What could be the problems??

[punkmaedel]

Hi! I think I'm having a serious computer problem.

I have two user accounts, one is admin, another is guest. When I use my admin account, 90% of time I cannot open any folder, or the comp would just crash down. But I never have such a prob when I use my guest account. Plus, when it crashed, I logged out, then during it, it showed black screen.

Another weird thing is that sometimes on startup, there'd be an extra iron along with msn messenger iron, which is black and in shape of a paper file, when I close it, msn is closed, too!

I really hope there's some solution without reinstallation!

I'd appreciate if there's someone to help me! Thanks!

 

[cohen]

If after that you are still infected, please post a Hijackthis log. To post a Hijackthis log, please do the following:
Click Here to download HJTsetup.exe


* Save HJTsetup.exe to your desktop.
* Double click on the HJTsetup.exe icon on your desktop.
* By default it will install to C:\Program Files\Hijack This.
* Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
* Put a check by Create a desktop icon then click Next again.
* Continue to follow the rest of the prompts from there.
* At the final dialogue box click Finish and it will launch Hijack This.
* Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
* Click Save to save the log file and then the log will open in notepad.
* Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
* DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


We will look at your log as soon as we see it, and give you further instructions on how to fix your computer. Most of the time it will involve downloading more programs that will either give us logs to locate the malware or delete those malware.

Once you have posted a HJT Thread DO NOT make any changes to your PC unless the advisor helping you has instructed you to do so!

 

[punkmaedel]

Ok, I'll do as you said and will let you know later. Thank you!

 

[punkmaedel]

Ok, so, here's the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:34:49, on 25.08.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Rising\Rav\CCenter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRAM FILES\RISING\RAV\ravmond.exe
C:\Program Files\Rising\Rfw\rfwsrv.exe
C:\Program Files\Rising\Rfw\rfwProxy.exe
C:\Program Files\Rising\Rfw\rfwstub.exe
C:\PROGRAM FILES\RISING\RAV\RavStub.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Rising\Rfw\RfwMain.exe
C:\PROGRAM FILES\RISING\RAV\RavMon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Rising\Rav\RavTask.exe
C:\Program Files\360safe\safemon\360Tray.exe
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
C:\Program Files\Lexmark 2300 Series\ezprint.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\360Safebox\safeboxTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
F:\POP Peeper\POPPeeper.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\TheWorld 2.0\TheWorld.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
E:\eMule\emule.exe
C:\Program Files\FlashGet\FlashGet.exe
C:\Program Files\LingoPad\LingoPad.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\system32\calc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\LuckyStar\桌面\HiJackThis.exe

R3 - URLSearchHook: Deutschland Radio Toolbar - {2069a8c8-fad1-424b-b76c-d7f33d77dc4c} -

C:\Program Files\Deutschland_Radio\tbDeu1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Deutschland Radio Toolbar - {2069a8c8-fad1-424b-b76c-d7f33d77dc4c} - C:\Program

Files\Deutschland_Radio\tbDeu1.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program

Files\FlashGet\jccatch.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1

\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program

Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program

Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: SafeMon Class - {B69F34DD-F0F9-42DC-9EDD-957187DA688D} - C:\Program

Files\360safe\safemon\safemon.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program

Files\FlashGet\getflash.dll
O3 - Toolbar: Deutschland Radio Toolbar - {2069a8c8-fad1-424b-b76c-d7f33d77dc4c} -

C:\Program Files\Deutschland_Radio\tbDeu1.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1

\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RfwMain] "C:\Program Files\Rising\Rfw\rfwmain.exe" -Startup
O4 - HKLM\..\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKLM\..\Run: [360Safetray] C:\Program Files\360safe\safemon\360Tray.exe /start
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3

\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [360Safebox] "C:\Program Files\360Safebox\safeboxTray.exe" /r
O4 - HKLM\..\Run: [MyWebSearch Plugin] rundll32 C:\PROGRA~1\MYWEBS~1

\bar\1.bin\M3PLUGIN.DLL,UPF
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe"

/RANDOM
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\RunOnce: [NetFxUpdate_v1.1.4322] "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322

\netfxupdate.exe" 0 v1.1.4322 GAC + NI NID
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe"

/background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program

Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search &

Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL

SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32

\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK

SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32

\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-2529868661-3747249569-342887970-501\..\Run: [ctfmon.exe]

C:\WINDOWS\system32\ctfmon.exe (User 'Guest')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32

\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32

\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O8 - Extra context menu item: &Search - ?p=ZJman000
O8 - Extra context menu item: &使用快车(FlashGet)下载 - C:\Program

Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &使用快车(FlashGet)下载全部链接 - C:\Program

Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Add to QQ Customized Emoticons - C:\Program

Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: Add to QQ Customized Panel - C:\Program

Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: Add to QQ Emotions - C:\Program

Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: Send picture by MMS - C:\Program Files\Tencent\QQ\SendMMS.htm
O8 - Extra context menu item: Send Picture with QQ MMS - C:\Program

Files\Tencent\QQ\SendMMS.htm
O8 - Extra context menu item: Upload to QQ Network Hard Disk - C:\Program

Files\Tencent\QQ\AddToNetDisk.htm
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1

\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java ??? - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: ?ì3μ - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program

Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: ?ì3μ(FlashGet) - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} -

C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program

Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4

-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6

\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program

Files\ICQ6\ICQ.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) -

http://www4.snapfish.de/SnapfishActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -

http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?

1205473541390
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) -

http://punkmaedel.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) -

http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) -

http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8A984A6-3031-4E10-9968-C0627F22C958}: NameServer =

202.109.15.135 202.96.209.134
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1

\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company -

C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: lxcg_device - Unknown owner - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1

\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common

Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Rising Proxy Service (RfwProxySrv) - Beijing Rising Information Technology

Co., Ltd. - C:\Program Files\Rising\Rfw\rfwProxy.exe
O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Information

Technology Co., Ltd. - C:\Program Files\Rising\Rfw\rfwsrv.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Information

Technology Co., Ltd. - C:\Program Files\Rising\Rav\CCenter.exe
O23 - Service: Rising RealTime Monitor (RsRavMon) - Beijing Rising Information Technology

Co., Ltd. - C:\PROGRAM FILES\RISING\RAV\Ravmond.exe

--
End of file - 10937 bytes


Hm, there're some Chinese words I think I'd better translate?
桌面 = Desktop
下载 = Download
下载全部链接 = Download all the links
导出到 = Export to
添加到QQ表情 = Add QQ Smileys


I'd appreciate your help!!

 

[punkmaedel]

Ok, so, here's the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:34:49, on 25.08.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Rising\Rav\CCenter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRAM FILES\RISING\RAV\ravmond.exe
C:\Program Files\Rising\Rfw\rfwsrv.exe
C:\Program Files\Rising\Rfw\rfwProxy.exe
C:\Program Files\Rising\Rfw\rfwstub.exe
C:\PROGRAM FILES\RISING\RAV\RavStub.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Rising\Rfw\RfwMain.exe
C:\PROGRAM FILES\RISING\RAV\RavMon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Rising\Rav\RavTask.exe
C:\Program Files\360safe\safemon\360Tray.exe
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
C:\Program Files\Lexmark 2300 Series\ezprint.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\360Safebox\safeboxTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
F:\POP Peeper\POPPeeper.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\TheWorld 2.0\TheWorld.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
E:\eMule\emule.exe
C:\Program Files\FlashGet\FlashGet.exe
C:\Program Files\LingoPad\LingoPad.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\system32\calc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\LuckyStar\桌面\HiJackThis.exe

R3 - URLSearchHook: Deutschland Radio Toolbar - {2069a8c8-fad1-424b-b76c-d7f33d77dc4c} -

C:\Program Files\Deutschland_Radio\tbDeu1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Deutschland Radio Toolbar - {2069a8c8-fad1-424b-b76c-d7f33d77dc4c} - C:\Program

Files\Deutschland_Radio\tbDeu1.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program

Files\FlashGet\jccatch.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1

\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program

Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program

Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: SafeMon Class - {B69F34DD-F0F9-42DC-9EDD-957187DA688D} - C:\Program

Files\360safe\safemon\safemon.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program

Files\FlashGet\getflash.dll
O3 - Toolbar: Deutschland Radio Toolbar - {2069a8c8-fad1-424b-b76c-d7f33d77dc4c} -

C:\Program Files\Deutschland_Radio\tbDeu1.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1

\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RfwMain] "C:\Program Files\Rising\Rfw\rfwmain.exe" -Startup
O4 - HKLM\..\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKLM\..\Run: [360Safetray] C:\Program Files\360safe\safemon\360Tray.exe /start
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3

\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [360Safebox] "C:\Program Files\360Safebox\safeboxTray.exe" /r
O4 - HKLM\..\Run: [MyWebSearch Plugin] rundll32 C:\PROGRA~1\MYWEBS~1

\bar\1.bin\M3PLUGIN.DLL,UPF
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe"

/RANDOM
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\RunOnce: [NetFxUpdate_v1.1.4322] "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322

\netfxupdate.exe" 0 v1.1.4322 GAC + NI NID
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe"

/background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program

Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search &

Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL

SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32

\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK

SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32

\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-2529868661-3747249569-342887970-501\..\Run: [ctfmon.exe]

C:\WINDOWS\system32\ctfmon.exe (User 'Guest')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32

\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32

\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O8 - Extra context menu item: &Search - ?p=ZJman000
O8 - Extra context menu item: &使用快车(FlashGet)下载 - C:\Program

Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &使用快车(FlashGet)下载全部链接 - C:\Program

Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Add to QQ Customized Emoticons - C:\Program

Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: Add to QQ Customized Panel - C:\Program

Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: Add to QQ Emotions - C:\Program

Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: Send picture by MMS - C:\Program Files\Tencent\QQ\SendMMS.htm
O8 - Extra context menu item: Send Picture with QQ MMS - C:\Program

Files\Tencent\QQ\SendMMS.htm
O8 - Extra context menu item: Upload to QQ Network Hard Disk - C:\Program

Files\Tencent\QQ\AddToNetDisk.htm
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1

\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java ??? - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: ?ì3μ - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program

Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: ?ì3μ(FlashGet) - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} -

C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program

Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4

-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6

\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program

Files\ICQ6\ICQ.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) -

http://www4.snapfish.de/SnapfishActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -

http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?

1205473541390
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) -

http://punkmaedel.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) -

http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) -

http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8A984A6-3031-4E10-9968-C0627F22C958}: NameServer =

202.109.15.135 202.96.209.134
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1

\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company -

C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: lxcg_device - Unknown owner - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1

\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common

Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Rising Proxy Service (RfwProxySrv) - Beijing Rising Information Technology

Co., Ltd. - C:\Program Files\Rising\Rfw\rfwProxy.exe
O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Information

Technology Co., Ltd. - C:\Program Files\Rising\Rfw\rfwsrv.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Information

Technology Co., Ltd. - C:\Program Files\Rising\Rav\CCenter.exe
O23 - Service: Rising RealTime Monitor (RsRavMon) - Beijing Rising Information Technology

Co., Ltd. - C:\PROGRAM FILES\RISING\RAV\Ravmond.exe

--
End of file - 10937 bytes


Hm, there're some Chinese words I think I'd better translate?
桌面 = Desktop
下载 = Download
下载全部链接 = Download all the links
导出到 = Export to
添加到QQ表情 = Add QQ Smileys


I'd appreciate your help!!

 

[cohen]

Hello,

Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.

• Download this file from one of the three below listed places :
  
  http://download.bleepingcomputer.com/sUBs/ComboFix.exe
  http://www.forospyware.com/sUBs/ComboFix.exe
  http://subs.geekstogo.com/ComboFix.exe
  
• Then double click combofix.exe & follow the prompts.
• When finished, it shall produce a log for you. Post that log in your next reply

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

In your reply:

• Post the combo fix log
• Post a Fresh Hijackthis log

Thankyou

 

[ceewi1]

Before posting any further logs please turn off Word Wrap in Notepad by clicking on the Format menu and unchecking Word Wrap. Logs with Word Wrap on are very difficult to read.