Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

multiple virus attack affecting explore [RESOLVED]


  • This topic is locked This topic is locked

#1
bj2008

bj2008

    Member

  • Member
  • PipPip
  • 15 posts
Hi

Your help will be sooo much appreciated since I don't know my head from my toes when it comes to pc, especially viruses.

I have follwed the guidelines set out above and downloaded the programs.

Problem. a week ago I used a friends portal Hard Disk to copy over work files, directly after that my virus program dtected a number of virus on my pc (turns out my friend pc was infected with the trojan horse PSW and Online.PSW trojan horse and it some how mutated to the portable and then to my pc). It has made my pc slower and prevented me from accessing program files via the start button and sometimes just shuts down my pc for no reason.

I did not download new antivirus but used my one, its is chinese version called rising

Below re the data you require. Let me just say thank you in advance here..........

KH



HIJACK THIS FILE


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:25:20, on 2008-1-6
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
C:\Program Files\Rising\Rav\Ravmond.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Rising\Rav\RavStub.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Rising\Rav\RavService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\tp4mon.exe
C:\Program Files\Rising\Rav\RavTray.exe
C:\Program Files\Rising\Rav\RavTask.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Rising\Rav\Ravmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

F2 - REG:system.ini: UserInit=userinit.exe,
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [IMSCMig] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
O4 - HKLM\..\Run: [RavTray] "C:\Program Files\Rising\Rav\RavTray.exe"
O4 - HKLM\..\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [YLive.exe] C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
O4 - HKLM\..\Run: [CnsM.dll] Rundll32.exe C:\PROGRA~1\3721\CnsM.dll,Rundll32
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: >> 彩信发送 << - res://C:\PROGRA~1\MMSASS~1\Mmsass~1.dll/mms.htm
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 转换为 Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: 转换为现有 PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: 转换选定的链接为 Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: 转换选定的链接为现有 PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: 转换选项为 Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: 转换选项为现有 PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: 转换链接目标为 Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: 转换链接目标为现有 PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 控制台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Yahoo 3.5G电邮 - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.zs.yahoo.c...p;btn=yahoomail (file missing)
O9 - Extra button: 名品折扣 - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://adtaobao.ally...?allyesPara=816 (file missing)
O9 - Extra button: 雅虎助手 - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://cn.zs.yahoo.c...amp;btn=yassist (file missing)
O9 - Extra button: 雅虎WIDGET - {6354ABE6-05F1-49ed-B850-E423120EC338} - http://cn.widget.yah....htm?source=Cns (file missing)
O9 - Extra button: (no name) - {6671A433-5C3D-463d-A7CF-5587F9B7E191} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: MMSAssist工具条设置 - {6671A433-5C3D-463d-A7CF-5587F9B7E191} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Skype add-on - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: 信息检索 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: 词霸 - {9A687CA6-D585-4947-9ED9-BE96071F5CD9} - C:\PROGRA~1\Kingsoft\POWERW~1\XDictExB.dll
O9 - Extra button: 易趣购物 - {DE607142-AC19-422e-863A-3D70ABDF119A} - http://click2.ad4all...ge/url.asp?id=5 (file missing)
O9 - Extra 'Tools' menuitem: 易趣购物 - {DE607142-AC19-422e-863A-3D70ABDF119A} - http://click2.ad4all...ge/url.asp?id=5 (file missing)
O9 - Extra button: 情景聊天 - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.zs.yahoo.c...mp;btn=yahoomsg (file missing)
O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.c...c...&btn=repair (file missing)
O9 - Extra 'Tools' menuitem: 修复浏览器 - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.c...c...&btn=repair (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.c...c...s&btn=clean (file missing)
O9 - Extra 'Tools' menuitem: 清理上网记录 - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.c...c...s&btn=clean (file missing)
O11 - Options group: [!CNS] 中文上网
O16 - DPF: {05C1004E-2596-48E5-8E26-39362985EEB9} (MMCPlayer Class) - http://p3p.sogou.com/MMCShell.cab
O16 - DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} (Edit Class) - https://www.sz1.cmbc...oad/CMBEdit.cab
O16 - DPF: {A3CD7F74-93C9-4BC4-B892-CCDF1514F714} (Submit Class) - https://pbank.95559....nk/ocx/safe.cab
O16 - DPF: {ECCBA956-80E5-11D3-9285-0080ADB811C9} (safeInput Class) - https://pbank.95559....fe_bankcomm.cab
O18 - Protocol: dic - {C21F5C32-F57A-4A0D-8E0A-B672691C52D0} - C:\PROGRA~1\Kingsoft\POWERW~1\XDictExB.dll
O20 - AppInit_DLLs: hookhelp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ImpsSensor - C:\WINDOWS\SYSTEM32\ImpsSensor.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: P4P Service - Unknown owner - C:\Program Files\Common Files\Sogou PXP\p2psvr.exe (file missing)
O23 - Service: RavService - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\RavService.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\Ravmond.exe

--
End of file - 9477 bytes

HIJACK THIS UNINSTALL



3ivx D4 4.0.3 (remove only)
Adobe Acrobat 7.0 Professional - ChineseS
Adobe Flash Player 9 ActiveX
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 7.0 - Chinese Simplified
AVG Anti-Spyware 7.5
CMBEdit
Fetion 2006
HijackThis 2.0.2
IBM ThinkPad Power Management Driver
J2SE Runtime Environment 5.0 Update 9
Microsoft Office Professional Edition 2003
MMSAssist
Mozilla Firefox (2.0.0.11)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Print Server
RealPlayer
safeInput2.3
Samsung SCX-4x21 Series
Skype (BETA)
Skype add-on for IE
Sony Ericsson PC Suite
SUPERAntiSpyware Free Edition
Tencent Traveler 3.1 Beta2
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Player (KB911564) 安全更新
Windows Media Player 6.4 (KB925398) 安全更新
Windows Media Player 9 (KB917734) 安全更新
Windows Media Player 9 (KB936782) 安全更新
Windows XP (KB923689) 安全更新
Windows XP (KB941569) 安全更新
Windows XP 安全更新 (KB890046)
Windows XP 安全更新 (KB893756)
Windows XP 安全更新 (KB896358)
Windows XP 安全更新 (KB896423)
Windows XP 安全更新 (KB896424)
Windows XP 安全更新 (KB896428)
Windows XP 安全更新 (KB899587)
Windows XP 安全更新 (KB899589)
Windows XP 安全更新 (KB899591)
Windows XP 安全更新 (KB900725)
Windows XP 安全更新 (KB901017)
Windows XP 安全更新 (KB901190)
Windows XP 安全更新 (KB901214)
Windows XP 安全更新 (KB902400)
Windows XP 安全更新 (KB904706)
Windows XP 安全更新 (KB905414)
Windows XP 安全更新 (KB905749)
Windows XP 安全更新 (KB908519)
Windows XP 安全更新 (KB911562)
Windows XP 安全更新 (KB911567)
Windows XP 安全更新 (KB911927)
Windows XP 安全更新 (KB912919)
Windows XP 安全更新 (KB913433)
Windows XP 安全更新 (KB913580)
Windows XP 安全更新 (KB914388)
Windows XP 安全更新 (KB914389)
Windows XP 安全更新 (KB917159)
Windows XP 安全更新 (KB917344)
Windows XP 安全更新 (KB917422)
Windows XP 安全更新 (KB917953)
Windows XP 安全更新 (KB918118)
Windows XP 安全更新 (KB918439)
Windows XP 安全更新 (KB918899)
Windows XP 安全更新 (KB919007)
Windows XP 安全更新 (KB920213)
Windows XP 安全更新 (KB920214)
Windows XP 安全更新 (KB920670)
Windows XP 安全更新 (KB920683)
Windows XP 安全更新 (KB920685)
Windows XP 安全更新 (KB921398)
Windows XP 安全更新 (KB921503)
Windows XP 安全更新 (KB921883)
Windows XP 安全更新 (KB922616)
Windows XP 安全更新 (KB922760)
Windows XP 安全更新 (KB922819)
Windows XP 安全更新 (KB923191)
Windows XP 安全更新 (KB923414)
Windows XP 安全更新 (KB923694)
Windows XP 安全更新 (KB923980)
Windows XP 安全更新 (KB924191)
Windows XP 安全更新 (KB924270)
Windows XP 安全更新 (KB924496)
Windows XP 安全更新 (KB924667)
Windows XP 安全更新 (KB925454)
Windows XP 安全更新 (KB925486)
Windows XP 安全更新 (KB925902)
Windows XP 安全更新 (KB926255)
Windows XP 安全更新 (KB926436)
Windows XP 安全更新 (KB927779)
Windows XP 安全更新 (KB927802)
Windows XP 安全更新 (KB928090)
Windows XP 安全更新 (KB928255)
Windows XP 安全更新 (KB928843)
Windows XP 安全更新 (KB929123)
Windows XP 安全更新 (KB929969)
Windows XP 安全更新 (KB930178)
Windows XP 安全更新 (KB931261)
Windows XP 安全更新 (KB931768)
Windows XP 安全更新 (KB931784)
Windows XP 安全更新 (KB932168)
Windows XP 安全更新 (KB933566)
Windows XP 安全更新 (KB933729)
Windows XP 安全更新 (KB935839)
Windows XP 安全更新 (KB935840)
Windows XP 安全更新 (KB936021)
Windows XP 安全更新 (KB937143)
Windows XP 安全更新 (KB937894)
Windows XP 安全更新 (KB938127)
Windows XP 安全更新 (KB938829)
Windows XP 安全更新 (KB939653)
Windows XP 安全更新 (KB941202)
Windows XP 安全更新 (KB941568)
Windows XP 安全更新 (KB942615)
Windows XP 安全更新 (KB943460)
Windows XP 安全更新 (KB944653)
Windows XP 更新 (KB894391)
Windows XP 更新 (KB898461)
Windows XP 更新 (KB900485)
Windows XP 更新 (KB908531)
Windows XP 更新 (KB910437)
Windows XP 更新 (KB911280)
Windows XP 更新 (KB916595)
Windows XP 更新 (KB920872)
Windows XP 更新 (KB922582)
Windows XP 更新 (KB927891)
Windows XP 更新 (KB929338)
Windows XP 更新 (KB930916)
Windows XP 更新 (KB931836)
Windows XP 更新 (KB933360)
Windows XP 更新 (KB936357)
Windows XP 更新 (KB938828)
Windows XP 更新 (KB942763)
Windows XP 更新 (KB942840)
Windows XP 修补程序包 - KB873339
Windows XP 修补程序包 - KB885835
Windows XP 修补程序包 - KB885836
Windows XP 修补程序包 - KB886185
Windows XP 修补程序包 - KB886677
Windows XP 修补程序包 - KB887472
Windows XP 修补程序包 - KB888302
Windows XP 修补程序包 - KB890859
Windows XP 修补程序包 - KB891781
WinRAR 压缩文件管理器
暴风影音
金山词霸 2003
快乐影音 3.52
瑞星杀毒软件网络版
搜狐播放器 2.1.0.8
中文上网




AVG SPYWARE REPORT


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 17:24:55 2008-1-5

+ Scan result:



C:\WINDOWS\system32\cacb.dll -> Adware.BHO : Cleaned with backup (quarantined).
C:\WINDOWS\system32\webdll.dll -> Adware.BHO : Cleaned with backup (quarantined).
C:\Program Files\MMSAssist\Mmsass~1.dll -> Adware.Boran : Cleaned with backup (quarantined).
C:\Program Files\3721\CNSMIN.DAT -> Adware.Cdn : Cleaned with backup (quarantined).
C:\Program Files\3721\alliveex.dll -> Adware.Cdn : Cleaned with backup (quarantined).
C:\Program Files\3721\alrex.dll -> Adware.Cdn : Cleaned with backup (quarantined).
C:\Program Files\3721\scrblock.dll -> Adware.Cdn : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CnsHint.cab/CnsHint.dll -> Adware.Cdn : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CnsMinDT.cab/cnsmin2.dat -> Adware.Cdn : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CnsMinDT.cab/cnsmindt.dll -> Adware.Cdn : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CnsMinDT.dll -> Adware.Cdn : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CnsMinEx.cab/CnsMinEx.dll -> Adware.Cdn : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CnsMinEx.dll -> Adware.Cdn : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CnsMinIO.cab/CnsIO.dll -> Adware.Cdn : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\cnshint.dll -> Adware.Cdn : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\cnsio.dll -> Adware.Cdn : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\keepmainM.cab/cnsminkp.vxd -> Adware.Cdn : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\keepmainM.cab/cnsminkp2k.sys -> Adware.Cdn : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\keepmainM.cab/cnsminkpxp.sys -> Adware.Cdn : Cleaned with backup (quarantined).
C:\WINDOWS\system32\drivers\CnsMinKP.sys -> Adware.Cdn : Cleaned with backup (quarantined).
[1000] C:\WINDOWS\DOWNLO~1\cnsio.dll -> Adware.Cdn : Cleaned with backup (quarantined).
C:\Program Files\Yahoo!\Assistant\yalliveex.dll -> Adware.Cdnup : Cleaned with backup (quarantined).
HKLM\SOFTWARE\3721 -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\3721\Assist -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\3721\Assist\Modules -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\3721\AutoLive -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\3721\AutoLive\scrblock -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\3721\CnsMin -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\3721\CnsMinCg -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\3721\CnsMin\CnsMinEx -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\3721\CnsMin\Variant -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\AutoLive.Live -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\AutoLive.Live.1 -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\AutoLive.Live\CLSID -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\AutoLive.Live\CurVer -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CnsHelper.CH -> Adware.CnsMin : Error during cleaning.
HKLM\SOFTWARE\Classes\CnsHelper.CH.1 -> Adware.CnsMin : Error during cleaning.
HKLM\SOFTWARE\Classes\CnsHelper.CH\CLSID -> Adware.CnsMin : Error during cleaning.
HKLM\SOFTWARE\Classes\CnsHelper.CH\CurVer -> Adware.CnsMin : Error during cleaning.
HKLM\SOFTWARE\Classes\CnsMinHK.CnsHook -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CnsMinHK.CnsHook.1 -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CnsMinHK.CnsHook\CLSID -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CnsMinHK.CnsHook\CurVer -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CoolBar.CoolBarObj -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CoolBar.CoolBarObj.1 -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CoolBar.CoolBarObj\CLSID -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CoolBar.CoolBarObj\CurVer -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\!CNS -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\!CNS\AutoUpdate -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\!CNS\Enable -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\!CNS\Hint -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\!CNS\List -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\!CNS\Reset -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\!CNS\ResetCatch -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\!CNS\Tips -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CnsMin -> Adware.CnsMin : Cleaned with backup (quarantined).
HKU\S-1-5-21-1409082233-1993962763-842925246-1004\Software\3721 -> Adware.CnsMin : Cleaned with backup (quarantined).
HKU\S-1-5-21-1409082233-1993962763-842925246-1004\Software\3721\CnsMin -> Adware.CnsMin : Cleaned with backup (quarantined).
HKU\S-1-5-21-1409082233-1993962763-842925246-1004\Software\3721\CnsMin\Variant -> Adware.CnsMin : Cleaned with backup (quarantined).
HKU\S-1-5-21-1409082233-1993962763-842925246-1004\Software\3721\CnsUrl -> Adware.CnsMin : Cleaned with backup (quarantined).
HKU\S-1-5-21-1409082233-1993962763-842925246-1004\Software\3721\InputCns -> Adware.CnsMin : Cleaned with backup (quarantined).
HKU\S-1-5-21-1409082233-1993962763-842925246-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{38928D50-8A48-44C2-945F-D2F23F771410} -> Adware.CnsMin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6671A431-5C3D-463d-A7CF-5587F9B7E191} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1409082233-1993962763-842925246-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6671A431-5C3D-463D-A7CF-5587F9B7E191} -> Adware.Generic : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP323\A0073159.exe -> Adware.Sohu : Cleaned with backup (quarantined).
C:\Program Files\Yahoo!\Assistant\YAlive.dll/Assist\yasbar.dll/sremove.exe -> Adware.Yassist : Cleaned with backup (quarantined).
C:\Program Files\Yahoo!\Assistant\YAlive.dll/yhelper.dll -> Adware.Yassist : Cleaned with backup (quarantined).
C:\Program Files\Yahoo!\Assistant\YAlive.dll/ylive.exe -> Adware.Yassist : Cleaned with backup (quarantined).
C:\Program Files\Tencent\TT\TCPlus.exe -> Downloader.Agent : Cleaned with backup (quarantined).
C:\Program Files\3721\helper.dll -> Downloader.AutoLive : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CnsMinAL.cab/AutoLive.dll/Helper.dll -> Downloader.AutoLive : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\keepmainM.cab/cns1.exe -> Downloader.Baido : Cleaned with backup (quarantined).
C:\WINDOWS\system32\cns.exe -> Downloader.Baido : Cleaned with backup (quarantined).
D:\3people\HR\中石化人力处长刘凯股权激励.htm -> Downloader.IFrame.ay : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ratbqtl.exe -> Trojan.Agent : Cleaned with backup (quarantined).
C:\Program Files\Herosoft\Hero 9\SysExplr.exe -> Trojan.Inject.av : Cleaned with backup (quarantined).
C:\WINDOWS\system32\kvdxkis.exe -> Trojan.OnLineGames.dwe : Cleaned with backup (quarantined).
C:\WINDOWS\system32\swrcfac.exe -> Trojan.OnLineGames.dwe : Cleaned with backup (quarantined).
C:\WINDOWS\system32\jsqxazc.exe -> Trojan.OnLineGames.eza : Cleaned with backup (quarantined).
C:\WINDOWS\system32\kawdhaz.exe -> Trojan.OnLineGames.gih : Cleaned with backup (quarantined).
C:\WINDOWS\system32\sidjjaz.exe -> Trojan.OnLineGames.gih : Cleaned with backup (quarantined).
C:\WINDOWS\system32\okmhbaz.exe -> Trojan.OnLineGames.khi : Cleaned with backup (quarantined).
C:\WINDOWS\system32\sidjhaz.exe -> Trojan.OnLineGames.kpq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\avwlgst.exe -> Trojan.OnLineGames.kqd : Cleaned with backup (quarantined).
C:\WINDOWS\system32\kawdfaz.exe -> Trojan.OnLineGames.kqd : Cleaned with backup (quarantined).
C:\WINDOWS\PTSShell.exe -> Trojan.OnLineGames.ksq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\kvdxskis.exe -> Trojan.OnLineGames.ktk : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ratbotl.exe -> Trojan.OnLineGames.ktl : Cleaned with backup (quarantined).
C:\WINDOWS\LotusHlp.exe -> Trojan.OnLineGames.kvn : Cleaned with backup (quarantined).
C:\WINDOWS\SSLDyn.exE -> Trojan.OnLineGames.kwk : Cleaned with backup (quarantined).
C:\WINDOWS\system32\SSLDyn.dll -> Trojan.OnLineGames.kwk : Cleaned with backup (quarantined).
C:\WINDOWS\system32\irlbtp.dll -> Trojan.OnLineGames.kwk : Cleaned with backup (quarantined).
C:\WINDOWS\system32\kvdxjisa.exe -> Trojan.OnLineGames.let : Cleaned with backup (quarantined).
C:\WINDOWS\system32\swjqbac.exe -> Trojan.OnLineGames.let : Cleaned with backup (quarantined).
C:\WINDOWS\system32\sidjiaz.exe -> Trojan.OnLineGames.lrb : Cleaned with backup (quarantined).
C:\Program Files\lsassc.exe -> Trojan.QQPass.ajl : Cleaned with backup (quarantined).
C:\WINDOWS\system32\wxptdi.sys -> Worm.Downloader.aw : Cleaned with backup (quarantined).




[1000] C:\WINDOWS\DOWNLO~1\cnsio.dll -> Adware.Cdn : Cleaned.
HKLM\SOFTWARE\3721 -> Adware.CnsMin : Cleaned.
HKLM\SOFTWARE\3721\CnsMin -> Adware.CnsMin : Cleaned.
HKLM\SOFTWARE\Classes\CnsHelper.CH -> Adware.CnsMin : Error during cleaning.
HKLM\SOFTWARE\Classes\CnsHelper.CH.1 -> Adware.CnsMin : Error during cleaning.
HKLM\SOFTWARE\Classes\CnsHelper.CH\CLSID -> Adware.CnsMin : Error during cleaning.
HKLM\SOFTWARE\Classes\CnsHelper.CH\CurVer -> Adware.CnsMin : Error during cleaning.


SUPER SPYWARE REPORT


SUPERAntiSpyware Scan Log
Generated 01/05/2008 at 08:14 PM

Application Version : 3.6.1000

Core Rules Database Version : 3190
Trace Rules Database Version: 1200

Scan type : Complete Scan
Total Scan Time : 02:20:55

Memory items scanned : 405
Memory threats detected : 0
Registry items scanned : 4848
Registry threats detected : 47
File items scanned : 66786
File threats detected : 3

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{77962960-536E-47EC-9DDB-52651519705F}
HKCR\CLSID\{77962960-536E-47EC-9DDB-52651519705F}
HKCR\CLSID\{77962960-536E-47EC-9DDB-52651519705F}
HKCR\CLSID\{77962960-536E-47EC-9DDB-52651519705F}\InprocServer32
HKCR\CLSID\{77962960-536E-47EC-9DDB-52651519705F}\InprocServer32#ThreadingModel
HKCR\CLSID\{77962960-536E-47EC-9DDB-52651519705F}\ProgID
HKCR\CLSID\{77962960-536E-47EC-9DDB-52651519705F}\Programmable
HKCR\CLSID\{77962960-536E-47EC-9DDB-52651519705F}\TypeLib
HKCR\CLSID\{77962960-536E-47EC-9DDB-52651519705F}\VersionIndependentProgID
C:\WINDOWS\SYSTEM32\CACB.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77962960-536E-47EC-9DDB-52651519705F}

Coolbar Shell Execute Hook by 3721.com
HKLM\Software\Classes\CLSID\{B83FC273-3522-4CC6-92EC-75CC86678DA4}
HKCR\CLSID\{B83FC273-3522-4CC6-92EC-75CC86678DA4}
HKCR\CLSID\{B83FC273-3522-4CC6-92EC-75CC86678DA4}
HKCR\CLSID\{B83FC273-3522-4CC6-92EC-75CC86678DA4}\Control
HKCR\CLSID\{B83FC273-3522-4CC6-92EC-75CC86678DA4}\Implemented Categories
HKCR\CLSID\{B83FC273-3522-4CC6-92EC-75CC86678DA4}\InprocServer32
HKCR\CLSID\{B83FC273-3522-4CC6-92EC-75CC86678DA4}\InprocServer32#ThreadingModel
HKCR\CLSID\{B83FC273-3522-4CC6-92EC-75CC86678DA4}\Insertable
HKCR\CLSID\{B83FC273-3522-4CC6-92EC-75CC86678DA4}\MiscStatus
HKCR\CLSID\{B83FC273-3522-4CC6-92EC-75CC86678DA4}\MiscStatus\1
HKCR\CLSID\{B83FC273-3522-4CC6-92EC-75CC86678DA4}\ProgID
HKCR\CLSID\{B83FC273-3522-4CC6-92EC-75CC86678DA4}\Programmable
HKCR\CLSID\{B83FC273-3522-4CC6-92EC-75CC86678DA4}\ToolboxBitmap32
HKCR\CLSID\{B83FC273-3522-4CC6-92EC-75CC86678DA4}\TypeLib
HKCR\CLSID\{B83FC273-3522-4CC6-92EC-75CC86678DA4}\Version
HKCR\CLSID\{B83FC273-3522-4CC6-92EC-75CC86678DA4}\VersionIndependentProgID
C:\WINDOWS\DOWNLOADED PROGRAM FILES\CNSMIN.DLL

CNS Module BHO
HKLM\Software\Classes\CLSID\{D157330A-9EF3-49F8-9A67-4141AC41ADD4}
HKCR\CLSID\{D157330A-9EF3-49F8-9A67-4141AC41ADD4}
HKCR\CLSID\{D157330A-9EF3-49F8-9A67-4141AC41ADD4}
HKCR\CLSID\{D157330A-9EF3-49F8-9A67-4141AC41ADD4}\Implemented Categories
HKCR\CLSID\{D157330A-9EF3-49F8-9A67-4141AC41ADD4}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}
HKCR\CLSID\{D157330A-9EF3-49F8-9A67-4141AC41ADD4}\InprocServer32
HKCR\CLSID\{D157330A-9EF3-49F8-9A67-4141AC41ADD4}\InprocServer32#ThreadingModel
HKCR\CLSID\{D157330A-9EF3-49F8-9A67-4141AC41ADD4}\ProgID
HKCR\CLSID\{D157330A-9EF3-49F8-9A67-4141AC41ADD4}\Programmable
HKCR\CLSID\{D157330A-9EF3-49F8-9A67-4141AC41ADD4}\TypeLib
HKCR\CLSID\{D157330A-9EF3-49F8-9A67-4141AC41ADD4}\VersionIndependentProgID
C:\WINDOWS\DOWNLO~1\CNSHOOK.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D157330A-9EF3-49F8-9A67-4141AC41ADD4}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{D157330A-9EF3-49F8-9A67-4141AC41ADD4}
HKCR\CnsMinHK.CnsHook.1
HKCR\CnsMinHK.CnsHook
HKCR\TypeLib\{A5ADEAE7-A8B4-4F94-9128-BF8D8DB5E927}
HKCR\TypeLib\{A5ADEAE7-A8B4-4F94-9128-BF8D8DB5E927}\1.0
HKCR\TypeLib\{A5ADEAE7-A8B4-4F94-9128-BF8D8DB5E927}\1.0\0
HKCR\TypeLib\{A5ADEAE7-A8B4-4F94-9128-BF8D8DB5E927}\1.0\0\win32
HKCR\TypeLib\{A5ADEAE7-A8B4-4F94-9128-BF8D8DB5E927}\1.0\FLAGS
HKCR\TypeLib\{A5ADEAE7-A8B4-4F94-9128-BF8D8DB5E927}\1.0\HELPDIR


MY ANTI VIRUS - I use RISING

病毒名称 处理结果 发现日期 扫描方式 路径 文件 病毒来源
Trojan.Win32.Malagent.a 删除成功 2007-12-15 01:27 手动扫描 F:\ComboFix ntp.exe 本机
Trojan.PSW.Win32.OnlineGames.GEN删除成功 2007-12-15 01:49 手动扫描 F:\Documents and Settings\sf\Local Settings\Temporary Internet Files\Content.IE5\8XEJOTYR wow0617[1].exe 本机
Trojan.PSW.Win32.OnlineGames.GEN删除成功 2007-12-15 01:49 手动扫描 F:\Documents and Settings\sf\Local Settings\Temporary Internet Files\Content.IE5\8XEJOTYR zt0616[1].exe 本机
Trojan.PSW.Win32.OnlineGames.GEN删除成功 2007-12-15 01:50 手动扫描 F:\Documents and Settings\sf\Local Settings\Temporary Internet Files\Content.IE5\ALETCLOB jh0619[1].exe 本机
Trojan.PSW.Win32.OnlineGames.GEN删除成功 2007-12-15 01:51 手动扫描 F:\Documents and Settings\sf\Local Settings\Temporary Internet Files\Content.IE5\ALETCLOB wd0618[1].exe 本机
Trojan.PSW.Win32.OnlineGames.GEN删除成功 2007-12-15 01:52 手动扫描 F:\Documents and Settings\sf\Local Settings\Temporary Internet Files\Content.IE5\CH6VCDUB qj0617[1].exe 本机
Trojan.PSW.Win32.OnlineGames.GEN删除成功 2007-12-15 01:52 手动扫描 F:\Documents and Settings\sf\Local Settings\Temporary Internet Files\Content.IE5\CH6VCDUB tl0619[1].exe 本机
Trojan.PSW.Win32.OnlineGames.GEN删除成功 2007-12-15 01:52 手动扫描 F:\Documents and Settings\sf\Local Settings\Temporary Internet Files\Content.IE5\CJRJY4X9 dh3[1].exe 本机
Trojan.PSW.Win32.OnlineGames.GEN删除成功 2007-12-15 01:52 手动扫描 F:\Documents and Settings\sf\Local Settings\Temporary Internet Files\Content.IE5\CJRJY4X9 tl0619[1].exe 本机
Trojan.PSW.Win32.OnlineGames.GEN删除成功 2007-12-15 01:52 手动扫描 F:\Documents and Settings\sf\Local Settings\Temporary Internet Files\Content.IE5\CJRJY4X9 tl0619[2].exe 本机
Trojan.PSW.Win32.OnlineGames.GEN删除成功 2007-12-15 01:53 手动扫描 F:\Documents and Settings\sf\Local Settings\Temporary Internet Files\Content.IE5\CPURO927 jh0619[1].exe 本机
Trojan.PSW.Win32.OnlineGames.GEN删除成功 2007-12-15 01:54 手动扫描 F:\Documents and Settings\sf\Local Settings\Temporary Internet Files\Content.IE5\CPURO927 wd0618[1].exe 本机
Trojan.PSW.Win32.OnlineGames.GEN删除成功 2007-12-15 01:55 手动扫描 F:\Documents and Settings\sf\Local Settings\Temporary Internet Files\Content.IE5\IPZC1CNY jh0619[1].exe 本机
Trojan.PSW.Win32.OnlineGames.GEN删除成功 2007-12-15 01:55 手动扫描 F:\Documents and Settings\sf\Local Settings\Temporary Internet Files\Content.IE5\IPZC1CNY qj0617[1].exe 本机
Trojan.PSW.Win32.OnlineGames.GEN删除成功 2007-12-15 01:55 手动扫描 F:\Documents and Settings\sf\Local Settings\Temporary Internet Files\Content.IE5\IPZC1CNY qqsg[1].exe 本机
Trojan.PSW.Win32.OnlineGames.GEN删除成功 2007-12-15 01:55 手动扫描 F:\Documents and Settings\sf\Local Settings\Temporary Internet Files\Content.IE5\IPZC1CNY wl0618[1].exe 本机
Trojan.PSW.Win32.OnlineGames.GEN删除成功 2007-12-15 01:56 手动扫描 F:\Documents and Settings\sf\Local Settings\Temporary Internet Files\Content.IE5\J71J758W dh0616[1].exe 本机
Trojan.PSW.Win32.OnlineGames.GEN删除成功 2007-12-15 01:56 手动扫描 F:\Documents and Settings\sf\Local Settings\Temporary Internet Files\Content.IE5\J71J758W dh0616[2].exe 本机
Trojan.PSW.Win32.OnlineGames.GEN删除成功 2007-12-15 01:56 手动扫描 F:\Documents and Settings\sf\Local Settings\Temporary Internet Files\Content.IE5\J71J758W qqsg[1].exe 本机
Trojan.PSW.Win32.OnlineGames.GEN删除成功 2007-12-15 01:58 手动扫描 F:\Documents and Settings\sf\Local Settings\Temporary Internet Files\Content.IE5\O52XQ1A5 dh3[1].exe 本机
Trojan.PSW.Win32.OnlineGames.GEN删除成功 2007-12-15 01:58 手动扫描 F:\Documents and Settings\sf\Local Settings\Temporary Internet Files\Content.IE5\O52XQ1A5 jh0619[1].exe 本机
Trojan.PSW.Win32.OnlineGames.GEN删除成功 2007-12-15 01:58 手动扫描 F:\Documents and Settings\sf\Local Settings\Temporary Internet Files\Content.IE5\O52XQ1A5 qqsg[1].exe 本机
Trojan.PSW.Win32.OnlineGames.GEN删除成功 2007-12-15 02:01 手动扫描 F:\Documents and Settings\sf\Local Settings\Temporary Internet Files\Content.IE5\S123G5IV zt0616[1].exe 本机
Trojan.PSW.Win32.OnlineGames.GEN删除成功 2007-12-15 02:01 手动扫描 F:\Documents and Settings\sf\Local Settings\Temporary Internet Files\Content.IE5\S5Y70XIN dh0616[1].exe 本机
Trojan.PSW.Win32.OnlineGames.GEN删除成功 2007-12-15 02:01 手动扫描 F:\Documents and Settings\sf\Local Settings\Temporary Internet Files\Content.IE5\S5Y70XIN dh0616[2].exe 本机
Trojan.PSW.Win32.OnlineGames.GEN删除成功 2007-12-15 02:04 手动扫描 F:\Documents and Settings\sf\Local Settings\Temporary Internet Files\Content.IE5\X9TZIEF6 dh0616[1].exe 本机
Trojan.PSW.Win32.OnlineGames.GEN删除成功 2007-12-15 02:05 手动扫描 F:\Documents and Settings\sf\Local Settings\Temporary Internet Files\Content.IE5\X9TZIEF6 tl0619[1].exe 本机
Trojan.Win32.Malagent.a 删除成功 2007-12-15 02:06 手动扫描 F:\Downloads ComboFix.exe>>ntp.exe 本机
Trojan.Win32.Malagent.a 删除成功 2007-12-15 02:39 手动扫描 F:\Program Files\Anti virus files downloaded ComboFix.exe>>ntp.exe 本机
Trojan.Win32.Malagent.a 删除成功 2007-12-15 02:40 手动扫描 F:\Program Files\Anti virus files downloaded\dec07 ComboFix.exe>>ntp.exe 本机
Trojan.PSW.Win32.OnlineGames.GEN删除成功 2007-12-15 04:46 手动扫描 F:\WINDOWS anrjsc.exe 本机
Trojan.PSW.Win32.OnlineGames.GEN删除成功 2007-12-15 04:46 手动扫描 F:\WINDOWS AVPSrv.exE 本机
Trojan.PSW.Win32.OnlineGames.GEN删除成功 2007-12-15 04:46 手动扫描 F:\WINDOWS cktvmz.exe 本机
Trojan.PSW.Win32.OnlineGames.GEN删除成功 2007-12-15 04:46 手动扫描 F:\WINDOWS cmdbcs.exe 本机
Trojan.PSW.Win32.OnlineGames.GEN删除成功 2007-12-15 04:46 手动扫描 F:\WINDOWS DbgHlp32.exe 本机
Trojan.PSW.Win32.OnlineGames.GEN删除成功 2007-12-15 04:50 手动扫描 F:\WINDOWS eqpmml.exe 本机
Trojan.PSW.Win32.OnlineGames.GEN删除成功 2007-12-15 04:52 手动扫描 F:\WINDOWS gwvfnt.exe 本机
Trojan.PSW.Win32.OnlineGames.GEN删除成功 2007-12-15 05:04 手动扫描 F:\WINDOWS Kvsc3.exE 本机
Trojan.PSW.Win32.OnlineGames.GEN删除成功 2007-12-15 05:04 手动扫描 F:\WINDOWS mppds.exe 本机
Trojan.PSW.Win32.OnlineGames.GEN删除成功 2007-12-15 05:04 手动扫描 F:\WINDOWS msccrt.exe 本机
Trojan.PSW.Win32.OnlineGames.GEN删除成功 2007-12-15 05:04 手动扫描 F:\WINDOWS MsIMMs32.exE 本机
Trojan.PSW.Win32.OnlineGames.GEN删除成功 2007-12-15 05:06 手动扫描 F:\WINDOWS pmgfiy.exe 本机
Trojan.PSW.Win32.OnlineGames.GEN删除成功 2007-12-15 05:06 手动扫描 F:\WINDOWS rdwegt.exe 本机
Trojan.PSW.Win32.OnlineGames.GEN删除成功 2007-12-15 06:01 手动扫描 F:\WINDOWS\system32 k11976504193.exe 本机
Trojan.PSW.Win32.OnlineGames.GEN删除成功 2007-12-15 06:01 手动扫描 F:\WINDOWS\system32 k11976504204.exe 本机
Trojan.PSW.Win32.OnlineGames.GEN删除成功 2007-12-15 06:01 手动扫描 F:\WINDOWS\system32 k11976504215.exe 本机
Trojan.PSW.Win32.OnlineGames.GEN删除成功 2007-12-15 06:01 手动扫描 F:\WINDOWS\system32 k11976504226.exe 本机
Trojan.PSW.Win32.OnlineGames.GEN删除成功 2007-12-15 06:13 手动扫描 F:\WINDOWS upxdnd.exe 本机
Trojan.PSW.Win32.OnlineGames.GEN删除成功 2007-12-15 06:14 手动扫描 F:\WINDOWS xkfefx.exe 本机
Trojan.PSW.Win32.Shanda.bd 删除成功 2007-12-15 22:47 手动扫描 f:\documents and settings\sfvb\local settings\temporary internet files\content.ie5\bxybjy50 cs0619[1].exe>>Aspack212r 本机
Trojan.PSW.Win32.OnlineGames.GEN删除成功 2007-12-15 22:48 手动扫描 F:\Documents and Settings\SFVB\Local Settings\Temporary Internet Files\Content.IE5\BXYBJY50 jh0619[1].exe 本机
Trojan.PSW.Win32.GameOnline.ahx 删除成功 2007-12-15 22:48 手动扫描 f:\documents and settings\sfvb\local settings\temporary internet files\content.ie5\bxybjy50 qqhx[1].exe>>upack0.32 本机
Trojan.PSW.Win32.OnlineGames.GEN删除成功 2007-12-15 22:48 手动扫描 F:\Documents and Settings\SFVB\Local Settings\Temporary Internet Files\Content.IE5\BXYBJY50 tl0619[1].exe 本机
Trojan.PSW.Win32.OnlineGames.GEN删除成功 2007-12-15 22:49 手动扫描 F:\Documents and Settings\SFVB\Local Settings\Temporary Internet Files\Content.IE5\BXYBJY50 wd0618[1].exe 本机
Trojan.PSW.Win32.OnlineGames.GEN删除成功 2007-12-15 22:49 手动扫描 F:\Documents and Settings\SFVB\Local Settings\Temporary Internet Files\Content.IE5\FUYYPFE9 dh3[1].exe 本机
Trojan.PSW.Win32.OnlineGames.GEN删除成功 2007-12-15 22:49 手动扫描 F:\Documents and Settings\SFVB\Local Settings\Temporary Internet Files\Content.IE5\FUYYPFE9 qj0617[1].exe 本机
Trojan.PSW.Win32.OnlineGames.GEN删除成功 2007-12-15 22:50 手动扫描 F:\Documents and Settings\SFVB\Local Settings\Temporary Internet Files\Content.IE5\FUYYPFE9 wow0617[1].exe 本机
Trojan.PSW.Win32.OnlineGames.GEN删除成功 2007-12-15 22:51 手动扫描 F:\Documents and Settings\SFVB\Local Settings\Temporary Internet Files\Content.IE5\HIVN0YQ6 qqsg[1].exe 本机
Trojan.PSW.Win32.LMir.yys 删除成功 2007-12-15 22:52 手动扫描 f:\documents and settings\sfvb\local settings\temporary internet files\content.ie5\jhl1bfmb cq0619[1].exe>>Aspack212r 本机
Trojan.PSW.Win32.OnlineGames.GEN删除成功 2007-12-15 22:52 手动扫描 F:\Documents and Settings\SFVB\Local Settings\Temporary Internet Files\Content.IE5\JHL1BFMB dh0616[1].exe 本机
Trojan.PSW.Win32.OnlineGames.GEN删除成功 2007-12-15 22:52 手动扫描 F:\Documents and Settings\SFVB\Local Settings\Temporary Internet Files\Content.IE5\JHL1BFMB jh0619[1].exe 本机
Trojan.PSW.Win32.OnlineGames.GEN删除成功 2007-12-15 22:53 手动扫描 F:\Documents and Settings\SFVB\Local Settings\Temporary Internet Files\Content.IE5\JHL1BFMB wl0618[1].exe 本机
Trojan.PSW.Win32.OnlineGames.GEN删除成功 2007-12-15 22:53 手动扫描 F:\Documents and Settings\SFVB\Local Settings\Temporary Internet Files\Content.IE5\JHL1BFMB zt0616[1].exe 本机
Trojan.Win32.Malagent.a 删除成功 2007-12-15 23:20 手动扫描 F:\Program Files\Anti virus files downloaded ComboFix.exe>>ntp.exe 本机
Trojan.Win32.Malagent.a 删除成功 2007-12-15 23:20 手动扫描 F:\Program Files\Anti virus files downloaded\dec07 ComboFix.exe>>ntp.exe
  • 0

Advertisements


#2
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi there bj2008 sorry for the delay. You appear to have the Boran adware
To work..

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

F2 - REG:system.ini: UserInit=userinit.exe,
O8 - Extra context menu item: >> 彩信发送 << - res://C:\PROGRA~1\MMSASS~1\Mmsass~1.dll/mms.htm


Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

THEN

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Log required : Combofix
  • 0

#3
bj2008

bj2008

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Hi EssexBoy

Thats perfectly fine, I understand you guys are doing us all favours by helping us out, and thats apprciated.

For te last day I have been trying to download combofix, I just cannot see to get it to run, the first time it did open and the box scrren opened, stating preparing to run and after two hours nothing happened, so i closed it and try re downloading and since then it wont run at all. When trying to run i have all application/docs closed.

await ur suggestion
  • 0

#4
bj2008

bj2008

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
H

i forgot to mention that i have tried to download combofix from other sites but still get the same failure box

nircmd.com, failure, software cannot start
  • 0

#5
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
There is more than one way to skin a cat :)

Lets try this analysis programme and see if we can sneak in the back way

Download WinPFind3u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and attach the log. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.
  • 0

#6
bj2008

bj2008

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
HI

Well this cats seems to have more then 9 lives, but its now on its last......belwo the files in two parts

part one

WinPFind3 logfile created on: 2008-01-15 18:59:00
WinPFind3U by OldTimer - Version 1.0.44 Folder = C:\Documents and Settings\ke\桌面\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2180)

254.98 Mb Total Physical Memory | 124.92 Mb Available Physical Memory | 48.99% Memory free
625.99 Mb Paging File | 271.14 Mb Available in Paging File | 43.31% Paging File free
Paging file location(s): C:\pagefile.sys 384 768;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 14.65 Gb Total Space | 3.89 Gb Free Space | 26.53% Space Free
Drive D: | 19.53 Gb Total Space | 0.53 Gb Free Space | 2.71% Space Free
Drive E: | 3.08 Gb Total Space | 0.28 Gb Free Space | 9.22% Space Free
F: Drive not present or media not loaded

Computer Name: 何向宇
Current User Name: ke
Logged in as Administrator.
Current Boot Mode: Normal


[Processes - Non-Microsoft Only]
acrotray.exe -> %ProgramFiles%\Adobe\Acrobat 7.0\Distillr\acrotray.exe -> Adobe Systems Inc. [Ver = 6.0.1.2004121400 | Size = 483328 bytes | Modified Date = 2004-12-14 02:12:02 | Attr = ]
avgas.exe -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\avgas.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 43 | Size = 6731312 bytes | Modified Date = 2007-06-11 17:25:42 | Attr = ]
ccenter.exe -> %ProgramFiles%\Rising\Rav\CCenter.exe -> Beijing Rising Technology Co., Ltd. [Ver = 18, 0, 0, 3 | Size = 110592 bytes | Modified Date = 2006-10-10 10:42:44 | Attr = ]
guard.exe -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 22 | Size = 312880 bytes | Modified Date = 2007-05-30 20:31:10 | Attr = ]
ibmpmsvc.exe -> %System32%\ibmpmsvc.exe -> [Ver = | Size = 57344 bytes | Modified Date = 2003-07-03 01:25:00 | Attr = ]
issch.exe -> %CommonProgramFiles%\InstallShield\UpdateService\issch.exe -> Macrovision Corporation [Ver = 4, 60, 100, 37068 | Size = 81920 bytes | Modified Date = 2005-08-11 15:30:30 | Attr = ]
jucheck.exe -> %ProgramFiles%\Java\jre1.5.0_09\bin\jucheck.exe -> Sun Microsystems, Inc. [Ver = 5.0.90.3 | Size = 241775 bytes | Modified Date = 2006-10-12 03:10:54 | Attr = ]
jusched.exe -> %ProgramFiles%\Java\jre1.5.0_09\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 5.0.90.3 | Size = 49263 bytes | Modified Date = 2006-10-12 03:10:54 | Attr = ]
ravmond.exe -> %ProgramFiles%\Rising\Rav\RavMonD.exe -> Beijing Rising Technology Co., Ltd. [Ver = 19, 0, 0, 41 | Size = 278528 bytes | Modified Date = 2007-01-12 11:01:02 | Attr = ]
ravservice.exe -> %ProgramFiles%\Rising\Rav\RavService.exe -> Beijing Rising Technology Co., Ltd. [Ver = 19, 0, 0, 55 | Size = 1286144 bytes | Modified Date = 2007-05-21 08:31:26 | Attr = ]
ravstub.exe -> %ProgramFiles%\Rising\Rav\RavStub.exe -> Beijing Rising Technology Co., Ltd. [Ver = 19, 0, 0, 4 | Size = 90112 bytes | Modified Date = 2007-01-12 11:01:04 | Attr = ]
ravtray.exe -> %ProgramFiles%\Rising\Rav\RavTray.exe -> Rising [Ver = 19, 0, 0, 16 | Size = 876544 bytes | Modified Date = 2007-03-20 08:31:04 | Attr = ]
superantispyware.exe -> %ProgramFiles%\SUPERAntiSpyware\SUPERAntiSpyware.exe -> SUPERAntiSpyware.com [Ver = 3, 6, 0, 1000 | Size = 1310720 bytes | Modified Date = 2007-02-27 11:39:26 | Attr = ]
tp4mon.exe -> %System32%\tp4mon.exe -> IBM Corporation [Ver = 6.03 (xpsp_sp2_rtm.040803-2158) | Size = 82432 bytes | Modified Date = 2004-08-04 00:52:38 | Attr = ]
winpfind3u.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.44.0 | Size = 371200 bytes | Modified Date = 2007-11-21 09:19:46 | Attr = ]

[Win32 Services - Non-Microsoft Only]
(Adobe LM Service) Adobe LM Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Adobe Systems Shared\Service\Adobelmsvc.exe -> Adobe Systems [Ver = 2.65.010 | Size = 69632 bytes | Modified Date = 2006-12-30 16:35:00 | Attr = ]
(AVG Anti-Spyware Guard) AVG Anti-Spyware Guard [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 22 | Size = 312880 bytes | Modified Date = 2007-05-30 20:31:10 | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 223744 bytes | Modified Date = 2004-08-08 11:33:54 | Attr = ]
(IBMPMSVC) IBM PM Service [Win32_Own | Auto | Running] -> %System32%\ibmpmsvc.exe -> [Ver = | Size = 57344 bytes | Modified Date = 2003-07-03 01:25:00 | Attr = ]
(RavService) RavService [Win32_Own | Auto | Running] -> %ProgramFiles%\Rising\Rav\RavService.exe -> Beijing Rising Technology Co., Ltd. [Ver = 19, 0, 0, 55 | Size = 1286144 bytes | Modified Date = 2007-05-21 08:31:26 | Attr = ]
(RsCCenter) Rising Process Communication Center [Win32_Own | Auto | Running] -> %ProgramFiles%\Rising\Rav\CCenter.exe -> Beijing Rising Technology Co., Ltd. [Ver = 18, 0, 0, 3 | Size = 110592 bytes | Modified Date = 2006-10-10 10:42:44 | Attr = ]
(RsRavMon) RsRavMon Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Rising\Rav\RavMonD.exe -> Beijing Rising Technology Co., Ltd. [Ver = 19, 0, 0, 41 | Size = 278528 bytes | Modified Date = 2007-01-12 11:01:02 | Attr = ]

[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
!AVG Anti-Spyware -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\avgas.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 43 | Size = 6731312 bytes | Modified Date = 2007-06-11 17:25:42 | Attr = ]
Acrobat Assistant 7.0 -> %ProgramFiles%\Adobe\Acrobat 7.0\Distillr\acrotray.exe -> Adobe Systems Inc. [Ver = 6.0.1.2004121400 | Size = 483328 bytes | Modified Date = 2004-12-14 02:12:02 | Attr = ]
ISUSPM Startup -> %CommonProgramFiles%\InstallShield\UpdateService\isuspm.exe -> File not found
ISUSScheduler -> %CommonProgramFiles%\InstallShield\UpdateService\issch.exe -> Macrovision Corporation [Ver = 4, 60, 100, 37068 | Size = 81920 bytes | Modified Date = 2005-08-11 15:30:30 | Attr = ]
RavTray -> %ProgramFiles%\Rising\Rav\RavTray.exe -> Rising [Ver = 19, 0, 0, 16 | Size = 876544 bytes | Modified Date = 2007-03-20 08:31:04 | Attr = ]
SunJavaUpdateSched -> %ProgramFiles%\Java\jre1.5.0_09\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 5.0.90.3 | Size = 49263 bytes | Modified Date = 2006-10-12 03:10:54 | Attr = ]
TrackPointSrv -> %System32%\tp4mon.exe -> IBM Corporation [Ver = 6.03 (xpsp_sp2_rtm.040803-2158) | Size = 82432 bytes | Modified Date = 2004-08-04 00:52:38 | Attr = ]
< OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ ->
IMAIL -> Installed = 1 ->
MAPI -> Installed = 1 ->
MSFS -> Installed = 1 ->
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
SUPERAntiSpyware -> %ProgramFiles%\SUPERAntiSpyware\SUPERAntiSpyware.exe -> SUPERAntiSpyware.com [Ver = 3, 6, 0, 1000 | Size = 1310720 bytes | Modified Date = 2007-02-27 11:39:26 | Attr = ]
< AppInit_DLLs [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs ->
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls ->
hookhelp.dll -> hookhelp.dll -> File not found
< ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks ->
{1D908534-AD45-920F-AC89-4024FA9D26D1} [HKLM] -> %System32%\gjfhayc.dll [gjfhayc.dll] -> File not found
{24909874-8982-F344-A322-7898787FA742} [HKLM] -> %System32%\swjqbzc.dll [swjqbzc.dll] -> File not found
{27650011-3344-6688-4899-345FABCD1572} [HKLM] -> %System32%\ratbqpi.dll [ratbqpi.dll] -> File not found
{2A57CAD1-412F-9547-713F-9641FA3FC7A2} [HKLM] -> %System32%\okmhbzy.dll [okmhbzy.dll] -> File not found
{2D30695F-C54D-32AD-BC43-5810F301A1D2} [HKLM] -> %System32%\gjgfbyc.dll [gjgfbyc.dll] -> [Ver = | Size = 22967 bytes | Modified Date = 2004-08-04 23:05:30 | Attr = ]
{2D908534-AD45-920F-AC89-4024FA9D26D2} [HKLM] -> %SystemRoot%\Fonts\gjfhbyc.dll [gjfhbyc.dll] -> [Ver = | Size = 524892 bytes | Modified Date = 2004-08-04 11:12:14 | Attr = ]
{32CD708B-60A7-4C00-9377-D73EAA495F0F} [HKLM] -> %System32%\RavExt.dll [Rising Execute File Exts hook] -> Beijing Rising Technology Co., Ltd. [Ver = 19, 0, 0, 7 | Size = 106496 bytes | Modified Date = 2007-01-12 11:01:00 | Attr = ]
{37650011-3344-6688-4899-345FABCD1573} [HKLM] -> %System32%\ratbrpi.dll [ratbrpi.dll] -> File not found
{3A57CAD1-412F-9547-713F-9641FA3FC7A3} [HKLM] -> %System32%\okmhczy.dll [okmhczy.dll] -> File not found
{3FA10261-B890-F432-A453-69F1023513F3} [HKLM] -> %System32%\gjcscyc.dll [gjcscyc.dll] -> File not found
{45679330-4034-9021-7012-909856721374} [HKLM] -> %System32%\wszjdzx.dll [wszjdzx.dll] -> [Ver = | Size = 23898 bytes | Modified Date = 2004-08-04 09:55:14 | Attr = ]
{471B15AD-7A9C-491D-9C19-4E15B12DCE00} [HKLM] -> %ProgramFiles%\Internet Explorer\PLUGINS\NvSys_55.Sys [] -> File not found
{47650011-3344-6688-4899-345FABCD1574} [HKLM] -> %System32%\ratbspi.dll [ratbspi.dll] -> File not found
{4A57CAD1-412F-9547-713F-9641FA3FC7A4} [HKLM] -> %System32%\okmhdzy.dll [okmhdzy.dll] -> File not found
{4FA10261-B890-F432-A453-69F1023513F4} [HKLM] -> %SystemRoot%\Fonts\gjcsdyc.dll [gjcsdyc.dll] -> [Ver = | Size = 525406 bytes | Modified Date = 2004-08-04 14:34:30 | Attr = ]
{57B86673-276A-48B2-BAE7-C6DBB3020EB8} [HKLM] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll [AVG Anti-Spyware 7.5] -> GRISOFT s.r.o. [Ver = 7, 5, 1, 36 | Size = 79408 bytes | Modified Date = 2007-05-30 20:29:58 | Attr = ]
{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} [HKLM] -> %ProgramFiles%\SUPERAntiSpyware\SASSEH.DLL [] -> SuperAdBlocker.com [Ver = 1, 0, 0, 1008 | Size = 77824 bytes | Modified Date = 2006-12-20 12:55:48 | Attr = ]
{6598FF45-DA60-F48A-BC43-10AC47853D56} [HKLM] -> %SystemRoot%\Fonts\rarjfpi.dll [rarjfpi.dll] -> [Ver = | Size = 523876 bytes | Modified Date = 2004-08-04 11:51:50 | Attr = HS]
{67650011-3344-6688-4899-345FABCD1576} [HKLM] -> %SystemRoot%\Fonts\ratbupi.dll [ratbupi.dll] -> [Ver = | Size = 524388 bytes | Modified Date = 2004-08-04 11:09:54 | Attr = ]
{68907901-1416-3389-9981-372178569986} [HKLM] -> %System32%\kawdfzy.dll [kawdfzy.dll] -> File not found
{6A57CAD1-412F-9547-713F-9641FA3FC7A6} [HKLM] -> %SystemRoot%\Fonts\okmhfzy.dll [okmhfzy.dll] -> [Ver = | Size = 525928 bytes | Modified Date = 2004-08-04 11:08:02 | Attr = ]
{778A7521-FA87-34AB-34C2-4893F3AD34C7} [HKLM] -> %System32%\swrcfzc.dll [swrcfzc.dll] -> File not found
{792FADFA-BCDE-ACDF-CDEF-21054865CBA7} [HKLM] -> %System32%\wsmsezx.dll [wsmsezx.dll] -> File not found
{7960356A-458E-DE24-BD50-268F589A56A7} [HKLM] -> %System32%\avwlgmn.dll [avwlgmn.dll] -> File not found
{878A7521-FA87-34AB-34C2-4893F3AD34C8} [HKLM] -> %SystemRoot%\Fonts\swrcgzc.dll [swrcgzc.dll] -> [Ver = | Size = 524910 bytes | Modified Date = 2004-08-04 20:20:50 | Attr = ]
{88847374-8323-FADC-B443-4732ABCD3788} [HKLM] -> %System32%\sidjhzy.dll [sidjhzy.dll] -> File not found
{88907901-1416-3389-9981-372178569988} [HKLM] -> %System32%\kawdhzy.dll [kawdhzy.dll] -> File not found
{892FADFA-BCDE-ACDF-CDEF-21054865CBA8} [HKLM] -> %SystemRoot%\Fonts\wsmsfzx.dll [wsmsfzx.dll] -> [Ver = | Size = 529530 bytes | Modified Date = 2004-08-04 11:26:08 | Attr = HS]
{94783410-4F90-34A0-7820-3230ACD05F49} [HKLM] -> %System32%\raqjipi.dll [raqjipi.dll] -> [Ver = | Size = 25434 bytes | Modified Date = 2004-08-04 09:17:18 | Attr = HS]
{98847374-8323-FADC-B443-4732ABCD3789} [HKLM] -> %System32%\sidjizy.dll [sidjizy.dll] -> File not found
{98907901-1416-3389-9981-372178569989} [HKLM] -> %System32%\kawdizy.dll [kawdizy.dll] -> File not found
{9960356A-458E-DE24-BD50-268F589A56A9} [HKLM] -> %System32%\avwlimn.dll [avwlimn.dll] -> File not found
{A8847374-8323-FADC-B443-4732ABCD378A} [HKLM] -> %System32%\sidjjzy.dll [sidjjzy.dll] -> [Ver = | Size = 25517 bytes | Modified Date = 2004-08-04 23:02:02 | Attr = ]
{A8907901-1416-3389-9981-37217856998A} [HKLM] -> %SystemRoot%\Fonts\kawdjzy.dll [kawdjzy.dll] -> [Ver = | Size = 526950 bytes | Modified Date = 2004-08-04 11:51:28 | Attr = HS]
{A960356A-458E-DE24-BD50-268F589A56AA} [HKLM] -> %SystemRoot%\Fonts\avwljmn.dll [avwljmn.dll] -> [Ver = | Size = 527490 bytes | Modified Date = 2004-08-04 14:14:52 | Attr = ]
{AA1247C1-53DA-FF43-ABD3-345F323A48DA} [HKLM] -> %SystemRoot%\Fonts\avwgjmn.dll [avwgjmn.dll] -> [Ver = | Size = 527954 bytes | Modified Date = 2004-08-04 20:26:08 | Attr = ]
{AE32FA58-3453-FA2D-BC49-F340348ACCEA} [HKLM] -> %System32%\rsmyjpm.dll [rsmyjpm.dll] -> File not found
{B859245F-345D-BC13-AC4F-145D47DA34FB} [HKLM] -> %System32%\avzxkmn.dll [avzxkmn.dll] -> File not found
{B960356A-458E-DE24-BD50-268F589A56AB} [HKLM] -> %SystemRoot%\Fonts\avwlkmn.dll [avwlkmn.dll] -> [Ver = | Size = 528002 bytes | Modified Date = 2004-08-04 11:47:28 | Attr = HS]
{BC87A354-ABC3-DEDE-FF33-3213FD7447CB} [HKLM] -> %System32%\kvdxkma.dll [kvdxkma.dll] -> File not found
{BD561258-45F3-A451-F908-A258458226DB} [HKLM] -> %System32%\kvdxskma.dll [kvdxskma.dll] -> File not found
{BE32FA58-3453-FA2D-BC49-F340348ACCEB} [HKLM] -> %SystemRoot%\Fonts\rsmykpm.dll [rsmykpm.dll] -> [Ver = | Size = 527448 bytes | Modified Date = 2004-08-04 11:08:56 | Attr = ]
{CC87A354-ABC3-DEDE-FF33-3213FD7447CC} [HKLM] -> %System32%\kvdxlma.dll [kvdxlma.dll] -> File not found
{CD561258-45F3-A451-F908-A258458226DC} [HKLM] -> %System32%\kvdxslma.dll [kvdxslma.dll] -> File not found
{D7D81718-1314-5200-2597-58790101807D} [HKLM] -> %SystemRoot%\Fonts\kaqhmzy.dll [kaqhmzy.dll] -> [Ver = | Size = 2120534 bytes | Modified Date = 2004-08-04 12:23:36 | Attr = HS]
{D859245F-345D-BC13-AC4F-145D47DA34FD} [HKLM] -> %System32%\avzxmmn.dll [avzxmmn.dll] -> File not found
{DC87A354-ABC3-DEDE-FF33-3213FD7447CD} [HKLM] -> %SystemRoot%\Fonts\kvdxmma.dll [kvdxmma.dll] -> [Ver = | Size = 536686 bytes | Modified Date = 2004-08-04 11:43:30 | Attr = HS]
{DD561258-45F3-A451-F908-A258458226DD} [HKLM] -> %System32%\kvdxsmma.dll [kvdxsmma.dll] -> File not found
{E159854F-6971-3456-6941-10235412974E} [HKLM] -> %SystemRoot%\Fonts\hookhelp.dll [] -> [Ver = | Size = 16904 bytes | Modified Date = 2008-01-15 11:02:28 | Attr = ]
{E859245F-345D-BC13-AC4F-145D47DA34FE} [HKLM] -> %SystemRoot%\Fonts\avzxnmn.dll [avzxnmn.dll] -> [Ver = | Size = 528470 bytes | Modified Date = 2004-08-04 11:10:20 | Attr = ]
{F6650011-3344-6688-4899-345FABCD156F} [HKLM] -> %System32%\ratbopi.dll [ratbopi.dll] -> File not found
{FD561258-45F3-A451-F908-A258458226DF} [HKLM] -> %SystemRoot%\Fonts\kvdxsoma.dll [kvdxsoma.dll] -> [Ver = | Size = 524430 bytes | Modified Date = 2004-08-04 20:20:26 | Attr = ]
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ->
!SASWinLogon -> %ProgramFiles%\SUPERAntiSpyware\SASWINLO.dll -> SUPERAntiSpyware.com [Ver = 1, 0, 0, 1030 | Size = 282624 bytes | Modified Date = 2007-02-27 11:39:26 | Attr = ]
ImpsSensor -> %System32%\ImpsSensor.dll -> China Mobile [Ver = 2, 0, 0, 0 | Size = 77824 bytes | Modified Date = 2007-01-07 19:52:22 | Attr = ]
< CurrentVersion Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveAutoRun -> 67108863 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 255 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WindowsUpdate\ -> ->
< CurrentVersion Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WindowsUpdate\ -> ->
< HOSTS File > (27 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
127.0.0.1 localhost -> ->
< Internet Explorer Settings > -> ->
HKLM: Default_Page_URL -> http://www.microsoft...p...&ar=msnhome ->
HKLM: Main\\Default_Search_URL -> http://www.microsoft...amp;ar=iesearch ->
HKLM: Local Page -> %SystemRoot%\system32\blank.htm ->
HKLM: Search Page -> http://www.yahoo.com.cn ->
HKLM: Start Page -> http://www.microsoft...p...ER}&ar=home ->
HKLM: CustomizeSearch -> http://ie.search.msn...st/srchcust.htm ->
HKLM: SearchAssistant -> http://ie.search.msn...st/srchasst.htm ->
HKCU: Local Page -> C:\WINDOWS\system32\blank.htm ->
HKCU: Search Page -> http://www.microsoft...amp;ar=iesearch ->
HKCU: Start Page -> about:blank ->
HKCU: ProxyEnable -> 0 ->
< Trusted Sites > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
msn.com [ - ] -> ->
< Internet Explorer Bars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ ->
{182EC0BE-5110-49C8-A062-BEB1D02A220B} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> Adobe Systems Incorporated [Ver = 7.0.0.0 | Size = 225280 bytes | Modified Date = 2004-12-14 02:13:40 | Attr = ]
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
{47833539-D0C5-4125-9FA8-0819E2EAAC93} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> Adobe Systems Incorporated [Ver = 7.0.0.0 | Size = 225280 bytes | Modified Date = 2004-12-14 02:13:40 | Attr = ]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> Adobe Systems Incorporated [Ver = 7.0.0.0 | Size = 225280 bytes | Modified Date = 2004-12-14 02:13:40 | Attr = ]
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.5.0_09\bin\npjpi150_09.dll [MenuText: Sun Java 控制台] -> Sun Microsystems, Inc. [Ver = 5.0.90.3 | Size = 69746 bytes | Modified Date = 2006-10-12 03:25:44 | Attr = ]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKCU] -> %ProgramFiles%\Java\jre1.5.0_09\bin\ssv.dll [MenuText: Sun Java 控制台] -> Sun Microsystems, Inc. [Ver = 5.0.90.3 | Size = 434279 bytes | Modified Date = 2006-10-12 03:25:44 | Attr = ]
{6354ABE6-05F1-49ed-B850-E423120EC338} -> http:\cn.widget.yahoo.com\index.htm [ButtonText: 雅虎WIDGET] -> File not found
{77BF5300-1474-4EC7-9980-D32B190E9B07} -> Reg Data - Value does not exist [ButtonText: Skype add-on] -> File not found
{92780B25-18CC-41C8-B9BE-3C9C571A8263} -> Reg Data - Value does not exist [ButtonText: 信息检索] -> File not found
{9A687CA6-D585-4947-9ED9-BE96071F5CD9} -> Reg Data - Value does not exist [ButtonText: 词霸] -> File not found
{DE607142-AC19-422e-863A-3D70ABDF119A} -> http:\click2.ad4all.net\url2\urlmanage\url.asp [ButtonText: 易趣购物] -> File not found
< Internet Explorer Menu Extensions [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ ->
导出到 Microsoft Office Excel(&X) -> -> File not found
转换链接目标为 Adobe PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIECapture.htm -> File not found
转换链接目标为现有 PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIEAppend.htm -> File not found
转换为 Adobe PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIECapture.htm -> File not found
转换为现有 PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIEAppend.htm -> File not found
转换选定的链接为 Adobe PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIECaptureSelLinks.htm -> File not found
转换选定的链接为现有 PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIEAppendSelLinks.htm -> File not found
转换选项为 Adobe PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIECapture.htm -> File not found
转换选项为现有 PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIEAppend.htm -> File not found
< User Agent Post Platform [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform ->
SV1 -> ->
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{56C3DBAB-E146-48C7-AF70-D062D1121807} -> (1394 网络适配器) ->
{FC2CC0B0-2629-4A3A-A7EA-DF1E225B3DAF} -> (Intel® PRO/100 VE Network Connection) ->
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ ->
dic -> %ProgramFiles%\Kingsoft\Powerword 2003\XDictExB.dll -> 金山软件股份有限公司 [Ver = 1, 0, 0, 0 | Size = 118784 bytes | Modified Date = 2003-06-02 10:19:42 | Attr = ]
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{05C1004E-2596-48E5-8E26-39362985EEB9} -> MMCPlayer Class - CodeBase = http://p3p.sogou.com/MMCShell.cab ->
{0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} -> Edit Class - CodeBase = https://www.sz1.cmbc...oad/CMBEdit.cab ->
{8AD9C840-044E-11D1-B3E9-00805F499D93} -> Java Plug-in 1.5.0_09 - CodeBase = http://java.sun.com/...ows-i586-jc.cab ->
{A3CD7F74-93C9-4BC4-B892-CCDF1514F714} -> Submit Class - CodeBase = https://pbank.95559....nk/ocx/safe.cab ->
{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_09 - CodeBase = http://java.sun.com/...indows-i586.cab ->
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_09 - CodeBase = http://java.sun.com/...indows-i586.cab ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} -> - CodeBase = http://download.macr...ash/swflash.cab ->
{ECCBA956-80E5-11D3-9285-0080ADB811C9} -> safeInput Class - CodeBase = https://pbank.95559....fe_bankcomm.cab ->
  • 0

#7
bj2008

bj2008

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
PART TWO

[Registry - Additional Scans - Non-Microsoft Only]
< BotCheck > -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\DefaultLaunchPermission -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\MachineLaunchRestriction -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\MachineAccessRestriction -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\EnableDCOM -> Y ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{A50398B8-9075-4FBF-A7A1-456BF21937AD} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{AD65A69D-3831-40D7-9629-9B0B50A93843} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{0040D221-54A1-11D1-9DE0-006097042D69} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirstRunDisabled -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\AntiVirusDisableNotify -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirewallDisableNotify -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\UpdatesDisableNotify -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\AntiVirusOverride -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirewallOverride -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\\NoAutoUpdate -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\\AUOptions -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages -> msv1_0; ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Bounds ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Security Packages -> kerberos;msv1_0;schannel;wdigest; ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\ImpersonatePrivilegeUpgradeToolHasRun -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\LsaPid -> 772 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\SecureBoot -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\auditbaseobjects -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\crashonauditfail -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\disabledomaincreds -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\everyoneincludesanonymous -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\fipsalgorithmpolicy -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\forceguest -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\fullprivilegeauditing ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\limitblankpassworduse -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\lmcompatibilitylevel -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\nodefaultadminowner -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\nolmhash -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\restrictanonymous -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\restrictanonymoussam -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Notification Packages -> scecli; ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\enabledcom -> y ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\\ProviderOrder -> Windows NT Access Provider; ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider\\ProviderPath -> %SystemRoot%\system32\ntmarta.dll ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data\\Pattern -> ? V Wv澭?聁竍a77d917
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG\\GrafBlumGroup -> ?i??'?->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD\\Lookup -> _e
8蹥 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\\Auth132 -> IISSUBA ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\\ntlmminclientsec -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\\ntlmminserversec -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1\\SkewMatrix -> 邪%?E鏩X箖 伭e ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4\\SSOURL -> http://www.passport.com ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\\Time -> ?f炱 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Name -> Digest ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Comment -> Digest SSPI Authentication Package ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Capabilities -> 16464 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\RpcId -> 65535 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Version -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\TokenSize -> 65535 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Time -> f銌鴟? ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Type -> 49 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Name -> DPA ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Comment -> DPA Security Package ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Capabilities -> 55 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\RpcId -> 17 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Version -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\TokenSize -> 768 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Time -> f銌鴟? ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Type -> 49 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Name -> MSN ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Comment -> MSN Security Package ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Capabilities -> 55 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\RpcId -> 18 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Version -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\TokenSize -> 768 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Time -> f銌鴟? ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Type -> 49 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DependOnGroup -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DependOnService -> Netman;WinMgmt; ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Description -> 为家庭和小型办公网络提供网络地址转换、寻址、名称解析和/或入侵保护服务。 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DisplayName -> Windows Firewall/Internet Connection Sharing (ICS) ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ErrorControl -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ImagePath -> %SystemRoot%\System32\svchost.exe -k netsvcs ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ObjectName -> LocalSystem ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Start -> 2 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Type -> 32 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\\Epoch -> 19226 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\\ServiceDll -> %SystemRoot%\System32\ipnathlp.dll ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\EnableFirewall -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\DoNotAllowExceptions -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\DisableNotifications -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\139:TCP -> 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\445:TCP -> 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\137:UDP -> 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\138:UDP -> 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\1900:UDP -> 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\2869:TCP -> 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\\ServiceUpgrade -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\\All -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\\0 -> Root\LEGACY_SHAREDACCESS\0000 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\\Count -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\\NextInstance -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Type -> 32 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Start -> 2 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ErrorControl -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ImagePath -> %systemroot%\system32\svchost.exe -k netsvcs ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\DisplayName -> Automatic Updates ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ObjectName -> LocalSystem ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Description -> 允许下载并安装 Windows 更新。如果此服务被禁用,计算机将不能使用 Windows Update 网站的自动更新功能。 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters\\ServiceDll -> C:\WINDOWS\system32\wuauserv.dll ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security\\Security -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\0 -> Root\LEGACY_WUAUSERV\0000 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\Count -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\NextInstance -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\Description -> 使远程用户能修改此计算机上的注册表设置。如果此服务被终止,只有此计算机上的用户才能修改注册表。如果此服务被禁用,任何依赖它的服务将无法启动。 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\DependOnService -> RPCSS; ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\DisplayName -> Remote Registry ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\ErrorControl -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\ImagePath -> %SystemRoot%\system32\svchost.exe -k LocalService ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\ObjectName -> NT AUTHORITY\LocalService ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\Group -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\Start -> 2 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\Type -> 32 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\FailureActions ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Parameters\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Parameters\\ServiceDll -> %SystemRoot%\system32\regsvc.dll ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Security\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Security\\Security -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum\\0 -> Root\LEGACY_REMOTEREGISTRY\0000 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum\\Count -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum\\NextInstance -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\Type -> 16 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\Start -> 4 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\ErrorControl -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\ImagePath -> C:\WINDOWS\system32\tlntsvr.exe ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\DisplayName -> Telnet ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\DependOnService -> RPCSS;TCPIP;NTLMSSP; ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\DependOnGroup -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\ObjectName -> LocalSystem ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\Description -> 允许远程用户登录到此计算机并运行程序,并支持多种 TCP/IP Telnet 客户,包括基于 UNIX 和 Windows 的计算机。如果此服务停止,远程用户就不能访问程序,任何直接依靠它的服务将会启动失败。 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Security\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Security\\Security -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\\ProxyEnable -> 0 ->

[Files/Folders - Created Within 30 days]
ComboFix -> %SystemDrive%\ComboFix -> [Folder | Created Date = 2008-01-11 23:01:59 | Attr = ]
QooBox -> %SystemDrive%\QooBox -> [Folder | Created Date = 2008-01-11 23:04:17 | Attr = ]
erdnt -> %SystemRoot%\erdnt -> [Folder | Created Date = 2008-01-11 23:05:31 | Attr = ]
NirCmd.exe -> %SystemRoot%\NirCmd.exe -> NirSoft [Ver = 2.00 | Size = 51200 bytes | Created Date = 2008-01-11 23:03:25 | Attr = ]
RSBDBACKUP.DLL -> %SystemRoot%\RSBDBACKUP.DLL -> [Ver = | Size = 16 bytes | Created Date = 2008-01-11 23:38:55 | Attr = ]
avwlhst.exe -> %System32%\avwlhst.exe -> [Ver = | Size = 16529 bytes | Created Date = 2007-12-26 11:48:15 | Attr = ]
avwlist.exe -> %System32%\avwlist.exe -> [Ver = | Size = 16498 bytes | Created Date = 2008-01-01 13:49:48 | Attr = ]
fwoxvl.dll -> %System32%\fwoxvl.dll -> [Ver = | Size = 27136 bytes | Created Date = 2007-12-17 18:09:20 | Attr = ]
gjcsczc.exe -> %System32%\gjcsczc.exe -> [Ver = | Size = 15645 bytes | Created Date = 2007-12-20 08:55:42 | Attr = ]
gjfhazc.exe -> %System32%\gjfhazc.exe -> [Ver = | Size = 15305 bytes | Created Date = 2007-12-23 23:04:47 | Attr = ]
gjgfbzc.exe -> %System32%\gjgfbzc.exe -> [Ver = | Size = 15012 bytes | Created Date = 2007-12-23 23:05:30 | Attr = ]
kaqhlaz.exe -> %System32%\kaqhlaz.exe -> [Ver = | Size = 15582 bytes | Created Date = 2007-12-20 08:47:43 | Attr = ]
kawdiaz.exe -> %System32%\kawdiaz.exe -> [Ver = | Size = 16183 bytes | Created Date = 2007-12-29 19:10:17 | Attr = ]
kvdxlis.exe -> %System32%\kvdxlis.exe -> [Ver = | Size = 15786 bytes | Created Date = 2007-12-28 19:01:22 | Attr = ]
kvdxslis.exe -> %System32%\kvdxslis.exe -> [Ver = | Size = 15471 bytes | Created Date = 2007-12-20 08:59:22 | Attr = ]
kvdxsmis.exe -> %System32%\kvdxsmis.exe -> [Ver = | Size = 15489 bytes | Created Date = 2008-01-05 14:14:45 | Attr = ]
okmhcaz.exe -> %System32%\okmhcaz.exe -> [Ver = | Size = 16147 bytes | Created Date = 2007-12-26 11:46:03 | Attr = ]
okmhdaz.exe -> %System32%\okmhdaz.exe -> [Ver = | Size = 16188 bytes | Created Date = 2008-01-02 13:49:20 | Attr = ]
ratbrtl.exe -> %System32%\ratbrtl.exe -> [Ver = | Size = 15087 bytes | Created Date = 2007-12-28 19:00:18 | Attr = ]
ratbstl.exe -> %System32%\ratbstl.exe -> [Ver = | Size = 15175 bytes | Created Date = 2008-01-02 14:02:13 | Attr = ]
swreg.exe -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.11 | Size = 156160 bytes | Created Date = 2008-01-11 23:03:23 | Attr = ]
swsc.exe -> %System32%\swsc.exe -> SteelWerX [Ver = 2.0.0.5 | Size = 136704 bytes | Created Date = 2008-01-11 23:03:21 | Attr = ]
swxcacls.exe -> %System32%\swxcacls.exe -> SteelWerX [Ver = 1.0.1.1 | Size = 212480 bytes | Created Date = 2008-01-11 23:03:21 | Attr = ]
VFind.exe -> %System32%\VFind.exe -> [Ver = | Size = 49152 bytes | Created Date = 2008-01-11 23:03:22 | Attr = ]
wsmseax.exe -> %System32%\wsmseax.exe -> [Ver = | Size = 17042 bytes | Created Date = 2007-12-20 08:51:21 | Attr = ]
wszjdax.exe -> %System32%\wszjdax.exe -> [Ver = | Size = 15372 bytes | Created Date = 2007-12-20 08:56:13 | Attr = ]
yipvpr.dll -> %System32%\yipvpr.dll -> [Ver = | Size = 27648 bytes | Created Date = 2007-12-17 18:10:07 | Attr = ]
AvgAsCln.sys -> %System32%\drivers\AvgAsCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 10872 bytes | Created Date = 2008-01-05 15:04:04 | Attr = ]

[Files/Folders - Modified Within 30 days]
ComboFix -> %SystemDrive%\ComboFix -> [Folder | Modified Date = 2008-01-14 13:24:42 | Attr = ]
Documents and Settings -> %SystemDrive%\Documents and Settings -> [Folder | Modified Date = 2008-01-05 17:32:26 | Attr = ]
Program Files -> %ProgramFiles% -> [Folder | Modified Date = 2008-01-11 23:38:26 | Attr = R ]
QooBox -> %SystemDrive%\QooBox -> [Folder | Modified Date = 2008-01-11 23:22:12 | Attr = ]
RAVBIN -> %SystemDrive%\RAVBIN -> [Folder | Modified Date = 2008-01-14 12:49:56 | Attr = RH ]
sqmdata07.sqm -> %SystemDrive%\sqmdata07.sqm -> [Ver = | Size = 268 bytes | Modified Date = 2007-12-17 17:20:38 | Attr = H ]
sqmdata08.sqm -> %SystemDrive%\sqmdata08.sqm -> [Ver = | Size = 268 bytes | Modified Date = 2007-12-18 09:10:22 | Attr = H ]
sqmdata09.sqm -> %SystemDrive%\sqmdata09.sqm -> [Ver = | Size = 232 bytes | Modified Date = 2007-12-18 09:20:58 | Attr = H ]
sqmdata10.sqm -> %SystemDrive%\sqmdata10.sqm -> [Ver = | Size = 232 bytes | Modified Date = 2007-12-19 01:11:22 | Attr = H ]
sqmdata11.sqm -> %SystemDrive%\sqmdata11.sqm -> [Ver = | Size = 268 bytes | Modified Date = 2007-12-20 08:01:26 | Attr = H ]
sqmdata12.sqm -> %SystemDrive%\sqmdata12.sqm -> [Ver = | Size = 268 bytes | Modified Date = 2008-01-03 10:37:56 | Attr = H ]
sqmdata13.sqm -> %SystemDrive%\sqmdata13.sqm -> [Ver = | Size = 268 bytes | Modified Date = 2008-01-05 14:32:50 | Attr = H ]
sqmdata14.sqm -> %SystemDrive%\sqmdata14.sqm -> [Ver = | Size = 268 bytes | Modified Date = 2008-01-13 21:06:16 | Attr = H ]
sqmdata15.sqm -> %SystemDrive%\sqmdata15.sqm -> [Ver = | Size = 268 bytes | Modified Date = 2008-01-14 11:34:56 | Attr = H ]
sqmdata16.sqm -> %SystemDrive%\sqmdata16.sqm -> [Ver = | Size = 268 bytes | Modified Date = 2008-01-15 10:53:46 | Attr = H ]
sqmnoopt08.sqm -> %SystemDrive%\sqmnoopt08.sqm -> [Ver = | Size = 244 bytes | Modified Date = 2007-12-17 17:20:38 | Attr = H ]
sqmnoopt09.sqm -> %SystemDrive%\sqmnoopt09.sqm -> [Ver = | Size = 244 bytes | Modified Date = 2007-12-18 09:10:20 | Attr = H ]
sqmnoopt10.sqm -> %SystemDrive%\sqmnoopt10.sqm -> [Ver = | Size = 244 bytes | Modified Date = 2007-12-18 09:20:58 | Attr = H ]
sqmnoopt11.sqm -> %SystemDrive%\sqmnoopt11.sqm -> [Ver = | Size = 244 bytes | Modified Date = 2007-12-19 01:11:22 | Attr = H ]
sqmnoopt12.sqm -> %SystemDrive%\sqmnoopt12.sqm -> [Ver = | Size = 244 bytes | Modified Date = 2007-12-20 08:01:26 | Attr = H ]
sqmnoopt13.sqm -> %SystemDrive%\sqmnoopt13.sqm -> [Ver = | Size = 244 bytes | Modified Date = 2008-01-03 10:37:56 | Attr = H ]
sqmnoopt14.sqm -> %SystemDrive%\sqmnoopt14.sqm -> [Ver = | Size = 244 bytes | Modified Date = 2008-01-05 14:32:48 | Attr = H ]
sqmnoopt15.sqm -> %SystemDrive%\sqmnoopt15.sqm -> [Ver = | Size = 244 bytes | Modified Date = 2008-01-13 21:06:16 | Attr = H ]
sqmnoopt16.sqm -> %SystemDrive%\sqmnoopt16.sqm -> [Ver = | Size = 244 bytes | Modified Date = 2008-01-14 11:34:56 | Attr = H ]
sqmnoopt17.sqm -> %SystemDrive%\sqmnoopt17.sqm -> [Ver = | Size = 244 bytes | Modified Date = 2008-01-15 10:53:46 | Attr = H ]
WINDOWS -> %SystemRoot% -> [Folder | Modified Date = 2008-01-11 23:38:56 | Attr = ]
新建文件夹 -> %SystemDrive%\新建文件夹 -> [Folder | Modified Date = 2008-01-06 02:54:22 | Attr = ]
bootstat.dat -> %SystemRoot%\bootstat.dat -> [Ver = | Size = 2048 bytes | Modified Date = 2008-01-15 10:48:54 | Attr = S]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files -> [Folder | Modified Date = 2008-01-11 23:22:10 | Attr = S]
erdnt -> %SystemRoot%\erdnt -> [Folder | Modified Date = 2008-01-11 23:31:18 | Attr = ]
Fonts -> %SystemRoot%\Fonts -> [Folder | Modified Date = 2008-01-15 12:23:46 | Attr = R S]
Installer -> %SystemRoot%\Installer -> [Folder | Modified Date = 2008-01-05 17:48:20 | Attr = HS]
Minidump -> %SystemRoot%\Minidump -> [Folder | Modified Date = 2007-12-21 10:23:10 | Attr = ]
Prefetch -> %SystemRoot%\Prefetch -> [Folder | Modified Date = 2008-01-15 18:56:32 | Attr = ]
RavTray.INI -> %SystemRoot%\RavTray.INI -> [Ver = | Size = 51 bytes | Modified Date = 2008-01-15 03:22:04 | Attr = ]
RSBDBACKUP.DLL -> %SystemRoot%\RSBDBACKUP.DLL -> [Ver = | Size = 16 bytes | Modified Date = 2008-01-15 03:22:02 | Attr = ]
system.ini -> %SystemRoot%\system.ini -> [Ver = | Size = 227 bytes | Modified Date = 2008-01-11 23:38:52 | Attr = ]
system32 -> %System32% -> [Folder | Modified Date = 2008-01-11 23:33:24 | Attr = ]
Tasks -> %SystemRoot%\Tasks -> [Folder | Modified Date = 2008-01-11 23:23:02 | Attr = S]
Temp -> %SystemRoot%\Temp -> [Folder | Modified Date = 2008-01-15 12:24:22 | Attr = ]
ycns.dat -> %SystemRoot%\ycns.dat -> [Ver = | Size = 4 bytes | Modified Date = 2008-01-03 16:39:50 | Attr = ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [Ver = | Size = 6 bytes | Modified Date = 2008-01-15 10:49:22 | Attr = H ]
avwlhst.exe -> %System32%\avwlhst.exe -> [Ver = | Size = 16529 bytes | Modified Date = 2007-12-31 01:23:44 | Attr = ]
avwlist.exe -> %System32%\avwlist.exe -> [Ver = | Size = 16498 bytes | Modified Date = 2008-01-02 14:00:04 | Attr = ]
CatRoot2 -> %System32%\CatRoot2 -> [Folder | Modified Date = 2008-01-06 02:45:28 | Attr = ]
config -> %System32%\config -> [Folder | Modified Date = 2008-01-11 23:31:34 | Attr = ]
cpap.ini -> %System32%\cpap.ini -> [Ver = | Size = 49685 bytes | Modified Date = 2008-01-05 15:17:12 | Attr = ]
drivers -> %System32%\drivers -> [Folder | Modified Date = 2008-01-11 23:38:34 | Attr = ]
fwoxvl.dll -> %System32%\fwoxvl.dll -> [Ver = | Size = 27136 bytes | Modified Date = 2007-12-17 18:09:22 | Attr = ]
gjcsczc.exe -> %System32%\gjcsczc.exe -> [Ver = | Size = 15645 bytes | Modified Date = 2008-01-02 14:01:26 | Attr = ]
gjfhazc.exe -> %System32%\gjfhazc.exe -> [Ver = | Size = 15305 bytes | Modified Date = 2008-01-02 14:01:38 | Attr = ]
gjgfbzc.exe -> %System32%\gjgfbzc.exe -> [Ver = | Size = 15012 bytes | Modified Date = 2007-12-26 11:49:50 | Attr = ]
kaqhlaz.exe -> %System32%\kaqhlaz.exe -> [Ver = | Size = 15582 bytes | Modified Date = 2008-01-11 20:17:28 | Attr = ]
kawdiaz.exe -> %System32%\kawdiaz.exe -> [Ver = | Size = 16183 bytes | Modified Date = 2008-01-11 20:20:52 | Attr = ]
kvdxlis.exe -> %System32%\kvdxlis.exe -> [Ver = | Size = 15786 bytes | Modified Date = 2008-01-02 13:59:34 | Attr = ]
kvdxslis.exe -> %System32%\kvdxslis.exe -> [Ver = | Size = 15471 bytes | Modified Date = 2008-01-02 13:59:12 | Attr = ]
kvdxsmis.exe -> %System32%\kvdxsmis.exe -> [Ver = | Size = 15489 bytes | Modified Date = 2008-01-09 11:09:06 | Attr = ]
okmhcaz.exe -> %System32%\okmhcaz.exe -> [Ver = | Size = 16147 bytes | Modified Date = 2008-01-01 13:41:00 | Attr = ]
okmhdaz.exe -> %System32%\okmhdaz.exe -> [Ver = | Size = 16188 bytes | Modified Date = 2008-01-07 14:31:48 | Attr = ]
ratbrtl.exe -> %System32%\ratbrtl.exe -> [Ver = | Size = 15087 bytes | Modified Date = 2008-01-01 13:41:54 | Attr = ]
ratbstl.exe -> %System32%\ratbstl.exe -> [Ver = | Size = 15175 bytes | Modified Date = 2008-01-07 14:34:06 | Attr = ]
wpa.dbl -> %System32%\wpa.dbl -> [Ver = | Size = 2206 bytes | Modified Date = 2008-01-13 17:54:50 | Attr = ]
wsmseax.exe -> %System32%\wsmseax.exe -> [Ver = | Size = 17042 bytes | Modified Date = 2008-01-11 20:17:16 | Attr = ]
wszjdax.exe -> %System32%\wszjdax.exe -> [Ver = | Size = 15372 bytes | Modified Date = 2007-12-22 15:49:14 | Attr = ]
yipvpr.dll -> %System32%\yipvpr.dll -> [Ver = | Size = 27648 bytes | Modified Date = 2007-12-17 18:10:08 | Attr = ]
etc -> %System32%\drivers\etc -> [Folder | Modified Date = 2008-01-11 23:38:34 | Attr = ]

[File String Scan - Non-Microsoft Only]
UpackByDwing , MZKERNEL32.DLL , -> %System32%\avwlhst.exe -> [Ver = | Size = 16529 bytes | Modified Date = 2007-12-31 01:23:44 | Attr = ]
UpackByDwing , MZKERNEL32.DLL , -> %System32%\avwlist.exe -> [Ver = | Size = 16498 bytes | Modified Date = 2008-01-02 14:00:04 | Attr = ]
UPX0 , -> %System32%\bseng.dll -> Beijing Rising Technology Co., Ltd. [Ver = 19, 0, 0, 13 | Size = 118784 bytes | Modified Date = 2007-01-12 11:02:42 | Attr = ]
PEC2 , -> %System32%\dfrg.msc -> [Ver = | Size = 41131 bytes | Modified Date = 2004-08-08 11:33:54 | Attr = ]
UpackByDwing , MZKERNEL32.DLL , -> %System32%\gjcsczc.exe -> [Ver = | Size = 15645 bytes | Modified Date = 2008-01-02 14:01:26 | Attr = ]
UpackByDwing , MZKERNEL32.DLL , -> %System32%\gjfhazc.exe -> [Ver = | Size = 15305 bytes | Modified Date = 2008-01-02 14:01:38 | Attr = ]
UpackByDwing , MZKERNEL32.DLL , -> %System32%\gjgfbzc.exe -> [Ver = | Size = 15012 bytes | Modified Date = 2007-12-26 11:49:50 | Attr = ]
UpackByDwing , MZKERNEL32.DLL , -> %System32%\kaqhlaz.exe -> [Ver = | Size = 15582 bytes | Modified Date = 2008-01-11 20:17:28 | Attr = ]
UpackByDwing , MZKERNEL32.DLL , -> %System32%\kawdiaz.exe -> [Ver = | Size = 16183 bytes | Modified Date = 2008-01-11 20:20:52 | Attr = ]
UpackByDwing , MZKERNEL32.DLL , -> %System32%\kvdxlis.exe -> [Ver = | Size = 15786 bytes | Modified Date = 2008-01-02 13:59:34 | Attr = ]
UpackByDwing , MZKERNEL32.DLL , -> %System32%\kvdxslis.exe -> [Ver = | Size = 15471 bytes | Modified Date = 2008-01-02 13:59:12 | Attr = ]
UpackByDwing , MZKERNEL32.DLL , -> %System32%\kvdxsmis.exe -> [Ver = | Size = 15489 bytes | Modified Date = 2008-01-09 11:09:06 | Attr = ]
UpackByDwing , MZKERNEL32.DLL , -> %System32%\okmhcaz.exe -> [Ver = | Size = 16147 bytes | Modified Date = 2008-01-01 13:41:00 | Attr = ]
UpackByDwing , MZKERNEL32.DLL , -> %System32%\okmhdaz.exe -> [Ver = | Size = 16188 bytes | Modified Date = 2008-01-07 14:31:48 | Attr = ]
UpackByDwing , MZKERNEL32.DLL , -> %System32%\raqjitl.exe -> [Ver = | Size = 16096 bytes | Modified Date = 2007-12-15 09:17:14 | Attr = ]
UpackByDwing , MZKERNEL32.DLL , -> %System32%\ratbrtl.exe -> [Ver = | Size = 15087 bytes | Modified Date = 2008-01-01 13:41:54 | Attr = ]
UpackByDwing , MZKERNEL32.DLL , -> %System32%\ratbstl.exe -> [Ver = | Size = 15175 bytes | Modified Date = 2008-01-07 14:34:06 | Attr = ]
UPX0 , -> %System32%\rsbseng.dll -> Beijing Rising Technology Co., Ltd. [Ver = 19, 0, 0, 25 | Size = 120320 bytes | Modified Date = 2007-04-23 10:01:40 | Attr = ]
UPX! , UPX0 , -> %System32%\safeInput.dll -> Beijing eChannels Century Technology Co.,Ltd [Ver = 2, 3, 1, 0 | Size = 69120 bytes | Modified Date = 2006-09-25 16:32:54 | Attr = ]
UPX! , UPX0 , -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.11 | Size = 156160 bytes | Modified Date = 2000-08-31 08:00:00 | Attr = ]
UPX! , UPX0 , -> %System32%\swsc.exe -> SteelWerX [Ver = 2.0.0.5 | Size = 136704 bytes | Modified Date = 2000-08-31 08:00:00 | Attr = ]
winsync , -> %System32%\wbdbase.deu -> [Ver = | Size = 1309184 bytes | Modified Date = 2004-08-08 11:33:54 | Attr = ]
UpackByDwing , MZKERNEL32.DLL , -> %System32%\wsmseax.exe -> [Ver = | Size = 17042 bytes | Modified Date = 2008-01-11 20:17:16 | Attr = ]
UpackByDwing , MZKERNEL32.DLL , -> %System32%\wszjdax.exe -> [Ver = | Size = 15372 bytes | Modified Date = 2007-12-22 15:49:14 | Attr = ]
WSUD , UPX0 , -> %System32%\dllcache\hwxjpn.dll -> [Ver = | Size = 13463552 bytes | Modified Date = 2004-08-08 11:33:54 | Attr = ]

< End of report >
  • 0

#8
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK lets start removing some of the claws :)

Start WinPFind3U. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Unregister Dlls]
[Registry - Non-Microsoft Only]
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
YN -> hookhelp.dll -> hookhelp.dll
< ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
YN -> {1D908534-AD45-920F-AC89-4024FA9D26D1} [HKLM] -> %System32%\gjfhayc.dll [gjfhayc.dll]
YN -> {24909874-8982-F344-A322-7898787FA742} [HKLM] -> %System32%\swjqbzc.dll [swjqbzc.dll]
YN -> {27650011-3344-6688-4899-345FABCD1572} [HKLM] -> %System32%\ratbqpi.dll [ratbqpi.dll]
YN -> {2A57CAD1-412F-9547-713F-9641FA3FC7A2} [HKLM] -> %System32%\okmhbzy.dll [okmhbzy.dll]
YY -> {2D30695F-C54D-32AD-BC43-5810F301A1D2} [HKLM] -> %System32%\gjgfbyc.dll [gjgfbyc.dll]
YY -> {2D908534-AD45-920F-AC89-4024FA9D26D2} [HKLM] -> %SystemRoot%\Fonts\gjfhbyc.dll [gjfhbyc.dll]
YN -> {37650011-3344-6688-4899-345FABCD1573} [HKLM] -> %System32%\ratbrpi.dll [ratbrpi.dll]
YN -> {3A57CAD1-412F-9547-713F-9641FA3FC7A3} [HKLM] -> %System32%\okmhczy.dll [okmhczy.dll]
YN -> {3FA10261-B890-F432-A453-69F1023513F3} [HKLM] -> %System32%\gjcscyc.dll [gjcscyc.dll]
YY -> {45679330-4034-9021-7012-909856721374} [HKLM] -> %System32%\wszjdzx.dll [wszjdzx.dll]
YN -> {471B15AD-7A9C-491D-9C19-4E15B12DCE00} [HKLM] -> %ProgramFiles%\Internet Explorer\PLUGINS\NvSys_55.Sys []
YN -> {47650011-3344-6688-4899-345FABCD1574} [HKLM] -> %System32%\ratbspi.dll [ratbspi.dll]
YN -> {4A57CAD1-412F-9547-713F-9641FA3FC7A4} [HKLM] -> %System32%\okmhdzy.dll [okmhdzy.dll]
YY -> {4FA10261-B890-F432-A453-69F1023513F4} [HKLM] -> %SystemRoot%\Fonts\gjcsdyc.dll [gjcsdyc.dll]
YY -> {6598FF45-DA60-F48A-BC43-10AC47853D56} [HKLM] -> %SystemRoot%\Fonts\rarjfpi.dll [rarjfpi.dll]
YY -> {67650011-3344-6688-4899-345FABCD1576} [HKLM] -> %SystemRoot%\Fonts\ratbupi.dll [ratbupi.dll]
YN -> {68907901-1416-3389-9981-372178569986} [HKLM] -> %System32%\kawdfzy.dll [kawdfzy.dll]
YY -> {6A57CAD1-412F-9547-713F-9641FA3FC7A6} [HKLM] -> %SystemRoot%\Fonts\okmhfzy.dll [okmhfzy.dll]
YN -> {778A7521-FA87-34AB-34C2-4893F3AD34C7} [HKLM] -> %System32%\swrcfzc.dll [swrcfzc.dll]
YN -> {792FADFA-BCDE-ACDF-CDEF-21054865CBA7} [HKLM] -> %System32%\wsmsezx.dll [wsmsezx.dll]
YN -> {7960356A-458E-DE24-BD50-268F589A56A7} [HKLM] -> %System32%\avwlgmn.dll [avwlgmn.dll]
YY -> {878A7521-FA87-34AB-34C2-4893F3AD34C8} [HKLM] -> %SystemRoot%\Fonts\swrcgzc.dll [swrcgzc.dll]
YN -> {88847374-8323-FADC-B443-4732ABCD3788} [HKLM] -> %System32%\sidjhzy.dll [sidjhzy.dll]
YN -> {88907901-1416-3389-9981-372178569988} [HKLM] -> %System32%\kawdhzy.dll [kawdhzy.dll]
YY -> {892FADFA-BCDE-ACDF-CDEF-21054865CBA8} [HKLM] -> %SystemRoot%\Fonts\wsmsfzx.dll [wsmsfzx.dll]
YY -> {94783410-4F90-34A0-7820-3230ACD05F49} [HKLM] -> %System32%\raqjipi.dll [raqjipi.dll]
YN -> {98847374-8323-FADC-B443-4732ABCD3789} [HKLM] -> %System32%\sidjizy.dll [sidjizy.dll]
YN -> {98907901-1416-3389-9981-372178569989} [HKLM] -> %System32%\kawdizy.dll [kawdizy.dll]
YN -> {9960356A-458E-DE24-BD50-268F589A56A9} [HKLM] -> %System32%\avwlimn.dll [avwlimn.dll]
YY -> {A8847374-8323-FADC-B443-4732ABCD378A} [HKLM] -> %System32%\sidjjzy.dll [sidjjzy.dll]
YY -> {A8907901-1416-3389-9981-37217856998A} [HKLM] -> %SystemRoot%\Fonts\kawdjzy.dll [kawdjzy.dll]
YY -> {A960356A-458E-DE24-BD50-268F589A56AA} [HKLM] -> %SystemRoot%\Fonts\avwljmn.dll [avwljmn.dll]
YY -> {AA1247C1-53DA-FF43-ABD3-345F323A48DA} [HKLM] -> %SystemRoot%\Fonts\avwgjmn.dll [avwgjmn.dll]
YN -> {AE32FA58-3453-FA2D-BC49-F340348ACCEA} [HKLM] -> %System32%\rsmyjpm.dll [rsmyjpm.dll]
YN -> {B859245F-345D-BC13-AC4F-145D47DA34FB} [HKLM] -> %System32%\avzxkmn.dll [avzxkmn.dll]
YY -> {B960356A-458E-DE24-BD50-268F589A56AB} [HKLM] -> %SystemRoot%\Fonts\avwlkmn.dll [avwlkmn.dll]
YN -> {BC87A354-ABC3-DEDE-FF33-3213FD7447CB} [HKLM] -> %System32%\kvdxkma.dll [kvdxkma.dll]
YN -> {BD561258-45F3-A451-F908-A258458226DB} [HKLM] -> %System32%\kvdxskma.dll [kvdxskma.dll]
YY -> {BE32FA58-3453-FA2D-BC49-F340348ACCEB} [HKLM] -> %SystemRoot%\Fonts\rsmykpm.dll [rsmykpm.dll]
YN -> {CC87A354-ABC3-DEDE-FF33-3213FD7447CC} [HKLM] -> %System32%\kvdxlma.dll [kvdxlma.dll]
YN -> {CD561258-45F3-A451-F908-A258458226DC} [HKLM] -> %System32%\kvdxslma.dll [kvdxslma.dll]
YY -> {D7D81718-1314-5200-2597-58790101807D} [HKLM] -> %SystemRoot%\Fonts\kaqhmzy.dll [kaqhmzy.dll]
YN -> {D859245F-345D-BC13-AC4F-145D47DA34FD} [HKLM] -> %System32%\avzxmmn.dll [avzxmmn.dll]
YN -> {DD561258-45F3-A451-F908-A258458226DD} [HKLM] -> %System32%\kvdxsmma.dll [kvdxsmma.dll]
YY -> {E159854F-6971-3456-6941-10235412974E} [HKLM] -> %SystemRoot%\Fonts\hookhelp.dll []
YY -> {E859245F-345D-BC13-AC4F-145D47DA34FE} [HKLM] -> %SystemRoot%\Fonts\avzxnmn.dll [avzxnmn.dll]
YN -> {F6650011-3344-6688-4899-345FABCD156F} [HKLM] -> %System32%\ratbopi.dll [ratbopi.dll]
YY -> {FD561258-45F3-A451-F908-A258458226DF} [HKLM] -> %SystemRoot%\Fonts\kvdxsoma.dll [kvdxsoma.dll]
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
YN -> {DE607142-AC19-422e-863A-3D70ABDF119A} -> http:\click2.ad4all.net\url2\urlmanage\url.asp [ButtonText: ????]
[Files/Folders - Created Within 30 days]
NY -> RSBDBACKUP.DLL -> %SystemRoot%\RSBDBACKUP.DLL
NY -> avwlhst.exe -> %System32%\avwlhst.exe
NY -> avwlist.exe -> %System32%\avwlist.exe
NY -> fwoxvl.dll -> %System32%\fwoxvl.dll
NY -> gjcsczc.exe -> %System32%\gjcsczc.exe
NY -> gjfhazc.exe -> %System32%\gjfhazc.exe
NY -> gjgfbzc.exe -> %System32%\gjgfbzc.exe
NY -> kaqhlaz.exe -> %System32%\kaqhlaz.exe
NY -> kawdiaz.exe -> %System32%\kawdiaz.exe
NY -> kvdxlis.exe -> %System32%\kvdxlis.exe
NY -> kvdxslis.exe -> %System32%\kvdxslis.exe
NY -> kvdxsmis.exe -> %System32%\kvdxsmis.exe
NY -> okmhcaz.exe -> %System32%\okmhcaz.exe
NY -> okmhdaz.exe -> %System32%\okmhdaz.exe
NY -> ratbrtl.exe -> %System32%\ratbrtl.exe
NY -> ratbstl.exe -> %System32%\ratbstl.exe
NY -> wsmseax.exe -> %System32%\wsmseax.exe
NY -> wszjdax.exe -> %System32%\wszjdax.exe
NY -> yipvpr.dll -> %System32%\yipvpr.dll
[Files/Folders - Modified Within 30 days]
NY -> ycns.dat -> %SystemRoot%\ycns.dat
NY -> avwlhst.exe -> %System32%\avwlhst.exe
NY -> avwlist.exe -> %System32%\avwlist.exe
NY -> cpap.ini -> %System32%\cpap.ini
NY -> fwoxvl.dll -> %System32%\fwoxvl.dll
NY -> gjcsczc.exe -> %System32%\gjcsczc.exe
NY -> gjfhazc.exe -> %System32%\gjfhazc.exe
NY -> gjgfbzc.exe -> %System32%\gjgfbzc.exe
NY -> kaqhlaz.exe -> %System32%\kaqhlaz.exe
NY -> kawdiaz.exe -> %System32%\kawdiaz.exe
NY -> kvdxlis.exe -> %System32%\kvdxlis.exe
NY -> kvdxslis.exe -> %System32%\kvdxslis.exe
NY -> kvdxsmis.exe -> %System32%\kvdxsmis.exe
NY -> okmhcaz.exe -> %System32%\okmhcaz.exe
NY -> okmhdaz.exe -> %System32%\okmhdaz.exe
NY -> ratbrtl.exe -> %System32%\ratbrtl.exe
NY -> ratbstl.exe -> %System32%\ratbstl.exe
NY -> wszjdax.exe -> %System32%\wszjdax.exe
NY -> yipvpr.dll -> %System32%\yipvpr.dll
[File String Scan - Non-Microsoft Only]
NY -> UpackByDwing , MZKERNEL32.DLL , -> %System32%\avwlhst.exe
NY -> UpackByDwing , MZKERNEL32.DLL , -> %System32%\avwlist.exe
NY -> UpackByDwing , MZKERNEL32.DLL , -> %System32%\gjcsczc.exe
NY -> UpackByDwing , MZKERNEL32.DLL , -> %System32%\gjfhazc.exe
NY -> UpackByDwing , MZKERNEL32.DLL , -> %System32%\gjgfbzc.exe
NY -> UpackByDwing , MZKERNEL32.DLL , -> %System32%\kaqhlaz.exe
NY -> UpackByDwing , MZKERNEL32.DLL , -> %System32%\kawdiaz.exe
NY -> UpackByDwing , MZKERNEL32.DLL , -> %System32%\kvdxlis.exe
NY -> UpackByDwing , MZKERNEL32.DLL , -> %System32%\kvdxslis.exe
NY -> UpackByDwing , MZKERNEL32.DLL , -> %System32%\kvdxsmis.exe
NY -> UpackByDwing , MZKERNEL32.DLL , -> %System32%\okmhcaz.exe
NY -> UpackByDwing , MZKERNEL32.DLL , -> %System32%\okmhdaz.exe
NY -> UpackByDwing , MZKERNEL32.DLL , -> %System32%\raqjitl.exe
NY -> UpackByDwing , MZKERNEL32.DLL , -> %System32%\ratbrtl.exe
NY -> UpackByDwing , MZKERNEL32.DLL , -> %System32%\ratbstl.exe
NY -> UpackByDwing , MZKERNEL32.DLL , -> %System32%\wsmseax.exe
NY -> UpackByDwing , MZKERNEL32.DLL , -> %System32%\wszjdax.exe
[Empty Temp Folders]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. CLick the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new Hijackthis log.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

NEXT

I would like you to delete your current copy of combofix and download a fresh version But I would like you to rename combofix before you run it. To do this right click the file and select rename Call it Gotcha :)

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

If combofix should fail to run then download and use this programme

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Logs required : Winpfind report and either combofix or DSS depending on which one ran
  • 0

#9
bj2008

bj2008

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Hi

We may under estimated this "cat", seems it has joined the forces of evil and gained more lives.........

Follewed, to the letter, the instruction, copied files in winpfind3u, took about 40 seconds, but then froze, no "ok" button, no report was produced, and had to use task manager to closer the program............so slayer of cats...what to do.

While I wait ur reply ill download the other programs as instructed.
  • 0

#10
bj2008

bj2008

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Right god only knows what happened but about an hour after running the winpfind3u i shut down opened and the report appeared, tried the combo re install and re name but no luck so did the second option..........

attached the reports in order


windpfind3u



[Registry - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls written successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{1D908534-AD45-920F-AC89-4024FA9D26D1} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1D908534-AD45-920F-AC89-4024FA9D26D1} deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{24909874-8982-F344-A322-7898787FA742} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{24909874-8982-F344-A322-7898787FA742} deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{27650011-3344-6688-4899-345FABCD1572} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{27650011-3344-6688-4899-345FABCD1572} deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{2A57CAD1-412F-9547-713F-9641FA3FC7A2} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A57CAD1-412F-9547-713F-9641FA3FC7A2} deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{2D30695F-C54D-32AD-BC43-5810F301A1D2} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2D30695F-C54D-32AD-BC43-5810F301A1D2} deleted successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\gjgfbyc.dll
C:\WINDOWS\SYSTEM32\gjgfbyc.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\gjgfbyc.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{2D908534-AD45-920F-AC89-4024FA9D26D2} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2D908534-AD45-920F-AC89-4024FA9D26D2} deleted successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\Fonts\gjfhbyc.dll
C:\WINDOWS\Fonts\gjfhbyc.dll NOT unregistered.
C:\WINDOWS\Fonts\gjfhbyc.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{37650011-3344-6688-4899-345FABCD1573} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37650011-3344-6688-4899-345FABCD1573} deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{3A57CAD1-412F-9547-713F-9641FA3FC7A3} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3A57CAD1-412F-9547-713F-9641FA3FC7A3} deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{3FA10261-B890-F432-A453-69F1023513F3} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3FA10261-B890-F432-A453-69F1023513F3} deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{45679330-4034-9021-7012-909856721374} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{45679330-4034-9021-7012-909856721374} deleted successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\wszjdzx.dll
C:\WINDOWS\SYSTEM32\wszjdzx.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\wszjdzx.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{471B15AD-7A9C-491D-9C19-4E15B12DCE00} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{471B15AD-7A9C-491D-9C19-4E15B12DCE00} deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{47650011-3344-6688-4899-345FABCD1574} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47650011-3344-6688-4899-345FABCD1574} deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{4A57CAD1-412F-9547-713F-9641FA3FC7A4} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4A57CAD1-412F-9547-713F-9641FA3FC7A4} deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{4FA10261-B890-F432-A453-69F1023513F4} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4FA10261-B890-F432-A453-69F1023513F4} deleted successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\Fonts\gjcsdyc.dll
C:\WINDOWS\Fonts\gjcsdyc.dll NOT unregistered.
C:\WINDOWS\Fonts\gjcsdyc.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{6598FF45-DA60-F48A-BC43-10AC47853D56} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6598FF45-DA60-F48A-BC43-10AC47853D56} deleted successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\Fonts\rarjfpi.dll
C:\WINDOWS\Fonts\rarjfpi.dll NOT unregistered.
C:\WINDOWS\Fonts\rarjfpi.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{67650011-3344-6688-4899-345FABCD1576} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{67650011-3344-6688-4899-345FABCD1576} deleted successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\Fonts\ratbupi.dll
C:\WINDOWS\Fonts\ratbupi.dll NOT unregistered.
C:\WINDOWS\Fonts\ratbupi.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{68907901-1416-3389-9981-372178569986} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{68907901-1416-3389-9981-372178569986} deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{6A57CAD1-412F-9547-713F-9641FA3FC7A6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6A57CAD1-412F-9547-713F-9641FA3FC7A6} deleted successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\Fonts\okmhfzy.dll
C:\WINDOWS\Fonts\okmhfzy.dll NOT unregistered.
C:\WINDOWS\Fonts\okmhfzy.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{778A7521-FA87-34AB-34C2-4893F3AD34C7} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{778A7521-FA87-34AB-34C2-4893F3AD34C7} deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{792FADFA-BCDE-ACDF-CDEF-21054865CBA7} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{792FADFA-BCDE-ACDF-CDEF-21054865CBA7} deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{7960356A-458E-DE24-BD50-268F589A56A7} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7960356A-458E-DE24-BD50-268F589A56A7} deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{878A7521-FA87-34AB-34C2-4893F3AD34C8} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{878A7521-FA87-34AB-34C2-4893F3AD34C8} deleted successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\Fonts\swrcgzc.dll
C:\WINDOWS\Fonts\swrcgzc.dll NOT unregistered.
C:\WINDOWS\Fonts\swrcgzc.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{88847374-8323-FADC-B443-4732ABCD3788} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{88847374-8323-FADC-B443-4732ABCD3788} deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{88907901-1416-3389-9981-372178569988} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{88907901-1416-3389-9981-372178569988} deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{892FADFA-BCDE-ACDF-CDEF-21054865CBA8} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{892FADFA-BCDE-ACDF-CDEF-21054865CBA8} deleted successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\Fonts\wsmsfzx.dll
C:\WINDOWS\Fonts\wsmsfzx.dll NOT unregistered.
C:\WINDOWS\Fonts\wsmsfzx.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{94783410-4F90-34A0-7820-3230ACD05F49} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{94783410-4F90-34A0-7820-3230ACD05F49} deleted successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\raqjipi.dll
C:\WINDOWS\SYSTEM32\raqjipi.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\raqjipi.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{98847374-8323-FADC-B443-4732ABCD3789} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{98847374-8323-FADC-B443-4732ABCD3789} deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{98907901-1416-3389-9981-372178569989} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{98907901-1416-3389-9981-372178569989} deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{9960356A-458E-DE24-BD50-268F589A56A9} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9960356A-458E-DE24-BD50-268F589A56A9} deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{A8847374-8323-FADC-B443-4732ABCD378A} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A8847374-8323-FADC-B443-4732ABCD378A} deleted successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\sidjjzy.dll
C:\WINDOWS\SYSTEM32\sidjjzy.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\sidjjzy.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{A8907901-1416-3389-9981-37217856998A} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A8907901-1416-3389-9981-37217856998A} deleted successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\Fonts\kawdjzy.dll
C:\WINDOWS\Fonts\kawdjzy.dll NOT unregistered.
C:\WINDOWS\Fonts\kawdjzy.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{A960356A-458E-DE24-BD50-268F589A56AA} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A960356A-458E-DE24-BD50-268F589A56AA} deleted successfully.
File C:\WINDOWS\Fonts\avwljmn.dll not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AA1247C1-53DA-FF43-ABD3-345F323A48DA} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AA1247C1-53DA-FF43-ABD3-345F323A48DA} deleted successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\Fonts\avwgjmn.dll
C:\WINDOWS\Fonts\avwgjmn.dll NOT unregistered.
C:\WINDOWS\Fonts\avwgjmn.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AE32FA58-3453-FA2D-BC49-F340348ACCEA} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AE32FA58-3453-FA2D-BC49-F340348ACCEA} deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{B859245F-345D-BC13-AC4F-145D47DA34FB} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B859245F-345D-BC13-AC4F-145D47DA34FB} deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{B960356A-458E-DE24-BD50-268F589A56AB} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B960356A-458E-DE24-BD50-268F589A56AB} deleted successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\Fonts\avwlkmn.dll
C:\WINDOWS\Fonts\avwlkmn.dll NOT unregistered.
C:\WINDOWS\Fonts\avwlkmn.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{BC87A354-ABC3-DEDE-FF33-3213FD7447CB} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BC87A354-ABC3-DEDE-FF33-3213FD7447CB} deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{BD561258-45F3-A451-F908-A258458226DB} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BD561258-45F3-A451-F908-A258458226DB} deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{BE32FA58-3453-FA2D-BC49-F340348ACCEB} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BE32FA58-3453-FA2D-BC49-F340348ACCEB} deleted successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\Fonts\rsmykpm.dll
C:\WINDOWS\Fonts\rsmykpm.dll NOT unregistered.
C:\WINDOWS\Fonts\rsmykpm.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{CC87A354-ABC3-DEDE-FF33-3213FD7447CC} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC87A354-ABC3-DEDE-FF33-3213FD7447CC} deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{CD561258-45F3-A451-F908-A258458226DC} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CD561258-45F3-A451-F908-A258458226DC} deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{D7D81718-1314-5200-2597-58790101807D} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D7D81718-1314-5200-2597-58790101807D} deleted successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\Fonts\kaqhmzy.dll
C:\WINDOWS\Fonts\kaqhmzy.dll NOT unregistered.
C:\WINDOWS\Fonts\kaqhmzy.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{D859245F-345D-BC13-AC4F-145D47DA34FD} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D859245F-345D-BC13-AC4F-145D47DA34FD} deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{DD561258-45F3-A451-F908-A258458226DD} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DD561258-45F3-A451-F908-A258458226DD} deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{E159854F-6971-3456-6941-10235412974E} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E159854F-6971-3456-6941-10235412974E} deleted successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\Fonts\hookhelp.dll
C:\WINDOWS\Fonts\hookhelp.dll NOT unregistered.
C:\WINDOWS\Fonts\hookhelp.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{E859245F-345D-BC13-AC4F-145D47DA34FE} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E859245F-345D-BC13-AC4F-145D47DA34FE} deleted successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\Fonts\avzxnmn.dll
C:\WINDOWS\Fonts\avzxnmn.dll NOT unregistered.
C:\WINDOWS\Fonts\avzxnmn.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{F6650011-3344-6688-4899-345FABCD156F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6650011-3344-6688-4899-345FABCD156F} deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{FD561258-45F3-A451-F908-A258458226DF} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FD561258-45F3-A451-F908-A258458226DF} deleted successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\Fonts\kvdxsoma.dll
C:\WINDOWS\Fonts\kvdxsoma.dll NOT unregistered.
C:\WINDOWS\Fonts\kvdxsoma.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{DE607142-AC19-422e-863A-3D70ABDF119A} deleted successfully.
[Files/Folders - Created Within 30 days]
LoadLibrary failed for C:\WINDOWS\RSBDBACKUP.DLL
C:\WINDOWS\RSBDBACKUP.DLL NOT unregistered.
File move failed. C:\WINDOWS\RSBDBACKUP.DLL scheduled to be moved on reboot.
C:\WINDOWS\SYSTEM32\avwlhst.exe moved successfully.
C:\WINDOWS\SYSTEM32\avwlist.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\fwoxvl.dll
C:\WINDOWS\SYSTEM32\fwoxvl.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\fwoxvl.dll moved successfully.
C:\WINDOWS\SYSTEM32\gjcsczc.exe moved successfully.
C:\WINDOWS\SYSTEM32\gjfhazc.exe moved successfully.
C:\WINDOWS\SYSTEM32\gjgfbzc.exe moved successfully.
C:\WINDOWS\SYSTEM32\kaqhlaz.exe moved successfully.
C:\WINDOWS\SYSTEM32\kawdiaz.exe moved successfully.
C:\WINDOWS\SYSTEM32\kvdxlis.exe moved successfully.
C:\WINDOWS\SYSTEM32\kvdxslis.exe moved successfully.
C:\WINDOWS\SYSTEM32\kvdxsmis.exe moved successfully.
C:\WINDOWS\SYSTEM32\okmhcaz.exe moved successfully.
C:\WINDOWS\SYSTEM32\okmhdaz.exe moved successfully.
C:\WINDOWS\SYSTEM32\ratbrtl.exe moved successfully.
C:\WINDOWS\SYSTEM32\ratbstl.exe moved successfully.
C:\WINDOWS\SYSTEM32\wsmseax.exe moved successfully.
C:\WINDOWS\SYSTEM32\wszjdax.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\yipvpr.dll
C:\WINDOWS\SYSTEM32\yipvpr.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\yipvpr.dll moved successfully.
[Files/Folders - Modified Within 30 days]
C:\WINDOWS\ycns.dat moved successfully.
File C:\WINDOWS\SYSTEM32\avwlhst.exe not found!
File C:\WINDOWS\SYSTEM32\avwlist.exe not found!
C:\WINDOWS\SYSTEM32\cpap.ini moved successfully.
File C:\WINDOWS\SYSTEM32\fwoxvl.dll not found!
File C:\WINDOWS\SYSTEM32\gjcsczc.exe not found!
File C:\WINDOWS\SYSTEM32\gjfhazc.exe not found!
File C:\WINDOWS\SYSTEM32\gjgfbzc.exe not found!
File C:\WINDOWS\SYSTEM32\kaqhlaz.exe not found!
File C:\WINDOWS\SYSTEM32\kawdiaz.exe not found!
File C:\WINDOWS\SYSTEM32\kvdxlis.exe not found!
File C:\WINDOWS\SYSTEM32\kvdxslis.exe not found!
File C:\WINDOWS\SYSTEM32\kvdxsmis.exe not found!
File C:\WINDOWS\SYSTEM32\okmhcaz.exe not found!
File C:\WINDOWS\SYSTEM32\okmhdaz.exe not found!
File C:\WINDOWS\SYSTEM32\ratbrtl.exe not found!
File C:\WINDOWS\SYSTEM32\ratbstl.exe not found!
File C:\WINDOWS\SYSTEM32\wszjdax.exe not found!
File C:\WINDOWS\SYSTEM32\yipvpr.dll not found!
[File String Scan - Non-Microsoft Only]
File C:\WINDOWS\SYSTEM32\avwlhst.exe not found!
File C:\WINDOWS\SYSTEM32\avwlist.exe not found!
File C:\WINDOWS\SYSTEM32\gjcsczc.exe not found!
File C:\WINDOWS\SYSTEM32\gjfhazc.exe not found!
File C:\WINDOWS\SYSTEM32\gjgfbzc.exe not found!
File C:\WINDOWS\SYSTEM32\kaqhlaz.exe not found!
File C:\WINDOWS\SYSTEM32\kawdiaz.exe not found!
File C:\WINDOWS\SYSTEM32\kvdxlis.exe not found!
File C:\WINDOWS\SYSTEM32\kvdxslis.exe not found!
File C:\WINDOWS\SYSTEM32\kvdxsmis.exe not found!
File C:\WINDOWS\SYSTEM32\okmhcaz.exe not found!
File C:\WINDOWS\SYSTEM32\okmhdaz.exe not found!
C:\WINDOWS\SYSTEM32\raqjitl.exe moved successfully.
File C:\WINDOWS\SYSTEM32\ratbrtl.exe not found!
File C:\WINDOWS\SYSTEM32\ratbstl.exe not found!
File C:\WINDOWS\SYSTEM32\wsmseax.exe not found!
File C:\WINDOWS\SYSTEM32\wszjdax.exe not found!
[Empty Temp Folders]
C:\DOCUME~1\ke\LOCALS~1\Temp\ -> emptied.
C:\Documents and Settings\ke\Local Settings\Temporary Internet Files\Content.IE5\ -> emptied
RecycleBin -> emptied.
< End of log >
Created on 01-16-2008 19:28:36





HIJACKTHIS



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:53:52, on 2008-1-11
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
C:\Program Files\Rising\Rav\Ravmond.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Rising\Rav\RavService.exe
C:\Program Files\Rising\Rav\RavStub.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\tp4mon.exe
C:\Program Files\Rising\Rav\RavTray.exe
C:\Program Files\Rising\Rav\RavTask.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Rising\Rav\Ravmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe

O2 - BHO: (no name) - {A45B2C37-01D0-4D3E-BE5E-CC119B17BE9E} - C:\Program Files\Internet Explorer\IEXPLORE32.win
O2 - BHO: (no name) - {C5E87A05-F463-4841-B19E-DD3EC3862368} - C:\Program Files\Internet Explorer\IEXPLORE32.Sys
O2 - BHO: (no name) - {EE12D60D-AD9A-4095-B839-3BE6862679FD} - C:\Program Files\Internet Explorer\IEXPLORE32.Dat
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [IMSCMig] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
O4 - HKLM\..\Run: [RavTray] "C:\Program Files\Rising\Rav\RavTray.exe"
O4 - HKLM\..\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [YLive.exe] C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
O4 - HKLM\..\Run: [CnsM.dll] Rundll32.exe C:\PROGRA~1\3721\CnsM.dll,Rundll32
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 转换为 Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: 转换为现有 PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: 转换选定的链接为 Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: 转换选定的链接为现有 PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: 转换选项为 Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: 转换选项为现有 PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: 转换链接目标为 Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: 转换链接目标为现有 PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 控制台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Yahoo 3.5G电邮 - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.zs.yahoo.c...p;btn=yahoomail (file missing)
O9 - Extra button: 名品折扣 - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://adtaobao.ally...?allyesPara=816 (file missing)
O9 - Extra button: 雅虎助手 - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://cn.zs.yahoo.c...amp;btn=yassist (file missing)
O9 - Extra button: 雅虎WIDGET - {6354ABE6-05F1-49ed-B850-E423120EC338} - http://cn.widget.yah....htm?source=Cns (file missing)
O9 - Extra button: (no name) - {6671A433-5C3D-463d-A7CF-5587F9B7E191} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: MMSAssist工具条设置 - {6671A433-5C3D-463d-A7CF-5587F9B7E191} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Skype add-on - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: 信息检索 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: 词霸 - {9A687CA6-D585-4947-9ED9-BE96071F5CD9} - C:\PROGRA~1\Kingsoft\POWERW~1\XDictExB.dll
O9 - Extra button: 易趣购物 - {DE607142-AC19-422e-863A-3D70ABDF119A} - http://click2.ad4all...ge/url.asp?id=5 (file missing)
O9 - Extra 'Tools' menuitem: 易趣购物 - {DE607142-AC19-422e-863A-3D70ABDF119A} - http://click2.ad4all...ge/url.asp?id=5 (file missing)
O9 - Extra button: 情景聊天 - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.zs.yahoo.c...mp;btn=yahoomsg (file missing)
O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.c...c...&btn=repair (file missing)
O9 - Extra 'Tools' menuitem: 修复浏览器 - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.c...c...&btn=repair (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.c...c...s&btn=clean (file missing)
O9 - Extra 'Tools' menuitem: 清理上网记录 - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.c...c...s&btn=clean (file missing)
O11 - Options group: [!CNS] 中文上网
O16 - DPF: {05C1004E-2596-48E5-8E26-39362985EEB9} (MMCPlayer Class) - http://p3p.sogou.com/MMCShell.cab
O16 - DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} (Edit Class) - https://www.sz1.cmbc...oad/CMBEdit.cab
O16 - DPF: {A3CD7F74-93C9-4BC4-B892-CCDF1514F714} (Submit Class) - https://pbank.95559....nk/ocx/safe.cab
O16 - DPF: {ECCBA956-80E5-11D3-9285-0080ADB811C9} (safeInput Class) - https://pbank.95559....fe_bankcomm.cab
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dic - {C21F5C32-F57A-4A0D-8E0A-B672691C52D0} - C:\PROGRA~1\Kingsoft\POWERW~1\XDictExB.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll
O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll
O20 - AppInit_DLLs: rarjepi.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ImpsSensor - C:\WINDOWS\SYSTEM32\ImpsSensor.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: P4P Service - Unknown owner - C:\Program Files\Common Files\Sogou PXP\p2psvr.exe (file missing)
O23 - Service: RavService - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\RavService.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\Ravmond.exe

--
End of file - 12278 bytes




DSS - MAIN


Deckard's System Scanner v20071014.68
Run by ke on 2008-01-17 00:23:56
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
6: 2008-01-16 16:24:10 UTC - RP328 - Deckard's System Scanner Restore Point
5: 2008-01-16 12:45:48 UTC - RP327 - 系统检查点
4: 2008-01-13 10:11:45 UTC - RP326 - 系统检查点
3: 2008-01-11 15:05:22 UTC - RP325 - ComboFix created restore point
2: 2008-01-05 09:47:59 UTC - RP324 - Installed SUPERAntiSpyware Free Edition


-- First Restore Point --
1: 2008-01-05 06:56:32 UTC - RP323 - anti


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 255 MiB (512 MiB recommended).


-- HijackThis (run as ke.exe) --------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:25, on 2008-01-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
C:\Program Files\Rising\Rav\Ravmond.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Rising\Rav\RavStub.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Rising\Rav\RavService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\tp4mon.exe
C:\Program Files\Rising\Rav\RavTray.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\conime.exe
C:\Documents and Settings\ke\桌面\dss.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ke.exe

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [IMSCMig] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
O4 - HKLM\..\Run: [RavTray] "C:\Program Files\Rising\Rav\RavTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 转换为 Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: 转换为现有 PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: 转换选定的链接为 Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: 转换选定的链接为现有 PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: 转换选项为 Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: 转换选项为现有 PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: 转换链接目标为 Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: 转换链接目标为现有 PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 控制台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: 雅虎WIDGET - {6354ABE6-05F1-49ed-B850-E423120EC338} - http://cn.widget.yah....htm?source=Cns (file missing)
O9 - Extra button: Skype add-on - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: 信息检索 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: 词霸 - {9A687CA6-D585-4947-9ED9-BE96071F5CD9} - C:\PROGRA~1\Kingsoft\POWERW~1\XDictExB.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05C1004E-2596-48E5-8E26-39362985EEB9} (MMCPlayer Class) - http://p3p.sogou.com/MMCShell.cab
O16 - DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} (Edit Class) - https://www.sz1.cmbc...oad/CMBEdit.cab
O16 - DPF: {A3CD7F74-93C9-4BC4-B892-CCDF1514F714} (Submit Class) - https://pbank.95559....nk/ocx/safe.cab
O16 - DPF: {ECCBA956-80E5-11D3-9285-0080ADB811C9} (safeInput Class) - https://pbank.95559....fe_bankcomm.cab
O18 - Protocol: dic - {C21F5C32-F57A-4A0D-8E0A-B672691C52D0} - C:\PROGRA~1\Kingsoft\POWERW~1\XDictExB.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ImpsSensor - C:\WINDOWS\SYSTEM32\ImpsSensor.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: RavService - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\RavService.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\Ravmond.exe

--
End of file - 6918 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080111-225313-380 F2 - REG:system.ini: UserInit=userinit.exe,
backup-20080111-225313-626 O8 - Extra context menu item: >> 彩信发送 << - res://C:\PROGRA~1\MMSASS~1\Mmsass~1.dll/mms.htm

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 RsNTGDI - c:\windows\system32\drivers\rsntgdi.sys <Not Verified; Beijing Rising Technology Co., Ltd.; Rising Antivirus Software>
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R2 BaseTDI - c:\windows\system32\drivers\basetdi.sys <Not Verified; Beijing Rising Technology Co., Ltd.; Rising PFW>
R2 DgiVecp (Team MFP Comm Driver) - c:\windows\system32\drivers\dgivecp.sys <Not Verified; Samsung Electronics Co., Ltd.; Samsung Electronics Co., Ltd. VECP for Windows 2000, XP>
R2 ExpScaner - c:\program files\rising\rav\expscan.sys <Not Verified; ; ExpScan.sys>
R2 HookCont - c:\program files\rising\rav\hookcont.sys <Not Verified; Rising; HookCont>
R2 HookReg - c:\program files\rising\rav\hookreg.sys
R2 HookSys - c:\program files\rising\rav\hooksys.sys <Not Verified; Rising; Hooksys>
R2 MEMSCAN - c:\program files\rising\rav\memscan.sys <Not Verified; Beijing Rising Technology Co., Ltd.; MemScan Drivers for Windows NT>
R2 RSPPSYS - c:\program files\rising\rav\rsppsys.sys <Not Verified; Rising; RSPPSYS>
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S0 lbshndjh - c:\windows\\systemroot\system32\drivers\lbshndjh.sys (file missing)
S3 catchme - c:\docume~1\ke\locals~1\temp\catchme.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 RavService - "c:\program files\rising\rav\ravservice.exe" /service <Not Verified; Beijing Rising Technology Co., Ltd.; Ravservice>
R2 RsCCenter (Rising Process Communication Center) - c:\program files\rising\rav\ccenter.exe <Not Verified; Beijing Rising Technology Co., Ltd.; Rising Antivirus Software>
R2 RsRavMon (RsRavMon Service) - "c:\program files\rising\rav\ravmond.exe" <Not Verified; Beijing Rising Technology Co., Ltd.; Rising Antivirus Software>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: 视频控制器(VGA 兼容)
Device ID: PCI\VEN_1002&DEV_4C59&SUBSYS_02391014&REV_00\4&45A7597&0&0008
Manufacturer:
Name: 视频控制器(VGA 兼容)
PNP Device ID: PCI\VEN_1002&DEV_4C59&SUBSYS_02391014&REV_00\4&45A7597&0&0008
Service:


-- Files created between 2007-12-17 and 2008-01-17 -----------------------------

2008-01-16 19:46:21 16 --a------ C:\WINDOWS\RSBDBACKUP.DLL
2008-01-06 02:24:11 0 d-------- C:\Program Files\Trend Micro
2008-01-05 17:48:27 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-05 17:48:06 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-01-05 17:48:06 0 d-------- C:\Documents and Settings\ke\Application Data\SUPERAntiSpyware.com
2008-01-05 17:47:18 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-05 17:33:13 0 d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-01-05 17:32:25 0 d-------- C:\Documents and Settings\Administrator\桌面
2008-01-05 17:32:25 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-01-05 17:32:25 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-01-05 17:32:25 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-01-05 17:32:25 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-01-05 17:32:25 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-01-05 17:32:25 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-01-05 17:32:25 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-01-05 17:32:25 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-01-05 17:32:25 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-01-05 17:32:25 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-01-05 17:32:25 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-01-05 17:32:25 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-01-05 17:32:25 0 dr------- C:\Documents and Settings\Administrator\「开始」菜单
2008-01-05 15:04:34 0 d-------- C:\Documents and Settings\ke\Application Data\Grisoft
2008-01-05 15:03:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft


-- Find3M Report ---------------------------------------------------------------

2008-01-11 23:22:08 0 d-------- C:\Program Files\Yahoo!
2008-01-11 23:22:07 0 d-------- C:\Program Files\Common Files
2007-12-29 14:24:46 0 d-------- C:\Documents and Settings\ke\Application Data\Skype
2007-12-09 21:48:09 664 --a------ C:\WINDOWS\system32\d3d9caps.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-08 11:33]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-08 11:33]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-08 11:33]
"TrackPointSrv"="tp4mon.exe" [2004-08-04 00:52 C:\WINDOWS\system32\tp4mon.exe]
"IMSCMig"="C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.exe" [2003-07-14 22:57]
"RavTray"="C:\Program Files\Rising\Rav\RavTray.exe" [2007-03-20 08:31]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 03:10]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" []
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 15:30]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 02:12]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 17:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-08 11:33]
"msnmsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:55]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{32CD708B-60A7-4C00-9377-D73EAA495F0F}"= C:\WINDOWS\system32\RavExt.dll [2007-01-12 11:00 106496]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
"{DC87A354-ABC3-DEDE-FF33-3213FD7447CD}"= C:\WINDOWS\Fonts\kvdxmma.dll [2004-08-04 11:43 536686]
"{94783410-4F90-34A0-7820-3230ACD05F49}&q
  • 0

Advertisements


#11
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi again - although it may not seem so at the moment we are eating away at this miscreant..Winpfind obviously had a struggle but got a few of them. I will next do a driver search for any hidden ones after we have removed a few more files.. Combofix is trying to start

ComboFix created restore point


Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {A45B2C37-01D0-4D3E-BE5E-CC119B17BE9E} - C:\Program Files\Internet Explorer\IEXPLORE32.win
O2 - BHO: (no name) - {C5E87A05-F463-4841-B19E-DD3EC3862368} - C:\Program Files\Internet Explorer\IEXPLORE32.Sys
O2 - BHO: (no name) - {EE12D60D-AD9A-4095-B839-3BE6862679FD} - C:\Program Files\Internet Explorer\IEXPLORE32.Dat
O9 - Extra button: 名品折扣 - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://adtaobao.ally...?allyesPara=816 (file missing)
O9 - Extra button: 易趣购物 - {DE607142-AC19-422e-863A-3D70ABDF119A} - http://click2.ad4all...ge/url.asp?id=5 (file missing)
O9 - Extra 'Tools' menuitem: 易趣购物 - {DE607142-AC19-422e-863A-3D70ABDF119A} - http://click2.ad4all...ge/url.asp?id=5 (file missing)
O20 - AppInit_DLLs: rarjepi.dll

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

THEN

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\Fonts\kvdxmma.dll 
    C:\Program Files\Internet Explorer\IEXPLORE32.win
    C:\Program Files\Internet Explorer\IEXPLORE32.Sys
    C:\Program Files\Internet Explorer\IEXPLORE32.Dat
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.

  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

FINALLY FOR NOW

We will now do a deep search of your processes and files

Download avz4.zip from here
  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the Right of the Log window: Posted Image
  • Click Start to begin the update
Note: If you recieve an error message, chose a different source, then click Start again


  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts " and mark the "Healing/Quarantine and Advanced System Investigation" check box.
  • Click on the 揈xecute selected scripts.
  • Automatic scanning, healing and system check will be executed.
  • A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
  • It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
  • All applications will work properly after the system restart.

When restarted

  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts " and mark the 揂dvanced System Investigation" check box.
  • Click on the "Execute selected scripts".
  • A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Attach both zip files to your next post
  • 0

#12
bj2008

bj2008

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Hi Essexboy, I am ready to impose slow torture so bring it on... none of the hijackthis points you asked me to check were present, my first thought is that I posted wrong report however I have been careful to follow instruction... so after doing what you asked in the others I run new hijackthis and posted.

by the way I really appreciate your patience and help so far.....



Hijackthis


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:17, on 2008-01-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
C:\Program Files\Rising\Rav\Ravmond.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Rising\Rav\RavStub.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Rising\Rav\RavService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\tp4mon.exe
C:\Program Files\Rising\Rav\RavTray.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [IMSCMig] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
O4 - HKLM\..\Run: [RavTray] "C:\Program Files\Rising\Rav\RavTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 转换为 Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: 转换为现有 PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: 转换选定的链接为 Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: 转换选定的链接为现有 PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: 转换选项为 Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: 转换选项为现有 PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: 转换链接目标为 Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: 转换链接目标为现有 PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 控制台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: 雅虎WIDGET - {6354ABE6-05F1-49ed-B850-E423120EC338} - http://cn.widget.yah....htm?source=Cns (file missing)
O9 - Extra button: Skype add-on - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: 信息检索 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: 词霸 - {9A687CA6-D585-4947-9ED9-BE96071F5CD9} - C:\PROGRA~1\Kingsoft\POWERW~1\XDictExB.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05C1004E-2596-48E5-8E26-39362985EEB9} (MMCPlayer Class) - http://p3p.sogou.com/MMCShell.cab
O16 - DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} (Edit Class) - https://www.sz1.cmbc...oad/CMBEdit.cab
O16 - DPF: {A3CD7F74-93C9-4BC4-B892-CCDF1514F714} (Submit Class) - https://pbank.95559....nk/ocx/safe.cab
O16 - DPF: {ECCBA956-80E5-11D3-9285-0080ADB811C9} (safeInput Class) - https://pbank.95559....fe_bankcomm.cab
O18 - Protocol: dic - {C21F5C32-F57A-4A0D-8E0A-B672691C52D0} - C:\PROGRA~1\Kingsoft\POWERW~1\XDictExB.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ImpsSensor - C:\WINDOWS\SYSTEM32\ImpsSensor.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: RavService - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\RavService.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\Ravmond.exe

--
End of file - 6716 bytes





OTMoveIt


DllUnregisterServer procedure not found in C:\WINDOWS\Fonts\kvdxmma.dll
C:\WINDOWS\Fonts\kvdxmma.dll NOT unregistered.
C:\WINDOWS\Fonts\kvdxmma.dll moved successfully.
File/Folder C:\Program Files\Internet Explorer\IEXPLORE32.win not found.
File/Folder C:\Program Files\Internet Explorer\IEXPLORE32.Sys not found.
File/Folder C:\Program Files\Internet Explorer\IEXPLORE32.Dat not found.

OTMoveIt2 v1.0.7 log created on 01172008_145137






virusinfo_syscure.zip


virusinfo_syscheck.zip

Attached Files


  • 0

#13
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK lets hit it with this one and see what happens

AVZ FIX

  • Double click on AVZ.exe
  • Click File > Custom scripts
  • Copy & paste the contents of the following codebox in the box in the program (start with begin and end with end )
    begin
    SetAVZGuardStatus(True);
    SearchRootkit(true, true);
     RegKeyDel('HKLM','SOFTWARE\Microsoft\Code Store Database\Distribution Units\{05C1004E-2596-48E5-8E26-39362985EEB9}');
     RegKeyDel('HKLM','SOFTWARE\Microsoft\Code Store Database\Distribution Units\{0CA54D3F-CEAE-48AF-9A2B-31909CB9515D}');
     DeleteFile('C:\WINDOWS\system32\PRTdlink.dll');
     DeleteFile('C:\WINDOWS\Fonts\avwlkmn.dll');
     DeleteFile('C:\WINDOWS\Fonts\avzxnmn.dll');
     DeleteFile('C:\WINDOWS\Fonts\gjcsdyc.dll');
     DeleteFile('C:\WINDOWS\Fonts\gjfhbyc.dll');
     DeleteFile('C:\WINDOWS\Fonts\kaqhmzy.dll');
     DeleteFile('C:\WINDOWS\Fonts\hookhelp.dll');
     DeleteFile('C:\WINDOWS\Fonts\kawdjzy.dll');
     DeleteFile('C:\WINDOWS\Fonts\kvdxmma.dll');
     DeleteFile('C:\WINDOWS\Fonts\kvdxsoma.dll');
     DeleteFile('C:\WINDOWS\Fonts\okmhfzy.dll');
     DeleteFile('C:\WINDOWS\Fonts\rarjfpi.dll');
     DeleteFile('C:\WINDOWS\Fonts\rsmykpm.dll');
     DeleteFile('C:\WINDOWS\Fonts\swrcgzc.dll');
     DeleteFile('C:\WINDOWS\Fonts\wsmsfzx.dll');
     DeleteFile('C:\WINDOWS\system32\gjgfbyc.dll');
     DeleteFile('C:\WINDOWS\system32\raqjipi.dll');
     DeleteFile('C:\WINDOWS\system32\sidjjzy.dll');
     DeleteFile('C:\WINDOWS\system32\wszjdzx.dll');
     DeleteFile('ImpsSensor.dll');
     DeleteFile('C:\WINDOWS\Downloaded Program Files\MMCShell.dll');
     DeleteFile('C:\WINDOWS\system32\CMBEdit.dll');
    BC_ImportDeletedList;
    ExecuteSysClean;
    BC_Activate;
    RebootWindows(true);
    end.


  • Note: When you run the script, your PC will be restarted
  • Click Run
  • Restart your PC if it doesn't do it automatically.

ON COMPLETION

  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts " and mark the 揂dvanced System Investigation" check box.
  • Click on the "Execute selected scripts".
  • A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Attach the zip file to your next post
  • 0

#14
bj2008

bj2008

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Hi Essexboy,

Here gies the attachment you require.............

Attached Files


  • 0

#15
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Methinks we are getting somewhere :)

AVZ FIX

  • Double click on AVZ.exe
  • Click File > Custom scripts
  • Copy & paste the contents of the following codebox in the box in the program (start with begin and end with end )
    begin
    SetAVZGuardStatus(True);
    SearchRootkit(true, true);
     DeleteFile('C:\WINDOWS\Fonts\avwgjmn.dll');
     DeleteFile('C:\WINDOWS\Fonts\ratbupi.dll');
    BC_ImportDeletedList;
    ExecuteSysClean;
    BC_Activate;
    RebootWindows(true);
    end.
  • Note: When you run the script, your PC will be restarted
  • Click Run
  • Restart your PC if it doesn't do it automatically.

ON COMPLETION

  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts " and mark the 揂dvanced System Investigation" check box.
  • Click on the "Execute selected scripts".
  • A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Attach the zip file to your next post


In addition to the AVZ file I would also like another Hijackthis. However, before you run Hijackthis I would like you to right click the icon and select rename - call it Gotcha (or anything you like really)
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP