Smitfraud C. Koowo and much more

grancher

New member
I've had quite a bit of nasty stuff on this computer for a while now. A Spybot S&D check came up with Smitfraud C. Koowo which referred me to this forum. I have tried fixing stuff with HijackThis, without the help of someone who knew what they were doing. I don't think I hurt anything important, but it didn't really make much difference either. Help would be much appreciated.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:24:20, on 2008-8-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
d:\Program Files\Rising\Rav\CCenter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
D:\PROGRAM FILES\RISING\RAV\ravmond.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
D:\PROGRAM FILES\RISING\RAV\RavStub.exe
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
D:\Program Files\Spyware Doctor\pctsAuxs.exe
D:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
D:\Program Files\Spyware Doctor\pctsTray.exe
D:\PROGRAM FILES\RISING\RAV\RavMon.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Rising\Rav\RavTask.exe
C:\WINDOWS\VM305_STI.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Netscape\Navigator 9\navigator.exe
D:\search.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - D:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - D:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RavTask] "d:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISTray] "D:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [BigDog305] C:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: 服务管理器.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: 使用迅雷下载 - D:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 - D:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到QQ表情 - D:\Program Files\Tencent\QQ\AddEmotion.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 控制台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: 启动迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - D:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: 启动迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - D:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra button: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - E:\电影\PPLive\PPLive.exe
O9 - Extra 'Tools' menuitem: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - E:\电影\PPLive\PPLive.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.cctv.com
O15 - Trusted Zone: *.kdy8.com
O15 - Trusted Zone: *.yahoo.cn
O15 - Trusted Zone: *.yahoo.com
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O16 - DPF: {AC414988-E5BB-4C2C-873B-EA53D2F3D23A} (CCTVUpdateInstall) - http://t.live.cctv.com/ieocx/CCTVUpdateInstall.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8DACBD7-AAF4-4EB3-A3B7-DA5AAA23963D}: NameServer = 221.12.1.228 221.12.65.228
O18 - Protocol: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - D:\PROGRA~1\KuGoo3\InExtend\KUGOO3~1.OCX
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: zsqf.dll
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Information Technology Co., Ltd. - d:\Program Files\Rising\Rav\CCenter.exe
O23 - Service: Rising RealTime Monitor (RsRavMon) - Beijing Rising Information Technology Co., Ltd. - D:\PROGRAM FILES\RISING\RAV\Ravmond.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: wwinsystem - Unknown owner - C:\WINDOWS\system32\tcpip.exe (file missing)

--
End of file - 6448 bytes
 
Hi grancher

We will begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    Remember to re-enable them afterwards.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.


A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.
 
:oops:
Well... It looks like my attempt to install the Recovery Console didn't work. When I dropped WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe onto ComboFix.exe I got several pop-up messages:

I closed the first one without looking at it before I even considered what I was doing. The second one said:
nircmd.com at the top and said something about the DLL C:\WINDOWS\system32\ypcqhhlp.dll and wanted me to put in my Windows CD.
The 3rd, 4th and 5th pop-up messages said ComboFix.exe at the top and repeated the same message.

I probably should have stopped there, but I tried running ComboFix. The first time I got a message saying some files could not be created and instructing me to close all applications and restart Windows; I think I forgot to disable all of my anti-virus software. I got the same pop-up messages: the first one said ComboFix.exe at the top, the 2nd said nircmd.com, and the 3rd, 4th and 5th said ComboFix.exe. After that ComboFix seemed to do what the instructions said it would.
Here are the reports:

ComboFix 08-08-19.02 - Administrator 2008-08-20 23:57:52.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.936.1.2052.18.249 [GMT 8:00]
Running from: C:\Documents and Settings\Administrator\桌面\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\G2Y6ECSC\static.youku.com
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\G2Y6ECSC\static.youku.com\v1.0.0270\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\G2Y6ECSC\static.youku.com\v1.0.0288\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\G2Y6ECSC\static.youku.com\v1.0.0290\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\G2Y6ECSC\static.youku.com\v1.0.0304\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\G2Y6ECSC\www.inter-focus.cn
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\G2Y6ECSC\www.inter-focus.cn\IFFLASHAD_PLAYER.sol
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com\settings.sol
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.inter-focus.cn
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.inter-focus.cn\settings.sol
C:\Documents and Settings\Guest\Favorites\链接
C:\Documents and Settings\马日文\Favorites\链接
C:\WINDOWS\Fonts\fonts.exe
C:\WINDOWS\Fonts\syn00-11-2F-1B-4B-0C\system
C:\WINDOWS\Fonts\syn00-11-2F-1B-4B-0C\system\SYSTEM128.vxd
C:\WINDOWS\RSBDBACKUP.DLL
C:\WINDOWS\system32\bjrvm.cfg
C:\WINDOWS\system32\bootvidgj.nls
C:\WINDOWS\system32\c0866ebe2d.dll
C:\WINDOWS\system32\crugd.cfg
C:\WINDOWS\system32\discard.ini
C:\WINDOWS\system32\drivers\8xqd3.sys
C:\WINDOWS\system32\drivers\r072b.sys
C:\WINDOWS\system32\ektvm.cfg
C:\WINDOWS\system32\fxzxbime.sys
C:\WINDOWS\system32\fzmsbwin.sys
C:\WINDOWS\system32\gpsgajba.sys
C:\WINDOWS\system32\gpzhatde.sys
C:\WINDOWS\system32\havser.ini
C:\WINDOWS\system32\hfjg.cfg
C:\WINDOWS\system32\ijatnaw.cfg
C:\WINDOWS\system32\ijsgajba.sys
C:\WINDOWS\system32\ijzhatde.sys
C:\WINDOWS\system32\kbdswjr.nls
C:\WINDOWS\system32\ladyapaw.sys
C:\WINDOWS\system32\lariytrz.cfg
C:\WINDOWS\system32\mhsha1.dat
C:\WINDOWS\system32\msobjstl.nls
C:\WINDOWS\system32\msosmnsf.dat
C:\WINDOWS\system32\msosping.dat
C:\WINDOWS\system32\oqrthc.cfg
C:\WINDOWS\system32\pzdyapaw.sys
C:\WINDOWS\system32\rnmxajkl.sys
C:\WINDOWS\system32\spmybapi.sys
C:\WINDOWS\system32\sufost.ini
C:\WINDOWS\system32\Update.dat
C:\WINDOWS\system32\url1.exe
C:\WINDOWS\system32\xclf5o.dll
C:\WINDOWS\system32\xgnfn.cfg
C:\WINDOWS\temp\perflib_perfdata_1cc.dat
D:\Personal\Favorites\链接

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FPIDS32
-------\Legacy_HBKERNEL
-------\Legacy_R072B
-------\Legacy_SEICTRL
-------\Service_8xqd3
-------\Service_HBKernel
-------\Service_mnsf
-------\Service_Nessery
-------\Service_r072b
-------\Service_seictrl


(((((((((((((((((((((((((((( Files Created from 2008-07-20 to 2008-08-20 )))))))))))))))))))))))))))))))))
.

2008-08-14 10:58 . 2008-08-14 10:58 <DIR> d--hs---- C:\FOUND.001
2008-08-14 01:23 . 2008-08-14 01:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Netscape
2008-08-14 01:00 . 2008-08-14 01:00 <DIR> d-------- C:\Program Files\Common Files\Thunder Network
2008-08-14 01:00 . 2008-08-19 18:06 26 --a------ C:\WINDOWS\system32\xlhcc.dat
2008-08-14 01:00 . 2008-08-14 01:01 20 --a------ C:\WINDOWS\system32\pub_store.dat
2008-08-13 08:40 . 2008-08-13 08:40 <DIR> d--hs---- C:\FOUND.000
2008-08-10 02:46 . 2008-08-10 02:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Thunder Network
2008-08-10 01:35 . 2008-08-10 01:35 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\safenetdrm
2008-08-10 01:34 . 2008-08-10 01:34 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\CCTV
2008-07-30 15:48 . 2008-06-10 21:22 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-07-30 15:48 . 2008-06-02 15:19 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-07-30 15:48 . 2008-06-02 15:19 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-07-30 15:48 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-07-30 15:47 . 2008-07-30 15:47 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
2008-07-28 09:26 . 2008-07-28 09:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-26 12:20 . 2008-07-26 12:50 24,376 --a------ C:\WINDOWS\system32\QQBox.bmp
2008-07-26 12:19 . 2008-07-26 12:19 108 --a------ C:\emsf.bat
2008-07-24 17:06 . 2008-07-24 17:06 <DIR> d-------- C:\WINDOWS\system32\LogFiles

.
(((((((((((((((((((((((((((((((((((( Files Changed in the Last Three Months )))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-12 04:00 94,208 ----a-w C:\WINDOWS\system32\MSSTKPRP.DLL
2008-11-12 04:00 7,168 ----a-w C:\WINDOWS\system32\MSPRPCHS.DLL
2008-11-12 04:00 40,960 ----a-w C:\WINDOWS\system32\VBAME.DLL
2008-11-12 04:00 36,864 ----a-w C:\WINDOWS\system32\MFC42CHS.DLL
2008-11-12 04:00 204,800 ----a-w C:\WINDOWS\system32\INKED.DLL
2008-11-12 04:00 189,952 ----a-w C:\WINDOWS\system32\WISPTIS.EXE
2008-11-12 04:00 15,872 ----a-w C:\WINDOWS\system32\SCP32.DLL
2008-08-13 09:41 57,837 ----a-w C:\WINDOWS\Tasks\sky.exe
2008-08-13 09:41 115,200 ----a-w C:\WINDOWS\Fonts\winntls.exe
2008-07-28 06:24 237,168 ------w C:\WINDOWS\system32\bsmain.exe
2008-07-28 06:24 10,736 ------w C:\WINDOWS\system32\drivers\RsNTGdi.sys
2008-07-28 06:22 62,576 ------w C:\WINDOWS\system32\drivers\HookNtos.sys
2008-07-28 06:22 38,256 ------w C:\WINDOWS\system32\drivers\HOOKREG.sys
2008-07-28 06:22 13,808 ------w C:\WINDOWS\system32\drivers\HookCont.sys
2008-07-28 06:21 30,704 ------w C:\WINDOWS\system32\drivers\HookHelp.sys
2008-07-28 06:21 164,848 ------w C:\WINDOWS\system32\drivers\HookSys.sys
2008-07-28 06:21 113,264 ------w C:\WINDOWS\system32\RavExt.dll
2008-07-23 05:17 94,720 ----a-w C:\WINDOWS\Fonts\smcw.exe
2008-07-07 20:30 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:30 253,952 ----a-w C:\WINDOWS\system32\dllcache\es.dll
2008-06-24 16:22 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:22 74,240 ----a-w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-24 02:14 3,592,192 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-23 09:19 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-06-23 09:19 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-06-20 17:39 240,640 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:39 240,640 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 15:09 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 13:24 --------- d-----w C:\Documents and Settings\Administrator\Application Data\InstallShield
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 07:22 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 07:22 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-14 17:59 269,824 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2004-08-08 05:15 520 --sh--w C:\WINDOWS\system32\xscqbhlp.sys
2004-08-08 05:15 482,824 --sh--w C:\WINDOWS\system32\ypcqhhlp.dll
2004-08-08 05:28 520 --sh--w C:\WINDOWS\system32\smdsbsrv.sys
.

(((((((((((((((((((((((((((((((((((((((((( Important Registry Entries )))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* Empty or legitimate registry entries are not shown.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:55 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"BigDog305"="C:\WINDOWS\VM305_STI.EXE" [2007-01-05 13:37 61440]
"SoundMan"="SOUNDMAN.EXE" [2006-08-03 05:12 577536 C:\WINDOWS\SOUNDMAN.EXE]

C:\Documents and Settings\All Users\「开始」菜单\程序\启动\
服务管理器.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2007-04-09 00:08:44 69632]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnEixt"= 01000000

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{32CD708B-60A7-4C00-9377-D73EAA495F0F}"= "C:\WINDOWS\system32\RavExt.dll" [2008-07-28 14:21 113264]
"{90AF1289-F140-A140-D012-C1458759FC09}"= "C:\WINDOWS\system32\ypcqhhlp.dll" [2004-08-08 13:15 482824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=zsqf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= C:\WINDOWS\system32\l3codeca.ax

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DrvAnti.exe]
"debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\drwadins.exe]
"debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\drwebscd.exe]
"debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\drwebupw.exe]
"debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavXP.exe]
"debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\spiderml.exe]
"debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\spidernt.exe]
"debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\spiderui.exe]
"debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\spml_set.exe]
"debugger"=ntsd -d

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^「开始」菜单^程序^启动^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\「开始」菜单\程序\启动\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bgswitch]
--a------ 2004-02-22 16:01 19520 C:\WINDOWS\system32\bgswitch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDog305]
--------- 2007-01-05 13:37 61440 C:\WINDOWS\VM305_STI.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMSCMIG40W]
--a------ 2003-12-05 15:39 24576 C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40W\IMSCMIG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-14 00:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:55 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WangWang]
--a------ 2008-04-04 15:07 3772416 D:\Program Files\Alisoft\WangWang\WangWang.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"D:\\Program Files\\Alisoft\\WangWang\\WangWang.exe"=
"D:\\Program Files\\Tencent\\QQ\\QQ.exe"=
"D:\\Program Files\\Tencent\\QQ\\QQUpdateCenter.exe"=
"C:\\Program Files\\PPStream\\PPStream.exe"=
"D:\\Program Files\\KuGoo3\\KuGoo.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"E:\\电影\\PPLive\\PPLive.exe"=
"C:\\Program Files\\Tencent\\QQGAME\\QQGameDl.exe"=
"D:\\Program Files\\Tencent\\QQ\\Qzone\\Qzone.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"D:\\Program Files\\Thunder Network\\Thunder\\Program\\Thunder5.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 RsNTGDI;RsNTGDI;C:\WINDOWS\system32\Drivers\RsNTGdi.sys [2008-07-28 14:24]
R1 HookCont;HookCont;C:\WINDOWS\system32\drivers\HookCont.sys [2008-07-28 14:22]
R1 HookNtos;HookNtos;C:\WINDOWS\system32\drivers\HookNtos.sys [2008-07-28 14:22]
R1 HookReg;HookReg;C:\WINDOWS\system32\drivers\HookReg.sys [2008-07-28 14:22]
R1 HookSys;HookSys;C:\WINDOWS\system32\drivers\HookSys.sys [2008-07-28 14:21]
R2 RsCCenter;Rising Process Communication Center;d:\Program Files\Rising\Rav\CCenter.exe [2008-07-28 14:22]
R3 vvftav;vvftav;C:\WINDOWS\system32\drivers\vvftav.sys [2007-02-02 21:38]
R3 ZSMC0305;USB PC Camera VC305;C:\WINDOWS\system32\Drivers\usbVM305.sys [2007-03-08 19:05]
S0 jg00x8iyjr;jg00x8iyj;C:\WINDOWS\system32\DRIVERS\jg00x8iyjr.sys []
S0 vydhnvzh;vydhnvzh;C:\WINDOWS\system32\drivers\vydhnvzh.sys []
S0 wdtsr;wdts;C:\WINDOWS\system32\drivers\wdtsr.sys []
S0 z7xq6c1ddy;z7xq6c1dd;C:\WINDOWS\system32\DRIVERS\z7xq6c1ddy.sys []
S2 RsRavMon;Rising RealTime Monitor;D:\PROGRAM FILES\RISING\RAV\Ravmond.exe [2008-07-28 14:21]
S2 wwinsystem;wwinsystem;C:\WINDOWS\system32\tcpip.exe []
S3 awrjd;awrjd;D:\Personal\Temp\_tmp.bat []
S3 ayzpqa;ayzpqa;C:\WINDOWS\system32\drivers\ayzpqa.sys []
S3 cabyopr;cabyopr;C:\WINDOWS\system32\drivers\cabyopr.sys []
S3 npkycryp;npkycryp;D:\Program Files\Tencent\QQ\npkycryp.sys []
S3 pabzaxy;pabzaxy;C:\WINDOWS\system32\drivers\pabzaxy.sys []
S3 qprbzqx;qprbzqx;C:\WINDOWS\system32\drivers\qprbzqx.sys []
S3 qrabpqx;qrabpqx;C:\WINDOWS\system32\drivers\qrabpqx.sys []
S3 TSKSP;TSKSP;D:\Program Files\Tencent\QQDoctor\TSKSP.sys [2008-06-06 17:10]
S3 xyzqcbo;xyzqcbo;C:\WINDOWS\system32\drivers\xyzqcbo.sys []
S3 zpqaxb;zpqaxb;C:\WINDOWS\system32\drivers\zpqaxb.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7e113631-ea94-11da-a379-806d6172696f}]
\Shell\AutoRun\command - I:\AUTORUN.EXE
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-ctfmon.exe - C:\WINDOWS\system32\ctfmon.exe
HKU-Default-Run-ctfmon.exe - C:\WINDOWS\system32\CTFMON.EXE
ShellExecuteHooks-{5ac6d3c3-f564-407e-9c4b-ce4b6cd3f9ac} - C:\WINDOWS\system32\ttQACQAC1032.dll
ShellExecuteHooks-{C629FF4F-ACDB-5C90-A098-FACB3456A26C} - C:\WINDOWS\system32\hdf453d1.dll
ShellExecuteHooks-{8FD45A54-9875-698F-E56E-65102358FDF8} - C:\WINDOWS\system32\apsghjba.dll
MSConfigStartUp-ctfmon - C:\WINDOWS\system32\ctfmon.exe
MSConfigStartUp-TkBellExe - C:\Program Files\Common Files\Real\Update_OB\realsched.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gg9aw1lj.default\
.
.
------- File Associations (Beta) -------
.
chm.file="hh.exe" %1
txtfile=C:\WINDOWS\notepad.exe %1
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-21 00:04:19
Windows 5.1.2600 Service Pack 2 FAT NTAPI

Scanning hidden programs ...

Scanning hidden processes ...

Scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\awrjd]
"ImagePath"="\??\D:\Personal\Temp\_tmp.bat"
.





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:12, on 2008-08-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
d:\Program Files\Rising\Rav\CCenter.exe
C:\WINDOWS\System32\svchost.exe
D:\PROGRAM FILES\RISING\RAV\ravmond.exe
C:\WINDOWS\system32\spoolsv.exe
D:\PROGRAM FILES\RISING\RAV\RavStub.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\VM305_STI.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\search.exe

O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - D:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - D:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BigDog305] C:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: 服务管理器.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: 使用迅雷下载 - D:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 - D:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到QQ表情 - D:\Program Files\Tencent\QQ\AddEmotion.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 控制台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: 启动迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - D:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: 启动迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - D:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra button: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - E:\电影\PPLive\PPLive.exe
O9 - Extra 'Tools' menuitem: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - E:\电影\PPLive\PPLive.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.cctv.com
O15 - Trusted Zone: *.kdy8.com
O15 - Trusted Zone: *.yahoo.cn
O15 - Trusted Zone: *.yahoo.com
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O16 - DPF: {AC414988-E5BB-4C2C-873B-EA53D2F3D23A} (CCTVUpdateInstall) - http://t.live.cctv.com/ieocx/CCTVUpdateInstall.dll
O18 - Protocol: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - D:\PROGRA~1\KuGoo3\InExtend\KUGOO3~1.OCX
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Information Technology Co., Ltd. - d:\Program Files\Rising\Rav\CCenter.exe
O23 - Service: Rising RealTime Monitor (RsRavMon) - Beijing Rising Information Technology Co., Ltd. - D:\PROGRAM FILES\RISING\RAV\Ravmond.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: wwinsystem - Unknown owner - C:\WINDOWS\system32\tcpip.exe (file missing)

--
End of file - 5674 bytes
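The two logs above show a small, recurring set of tricks: an AppInit_DLLs entry (zsqf.dll), a service whose binary is gone (wwinsystem -> tcpip.exe), Image File Execution Options "debugger"=ntsd -d entries on antivirus executables (RavXP.exe, the Dr.Web spider*.exe and drweb*.exe files), a hidden+system ypcqhhlp.dll registered as a ShellExecuteHook next to the legitimate RavExt.dll, drivers ComboFix could not stat (the "[]" entries, one of them a .bat in a Temp folder), and executables dropped in C:\WINDOWS\Tasks and C:\WINDOWS\Fonts. The script below is an added example for this thread, not part of HijackThis, ComboFix or the original posts: it parses a pasted log excerpt (constructed here from lines quoted above) and flags those patterns. The rule names, the "odd folder" list and the script extensions it checks are this example's own choices.

```python
"""Triage a pasted HijackThis / ComboFix log for the autostart and
AV-disabling tricks visible in this thread.

Added example for this thread; not part of HijackThis, ComboFix or the
original posts. SAMPLE_LOG is constructed from lines quoted in the thread.
Rule names, ODD_FOLDERS and the script extensions are this example's choices.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
O20 - AppInit_DLLs: zsqf.dll
O23 - Service: wwinsystem - Unknown owner - C:\WINDOWS\system32\tcpip.exe (file missing)
O23 - Service: Rising RealTime Monitor (RsRavMon) - Beijing Rising Information Technology Co., Ltd. - D:\PROGRAM FILES\RISING\RAV\Ravmond.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavXP.exe]
"debugger"=ntsd -d
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\drwebscd.exe]
"debugger"=ntsd -d
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{32CD708B-60A7-4C00-9377-D73EAA495F0F}"= "C:\WINDOWS\system32\RavExt.dll" [2008-07-28 14:21 113264]
"{90AF1289-F140-A140-D012-C1458759FC09}"= "C:\WINDOWS\system32\ypcqhhlp.dll" [2004-08-08 13:15 482824]
R0 RsNTGDI;RsNTGDI;C:\WINDOWS\system32\Drivers\RsNTGdi.sys [2008-07-28 14:24]
S0 jg00x8iyjr;jg00x8iyj;C:\WINDOWS\system32\DRIVERS\jg00x8iyjr.sys []
S2 wwinsystem;wwinsystem;C:\WINDOWS\system32\tcpip.exe []
S3 awrjd;awrjd;D:\Personal\Temp\_tmp.bat []
2008-08-13 09:41 57,837 ----a-w C:\WINDOWS\Tasks\sky.exe
2004-08-08 05:15 482,824 --sh--w C:\WINDOWS\system32\ypcqhhlp.dll
2008-07-07 20:30 253,952 ----a-w C:\WINDOWS\system32\es.dll
"""

# Registry key header of an IFEO entry; group 1 is the hijacked image name.
IFEO_KEY = re.compile(r"image file execution options\\([^\]]+)\]", re.I)
# ComboFix driver/service line: "S3 name;display;path [timestamp]".
SERVICE_LINE = re.compile(r"^([RS][0-4]) (\S+?);([^;]*);(.+?) \[(.*)\]$")
# ComboFix "files changed" line: "date time size attrs path".
FILE_LINE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d [\d,]+ (\S{7}) (.+)$")
EXEC_EXT = (".exe", ".bat", ".cmd", ".com", ".scr", ".pif")
ODD_FOLDERS = ("\\tasks\\", "\\fonts\\", "\\temp\\")  # example's own list


@dataclass
class Finding:
    rule: str
    line: str


def triage(log: str) -> list[Finding]:
    findings: list[Finding] = []
    ifeo_image = None       # image named by the most recent IFEO key header
    in_shell_hooks = False  # currently inside the ShellExecuteHooks key
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):  # registry key header: reset key context
            m = IFEO_KEY.search(line)
            ifeo_image = m.group(1) if m else None
            in_shell_hooks = "shellexecutehooks" in line.lower()
            continue
        low = line.lower()
        if ifeo_image and low.startswith('"debugger"='):
            # Windows starts the IFEO "debugger" in place of the image; with
            # "ntsd -d" the antivirus binary effectively never launches.
            findings.append(Finding(f"ifeo_debugger:{ifeo_image}", line))
        elif in_shell_hooks and line.startswith('"{'):
            # ShellExecuteHook DLLs are loaded into Explorer for every launch.
            findings.append(Finding("shell_execute_hook", line))
        elif low.startswith("o20 - appinit_dlls:") or low.startswith('"appinit_dlls"='):
            # AppInit_DLLs is injected into every process that loads user32.dll.
            if re.split(r"[:=]", line, maxsplit=1)[1].strip():
                findings.append(Finding("appinit_dll", line))
        elif low.startswith("o23 - service:") and "(file missing)" in low:
            findings.append(Finding("service_file_missing", line))
        elif (m := SERVICE_LINE.match(line)):
            start, path, stamp = m.group(1), m.group(4), m.group(5)
            if not stamp:
                # ComboFix prints [] when it cannot stat the image: the file is
                # gone, hidden by a rootkit, or points somewhere it should not.
                findings.append(Finding(f"driver_no_image:{start}", line))
            if path.lower().endswith((".bat", ".cmd", ".vbs")):
                findings.append(Finding(f"service_runs_script:{start}", line))
        elif (m := FILE_LINE.match(line)):
            attrs, path = m.group(1), m.group(2)
            lp = path.lower()
            if "s" in attrs and "h" in attrs and lp.endswith((".dll", ".sys", ".exe")):
                # hidden+system binary (here with a back-dated 2004 timestamp)
                findings.append(Finding("hidden_system_binary", line))
            elif lp.endswith(EXEC_EXT) and any(f in lp for f in ODD_FOLDERS):
                findings.append(Finding("exe_in_odd_folder", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings by rule family (the part before any ':' qualifier)."""
    counts: dict[str, int] = {}
    for f in findings:
        family = f.rule.split(":", 1)[0]
        counts[family] = counts.get(family, 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"{f.rule:32} {f.line}")
    print(summarize(hits))
```

Run against the excerpt it reports twelve findings; the IFEO hits name the exact antivirus images being blocked, and the "[]" driver entries surface the same wwinsystem/tcpip.exe pair that HijackThis lists as "(file missing)". The RavExt.dll hook is reported too: the script flags every ShellExecuteHook, and it is the reviewer who decides, from vendor and timestamp, that the Rising one is legitimate and ypcqhhlp.dll is not.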
 
Please click this link --> Jotti

Copy/paste the first file on the list into the white "Upload a file" box and click Submit/Send (depending on whether you are using Jotti or VirusTotal).

C:\WINDOWS\Tasks\sky.exe
C:\WINDOWS\Fonts\winntls.exe
C:\WINDOWS\Fonts\smcw.exe


Repeat steps for all files on the list.

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/
 
File: sky.exe
Status:
INFECTED/MALWARE
MD5: 2a58458e81228b6bc717afdbccab0258
Packers detected:
FSG
Scanner results
Scan taken on 21 Aug 2008 02:05:34 (GMT)
A-Squared
Found nothing
AntiVir
Found TR/Small.BQL
ArcaVir
Found nothing
Avast
Found Win32:AutoRun-NI
AVG Antivirus
Found nothing
BitDefender
Found Generic.Malware.SYBd.BB17D840 (probable variant)
ClamAV
Found Trojan.Small-3632
CPsecure
Found nothing
Dr.Web
Found Win32.HLLW.Autoruner.579
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found probably a variant of Win32/TrojanDownloader.VB.NPP (probable variant)
Norman Virus Control
Found Suspicious_F.gen
Panda Antivirus
Found nothing
Sophos Antivirus
Found Mal/TibsPk-A
VirusBuster
Found nothing
VBA32
Found Embedded.Trojan-Spy.Win32.Agent.ccb (probable variant)


File: winntls.exe
Status:
INFECTED/MALWARE
MD5: 1054a473f60f3906216a71370a0f2ca4
Packers detected:
-
Scanner results
Scan taken on 21 Aug 2008 02:11:34 (GMT)
A-Squared
Found nothing
AntiVir
Found TR/Small.BQL
ArcaVir
Found nothing
Avast
Found Win32:AutoRun-NI
AVG Antivirus
Found Dropper.Generic.OPH
BitDefender
Found Virtool.11364
ClamAV
Found Trojan.Small-3632
CPsecure
Found RiskTool.W32.HideProc.C
Dr.Web
Found Win32.HLLW.Autoruner.579
F-Prot Antivirus
Found W32/HackTool.CTH
F-Secure Anti-Virus
Found Trojan.Win32.Inject.ffb
Fortinet
Found W32/QHost.O!tr (probable variant)
Ikarus
Found not-a-virus:RiskTool.Win32.HideProc.c
Kaspersky Anti-Virus
Found Trojan.Win32.Inject.ffb
NOD32
Found Win32/HideProc.D application
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found Troj/Qhost-O
VirusBuster
Found nothing
VBA32
Found Trojan-Downloader.Win32.Small.ybu


File: smcw.exe
Status:
INFECTED/MALWARE
MD5: e7231c04cbbe6786088c47ca4f06dee7
Packers detected:
-
Scanner results
Scan taken on 21 Aug 2008 02:13:49 (GMT)
A-Squared
Found nothing
AntiVir
Found TR/Small.BQL
ArcaVir
Found nothing
Avast
Found Win32:AutoRun-NI
AVG Antivirus
Found Dropper.Generic.OPH
BitDefender
Found Virtool.11866
ClamAV
Found Trojan.Small-3632
CPsecure
Found RiskTool.W32.HideProc.C
Dr.Web
Found Win32.HLLW.Autoruner.579
F-Prot Antivirus
Found W32/HackTool.CTH
F-Secure Anti-Virus
Found nothing
Fortinet
Found W32/QHost.O!tr (probable variant)
Ikarus
Found not-a-virus:RiskTool.Win32.HideProc.c
Kaspersky Anti-Virus
Found nothing
NOD32
Found Win32/HideProc.D application
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found Troj/Qhost-O
VirusBuster
Found nothing
VBA32
Found Trojan-Downloader.Win32.Small.ybu
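The three reports above follow one layout: a short header (file name, status, MD5, packers, scan time) and then one engine name per line followed by its "Found ..." verdict. The Python below is an added example of a parser for that layout that turns a report into a detection ratio and a per-engine verdict table; it is not part of the thread and not Jotti's code. SAMPLE_REPORT is an excerpt of the sky.exe report above (seven of the twenty engines); the class and function names, and the handling of the "(probable variant)" and "probably a variant of" hedges, are this example's own assumptions.

```python
"""Parser for a Jotti-style multi-engine scan report, as pasted above.

Added example; not part of the thread and not Jotti's own code.
SAMPLE_REPORT is an excerpt of the sky.exe report (7 of 20 engines).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

HEX32 = re.compile(r"^[0-9a-f]{32}$")
PROBABLE_SUFFIX = " (probable variant)"
PROBABLE_PREFIX = "probably a variant of "

SAMPLE_REPORT = """
File: sky.exe
Status:
INFECTED/MALWARE
MD5: 2a58458e81228b6bc717afdbccab0258
Packers detected:
FSG
Scanner results
Scan taken on 21 Aug 2008 02:05:34 (GMT)
A-Squared
Found nothing
AntiVir
Found TR/Small.BQL
Avast
Found Win32:AutoRun-NI
BitDefender
Found Generic.Malware.SYBd.BB17D840 (probable variant)
ClamAV
Found Trojan.Small-3632
Kaspersky Anti-Virus
Found nothing
NOD32
Found probably a variant of Win32/TrojanDownloader.VB.NPP (probable variant)
"""


@dataclass
class ScanReport:
    filename: str
    status: str
    md5: str
    packers: List[str]
    scanned_at: str
    verdicts: Dict[str, Optional[str]]      # engine -> name; None = "Found nothing"
    probable: Set[str] = field(default_factory=set)  # engines that hedged their verdict

    @property
    def detections(self) -> Dict[str, str]:
        return {e: n for e, n in self.verdicts.items() if n is not None}

    @property
    def ratio(self) -> str:
        return f"{len(self.detections)}/{len(self.verdicts)}"


def parse_jotti(text: str) -> ScanReport:
    """Parse one report; raises ValueError on a malformed MD5 or missing header."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    hdr = {"packers": []}
    verdicts: Dict[str, Optional[str]] = {}
    probable: Set[str] = set()
    in_results = False
    i = 0
    while i < len(lines):
        ln = lines[i]
        if ln.startswith("File: "):
            hdr["filename"] = ln[len("File: "):]
        elif ln == "Status:":                 # value is on the following line
            hdr["status"] = lines[i + 1]; i += 1
        elif ln.startswith("MD5: "):
            md5 = ln[len("MD5: "):].lower()
            if not HEX32.match(md5):
                raise ValueError(f"malformed MD5: {md5!r}")
            hdr["md5"] = md5
        elif ln == "Packers detected:":       # "-" means no packer found
            pk = lines[i + 1]; i += 1
            hdr["packers"] = [] if pk == "-" else [p.strip() for p in pk.split(",")]
        elif ln == "Scanner results":
            in_results = True
        elif ln.startswith("Scan taken on "):
            hdr["scanned_at"] = ln[len("Scan taken on "):]
        elif in_results:                      # engine name, then its "Found ..." line
            if i + 1 >= len(lines) or not lines[i + 1].startswith("Found "):
                raise ValueError(f"engine {ln!r} has no 'Found ...' line")
            name = lines[i + 1][len("Found "):]; i += 1
            if name == "nothing":
                verdicts[ln] = None
            else:
                if name.endswith(PROBABLE_SUFFIX):
                    name = name[:-len(PROBABLE_SUFFIX)]; probable.add(ln)
                if name.startswith(PROBABLE_PREFIX):
                    name = name[len(PROBABLE_PREFIX):]; probable.add(ln)
                verdicts[ln] = name
        i += 1
    missing = {"filename", "status", "md5", "scanned_at"} - hdr.keys()
    if missing:
        raise ValueError(f"report lacks header fields: {sorted(missing)}")
    return ScanReport(hdr["filename"], hdr["status"], hdr["md5"], hdr["packers"],
                      hdr["scanned_at"], verdicts, probable)


if __name__ == "__main__":
    r = parse_jotti(SAMPLE_REPORT)
    print(r.filename, r.md5, r.ratio, sorted(r.detections.values()))
```

The MD5 is validated because it is the value that lets a later reader tie these verdicts to the sample that was actually uploaded; the hedged verdicts are kept separately so that a "5/7" ratio can be read alongside how many of those engines were guessing.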
 
Yes, all are bad and we need samples:

Download suspicious file packer from here

Unzip it to the desktop, open it & paste in the list of files below, press Next & it will create an archive (zip/cab file) on the desktop.

C:\WINDOWS\Tasks\sky.exe
C:\WINDOWS\Fonts\winntls.exe
C:\WINDOWS\Fonts\smcw.exe

Go to spykiller

Press New Topic, make the thread's title "Files for Shaba".
Include in your message a link to here, then attach the cab/zip file to your message and post the topic.
If you can't locate it through the Browse button, just copy/paste the filename and path.

After that, reply here and we'll continue :)
 
Thank you :)

Open notepad and copy/paste the text in the codebox below into it:

Code:
File::
C:\WINDOWS\Tasks\sky.exe
C:\WINDOWS\Fonts\winntls.exe
C:\WINDOWS\Fonts\smcw.exe
C:\WINDOWS\system32\drivers\xyzqcbo.sys
C:\WINDOWS\system32\drivers\zpqaxb.sys
C:\WINDOWS\system32\drivers\pabzaxy.sys
C:\WINDOWS\system32\drivers\qprbzqx.sys 
C:\WINDOWS\system32\drivers\qrabpqx.sys
C:\WINDOWS\system32\DRIVERS\jg00x8iyjr.sys 
C:\WINDOWS\system32\drivers\vydhnvzh.sys
C:\WINDOWS\system32\drivers\wdtsr.sys 
C:\WINDOWS\system32\DRIVERS\z7xq6c1ddy.sys 
D:\Personal\Temp\_tmp.bat 
C:\WINDOWS\system32\drivers\ayzpqa.sys 
C:\WINDOWS\system32\drivers\cabyopr.sys 

Driver::
jg00x8iyjr
vydhnvzh
wdtsr
z7xq6c1ddy
wwinsystem
awrjd;
ayzpqa
cabyopr
pabzaxy
qprbzqx
qrabpqx
xyzqcbo
zpqaxb

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif


This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more than 20 minutes, including the reboot, if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes of findstr, find, sed or swreg; then Combofix should continue.
If that happened we want to know, and also which process you had to end.
 
When I tried to drop CFScript.txt into Combofix I got the same five error messages I got when I tried to drop Windows Restore into Combofix; after the error messages nothing happened, Combofix did not start.

I have also been unable to use ctrl. alt. del. for quite some time. So I'm not sure I would be able to end any processes that might be interfering with anything.

The error messages:

1st: The title heading said: Combofix.exe
In the content area it said something about DLL C:\WINDOWS\system32\ypcqhhlp.dll and wanted me to put in my Windows CD.

2nd: nircmd.com in the title heading
In the content area it said something about DLL C:\WINDOWS\system32\ypcqhhlp.dll and wanted me to put in my Windows CD.

The 3rd, 4th and 5th error messages said ComboFix.exe in the title heading and repeated the same message.
 
Then we use this:

Download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program.
    • In the Files Created Within group click 30 days
    • In the Files Modified Within group select 30 days
    • In the File String Search group select Non-Microsoft
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in.
 
Code:
OTScanIt logfile created on: 2008-08-23 00:48:16
OTScanIt by OldTimer - Version 1.0.16.2     Folder = C:\Documents and Settings\Administrator\桌面\OTScanIt
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000804 | Country: 中国 | Language: CHS | Date Format: yyyy-MM-dd
 
510.73 Mb Total Physical Memory | 311.43 Mb Available Physical Memory | 60.98% Memory free
1.59 Gb Paging File | 1.09 Gb Available in Paging File | 68.10% Paging File free
Paging file location(s): C:\pagefile.sys 1152 2304;
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 8.03 Gb Total Space | 1.47 Gb Free Space | 18.26% Space Free | Partition Type: FAT32
Drive D: | 24.19 Gb Total Space | 16.82 Gb Free Space | 69.54% Space Free | Partition Type: FAT32
Drive E: | 24.19 Gb Total Space | 22.79 Gb Free Space | 94.20% Space Free | Partition Type: FAT32
Drive F: | 18.08 Gb Total Space | 3.97 Gb Free Space | 21.95% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HTTP-A25E8A1211
Current User Name: Administrator
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user

[Processes - Non-Microsoft Only]
ccenter.exe -> d:\Program Files\Rising\Rav\CCenter.exe -> Beijing Rising Information Technology Co., Ltd. [Ver = 20.0.0.33 | Size = 162416 bytes | Modified Date = 2008-07-28 14:22:52 | Attr =    ]
ravmond.exe -> D:\PROGRAM FILES\RISING\RAV\ravmond.exe -> Beijing Rising Information Technology Co., Ltd. [Ver = 20.0.0.80 | Size = 395888 bytes | Modified Date = 2008-07-28 14:21:48 | Attr =    ]
ravstub.exe -> D:\PROGRAM FILES\RISING\RAV\RavStub.exe -> Beijing Rising Information Technology Co., Ltd. [Ver = 20.0.0.10 | Size = 133744 bytes | Modified Date = 2008-07-28 14:21:48 | Attr =    ]
pctsauxs.exe -> D:\Program Files\Spyware Doctor\pctsAuxs.exe -> PC Tools [Ver = 6, 0, 0, 3 | Size = 356920 bytes | Modified Date = 2008-06-13 15:29:14 | Attr =    ]
pctssvc.exe -> D:\Program Files\Spyware Doctor\pctsSvc.exe -> PC Tools [Ver = 6.0.0.16 | Size = 1073544 bytes | Modified Date = 2008-08-10 00:24:52 | Attr =    ]
soundman.exe -> %SystemRoot%\SOUNDMAN.EXE -> Realtek Semiconductor Corp. [Ver = 5, 1, 0, 56 | Size = 577536 bytes | Modified Date = 2006-08-03 05:12:36 | Attr =    ]
vm305_sti.exe -> %SystemRoot%\VM305_STI.EXE -> Vimicro [Ver = 4, 3, 625, 61 | Size = 61440 bytes | Modified Date = 2007-01-05 13:37:00 | Attr =    ]
pctstray.exe -> D:\Program Files\Spyware Doctor\pctsTray.exe -> PC Tools [Ver = 6.0.0.10 | Size = 1166216 bytes | Modified Date = 2008-07-16 09:16:20 | Attr =    ]
ravmon.exe -> D:\PROGRAM FILES\RISING\RAV\RavMon.exe -> Beijing Rising Information Technology Co., Ltd. [Ver = 20.0.01.24 | Size = 424560 bytes | Modified Date = 2008-07-28 14:21:48 | Attr =    ]
navigator.exe -> %ProgramFiles%\Netscape\Navigator 9\navigator.exe -> Netscape [Ver = Personal | Size = 8253440 bytes | Modified Date = 2008-02-20 01:16:58 | Attr =    ]
otscanit.exe -> %UserProfile%\桌面\OTScanIt\OTScanIt.exe -> OldTimer Tools [Ver = 1.0.16.2 | Size = 397312 bytes | Modified Date = 2008-07-12 09:29:54 | Attr =    ]

[Win32 Services - Non-Microsoft Only]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %SystemRoot%\System32\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 223744 bytes | Modified Date = 2006-05-23 11:10:36 | Attr =    ]
(RsCCenter) Rising Process Communication Center [Win32_Own | Auto | Running] -> d:\Program Files\Rising\Rav\CCenter.exe -> Beijing Rising Information Technology Co., Ltd. [Ver = 20.0.0.33 | Size = 162416 bytes | Modified Date = 2008-07-28 14:22:52 | Attr =    ]
(RsRavMon) Rising RealTime Monitor [Win32_Own | Auto | Stopped] -> D:\PROGRAM FILES\RISING\RAV\Ravmond.exe -> Beijing Rising Information Technology Co., Ltd. [Ver = 20.0.0.80 | Size = 395888 bytes | Modified Date = 2008-07-28 14:21:48 | Attr =    ]
(sdAuxService) PC Tools Auxiliary Service [Win32_Own | Auto | Running] -> D:\Program Files\Spyware Doctor\pctsAuxs.exe -> PC Tools [Ver = 6, 0, 0, 3 | Size = 356920 bytes | Modified Date = 2008-06-13 15:29:14 | Attr =    ]
(sdCoreService) PC Tools Security Service [Win32_Own | Auto | Running] -> D:\Program Files\Spyware Doctor\pctsSvc.exe -> PC Tools [Ver = 6.0.0.16 | Size = 1073544 bytes | Modified Date = 2008-08-10 00:24:52 | Attr =    ]
(wwinsystem) wwinsystem [Win32_Own | Auto | Stopped] -> %SystemRoot%\system32\tcpip.exe -> File not found

[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
Adobe Reader Speed Launcher -> %ProgramFiles%\Adobe\Reader 8.0\Reader\Reader_sl.exe ["C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"] -> Adobe Systems Incorporated [Ver = 8.0.0.0 | Size = 39792 bytes | Modified Date = 2008-01-11 22:16:38 | Attr =    ]
BigDog305 -> %SystemRoot%\VM305_STI.EXE [C:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)] -> Vimicro [Ver = 4, 3, 625, 61 | Size = 61440 bytes | Modified Date = 2007-01-05 13:37:00 | Attr =    ]
ISTray -> D:\Program Files\Spyware Doctor\pctsTray.exe ["D:\Program Files\Spyware Doctor\pctsTray.exe"] -> PC Tools [Ver = 6.0.0.10 | Size = 1166216 bytes | Modified Date = 2008-07-16 09:16:20 | Attr =    ]
SoundMan -> %SystemRoot%\SOUNDMAN.EXE [SOUNDMAN.EXE] -> Realtek Semiconductor Corp. [Ver = 5, 1, 0, 56 | Size = 577536 bytes | Modified Date = 2006-08-03 05:12:36 | Attr =    ]
< OptionalComponents [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ -> 
IMAIL-> Installed = 1 -> 
MAPI-> Installed = 1 -> 
MSFS-> Installed = 1 -> 
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
ctfmon.exe -> %SystemRoot%\system32\ctfmon.exe [C:\WINDOWS\system32\ctfmon.exe] -> File not found
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks -> 
{32CD708B-60A7-4C00-9377-D73EAA495F0F} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\RavExt.dll [Rising Execute File Exts hook] -> Beijing Rising Information Technology Co., Ltd. [Ver = 20.0.0.18 | Size = 113264 bytes | Modified Date = 2008-07-28 14:21:42 | Attr =    ]
{5ac6d3c3-f564-407e-9c4b-ce4b6cd3f9ac} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\ttQACQAC1032.dll [ttQACQAC1032.dll] -> File not found
{8FD45A54-9875-698F-E56E-65102358FDF8} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\apsghjba.dll [apsghjba.dll] -> File not found
{90AF1289-F140-A140-D012-C1458759FC09} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\ypcqhhlp.dll [ypcqhhlp.dll] ->  [Ver =  | Size = 482824 bytes | Modified Date = 2004-08-08 13:15:58 | Attr =  HS]
{C629FF4F-ACDB-5C90-A098-FACB3456A26C} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\hdf453d1.dll [hdf453d1.dll] -> File not found
< SecurityProviders [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders -> 
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell -> 
Explorer.exe -> %SystemRoot%\Explorer.exe -> Microsoft Corporation [Ver = 6.00.2900.3156 (xpsp_sp2_qfe.070613-1311) | Size = 977920 bytes | Modified Date = 2007-06-13 21:10:16 | Attr =    ]
*MultiFile Done* -> -> 
*UserInit* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit -> 
C:\WINDOWS\system32\userinit.exe -> %SystemRoot%\system32\userinit.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 23552 bytes | Modified Date = 2006-05-23 11:10:36 | Attr =    ]
*MultiFile Done* -> -> 
*UIHost* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UIHost -> 
logonui.exe -> %SystemRoot%\system32\logonui.exe -> Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 513024 bytes | Modified Date = 2006-05-23 11:10:36 | Attr =    ]
*MultiFile Done* -> -> 
*VMApplet* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet -> 
rundll32 shell32 -> %SystemRoot%\System32\shell32.dll -> Microsoft Corporation [Ver = 6.00.2900.3241 (xpsp_sp2_qfe.071025-1245) | Size = 8317952 bytes | Modified Date = 2007-10-26 00:43:28 | Attr =    ]
Control_RunDLL "sysdm.cpl" -> %SystemRoot%\system32\sysdm.cpl -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 283648 bytes | Modified Date = 2006-05-23 11:10:36 | Attr =    ]
*MultiFile Done* -> -> 
< Winlogon settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
< CurrentVersion Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoLowDiskSpaceChecks -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveAutoRun -> 67108863 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 255 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDrives -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\DisableRegistryTools -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\HideLegacyLogonScripts -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\HideLogoffScripts -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\RunLogonScriptSync -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\RunStartupScriptSync -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\HideStartupScripts -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WindowsUpdate\ -> -> 
< CurrentVersion Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDrives -> 0 -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\HideLegacyLogonScripts -> 0 -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\HideLogoffScripts -> 0 -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\RunLogonScriptSync -> 1 -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\RunStartupScriptSync -> 0 -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\HideStartupScripts -> 0 -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools -> 0 -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WindowsUpdate\ -> -> 
< CDROM Autorun Settings > [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom] -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\ -> ->
*DependOnGroup* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\DependOnGroup -> 
SCSI miniport ->  -> File not found
*MultiFile Done* -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\ErrorControl -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Group -> SCSI CDROM Class -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Start -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Tag -> 2 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Type -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\DisplayName -> CD-ROM Driver -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\ImagePath -> %SystemRoot%\system32\DRIVERS\cdrom.sys [system32\DRIVERS\cdrom.sys] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 49536 bytes | Modified Date = 2006-05-23 11:10:36 | Attr =    ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRun -> 1 -> 
*AutoRunAlwaysDisable* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRunAlwaysDisable -> 
NEC     MBR-7    ->  -> File not found
NEC     MBR-7.4  ->  -> File not found
PIONEER CHANGR DRM-1804X ->  -> File not found
PIONEER CD-ROM DRM-6324X ->  -> File not found
PIONEER CD-ROM DRM-624X  ->  -> File not found
TORiSAN CD-ROM CDR_C36 ->  -> File not found
*MultiFile Done* -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\\0 -> IDE\CdRomTSSTcorp_DVD-ROM_TS-H352A_______________TS01____\5&234b4860&0&0.0.0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\\Count -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\\NextInstance -> 1 -> 
< Drives - Autoruns > ->  -> 
AUTOEXEC.BAT [] -> %SystemDrive%\AUTOEXEC.BAT [ FAT32 ] ->  [Ver =  | Size = 0 bytes | Modified Date = 2006-05-23 20:06:42 | Attr = RHS]
< HOSTS File > (260077 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts -> 
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> -> 
HKEY_LOCAL_MACHINE\: Main\\Default_Page_URL -> http://go.microsoft.com/fwlink/?LinkId=69157 -> 
HKEY_LOCAL_MACHINE\: Main\\Default_Search_URL -> http://go.microsoft.com/fwlink/?LinkId=54896 -> 
HKEY_LOCAL_MACHINE\: Main\\Local Page -> %SystemRoot%\system32\blank.htm -> 
HKEY_LOCAL_MACHINE\: Main\\Search Page -> http://go.microsoft.com/fwlink/?LinkId=54896 -> 
HKEY_LOCAL_MACHINE\: Main\\Start Page -> http://go.microsoft.com/fwlink/?LinkId=69157 -> 
HKEY_LOCAL_MACHINE\: Search\\CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm -> 
HKEY_LOCAL_MACHINE\: Search\\Default_Search_URL -> http://www.google.com/ie -> 
HKEY_LOCAL_MACHINE\: Search\\SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm -> 
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> -> 
HKEY_CURRENT_USER\: Main\\Local Page -> C:\WINDOWS\system32\blank.htm -> 
HKEY_CURRENT_USER\: Main\\Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKEY_CURRENT_USER\: Main\\Start Page -> about:blank -> 
HKEY_CURRENT_USER\: SearchURL\\ -> http://www.google.com/search?q=%s[Reg Error: Value provider does not exist or could not be read.] -> 
HKEY_CURRENT_USER\: ProxyEnable -> 0 -> 
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 4771 domain(s) found. -> 
45 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 77 range(s) found. -> 
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 7085 domain(s) found. -> 
cctv.com .[*] -> 可信站点 -> 
kdy8.com .[*] -> 可信站点 -> 
yahoo.cn .[*] -> 可信站点 -> 
yahoo.com .[*] -> 可信站点 -> 
51 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 77 range(s) found. -> 
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ -> 
{01443AEC-0FD1-40fd-9C87-E93D1494C233} [HKEY_LOCAL_MACHINE] -> D:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll [ThunderAtOnce Class] -> Thunder Networking Technologies,LTD [Ver = 1.0.5.29 | Size = 177616 bytes | Modified Date = 2008-06-13 09:43:58 | Attr =    ]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKEY_LOCAL_MACHINE] -> %CommonProgramFiles%\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 8.0.0.2006102200 | Size = 62080 bytes | Modified Date = 2006-10-22 23:08:42 | Attr =    ]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_03\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 501136 bytes | Modified Date = 2007-09-25 01:11:34 | Attr =    ]
{889D2FEB-5411-4565-8998-1DD2C5261283} [HKEY_LOCAL_MACHINE] -> D:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll [Thunder Browser Helper] -> Thunder Networking Technologies,LTD [Ver = 5, 0, 8, 96 | Size = 198096 bytes | Modified Date = 2008-06-13 09:43:58 | Attr =    ]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ -> 
ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ -> 
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_03\bin\npjpi160_03.dll [Sun Java 控制台] -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 132496 bytes | Modified Date = 2007-09-25 01:11:34 | Attr =    ]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} [HKEY_CURRENT_USER] -> %ProgramFiles%\Java\jre1.6.0_03\bin\ssv.dll [Sun Java 控制台] -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 501136 bytes | Modified Date = 2007-09-25 01:11:34 | Attr =    ]
{09BA8F6D-CB54-424B-839C-C2A6C8E6B436}:Exec -> D:\Program Files\Thunder Network\Thunder\Thunder.exe [启动迅雷5] -> Thunder Networking Technologies,LTD [Ver = 5, 6, 8, 19 | Size = 45056 bytes | Modified Date = 2008-07-10 21:15:00 | Attr =    ]
{95B3F550-91C4-4627-BCC4-521288C52977}:Exec -> E:\电影\PPLive\PPLive.exe [PPLive] ->  [Ver =  | Size = 190072 bytes | Modified Date = 2007-03-16 13:46:10 | Attr =    ]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\ -> 
CmdMapping\\{09BA8F6D-CB54-424B-839C-C2A6C8E6B436} [HKEY_LOCAL_MACHINE] -> D:\Program Files\Thunder Network\Thunder\Thunder.exe [启动迅雷5] -> Thunder Networking Technologies,LTD [Ver = 5, 6, 8, 19 | Size = 45056 bytes | Modified Date = 2008-07-10 21:15:00 | Attr =    ]
CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157b} [HKEY_LOCAL_MACHINE] ->  [Reg Error: Key does not exist or could not be opened.] -> File not found
< Internet Explorer Menu Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ -> 
使用迅雷下载 -> D:\Program Files\Thunder Network\Thunder\Program\geturl.htm ->  [Ver =  | Size = 3946 bytes | Modified Date = 2008-06-13 09:55:40 | Attr =    ]
使用迅雷下载全部链接 -> D:\Program Files\Thunder Network\Thunder\Program\getallurl.htm ->  [Ver =  | Size = 1673 bytes | Modified Date = 2008-06-13 09:55:40 | Attr =    ]
添加到QQ表情 -> D:\Program Files\Tencent\QQ\AddEmotion.htm ->  [Ver =  | Size = 893 bytes | Modified Date = 2008-01-04 09:17:28 | Attr =    ]
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ -> 
PluginsPageFriendlyName -> Microsoft ActiveX Gallery -> 
PluginsPage -> http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s -> 
< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ -> 
{8CBAFD0C-D76A-4872-9C4F-3C2A0A5A9538} ->    () -> 
{8F214FBA-83EF-4239-8B83-A6448847A2F4} ->    (VIA Compatable Fast Ethernet Adapter) -> 
< Protocol Handlers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ -> 
ipp: [HKEY_LOCAL_MACHINE] -> No CLSID value
KuGoo3:{6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} [HKEY_LOCAL_MACHINE] -> D:\PROGRA~1\KuGoo3\InExtend\KUGOO3~1.OCX[] ->  [Ver =  | Size = 505856 bytes | Modified Date = 2006-11-16 10:10:02 | Attr =    ]
msdaipp: [HKEY_LOCAL_MACHINE] -> No CLSID value
skype4com:{FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} [HKEY_LOCAL_MACHINE] -> %SystemDrive%\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL[IEProtocolHandler Class] -> Skype Technologies [Ver = 1, 0, 27, 0 | Size = 1828440 bytes | Modified Date = 2007-06-27 04:22:36 | Attr = R  ]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ -> 
{215B8138-A3CF-44C5-803F-8226143CFC0A}[HKEY_LOCAL_MACHINE] -> http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab[Trend Micro ActiveX Scan Agent 6.6] -> 
{2BC66F54-93A8-11D3-BEB6-00105AA9B6AE}[HKEY_LOCAL_MACHINE] -> http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab[Symantec AntiVirus scanner] -> 
{644E432F-49D3-41A1-8DD5-E099162EEEC5}[HKEY_LOCAL_MACHINE] -> http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab[Symantec RuFSI Utility Class] -> 
{8AD9C840-044E-11D1-B3E9-00805F499D93}[HKEY_LOCAL_MACHINE] -> http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab[Java Plug-in 1.6.0_03] -> 
{AC414988-E5BB-4C2C-873B-EA53D2F3D23A}[HKEY_LOCAL_MACHINE] -> http://t.live.cctv.com/ieocx/CCTVUpdateInstall.dll[CCTVUpdateInstall] -> 
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab[Java Plug-in 1.6.0_03] -> 
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab[Java Plug-in 1.6.0_03] -> 
{D27CDB6E-AE6D-11CF-96B8-444553540000}[HKEY_LOCAL_MACHINE] -> http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab[Shockwave Flash Object] -> 
< Module Usage Keys [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/avsniff.dll\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/avsniff.dll\\.Owner -> {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/avsniff.dll\\{2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/avsniffdlgs.dll\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/avsniffdlgs.dll\\.Owner -> {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/avsniffdlgs.dll\\{2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CCTVUpdateInstall.dll\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CCTVUpdateInstall.dll\\.Owner -> {AC414988-E5BB-4C2C-873B-EA53D2F3D23A} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CCTVUpdateInstall.dll\\{AC414988-E5BB-4C2C-873B-EA53D2F3D23A} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ecmldr32.dll\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ecmldr32.dll\\.Owner -> {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ecmldr32.dll\\{2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/Housecall_ActiveX.dll\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/Housecall_ActiveX.dll\\.Owner -> {215B8138-A3CF-44C5-803F-8226143CFC0A} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/Housecall_ActiveX.dll\\{215B8138-A3CF-44C5-803F-8226143CFC0A} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/navapi.vxd\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/navapi.vxd\\.Owner -> {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/navapi.vxd\\{2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/navapi32.dll\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/navapi32.dll\\.Owner -> {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/navapi32.dll\\{2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/rufsi.dll\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/rufsi.dll\\.Owner -> {644E432F-49D3-41A1-8DD5-E099162EEEC5} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/rufsi.dll\\{644E432F-49D3-41A1-8DD5-E099162EEEC5} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/mfc42.dll\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/mfc42.dll\\.Owner -> Unknown Owner -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/mfc42.dll\\{215B8138-A3CF-44C5-803F-8226143CFC0A} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/msvcp60.dll\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/msvcp60.dll\\.Owner -> Unknown Owner -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/msvcp60.dll\\{215B8138-A3CF-44C5-803F-8226143CFC0A} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/msvcrt.dll\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/msvcrt.dll\\.Owner -> Unknown Owner -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/msvcrt.dll\\{215B8138-A3CF-44C5-803F-8226143CFC0A} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/olepro32.dll\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/olepro32.dll\\.Owner -> Unknown Owner -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/olepro32.dll\\{215B8138-A3CF-44C5-803F-8226143CFC0A} ->  -> 



[Files/Folders - Created Within 30 days]
FOUND.000 -> %SystemDrive%\FOUND.000 ->  [Folder | Created Date = 2008-08-13 08:40:42 | Attr =  HS]
FOUND.001 -> %SystemDrive%\FOUND.001 ->  [Folder | Created Date = 2008-08-14 10:58:36 | Attr =  HS]
QooBox -> %SystemDrive%\QooBox ->  [Folder | Created Date = 2008-08-20 23:56:22 | Attr =    ]
327882R2FWJFW -> %SystemDrive%\327882R2FWJFW ->  [Folder | Created Date = 2008-08-22 15:26:36 | Attr =    ]
emsf.bat -> %SystemDrive%\emsf.bat ->  [Ver =  | Size = 108 bytes | Created Date = 2008-07-26 12:19:42 | Attr =    ]
ComboFix -> %SystemDrive%\ComboFix ->  [Folder | Created Date = 2008-08-20 23:56:17 | Attr =    ]
iksysflt.sys -> %SystemRoot%\System32\drivers\iksysflt.sys -> PCTools Research Pty Ltd. [Ver = 5.0.2.1029 | Size = 66952 bytes | Created Date = 2008-07-30 15:48:24 | Attr =    ]
iksyssec.sys -> %SystemRoot%\System32\drivers\iksyssec.sys -> PCTools Research Pty Ltd. [Ver = 5.0.2.1033 | Size = 81288 bytes | Created Date = 2008-07-30 15:48:24 | Attr =    ]
kcom.sys -> %SystemRoot%\System32\drivers\kcom.sys -> PCTools Research Pty Ltd. [Ver = 5.0.2.1008 | Size = 29576 bytes | Created Date = 2008-07-30 15:48:24 | Attr =    ]
ikfilesec.sys -> %SystemRoot%\System32\drivers\ikfilesec.sys -> PCTools Research Pty Ltd. [Ver = 5.0.2.1042 built by: WinDDK | Size = 42376 bytes | Created Date = 2008-07-30 15:48:24 | Attr =    ]
xlhcc.dat -> %SystemRoot%\System32\xlhcc.dat ->  [Ver =  | Size = 26 bytes | Created Date = 2008-08-14 01:00:59 | Attr =    ]
VBACHS32.OLB -> %SystemRoot%\System32\VBACHS32.OLB ->  [Ver =  | Size = 24336 bytes | Created Date = 2008-11-12 12:00:00 | Attr =    ]
VSFLEX3.OCX -> %SystemRoot%\System32\VSFLEX3.OCX -> VideoSoft [Ver = 3.00.036 | Size = 225280 bytes | Created Date = 2008-11-12 12:00:00 | Attr =    ]
LogFiles -> %SystemRoot%\System32\LogFiles ->  [Folder | Created Date = 2008-07-24 17:06:48 | Attr =    ]
QQBox.bmp -> %SystemRoot%\System32\QQBox.bmp ->  [Ver =  | Size = 24376 bytes | Created Date = 2008-07-26 12:20:11 | Attr =    ]
pub_store.dat -> %SystemRoot%\System32\pub_store.dat ->  [Ver =  | Size = 20 bytes | Created Date = 2008-08-14 01:00:59 | Attr =    ]
swxcacls.exe -> %SystemRoot%\swxcacls.exe -> SteelWerX [Ver = 1.0.1.1 | Size = 212480 bytes | Created Date = 2008-08-20 23:56:20 | Attr =    ]
swsc.exe -> %SystemRoot%\swsc.exe -> SteelWerX [Ver = 2.0.0.5 | Size = 136704 bytes | Created Date = 2008-08-20 23:56:20 | Attr =    ]
fdsv.exe -> %SystemRoot%\fdsv.exe -> Smallfrogs Studio [Ver = 1, 2, 0, 22 | Size = 89504 bytes | Created Date = 2008-08-20 23:56:20 | Attr =    ]
PSEXESVC.EXE -> %SystemRoot%\PSEXESVC.EXE -> Sysinternals [Ver = 1.70 | Size = 53248 bytes | Created Date = 2008-08-21 00:01:34 | Attr =    ]
sed.exe -> %SystemRoot%\sed.exe ->  [Ver =  | Size = 98816 bytes | Created Date = 2008-08-20 23:56:20 | Attr =    ]
VFind.exe -> %SystemRoot%\VFind.exe ->  [Ver =  | Size = 49152 bytes | Created Date = 2008-08-20 23:56:20 | Attr =    ]
zip.exe -> %SystemRoot%\zip.exe ->  [Ver =  | Size = 68096 bytes | Created Date = 2008-08-20 23:56:20 | Attr =    ]
swreg.exe -> %SystemRoot%\swreg.exe -> SteelWerX [Ver = 3.0.0.0 | Size = 161792 bytes | Created Date = 2008-08-20 23:56:20 | Attr =    ]
erdnt -> %SystemRoot%\erdnt ->  [Folder | Created Date = 2008-08-20 23:57:27 | Attr =    ]
3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> 
Nircmd.exe -> %SystemRoot%\Nircmd.exe -> NirSoft [Ver = 2.10 | Size = 28672 bytes | Created Date = 2008-08-20 23:56:20 | Attr =    ]
RSBDBACKUP.DLL -> %SystemRoot%\RSBDBACKUP.DLL ->  [Ver =  | Size = 162 bytes | Created Date = 2008-08-21 00:13:47 | Attr =    ]
sky.exe -> %SystemRoot%\tasks\sky.exe ->  [Ver =  | Size = 57837 bytes | Created Date = 2008-08-13 17:41:10 | Attr =    ]

[Files/Folders - Modified Within 30 days]
FOUND.000 -> %SystemDrive%\FOUND.000 ->  [Folder | Modified Date = 2008-08-13 08:40:42 | Attr =  HS]
FOUND.001 -> %SystemDrive%\FOUND.001 ->  [Folder | Modified Date = 2008-08-14 10:58:36 | Attr =  HS]
sqmdata00.sqm -> %SystemDrive%\sqmdata00.sqm ->  [Ver =  | Size = 268 bytes | Modified Date = 2008-08-21 00:04:52 | Attr =  H ]
sqmnoopt00.sqm -> %SystemDrive%\sqmnoopt00.sqm ->  [Ver =  | Size = 244 bytes | Modified Date = 2008-08-21 00:04:52 | Attr =  H ]
sqmnoopt01.sqm -> %SystemDrive%\sqmnoopt01.sqm ->  [Ver =  | Size = 244 bytes | Modified Date = 2008-08-21 09:37:58 | Attr =  H ]
sqmdata01.sqm -> %SystemDrive%\sqmdata01.sqm ->  [Ver =  | Size = 268 bytes | Modified Date = 2008-08-21 09:37:58 | Attr =  H ]
sqmnoopt02.sqm -> %SystemDrive%\sqmnoopt02.sqm ->  [Ver =  | Size = 244 bytes | Modified Date = 2008-08-21 22:59:40 | Attr =  H ]
sqmdata02.sqm -> %SystemDrive%\sqmdata02.sqm ->  [Ver =  | Size = 268 bytes | Modified Date = 2008-08-21 22:59:40 | Attr =  H ]
sqmnoopt03.sqm -> %SystemDrive%\sqmnoopt03.sqm ->  [Ver =  | Size = 244 bytes | Modified Date = 2008-08-22 13:32:30 | Attr =  H ]
sqmdata03.sqm -> %SystemDrive%\sqmdata03.sqm ->  [Ver =  | Size = 268 bytes | Modified Date = 2008-08-22 13:32:30 | Attr =  H ]
sqmnoopt04.sqm -> %SystemDrive%\sqmnoopt04.sqm ->  [Ver =  | Size = 244 bytes | Modified Date = 2008-08-22 21:00:26 | Attr =  H ]
sqmdata04.sqm -> %SystemDrive%\sqmdata04.sqm ->  [Ver =  | Size = 268 bytes | Modified Date = 2008-08-22 21:00:26 | Attr =  H ]
sqmnoopt05.sqm -> %SystemDrive%\sqmnoopt05.sqm ->  [Ver =  | Size = 244 bytes | Modified Date = 2008-08-22 21:22:26 | Attr =  H ]
sqmdata05.sqm -> %SystemDrive%\sqmdata05.sqm ->  [Ver =  | Size = 268 bytes | Modified Date = 2008-08-22 21:22:26 | Attr =  H ]
sqmnoopt06.sqm -> %SystemDrive%\sqmnoopt06.sqm ->  [Ver =  | Size = 244 bytes | Modified Date = 2008-08-15 13:37:52 | Attr =  H ]
sqmdata06.sqm -> %SystemDrive%\sqmdata06.sqm ->  [Ver =  | Size = 268 bytes | Modified Date = 2008-08-15 13:37:52 | Attr =  H ]
sqmnoopt07.sqm -> %SystemDrive%\sqmnoopt07.sqm ->  [Ver =  | Size = 244 bytes | Modified Date = 2008-08-16 12:47:12 | Attr =  H ]
sqmdata07.sqm -> %SystemDrive%\sqmdata07.sqm ->  [Ver =  | Size = 268 bytes | Modified Date = 2008-08-16 12:47:12 | Attr =  H ]
sqmnoopt08.sqm -> %SystemDrive%\sqmnoopt08.sqm ->  [Ver =  | Size = 244 bytes | Modified Date = 2008-08-16 22:46:28 | Attr =  H ]
sqmdata08.sqm -> %SystemDrive%\sqmdata08.sqm ->  [Ver =  | Size = 268 bytes | Modified Date = 2008-08-16 22:46:28 | Attr =  H ]
sqmnoopt09.sqm -> %SystemDrive%\sqmnoopt09.sqm ->  [Ver =  | Size = 244 bytes | Modified Date = 2008-08-17 15:11:52 | Attr =  H ]
sqmdata09.sqm -> %SystemDrive%\sqmdata09.sqm ->  [Ver =  | Size = 268 bytes | Modified Date = 2008-08-17 15:11:52 | Attr =  H ]
sqmnoopt10.sqm -> %SystemDrive%\sqmnoopt10.sqm ->  [Ver =  | Size = 244 bytes | Modified Date = 2008-08-18 09:45:34 | Attr =  H ]
sqmdata10.sqm -> %SystemDrive%\sqmdata10.sqm ->  [Ver =  | Size = 268 bytes | Modified Date = 2008-08-18 09:45:34 | Attr =  H ]
sqmnoopt11.sqm -> %SystemDrive%\sqmnoopt11.sqm ->  [Ver =  | Size = 244 bytes | Modified Date = 2008-08-18 10:10:24 | Attr =  H ]
sqmdata11.sqm -> %SystemDrive%\sqmdata11.sqm ->  [Ver =  | Size = 268 bytes | Modified Date = 2008-08-18 10:10:24 | Attr =  H ]
sqmnoopt12.sqm -> %SystemDrive%\sqmnoopt12.sqm ->  [Ver =  | Size = 244 bytes | Modified Date = 2008-08-18 16:10:30 | Attr =  H ]
sqmdata12.sqm -> %SystemDrive%\sqmdata12.sqm ->  [Ver =  | Size = 268 bytes | Modified Date = 2008-08-18 16:10:30 | Attr =  H ]
sqmnoopt13.sqm -> %SystemDrive%\sqmnoopt13.sqm ->  [Ver =  | Size = 244 bytes | Modified Date = 2008-08-18 18:22:02 | Attr =  H ]
sqmdata13.sqm -> %SystemDrive%\sqmdata13.sqm ->  [Ver =  | Size = 268 bytes | Modified Date = 2008-08-18 18:22:02 | Attr =  H ]
sqmnoopt14.sqm -> %SystemDrive%\sqmnoopt14.sqm ->  [Ver =  | Size = 244 bytes | Modified Date = 2008-08-18 22:34:26 | Attr =  H ]
sqmdata14.sqm -> %SystemDrive%\sqmdata14.sqm ->  [Ver =  | Size = 268 bytes | Modified Date = 2008-08-18 22:34:26 | Attr =  H ]
sqmnoopt15.sqm -> %SystemDrive%\sqmnoopt15.sqm ->  [Ver =  | Size = 244 bytes | Modified Date = 2008-08-19 10:12:08 | Attr =  H ]
sqmdata15.sqm -> %SystemDrive%\sqmdata15.sqm ->  [Ver =  | Size = 268 bytes | Modified Date = 2008-08-19 10:12:08 | Attr =  H ]
sqmnoopt16.sqm -> %SystemDrive%\sqmnoopt16.sqm ->  [Ver =  | Size = 244 bytes | Modified Date = 2008-08-19 14:21:56 | Attr =  H ]
sqmdata16.sqm -> %SystemDrive%\sqmdata16.sqm ->  [Ver =  | Size = 268 bytes | Modified Date = 2008-08-19 14:21:56 | Attr =  H ]
QooBox -> %SystemDrive%\QooBox ->  [Folder | Modified Date = 2008-08-20 23:56:24 | Attr =    ]
sqmnoopt17.sqm -> %SystemDrive%\sqmnoopt17.sqm ->  [Ver =  | Size = 244 bytes | Modified Date = 2008-08-20 11:15:30 | Attr =  H ]
sqmdata17.sqm -> %SystemDrive%\sqmdata17.sqm ->  [Ver =  | Size = 268 bytes | Modified Date = 2008-08-20 11:15:30 | Attr =  H ]
sqmnoopt18.sqm -> %SystemDrive%\sqmnoopt18.sqm ->  [Ver =  | Size = 244 bytes | Modified Date = 2008-08-20 22:35:28 | Attr =  H ]
sqmdata18.sqm -> %SystemDrive%\sqmdata18.sqm ->  [Ver =  | Size = 268 bytes | Modified Date = 2008-08-20 22:35:28 | Attr =  H ]
sqmnoopt19.sqm -> %SystemDrive%\sqmnoopt19.sqm ->  [Ver =  | Size = 244 bytes | Modified Date = 2008-08-20 23:54:40 | Attr =  H ]
sqmdata19.sqm -> %SystemDrive%\sqmdata19.sqm ->  [Ver =  | Size = 268 bytes | Modified Date = 2008-08-20 23:54:40 | Attr =  H ]
327882R2FWJFW -> %SystemDrive%\327882R2FWJFW ->  [Folder | Modified Date = 2008-08-18 15:24:12 | Attr =    ]
emsf.bat -> %SystemDrive%\emsf.bat ->  [Ver =  | Size = 108 bytes | Modified Date = 2008-07-26 12:19:44 | Attr =    ]
ComboFix -> %SystemDrive%\ComboFix ->  [Folder | Modified Date = 2008-08-20 23:56:18 | Attr =    ]
RsNTGdi.sys -> %SystemRoot%\System32\drivers\RsNTGdi.sys -> Beijing Rising Information Technology Co., Ltd. [Ver = 20, 0, 0, 3 | Size = 10736 bytes | Modified Date = 2008-07-28 14:24:18 | Attr =    ]
HookHelp.sys -> %SystemRoot%\System32\drivers\HookHelp.sys -> Beijing Rising Information Technology Co., Ltd. [Ver = 22, 0, 0, 15 | Size = 30704 bytes | Modified Date = 2008-07-28 14:21:48 | Attr =    ]
HookSys.sys -> %SystemRoot%\System32\drivers\HookSys.sys -> Beijing Rising Information Technology Co., Ltd. [Ver = 22, 0, 0, 54 | Size = 164848 bytes | Modified Date = 2008-07-28 14:21:48 | Attr =    ]
HookCont.sys -> %SystemRoot%\System32\drivers\HookCont.sys -> Beijing Rising Information Technology Co., Ltd. [Ver = 22, 0, 0, 7 | Size = 13808 bytes | Modified Date = 2008-07-28 14:22:30 | Attr =    ]
HOOKREG.sys -> %SystemRoot%\System32\drivers\HOOKREG.sys -> Beijing Rising Information Technology Co., Ltd. [Ver = 22, 0, 0, 28 | Size = 38256 bytes | Modified Date = 2008-07-28 14:22:08 | Attr =    ]
HookNtos.sys -> %SystemRoot%\System32\drivers\HookNtos.sys -> Beijing Rising Information Technology Co., Ltd. [Ver = 22, 0, 0, 50 | Size = 62576 bytes | Modified Date = 2008-07-28 14:22:08 | Attr =    ]
wpa.dbl -> %SystemRoot%\System32\wpa.dbl ->  [Ver =  | Size = 2206 bytes | Modified Date = 2008-08-22 21:22:30 | Attr =    ]
perfc009.dat -> %SystemRoot%\System32\perfc009.dat ->  [Ver =  | Size = 54692 bytes | Modified Date = 2008-07-30 15:50:32 | Attr =    ]
perfh009.dat -> %SystemRoot%\System32\perfh009.dat ->  [Ver =  | Size = 348776 bytes | Modified Date = 2008-07-30 15:50:32 | Attr =    ]
prfc0804.dat -> %SystemRoot%\System32\prfc0804.dat ->  [Ver =  | Size = 55410 bytes | Modified Date = 2008-07-30 15:50:32 | Attr =    ]
prfh0804.dat -> %SystemRoot%\System32\prfh0804.dat ->  [Ver =  | Size = 155848 bytes | Modified Date = 2008-07-30 15:50:32 | Attr =    ]
tmmr.rem -> %SystemRoot%\System32\tmmr.rem ->  [Ver =  | Size = 6160 bytes | Modified Date = 2008-08-18 15:21:50 | Attr =    ]
xlhcc.dat -> %SystemRoot%\System32\xlhcc.dat ->  [Ver =  | Size = 26 bytes | Modified Date = 2008-08-19 18:06:22 | Attr =    ]
FNTCACHE.DAT -> %SystemRoot%\System32\FNTCACHE.DAT ->  [Ver =  | Size = 138848 bytes | Modified Date = 2008-08-14 22:58:14 | Attr =    ]
PerfStringBackup.INI -> %SystemRoot%\System32\PerfStringBackup.INI ->  [Ver =  | Size = 624494 bytes | Modified Date = 2008-07-30 15:50:32 | Attr =    ]
RavExt.dll -> %SystemRoot%\System32\RavExt.dll -> Beijing Rising Information Technology Co., Ltd. [Ver = 20.0.0.18 | Size = 113264 bytes | Modified Date = 2008-07-28 14:21:42 | Attr =    ]
VBACHS32.OLB -> %SystemRoot%\System32\VBACHS32.OLB ->  [Ver =  | Size = 24336 bytes | Modified Date = 2008-11-12 12:00:00 | Attr =    ]
VSFLEX3.OCX -> %SystemRoot%\System32\VSFLEX3.OCX -> VideoSoft [Ver = 3.00.036 | Size = 225280 bytes | Modified Date = 2008-11-12 12:00:00 | Attr =    ]
cid_store.dat -> %SystemRoot%\System32\cid_store.dat ->  [Ver =  | Size = 4579 bytes | Modified Date = 2008-08-18 17:31:00 | Attr =    ]
LogFiles -> %SystemRoot%\System32\LogFiles ->  [Folder | Modified Date = 2008-07-24 17:06:50 | Attr =    ]
QQBox.bmp -> %SystemRoot%\System32\QQBox.bmp ->  [Ver =  | Size = 24376 bytes | Modified Date = 2008-07-26 12:50:16 | Attr =    ]
pub_store.dat -> %SystemRoot%\System32\pub_store.dat ->  [Ver =  | Size = 20 bytes | Modified Date = 2008-08-14 01:01:00 | Attr =    ]
bsmain.exe -> %SystemRoot%\System32\bsmain.exe -> Beijing Rising Information Technology Co., Ltd. [Ver = 20, 0, 0, 4 | Size = 237168 bytes | Modified Date = 2008-07-28 14:24:18 | Attr =    ]
BsMain.ini -> %SystemRoot%\System32\BsMain.ini ->  [Ver =  | Size = 160 bytes | Modified Date = 2008-08-20 16:31:44 | Attr =    ]
system.ini -> %SystemRoot%\system.ini ->  [Ver =  | Size = 227 bytes | Modified Date = 2008-08-21 00:04:16 | Attr =    ]
win.ini -> %SystemRoot%\win.ini ->  [Ver =  | Size = 823 bytes | Modified Date = 2008-08-22 23:05:22 | Attr =    ]
bootstat.dat -> %SystemRoot%\bootstat.dat ->  [Ver =  | Size = 2048 bytes | Modified Date = 2008-08-22 21:20:46 | Attr =   S]
Rav.ini -> %SystemRoot%\Rav.ini ->  [Ver =  | Size = 62 bytes | Modified Date = 2008-08-22 13:33:10 | Attr =    ]
Rav.inf -> %SystemRoot%\Rav.inf ->  [Ver =  | Size = 451 bytes | Modified Date = 2008-08-20 16:31:46 | Attr =    ]
imsins.BAK -> %SystemRoot%\imsins.BAK ->  [Ver =  | Size = 1374 bytes | Modified Date = 2008-08-18 16:00:28 | Attr =    ]
PSEXESVC.EXE -> %SystemRoot%\PSEXESVC.EXE -> Sysinternals [Ver = 1.70 | Size = 53248 bytes | Modified Date = 2008-08-21 00:01:36 | Attr =    ]
erdnt -> %SystemRoot%\erdnt ->  [Folder | Modified Date = 2008-08-20 23:57:28 | Attr =    ]
3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> 
RSBDBACKUP.DLL -> %SystemRoot%\RSBDBACKUP.DLL ->  [Ver =  | Size = 162 bytes | Modified Date = 2008-08-22 13:34:10 | Attr =    ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT ->  [Ver =  | Size = 6 bytes | Modified Date = 2008-08-22 21:20:56 | Attr =  H ]
sky.exe -> %SystemRoot%\tasks\sky.exe ->  [Ver =  | Size = 57837 bytes | Modified Date = 2008-08-13 17:41:12 | Attr =    ]
C:\Documents and Settings\All Users\Application Data\Microsoft\HTML Help\ -> C:\Documents and Settings\All Users\Application Data\Microsoft\HTML Help ->  [Folder | Modified Date = 2006-05-23 20:07:12 | Attr =    ]
hhcolreg.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\HTML Help\hhcolreg.dat ->  [Ver =  | Size = 40594 bytes | Modified Date = 2008-07-18 10:33:22 | Attr =    ]
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\ -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader ->  [Folder | Modified Date = 2006-10-11 19:58:24 | Attr =    ]
qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat ->  [Ver =  | Size = 5518 bytes | Modified Date = 2008-07-14 20:52:26 | Attr =    ]
qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat ->  [Ver =  | Size = 5518 bytes | Modified Date = 2008-07-14 20:52:26 | Attr =    ]
C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA\ -> C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA ->  [Folder | Modified Date = 2007-01-23 20:55:34 | Attr =    ]
opa11.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA\opa11.dat ->  [Ver =  | Size = 8206 bytes | Modified Date = 2007-01-23 20:57:34 | Attr =    ]
D:\Personal\Temp\ -> D:\Personal\Temp ->  [Folder | Modified Date = 2004-11-07 22:14:20 | Attr =    ]
Perflib_Perfdata_f20.dat -> D:\Personal\Temp\Perflib_Perfdata_f20.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 2008-08-21 00:46:28 | Attr =    ]
Perflib_Perfdata_a50.dat -> D:\Personal\Temp\Perflib_Perfdata_a50.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 2008-08-21 22:55:42 | Attr =    ]
Perflib_Perfdata_a2c.dat -> D:\Personal\Temp\Perflib_Perfdata_a2c.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 2008-08-22 13:32:10 | Attr =    ]
Perflib_Perfdata_aac.dat -> D:\Personal\Temp\Perflib_Perfdata_aac.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 2008-08-22 21:22:26 | Attr =    ]
30 D:\Personal\Temp\*.tmp files -> D:\Personal\Temp\*.tmp -> 
D:\Personal\Temp\ -> D:\Personal\Temp ->  [Folder | Modified Date = 2004-11-07 22:14:20 | Attr =    ]
ppludt.ini -> D:\Personal\Temp\ppludt.ini ->  [Ver =  | Size = 716 bytes | Modified Date = 2008-08-22 21:58:14 | Attr =    ]
30 D:\Personal\Temp\*.tmp files -> D:\Personal\Temp\*.tmp -> 
C:\WINDOWS\Temp\ -> C:\WINDOWS\Temp ->  [Folder | Modified Date = 2006-05-23 19:45:32 | Attr =    ]
Perflib_Perfdata_d4.dat -> C:\WINDOWS\Temp\Perflib_Perfdata_d4.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 2008-08-21 00:03:20 | Attr =    ]
Perflib_Perfdata_678.dat -> C:\WINDOWS\Temp\Perflib_Perfdata_678.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 2008-08-21 09:36:30 | Attr =    ]
Perflib_Perfdata_608.dat -> C:\WINDOWS\Temp\Perflib_Perfdata_608.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 2008-08-21 22:52:54 | Attr =    ]
Perflib_Perfdata_61c.dat -> C:\WINDOWS\Temp\Perflib_Perfdata_61c.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 2008-08-22 13:29:16 | Attr =    ]
Perflib_Perfdata_600.dat -> C:\WINDOWS\Temp\Perflib_Perfdata_600.dat ->  [Ver =  | Size = 16384 bytes | Modified Date = 2008-08-22 21:21:00 | Attr =    ]
6 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp -> 

< End of report >
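The listing above is the kind of output a helper reads by eye. As an added example (not part of this thread, and not something OTListIt, ComboFix or any OldTimer tool does), here is a small Python triage pass over lines in that format. It flags three things a practitioner checks first: an executable sitting where executables do not normally live on XP (the drive root, %SystemRoot%\tasks, %SystemRoot%\Fonts, Temp folders), a PE file with neither a publisher nor a version resource, and a file stamped later than the report itself (VBACHS32.OLB and VSFLEX3.OCX above carry 2008-11-12 12:00:00 although the listing was taken in August). The report date of 2008-08-23 is an assumption taken from the OTMoveIt2 log stamp 08232008 in the next post; the sample lines are copied from the listing and the rules are this example's own heuristics.

```python
"""Triage pass over an OTListIt-style "Files/Folders - Created/Modified Within 30 days"
listing.  Added example for this thread, not part of OTListIt, ComboFix or any
OldTimer tool; the rules below are this example's own heuristics, not verdicts."""
import re
from datetime import datetime

# Assumption: the listing was taken around 2008-08-23 (the OTMoveIt2 log in the next
# post is stamped 08232008 and the newest modified time in the listing is 2008-08-22).
REPORT_DATE = datetime(2008, 8, 23)

# Constructed test input: a handful of lines copied from the listing posted in the thread.
SAMPLE_REPORT = r"""
[Files/Folders - Created Within 30 days]
QooBox -> %SystemDrive%\QooBox ->  [Folder | Created Date = 2008-08-20 23:56:22 | Attr =    ]
emsf.bat -> %SystemDrive%\emsf.bat ->  [Ver =  | Size = 108 bytes | Created Date = 2008-07-26 12:19:42 | Attr =    ]
iksysflt.sys -> %SystemRoot%\System32\drivers\iksysflt.sys -> PCTools Research Pty Ltd. [Ver = 5.0.2.1029 | Size = 66952 bytes | Created Date = 2008-07-30 15:48:24 | Attr =    ]
VBACHS32.OLB -> %SystemRoot%\System32\VBACHS32.OLB ->  [Ver =  | Size = 24336 bytes | Created Date = 2008-11-12 12:00:00 | Attr =    ]
sed.exe -> %SystemRoot%\sed.exe ->  [Ver =  | Size = 98816 bytes | Created Date = 2008-08-20 23:56:20 | Attr =    ]
3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> 
sky.exe -> %SystemRoot%\tasks\sky.exe ->  [Ver =  | Size = 57837 bytes | Created Date = 2008-08-13 17:41:10 | Attr =    ]
"""

# Entry layout:  name -> path -> [publisher] [field | field | ...]
ENTRY_RE = re.compile(r"^(?P<name>.+?) -> (?P<path>.+?) -> (?P<company>[^\[]*)\[(?P<fields>.*)\]$")

PE_EXT = {".exe", ".dll", ".sys", ".ocx", ".scr"}       # legitimate ones carry a version resource
SCRIPT_EXT = {".bat", ".cmd", ".vbs", ".js", ".pif", ".com"}


def parse_report(text):
    """Return one dict per file/folder entry; section headers and '*.tmp' summaries are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        fields, is_folder, stamp = {}, False, None
        for tok in m.group("fields").split(" | "):
            tok = tok.strip()
            if tok == "Folder":
                is_folder = True
            elif "=" in tok:
                key, val = (s.strip() for s in tok.split("=", 1))
                fields[key] = val
                if key.endswith("Date"):          # "Created Date" or "Modified Date"
                    stamp = datetime.strptime(val, "%Y-%m-%d %H:%M:%S")
        entries.append({
            "path": m.group("path"),
            "company": m.group("company").strip(),
            "version": fields.get("Ver", ""),
            "folder": is_folder,
            "date": stamp,
        })
    return entries


def _ext(path):
    filename = path.rsplit("\\", 1)[-1]
    return "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def _odd_location(path):
    """Places where a loose executable is unusual on XP: drive root, Tasks, Fonts, Temp."""
    p = path.lower().replace("/", "\\")
    parent = p.rsplit("\\", 1)[0] + "\\"
    if parent in ("%systemdrive%\\", "%systemroot%\\tasks\\", "%systemroot%\\fonts\\"):
        return "executable sitting directly in " + parent
    if "\\temp\\" in p:
        return "executable under a Temp directory"
    return None


def triage(text, report_date):
    """Return [(path, [reasons])] for entries worth a closer look, in listing order."""
    findings = []
    for e in parse_report(text):
        reasons = []
        if e["date"] is not None and e["date"] > report_date:
            reasons.append(f"timestamp {e['date']:%Y-%m-%d %H:%M} is later than the report date")
        ext = _ext(e["path"])
        if not e["folder"] and ext in PE_EXT | SCRIPT_EXT:
            where = _odd_location(e["path"])
            if where:
                reasons.append(where)
            if ext in PE_EXT and not e["company"] and not e["version"]:
                reasons.append("no publisher or version resource")
        if reasons:
            findings.append((e["path"], reasons))
    return findings


def triage_sample():
    return triage(SAMPLE_REPORT, REPORT_DATE)


if __name__ == "__main__":
    for path, reasons in triage_sample():
        print(path)
        for r in reasons:
            print("    -", r)
```

Treat the output as a reading order, not a verdict: sed.exe is flagged for lacking a version resource, but its creation time (2008-08-20 23:56:20) matches the ComboFix folder to the second, so it arrived with ComboFix, whereas sky.exe in %SystemRoot%\tasks is exactly the file the next post has moved.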
 
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    C:\WINDOWS\Tasks\sky.exe
    C:\WINDOWS\Fonts\winntls.exe
    C:\WINDOWS\Fonts\smcw.exe
    C:\WINDOWS\system32\drivers\xyzqcbo.sys
    C:\WINDOWS\system32\drivers\zpqaxb.sys
    C:\WINDOWS\system32\drivers\pabzaxy.sys
    C:\WINDOWS\system32\drivers\qprbzqx.sys 
    C:\WINDOWS\system32\drivers\qrabpqx.sys
    C:\WINDOWS\system32\DRIVERS\jg00x8iyjr.sys 
    C:\WINDOWS\system32\drivers\vydhnvzh.sys
    C:\WINDOWS\system32\drivers\wdtsr.sys 
    C:\WINDOWS\system32\DRIVERS\z7xq6c1ddy.sys 
    D:\Personal\Temp\_tmp.bat 
    C:\WINDOWS\system32\drivers\ayzpqa.sys 
    C:\WINDOWS\system32\drivers\cabyopr.sys
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
 
C:\WINDOWS\Tasks\sky.exe moved successfully.
C:\WINDOWS\Fonts\winntls.exe moved successfully.
C:\WINDOWS\Fonts\smcw.exe moved successfully.
File/Folder C:\WINDOWS\system32\drivers\xyzqcbo.sys not found.
File/Folder C:\WINDOWS\system32\drivers\zpqaxb.sys not found.
File/Folder C:\WINDOWS\system32\drivers\pabzaxy.sys not found.
File/Folder C:\WINDOWS\system32\drivers\qprbzqx.sys not found.
File/Folder C:\WINDOWS\system32\drivers\qrabpqx.sys not found.
File/Folder C:\WINDOWS\system32\DRIVERS\jg00x8iyjr.sys not found.
File/Folder C:\WINDOWS\system32\drivers\vydhnvzh.sys not found.
File/Folder C:\WINDOWS\system32\drivers\wdtsr.sys not found.
File/Folder C:\WINDOWS\system32\DRIVERS\z7xq6c1ddy.sys not found.
File/Folder D:\Personal\Temp\_tmp.bat not found.
File/Folder C:\WINDOWS\system32\drivers\ayzpqa.sys not found.
File/Folder C:\WINDOWS\system32\drivers\cabyopr.sys not found.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08232008_235031
 
Thanks for info.

Create a Startup List
  • Open HiJackThis
  • Click Open the Misc tools section
  • Check off the 2 boxes next to the box that says "Generate StartupList log"
  • Copy and paste the StartupList from Notepad into your next post
 
I think search.exe under Running processes is HijackThis; I renamed it because it wouldn't run under the original name.

StartupList report, 2008-08-24, 17:56:51
StartupList version: 1.52.2
Started from : D:\search.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16705)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
d:\Program Files\Rising\Rav\CCenter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
D:\PROGRAM FILES\RISING\RAV\ravmond.exe
C:\WINDOWS\system32\spoolsv.exe
D:\PROGRAM FILES\RISING\RAV\RavStub.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
D:\Program Files\Spyware Doctor\pctsAuxs.exe
D:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
D:\PROGRAM FILES\RISING\RAV\RavMon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\VM305_STI.EXE
D:\Program Files\Spyware Doctor\pctsTray.exe
D:\Program Files\Rising\Rav\RavTask.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Netscape\Navigator 9\navigator.exe
D:\search.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\「开始」菜单\程序\启动]
服务管理器.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SoundMan = SOUNDMAN.EXE
Adobe Reader Speed Launcher = "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
BigDog305 = C:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)
ISTray = "D:\Program Files\Spyware Doctor\pctsTray.exe"
RavTask = "d:\Program Files\Rising\Rav\RavTask.exe" -system

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
msnmsgr = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
=

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = C:\WINDOWS\notepad.exe %1

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

Thunder AtOnce - D:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll - {01443AEC-0FD1-40fd-9C87-E93D1494C233}
(no name) - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
ThunderBHO - D:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll - {889D2FEB-5411-4565-8998-1DD2C5261283}

--------------------------------------------------

Enumerating Download Program Files:

[Trend Micro ActiveX Scan Agent 6.6]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\Housecall_ActiveX.dll
CODEBASE = http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
CODEBASE = http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

[Symantec RuFSI Utility Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

[Java Plug-in 1.6.0_03]
InProcServer32 = C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
CODEBASE = http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab

[CCTVUpdateInstall]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\CCTVUpdateInstall.dll
CODEBASE = http://t.live.cctv.com/ieocx/CCTVUpdateInstall.dll

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
End of report, 6,169 bytes
Report generated in 0.156 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
 