ComboFix 11-03-06.05 - hez 07.03.2011 15:03:03.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2047.1574 [GMT 1:00]
Running from: c:\documents and settings\hez\Desktop\ComboFix.exe
AV: F-Secure Anti-Virus for Workstations 9.00 *Enabled/Updated* {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\favoritevideo\InvisibleFolder
c:\windows\system32\drivers\360SelfProtection.sys
.
----- BITS: Possible infected sites -----
.
hxxp://jsus.ivt.ntnu.no
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\Legacy_360SelfProtection
-------\Service_360SelfProtection
.
.
((((((((((((((((((((((((( Files Created from 2011-02-07 to 2011-03-07 )))))))))))))))))))))))))))))))
.
.
2011-03-07 14:17 . 2011-01-13 16:46 126680 ----a-w- c:\windows\system32\drivers\360SelfProtection.sys
2011-03-07 09:01 . 2011-03-07 09:01 106496 ----a-r- c:\documents and settings\hez\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut31_2F252077BA3F4362913955273A708467.exe
2011-03-07 09:01 . 2011-03-07 09:01 106496 ----a-r- c:\documents and settings\hez\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut1_EDD4ABB1C1B34A9D84CE33FBFB5D3639.exe
2011-03-04 10:34 . 2011-03-04 10:34 -------- d-----w- c:\documents and settings\hez\Application Data\F-Secure
2011-03-04 10:01 . 2011-03-04 10:01 -------- d-----w- c:\documents and settings\hez\Application Data\Malwarebytes
2011-03-04 08:16 . 2011-03-04 08:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Locktime
2011-02-07 11:37 . 2011-02-07 11:43 -------- d-----w- c:\program files\IP Address Shield
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 09:01 . 2010-02-08 16:43 106496 ----a-r- c:\documents and settings\hez\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut311_0951773981FA4AB2BC21B7DCEC95892A.exe
2011-01-21 14:44 . 2008-04-14 03:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-18 15:07 . 2010-10-25 12:26 82136 ----a-w- c:\windows\system32\drivers\BAPIDRV.SYS
2011-01-07 14:09 . 2008-04-14 03:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2011-01-06 14:02 . 2011-01-06 14:02 0 ----a-w- c:\windows\system32\nss23D.tmp
2011-01-06 09:40 . 2010-10-25 12:26 153304 ----a-w- c:\windows\system32\drivers\qutmdrv.sys
2010-12-31 13:10 . 2008-04-14 03:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-30 13:15 . 2010-10-25 12:26 30040 ----a-w- c:\windows\system32\drivers\qutmipc.sys
2010-12-22 12:34 . 2008-04-14 03:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2008-04-14 03:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2008-04-14 03:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2008-04-14 03:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26 . 2008-04-14 03:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2008-04-14 03:00 385024 ----a-w- c:\windows\system32\html.iec
2010-12-16 03:04 . 2010-12-16 03:04 3234672 ----a-w- c:\windows\system32\SogouPY.ime
2010-12-15 14:15 . 2010-10-25 12:26 60376 ----a-w- c:\windows\system32\drivers\hookport.sys
2010-12-15 12:52 . 2010-02-03 10:23 42664 ----a-w- c:\windows\system32\drivers\fsbts.sys
2010-12-09 15:15 . 2008-04-14 03:00 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2008-04-14 03:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42 . 2008-04-14 03:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2008-04-14 00:01 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-12-07 18:23 . 2010-10-25 12:26 150744 ----a-w- c:\windows\system32\drivers\360netmon.sys
2010-05-05 18:28 . 2010-05-31 14:10 253952 ----a-w- c:\program files\mozilla firefox\components\CheckTudouVa.dll
.
.
------- Sigcheck -------
.
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 1791B79392B2C5681F220423E7B14DCA . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-04-14 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0A0DDBD3-6641-40B9-873F-BBDD26D6C14E}]
2010-06-25 06:43 147928 ----a-w- c:\program files\easyMule\modules\IE2EM.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2D90D33C-DE76-42D0-9040-E4466DDC24AC}]
2010-02-04 08:36 120528 ----a-w- c:\program files\Thunder Network\Thunder\Program\EmbedDetectNow.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{43BEAFD9-E005-483D-A367-146BA6C8A32E}]
c:\program files\Tudou\??Tudou\tudouDetector.dll [?]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c14aa221-bae1-45f6-b0b3-90c23f2daa7d}]
2008-12-05 12:35 389120 ----a-w- c:\program files\Clue\adxloader.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6B896ADB-4A82-46e2-858C-13134782CE34}"= "c:\program files\Xmlbar\Tudou Downloader\IEBar\xbietb.dll" [2010-02-01 413696]
.
[HKEY_CLASSES_ROOT\clsid\{6b896adb-4a82-46e2-858c-13134782ce34}]
[HKEY_CLASSES_ROOT\XBIEBar.XBIEBarObj.1]
[HKEY_CLASSES_ROOT\TypeLib\{D4FB30ED-7DDB-4e2c-A7F2-C7B905D5D771}]
[HKEY_CLASSES_ROOT\XBIEBar.XBIEBarObj]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"F-Secure Manager"="c:\program files\F-Secure\Common\FSM32.EXE" [2009-11-26 301680]
"360Safetray"="c:\program files\360\360safe\safemon\360Tray.exe" [2011-02-14 959832]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"MaxGPOScriptWait"= 1200 (0x4b0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0200804]
Ime File REG_SZ SOGOUPY.IME
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3959417778-1711865379-3952174976-17514\Scripts\Logon\0\0]
"Script"=net
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3959417778-1711865379-3952174976-17514\Scripts\Logon\0\1]
"Script"=net
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3959417778-1711865379-3952174976-17514\Scripts\Logon\0\2]
"Script"=net
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3959417778-1711865379-3952174976-66367\Scripts\Logon\0\0]
"Script"=net
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3959417778-1711865379-3952174976-66367\Scripts\Logon\0\1]
"Script"=net
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3959417778-1711865379-3952174976-66367\Scripts\Logon\0\2]
"Script"=net
.
[HKLM\~\startupfolder\C:^Documents and Settings^hez^Start Menu^Programs^Startup^??????.lnk]
path=c:\documents and settings\hez\Start Menu\Programs\Startup\??????.lnk
backup=c:\windows\pss\??????.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2009-02-27 10:14 640376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2009-02-27 14:54 38768 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 15:57 948672 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 01:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-Secure TNB]
2009-11-26 09:22 1653360 ----a-w- c:\program files\F-Secure\FSGUI\tnbutil.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
2008-04-14 03:00 44032 ----a-w- c:\windows\ime\imkr6_1\imekrmig.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2008-04-14 03:00 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTudouAutoStart]
2007-09-21 10:26 958464 ----a-w- c:\program files\Tudou\iTudou\iTudou.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-12-13 16:16 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-16 20:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
2008-04-14 03:00 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2008-04-14 03:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2008-04-14 03:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPAP]
2010-09-20 05:07 185784 ----a-w- c:\program files\Common Files\PPLiveNetwork\PPAP.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2005-09-22 13:36 14854144 ----a-w- c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetRefresh]
2003-11-20 17:01 525824 ----a-w- c:\program files\COMPAQ\SetRefresh\SetRefresh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2009-09-29 22:13 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2011-01-12 16:07 1242448 ----a-w- c:\program files\Steam\Steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UUSeeMediaCenter]
2010-10-22 09:11 820600 ----a-w- c:\program files\Common Files\uusee\UUSeeMediaCenter.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TSUSVC"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"nlsvc"=2 (0x2)
"Microsoft Office Groove Audit Service"=3 (0x3)
"JavaQuickStarterService"=3 (0x3)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"gupdate"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"ATI Smart"=3 (0x3)
"Ati HotKey Poller"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"AdobeActiveFileMonitor7.0"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\uusee\\UUSeeMediaCenter.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [03.02.2010 11:23 42664]
R0 HookPort;HookPort;c:\windows\system32\drivers\hookport.sys [25.10.2010 13:26 60376]
R1 360netmon;360netmon;c:\windows\system32\drivers\360netmon.sys [25.10.2010 13:26 150744]
R1 360SelfProtection;360SelfProtection;c:\windows\system32\drivers\360SelfProtection.sys [07.03.2011 15:17 126680]
R1 BAPIDRV;BAPIDRV;c:\windows\system32\drivers\BAPIDRV.SYS [25.10.2010 13:26 82136]
R1 EfiMon;EfiSystemMon;c:\windows\system32\drivers\EfiMon.sys [13.08.2010 11:54 19712]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\F-Secure\HIPS\drivers\fshs.sys [03.02.2010 11:23 68080]
R1 nltdi;nltdi;c:\windows\system32\drivers\nltdi.sys [23.04.2007 12:03 82200]
R1 qutmdserv;Quantum DeepScanner Servers;c:\windows\system32\drivers\qutmdrv.sys [25.10.2010 13:26 153304]
R1 qutmipc;qutmipc;c:\windows\system32\drivers\qutmipc.sys [25.10.2010 13:26 30040]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure\Anti-Virus\minifilter\fsgk.sys [03.02.2010 11:22 130728]
R3 FSORSPClient;F-Secure ORSP Client;c:\program files\F-Secure\ORSP Client\fsorsp.exe [03.02.2010 11:23 63992]
S3 cxbu0wdm;CardMan 3x21;c:\windows\system32\drivers\cxbu0wdm.sys [18.08.2010 16:41 84608]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [14.04.2008 04:00 14336]
S4 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [16.09.2008 13:03 169312]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\F-Secure\Anti-Virus\win2k\fsfilter.sys [03.02.2010 11:22 39792]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\F-Secure\Anti-Virus\win2k\fsrec.sys [03.02.2010 11:22 25200]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [24.03.2010 15:08 136176]
S4 TSUSVC;Tencent Software Update Service;c:\program files\Tencent\QQSoftMgr\1.0.338.203\TencentUpdateSvc.exe [09.12.2008 10:22 116040]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 360SELFPROTECTION
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
vvdsvc REG_MULTI_SZ vvdsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-07 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3959417778-1711865379-3952174976-66367.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-09 17:38]
.
2011-03-07 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3959417778-1711865379-3952174976-66367.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-09 17:38]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
uInternet Settings,ProxyOverride = local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Download by easyMule - c:\program files\easyMule\IE2EM.htm
IE: E&ksporter til Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Use [ViDown] to download all links - c:\program files\ViDown\vd_linkall.htm
IE: Use [ViDown] to download video - c:\program files\ViDown\vd_link.htm
IE: ??iTudou???? - c:\program files\Tudou\iTudou\iTudou_Link.HTM
IE: ?????? - c:\program files\Thunder Network\Thunder\Program\GetUrl.htm
IE: ?????????? - c:\program files\Thunder Network\Thunder\Program\GetAllUrl.htm
IE: ???????? - c:\program files\Thunder Network\Thunder\Program\repairimage.htm
IE: ???????? - c:\program files\Thunder Network\Thunder\Program\OfflineDownload.htm
IE: ??&Xmlbar?? - http://www.xmlbar.com/iebar/iemenu.php?lang=Chinese Simplified&ver=1.0
IE: {{612F6E5C-B314-4bab-93D1-D266AAFBE700} - c:\program files\Xmlbar\Tudou Downloader\TudouDownloader(xmlbar).exe
Trusted Zone: buypass.no
Trusted Zone: headit.no
Trusted Zone: norsk-tipping.no
FF - ProfilePath - c:\documents and settings\hez\Application Data\Mozilla\Firefox\Profiles\3cabpzju.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: network.proxy.type - 2
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: QuickStores-Toolbar: quickstores@quickstores.de - c:\program files\Mozilla Firefox\extensions\quickstores@quickstores.de
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: QuickStores-Toolbar: quickstores@quickstores.de - %profile%\extensions\quickstores@quickstores.de
FF - Ext: CCTV player plugin for Firefox: cctvplayer-plugin@www.cctv.com - %profile%\extensions\cctvplayer-plugin@www.cctv.com
FF - Ext: IE Tab 2 (FF 3.6+): {1BC9BA34-1EED-42ca-A505-6D2F1A935BBB} - %profile%\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}
.
.
------- File Associations -------
.
txtfile=c:\windows\notepad.exe %1
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-WinAVI MP4 Converter V2.2??????? - c:\program files\WinAVI MP4 Converter V2.2???????\Uninstall.exe
AddRemove-???? - c:\program files\Tudou\??Tudou\uninst.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-07 15:17
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(528)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(2104)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\SCardSvr.exe
c:\program files\F-Secure\Anti-Virus\fsgk32st.exe
c:\program files\F-Secure\Common\FSMA32.EXE
c:\program files\F-Secure\Anti-Virus\FSGK32.EXE
c:\windows\system32\locator.exe
c:\program files\F-Secure\Common\FSHDLL32.EXE
c:\program files\F-Secure\Common\FNRB32.EXE
c:\program files\F-Secure\Anti-Virus\fssm32.exe
c:\program files\F-Secure\Common\FIH32.EXE
c:\program files\F-Secure\Anti-Virus\fsav32.exe
.
**************************************************************************
.
Completion time: 2011-03-07 15:25:22 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-07 14:25
ComboFix2.txt 2011-03-04 09:01
.
Pre-Run: 186 483 761 152 bytes free
Post-Run: 186 578 178 048 bytes free
.
- - End Of File - - 6A73E7BD8BE0A2A6D1C06F2AE3E9AA43