Thank you very much Belahzur for your help! The following are the scan results from before I uninstalled ComboFix.
ComboFix 10-01-04.01 - DONG 05/01/2010 16:39:01.3.2 - x86
执行位置: c:\users\DONG\Desktop\ComboFix.exe
Command switches used :: /u
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton AntiVirus *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
SP: Norton AntiVirus *disabled* (Updated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( 被删除的档案 )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\intel64.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\ntos.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\oembios.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\sdra64.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\twex.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\twext.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\wsnpoema.exe
----- BITS: Possible infected sites -----
hxxp://liveupdate.symantec.com
.
((((((((((((((((((((((((( 2009-12-05 至 2010-01-05 的新的档案 )))))))))))))))))))))))))))))))
.
2010-01-05 21:51 . 2010-01-05 21:51 -------- d-----w- c:\users\DONG\AppData\Local\temp
2010-01-05 21:51 . 2010-01-05 21:51 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-01-05 21:51 . 2010-01-05 21:51 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-05 21:51 . 2010-01-05 21:51 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2010-01-03 01:19 . 2009-12-30 19:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-03 01:19 . 2009-12-30 19:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-03 01:08 . 2010-01-03 01:08 -------- d-----w- c:\users\DONG\AppData\Roaming\Malwarebytes
2010-01-03 01:08 . 2010-01-03 01:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-02 15:15 . 2010-01-03 01:28 -------- d-----w- c:\users\DONG\AppData\Local\cnubkf
2009-12-30 15:52 . 2009-12-30 15:52 -------- d-----w- C:\StormMedia
2009-12-23 19:15 . 2009-12-23 19:15 -------- d-----w- c:\users\DONG\AppData\Roaming\Thinstall
2009-12-23 19:15 . 2009-12-23 19:15 -------- d-----w- c:\users\DONG\AppData\Local\Thinstall
2009-12-09 00:01 . 2009-11-09 13:22 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-09 00:01 . 2009-11-09 11:04 411136 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-09 00:01 . 2009-11-09 13:20 31232 ----a-w- c:\windows\system32\httpapi.dll
2009-12-08 23:23 . 2009-10-07 12:41 244224 ----a-w- c:\windows\system32\rastls.dll
2009-12-08 23:23 . 2009-10-07 12:41 281600 ----a-w- c:\windows\system32\raschap.dll
.
(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-05 14:37 . 2009-07-05 23:38 -------- d-----w- c:\users\DONG\AppData\Roaming\SogouPY
2010-01-05 03:22 . 2009-10-23 23:00 1356 ----a-w- c:\users\DONG\AppData\Local\d3d9caps.dat
2009-12-29 15:46 . 2009-10-01 00:21 -------- d-----w- c:\program files\Netease
2009-12-21 14:38 . 2009-07-06 00:21 -------- d-----w- c:\users\DONG\AppData\Roaming\GoodSync
2009-12-09 00:04 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-11-21 06:40 . 2009-12-08 23:24 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2009-12-08 23:24 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 06:34 . 2009-12-08 23:24 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 04:59 . 2009-12-08 23:24 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-03 01:42 . 2009-10-03 12:45 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 09:41 . 2009-11-25 14:11 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-16 12:59 . 2009-07-05 19:55 117632 ----a-w- c:\users\DONG\AppData\Local\GDIPFONTCACHEV1.DAT
.
(((((((((((((((((((((((((((((( SnapShot@2010-01-05_20.05.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-05 19:56 . 2010-01-05 21:06 16748 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-500399067-3763941887-1865380405-1003_UserData.bin
- 2009-07-05 19:35 . 2010-01-05 18:46 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-05 19:35 . 2010-01-05 21:37 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-05 19:35 . 2010-01-05 21:37 65536 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-05 19:35 . 2010-01-05 18:46 65536 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-05 19:35 . 2010-01-05 18:46 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-05 19:35 . 2010-01-05 21:37 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-01-05 19:50 . 2010-01-05 19:50 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-01-05 21:37 . 2010-01-05 21:37 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-01-05 19:50 . 2010-01-05 19:50 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-01-05 21:37 . 2010-01-05 21:37 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-10 21:32 . 2010-01-05 21:09 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2009-07-10 21:32 . 2010-01-05 17:53 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-07-05 17:48 . 2010-01-05 21:36 813472 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2009-07-05 17:48 . 2010-01-05 19:49 813472 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
.
((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-03-29 02:59 2953216 ----a-w- c:\program files\Protector Suite QL\farchns.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-03-29 02:59 2953216 ----a-w- c:\program files\Protector Suite QL\farchns.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10b.exe" [2009-02-03 240544]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 102400]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2009-7-5 25214]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"AlwaysShowClassicMenu"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-03-29 02:46 90112 ----a-w- c:\windows\System32\psqlpwd.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Clean Access Agent.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Clean Access Agent.lnk
backup=c:\windows\pss\Clean Access Agent.lnk.CommonStartup
backupExtension=.CommonStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2008-04-23 06:08 483328 ----a-w- c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 20:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2007-08-09 11:26 4702208 ----a-w- c:\windows\RtHDVCpl.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
"TOSCDSPD"=c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" /background
"updateMgr"=c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe AcPro7_1_0 -reboot 1
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe"
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" /startup
"HSON"=%ProgramFiles%\TOSHIBA\TBS\HSON.exe
"StartCCC"=c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
"LtMoh"=c:\program files\ltmoh\Ltmoh.exe
"SmoothView"=%ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
"00TCrdMain"=%ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
"TPwrMain"=%ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20091217.001\IDSvix86.sys [22/12/2009 10:23 PM 286768]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [25/01/2008 8:47 PM 149352]
R2 SSPORT;SSPORT;c:\windows\System32\drivers\SSPORT.SYS [27/11/2009 9:51 PM 5120]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [26/09/2009 10:00 PM 102448]
R3 FwLnk;FwLnk Driver;c:\windows\System32\drivers\FwLnk.sys [02/09/2007 6:50 AM 7168]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\System32\drivers\rtl8187B.sys [05/07/2009 2:39 PM 252416]
R3 SYMNDISV;SYMNDISV;c:\windows\System32\drivers\symndisv.sys [19/02/2009 12:31 PM 41008]
S3 COH_Mon;COH_Mon;c:\windows\System32\drivers\COH_Mon.sys [12/01/2008 9:32 PM 23888]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
‘计划任务’ 文件夹 里的内容
2010-01-05 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2009-07-16 14:54]
2010-01-05 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - DONG.job
- c:\program files\Norton AntiVirus\Navw32.exe [2008-02-07 14:05]
2010-01-05 c:\windows\Tasks\SDMsgUpdate (SD).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2009-10-05 18:39]
.
.
------- 而外的扫描 -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.shoptoshiba.ca/welcome
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: 使用迅雷下载 - c:\program files\Thunder\Program\geturl.htm
IE: 使用迅雷下载全部链接 - c:\program files\Thunder\Program\getallurl.htm
DPF: {1345F3CB-7C40-41C2-9AC2-87CF8B68E34E} - hxxp://swf.news.163.com/2008/v/NetEaseTV_GZ.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-05 16:52
Windows 6.0.6001 Service Pack 1 NTFS
扫描被隐藏的进程 。。。
扫描被隐藏的启动组 。。。
扫描被隐藏的文件 。。。
扫描完成
被隐藏的档案: 0
**************************************************************************
.
--------------------- 运行进程下的动态链接库 ---------------------
- - - - - - - > 'lsass.exe'(748)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll
.
完成时间: 2010-01-05 16:54:58
ComboFix-quarantined-files.txt 2010-01-05 21:54
ComboFix2.txt 2010-01-05 20:08
ComboFix3.txt 2010-01-05 16:10
Pre-Run: 73,532,780,544 bytes free
Post-Run: 73,502,162,944 bytes free
- - End Of File - - BC67FF5EBFDE7717067E21537B72D71C