
I think my computer is infected


Kenyas


Well, I'm suspicious that my computer was kind of slow. I also deleted a few viruses when I first used MalwareBytes. I also used other programs, sorry I forgot the name, but I also deleted a few using that other software. Also, I can't install Windows Defender. Please help me solve this problem. Please let me know what I can do. Thank you for your time in helping me.

Malwarebytes' Anti-Malware 1.28

Database version: 1267

Windows 5.1.2600 Service Pack 2

2008-10-14 18:48:01

mbam-log-2008-10-14 (18-48-01).txt

Scan type: Quick Scan

Objects scanned: 72764

Time elapsed: 10 minute(s), 6 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

HJT:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 20:16:00, on 2008-10-14

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Rising\Rav\CCenter.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRAM FILES\RISING\RAV\ravmond.exe

c:\program files\rising\rfw\rfwsrv.exe

c:\program files\rising\rfw\rfwproxy.exe

c:\program files\rising\rfw\rfwstub.exe

C:\PROGRAM FILES\RISING\RAV\RavStub.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\SCardSvr.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\Explorer.EXE

c:\program files\rising\rfw\RfwMain.exe

C:\WINDOWS\stsystra.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Rising\Rav\RavTask.exe

C:\Program Files\Rising\AntiSpyware\rstray.exe

C:\Program Files\Rising\Rav\Ravmon.exe

C:\Program Files\AirPort\APAgent.exe

C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\BitTorrent_DNA\dna.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\FirstClass\fcc32.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [EPSON Stylus Photo R310 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3F2.EXE /P30 "EPSON Stylus Photo R310 Series" /O6 "USB001" /M "Stylus Photo R310"

O4 - HKLM\..\Run: [RfwMain] "C:\Program Files\Rising\Rfw\rfwmain.exe" -Startup

O4 - HKLM\..\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system

O4 - HKLM\..\Run: [MenuOrder] C:\Program Files\ICBCPe~1\ICBC\Gemplus(Personal)\MenuOrder\MenuOrder.exe

O4 - HKLM\..\Run: [runeip] "C:\Program Files\Rising\AntiSpyware\rstray.exe" /startup

O4 - HKLM\..\Run: [AirPort Base Station Agent] "C:\Program Files\AirPort\APAgent.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\RunOnce: [KKDelay] C:\Program Files\Rising\AntiSpyware\RunOnce.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [EPSON Stylus Photo R310 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3F2.EXE /P30 "EPSON Stylus Photo R310 Series" /M "Stylus Photo R310" /EF "HKCU"

O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: VeryCD超级搜索 - C:\PROGRA~1\yok\yoksch.htm

O8 - Extra context menu item: 使用快车(Flas&hGet)下载 - C:\Program Files\FlashGet\ComDlls\Bholink.htm

O8 - Extra context menu item: 使用快车(Flash&Get)下载全部链接 - C:\Program Files\FlashGet\ComDlls\Bhoall.htm

O8 - Extra context menu item: 使用迅雷下载 - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm

O8 - Extra context menu item: 使用迅雷下载全部链接 - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java 控制台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll

O9 - Extra button: 启动迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe

O9 - Extra 'Tools' menuitem: 启动迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe

O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813

O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft.com/fwlink/?LinkId=82580

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O20 - AppInit_DLLs: kmon.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Bonjour 服务 (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod 服务 (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Rising Proxy Service (RfwProxySrv) - Beijing Rising Information Technology Co., Ltd. - c:\program files\rising\rfw\rfwproxy.exe

O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Information Technology Co., Ltd. - c:\program files\rising\rfw\rfwsrv.exe

O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rav\CCenter.exe

O23 - Service: Rising RealTime Monitor (RsRavMon) - Beijing Rising Information Technology Co., Ltd. - C:\PROGRAM FILES\RISING\RAV\Ravmond.exe

--

End of file - 8003 bytes

Panda Scan:

;*******************************************************************************

ANALYSIS: 2008-10-14 20:12:50

PROTECTIONS: 1

MALWARE: 29

SUSPECTS: 1

;*******************************************************************************

PROTECTIONS

Description Version Active Updated

;===============================================================================

Rising Antivirus <NULL> Yes Yes

;===============================================================================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===============================================================================

00046160 adware/searchexe Adware No 0 Yes No HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar

00046160 adware/searchexe Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page

00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No E:\Backup\Josephine Kwong\Cookies\josephine kwong@casalemedia[1].txt

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No E:\Backup\Josephine Kwong\Cookies\josephine kwong@doubleclick[1].txt

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No E:\Backup\Samuel Lee\Cookies\samuel lee@doubleclick[1].txt

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No E:\Backup\Samuel Lee\Cookies\samuel lee@atdmt[2].txt

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No E:\Backup\Josephine Kwong\Cookies\josephine kwong@atdmt[2].txt

00145457 Cookie/FastClick TrackingCookie No 0 Yes No E:\Backup\Samuel Lee\Cookies\samuel lee@fastclick[2].txt

00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No E:\Backup\Josephine Kwong\Cookies\josephine kwong@tribalfusion[1].txt

00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Anson Lee\Cookies\anson_lee@tribalfusion[2].txt

00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No E:\Backup\Samuel Lee\Cookies\samuel lee@mediaplex[1].txt

00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No E:\Backup\Josephine Kwong\Cookies\josephine kwong@mediaplex[1].txt

00145770 Cookie/CentrPort TrackingCookie No 0 Yes No E:\Backup\Samuel Lee\Cookies\samuel lee@centrport[1].txt

00152401 Cookie/Belnk TrackingCookie No 0 Yes No E:\Backup\Josephine Kwong\Cookies\josephine kwong@belnk[1].txt

00152401 Cookie/Belnk TrackingCookie No 0 Yes No E:\Backup\Samuel Lee\Cookies\samuel lee@belnk[1].txt

00159564 Cookie/WUpd TrackingCookie No 0 Yes No E:\Backup\Samuel Lee\Cookies\samuel lee@revenue[1].txt

00162730 Cookie/Belnk TrackingCookie No 0 Yes No E:\Backup\Samuel Lee\Cookies\samuel lee@dist.belnk[2].txt

00162730 Cookie/Belnk TrackingCookie No 0 Yes No E:\Backup\Josephine Kwong\Cookies\josephine kwong@dist.belnk[2].txt

00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Anson Lee\Cookies\anson_lee@com[1].txt

00167733 Cookie/Adserver TrackingCookie No 0 Yes No E:\Backup\Josephine Kwong\Cookies\josephine kwong@z1.adserver[1].txt

00167733 Cookie/Adserver TrackingCookie No 0 Yes No E:\Backup\Samuel Lee\Cookies\samuel lee@z1.adserver[1].txt

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No E:\Backup\Samuel Lee\Cookies\samuel lee@ad.yieldmanager[1].txt

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No E:\Backup\Josephine Kwong\Cookies\josephine kwong@ad.yieldmanager[1].txt

00168076 Cookie/BurstNet TrackingCookie No 0 Yes No E:\Backup\Samuel Lee\Cookies\samuel lee@burstnet[1].txt

00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No E:\Backup\Samuel Lee\Cookies\samuel lee@serving-sys[2].txt

00168101 Cookie/Falkag TrackingCookie No 0 Yes No E:\Backup\Josephine Kwong\Cookies\josephine kwong@as-us.falkag[1].txt

00169190 Cookie/Advertising TrackingCookie No 0 Yes No E:\Backup\Samuel Lee\Cookies\samuel lee@advertising[1].txt

00169190 Cookie/Advertising TrackingCookie No 0 Yes No E:\Backup\Josephine Kwong\Cookies\josephine kwong@advertising[1].txt

00169287 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Samuel Lee\Cookies\samuel_lee@media.adrevolver[3].txt

00169287 Cookie/Adrevolver TrackingCookie No 0 Yes No E:\Backup\Samuel Lee\Cookies\samuel lee@adrevolver[3].txt

00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No E:\Backup\Josephine Kwong\Cookies\josephine kwong@statse.webtrendslive[1].txt

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Anson Lee\Cookies\anson_lee@ads.pointroll[1].txt

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No E:\Backup\Josephine Kwong\Cookies\josephine kwong@ads.pointroll[1].txt

00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No E:\Backup\Samuel Lee\Cookies\samuel lee@questionmarket[1].txt

00172221 Cookie/Zedo TrackingCookie No 0 Yes No E:\Backup\Samuel Lee\Cookies\samuel lee@zedo[1].txt

00179779 Cookie/Errorguard TrackingCookie No 0 Yes No E:\Backup\Josephine Kwong\Cookies\josephine kwong@errorguard[1].txt

00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No E:\Backup\Samuel Lee\Cookies\samuel lee@adrevolver[2].txt

00199983 Cookie/Valueclick TrackingCookie No 0 Yes No E:\Backup\Josephine Kwong\Cookies\josephine kwong@valueclick[1].txt

00262020 Cookie/Atwola TrackingCookie No 0 Yes No E:\Backup\Josephine Kwong\Cookies\josephine kwong@atwola[2].txt

00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No E:\Backup\Josephine Kwong\Cookies\josephine kwong@ads.addynamix[1].txt

01048936 Generic Malware Virus/Trojan No 0 Yes No C:\Program Files\GameSpy Arcade\Services\_common\PortraitLoader.dll

;===============================================================================

SUSPECTS

Sent Location

;===============================================================================

No C:\Documents and Settings\All Users\Application Data\Apple\Installer Cache\Apple Mobile Device Support 2.1.0.25\AppleMobileDeviceSupport.msi[unk_0051][EventFixer.exe]

;===============================================================================

VULNERABILITIES

Id Severity Description

;===============================================================================

;===============================================================================


Hi Kenyas and welcome to Malwarebytes. Please give full details in your explanations. What was "that other software"? Are you getting error messages for Defender? It's really not such a great program for protection or removal. Update MBAM and do another quick scan, then post that log please and a new HJT log.


Hi Jean

I found out that the other software that I used was Sunbelt Counterspy 2.0 trial version. I keep on getting error messages when installing Defender saying that I cannot open key: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks. Verify that you have sufficient access to that key, or contact your support personnel". I also can't update my Adobe Reader to version 9 because of a similar message, but in a different registry key. Also, I used Ad-Aware 2008 Trial version; it listed more than 1800 threats in the registry, I quarantined them, scanned again, and all the infections were still listed. If Defender is not a great program for protection or removal, would you kindly tell me what other software I should use? Thank you.

MBAM Log:

Malwarebytes' Anti-Malware 1.28

Database version: 1271

Windows 5.1.2600 Service Pack 2

2008-10-15 16:47:44

mbam-log-2008-10-15 (16-47-44).txt

Scan type: Quick Scan

Objects scanned: 73939

Time elapsed: 9 minute(s), 55 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

HJT log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 16:48:24, on 2008-10-15

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Rising\Rav\CCenter.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRAM FILES\RISING\RAV\ravmond.exe

c:\program files\rising\rfw\rfwsrv.exe

c:\program files\rising\rfw\rfwproxy.exe

c:\program files\rising\rfw\rfwstub.exe

C:\PROGRAM FILES\RISING\RAV\RavStub.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\SCardSvr.exe

C:\WINDOWS\Explorer.EXE

c:\program files\rising\rfw\RfwMain.exe

C:\WINDOWS\stsystra.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3F2.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Rising\Rav\RavTask.exe

C:\Program Files\Rising\AntiSpyware\rstray.exe

C:\Program Files\AirPort\APAgent.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe

C:\Program Files\Rising\Rav\Ravmon.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\BitTorrent_DNA\dna.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\FirstClass\fcc32.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [EPSON Stylus Photo R310 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3F2.EXE /P30 "EPSON Stylus Photo R310 Series" /O6 "USB001" /M "Stylus Photo R310"

O4 - HKLM\..\Run: [RfwMain] "C:\Program Files\Rising\Rfw\rfwmain.exe" -Startup

O4 - HKLM\..\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system

O4 - HKLM\..\Run: [MenuOrder] C:\Program Files\ICBCPe~1\ICBC\Gemplus(Personal)\MenuOrder\MenuOrder.exe

O4 - HKLM\..\Run: [runeip] "C:\Program Files\Rising\AntiSpyware\rstray.exe" /startup

O4 - HKLM\..\Run: [AirPort Base Station Agent] "C:\Program Files\AirPort\APAgent.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\RunOnce: [KKDelay] C:\Program Files\Rising\AntiSpyware\RunOnce.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [EPSON Stylus Photo R310 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3F2.EXE /P30 "EPSON Stylus Photo R310 Series" /M "Stylus Photo R310" /EF "HKCU"

O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: VeryCD超级搜索 - C:\PROGRA~1\yok\yoksch.htm

O8 - Extra context menu item: 使用快车(Flas&hGet)下载 - C:\Program Files\FlashGet\ComDlls\Bholink.htm

O8 - Extra context menu item: 使用快车(Flash&Get)下载全部链接 - C:\Program Files\FlashGet\ComDlls\Bhoall.htm

O8 - Extra context menu item: 使用迅雷下载 - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm

O8 - Extra context menu item: 使用迅雷下载全部链接 - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java 控制台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll

O9 - Extra button: 启动迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe

O9 - Extra 'Tools' menuitem: 启动迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe

O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813

O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft.com/fwlink/?LinkId=82580

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O20 - AppInit_DLLs: kmon.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Bonjour 服务 (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod 服务 (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Rising Proxy Service (RfwProxySrv) - Beijing Rising Information Technology Co., Ltd. - c:\program files\rising\rfw\rfwproxy.exe

O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Information Technology Co., Ltd. - c:\program files\rising\rfw\rfwsrv.exe

O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rav\CCenter.exe

O23 - Service: Rising RealTime Monitor (RsRavMon) - Beijing Rising Information Technology Co., Ltd. - C:\PROGRAM FILES\RISING\RAV\Ravmond.exe

--

End of file - 8078 bytes


Hi again, I need you to find a file for me please and submit it as a sample.

Please set your system to show all files:

Click Start.

Open My Computer.

Select the Tools menu and click Folder Options.

Select the View Tab.

Under the Hidden files and folders heading select Show hidden files and folders.

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm.

Click OK.

Please find this file C:\Program Files\Thunder Network\Thunder\Thunder.exe and attach it in a zipped folder here in a new topic you start; link back to your thread in the HJT forum, please.

Run HJT again and remove this item: O20 - AppInit_DLLs: kmon.dll. Reboot, update MBAM and run a quick scan, then post that log and a new HJT log please. Be sure you have your permissions set as Administrator when you're trying to install the programs that are failing. Also, you may have system damage that is causing this error.

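The O20 line the helper singles out is the most consequential entry in these logs: anything listed in AppInit_DLLs is loaded into every process that loads user32.dll, which is why HJT reports it as its own section. As an added example (not code from the thread or from HijackThis), here is a small Python parser for the HJT v2.0.2 log layout shown above; it pulls out the running-process list, the O4 Run entries, the O23 services and the O20 AppInit_DLLs value, and its sample log is constructed from lines that appear in this thread.

```python
"""Parser for the HijackThis (HJT) v2.0.2 log layout posted in this thread.
Added example; not part of the thread or of HijackThis. SAMPLE_LOG is constructed
from lines that appear in the thread's own logs."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the layout HJT writes: process list, blank line, Oxx entries, trailer.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe
O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
O20 - AppInit_DLLs: kmon.dll
O23 - Service: Rising RealTime Monitor (RsRavMon) - Beijing Rising Information Technology Co., Ltd. - C:\PROGRAM FILES\RISING\RAV\Ravmond.exe
--
End of file - 8003 bytes
"""

HJT_ENTRY = re.compile(r"^(O\d+) - (.+)$")
O4_RUN = re.compile(r"^(HKLM|HKCU)\\\.\.\\(Run|RunOnce|RunServices): \[(.+?)\] (.*)$")
O20_APPINIT = re.compile(r"^AppInit_DLLs: (.*)$")
# Display name, owner and path are separated by " - "; a display name that itself
# contains " - " would split early, a limit of the log format rather than of the regex.
O23_SERVICE = re.compile(r"^Service: (.+?) - (.+?) - (.+)$")


@dataclass
class HjtEntry:
    section: str                    # "O4", "O20", "O23", ...
    detail: str                     # raw text after "Oxx - "
    hive: Optional[str] = None      # HKLM / HKCU for O4 Run entries
    name: Optional[str] = None      # value name, "AppInit_DLLs", or service display name
    command: Optional[str] = None   # command line, DLL list, or service binary path
    owner: Optional[str] = None     # O23 owner string (HJT prints "Unknown owner" if none)


def parse_hjt(text: str) -> Tuple[List[str], List[HjtEntry]]:
    """Split an HJT log into its running-process list and its Oxx entries."""
    processes: List[str] = []
    entries: List[HjtEntry] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        m = HJT_ENTRY.match(line)
        if m is None:
            if in_processes:            # header lines before the list are ignored
                processes.append(line)
            continue
        in_processes = False            # the first Oxx line ends the process list
        entry = HjtEntry(m.group(1), m.group(2))
        if entry.section == "O4":
            r = O4_RUN.match(entry.detail)
            if r:
                entry.hive, entry.name, entry.command = r.group(1), r.group(3), r.group(4)
        elif entry.section == "O20":
            a = O20_APPINIT.match(entry.detail)
            if a:
                entry.name, entry.command = "AppInit_DLLs", a.group(1)
        elif entry.section == "O23":
            s = O23_SERVICE.match(entry.detail)
            if s:
                entry.name, entry.owner, entry.command = s.groups()
        entries.append(entry)
    return processes, entries


def executable_of(command: str) -> str:
    """Return the program an O4 command line launches: either a quoted path followed
    by switches (the IMJPMIG.EXE /Spoil line above) or an unquoted path / bare file
    name such as stsystra.exe, which Windows resolves through the search path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"^(.*?\.exe)(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else (command.split() or [""])[0]


def appinit_dlls(entries: List[HjtEntry]) -> List[str]:
    """Return every DLL named in the O20 AppInit_DLLs entry. Windows loads these into
    each process that loads user32.dll, so one entry runs in almost every application;
    that is why the helper had the kmon.dll entry removed with HJT."""
    dlls: List[str] = []
    for e in entries:
        if e.section == "O20" and e.name == "AppInit_DLLs":
            dlls.extend(d for d in re.split(r"[ ,;]+", e.command or "") if d)
    return dlls
```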

Hi Jean

Sorry, I can't upload thunder.exe for some reason. Here are the logs.

Malwarebytes' Anti-Malware 1.28

Database version: 1274

Windows 5.1.2600 Service Pack 2

2008-10-16 16:48:06

mbam-log-2008-10-16 (16-48-06).txt

Scan type: Quick Scan

Objects scanned: 69615

Time elapsed: 9 minute(s), 10 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

HJT:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 16:49:47, on 2008-10-16

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Rising\Rav\CCenter.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRAM FILES\RISING\RAV\ravmond.exe

c:\program files\rising\rfw\rfwsrv.exe

c:\program files\rising\rfw\rfwproxy.exe

c:\program files\rising\rfw\rfwstub.exe

C:\PROGRAM FILES\RISING\RAV\RavStub.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\SCardSvr.exe

c:\program files\rising\rfw\RfwMain.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\stsystra.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Rising\Rav\RavTask.exe

C:\Program Files\Rising\Rav\Ravmon.exe

C:\Program Files\Rising\AntiSpyware\rstray.exe

C:\Program Files\AirPort\APAgent.exe

C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3F2.EXE

C:\Program Files\BitTorrent_DNA\dna.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\FirstClass\fcc32.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [EPSON Stylus Photo R310 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3F2.EXE /P30 "EPSON Stylus Photo R310 Series" /O6 "USB001" /M "Stylus Photo R310"

O4 - HKLM\..\Run: [RfwMain] "C:\Program Files\Rising\Rfw\rfwmain.exe" -Startup

O4 - HKLM\..\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system

O4 - HKLM\..\Run: [MenuOrder] C:\Program Files\ICBCPe~1\ICBC\Gemplus(Personal)\MenuOrder\MenuOrder.exe

O4 - HKLM\..\Run: [runeip] "C:\Program Files\Rising\AntiSpyware\rstray.exe" /startup

O4 - HKLM\..\Run: [AirPort Base Station Agent] "C:\Program Files\AirPort\APAgent.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\RunOnce: [KKDelay] C:\Program Files\Rising\AntiSpyware\RunOnce.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [EPSON Stylus Photo R310 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3F2.EXE /P30 "EPSON Stylus Photo R310 Series" /M "Stylus Photo R310" /EF "HKCU"

O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: VeryCD超级搜索 [VeryCD Super Search] - C:\PROGRA~1\yok\yoksch.htm

O8 - Extra context menu item: 使用快车(Flas&hGet)下载 [Download with FlashGet] - C:\Program Files\FlashGet\ComDlls\Bholink.htm

O8 - Extra context menu item: 使用快车(Flash&Get)下载全部链接 [Download all links with FlashGet] - C:\Program Files\FlashGet\ComDlls\Bhoall.htm

O8 - Extra context menu item: 使用迅雷下载 [Download with Thunder (Xunlei)] - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm

O8 - Extra context menu item: 使用迅雷下载全部链接 [Download all links with Thunder] - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java 控制台 [Sun Java Console] - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll

O9 - Extra button: 启动迅雷5 [Launch Thunder 5] - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe

O9 - Extra 'Tools' menuitem: 启动迅雷5 [Launch Thunder 5] - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe

O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813

O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft.com/fwlink/?LinkId=82580

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O20 - AppInit_DLLs: kmon.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Bonjour 服务 (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod 服务 (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Rising Proxy Service (RfwProxySrv) - Beijing Rising Information Technology Co., Ltd. - c:\program files\rising\rfw\rfwproxy.exe

O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Information Technology Co., Ltd. - c:\program files\rising\rfw\rfwsrv.exe

O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rav\CCenter.exe

O23 - Service: Rising RealTime Monitor (RsRavMon) - Beijing Rising Information Technology Co., Ltd. - C:\PROGRAM FILES\RISING\RAV\Ravmond.exe

--

End of file - 8060 bytes


Why couldn't you upload it? I have been missing the root of your infections:

O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"

Bit torrent is so risky and most likely how you got infected. It's also illegal to download software, music, or video without paying for them.



Hi Jean

I don't mean that I won't upload the file. But when I upload the file, the attachment system won't let me attach these kinds of files. But I found out that a zip file of this program can be uploaded. Will that be OK? If not, I can't upload the file in other formats like rar and 7z. Sorry for the inconvenience.

logs:

Malwarebytes' Anti-Malware 1.29

Database version: 1276

Windows 5.1.2600 Service Pack 2

2008-10-17 18:08:42

mbam-log-2008-10-17 (18-08-42).txt

Scan type: Quick Scan

Objects scanned: 71854

Time elapsed: 10 minute(s), 58 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Program Files\Thunder Network\Thunder\Thunder.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HJT:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 18:17:45, on 2008-10-17

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Rising\Rav\CCenter.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRAM FILES\RISING\RAV\ravmond.exe

c:\program files\rising\rfw\rfwsrv.exe

c:\program files\rising\rfw\rfwproxy.exe

c:\program files\rising\rfw\rfwstub.exe

C:\PROGRAM FILES\RISING\RAV\RavStub.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\SCardSvr.exe

c:\program files\rising\rfw\RfwMain.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\stsystra.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Rising\Rav\RavTask.exe

C:\Program Files\Rising\Rav\Ravmon.exe

C:\Program Files\Rising\AntiSpyware\rstray.exe

C:\Program Files\AirPort\APAgent.exe

C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3F2.EXE

C:\Program Files\BitTorrent_DNA\dna.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [EPSON Stylus Photo R310 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3F2.EXE /P30 "EPSON Stylus Photo R310 Series" /O6 "USB001" /M "Stylus Photo R310"

O4 - HKLM\..\Run: [RfwMain] "C:\Program Files\Rising\Rfw\rfwmain.exe" -Startup

O4 - HKLM\..\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system

O4 - HKLM\..\Run: [MenuOrder] C:\Program Files\ICBCPe~1\ICBC\Gemplus(Personal)\MenuOrder\MenuOrder.exe

O4 - HKLM\..\Run: [runeip] "C:\Program Files\Rising\AntiSpyware\rstray.exe" /startup

O4 - HKLM\..\Run: [AirPort Base Station Agent] "C:\Program Files\AirPort\APAgent.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\RunOnce: [KKDelay] C:\Program Files\Rising\AntiSpyware\RunOnce.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [EPSON Stylus Photo R310 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3F2.EXE /P30 "EPSON Stylus Photo R310 Series" /M "Stylus Photo R310" /EF "HKCU"

O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: VeryCD超级搜索 [VeryCD Super Search] - C:\PROGRA~1\yok\yoksch.htm

O8 - Extra context menu item: 使用快车(Flas&hGet)下载 [Download with FlashGet] - C:\Program Files\FlashGet\ComDlls\Bholink.htm

O8 - Extra context menu item: 使用快车(Flash&Get)下载全部链接 [Download all links with FlashGet] - C:\Program Files\FlashGet\ComDlls\Bhoall.htm

O8 - Extra context menu item: 使用迅雷下载 [Download with Thunder (Xunlei)] - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm

O8 - Extra context menu item: 使用迅雷下载全部链接 [Download all links with Thunder] - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java 控制台 [Sun Java Console] - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll

O9 - Extra button: 启动迅雷5 [Launch Thunder 5] - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe (file missing)

O9 - Extra 'Tools' menuitem: 启动迅雷5 [Launch Thunder 5] - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe (file missing)

O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813

O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft.com/fwlink/?LinkId=82580

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll

O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll

O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll

O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll

O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll

O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll

O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll

O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll

O18 - Protocol: ipp - (no CLSID) - (no file)

O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll

O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll

O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll

O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll

O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll

O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll

O18 - Protocol: msdaipp - (no CLSID) - (no file)

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL

O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL

O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll

O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll

O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll

O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll

O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll

O20 - AppInit_DLLs: kmon.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Bonjour 服务 (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod 服务 (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Rising Proxy Service (RfwProxySrv) - Beijing Rising Information Technology Co., Ltd. - c:\program files\rising\rfw\rfwproxy.exe

O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Information Technology Co., Ltd. - c:\program files\rising\rfw\rfwsrv.exe

O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rav\CCenter.exe

O23 - Service: Rising RealTime Monitor (RsRavMon) - Beijing Rising Information Technology Co., Ltd. - C:\PROGRAM FILES\RISING\RAV\Ravmond.exe

--

End of file - 10531 bytes


I instructed you to upload the file in a zipped folder in my instructions. No forum will allow exe files to be uploaded if they have a clue.

Please get this file scanned at Virustotal.com, see http://www.malwarebytes.org/forums/index.p...amp;#entry31125, and post the log results here for me.

Run HJT in scan only and remove these lines below by placing a check next to them and clicking fix.

O9 - Extra button: 启动迅雷5 [Launch Thunder 5] - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe (file missing)

O9 - Extra 'Tools' menuitem: 启动迅雷5 [Launch Thunder 5] - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe (file missing)

O18 - Protocol: ipp - (no CLSID) - (no file)

O20 - AppInit_DLLs: kmon.dll

Reboot and update MBAM.

Please run a quick scan and post that log and a new HJT along with your log from Virus Total.

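Added example (not part of the thread, and not Malwarebytes or Trend Micro code): a small offline parser that applies to HJT log lines the same checks the fix list above applies by hand. It flags autorun entries that name a bare file with no directory (such as stsystra.exe, or the kmon.dll in AppInit_DLLs), entries HJT marks "(file missing)" or "(no file)", and services with no named vendor. The sample lines inside are copied from the logs in this thread; the flag codes and their descriptions are this example's own.

```python
"""Offline triage of HijackThis (HJT) 2.x log lines.

Added example for this thread, not code from the thread, from Malwarebytes
or from Trend Micro. It parses the O4 / O9 / O18 / O20 / O23 line shapes
that appear in the logs above and applies the checks a helper applies by
eye: autorun entries that name a bare file (found through the search order
rather than a fixed path), items HJT marks "(file missing)" or "(no file)",
anything listed in AppInit_DLLs, and services with no named vendor.
"""
from __future__ import annotations

import re

# Constructed sample: a handful of lines copied from the logs in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
O9 - Extra button: Launch Thunder 5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe (file missing)
O18 - Protocol: ipp - (no CLSID) - (no file)
O20 - AppInit_DLLs: kmon.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Rising RealTime Monitor (RsRavMon) - Beijing Rising Information Technology Co., Ltd. - C:\PROGRAM FILES\RISING\RAV\Ravmond.exe
"""

RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<value>.*)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
EXE_RE = re.compile(r"^(.*?\.(?:exe|dll|com|bat|cmd))(?:\s|$)", re.IGNORECASE)

# Flag codes used by this example and what each one means to a responder.
DESCRIPTIONS = {
    "bare-filename": "no directory given; Windows resolves it through the search order, so a same-named file earlier in that order wins",
    "file-missing": "registration points at a file that is no longer on disk (leftover, or removed by a scanner)",
    "appinit-dll": "AppInit_DLLs is loaded into every process that maps user32.dll; verify the DLL's owner before removing it",
    "unknown-vendor": "service binary has no version-info company name; confirm the file by hash or signature",
}


def has_path(name: str) -> bool:
    return "\\" in name or ":" in name


def first_token(cmd: str) -> str:
    """Executable part of an autorun command line, quoted or unquoted."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    if m:
        return m.group(1)
    return cmd.split()[0] if cmd.split() else ""


def flag_line(line: str) -> list[str]:
    """Flag codes that apply to one HJT line (empty list when nothing stands out)."""
    line = line.strip()
    flags: list[str] = []
    if "(file missing)" in line or "(no file)" in line:
        flags.append("file-missing")
    m = RUN_RE.match(line)
    if m:
        if not has_path(first_token(m.group("cmd"))):
            flags.append("bare-filename")
        return flags
    m = APPINIT_RE.match(line)
    if m:
        flags.append("appinit-dll")
        dlls = [d for d in re.split(r"[,\s]+", m.group("value").strip()) if d]
        if any(not has_path(d) for d in dlls):
            flags.append("bare-filename")
        return flags
    m = SERVICE_RE.match(line)
    if m and m.group("vendor").strip().lower() == "unknown owner":
        flags.append("unknown-vendor")
    return flags


def triage(log_text: str) -> list[tuple[str, list[str]]]:
    """All flagged lines of a log, in file order, as (line, flags) pairs."""
    out = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        flags = flag_line(line)
        if flags:
            out.append((line, flags))
    return out


if __name__ == "__main__":
    for line, flags in triage(SAMPLE_LOG):
        print(line)
        for f in flags:
            print(f"    [{f}] {DESCRIPTIONS[f]}")
```

A bare-filename flag is not a verdict: the stsystra.exe entry is the SigmaTel audio tray application named in the line itself, but a bare name means whichever same-named file Windows finds first in the search order is what runs, so confirm the file on disk rather than the registry string.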

Hi Jean

I found something weird while doing a quick scan. When I finished scanning, it said I have a Trojan.Agent with nothing else for the file and reference, so I cleaned it and the log says no infections found. Do you think it's a bug or the work of another malware? Also, I did a VirusTotal scan as you told me and one of the scanners found a virus in the file. Should I delete it? If not, what should I do about the file?

Thank you.

Logs: Malwarebytes' Anti-Malware 1.29

Database version: 1288

Windows 5.1.2600 Service Pack 2

2008-10-19 17:40:30

mbam-log-2008-10-19 (17-40-30).txt

Scan type: Quick Scan

Objects scanned: 77961

Time elapsed: 10 minute(s), 48 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

HJT:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 17:47:59, on 2008-10-19

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Rising\Rav\CCenter.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRAM FILES\RISING\RAV\ravmond.exe

c:\program files\rising\rfw\rfwsrv.exe

c:\program files\rising\rfw\rfwproxy.exe

c:\program files\rising\rfw\rfwstub.exe

C:\PROGRAM FILES\RISING\RAV\RavStub.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\SCardSvr.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\alg.exe

c:\program files\rising\rfw\RfwMain.exe

C:\WINDOWS\stsystra.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3F2.EXE

C:\Program Files\Rising\Rav\RavTask.exe

C:\Program Files\Rising\AntiSpyware\rstray.exe

C:\Program Files\Rising\Rav\Ravmon.exe

C:\Program Files\AirPort\APAgent.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\BitTorrent_DNA\dna.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [EPSON Stylus Photo R310 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3F2.EXE /P30 "EPSON Stylus Photo R310 Series" /O6 "USB001" /M "Stylus Photo R310"

O4 - HKLM\..\Run: [RfwMain] "C:\Program Files\Rising\Rfw\rfwmain.exe" -Startup

O4 - HKLM\..\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system

O4 - HKLM\..\Run: [MenuOrder] C:\Program Files\ICBCPe~1\ICBC\Gemplus(Personal)\MenuOrder\MenuOrder.exe

O4 - HKLM\..\Run: [runeip] "C:\Program Files\Rising\AntiSpyware\rstray.exe" /startup

O4 - HKLM\..\Run: [AirPort Base Station Agent] "C:\Program Files\AirPort\APAgent.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\RunOnce: [KKDelay] C:\Program Files\Rising\AntiSpyware\RunOnce.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [EPSON Stylus Photo R310 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3F2.EXE /P30 "EPSON Stylus Photo R310 Series" /M "Stylus Photo R310" /EF "HKCU"

O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: VeryCD超级搜索 [VeryCD Super Search] - C:\PROGRA~1\yok\yoksch.htm

O8 - Extra context menu item: 使用快车(Flas&hGet)下载 [Download with FlashGet] - C:\Program Files\FlashGet\ComDlls\Bholink.htm

O8 - Extra context menu item: 使用快车(Flash&Get)下载全部链接 [Download all links with FlashGet] - C:\Program Files\FlashGet\ComDlls\Bhoall.htm

O8 - Extra context menu item: 使用迅雷下载 [Download with Thunder (Xunlei)] - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm

O8 - Extra context menu item: 使用迅雷下载全部链接 [Download all links with Thunder] - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java 控制台 [Sun Java Console] - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813

O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft.com/fwlink/?LinkId=82580

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O20 - AppInit_DLLs: kmon.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Bonjour 服务 (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod 服务 (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Rising Proxy Service (RfwProxySrv) - Beijing Rising Information Technology Co., Ltd. - c:\program files\rising\rfw\rfwproxy.exe

O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Information Technology Co., Ltd. - c:\program files\rising\rfw\rfwsrv.exe

O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rav\CCenter.exe

O23 - Service: Rising RealTime Monitor (RsRavMon) - Beijing Rising Information Technology Co., Ltd. - C:\PROGRAM FILES\RISING\RAV\Ravmond.exe

--

End of file - 7811 bytes

VirusTotal:

File Thunder.zip received on 10.19.2008 09:39:31 (CET)

Current status: finished

Result: 1/35 (2.86%)


Antivirus Version Last Update Result

AhnLab-V3 2008.10.18.0 2008.10.18 -

AntiVir 7.9.0.5 2008.10.17 -

Authentium 5.1.0.4 2008.10.19 -

Avast 4.8.1248.0 2008.10.15 -

AVG 8.0.0.161 2008.10.18 -

BitDefender 7.2 2008.10.19 -

CAT-QuickHeal 9.50 2008.10.18 -

ClamAV 0.93.1 2008.10.19 -

DrWeb 4.44.0.09170 2008.10.19 -

eSafe 7.0.17.0 2008.10.16 -

eTrust-Vet 31.6.6154 2008.10.17 -

Ewido 4.0 2008.10.18 -

F-Prot 4.4.4.56 2008.10.19 -

F-Secure 8.0.14332.0 2008.10.19 -

Fortinet 3.113.0.0 2008.10.18 -

GData 19 2008.10.19 -

Ikarus T3.1.1.44.0 2008.10.19 -

K7AntiVirus 7.10.498 2008.10.18 Trojan.Win32.Malware.2

Kaspersky 7.0.0.125 2008.10.19 -

McAfee 5408 2008.10.17 -

Microsoft 1.4005 2008.10.19 -

NOD32 3535 2008.10.18 -

Norman 5.80.02 2008.10.17 -

Panda 9.0.0.4 2008.10.18 -

PCTools 4.4.2.0 2008.10.18 -

Prevx1 V2 2008.10.19 -

Rising 20.66.61.00 2008.10.19 -

SecureWeb-Gateway 6.7.6 2008.10.18 -

Sophos 4.34.0 2008.10.19 -

Sunbelt 3.1.1732.1 2008.10.18 -

Symantec 10 2008.10.19 -

TheHacker 6.3.1.0.119 2008.10.18 -

TrendMicro 8.700.0.1004 2008.10.17 -

ViRobot 2008.10.18.1426 2008.10.18 -

VirusBuster 4.5.11.0 2008.10.18 -

Additional information

File size: 12165 bytes

MD5...: c04ff6f88328182fc65ad58eed840af0

SHA1..: 58e5e7331a9ad08fedae81f315843ec835a100a4

SHA256: 69f58301ee57d6530d9cc2097a78ba56835dd8ea1d57a9f02eae7624f5e47e69

SHA512: 0dd221b8ec80ad872bd7c11df8aed6da140823cd70441330ec9ef3c2632d9a1563537806b5600c0f2dcf0b987db6453be09d8cb82d45f3deb643377e845c5ed6

PEiD..: -

TrID..: File type identification

ZIP compressed archive (100.0%)

PEInfo: -

post-4467-1224409858_thumb.jpg


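Added example (not from the thread or from VirusTotal). The report above is for Thunder.zip, and TrID identifies the submission as a ZIP archive, so the MD5/SHA1/SHA256 values shown identify the archive rather than the executable inside it; re-zipping the same file would give different hashes and a fresh report, and a single generic detection out of 35 engines is weak evidence in either direction. The script parses the plain-text engine table into a detection ratio, tells a ZIP from a PE by its first bytes, and hashes an archive member separately from the archive. The report excerpt, the zip and its "Thunder.exe" member are constructed for the example; the member is a stub with an MZ header, not the real file.

```python
"""Reading a VirusTotal result listing and hashing what was actually submitted.

Added example for this thread, not code from the thread or from VirusTotal.
The helpers parse the 2008-era plain-text engine table into a detection
ratio, distinguish a ZIP archive from a PE file by magic bytes, and hash an
archive member separately from the archive that wraps it. The report excerpt
and the archive built below are constructed, not the real Thunder.zip.
"""
from __future__ import annotations

import hashlib
import io
import re
import zipfile

# Constructed excerpt in the layout VirusTotal printed at the time:
# engine, engine version, signature date, result ("-" means no detection).
SAMPLE_REPORT = """\
Antivirus Version Last Update Result
AhnLab-V3 2008.10.18.0 2008.10.18 -
AntiVir 7.9.0.5 2008.10.17 -
K7AntiVirus 7.10.498 2008.10.18 Trojan.Win32.Malware.2
Kaspersky 7.0.0.125 2008.10.19 -
Microsoft 1.4005 2008.10.19 -
Symantec 10 2008.10.19 -
"""

DATE_RE = re.compile(r"^\d{4}\.\d{2}\.\d{2}$")

# Stand-in for an archive member: a bare DOS header with e_lfanew = 64 followed
# by a "PE\0\0" signature. Constructed; it is not a working executable.
FAKE_EXE = (b"MZ" + bytes(58) + (64).to_bytes(4, "little") + b"PE\0\0"
            + b"constructed stand-in, not the real Thunder.exe")


def parse_report(text: str) -> list[tuple[str, str | None]]:
    """(engine, detection name or None) per engine row; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not DATE_RE.match(parts[-2]):
            continue
        result = parts[-1]
        rows.append((parts[0], None if result == "-" else result))
    return rows


def detection_ratio(text: str) -> tuple[int, int]:
    """(engines that detected, engines that scanned), like VT's "Result: 1/35"."""
    rows = parse_report(text)
    return sum(1 for _, r in rows if r), len(rows)


def detecting_engines(text: str) -> list[str]:
    return [eng for eng, r in parse_report(text) if r]


def identify(data: bytes) -> str:
    """File type from magic bytes: ZIP local-file header or PE/DOS 'MZ' stub."""
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[:2] == b"MZ":
        return "pe"
    return "unknown"


def digests(data: bytes) -> dict[str, str]:
    """The three digests VT listed, so a local file can be matched to a report."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def build_zip(member_name: str, payload: bytes) -> bytes:
    """Deterministic in-memory zip with one stored member and a fixed timestamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo(member_name, date_time=(2008, 10, 19, 9, 39, 30))
        zf.writestr(info, payload)
    return buf.getvalue()


def extract_members(zip_bytes: bytes) -> dict[str, bytes]:
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


if __name__ == "__main__":
    hits, total = detection_ratio(SAMPLE_REPORT)
    print(f"Result: {hits}/{total}  detecting engines: {detecting_engines(SAMPLE_REPORT)}")
    archive = build_zip("Thunder.exe", FAKE_EXE)
    print("submitted:", identify(archive), digests(archive)["sha256"])
    for name, data in extract_members(archive).items():
        # The member's hash is the one to look up; the archive's hash is unique to this zip.
        print("member:   ", identify(data), digests(data)["sha256"], name)
```

When asking for a second opinion on a file, hash the extracted executable and look that hash up; the archive's hash will never match anyone else's submission of the same file.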

Yes delete what MBAM finds.

Run HJT again and remove this line as before

O20 - AppInit_DLLs: kmon.dll

Reboot, update MBAM, scan again and post that log. If nothing is found, that's good; if it removes something again, post a new HJT log please. I need some sleep... I'll check back later.

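Added example (not from the thread, HijackThis or Microsoft), for the O20 line above. On Windows XP, user32.dll reads HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs and loads each listed DLL into every process that maps user32.dll. A value such as kmon.dll carries no path, so each process resolves it through its own DLL search order, beginning with the process's own directory. The script models the XP SP2 order (SafeDllSearchMode on) against a constructed list of file locations and reads the live registry value only when run on Windows. The file locations, including the planted copy under BitTorrent_DNA, are constructed for the illustration and are not a claim about the machine in the thread.

```python
"""How a bare AppInit_DLLs name such as "kmon.dll" is located at load time.

Added example for this thread, not code from the thread, HijackThis or
Microsoft. A DLL name without a path is found through the ordinary DLL
search order of *each* process that loads it, so one registry value can
load different files in different programs. search_order() models the
Windows XP SP2 order; resolve() walks it against a constructed file list;
read_live_value() reads the real registry value only on a Windows host.
"""
from __future__ import annotations

import ntpath
import re

WINDIR = r"C:\WINDOWS"

# Constructed: one copy in System32 and a hypothetical planted copy in an
# application directory. Neither location is taken from the thread's logs.
CONSTRUCTED_FILES = {
    r"C:\WINDOWS\system32\kmon.dll",
    r"C:\Program Files\BitTorrent_DNA\kmon.dll",
}


def parse_value(value: str) -> list[str]:
    """AppInit_DLLs holds a space- or comma-separated list of DLL names."""
    return [d for d in re.split(r"[,\s]+", value.strip()) if d]


def search_order(app_dir: str, cwd: str, path_dirs: list[str], safe_search: bool = True) -> list[str]:
    """Directories LoadLibrary tries, in order, for a name given without a path.

    With SafeDllSearchMode on (the XP SP2 default) the current directory is
    searched after the system directories; with it off it comes second.
    """
    system32 = ntpath.join(WINDIR, "system32")
    system16 = ntpath.join(WINDIR, "system")
    if safe_search:
        order = [app_dir, system32, system16, WINDIR, cwd]
    else:
        order = [app_dir, cwd, system32, system16, WINDIR]
    return order + list(path_dirs)


def resolve(dll: str, order: list[str], present: set[str]) -> str | None:
    """First existing candidate (case-insensitive), or None when nothing matches."""
    present_lc = {p.lower() for p in present}
    if "\\" in dll or ":" in dll:          # an explicit path is used as-is
        return dll if dll.lower() in present_lc else None
    for directory in order:
        candidate = ntpath.join(directory, dll)
        if candidate.lower() in present_lc:
            return candidate
    return None


def read_live_value() -> str | None:
    """The real AppInit_DLLs string on a Windows host; None on other systems."""
    try:
        import winreg
    except ImportError:
        return None
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows")
    try:
        value, _ = winreg.QueryValueEx(key, "AppInit_DLLs")
    finally:
        winreg.CloseKey(key)
    return value


if __name__ == "__main__":
    value = read_live_value() or "kmon.dll"   # offline: fall back to the value from the thread
    cwd = r"C:\Documents and Settings\User"    # constructed
    path_dirs = [r"C:\WINDOWS\system32", r"C:\WINDOWS"]
    # The same value resolves differently depending on which program is starting.
    for app_dir in (r"C:\Program Files\Internet Explorer", r"C:\Program Files\BitTorrent_DNA"):
        for dll in parse_value(value):
            hit = resolve(dll, search_order(app_dir, cwd, path_dirs), CONSTRUCTED_FILES)
            print(f"{ntpath.basename(app_dir):20} {dll:12} -> {hit}")
```

If HJT clears this entry and it comes back, something running on the machine is writing it again; security products commonly register their own hook DLLs this way, so locate the file the name resolves to, check its version information and publisher, and decide on the file rather than on the registry string.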

Hi Jean

I'm sure I selected O20 - AppInit_DLLs: kmon.dll and pressed Fix Check, but when I scan again, O20 - AppInit_DLLs: kmon.dll is still there. Do you think it's malware? Also, when I found a Trojan.Agent using MBAM, there is always an error that pops up. When I click the "remove selected" button, it doesn't show the virus and the action taken in the log. Also, when I found the Trojan.Agent, MBAM didn't show the file name and reference. When I use MBAM quick scan, it shows the same thing, Trojan.Agent without the file name and reference. Also, when I go to the quarantine section, it pops up another error message. I already uploaded a screenshot in my last post. I wonder if you can check the picture and my logs from my last post. The error code that keeps popping up when I find a virus is "error code: 731 (0,6)", and the error code for the quarantine section is "724 (0, 6)". By the way, a few days ago, when I opened MBAM, there was an error message that said "failure to upload database" and I couldn't open the program. So I uninstalled it and installed another one.

Thank you for your time.

Logs:

Malwarebytes' Anti-Malware 1.29

Database version: 1299

Windows 5.1.2600 Service Pack 2

2008-10-21 17:09:50

mbam-log-2008-10-21 (17-09-50).txt

Scan type: Quick Scan

Objects scanned: 82040

Time elapsed: 16 minute(s), 9 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

HJT:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 17:10:32, on 2008-10-21

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Rising\Rav\CCenter.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRAM FILES\RISING\RAV\ravmond.exe

c:\program files\rising\rfw\rfwsrv.exe

c:\program files\rising\rfw\rfwproxy.exe

c:\program files\rising\rfw\rfwstub.exe

C:\PROGRAM FILES\RISING\RAV\RavStub.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\SCardSvr.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

c:\program files\rising\rfw\RfwMain.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\WINDOWS\stsystra.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3F2.EXE

C:\Program Files\Rising\Rav\RavTask.exe

C:\Program Files\Rising\Rav\Ravmon.exe

C:\Program Files\Rising\AntiSpyware\rstray.exe

C:\Program Files\AirPort\APAgent.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\BitTorrent_DNA\dna.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\FirstClass\fcc32.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Windows Live\Messenger\usnsvc.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [EPSON Stylus Photo R310 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3F2.EXE /P30 "EPSON Stylus Photo R310 Series" /O6 "USB001" /M "Stylus Photo R310"

O4 - HKLM\..\Run: [RfwMain] "C:\Program Files\Rising\Rfw\rfwmain.exe" -Startup

O4 - HKLM\..\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system

O4 - HKLM\..\Run: [MenuOrder] C:\Program Files\ICBCPe~1\ICBC\Gemplus(Personal)\MenuOrder\MenuOrder.exe

O4 - HKLM\..\Run: [runeip] "C:\Program Files\Rising\AntiSpyware\rstray.exe" /startup

O4 - HKLM\..\Run: [AirPort Base Station Agent] "C:\Program Files\AirPort\APAgent.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\RunOnce: [KKDelay] C:\Program Files\Rising\AntiSpyware\RunOnce.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [EPSON Stylus Photo R310 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3F2.EXE /P30 "EPSON Stylus Photo R310 Series" /M "Stylus Photo R310" /EF "HKCU"

O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: VeryCD超级搜索 - C:\PROGRA~1\yok\yoksch.htm

O8 - Extra context menu item: 使用快车(Flas&hGet)下载 - C:\Program Files\FlashGet\ComDlls\Bholink.htm

O8 - Extra context menu item: 使用快车(Flash&Get)下载全部链接 - C:\Program Files\FlashGet\ComDlls\Bhoall.htm

O8 - Extra context menu item: 使用迅雷下载 - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm

O8 - Extra context menu item: 使用迅雷下载全部链接 - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java 控制台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813

O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft.com/fwlink/?LinkId=82580

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O20 - AppInit_DLLs: kmon.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Bonjour 服务 (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod 服务 (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Rising Proxy Service (RfwProxySrv) - Beijing Rising Information Technology Co., Ltd. - c:\program files\rising\rfw\rfwproxy.exe

O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Information Technology Co., Ltd. - c:\program files\rising\rfw\rfwsrv.exe

O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rav\CCenter.exe

O23 - Service: Rising RealTime Monitor (RsRavMon) - Beijing Rising Information Technology Co., Ltd. - C:\PROGRAM FILES\RISING\RAV\Ravmond.exe

--

End of file - 7759 bytes
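As an added example (not from this thread, and not Malwarebytes or HijackThis code), here is a small Python triage script for the HijackThis log format posted above: it parses the O4, O20 and O23 line formats and flags the entries a responder looks at first, including the O20 AppInit_DLLs entry the poster asked about. The sample lines are copied from the log above; the flagging rules are my own and mark items to verify (hash lookup, publisher check), not verdicts.

```python
import re

# Constructed sample: a few lines copied from the HJT log posted above.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [ATIPTA] C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe
O4 - HKLM\\..\\Run: [sigmatelSysTrayApp] stsystra.exe
O20 - AppInit_DLLs: kmon.dll
O23 - Service: ATI Smart - Unknown owner - C:\\WINDOWS\\system32\\ati2sgag.exe
O23 - Service: Rising RealTime Monitor (RsRavMon) - Beijing Rising Information Technology Co., Ltd. - C:\\PROGRAM FILES\\RISING\\RAV\\Ravmond.exe
"""

# One regex per HJT section handled here; named groups are the fields of that line format.
PATTERNS = {
    "O4": re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"),
    "O20": re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$"),
}

def parse_hjt(text):
    """Return (section, fields) tuples for every line in a section this parser understands."""
    entries = []
    for line in text.splitlines():
        for section, pattern in PATTERNS.items():
            m = pattern.match(line.strip())
            if m:
                entries.append((section, m.groupdict()))
                break
    return entries

def has_directory(cmd):
    """True when the executable part of a Run command carries a directory component."""
    exe = cmd.split('"')[1] if cmd.startswith('"') else cmd.split()[0]
    return "\\" in exe

def triage(entries):
    """Flag entries worth verifying first; returns (section, subject, reason) tuples."""
    findings = []
    for section, f in entries:
        if section == "O20":
            # AppInit_DLLs is loaded into every process that maps user32.dll, so any
            # DLL listed here is a persistence point; a bare name is found via DLL search order.
            findings.append((section, f["dlls"], "AppInit_DLLs entry, verify the DLL"))
        elif section == "O4" and not has_directory(f["cmd"]):
            findings.append((section, f["name"], "Run entry without a directory, resolved via search path"))
        elif section == "O23" and f["owner"] == "Unknown owner":
            findings.append((section, f["name"], "service binary has no identified publisher"))
    return findings

if __name__ == "__main__":
    for section, subject, reason in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{section}: {subject} -> {reason}")
```

On the sample above it flags the O20 kmon.dll entry, the directory-less sigmatelSysTrayApp Run entry (which the running-process list resolves to C:\WINDOWS\stsystra.exe) and the "Unknown owner" ATI Smart service, while leaving the fully-pathed Rising service alone.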


Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply to your machine. Please start a thread of your own and someone will be happy to help you.
