.333"

"Preset2"="Zoom To Ultra-Widescreen,0.500,0.500,1.763,1.763"

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\Shaders]

"Initialized"=dword:00000001

"Combine"=""

"0"="sharpen complex|ps_2_0|sampler s0 : register(s0); \\nfloat4 p0 : register(c0); \\nfloat4 p1 : register(c1); \\n\\n#define width (p0[0]) \\n#define height (p0[1]) \\n\\n#define dx (p1[0]) \\n#define dy (p1[1]) \\n\\nfloat4 main( float2 tex : TEXCOORD0 ) : COLOR \\n{ \\n float4 ori; \\n float4 flou; \\n float4 cori; \\n float4 final; \\n\\n ori = tex2D(s0, tex); \\n float4 c1 = tex2D(s0, tex + float2(-dx,-dy)); \\n float4 c2 = tex2D(s0, tex + float2(0,-dy)); \\n float4 c3 = tex2D(s0, tex + float2(dx,-dy)); \\n float4 c4 = tex2D(s0, tex + float2(-dx,0)); \\n float4 c5 = tex2D(s0, tex + float2(dx,0)); \\n float4 c6 = tex2D(s0, tex + float2(-dx,dy)); \\n float4 c7 = tex2D(s0, tex + float2(0,dy)); \\n float4 c8 = tex2D(s0, tex + float2(dx,dy)); \\n\\n flou = (c1+c3+c6+c8 + 2*(c2+c4+c5+c7)+ 4*ori)*0.0625; \\n\\n cori = 2*ori - flou; \\n\\n float delta1; \\n float delta2; \\n float value; \\n\\n delta1 = (c3 + 2*c5 + c8)-(c1 + 2*c4 + c6); \\n delta2 = (c6 + 2*c7 + c8)-(c1 + 2*c2 + c3); \\n\\n value = sqrt( mul(delta1,delta1) + mul(delta2,delta2) ) ; \\n\\n if( value >.3 ) \\n { \\n#define Sharpen_val0 2.0 \\n#define Sharpen_val1 0.125 \\n final = ori*2 - (c1 + c2 + c3 + c4 + c5 + c6 + c7 + c8 ) * 0.125 ; \\n return final; \\n } \\n else \\n { \\n return cori; \\n } \\n}"

"1"="16-235 -> 0-255|ps_2_0|sampler s0 : register(s0);\\n\\n#define Const_1 (16.0/255.0)\\n#define Const_2 (255.0/219.0)\\n\\nfloat4 main(float2 tex : TEXCOORD0) : COLOR\\n{\\n return( ( tex2D( s0, tex ) - Const_1 ) * Const_2 );\\n}\\n"

"2"="emboss|ps_2_0|sampler s0 : register(s0);\\nfloat4 p0 : register(c0);\\nfloat4 p1 : register(c1);\\n\\n#define width (p0[0])\\n#define height (p0[1])\\n#define counter (p0[2])\\n#define clock (p0[3])\\n#define one_over_width (p1[0])\\n#define one_over_height (p1[1])\\n\\n#define PI acos(-1)\\n\\nfloat4 main(float2 tex : TEXCOORD0) : COLOR\\n{\\n\\tfloat dx = 1/width;\\n\\tfloat dy = 1/height;\\n\\t\\n\\tfloat4 c1 = tex2D(s0, tex + float2(-dx,-dy));\\n\\tfloat4 c2 = tex2D(s0, tex + float2(0,-dy));\\n\\tfloat4 c4 = tex2D(s0, tex + float2(-dx,0));\\n\\tfloat4 c6 = tex2D(s0, tex + float2(dx,0));\\n\\tfloat4 c8 = tex2D(s0, tex + float2(0,dy));\\n\\tfloat4 c9 = tex2D(s0, tex + float2(dx,dy));\\n\\t\\n\\tfloat4 c0 = (-c1-c2-c4+c6+c8+c9);\\n\\tc0 = (c0.r+c0.g+c0.b)/3 + 0.5;\\n\\t\\n\\treturn c0;\\n}\\n"

"3"="spotlight|ps_2_0|sampler s0 : register(s0);\\nfloat4 p0 : register(c0);\\nfloat4 p1 : register(c1);\\n\\n#define width (p0[0])\\n#define height (p0[1])\\n#define counter (p0[2])\\n#define clock (p0[3])\\n#define one_over_width (p1[0])\\n#define one_over_height (p1[1])\\n\\n#define PI acos(-1)\\n\\nfloat4 main(float2 tex : TEXCOORD0) : COLOR\\n{\\n\\tfloat4 c0 = tex2D(s0, tex);\\n\\tfloat3 lightsrc = float3(sin(clock*PI/1.5)/2+0.5,cos(clock*PI)/2+0.5,1);\\n\\tfloat3 light = normalize(lightsrc - float3(tex.x,tex.y,0));\\n\\tc0 *= pow(dot(light, float3(0,0,1)), 50);\\n\\t\\n\\treturn c0;\\n}\\n"

"4"="deinterlace (blend)|ps_2_0|sampler s0 : register(s0);\\nfloat4 p0 : register(c0);\\nfloat4 p1 : register(c1);\\n\\n#define width (p0[0])\\n#define height (p0[1])\\n#define counter (p0[2])\\n#define clock (p0[3])\\n#define one_over_width (p1[0])\\n#define one_over_height (p1[1])\\n\\n#define PI acos(-1)\\n\\nfloat4 main(float2 tex : TEXCOORD0) : COLOR\\n{\\n\\tfloat4 c0 = tex2D(s0, tex);\\n\\t\\n\\tfloat2 h = float2(0, 1/height);\\n\\tfloat4 c1 = tex2D(s0, tex-h);\\n\\tfloat4 c2 = tex2D(s0, tex+h);\\n\\tc0 = (c0*2+c1+c2)/4;\\n\\t\\n\\treturn c0;\\n}"

"5"="invert|ps_2_0|sampler s0 : register(s0);\\nfloat4 p0 : register(c0);\\nfloat4 p1 : register(c1);\\n\\n#define width (p0[0])\\n#define height (p0[1])\\n#define counter (p0[2])\\n#define clock (p0[3])\\n#define one_over_width (p1[0])\\n#define one_over_height (p1[1])\\n\\n#define PI acos(-1)\\n\\nfloat4 main(float2 tex : TEXCOORD0) : COLOR\\n{\\n\\tfloat4 c0 = float4(1, 1, 1, 1) - tex2D(s0, tex);\\n\\t\\n\\treturn c0;\\n}\\n"

"6"="procamp|ps_2_0|sampler s0 : register(s0);\\nfloat4 p0 : register(c0);\\nfloat4 p1 : register(c1);\\n\\n#define width (p0[0])\\n#define height (p0[1])\\n#define counter (p0[2])\\n#define clock (p0[3])\\n#define one_over_width (p1[0])\\n#define one_over_height (p1[1])\\n\\n#define PI acos(-1)\\n\\nstatic float4x4 r2y =\\n{\\n\\t0.299, 0.587, 0.114, 0,\\n\\t-0.147, -0.289, 0.437, 0,\\n\\t0.615, -0.515, -0.100, 0,\\n\\t0, 0, 0, 0\\n};\\n\\nstatic float4x4 y2r =\\n{\\n\\t1.0, 0.0, 1.140, 0, \\n\\t1.0, -0.394, -0.581, 0,\\n\\t1.0, 2.028, 0.0, 0, \\n\\t0, 0, 0, 0\\n};\\n\\n#define ymin (16.0/255)\\n#define ymax (235.0/255)\\n\\n// Brightness: -1.0 to 1.0, default 0.0\\n// Contrast: 0.0 to 10.0, default 1.0\\n// Hue: -180.0 to +180.0, default 0.0\\n// Saturation: 0.0 to 10.0, default 1.0\\n\\n#define Brightness 0.0\\n#define Contrast 1.0\\n#define Hue 0.0\\n#define Saturation 1.0\\n\\n// tv -> pc scale\\n// #define Brightness (-ymin)\\n// #define Contrast (1.0/(ymax-ymin))\\n\\nstatic float2x2 HueMatrix =\\n{\\n\\tcos(Hue * PI / 180), sin(Hue * PI / 180),\\n\\t-sin(Hue * PI / 180), cos(Hue * PI / 180)\\n};\\n\\nfloat4 main(float2 tex : TEXCOORD0) : COLOR\\n{\\n\\tfloat4 c0 = tex2D(s0, tex);\\n\\tc0 = mul(r2y, c0);\\n\\tc0.r = Contrast * (c0.r - ymin) + ymin + Brightness;\\n\\tc0.gb = mul(HueMatrix, c0.gb) * Saturation;\\n\\tc0 = mul(y2r, c0);\\n\\treturn c0; \\n}\\n"

"7"="contour|ps_2_0|sampler s0 : register(s0);\\nfloat4 p0 : register(c0);\\nfloat4 p1 : register(c1);\\n\\n#define width (p0[0])\\n#define height (p0[1])\\n#define counter (p0[2])\\n#define clock (p0[3])\\n#define one_over_width (p1[0])\\n#define one_over_height (p1[1])\\n\\n#define PI acos(-1)\\n\\nfloat4 main(float2 tex : TEXCOORD0) : COLOR\\n{\\n\\tfloat dx = 4/width;\\n\\tfloat dy = 4/height;\\n\\t\\n\\tfloat4 c2 = tex2D(s0, tex + float2(0,-dy));\\n\\tfloat4 c4 = tex2D(s0, tex + float2(-dx,0));\\n\\tfloat4 c5 = tex2D(s0, tex + float2(0,0));\\n\\tfloat4 c6 = tex2D(s0, tex + float2(dx,0));\\n\\tfloat4 c8 = tex2D(s0, tex + float2(0,dy));\\n\\t\\n\\tfloat4 c0 = (-c2-c4+c5*4-c6-c8);\\n\\tif(length(c0) < 1.0) c0 = float4(0,0,0,0);\\n\\telse c0 = float4(1,1,1,0);\\n\\t\\n\\treturn c0;\\n}\\n"

"8"="letterbox|ps_2_0|sampler s0 : register(s0);\\nfloat4 p0 : register(c0);\\nfloat4 p1 : register(c1);\\n\\n#define width (p0[0])\\n#define height (p0[1])\\n#define counter (p0[2])\\n#define clock (p0[3])\\n#define one_over_width (p1[0])\\n#define one_over_height (p1[1])\\n\\n#define PI acos(-1)\\n\\nfloat4 main(float2 tex : TEXCOORD0) : COLOR\\n{\\n\\tfloat4 c0 = 0;\\n\\t\\n\\tfloat2 ar = float2(16, 9);\\n\\tfloat h = (1 - width/height * ar.y/ar.x) / 2;\\n\\t\\n\\tif(tex.y >= h && tex.y <= 1-h)\\n\\t\\tc0 = tex2D(s0, tex);\\n\\t\\n\\treturn c0;\\n}"

"9"="nightvision|ps_2_0|sampler s0 : register(s0);\\n\\nfloat4 main(float2 tex : TEXCOORD0) : COLOR\\n{\\n\\tfloat c = dot(tex2D(s0, tex), float4(0.2, 0.6, 0.1, 0.1));\\n\\treturn float4(0,c,0,0);\\n}\\n"

"10"="wave|ps_2_0|sampler s0 : register(s0);\\nfloat4 p0 : register(c0);\\nfloat4 p1 : register(c1);\\n\\n#define width (p0[0])\\n#define height (p0[1])\\n#define counter (p0[2])\\n#define clock (p0[3])\\n#define one_over_width (p1[0])\\n#define one_over_height (p1[1])\\n\\n#define PI acos(-1)\\n\\nfloat4 main(float2 tex : TEXCOORD0) : COLOR\\n{\\n\\t// don't look at this for too long, you'll get dizzy :)\\n\\t\\n\\tfloat4 c0 = 0;\\n\\t\\n\\ttex.x += sin(tex.x+clock/0.3)/20;\\n\\ttex.y += sin(tex.x+clock/0.3)/20;\\n\\t\\n\\tif(tex.x >= 0 && tex.x <= 1 && tex.y >= 0 && tex.y <= 1)\\n\\t{\\n\\t\\tc0 = tex2D(s0, tex);\\n\\t}\\n\\t\\n\\treturn c0;\\n}\\n"

"11"="sharpen|ps_2_0|sampler s0 : register(s0); \\nfloat4 p0 : register(c0); \\nfloat4 p1 : register(c1); \\n \\n#define effect_width (1.6) \\n#define val0 (2.0) \\n#define val1 (-0.125) \\n\\n#define width (p0[0]) \\n#define height (p0[1]) \\n \\nfloat4 main(float2 tex : TEXCOORD0) : COLOR \\n{ \\n\\tfloat dx = effect_width/width; \\n\\tfloat dy = effect_width/height; \\n \\n\\tfloat4 c1 = tex2D(s0, tex + float2(-dx,-dy)) * val1; \\n\\tfloat4 c2 = tex2D(s0, tex + float2(0,-dy)) * val1; \\n\\tfloat4 c3 = tex2D(s0, tex + float2(-dx,0)) * val1; \\n\\tfloat4 c4 = tex2D(s0, tex + float2(dx,0)) * val1; \\n\\tfloat4 c5 = tex2D(s0, tex + float2(0,dy)) * val1; \\n\\tfloat4 c6 = tex2D(s0, tex + float2(dx,dy)) * val1; \\n\\tfloat4 c7 = tex2D(s0, tex + float2(-dx,+dy)) * val1; \\n\\tfloat4 c8 = tex2D(s0, tex + float2(+dx,-dy)) * val1; \\n\\tfloat4 c9 = tex2D(s0, tex) * val0; \\n\\t\\n\\tfloat4 c0 = (c1 + c2 + c3 + c4 + c5 + c6 + c7 + c8 +c9); \\n\\t\\n\\treturn c0; \\n}"

"12"="sphere|ps_2_0|sampler s0 : register(s0);\\nfloat4 p0 : register(c0);\\nfloat4 p1 : register(c1);\\n\\n#define width (p0[0])\\n#define height (p0[1])\\n#define counter (p0[2])\\n#define clock (p0[3])\\n#define one_over_width (p1[0])\\n#define one_over_height (p1[1])\\n\\n#define PI acos(-1)\\n\\nfloat4 main(float2 tex : TEXCOORD0) : COLOR\\n{\\n\\t// - this is a very simple raytracer, one sphere only\\n\\t// - no reflection or refraction, yet (my ati 9800 has a 64 + 32 instruction limit...)\\n\\t\\n\\tfloat3 pl = float3(3,-3,-4); // light pos\\n\\tfloat4 cl = 0.4; // light color\\n\\t\\n\\tfloat3 pc = float3(0,0,-1); // cam pos\\n\\tfloat3 ps = float3(0,0,0.5); // sphere pos\\n\\tfloat r = 0.65; // sphere radius\\n\\t\\n\\tfloat3 pd = normalize(float3(tex.x-0.5, tex.y-0.5, 0) - pc);\\n\\t\\n\\tfloat A = 1;\\n\\tfloat B = 2*dot(pd, pc - ps);\\n\\tfloat C = dot(pc - ps, pc - ps) - r*r;\\n\\tfloat D = B*B - 4*A*C;\\n\\t\\n\\tfloat4 c0 = 0;\\n\\t\\n\\tif(D >= 0)\\n\\t{\\n\\t\\t// t2 is the smaller, obviously...\\n\\t\\t// float t1 = (-B + sqrt(D)) / (2*A);\\n\\t\\t// float t2 = (-B - sqrt(D)) / (2*A);\\n\\t\\t// float t = min(t1, t2); \\n\\t\\t\\n\\t\\tfloat t = (-B - sqrt(D)) / (2*A);\\n\\t\\t\\n\\t\\t// intersection data\\n\\t\\tfloat3 p = pc + pd*t;\\n\\t\\tfloat3 n = normalize(p - ps);\\n\\t\\tfloat3 l = normalize(pl - p);\\n\\t\\t\\n\\t\\t// mapping the image onto the sphere\\n\\t\\ttex = acos(-n)/PI; \\n\\t\\t\\n\\t\\t// rotate it\\n\\t\\ttex.x = frac(tex.x + frac(clock/10));\\n\\t\\t\\n\\t\\t// diffuse + specular\\n\\t\\tc0 = tex2D(s0, tex) * dot(n, l) + cl * pow(max(dot(l, reflect(pd, n)), 0), 50);\\n\\t}\\n\\t\\n\\treturn c0;\\n}\\n"

"13"="grayscale|ps_2_0|sampler s0 : register(s0);\\nfloat4 p0 : register(c0);\\nfloat4 p1 : register(c1);\\n\\n#define width (p0[0])\\n#define height (p0[1])\\n#define counter (p0[2])\\n#define clock (p0[3])\\n#define one_over_width (p1[0])\\n#define one_over_height (p1[1])\\n\\n#define PI acos(-1)\\n\\nfloat4 main(float2 tex : TEXCOORD0) : COLOR\\n{\\n\\tfloat c0 = dot(tex2D(s0, tex), float4(0.299, 0.587, 0.114, 0));\\n\\t\\n\\treturn c0;\\n}\\n"

"14"="edge sharpen|ps_2_0|sampler s0 : register(s0); \\nfloat4 p0 : register(c0); \\nfloat4 p1 : register(c1); \\n\\n#define width (p0[0]) \\n#define height (p0[1]) \\n#define counter (p0[2]) \\n#define clock (p0[3]) \\n#define one_over_width (p1[0]) \\n#define one_over_height (p1[1]) \\n\\n#define PI acos(-1) \\n\\n#define NbPixel 1 \\n\\n#define Edge_threshold 0.2 \\n\\n#define Sharpen_val0 2.0 \\n#define Sharpen_val1 0.125 \\n\\nfloat4 main(float2 tex : TEXCOORD0) : COLOR \\n{ \\n float dx = NbPixel/width; \\n float dy = NbPixel/height; \\n float4 Res = 0; \\n\\n float4 c0 = tex2D(s0, tex); \\n float4 c1 = tex2D(s0, tex + float2(-dx,-dy)); \\n float4 c2 = tex2D(s0, tex + float2(0,-dy)); \\n float4 c3 = tex2D(s0, tex + float2(dx,-dy)); \\n float4 c4 = tex2D(s0, tex + float2(-dx,0)); \\n float4 c5 = tex2D(s0, tex + float2(dx,0)); \\n float4 c6 = tex2D(s0, tex + float2(-dx,dy)); \\n float4 c7 = tex2D(s0, tex + float2(0,dy)); \\n float4 c8 = tex2D(s0, tex + float2(dx,dy)); \\n\\n float4 delta1 = (c6+c4+c1-c3-c5-c8); \\n float4 delta2 = (c4+c1+c2-c5-c8-c7); \\n float4 delta3 = (c1+c2+c3-c8-c7-c6); \\n float4 delta4 = (c2+c3+c5-c7-c6-c4); \\n\\n float value = length(abs(delta1) + abs(delta2) + abs(delta3) + abs(delta4))/6; \\n\\n if(value > Edge_threshold ) \\n { \\n Res = c0 * Sharpen_val0 - (c1 + c2 + c3 + c4 + c5 + c6 + c7 + c8 ) * Sharpen_val1 ; \\n return Res; \\n } \\n else \\n return c0; \\n}"

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\ToolBars\Capture Settings]

"Visible"=dword:00000000

"DockState"=dword:0000e81c

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\ToolBars\Capture Settings\State-SCBar-0]

"sizeHorzCX"=dword:000000bf

"sizeHorzCY"=dword:000001b2

"sizeVertCX"=dword:000000bf

"sizeVertCY"=dword:000001b2

"sizeFloatCX"=dword:000000bf

"sizeFloatCY"=dword:000001b2

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\ToolBars\Playlist]

"Visible"=dword:00000000

"DockState"=dword:0000e81e

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\ToolBars\Playlist\State-SCBar-0]

"sizeHorzCX"=dword:000000c8

"sizeHorzCY"=dword:00000064

"sizeVertCX"=dword:000000c8

"sizeVertCY"=dword:00000064

"sizeFloatCX"=dword:000000c8

"sizeFloatCY"=dword:00000064

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\ToolBars\Shader Editor]

"Visible"=dword:00000000

"DockState"=dword:0000e81b

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\ToolBars\Shader Editor\State-SCBar-0]

"sizeHorzCX"=dword:00000129

"sizeHorzCY"=dword:0000006b

"sizeVertCX"=dword:00000129

"sizeVertCY"=dword:0000006b

"sizeFloatCX"=dword:00000129

"sizeFloatCY"=dword:0000006b

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\ToolBars\Subresync]

"Visible"=dword:00000000

"DockState"=dword:0000e81b

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Gabest\q_髼螛磃 *(*M*Y*M*P*C*)*\ToolBars\Subresync\State-SCBar-0]

"sizeHorzCX"=dword:000000c8

"sizeHorzCY"=dword:000000c8

"sizeVertCX"=dword:000000c8

"sizeVertCY"=dword:000000c8

"sizeFloatCX"=dword:000000c8

"sizeFloatCY"=dword:000000c8

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office PowerPoint\Settings\Sb*_]

"PositionInfo-Monitor1"=hex:4b,01,00,00,af,00,00,00,02,03,00,00,cc,01,00,00

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office PowerPoint\Settings\Sb*_\File Name MRU]

"Value"=multi:"\00\00"

"Maximum Entries"=dword:0000000a

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office PowerPoint\Settings\Sb*_\View]

"Data"=hex:04,16,00,47,28,14,14,14,0d,01,02,01,00,18,41,00,0d,00,fa,08,00,00,

90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,\

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office Word\Settings\Sb*_]

"PositionInfo-Monitor1"=hex:4b,01,00,00,af,00,00,00,02,03,00,00,cc,01,00,00

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office Word\Settings\Sb*_\File Name MRU]

"Value"=multi:"\00\00"

"Maximum Entries"=dword:0000000a

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office Word\Settings\Sb*_\View]

"Data"=hex:04,16,00,47,28,14,14,14,0d,01,02,01,00,18,41,00,0d,00,fa,08,00,00,

90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,\

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\I*E*4O]

"Order"=hex:08,00,00,00,02,00,00,00,10,02,00,00,01,00,00,00,04,00,00,00,80,00,

00,00,00,00,00,00,72,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,60,00,36,\

.

[HKEY_USERS\S-1-5-21-1614895754-1935655697-1417001333-500_Classes\Applications\q_髼螛磃.*l*n*k*\shell\open\command]

@="\"c:\\Documents and Settings\\Administrator\\桌面\\影音风暴.lnk\" %1"

.

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*膥鯪\CLSID]

@="{809B6661-94C4-49E6-B6EC-3F0F862215AA}"

.

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*膥鯪\CurVer]

@="BDATuner.组件.1"

.

[HKEY_LOCAL_MACHINE\software\Classes\7uu臺麐.*M*y*N*S*H*a*n*d*l*e*r*\Clsid]

@="{E8CFC029-8420-4EAE-ADEF-915BDC77E1DC}"

.

[HKEY_LOCAL_MACHINE\software\Classes\zzKNh忶廠*C*+R?.*M*y*N*S*H*a*n*d*l*e*r*\Clsid]

@="{E8CFC029-8420-4EAE-ADEF-915BDC77E1DC}"

.

[HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\G*o*o*g*l*e* *C*h*r*o*m*e* *Om葔hV\Capabilities]

"ApplicationName"="Google Chrome 浏览器"

"ApplicationIcon"="c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe,0"

"ApplicationDescription"="Google Chrome 浏览器是一款可高速运行网页和应用程序的网络浏览器。它快捷、稳定且易于使用。Google Chrome 浏览器内置的恶意软件和网上诱骗防护功能可让您更加安全地浏览网页。"

.

[HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\G*o*o*g*l*e* *C*h*r*o*m*e* *Om葔hV\Capabilities\FileAssociations]

".xhtml"="ChromeHTML"

".xht"="ChromeHTML"

".shtml"="ChromeHTML"

".html"="ChromeHTML"

".htm"="ChromeHTML"

.

[HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\G*o*o*g*l*e* *C*h*r*o*m*e* *Om葔hV\Capabilities\StartMenu]

"StartMenuInternet"="Google Chrome 浏览器"

.

[HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\G*o*o*g*l*e* *C*h*r*o*m*e* *Om葔hV\Capabilities\URLAssociations]

"https"="ChromeHTML"

"http"="ChromeHTML"

"ftp"="ChromeHTML"

.

[HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\G*o*o*g*l*e* *C*h*r*o*m*e* *Om葔hV\DefaultIcon]

@="c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe,0"

.

[HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\G*o*o*g*l*e* *C*h*r*o*m*e* *Om葔hV\InstallInfo]

"IconsVisible"=dword:00000001

"ShowIconsCommand"="\"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe\" --show-icons"

"HideIconsCommand"="\"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe\" --hide-icons"

"ReinstallCommand"="\"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe\" --make-default-browser"

.

[HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\G*o*o*g*l*e* *C*h*r*o*m*e* *Om葔hV\shell\open\command]

@="\"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe\""

.

--------------------- 运行进程下的动态链接库 ---------------------

.

- - - - - - - > 'explorer.exe'(2488)

c:\windows\system32\WPDShServiceObj.dll

c:\program files\WinSCP3\DragExt.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ 其他运行进程 ------------------------

.

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\locator.exe

c:\windows\system32\conime.exe

c:\windows\system32\wscntfy.exe

c:\windows\RTHDCPL.EXE

.

**************************************************************************

.

完成时间: 2011-07-24 19:50:21 - 电脑已重新启动

ComboFix-quarantined-files.txt 2011-07-24 23:50

ComboFix2.txt 2011-07-24 02:38

ComboFix3.txt 2011-07-23 14:34

ComboFix4.txt 2011-07-18 01:48

ComboFix5.txt 2011-07-24 23:37

.

Pre-Run: 7,909,699,584 可用字节

Post-Run: 7,899,082,752 可用字节

.

- - End Of File - - 2DB9052AC3B8D0D286D96E8D043808C7


I could not find my XP disc. It probably was packed with other stuff during the two moves during the past 4 years since I bought this computer.

So what are the options I have? Since I did not buy any new computers recently, I do not have Win7. But I do have a Windows Server system to install as a student.

Please let me list all the backup systems and tools I have for this computer:

1. This infected computer is a dual-boot system with Linux. So if anything went sour, I can dump out all my files from Linux and repair any missing files from Linux.

2. I have another computer which is also a dual-boot system with the same XP OS and a Linux system.

-----------------------------------------

As another thing to report, when I clicked a website today on this infected computer, the Java platform popped up again. So far, the machine seems normal. I am afraid of infection, because the endpoint protection has been uninstalled on this computer.

Any suggestion will be appreciated.

Many thanks,

Y


My sincerest apologies for the delay,

The Java thing should be okay. I have a feeling that a few files may be corrupted on your computer. Let's try this to see which ones are ;)

Please navigate to Start -> Run:

Once the Run box opens up, please type the following:

SFC.EXE /scannow

Then, press Enter. Windows will begin checking for and attempting to repair corrupted files. A log may be created; if so, please include it in your next reply.

Let me know how it goes ;)


Thanks a lot for the help,

After I entered SFC.EXE /scannow, the system showed the following prompt:

(((((((((((((

The files required for normal operation of Windows have been replaced by a version that cannot be identified. In order to maintain the stability of the system, Windows has to recover those files to the original version.

Please insert your Windows XP Professional Service Pack 3.

)))))))))))))))

And this prompt cannot be closed.

I will be away and be back in 3 hours and 30 minutes. Again, thanks a lot for your help,

Y


Well, your system appears to be clean; however, there is a lot of corruption going on due to the installation of Windows you have. I would highly suggest that you reinstall the operating system and start fresh... Since we are nearly finished, I can walk you through the closing steps. Please let me know what you would like to do at this point ;)


Thanks a lot for the help,

I think I will reinstall it, but not too soon, since time is too limited. I will do a full backup before I reinstall.

Could you help me to answer a question?

Since this infected system is a dual-boot system with different partitions for XP and Linux, do I need to format the Windows partition only, or all the partitions, if I am going to install the Windows Server system on this machine? If I can keep the Linux part intact, that would be great; otherwise it is going to be a great pain...

Y


Nope.

And the computer is now running fine.

Should I delete/uninstall diagnostic tools previously installed?

Thanks a lot for saving me from reinstalling the system without any preparation, and I believe those corrupted files might be due to many different infections during the past 4 years. :-)

This is great work!

Y


Glad to hear things are well ;)

Should I delete/uninstall diagnostic tools previously installed?

Sure, go ahead :)

I will now provide you with some suggestions for security software, but first, ComboFix must be uninstalled ;):

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

-------------

Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future. :)

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly. They usually have security updates every month. You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed. This is a crucial security measure.

You have NO antivirus program installed !

It is really dangerous to go online without an antivirus. Without one, you are extremely likely to get infected and the consequences could be even worse next time. All of the following are excellent free antiviruses. Be sure to only install one.

avast!

AntiVir

AVG

Please consider installing and running some of the following programs; they are either free or have free versions of commercial programs:

Spybot-Search & Destroy

A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features if you don't have the resident part of another anti-spyware program running.

SpywareBlaster

A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

SpywareGuard

A tutorial on using SpywareGuard for real-time protection against spyware and hijackers may be found here.

Please, consider maintaining a firewall with HIPS (Host Intrusion Prevention Systems). Firewalls are extremely important and are the first part of your computer's defense. HIPS stops malware by monitoring its behavior and it's very important, too.

A firewall is a software program or piece of hardware that helps screen out hackers, viruses, and worms that try to reach your computer over the Internet.

If you are using the Windows Firewall please note that it doesn't monitor or block outbound traffic and is therefore less effective than other free alternatives.

These firewalls are good and do have free versions available

A tutorial on understanding and using firewalls may be found here.

If you use Internet Explorer, it is a good idea to use IE-Spyad for ZonedOut which provides protections against malicious websites. (Requires 2 downloads)

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster and IE-Spyad can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

A similar category of programs is now called "scareware." Scareware programs are active infections that will pop up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different from the older version of rogues mentioned above.

Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker, and add-ons like NoScript can make it even more secure. Opera is another good option.

If you are interested, Firefox may be downloaded from here.

Opera is available here: http://www.opera.com/download/

For much more useful information, please also read Tony Klein's excellent article: How did I get infected in the first place

Hopefully these steps will help to keep you error-free. If you run into more difficulty, we will certainly do what we can to help. :)
