Post #31 - Nov 15 2008, 12:35 PM - Malware Expert (Group: HJT Team, Posts: 15,582, Joined: 23-December 04, From: Pickerington, Ohio, Member No.: 7,762)
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Please post the contents of the log from DrWeb and a new ComboFix log in your next reply.

--------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware. Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
========================================================
Post #32 - Nov 16 2008, 08:22 AM - Member (Paul61112002; Group: Members, Posts: 44, Joined: 1-November 08, Member No.: 251,993)
I am sorry. When the Dr.Web software asked me to install it, I pressed the button and the message "The archive is either in unknown format or damaged" was shown. Therefore I can't use Dr.Web.

ComboFix 08-11-12.02 - Ken 2008-11-16 20:54:32.10 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.950.886.1028.18.553 [GMT 8:00]
Running from: c:\documents and settings\Ken\桌面\ComboFix.exe
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Deleted Files )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Ken\Application Data\dach100.dll
c:\windows\IE4 Error Log.txt
.
((((((((((((((((((((((((( Files Created from 2008-10-16 to 2008-11-16 )))))))))))))))))))))))))))))))
.
2008-11-15 21:05 . 2008-11-16 20:46 66 --a------ c:\windows\anticrash.dat
2008-11-15 21:05 . 2008-11-16 20:46 61 --a------ c:\windows\hare.dat
2008-11-15 21:05 . 2008-11-16 20:46 60 --a------ c:\windows\zoom.dat
2008-11-15 09:43 . 2008-11-15 09:43 <DIR> d-------- C:\_OTMoveIt
2008-11-11 23:25 . 2008-11-11 23:25 <DIR> d-------- c:\windows\ERUNT
2008-11-11 23:19 . 2008-11-11 23:44 <DIR> d-------- C:\SDFix
2008-11-10 23:54 . 2008-11-10 23:54 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-10 23:54 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-10 23:54 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-10 23:23 . 2008-11-10 23:23 <DIR> d-------- c:\documents and settings\Ken\Application Data\Malwarebytes
2008-11-10 23:23 . 2008-11-10 23:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-09 00:27 . 2008-11-16 19:26 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-09 00:27 . 2008-11-09 00:27 1,409 --a------ c:\windows\QTFont.for
2008-11-01 06:40 . 2008-11-01 06:40 <DIR> d-------- c:\windows\dell
2008-11-01 06:40 . 2008-11-10 23:26 1,071,837,184 --a------ c:\windows\MEMORY.DMP
2008-11-01 00:10 . 2008-11-01 00:10 <DIR> d-------- c:\documents and settings\Ken\Application Data\Talkback
2008-10-31 23:35 . 2008-11-01 00:35 <DIR> d-------- c:\documents and settings\Lee Chi Ho
2008-10-31 23:24 . 2004-08-12 18:00 41,600 --a--c--- c:\windows\system32\dllcache\weitekp9.dll
2008-10-31 23:24 . 2004-08-12 18:00 31,232 --a--c--- c:\windows\system32\dllcache\weitekp9.sys
2008-10-31 23:22 . 2004-08-12 18:00 111,104 --a--c--- c:\windows\system32\dllcache\mtstocom.exe
2008-10-31 23:21 . 2004-08-12 18:00 331,264 --a--c--- c:\windows\system32\dllcache\aqueue.dll
2008-10-31 23:20 . 2004-05-13 00:39 876,653 --a--c--- c:\windows\system32\dllcache\fp4awel.dll
2008-10-31 23:18 . 2008-10-31 23:18 749 -rah----- c:\windows\WindowsShell.Manifest
2008-10-31 23:18 . 2008-10-31 23:18 749 -rah----- c:\windows\system32\wuaucpl.cpl.manifest
2008-10-31 23:18 . 2008-10-31 23:18 749 -rah----- c:\windows\system32\sapi.cpl.manifest
2008-10-31 23:18 . 2008-10-31 23:18 749 -rah----- c:\windows\system32\ncpa.cpl.manifest
2008-10-31 23:18 . 2008-10-31 23:18 488 -rah----- c:\windows\system32\logonui.exe.manifest
2008-10-31 23:17 . 2004-08-12 18:00 16,384 --a--c--- c:\windows\system32\dllcache\isignup.exe
.
(((((((((((((((((((((((((((((((((((((((( Files Modified Within the Last Three Months ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-15 16:09 --------- d-----w c:\program files\Common Files\Adobe
2008-11-14 14:30 --------- d-----w c:\program files\ESET
2008-10-31 16:20 --------- d-----w c:\program files\Spyware Doctor
2008-10-03 18:18 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-07-27 16:50 0 ----a-w c:\documents and settings\Ken\jagex_runescape_preferences.dat
2007-03-03 16:45 686 ----a-w c:\documents and settings\Ken\清除系統LJ.bat
.
((((((((((((((((((((((((((((( snapshot_2008-11-01_ 0.31.32.60 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-07 07:27:04 163,328 ----a-w c:\windows\ERUNT\SDFIX\ERDNT.EXE
+ 2008-11-11 15:25:46 10,629,120 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-11-11 15:25:47 3,067,904 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-08-07 07:27:04 163,328 ----a-w c:\windows\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-11-11 15:25:27 10,629,120 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-11-11 15:25:28 3,067,904 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2008-06-03 19:29:55 29,926 ----a-r c:\windows\Installer\{6560D90C-5223-49A3-B78C-A48C31EAEC56}\MsblIco.Exe
+ 2008-11-01 14:27:04 29,926 ----a-r c:\windows\Installer\{6560D90C-5223-49A3-B78C-A48C31EAEC56}\MsblIco.Exe
+ 2008-11-15 16:10:27 295,606 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1028-7B44-A81300000003}\SC_Reader.exe
- 2006-07-04 13:07:00 3,522 ----a-w c:\windows\pchealth\helpctr\PackageStore\SkuStore.bin
+ 2008-11-05 12:25:58 3,702 ----a-w c:\windows\pchealth\helpctr\PackageStore\SkuStore.bin
+ 2008-11-16 12:44:48 16,384 ----atw c:\windows\temp\Perflib_Perfdata_2ec.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and legitimate default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-12 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-15 1695232]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2007-08-30 205480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2006-05-03 98304]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2007-08-28 73728]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-07-14 180269]
"Ulead AutoDetector v2"="c:\program files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2005-05-23 90112]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-12 208952]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2007-08-30 205480]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-02-04 949376]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-12-10 133016]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-12 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-12 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-12 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-12 455168]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2004-08-12 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-12 44544]

c:\documents and settings\Ken\「開始」功能表\程式集\啟動\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
AntiCrash.lnk - c:\program files\Dachshund Software\AntiCrash\AntiCrash.exe [2002-12-17 2301798]
Hare.lnk - c:\program files\Dachshund Software\Hare\Hare.exe [2002-09-21 1874381]
OAhotkey.lnk - c:\epdoa\OAHotkey.EXE [2007-07-26 491008]
Zoom.lnk - c:\program files\Dachshund Software\Zoom\Zoom.exe [2002-09-21 1446302]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Thunder Network\\Thunder\\Program\\Thunder5.exe"=
"c:\\Program Files\\Kingsoft\\PowerWord 2006\\XDICT.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\YouBe Casual Network\\YouBe.exe"=
"c:\\Program Files\\SpeedBit Video Accelerator\\VideoAccelerator.exe"=
"c:\\Program Files\\SpeedBit Video Accelerator\\VideoAcceleratorEngine.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 myxlljjp;myxlljjp;c:\windows\system32\DRIVERS\myxlljjp.sys [2007-06-19 11192]
R0 vzchp;vzchp;c:\windows\system32\drivers\vzchp.sys [2008-04-15 28384]
R2 sbbotdi;sbbotdi;c:\progra~1\SPEEDB~1\sbbotdi.sys [2007-06-05 34304]
S3 CENIXFMC;Cenix Digicom Digital Voice Recorder Service;c:\windows\system32\Drivers\CENIXFMC.sys [2002-10-07 18660]
S3 hid7906;hid7906;c:\windows\system32\drivers\hid7906.sys [2006-06-28 53793]
S3 IPvE;IPvE Adapter Driver;c:\windows\system32\DRIVERS\IPvE.sys [2008-06-29 14144]
S3 p2pgasvc;Peer Networking Group Authentication;c:\windows\system32\svchost.exe [2004-08-12 14336]
S3 p2pimsvc;Peer Networking Identity Manager;c:\windows\system32\svchost.exe [2004-08-12 14336]
S3 p2psvc;Peer Networking;c:\windows\system32\svchost.exe [2004-08-12 14336]
S3 PNRPSvc;Peer Name Resolution Protocol;c:\windows\system32\svchost.exe [2004-08-12 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder

2008-11-16 c:\windows\Tasks\查看 Windows Live Toolbar 的更新資訊.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Ken\Application Data\Mozilla\Firefox\Profiles\a4sjxaq1.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com.hk/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-16 20:59:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: c:\windows\system32\lsass.exe
-> c:\program files\Eset\pr_imon.dll
.
Completion time: 2008-11-16 21:00:58
ComboFix-quarantined-files.txt 2008-11-16 13:00:12
ComboFix2.txt 2008-11-14 14:27:22
ComboFix3.txt 2008-11-10 15:49:30
ComboFix4.txt 2008-11-04 14:54:10
ComboFix5.txt 2008-11-16 12:53:59

Pre-Run: 104,036,626,432 bytes free
Post-Run: 104,027,226,112 bytes free

163 --- E O F --- 2008-10-24 12:58:10

This post has been edited by Paul61112002: Nov 16 2008, 08:24 AM
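The autostart, firewall and driver sections of a ComboFix log like the one above are the lines a helper reads first. The Python script below is an added example, not part of this thread and not ComboFix's own code: it parses the REGEDIT4-style Run keys, the firewall AuthorizedApplications and GloballyOpenPorts lists, the R0/R2/S3 driver lines and the Security Center DisableMonitoring value, and returns the entries worth reviewing. SAMPLE_LOG is a constructed excerpt modelled on the posted log, and the review heuristics (a Run target marked [X], monitoring set to 1, a globally open port, a boot-start driver whose name is vowel-less and has no separate display name) are the example's own assumptions; a flagged line means "check it", not "this is malware".

```python
"""Triage the autostart, firewall and driver sections of a ComboFix log.
Added example, not ComboFix's own code; SAMPLE_LOG is a constructed excerpt
modelled on the posted log and the review heuristics are this example's own."""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-02-04 949376]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Thunder Network\\Thunder\\Program\\Thunder5.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 myxlljjp;myxlljjp;c:\windows\system32\DRIVERS\myxlljjp.sys [2007-06-19 11192]
R0 vzchp;vzchp;c:\windows\system32\drivers\vzchp.sys [2008-04-15 28384]
R2 sbbotdi;sbbotdi;c:\progra~1\SPEEDB~1\sbbotdi.sys [2007-06-05 34304]
S3 p2psvc;Peer Networking;c:\windows\system32\svchost.exe [2004-08-12 14336]
"""


@dataclass
class RunEntry:
    key: str      # registry key the value lives under
    name: str
    command: str
    stamp: str    # "YYYY-MM-DD size" of the target, or "X" when ComboFix could not find it


@dataclass
class Driver:
    start: str    # R0 boot-start/running, R2 auto/running, S3 manual/stopped
    name: str
    display: str
    path: str


KEY_RE = re.compile(r"^\[(.+)\]$")
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[(.*)\]$')
APP_RE = re.compile(r'^"(.+)"=\s*$')
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=')
DRV_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[.*\]$")
DWORD_RE = re.compile(r'^"(\w+)"=dword:([0-9a-fA-F]{8})$')


def parse_log(text):
    """Walk the log line by line, tracking the current [key] of the REGEDIT4 block."""
    runs, apps, ports, drivers, dwords = [], [], [], [], {}
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := KEY_RE.match(line):
            key = m.group(1)
            continue
        if m := DRV_RE.match(line):
            drivers.append(Driver(*m.groups()))
            continue
        low = key.lower()
        if low.endswith(("\\run", "\\runonce")):
            if m := RUN_RE.match(line):
                runs.append(RunEntry(key, *m.groups()))
        elif low.endswith("authorizedapplications\\list"):
            if m := APP_RE.match(line):
                apps.append(m.group(1).replace("\\\\", "\\"))   # REGEDIT4 doubles backslashes
        elif low.endswith("globallyopenports\\list"):
            if m := PORT_RE.match(line):
                ports.append((int(m.group(1)), m.group(2)))
        elif m := DWORD_RE.match(line):
            dwords[(key, m.group(1))] = int(m.group(2), 16)
    return runs, apps, ports, drivers, dwords


def triage(text):
    """Return the lines a helper should look at; 'review' does not mean 'malware'."""
    runs, apps, ports, drivers, dwords = parse_log(text)
    findings = []
    for r in runs:
        if r.stamp == "X":
            findings.append(f"Run value '{r.name}' under {r.key} points at a file ComboFix could not find: {r.command}")
    for (key, name), value in dwords.items():
        if name.lower() == "disablemonitoring" and value == 1 and "security center" in key.lower():
            findings.append(f"Security Center monitoring disabled under {key}")
    for port, proto in ports:
        label = " (Remote Desktop)" if port == 3389 else ""
        findings.append(f"Firewall exception opens {port}/{proto}{label} to all inbound traffic")
    for d in drivers:
        # A service whose display name merely repeats a vowel-less, random-looking
        # service name is worth verifying against the file's publisher.
        if d.name == d.display and not set("aeiou") & set(d.name.lower()):
            findings.append(f"{d.start} driver '{d.name}' has a random-looking name; verify the publisher of {d.path}")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG):
        print("REVIEW:", line)
```

Run it against a full log by replacing SAMPLE_LOG with the file contents; on the excerpt it reports the [X] Run value, the disabled Security Center monitoring, the 3389/TCP exception and the two R0 drivers, and stays quiet about sbbotdi (has vowels) and p2psvc (has a real display name).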
Post #33 - Nov 16 2008, 12:47 PM - Malware Expert (HJT Team)
That typically means the file was corrupted during the download. Just delete it and try downloading it again.
Post #34 - Nov 17 2008, 06:43 AM - Member (Paul61112002)
The problem still exists after I deleted it and downloaded it again.
What can I do next?
Post #35 - Nov 17 2008, 08:15 AM - Malware Expert (HJT Team)
Reboot into safe mode and try to run it from there.
Post #36 - Nov 19 2008, 10:24 AM - Member (Paul61112002)
I have tried to run it in safe mode, but the error still exists.
I think there is a download problem, as the file size is only 587 KB compared to the original one (11 MB).
Post #37 - Nov 19 2008, 10:31 AM - Malware Expert (HJT Team)
Definitely a problem getting it downloaded completely.
Try it again, but this time when you save it, save it as paul.exe. Let's see if something is blocking it.
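The diagnosis in the two posts above (587 KB on disk against an 11 MB original, and an installer that reports a damaged archive) is the check to automate before running any downloaded cleaner: compare the size and, where the vendor publishes one, a hash, and look at the first bytes to see whether what was saved is an executable at all or a web page. The Python script below is an added example, not from this thread or from Dr.Web: FULL, TRUNCATED and HTML_PAGE are constructed stand-ins for the three outcomes, and the expected size and SHA-256 are values you would take from the vendor's download page.

```python
"""Sanity-check a downloaded Windows executable before trying to run it.
Added example, not from the thread: the expected size/hash come from the
vendor's page, and the sample inputs below are constructed stand-ins."""
import hashlib
import struct


def classify(data):
    """Classify the leading bytes: 'pe', 'html', 'mz-no-pe' or 'unknown'."""
    head = data[:512].lstrip().lower()
    if head.startswith((b"<!doctype", b"<html", b"<head")):
        return "html"                       # an error/redirect page was saved instead of the file
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return "pe"
        return "mz-no-pe"                   # DOS stub present but the PE header is missing or cut off
    return "unknown"


def check_download(data, expected_size=None, expected_sha256=None):
    """Return a report dict; an empty 'problems' list means the file is worth running."""
    problems = []
    kind = classify(data)
    if kind == "html":
        problems.append("body is an HTML page, not an executable")
    elif kind != "pe":
        problems.append(f"no valid PE header ({kind})")
    if expected_size is not None and len(data) != expected_size:
        problems.append(f"size mismatch: got {len(data):,} bytes, expected {expected_size:,}")
    digest = hashlib.sha256(data).hexdigest()
    if expected_sha256 is not None and digest != expected_sha256.lower():
        problems.append("sha256 does not match the published value")
    return {"kind": kind, "size": len(data), "sha256": digest, "problems": problems}


def fake_pe(total_size):
    """Constructed stand-in: a DOS header whose e_lfanew points at a PE signature, zero-padded."""
    hdr = bytearray(0x44)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> offset of the PE signature
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr) + b"\0" * (total_size - len(hdr))


FULL = fake_pe(11 * 1024 * 1024)      # stands in for the roughly 11 MB download
TRUNCATED = FULL[:587 * 1024]         # what the poster ended up with: 587 KB
HTML_PAGE = b"<!DOCTYPE html><html><body>Not Found</body></html>"

if __name__ == "__main__":
    for label, blob in (("full", FULL), ("truncated", TRUNCATED), ("html", HTML_PAGE)):
        r = check_download(blob, expected_size=len(FULL))
        print(label, r["kind"], r["size"], r["problems"] or "OK")
```

To use it on a real download, read the saved file with open(path, "rb").read() and pass the vendor's published size and hash; a truncated file still has a valid PE header, so the size or hash comparison is what catches it, while the magic-byte check catches the case where a browser or proxy handed back a page instead of the file.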
Post #38 - Nov 19 2008, 11:18 AM - Member (Paul61112002)
I think there is a problem downloading the file.
How can I download the file other than by using Firefox?

This post has been edited by Paul61112002: Nov 19 2008, 11:19 AM
Post #39 - Nov 19 2008, 07:31 PM - Malware Expert (HJT Team)
You can always use Internet Explorer.
Post #40 - Nov 20 2008, 11:15 AM - Member (Paul61112002)
But the homepage of Internet Explorer is hijacked.
When I enter the URL, I can't access it, and two blank browser windows open instead.
Post #41 - Nov 20 2008, 11:18 AM - Malware Expert (HJT Team)
Do you have access to another computer where you can download it, save it to a disc or USB stick, and then transfer it over to the infected computer?
Post #42 - Nov 20 2008, 11:21 AM - Member (Paul61112002)
Would you like to send the file through email?
I don't have a USB stick.
Post #43 - Nov 20 2008, 11:25 AM - Malware Expert (HJT Team)
Sure, we can try that.
Send me a PM with your email address.
Post #44 - Nov 20 2008, 11:32 AM - Member (Paul61112002)
I have sent you a PM.
Post #45 - Nov 20 2008, 12:29 PM - Malware Expert (HJT Team)
We're going to have to try something else. That attachment is just too big for Yahoo to receive.

Download SDFix and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive% (the drive that contains the Windows directory, typically C:\SDFix).
Open the extracted SDFix folder and double click RunThis.bat to start the script.