Welcome to Geeks to Go - Register now for FREE

multiple virus attack affecting explore [RESOLVED]



#16
bj2008

    Member

  • Topic Starter
  • Member
  • 15 posts
Hi, Essexboy,

The earth may have been created in 7 days, but God did not have to deal with this virus..........smile

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:57, on 2008-01-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
C:\Program Files\Rising\Rav\Ravmond.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Rising\Rav\RavStub.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Rising\Rav\RavService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\tp4mon.exe
C:\Program Files\Rising\Rav\RavTray.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [IMSCMig] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
O4 - HKLM\..\Run: [RavTray] "C:\Program Files\Rising\Rav\RavTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 转换为 Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: 转换为现有 PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: 转换选定的链接为 Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: 转换选定的链接为现有 PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: 转换选项为 Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: 转换选项为现有 PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: 转换链接目标为 Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: 转换链接目标为现有 PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 控制台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: 雅虎WIDGET - {6354ABE6-05F1-49ed-B850-E423120EC338} - http://cn.widget.yah....htm?source=Cns (file missing)
O9 - Extra button: Skype add-on - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: 信息检索 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: 词霸 - {9A687CA6-D585-4947-9ED9-BE96071F5CD9} - C:\PROGRA~1\Kingsoft\POWERW~1\XDictExB.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {A3CD7F74-93C9-4BC4-B892-CCDF1514F714} (Submit Class) - https://pbank.95559....nk/ocx/safe.cab
O16 - DPF: {ECCBA956-80E5-11D3-9285-0080ADB811C9} (safeInput Class) - https://pbank.95559....fe_bankcomm.cab
O18 - Protocol: dic - {C21F5C32-F57A-4A0D-8E0A-B672691C52D0} - C:\PROGRA~1\Kingsoft\POWERW~1\XDictExB.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ImpsSensor - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: RavService - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\RavService.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\Ravmond.exe

--
End of file - 6521 bytes

#17
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Looks like most of the runners have gone. Let's try ComboFix again: delete the copy you have at the moment and download a new version. How is your system now, any noticeable improvement?

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Again, if that does not work I would like you to run SUPERAntiSpyware.

  • On the first page select Check for Updates
  • On completion select SCAN YOUR COMPUTER
  • On the next page select COMPLETE SCAN and tick ALL your drives
  • The next stage will take a while as your entire drive(s), memory and registry are scanned
  • When it has completed click NEXT
  • The next screen shows the problems found click OK
  • On the next screen place a tick against all items and select NEXT
  • Now, to get the log, go to the PREFERENCES button at the bottom right
  • Select the STATISTICS/LOG tab
  • Highlight the scan just completed and click VIEW LOG
  • This will open a Notepad text file; copy and paste this into your next reply


#18
bj2008

    Member

  • Topic Starter
  • Member
  • 15 posts
Hi

Still no luck with ComboFix. I deleted the one I have, ran a search in case it was hiding elsewhere and deleted all Combo files, re-downloaded and still no luck getting it to start (all programs are closed and not clicking the mouse), but what I do notice is that it takes a few seconds to download and the Combo folder is twice the size as previously.

Followed the rest of the instructions, attached........

superantispyware

SUPERAntiSpyware Scan Log
Generated 01/21/2008 at 04:59 PM

Application Version : 3.6.1000

Core Rules Database Version : 3384
Trace Rules Database Version: 1378

Scan type : Complete Scan
Total Scan Time : 02:58:37

Memory items scanned : 386
Memory threats detected : 0
Registry items scanned : 4735
Registry threats detected : 0
File items scanned : 82743
File threats detected : 23

Adware.Tracking Cookie

Adware.Vundo-Variant
C:\DOCUMENTS AND SETTINGS\KE\桌面\WINPFIND3U\MOVEDFILES\WINDOWS\SYSTEM32\GJGFBYC.DLL
C:\DOCUMENTS AND SETTINGS\KE\桌面\WINPFIND3U\MOVEDFILES\WINDOWS\SYSTEM32\WSZJDZX.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8152047B-A644-4F45-AEA3-2C176348448F}\RP324\A0073625.DLL

hijackthis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:25, on 2008-01-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
C:\Program Files\Rising\Rav\Ravmond.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Rising\Rav\RavStub.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Rising\Rav\RavService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\tp4mon.exe
C:\Program Files\Rising\Rav\RavTray.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [IMSCMig] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
O4 - HKLM\..\Run: [RavTray] "C:\Program Files\Rising\Rav\RavTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 转换为 Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: 转换为现有 PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: 转换选定的链接为 Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: 转换选定的链接为现有 PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: 转换选项为 Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: 转换选项为现有 PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: 转换链接目标为 Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: 转换链接目标为现有 PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 控制台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: 雅虎WIDGET - {6354ABE6-05F1-49ed-B850-E423120EC338} - http://cn.widget.yah....htm?source=Cns (file missing)
O9 - Extra button: Skype add-on - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: 信息检索 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: 词霸 - {9A687CA6-D585-4947-9ED9-BE96071F5CD9} - C:\PROGRA~1\Kingsoft\POWERW~1\XDictExB.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {A3CD7F74-93C9-4BC4-B892-CCDF1514F714} (Submit Class) - https://pbank.95559....nk/ocx/safe.cab
O16 - DPF: {ECCBA956-80E5-11D3-9285-0080ADB811C9} (safeInput Class) - https://pbank.95559....fe_bankcomm.cab
O18 - Protocol: dic - {C21F5C32-F57A-4A0D-8E0A-B672691C52D0} - C:\PROGRA~1\Kingsoft\POWERW~1\XDictExB.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ImpsSensor - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: RavService - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\RavService.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\Ravmond.exe

--
End of file - 6537 bytes

#19
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
First question: how is your computer running now?

Your log looks clean now, so we will try an online scan to see if it finds anything else.

Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#20
bj2008

    Member

  • Topic Starter
  • Member
  • 15 posts
Hi, Essexboy,

I'm back........I'm sure by now you are dreading to see my name.............smile


My laptop looks OK, I have Explorer function back, however the start-up process is still taking longer than usual. I see that Kaspersky found a few viruses (94) and 190 infections, which my AV did not pick up.............

Thanks again for your help and patience



-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, January 23, 2008 1:18:16 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 22/01/2008
Kaspersky Anti-Virus database records: 526598
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 84741
Number of viruses found: 94
Number of infected objects: 190
Number of suspicious objects: 0
Duration of the scan process: 04:58:47

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\ke\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
C:\Documents and Settings\ke\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\ke\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\ke\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\ke\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\ke\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\ke\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\ke\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\ke\桌面\avz4\avz4\Infected\2008-01-17\avz00001.dta Infected: Trojan-PSW.Win32.OnLineGames.kps skipped
C:\Documents and Settings\ke\桌面\avz4\avz4\Infected\2008-01-17\avz00002.dta Infected: Trojan-PSW.Win32.OnLineGames.kwk skipped
C:\Documents and Settings\ke\桌面\avz4\avz4\Infected\2008-01-17\avz00003.dta Infected: Trojan-PSW.Win32.OnLineGames.kwk skipped
C:\Documents and Settings\ke\桌面\avz4\avz4\Infected\2008-01-17\avz00004.dta Infected: Trojan-PSW.Win32.OnLineGames.kps skipped
C:\Documents and Settings\ke\桌面\avz4\avz4\Infected\2008-01-17\avz00005.dta Infected: Trojan-PSW.Win32.OnLineGames.nim skipped
C:\Documents and Settings\ke\桌面\avz4\avz4\Infected\2008-01-17\avz00006.dta Infected: Trojan-PSW.Win32.OnLineGames.kps skipped
C:\Documents and Settings\ke\桌面\avz4\avz4\Infected\2008-01-17\avz00007.dta Infected: Trojan-PSW.Win32.OnLineGames.nil skipped
C:\Documents and Settings\ke\桌面\avz4\avz4\Quarantine\2008-01-17\avz00001.dta Infected: Trojan-PSW.Win32.OnLineGames.nvp skipped
C:\Documents and Settings\ke\桌面\avz4\avz4\Quarantine\2008-01-17\avz00002.dta Infected: Trojan-PSW.Win32.OnLineGames.nim skipped
C:\Documents and Settings\ke\桌面\avz4\avz4\Quarantine\2008-01-17\avz00003.dta Infected: Trojan-PSW.Win32.OnLineGames.kpr skipped
C:\Documents and Settings\ke\桌面\avz4\avz4\Quarantine\2008-01-17\avz00004.dta Infected: Trojan-PSW.Win32.OnLineGames.lck skipped
C:\Documents and Settings\ke\桌面\avz4\avz4\Quarantine\2008-01-17\avz00005.dta Infected: Trojan-PSW.Win32.OnLineGames.ncp skipped
C:\Documents and Settings\ke\桌面\WinPFind3u\MovedFiles\WINDOWS\Fonts\avwgjmn.dll Infected: Trojan-PSW.Win32.OnLineGames.nsu skipped
C:\Documents and Settings\ke\桌面\WinPFind3u\MovedFiles\WINDOWS\Fonts\avwlkmn.dll Infected: Trojan-PSW.Win32.OnLineGames.och skipped
C:\Documents and Settings\ke\桌面\WinPFind3u\MovedFiles\WINDOWS\Fonts\avzxnmn.dll Infected: Trojan-PSW.Win32.OnLineGames.nvp skipped
C:\Documents and Settings\ke\桌面\WinPFind3u\MovedFiles\WINDOWS\Fonts\gjcsdyc.dll Infected: Trojan-PSW.Win32.OnLineGames.nct skipped
C:\Documents and Settings\ke\桌面\WinPFind3u\MovedFiles\WINDOWS\Fonts\gjfhbyc.dll Infected: Trojan-PSW.Win32.OnLineGames.nnk skipped
C:\Documents and Settings\ke\桌面\WinPFind3u\MovedFiles\WINDOWS\Fonts\hookhelp.dll Infected: Trojan-PSW.Win32.OnLineGames.oat skipped
C:\Documents and Settings\ke\桌面\WinPFind3u\MovedFiles\WINDOWS\Fonts\kaqhmzy.dll Infected: Trojan-PSW.Win32.OnLineGames.nwy skipped
C:\Documents and Settings\ke\桌面\WinPFind3u\MovedFiles\WINDOWS\Fonts\kawdjzy.dll Infected: Trojan-PSW.Win32.OnLineGames.odc skipped
C:\Documents and Settings\ke\桌面\WinPFind3u\MovedFiles\WINDOWS\Fonts\kvdxsoma.dll Infected: Trojan-PSW.Win32.OnLineGames.nna skipped
C:\Documents and Settings\ke\桌面\WinPFind3u\MovedFiles\WINDOWS\Fonts\okmhfzy.dll Infected: Trojan-PSW.Win32.OnLineGames.nxu skipped
C:\Documents and Settings\ke\桌面\WinPFind3u\MovedFiles\WINDOWS\Fonts\rarjfpi.dll Infected: Trojan-PSW.Win32.OnLineGames.nzg skipped
C:\Documents and Settings\ke\桌面\WinPFind3u\MovedFiles\WINDOWS\Fonts\ratbupi.dll Infected: Trojan-PSW.Win32.OnLineGames.nit skipped
C:\Documents and Settings\ke\桌面\WinPFind3u\MovedFiles\WINDOWS\Fonts\rsmykpm.dll Infected: Trojan-PSW.Win32.OnLineGames.nhv skipped
C:\Documents and Settings\ke\桌面\WinPFind3u\MovedFiles\WINDOWS\Fonts\swrcgzc.dll Infected: Trojan-PSW.Win32.OnLineGames.nim skipped
C:\Documents and Settings\ke\桌面\WinPFind3u\MovedFiles\WINDOWS\Fonts\wsmsfzx.dll Infected: Trojan-PSW.Win32.OnLineGames.nzi skipped
C:\Documents and Settings\ke\桌面\WinPFind3u\MovedFiles\WINDOWS\SYSTEM32\avwlhst.exe Infected: Trojan-PSW.Win32.OnLineGames.mqz skipped
C:\Documents and Settings\ke\桌面\WinPFind3u\MovedFiles\WINDOWS\SYSTEM32\avwlist.exe Infected: Trojan-PSW.Win32.OnLineGames.mqz skipped
C:\Documents and Settings\ke\桌面\WinPFind3u\MovedFiles\WINDOWS\SYSTEM32\fwoxvl.dll Infected: Trojan-PSW.Win32.OnLineGames.kvm skipped
C:\Documents and Settings\ke\桌面\WinPFind3u\MovedFiles\WINDOWS\SYSTEM32\gjcsczc.exe Infected: Trojan-PSW.Win32.OnLineGames.mqy skipped
C:\Documents and Settings\ke\桌面\WinPFind3u\MovedFiles\WINDOWS\SYSTEM32\gjfhazc.exe Infected: Trojan-PSW.Win32.OnLineGames.mul skipped
C:\Documents and Settings\ke\桌面\WinPFind3u\MovedFiles\WINDOWS\SYSTEM32\gjgfbzc.exe Infected: Trojan-PSW.Win32.OnLineGames.lub skipped
C:\Documents and Settings\ke\桌面\WinPFind3u\MovedFiles\WINDOWS\SYSTEM32\kaqhlaz.exe Infected: Trojan-PSW.Win32.OnLineGames.mwh skipped
C:\Documents and Settings\ke\桌面\WinPFind3u\MovedFiles\WINDOWS\SYSTEM32\kawdiaz.exe Infected: Trojan-PSW.Win32.OnLineGames.mwf skipped
C:\Documents and Settings\ke\桌面\WinPFind3u\MovedFiles\WINDOWS\SYSTEM32\kvdxlis.exe Infected: Trojan-PSW.Win32.OnLineGames.muz skipped
C:\Documents and Settings\ke\桌面\WinPFind3u\MovedFiles\WINDOWS\SYSTEM32\kvdxslis.exe Infected: Trojan-PSW.Win32.OnLineGames.mrb skipped
C:\Documents and Settings\ke\桌面\WinPFind3u\MovedFiles\WINDOWS\SYSTEM32\kvdxsmis.exe Infected: Trojan-PSW.Win32.OnLineGames.mwp skipped
C:\Documents and Settings\ke\桌面\WinPFind3u\MovedFiles\WINDOWS\SYSTEM32\okmhcaz.exe Infected: Trojan-PSW.Win32.OnLineGames.mrj skipped
C:\Documents and Settings\ke\桌面\WinPFind3u\MovedFiles\WINDOWS\SYSTEM32\okmhdaz.exe Infected: Trojan-PSW.Win32.OnLineGames.nbx skipped
C:\Documents and Settings\ke\桌面\WinPFind3u\MovedFiles\WINDOWS\SYSTEM32\raqjipi.dll Infected: Trojan-PSW.Win32.OnLineGames.kwt skipped
C:\Documents and Settings\ke\桌面\WinPFind3u\MovedFiles\WINDOWS\SYSTEM32\raqjitl.exe Infected: Trojan-PSW.Win32.OnLineGames.kxb skipped
C:\Documents and Settings\ke\桌面\WinPFind3u\MovedFiles\WINDOWS\SYSTEM32\ratbrtl.exe Infected: Trojan-PSW.Win32.OnLineGames.mqy skipped
C:\Documents and Settings\ke\桌面\WinPFind3u\MovedFiles\WINDOWS\SYSTEM32\ratbstl.exe Infected: Trojan-PSW.Win32.OnLineGames.mxp skipped
C:\Documents and Settings\ke\桌面\WinPFind3u\MovedFiles\WINDOWS\SYSTEM32\wsmseax.exe Infected: Trojan-PSW.Win32.OnLineGames.mws skipped
C:\Documents and Settings\ke\桌面\WinPFind3u\MovedFiles\WINDOWS\SYSTEM32\wszjdax.exe Infected: Trojan-PSW.Win32.OnLineGames.lkv skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Internet Explorer\IEXPLORE32.bbs Infected: Trojan-Spy.Win32.Delf.awx skipped
C:\Program Files\Rising\Rav\RavSoft.db Object is locked skipped
C:\Program Files\Rising\Rav\viruslog.ldb Object is locked skipped
C:\Program Files\Rising\Rav\viruslog.mdb Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\Microsoft Shared\MSInfo\System76.Ins.vir Infected: Trojan-PSW.Win32.OnLineGames.mfj skipped
C:\QooBox\Quarantine\C\Program Files\Internet Explorer\IEXPLORE32.win.vir Infected: Trojan-Spy.Win32.Delf.awx skipped
C:\QooBox\Quarantine\C\Program Files\Internet Explorer\PLUGINS\NvSys_55.Sys.vir Infected: Trojan-PSW.Win32.QQPass.aoy skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\a.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.mfj skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\avwghmn.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.mlv skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\avwghst.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.mwf skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\avzxkst.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.kqz skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\avzxlst.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.mqz skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\avzxmst.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.mwf skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\jsqxayc.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.mjx skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\kaqhlzy.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.llj skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\kawdizy.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.mmg skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\kvdxlma.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.mkx skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\LotusHlp.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.kvm skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\LYLOADER.EXE.vir Infected: Trojan-PSW.Win32.OnLineGames.kpr skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\PTSShell.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.kps skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rarjepi.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.lck skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rarjetl.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.mue skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rsmyjsp.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.nng skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\swjqbzc.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.kxt skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\swrcfzc.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.kqw skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wsmsezx.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.llg skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP323\A0073198.exe Infected: Trojan-PSW.Win32.QQPass.aoz skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP323\A0073200.exe Infected: Trojan-PSW.Win32.OnLineGames.kvn skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP323\A0073201.exe Infected: Trojan-PSW.Win32.OnLineGames.ksq skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP323\A0073202.exE Infected: Trojan-PSW.Win32.OnLineGames.kwk skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP323\A0073205.exe Infected: Trojan-PSW.Win32.OnLineGames.kqd skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP323\A0073206.exe Infected: Trojan-PSW.Win32.OnLineGames.lgn skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP323\A0073207.exe Infected: Trojan-PSW.Win32.OnLineGames.mht skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP323\A0073208.exe Infected: Trojan-PSW.Win32.OnLineGames.lwh skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP323\A0073209.exe Infected: Trojan-PSW.Win32.OnLineGames.mmc skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP323\A0073210.exe Infected: Trojan-PSW.Win32.OnLineGames.ndl skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP323\A0073212.exe Infected: Trojan-PSW.Win32.OnLineGames.ndh skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP323\A0073213.exe Infected: Trojan-PSW.Win32.OnLineGames.med skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP323\A0073214.exe Infected: Trojan-PSW.Win32.OnLineGames.ktk skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP323\A0073215.exe Infected: Trojan-PSW.Win32.OnLineGames.lwi skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP323\A0073216.exe Infected: Trojan-PSW.Win32.OnLineGames.lgn skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP323\A0073217.exe Infected: Trojan-PSW.Win32.OnLineGames.lym skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP323\A0073218.exe Infected: Trojan-PSW.Win32.OnLineGames.kpq skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP323\A0073219.exe Infected: Trojan-PSW.Win32.OnLineGames.lrc skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP323\A0073220.sys Infected: Worm.Win32.Downloader.cu skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP323\A0073224.dll Infected: not-a-virus:AdWare.Win32.Boran.e skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP323\A0073227.dll Infected: not-a-virus:AdWare.Win32.BHO.ag skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP324\A0073478.exe Infected: Trojan-PSW.Win32.OnLineGames.nbx skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP324\A0073480.exe Infected: Trojan-PSW.Win32.OnLineGames.nng skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP324\A0073483.exe Infected: Trojan-PSW.Win32.OnLineGames.mws skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP324\A0073485.exe Infected: Trojan-PSW.Win32.OnLineGames.mwh skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP324\A0073488.exe Infected: Trojan-PSW.Win32.OnLineGames.mwf skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP324\A0073489.exe Infected: Trojan-PSW.Win32.OnLineGames.mwp skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP324\A0073491.exe Infected: Trojan-PSW.Win32.OnLineGames.mwf skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP324\A0073492.exe Infected: Trojan-PSW.Win32.OnLineGames.mue skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP324\A0073497.dll Infected: Trojan-PSW.Win32.OnLineGames.ljc skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP324\A0073538.exe Infected: Trojan-PSW.Win32.OnLineGames.nbx skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP324\A0073540.exe Infected: Trojan-PSW.Win32.OnLineGames.nng skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP324\A0073543.exe Infected: Trojan-PSW.Win32.OnLineGames.mws skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP324\A0073545.exe Infected: Trojan-PSW.Win32.OnLineGames.mwh skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP324\A0073547.exe Infected: Trojan-PSW.Win32.OnLineGames.mxp skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP324\A0073549.exe Infected: Trojan-PSW.Win32.OnLineGames.mwf skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP324\A0073550.exe Infected: Trojan-PSW.Win32.OnLineGames.mwp skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP324\A0073552.exe Infected: Trojan-PSW.Win32.OnLineGames.nam skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP324\A0073554.exe Infected: Trojan-PSW.Win32.OnLineGames.mwf skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP324\A0073555.exe Infected: Trojan-PSW.Win32.OnLineGames.mue skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP324\A0073557.exe Infected: Trojan-PSW.Win32.OnLineGames.nal skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP324\A0073559.exe Infected: Trojan-PSW.Win32.OnLineGames.mqz skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP324\A0073598.exe Infected: Trojan-PSW.Win32.OnLineGames.mws skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP324\A0073600.exe Infected: Trojan-PSW.Win32.OnLineGames.mwh skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP324\A0073602.exe Infected: Trojan-PSW.Win32.OnLineGames.mwp skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP324\A0073604.exe Infected: Trojan-PSW.Win32.OnLineGames.nam skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP324\A0073608.exe Infected: Trojan-PSW.Win32.OnLineGames.mwf skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP324\A0073609.exe Infected: Trojan-PSW.Win32.OnLineGames.mue skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP324\A0073611.exe Infected: Trojan-PSW.Win32.OnLineGames.nal skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP324\A0073614.exe Infected: Trojan-PSW.Win32.OnLineGames.mwf skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP324\A0073620.dll Infected: Trojan-PSW.Win32.OnLineGames.mur skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP324\A0073621.dll Infected: Trojan-PSW.Win32.OnLineGames.llq skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP324\A0073622.dll Infected: Trojan-PSW.Win32.OnLineGames.mus skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP324\A0073623.dll Infected: Trojan-PSW.Win32.OnLineGames.mrt skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP324\A0073654.exe Infected: Trojan-PSW.Win32.OnLineGames.nio skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP324\A0073656.exe Infected: Trojan-PSW.Win32.OnLineGames.nhs skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP324\A0073658.exe Infected: Trojan-PSW.Win32.OnLineGames.mws skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP324\A0073660.exe Infected: Trojan-PSW.Win32.OnLineGames.mwh skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP324\A0073662.exe Infected: Trojan-PSW.Win32.OnLineGames.nez skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP324\A0073664.exe Infected: Trojan-PSW.Win32.OnLineGames.nga skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP324\A0073666.exe Infected: Trojan-PSW.Win32.OnLineGames.nam skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP324\A0073668.exe Infected: Trojan-PSW.Win32.OnLineGames.mwf skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP324\A0073669.exe Infected: Trojan-PSW.Win32.OnLineGames.mue skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP324\A0073671.exe Infected: Trojan-PSW.Win32.OnLineGames.nal skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP324\A0073672.exe Infected: Trojan-PSW.Win32.OnLineGames.nni skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP325\A0073711.exe Infected: Trojan-PSW.Win32.OnLineGames.mfj skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP325\A0073712.exe Infected: Trojan-PSW.Win32.OnLineGames.kqz skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP325\A0073713.exe Infected: Trojan-PSW.Win32.OnLineGames.mqz skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP325\A0073714.exe Infected: Trojan-PSW.Win32.OnLineGames.mwf skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP325\A0073789.Ins Infected: Trojan-PSW.Win32.OnLineGames.mfj skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP325\A0073825.EXE Infected: Trojan-PSW.Win32.OnLineGames.kpr skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP325\A0073826.exe Infected: Trojan-PSW.Win32.OnLineGames.mue skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP325\A0073827.dll Infected: Trojan-PSW.Win32.OnLineGames.lck skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP325\A0073828.dll Infected: Trojan-PSW.Win32.OnLineGames.kvm skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP325\A0073831.dll Infected: Trojan-PSW.Win32.OnLineGames.mlv skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP325\A0073832.dll Infected: Trojan-PSW.Win32.OnLineGames.kxt skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP325\A0073833.dll Infected: Trojan-PSW.Win32.OnLineGames.kqw skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP325\A0073834.dll Infected: Trojan-PSW.Win32.OnLineGames.llg skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP325\A0073836.dll Infected: Trojan-PSW.Win32.OnLineGames.llj skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP325\A0073837.dll Infected: Trojan-PSW.Win32.OnLineGames.mmg skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP325\A0073838.dll Infected: Trojan-PSW.Win32.OnLineGames.mjx skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP325\A0073839.dll Infected: Trojan-PSW.Win32.OnLineGames.mkx skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP325\A0073840.Sys Infected: Trojan-PSW.Win32.QQPass.aoy skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP325\A0073841.exe Infected: Trojan-PSW.Win32.OnLineGames.mwf skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP325\A0073843.exe Infected: Trojan-PSW.Win32.OnLineGames.nng skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP325\A0073861.dll Infected: Trojan-PSW.Win32.OnLineGames.mwp skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP326\A0074092.exe Infected: Trojan-PSW.Win32.OnLineGames.nio skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP326\A0074093.exe Infected: Trojan-PSW.Win32.OnLineGames.nhs skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP326\A0074095.exe Infected: Trojan-PSW.Win32.OnLineGames.nez skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP326\A0074096.exe Infected: Trojan-PSW.Win32.OnLineGames.nil skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP326\A0074098.exe Infected: Trojan-PSW.Win32.OnLineGames.nal skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP326\A0074099.exe Infected: Trojan-PSW.Win32.OnLineGames.nni skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP326\A0074100.exe Infected: Trojan-PSW.Win32.OnLineGames.nkn skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP326\A0074106.dll Infected: Trojan-PSW.Win32.OnLineGames.ncp skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP328\A0074252.exe Infected: Trojan-PSW.Win32.OnLineGames.nil skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP330\A0074500.dll Infected: Trojan-PSW.Win32.OnLineGames.luq skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP330\A0074501.dll Infected: Trojan-PSW.Win32.OnLineGames.llm skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP331\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Fonts\avwgjst.exe Infected: Trojan-PSW.Win32.OnLineGames.nzd skipped
C:\WINDOWS\Fonts\avwljst.exe Infected: Trojan-PSW.Win32.OnLineGames.nam skipped
C:\WINDOWS\Fonts\avwlkst.exe Infected: Trojan-PSW.Win32.OnLineGames.nzd skipped
C:\WINDOWS\Fonts\gjcsdzc.exe Infected: Trojan-PSW.Win32.OnLineGames.nxo skipped
C:\WINDOWS\Fonts\kaqhmaz.exe Infected: Trojan-PSW.Win32.OnLineGames.nzc skipped
C:\WINDOWS\Fonts\kawdjaz.exe Infected: Trojan-PSW.Win32.OnLineGames.nzk skipped
C:\WINDOWS\Fonts\kvdxmis.exe Infected: Trojan-PSW.Win32.OnLineGames.obr skipped
C:\WINDOWS\Fonts\kvdxsois.exe Infected: Trojan-PSW.Win32.OnLineGames.nzk skipped
C:\WINDOWS\Fonts\okmhfaz.exe Infected: Trojan-PSW.Win32.OnLineGames.nzc skipped
C:\WINDOWS\Fonts\rarjftl.exe Infected: Trojan-PSW.Win32.OnLineGames.nzd skipped
C:\WINDOWS\Fonts\ratbutl.exe Infected: Trojan-PSW.Win32.OnLineGames.nzc skipped
C:\WINDOWS\Fonts\rsmyksp.exe Infected: Trojan-PSW.Win32.OnLineGames.nzh skipped
C:\WINDOWS\Fonts\swrcgac.exe Infected: Trojan-PSW.Win32.OnLineGames.oee skipped
C:\WINDOWS\Fonts\wsmsfax.exe Infected: Trojan-PSW.Win32.OnLineGames.nzc skipped
C:\WINDOWS\RSBDBACKUP.DLL Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\JET1.tmp Object is locked skipped
C:\WINDOWS\Temp\JET26A4.tmp Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_500.dat Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\_OTMoveIt\MovedFiles\01172008_145137\WINDOWS\Fonts\kvdxmma.dll Infected: Trojan-PSW.Win32.OnLineGames.obr skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\RECYCLER\S-1-5-21-1659004503-842925246-1202660629-1003\De8\HA-Kmplayer726fix.exe/file862 Infected: Trojan-Downloader.Win32.Adload.cz skipped
E:\RECYCLER\S-1-5-21-1659004503-842925246-1202660629-1003\De8\HA-Kmplayer726fix.exe Inno: infected - 1 skipped
E:\RECYCLER\S-1-5-21-1659004503-842925246-1202660629-1003\De9.zip/HA-Kmplayer726fix.exe/file862 Infected: Trojan-Downloader.Win32.Adload.cz skipped
E:\RECYCLER\S-1-5-21-1659004503-842925246-1202660629-1003\De9.zip/HA-Kmplayer726fix.exe Infected: Trojan-Downloader.Win32.Adload.cz skipped
E:\RECYCLER\S-1-5-21-1659004503-842925246-1202660629-1003\De9.zip ZIP: infected - 2 skipped
E:\StormCodec6.04.08暴风影音.exe/stream/data0023/data0003 Infected: not-a-virus:AdWare.Win32.Boran.e skipped
E:\StormCodec6.04.08暴风影音.exe/stream/data0023 Infected: not-a-virus:AdWare.Win32.Boran.e skipped
E:\StormCodec6.04.08暴风影音.exe/stream Infected: not-a-virus:AdWare.Win32.Boran.e skipped
E:\StormCodec6.04.08暴风影音.exe NSIS: infected - 3 skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
  • 0

#21
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts

I'm back........I'm sure by now you are dreading to see my name.............smile

No, actually, as it is going better than I thought. A lot of the stuff Kaspersky found was already quarantined or in System Restore, and ComboFix had done some work (C:\QooBox\Quarantine\).

  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Program Files\Internet Explorer\IEXPLORE32.bbs 
    C:\WINDOWS\Fonts\avwgjst.exe 
    C:\WINDOWS\Fonts\avwljst.exe 
    C:\WINDOWS\Fonts\avwlkst.exe 
    C:\WINDOWS\Fonts\gjcsdzc.exe 
    C:\WINDOWS\Fonts\kaqhmaz.exe 
    C:\WINDOWS\Fonts\kawdjaz.exe 
    C:\WINDOWS\Fonts\kvdxmis.exe 
    C:\WINDOWS\Fonts\kvdxsois.exe 
    C:\WINDOWS\Fonts\okmhfaz.exe 
    C:\WINDOWS\Fonts\rarjftl.exe 
    C:\WINDOWS\Fonts\ratbutl.exe 
    C:\WINDOWS\Fonts\rsmyksp.exe 
    C:\WINDOWS\Fonts\swrcgac.exe 
    C:\WINDOWS\Fonts\wsmsfax.exe 
    E:\StormCodec6.04.08暴风影音.exe
    E:\StormCodec6.04.08暴风影音.exe
    E:\StormCodec6.04.08暴风影音.exe
    E:\StormCodec6.04.08暴风影音.exe
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If you could follow this up with one more WinPFind run to do a double check.

  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and attach the log. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.

Logs this time : OTMoveit and Winpfind
  • 0
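Essexboy's triage above (most of the Kaspersky hits sit in ComboFix's quarantine or in System Restore, so only the files still live on disk need to go to OTMoveIt) is easy to automate for a long log. The following is an added example, not code from this thread or from Kaspersky, ComboFix or OTMoveIt. The sample lines are copied from the Kaspersky log posted earlier in the thread; the path patterns used to recognise quarantine, restore-point and recycle-bin locations are assumptions taken from that log, and the category names are my own.

```python
import re
from collections import defaultdict

# Sample lines copied from the Kaspersky log posted earlier in this thread.
SAMPLE_LOG = r"""
C:\QooBox\Quarantine\C\WINDOWS\system32\kaqhlzy.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.llj skipped
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP323\A0073198.exe Infected: Trojan-PSW.Win32.QQPass.aoz skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\Fonts\avwgjst.exe Infected: Trojan-PSW.Win32.OnLineGames.nzd skipped
C:\WINDOWS\Fonts\kvdxmis.exe Infected: Trojan-PSW.Win32.OnLineGames.obr skipped
C:\_OTMoveIt\MovedFiles\01172008_145137\WINDOWS\Fonts\kvdxmma.dll Infected: Trojan-PSW.Win32.OnLineGames.obr skipped
E:\RECYCLER\S-1-5-21-1659004503-842925246-1202660629-1003\De9.zip/HA-Kmplayer726fix.exe Infected: Trojan-Downloader.Win32.Adload.cz skipped
E:\RECYCLER\S-1-5-21-1659004503-842925246-1202660629-1003\De9.zip ZIP: infected - 2 skipped
E:\StormCodec6.04.08暴风影音.exe/stream Infected: not-a-virus:AdWare.Win32.Boran.e skipped
E:\StormCodec6.04.08暴风影音.exe NSIS: infected - 3 skipped
Scan process completed.
"""

# The three line shapes that appear in the log: a named detection, a locked
# object, and an archive-level summary such as "ZIP: infected - 2".
# The path is matched lazily because it may contain spaces.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:Infected: (?P<name>\S+)"
    r"|Object is locked"
    r"|(?P<archive>[A-Za-z]+): infected - (?P<count>\d+))"
    r" skipped$"
)

# Assumed location patterns, taken from the paths in the posted log.
QUARANTINE_MARKERS = ("\\qoobox\\quarantine\\", "\\_otmoveit\\movedfiles\\")
RESTORE_MARKER = "\\system volume information\\_restore"
RECYCLE_MARKER = "\\recycler\\"


def parse_line(line):
    """Return (path, status, detection) for a finding line, or None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    if m.group("name"):
        return path, "infected", m.group("name")
    if m.group("archive"):
        label = f"{m.group('archive')} container ({m.group('count')} infected members)"
        return path, "infected", label
    return path, "locked", None


def classify(path):
    """Bucket a detection by where the file sits, which decides the response."""
    p = path.lower()
    if any(marker in p for marker in QUARANTINE_MARKERS):
        return "quarantine"      # already neutralised by ComboFix / OTMoveIt
    if RESTORE_MARKER in p:
        return "restore_point"   # cleared by purging System Restore later
    if RECYCLE_MARKER in p:
        return "recycle_bin"     # cleared by emptying the bin
    return "live"                # still on disk: this needs removal


def triage(log_text):
    """Group every finding as {category: [(path, detection), ...]}."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        path, status, detection = parsed
        category = "locked" if status == "locked" else classify(path)
        groups[category].append((path, detection))
    return dict(groups)


def live_containers(log_text):
    """Deduplicated on-disk files that still carry a detection.

    Kaspersky reports archive members as "container/member"; collapsing to the
    container gives the list that is actually handed to the removal tool.
    """
    seen = []
    for path, _ in triage(log_text).get("live", []):
        container = path.split("/", 1)[0]
        if container not in seen:
            seen.append(container)
    return seen


if __name__ == "__main__":
    for category, items in sorted(triage(SAMPLE_LOG).items()):
        print(f"{category}: {len(items)}")
    print("to remove:")
    for path in live_containers(SAMPLE_LOG):
        print("   ", path)
```

Run against the sample, the only "live" entries are the C:\WINDOWS\Fonts executables and the StormCodec installer, which is exactly the set Essexboy put in the OTMoveIt list; the quarantine and restore-point hits are reported but not acted on, and locked system files (SAM, event logs) are listed separately because "Object is locked" is normal for files Windows holds open, not a detection.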

#22
bj2008

    Member

  • Topic Starter
  • Member
  • 15 posts
Hi Essexboy, here is the stuff you require:


OTMoveit


C:\Program Files\Internet Explorer\IEXPLORE32.bbs moved successfully.
C:\WINDOWS\Fonts\avwgjst.exe moved successfully.
C:\WINDOWS\Fonts\avwljst.exe moved successfully.
C:\WINDOWS\Fonts\avwlkst.exe moved successfully.
C:\WINDOWS\Fonts\gjcsdzc.exe moved successfully.
C:\WINDOWS\Fonts\kaqhmaz.exe moved successfully.
C:\WINDOWS\Fonts\kawdjaz.exe moved successfully.
C:\WINDOWS\Fonts\kvdxmis.exe moved successfully.
C:\WINDOWS\Fonts\kvdxsois.exe moved successfully.
C:\WINDOWS\Fonts\okmhfaz.exe moved successfully.
C:\WINDOWS\Fonts\rarjftl.exe moved successfully.
C:\WINDOWS\Fonts\ratbutl.exe moved successfully.
C:\WINDOWS\Fonts\rsmyksp.exe moved successfully.
C:\WINDOWS\Fonts\swrcgac.exe moved successfully.
C:\WINDOWS\Fonts\wsmsfax.exe moved successfully.
File/Folder E:\StormCodec6.04.08暴风影音.exe not found. (these four I had deleted before running the software)
File/Folder E:\StormCodec6.04.08暴风影音.exe not found.
File/Folder E:\StormCodec6.04.08暴风影音.exe not found.
File/Folder E:\StormCodec6.04.08暴风影音.exe not found.

OTMoveIt2 v1.0.7 log created on 01242008_142151




Winpfind


WinPFind3 logfile created on: 2008-01-25 02:50:08
WinPFind3U by OldTimer - Version 1.0.44 Folder = C:\Documents and Settings\ke\桌面\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2180)

254.98 Mb Total Physical Memory | 147.89 Mb Available Physical Memory | 58.00% Memory free
929.86 Mb Paging File | 554.76 Mb Available in Paging File | 59.66% Paging File free
Paging file location(s): C:\pagefile.sys 384 768;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 14.65 Gb Total Space | 3.30 Gb Free Space | 22.51% Space Free
Drive D: | 19.53 Gb Total Space | 0.54 Gb Free Space | 2.77% Space Free
Drive E: | 3.08 Gb Total Space | 0.28 Gb Free Space | 9.20% Space Free
F: Drive not present or media not loaded

Computer Name: 何向宇
Current User Name: ke
Logged in as Administrator.
Current Boot Mode: Normal


[Processes - Non-Microsoft Only]
acrotray.exe -> %ProgramFiles%\Adobe\Acrobat 7.0\Distillr\acrotray.exe -> Adobe Systems Inc. [Ver = 6.0.1.2004121400 | Size = 483328 bytes | Modified Date = 2004-12-14 02:12:02 | Attr = ]
avgas.exe -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\avgas.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 43 | Size = 6731312 bytes | Modified Date = 2007-06-11 17:25:42 | Attr = ]
ccenter.exe -> %ProgramFiles%\Rising\Rav\CCenter.exe -> Beijing Rising Technology Co., Ltd. [Ver = 18, 0, 0, 3 | Size = 110592 bytes | Modified Date = 2006-10-10 10:42:44 | Attr = ]
guard.exe -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 22 | Size = 312880 bytes | Modified Date = 2007-05-30 20:31:10 | Attr = ]
ibmpmsvc.exe -> %System32%\ibmpmsvc.exe -> [Ver = | Size = 57344 bytes | Modified Date = 2003-07-03 01:25:00 | Attr = ]
issch.exe -> %CommonProgramFiles%\InstallShield\UpdateService\issch.exe -> Macrovision Corporation [Ver = 4, 60, 100, 37068 | Size = 81920 bytes | Modified Date = 2005-08-11 15:30:30 | Attr = ]
jucheck.exe -> %ProgramFiles%\Java\jre1.5.0_09\bin\jucheck.exe -> Sun Microsystems, Inc. [Ver = 5.0.90.3 | Size = 241775 bytes | Modified Date = 2006-10-12 03:10:54 | Attr = ]
jusched.exe -> %ProgramFiles%\Java\jre1.5.0_09\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 5.0.90.3 | Size = 49263 bytes | Modified Date = 2006-10-12 03:10:54 | Attr = ]
ravmond.exe -> %ProgramFiles%\Rising\Rav\RavMonD.exe -> Beijing Rising Technology Co., Ltd. [Ver = 19, 0, 0, 41 | Size = 278528 bytes | Modified Date = 2007-01-12 11:01:02 | Attr = ]
ravservice.exe -> %ProgramFiles%\Rising\Rav\RavService.exe -> Beijing Rising Technology Co., Ltd. [Ver = 19, 0, 0, 55 | Size = 1286144 bytes | Modified Date = 2007-05-21 08:31:26 | Attr = ]
ravstub.exe -> %ProgramFiles%\Rising\Rav\RavStub.exe -> Beijing Rising Technology Co., Ltd. [Ver = 19, 0, 0, 4 | Size = 90112 bytes | Modified Date = 2007-01-12 11:01:04 | Attr = ]
ravtray.exe -> %ProgramFiles%\Rising\Rav\RavTray.exe -> Rising [Ver = 19, 0, 0, 16 | Size = 876544 bytes | Modified Date = 2007-03-20 08:31:04 | Attr = ]
superantispyware.exe -> %ProgramFiles%\SUPERAntiSpyware\SUPERAntiSpyware.exe -> SUPERAntiSpyware.com [Ver = 3, 6, 0, 1000 | Size = 1310720 bytes | Modified Date = 2007-02-27 11:39:26 | Attr = ]
tp4mon.exe -> %System32%\tp4mon.exe -> IBM Corporation [Ver = 6.03 (xpsp_sp2_rtm.040803-2158) | Size = 82432 bytes | Modified Date = 2004-08-04 00:52:38 | Attr = ]
winpfind3u.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.44.0 | Size = 371200 bytes | Modified Date = 2007-11-21 09:19:46 | Attr = ]
wpservice.exe -> %ProgramFiles%\CMBCHINA\WebProtect\WPService.exe -> China Merchants Bank [Ver = 1, 0, 0, 1 | Size = 232848 bytes | Modified Date = 2007-08-27 16:35:42 | Attr = ]

[Win32 Services - Non-Microsoft Only]
(Adobe LM Service) Adobe LM Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Adobe Systems Shared\Service\Adobelmsvc.exe -> Adobe Systems [Ver = 2.65.010 | Size = 69632 bytes | Modified Date = 2006-12-30 16:35:00 | Attr = ]
(AVG Anti-Spyware Guard) AVG Anti-Spyware Guard [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 22 | Size = 312880 bytes | Modified Date = 2007-05-30 20:31:10 | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 223744 bytes | Modified Date = 2004-08-08 11:33:54 | Attr = ]
(IBMPMSVC) IBM PM Service [Win32_Own | Auto | Running] -> %System32%\ibmpmsvc.exe -> [Ver = | Size = 57344 bytes | Modified Date = 2003-07-03 01:25:00 | Attr = ]
(RavService) RavService [Win32_Own | Auto | Running] -> %ProgramFiles%\Rising\Rav\RavService.exe -> Beijing Rising Technology Co., Ltd. [Ver = 19, 0, 0, 55 | Size = 1286144 bytes | Modified Date = 2007-05-21 08:31:26 | Attr = ]
(RsCCenter) Rising Process Communication Center [Win32_Own | Auto | Running] -> %ProgramFiles%\Rising\Rav\CCenter.exe -> Beijing Rising Technology Co., Ltd. [Ver = 18, 0, 0, 3 | Size = 110592 bytes | Modified Date = 2006-10-10 10:42:44 | Attr = ]
(RsRavMon) RsRavMon Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Rising\Rav\RavMonD.exe -> Beijing Rising Technology Co., Ltd. [Ver = 19, 0, 0, 41 | Size = 278528 bytes | Modified Date = 2007-01-12 11:01:02 | Attr = ]
(CMBWPS) Cmb WebProtect Support [Win32_Own | Auto | Running] -> %ProgramFiles%\CMBCHINA\WebProtect\WPService.exe -> China Merchants Bank [Ver = 1, 0, 0, 1 | Size = 232848 bytes | Modified Date = 2007-08-27 16:35:42 | Attr = ]

[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
!AVG Anti-Spyware -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\avgas.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 43 | Size = 6731312 bytes | Modified Date = 2007-06-11 17:25:42 | Attr = ]
Acrobat Assistant 7.0 -> %ProgramFiles%\Adobe\Acrobat 7.0\Distillr\acrotray.exe -> Adobe Systems Inc. [Ver = 6.0.1.2004121400 | Size = 483328 bytes | Modified Date = 2004-12-14 02:12:02 | Attr = ]
ISUSPM Startup -> %CommonProgramFiles%\InstallShield\UpdateService\isuspm.exe -> File not found
ISUSScheduler -> %CommonProgramFiles%\InstallShield\UpdateService\issch.exe -> Macrovision Corporation [Ver = 4, 60, 100, 37068 | Size = 81920 bytes | Modified Date = 2005-08-11 15:30:30 | Attr = ]
RavTray -> %ProgramFiles%\Rising\Rav\RavTray.exe -> Rising [Ver = 19, 0, 0, 16 | Size = 876544 bytes | Modified Date = 2007-03-20 08:31:04 | Attr = ]
SunJavaUpdateSched -> %ProgramFiles%\Java\jre1.5.0_09\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 5.0.90.3 | Size = 49263 bytes | Modified Date = 2006-10-12 03:10:54 | Attr = ]
TrackPointSrv -> %System32%\tp4mon.exe -> IBM Corporation [Ver = 6.03 (xpsp_sp2_rtm.040803-2158) | Size = 82432 bytes | Modified Date = 2004-08-04 00:52:38 | Attr = ]
< OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ ->
IMAIL -> Installed = 1 ->
MAPI -> Installed = 1 ->
MSFS -> Installed = 1 ->
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
SUPERAntiSpyware -> %ProgramFiles%\SUPERAntiSpyware\SUPERAntiSpyware.exe -> SUPERAntiSpyware.com [Ver = 3, 6, 0, 1000 | Size = 1310720 bytes | Modified Date = 2007-02-27 11:39:26 | Attr = ]
< ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks ->
{32CD708B-60A7-4C00-9377-D73EAA495F0F} [HKLM] -> %System32%\RavExt.dll [Rising Execute File Exts hook] -> Beijing Rising Technology Co., Ltd. [Ver = 19, 0, 0, 7 | Size = 106496 bytes | Modified Date = 2007-01-12 11:01:00 | Attr = ]
{57B86673-276A-48B2-BAE7-C6DBB3020EB8} [HKLM] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll [AVG Anti-Spyware 7.5] -> GRISOFT s.r.o. [Ver = 7, 5, 1, 36 | Size = 79408 bytes | Modified Date = 2007-05-30 20:29:58 | Attr = ]
{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} [HKLM] -> %ProgramFiles%\SUPERAntiSpyware\SASSEH.DLL [] -> SuperAdBlocker.com [Ver = 1, 0, 0, 1008 | Size = 77824 bytes | Modified Date = 2006-12-20 12:55:48 | Attr = ]
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ->
!SASWinLogon -> %ProgramFiles%\SUPERAntiSpyware\SASWINLO.dll -> SUPERAntiSpyware.com [Ver = 1, 0, 0, 1030 | Size = 282624 bytes | Modified Date = 2007-02-27 11:39:26 | Attr = ]
ImpsSensor -> Reg Data - Value does not exist -> File not found
< CurrentVersion Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveAutoRun -> 67108863 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 255 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WindowsUpdate\ -> ->
< CurrentVersion Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WindowsUpdate\ -> ->
< HOSTS File > (27 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
127.0.0.1 localhost -> ->
< Internet Explorer Settings > -> ->
HKLM: Default_Page_URL -> http://www.microsoft...p...&ar=msnhome ->
HKLM: Main\\Default_Search_URL -> http://www.microsoft...amp;ar=iesearch ->
HKLM: Local Page -> %SystemRoot%\system32\blank.htm ->
HKLM: Search Page -> http://www.yahoo.com.cn ->
HKLM: Start Page -> http://www.microsoft...p...ER}&ar=home ->
HKLM: CustomizeSearch -> http://ie.search.msn...st/srchcust.htm ->
HKLM: SearchAssistant -> http://ie.search.msn...st/srchasst.htm ->
HKCU: Local Page -> C:\WINDOWS\system32\blank.htm ->
HKCU: Search Page -> http://www.microsoft...amp;ar=iesearch ->
HKCU: Start Page -> about:blank ->
HKCU: ProxyEnable -> 0 ->
< Trusted Sites > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
msn.com [ - ] -> ->
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{53763D1D-9CA8-4C7C-9756-A8E6B8FC063B} [HKLM] -> %ProgramFiles%\CMBCHINA\WebProtect\WebProtect.dll [WebProtect] -> China Merchants Bank [Ver = 1, 0, 0, 1 | Size = 341904 bytes | Modified Date = 2007-08-20 16:15:10 | Attr = ]
< Internet Explorer Bars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ ->
{182EC0BE-5110-49C8-A062-BEB1D02A220B} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> Adobe Systems Incorporated [Ver = 7.0.0.0 | Size = 225280 bytes | Modified Date = 2004-12-14 02:13:40 | Attr = ]
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
{47833539-D0C5-4125-9FA8-0819E2EAAC93} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> Adobe Systems Incorporated [Ver = 7.0.0.0 | Size = 225280 bytes | Modified Date = 2004-12-14 02:13:40 | Attr = ]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> Adobe Systems Incorporated [Ver = 7.0.0.0 | Size = 225280 bytes | Modified Date = 2004-12-14 02:13:40 | Attr = ]
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.5.0_09\bin\npjpi150_09.dll [MenuText: Sun Java 控制台] -> Sun Microsystems, Inc. [Ver = 5.0.90.3 | Size = 69746 bytes | Modified Date = 2006-10-12 03:25:44 | Attr = ]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKCU] -> %ProgramFiles%\Java\jre1.5.0_09\bin\ssv.dll [MenuText: Sun Java 控制台] -> Sun Microsystems, Inc. [Ver = 5.0.90.3 | Size = 434279 bytes | Modified Date = 2006-10-12 03:25:44 | Attr = ]
{6354ABE6-05F1-49ed-B850-E423120EC338} -> http:\cn.widget.yahoo.com\index.htm [ButtonText: 雅虎WIDGET] -> File not found
{77BF5300-1474-4EC7-9980-D32B190E9B07} -> Reg Data - Value does not exist [ButtonText: Skype add-on] -> File not found
{92780B25-18CC-41C8-B9BE-3C9C571A8263} -> Reg Data - Value does not exist [ButtonText: 信息检索] -> File not found
{9A687CA6-D585-4947-9ED9-BE96071F5CD9} -> Reg Data - Value does not exist [ButtonText: 词霸] -> File not found
< Internet Explorer Menu Extensions [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ ->
导出到 Microsoft Office Excel(&X) -> -> File not found
转换链接目标为 Adobe PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIECapture.htm -> File not found
转换链接目标为现有 PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIEAppend.htm -> File not found
转换为 Adobe PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIECapture.htm -> File not found
转换为现有 PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIEAppend.htm -> File not found
转换选定的链接为 Adobe PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIECaptureSelLinks.htm -> File not found
转换选定的链接为现有 PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIEAppendSelLinks.htm -> File not found
转换选项为 Adobe PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIECapture.htm -> File not found
转换选项为现有 PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIEAppend.htm -> File not found
< User Agent Post Platform [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform ->
SV1 -> ->
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{56C3DBAB-E146-48C7-AF70-D062D1121807} -> (1394 网络适配器) ->
{FC2CC0B0-2629-4A3A-A7EA-DF1E225B3DAF} -> (Intel® PRO/100 VE Network Connection) ->
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ ->
dic -> %ProgramFiles%\Kingsoft\Powerword 2003\XDictExB.dll -> 金山软件股份有限公司 [Ver = 1, 0, 0, 0 | Size = 118784 bytes | Modified Date = 2003-06-02 10:19:42 | Attr = ]
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} -> Edit Class - CodeBase = https://site.cmbchin...oad/CMBEdit.cab ->
{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} -> CKAVWebScan Object - CodeBase = http://www.kaspersky...can_unicode.cab ->
{1E0DFFCF-27FF-4574-849B-55007349FEDA} -> iTrusPTA Class - CodeBase = https://img.alipay.c...101/aliedit.cab ->
{8AD9C840-044E-11D1-B3E9-00805F499D93} -> Java Plug-in 1.5.0_09 - CodeBase = http://java.sun.com/...ows-i586-jc.cab ->
{A3CD7F74-93C9-4BC4-B892-CCDF1514F714} -> Submit Class - CodeBase = https://pbank.95559....nk/ocx/safe.cab ->
{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_09 - CodeBase = http://java.sun.com/...indows-i586.cab ->
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_09 - CodeBase = http://java.sun.com/...indows-i586.cab ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} -> - CodeBase = http://download.macr...ash/swflash.cab ->
{ECCBA956-80E5-11D3-9285-0080ADB811C9} -> safeInput Class - CodeBase = https://pbank.95559....fe_bankcomm.cab ->


[Files/Folders - Created Within 30 days]
Deckard -> %SystemDrive%\Deckard -> [Folder | Created Date = 2008-01-17 00:23:07 | Attr = ]
QooBox -> %SystemDrive%\QooBox -> [Folder | Created Date = 2008-01-11 23:04:17 | Attr = ]
_OTMoveIt -> %SystemDrive%\_OTMoveIt -> [Folder | Created Date = 2008-01-17 14:51:37 | Attr = ]
erdnt -> %SystemRoot%\erdnt -> [Folder | Created Date = 2008-01-11 23:05:31 | Attr = ]
LastGood -> %SystemRoot%\LastGood -> [Folder | Created Date = 2008-01-24 21:39:39 | Attr = ]
NirCmd.exe -> %SystemRoot%\NirCmd.exe -> NirSoft [Ver = 2.00 | Size = 51200 bytes | Created Date = 2008-01-11 23:03:25 | Attr = ]
RSBDBACKUP.DLL -> %SystemRoot%\RSBDBACKUP.DLL -> [Ver = | Size = 16 bytes | Created Date = 2008-01-16 19:46:21 | Attr = ]
aliedit -> %System32%\aliedit -> [Folder | Created Date = 2008-01-24 21:39:43 | Attr = ]
Kaspersky Lab -> %System32%\Kaspersky Lab -> [Folder | Created Date = 2008-01-22 17:17:33 | Attr = ]
swreg.exe -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.11 | Size = 156160 bytes | Created Date = 2008-01-11 23:03:23 | Attr = ]
swsc.exe -> %System32%\swsc.exe -> SteelWerX [Ver = 2.0.0.5 | Size = 136704 bytes | Created Date = 2008-01-11 23:03:21 | Attr = ]
swxcacls.exe -> %System32%\swxcacls.exe -> SteelWerX [Ver = 1.0.1.1 | Size = 212480 bytes | Created Date = 2008-01-11 23:03:21 | Attr = ]
VFind.exe -> %System32%\VFind.exe -> [Ver = | Size = 49152 bytes | Created Date = 2008-01-11 23:03:22 | Attr = ]
AvgAsCln.sys -> %System32%\drivers\AvgAsCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 10872 bytes | Created Date = 2008-01-05 15:04:04 | Attr = ]

[Files/Folders - Modified Within 30 days]
Deckard -> %SystemDrive%\Deckard -> [Folder | Modified Date = 2008-01-17 00:23:08 | Attr = ]
Documents and Settings -> %SystemDrive%\Documents and Settings -> [Folder | Modified Date = 2008-01-05 17:32:26 | Attr = ]
Program Files -> %ProgramFiles% -> [Folder | Modified Date = 2008-01-24 21:55:18 | Attr = R ]
QooBox -> %SystemDrive%\QooBox -> [Folder | Modified Date = 2008-01-11 23:22:12 | Attr = ]
RAVBIN -> %SystemDrive%\RAVBIN -> [Folder | Modified Date = 2008-01-21 13:46:36 | Attr = RH ]
sqmdata00.sqm -> %SystemDrive%\sqmdata00.sqm -> [Ver = | Size = 268 bytes | Modified Date = 2008-01-17 15:50:24 | Attr = H ]
sqmdata01.sqm -> %SystemDrive%\sqmdata01.sqm -> [Ver = | Size = 268 bytes | Modified Date = 2008-01-17 23:01:58 | Attr = H ]
sqmdata02.sqm -> %SystemDrive%\sqmdata02.sqm -> [Ver = | Size = 268 bytes | Modified Date = 2008-01-18 09:49:00 | Attr = H ]
sqmdata03.sqm -> %SystemDrive%\sqmdata03.sqm -> [Ver = | Size = 268 bytes | Modified Date = 2008-01-18 14:20:20 | Attr = H ]
sqmdata04.sqm -> %SystemDrive%\sqmdata04.sqm -> [Ver = | Size = 268 bytes | Modified Date = 2008-01-18 16:32:58 | Attr = H ]
sqmdata05.sqm -> %SystemDrive%\sqmdata05.sqm -> [Ver = | Size = 268 bytes | Modified Date = 2008-01-19 09:13:16 | Attr = H ]
sqmdata06.sqm -> %SystemDrive%\sqmdata06.sqm -> [Ver = | Size = 268 bytes | Modified Date = 2008-01-19 18:37:20 | Attr = H ]
sqmdata07.sqm -> %SystemDrive%\sqmdata07.sqm -> [Ver = | Size = 268 bytes | Modified Date = 2008-01-19 23:50:30 | Attr = H ]
sqmdata08.sqm -> %SystemDrive%\sqmdata08.sqm -> [Ver = | Size = 268 bytes | Modified Date = 2008-01-20 03:16:32 | Attr = H ]
sqmdata09.sqm -> %SystemDrive%\sqmdata09.sqm -> [Ver = | Size = 268 bytes | Modified Date = 2008-01-20 12:20:42 | Attr = H ]
sqmdata10.sqm -> %SystemDrive%\sqmdata10.sqm -> [Ver = | Size = 268 bytes | Modified Date = 2008-01-21 13:36:08 | Attr = H ]
sqmdata11.sqm -> %SystemDrive%\sqmdata11.sqm -> [Ver = | Size = 268 bytes | Modified Date = 2008-01-22 16:17:52 | Attr = H ]
sqmdata12.sqm -> %SystemDrive%\sqmdata12.sqm -> [Ver = | Size = 268 bytes | Modified Date = 2008-01-23 11:22:50 | Attr = H ]
sqmdata13.sqm -> %SystemDrive%\sqmdata13.sqm -> [Ver = | Size = 268 bytes | Modified Date = 2008-01-05 14:32:50 | Attr = H ]
sqmdata14.sqm -> %SystemDrive%\sqmdata14.sqm -> [Ver = | Size = 268 bytes | Modified Date = 2008-01-13 21:06:16 | Attr = H ]
sqmdata15.sqm -> %SystemDrive%\sqmdata15.sqm -> [Ver = | Size = 268 bytes | Modified Date = 2008-01-14 11:34:56 | Attr = H ]
sqmdata16.sqm -> %SystemDrive%\sqmdata16.sqm -> [Ver = | Size = 268 bytes | Modified Date = 2008-01-15 10:53:46 | Attr = H ]
sqmdata17.sqm -> %SystemDrive%\sqmdata17.sqm -> [Ver = | Size = 268 bytes | Modified Date = 2008-01-16 18:24:04 | Attr = H ]
sqmdata18.sqm -> %SystemDrive%\sqmdata18.sqm -> [Ver = | Size = 268 bytes | Modified Date = 2008-01-16 19:49:32 | Attr = H ]
sqmdata19.sqm -> %SystemDrive%\sqmdata19.sqm -> [Ver = | Size = 268 bytes | Modified Date = 2008-01-17 11:24:26 | Attr = H ]
sqmnoopt00.sqm -> %SystemDrive%\sqmnoopt00.sqm -> [Ver = | Size = 244 bytes | Modified Date = 2008-01-17 11:24:26 | Attr = H ]
sqmnoopt01.sqm -> %SystemDrive%\sqmnoopt01.sqm -> [Ver = | Size = 244 bytes | Modified Date = 2008-01-17 15:50:24 | Attr = H ]
sqmnoopt02.sqm -> %SystemDrive%\sqmnoopt02.sqm -> [Ver = | Size = 244 bytes | Modified Date = 2008-01-17 23:01:58 | Attr = H ]
sqmnoopt03.sqm -> %SystemDrive%\sqmnoopt03.sqm -> [Ver = | Size = 244 bytes | Modified Date = 2008-01-18 09:48:58 | Attr = H ]
sqmnoopt04.sqm -> %SystemDrive%\sqmnoopt04.sqm -> [Ver = | Size = 244 bytes | Modified Date = 2008-01-18 14:20:20 | Attr = H ]
sqmnoopt05.sqm -> %SystemDrive%\sqmnoopt05.sqm -> [Ver = | Size = 244 bytes | Modified Date = 2008-01-18 16:32:58 | Attr = H ]
sqmnoopt06.sqm -> %SystemDrive%\sqmnoopt06.sqm -> [Ver = | Size = 244 bytes | Modified Date = 2008-01-19 09:13:16 | Attr = H ]
sqmnoopt07.sqm -> %SystemDrive%\sqmnoopt07.sqm -> [Ver = | Size = 244 bytes | Modified Date = 2008-01-19 18:37:20 | Attr = H ]
sqmnoopt08.sqm -> %SystemDrive%\sqmnoopt08.sqm -> [Ver = | Size = 244 bytes | Modified Date = 2008-01-19 23:50:30 | Attr = H ]
sqmnoopt09.sqm -> %SystemDrive%\sqmnoopt09.sqm -> [Ver = | Size = 244 bytes | Modified Date = 2008-01-20 03:16:32 | Attr = H ]
sqmnoopt10.sqm -> %SystemDrive%\sqmnoopt10.sqm -> [Ver = | Size = 244 bytes | Modified Date = 2008-01-20 12:20:42 | Attr = H ]
sqmnoopt11.sqm -> %SystemDrive%\sqmnoopt11.sqm -> [Ver = | Size = 244 bytes | Modified Date = 2008-01-21 13:36:08 | Attr = H ]
sqmnoopt12.sqm -> %SystemDrive%\sqmnoopt12.sqm -> [Ver = | Size = 244 bytes | Modified Date = 2008-01-22 16:17:52 | Attr = H ]
sqmnoopt13.sqm -> %SystemDrive%\sqmnoopt13.sqm -> [Ver = | Size = 244 bytes | Modified Date = 2008-01-23 11:22:50 | Attr = H ]
sqmnoopt14.sqm -> %SystemDrive%\sqmnoopt14.sqm -> [Ver = | Size = 244 bytes | Modified Date = 2008-01-05 14:32:48 | Attr = H ]
sqmnoopt15.sqm -> %SystemDrive%\sqmnoopt15.sqm -> [Ver = | Size = 244 bytes | Modified Date = 2008-01-13 21:06:16 | Attr = H ]
sqmnoopt16.sqm -> %SystemDrive%\sqmnoopt16.sqm -> [Ver = | Size = 244 bytes | Modified Date = 2008-01-14 11:34:56 | Attr = H ]
sqmnoopt17.sqm -> %SystemDrive%\sqmnoopt17.sqm -> [Ver = | Size = 244 bytes | Modified Date = 2008-01-15 10:53:46 | Attr = H ]
sqmnoopt18.sqm -> %SystemDrive%\sqmnoopt18.sqm -> [Ver = | Size = 244 bytes | Modified Date = 2008-01-16 18:24:04 | Attr = H ]
sqmnoopt19.sqm -> %SystemDrive%\sqmnoopt19.sqm -> [Ver = | Size = 244 bytes | Modified Date = 2008-01-16 19:49:32 | Attr = H ]
WINDOWS -> %SystemRoot% -> [Folder | Modified Date = 2008-01-24 21:39:40 | Attr = ]
_OTMoveIt -> %SystemDrive%\_OTMoveIt -> [Folder | Modified Date = 2008-01-17 14:51:38 | Attr = ]
新建文件夹 -> %SystemDrive%\新建文件夹 -> [Folder | Modified Date = 2008-01-06 02:54:22 | Attr = ]
bootstat.dat -> %SystemRoot%\bootstat.dat -> [Ver = | Size = 2048 bytes | Modified Date = 2008-01-24 11:07:28 | Attr = S]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files -> [Folder | Modified Date = 2008-01-24 21:44:50 | Attr = S]
erdnt -> %SystemRoot%\erdnt -> [Folder | Modified Date = 2008-01-17 00:24:12 | Attr = ]
Fonts -> %SystemRoot%\Fonts -> [Folder | Modified Date = 2008-01-24 14:22:16 | Attr = R S]
inf -> %SystemRoot%\inf -> [Folder | Modified Date = 2008-01-22 17:17:34 | Attr = H ]
Installer -> %SystemRoot%\Installer -> [Folder | Modified Date = 2008-01-05 17:48:20 | Attr = HS]
LastGood -> %SystemRoot%\LastGood -> [Folder | Modified Date = 2008-01-24 21:44:48 | Attr = ]
Prefetch -> %SystemRoot%\Prefetch -> [Folder | Modified Date = 2008-01-24 21:55:28 | Attr = ]
RavTray.INI -> %SystemRoot%\RavTray.INI -> [Ver = | Size = 40 bytes | Modified Date = 2008-01-24 03:39:36 | Attr = ]
RSBDBACKUP.DLL -> %SystemRoot%\RSBDBACKUP.DLL -> [Ver = | Size = 16 bytes | Modified Date = 2008-01-24 03:39:34 | Attr = ]
system.ini -> %SystemRoot%\system.ini -> [Ver = | Size = 227 bytes | Modified Date = 2008-01-11 23:38:52 | Attr = ]
system32 -> %System32% -> [Folder | Modified Date = 2008-01-24 21:44:42 | Attr = ]
Tasks -> %SystemRoot%\Tasks -> [Folder | Modified Date = 2008-01-11 23:23:02 | Attr = S]
Temp -> %SystemRoot%\Temp -> [Folder | Modified Date = 2008-01-24 21:44:48 | Attr = ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [Ver = | Size = 6 bytes | Modified Date = 2008-01-24 11:08:04 | Attr = H ]
aliedit -> %System32%\aliedit -> [Folder | Modified Date = 2008-01-24 21:39:46 | Attr = ]
CatRoot2 -> %System32%\CatRoot2 -> [Folder | Modified Date = 2008-01-24 21:39:42 | Attr = ]
config -> %System32%\config -> [Folder | Modified Date = 2008-01-11 23:31:34 | Attr = ]
drivers -> %System32%\drivers -> [Folder | Modified Date = 2008-01-19 23:57:10 | Attr = ]
Kaspersky Lab -> %System32%\Kaspersky Lab -> [Folder | Modified Date = 2008-01-22 17:17:34 | Attr = ]
wpa.dbl -> %System32%\wpa.dbl -> [Ver = | Size = 2206 bytes | Modified Date = 2008-01-22 16:13:44 | Attr = ]
etc -> %System32%\drivers\etc -> [Folder | Modified Date = 2008-01-11 23:38:34 | Attr = ]

[File String Scan - Non-Microsoft Only]
UPX0 , -> %System32%\bseng.dll -> Beijing Rising Technology Co., Ltd. [Ver = 19, 0, 0, 13 | Size = 118784 bytes | Modified Date = 2007-01-12 11:02:42 | Attr = ]
PEC2 , -> %System32%\dfrg.msc -> [Ver = | Size = 41131 bytes | Modified Date = 2004-08-08 11:33:54 | Attr = ]
UPX0 , -> %System32%\rsbseng.dll -> Beijing Rising Technology Co., Ltd. [Ver = 19, 0, 0, 25 | Size = 120320 bytes | Modified Date = 2007-04-23 10:01:40 | Attr = ]
UPX! , UPX0 , -> %System32%\safeInput.dll -> Beijing eChannels Century Technology Co.,Ltd [Ver = 2, 3, 1, 0 | Size = 69120 bytes | Modified Date = 2006-09-25 16:32:54 | Attr = ]
UPX! , UPX0 , -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.11 | Size = 156160 bytes | Modified Date = 2000-08-31 08:00:00 | Attr = ]
UPX! , UPX0 , -> %System32%\swsc.exe -> SteelWerX [Ver = 2.0.0.5 | Size = 136704 bytes | Modified Date = 2000-08-31 08:00:00 | Attr = ]
winsync , -> %System32%\wbdbase.deu -> [Ver = | Size = 1309184 bytes | Modified Date = 2004-08-08 11:33:54 | Attr = ]
WSUD , UPX0 , -> %System32%\dllcache\hwxjpn.dll -> [Ver = | Size = 13463552 bytes | Modified Date = 2004-08-08 11:33:54 | Attr = ]

< End of report >
  • 0

#23
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi again - methinks we may be near the end

Start WinPFind3U. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Registry - Non-Microsoft Only]
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
YN -> {92780B25-18CC-41C8-B9BE-3C9C571A8263} -> Reg Data - Value does not exist [ButtonText: ????]
YN -> {9A687CA6-D585-4947-9ED9-BE96071F5CD9} -> Reg Data - Value does not exist [ButtonText: ??]
[Empty Temp Folders]


The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new HijackThis log.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

How is your computer now?
  • 0

#24
bj2008

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Hi, Essexboy,

I think my computer is OK now. Do I need to remove one spyware of Super or AVG?




WinPFind


[Registry - Non-Microsoft Only]
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9A687CA6-D585-4947-9ED9-BE96071F5CD9} not found.
[Empty Temp Folders]
C:\DOCUME~1\ke\LOCALS~1\Temp\ -> emptied.
C:\Documents and Settings\ke\Local Settings\Temporary Internet Files\Content.IE5\ -> emptied
RecycleBin -> emptied.
< End of log >
Created on 01-27-2008 23:58:43




Hijackthis



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:36, on 2008-01-28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
C:\Program Files\Rising\Rav\Ravmond.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Rising\Rav\RavStub.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CMBCHINA\WebProtect\WPService.exe
C:\Program Files\Rising\Rav\RavService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\tp4mon.exe
C:\Program Files\Rising\Rav\RavTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Tencent\TT\TTraveler.exe
C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: WebProtect.IEHlpObj - {53763D1D-9CA8-4C7C-9756-A8E6B8FC063B} - C:\Program Files\CMBCHINA\WebProtect\WebProtect.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [IMSCMig] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
O4 - HKLM\..\Run: [RavTray] "C:\Program Files\Rising\Rav\RavTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 转换为 Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: 转换为现有 PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: 转换选定的链接为 Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: 转换选定的链接为现有 PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: 转换选项为 Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: 转换选项为现有 PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: 转换链接目标为 Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: 转换链接目标为现有 PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 控制台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: 雅虎WIDGET - {6354ABE6-05F1-49ed-B850-E423120EC338} - http://cn.widget.yah....htm?source=Cns (file missing)
O9 - Extra button: Skype add-on - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} (Edit Class) - https://site.cmbchin...oad/CMBEdit.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {1E0DFFCF-27FF-4574-849B-55007349FEDA} (iTrusPTA Class) - https://img.alipay.c...101/aliedit.cab
O16 - DPF: {A3CD7F74-93C9-4BC4-B892-CCDF1514F714} (Submit Class) - https://pbank.95559....nk/ocx/safe.cab
O16 - DPF: {ECCBA956-80E5-11D3-9285-0080ADB811C9} (safeInput Class) - https://pbank.95559....fe_bankcomm.cab
O18 - Protocol: dic - {C21F5C32-F57A-4A0D-8E0A-B672691C52D0} - C:\PROGRA~1\Kingsoft\POWERW~1\XDictExB.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ImpsSensor - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Cmb WebProtect Support (CMBWPS) - China Merchants Bank - C:\Program Files\CMBCHINA\WebProtect\WPService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: RavService - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\RavService.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\Ravmond.exe

--
End of file - 7024 bytes
  • 0
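The helper's review of the log above comes down to reading each HijackThis line and asking whether the file it points at exists, whether a Winlogon Notify package is a real DLL, and whether a service has a known publisher. As an added example that is not part of this thread and not HijackThis's or the posters' own code, here is a small Python triage script for HijackThis-style lines. The sample lines are constructed to mirror the format in the log above (the example.invalid URL is a placeholder), and the flags it raises are prompts for manual review, not verdicts.

```python
import re

# Constructed sample of HijackThis-style lines, modelled on the format of the
# log posted above; not the poster's full log. example.invalid is a placeholder.
SAMPLE_LOG = """\
O2 - BHO: WebProtect.IEHlpObj - {53763D1D-9CA8-4C7C-9756-A8E6B8FC063B} - C:\\Program Files\\CMBCHINA\\WebProtect\\WebProtect.dll
O4 - HKLM\\..\\Run: [RavTray] "C:\\Program Files\\Rising\\Rav\\RavTray.exe"
O9 - Extra button: Example widget - {6354ABE6-05F1-49ed-B850-E423120EC338} - http://example.invalid/widget.htm (file missing)
O20 - Winlogon Notify: ImpsSensor - C:\\WINDOWS\\
O20 - Winlogon Notify: !SASWinLogon - C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\\WINDOWS\\system32\\ibmpmsvc.exe
"""

# Every HijackThis entry starts with a section tag such as O4 or O23.
LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# CLSIDs appear in braces; collecting them lets you cross-reference a fix
# (like the WinPFind3U fix above) against what the HijackThis log still shows.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_hjt(text):
    """Split HijackThis log text into entries; non-matching lines are ignored."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        entries.append({"section": m.group(1), "body": m.group(2), "raw": raw.strip()})
    return entries


def flag_entry(entry):
    """Return the review reasons for one entry (empty list means nothing stood out)."""
    section, body = entry["section"], entry["body"]
    reasons = []
    if "(file missing)" in body:
        # A registered hook whose file is gone: dead entry left by an uninstall or a removal.
        reasons.append("referenced file missing")
    if section == "O20" and body.rstrip().endswith("\\"):
        # Winlogon Notify packages load a DLL; a bare directory is an orphaned or broken entry.
        reasons.append("Winlogon Notify entry points at a directory, not a DLL")
    if section == "O23" and "Unknown owner" in body:
        # Unsigned/unknown service publisher: verify the binary by hand.
        reasons.append("service with unknown publisher")
    return reasons


def triage(text):
    """Return only the entries that need a human look, with their reasons."""
    flagged = []
    for entry in parse_hjt(text):
        reasons = flag_entry(entry)
        if reasons:
            flagged.append({"section": entry["section"], "body": entry["body"], "reasons": reasons})
    return flagged


def clsids(text):
    """Set of CLSIDs referenced anywhere in the log (O2/O3/O9/O16/O18 entries)."""
    return set(CLSID_RE.findall(text))


if __name__ == "__main__":
    for item in triage(SAMPLE_LOG):
        print(item["section"], "-", "; ".join(item["reasons"]))
        print("   ", item["body"])
```

Run against a real log, the output is a short worklist rather than a clean/dirty answer; whether an "unknown owner" service is fine (IBM's power-management service in this thread) is still a judgement call.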

#25
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi again bj2008

I think my computer is OK now. Do I need to remove one spyware of Super or AVG?

The choice is yours as to which one to keep; personally I would keep SUPERAntiSpyware.

Now the best part of the day ----- Your log now appears clean :)

Double click OTMoveIt once again and you should see a CleanUp! button. Press that button. You may get prompted by your firewall that OTMoveIt wants to contact the internet; allow this. A cleanup.txt will be downloaded and a message dialog will ask you if you want to proceed with the cleanup process; click Yes. This will delete all the tools you have downloaded plus itself.



Now to get you off to a good start we will reset your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore point but this is my method:

1. Select Start > All Programs > Accessories > System tools > System Restore.
2. On the dialogue box that appears select Create a Restore Point
3. Click NEXT
4. Enter a name e.g. Clean
5. Click CREATE

You now have a clean restore point, to get rid of the bad ones:

1. Select Start > All Programs > Accessories > System tools > Disk Cleanup.
2. In the Drop down box that appears select your main drive e.g. C
3. Click OK
4. The system will do some calculation and then display a dialogue box with tabs.
5. Select the More Options Tab.
6. At the bottom will be a system restore box with a CLEANUP button click this
7. Accept the Warning and select OK again, the program will close and you are done



Now that you are clean, to help protect your computer in the future I recommend that you get the following free program:
  • SpywareBlaster to help prevent spyware from installing in the first place.
It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?


Keep safe :)
  • 0



#26
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
