I am sorry. When the Dr.Web software asked me for installation,
I pressed the button and a message "The archive is either in unknown format or damaged" was shown.
Therefore I can't use Dr.Web.
ComboFix 08-11-12.02 - Ken 2008-11-16 20:54:32.10 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.950.886.1028.18.553 [GMT 8:00]
執行位置: c:\documents and settings\Ken\桌面\ComboFix.exe
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( 被刪除的檔案 )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Ken\Application Data\dach100.dll
c:\windows\IE4 Error Log.txt
.
((((((((((((((((((((((((( 2008-10-16 至 2008-11-16 的新的檔案 )))))))))))))))))))))))))))))))
.
2008-11-15 21:05 . 2008-11-16 20:46 66 --a------ c:\windows\anticrash.dat
2008-11-15 21:05 . 2008-11-16 20:46 61 --a------ c:\windows\hare.dat
2008-11-15 21:05 . 2008-11-16 20:46 60 --a------ c:\windows\zoom.dat
2008-11-15 09:43 . 2008-11-15 09:43 <DIR> d-------- C:\_OTMoveIt
2008-11-11 23:25 . 2008-11-11 23:25 <DIR> d-------- c:\windows\ERUNT
2008-11-11 23:19 . 2008-11-11 23:44 <DIR> d-------- C:\SDFix
2008-11-10 23:54 . 2008-11-10 23:54 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-10 23:54 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-10 23:54 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-10 23:23 . 2008-11-10 23:23 <DIR> d-------- c:\documents and settings\Ken\Application Data\Malwarebytes
2008-11-10 23:23 . 2008-11-10 23:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-09 00:27 . 2008-11-16 19:26 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-09 00:27 . 2008-11-09 00:27 1,409 --a------ c:\windows\QTFont.for
2008-11-01 06:40 . 2008-11-01 06:40 <DIR> d-------- c:\windows\dell
2008-11-01 06:40 . 2008-11-10 23:26 1,071,837,184 --a------ c:\windows\MEMORY.DMP
2008-11-01 00:10 . 2008-11-01 00:10 <DIR> d-------- c:\documents and settings\Ken\Application Data\Talkback
2008-10-31 23:35 . 2008-11-01 00:35 <DIR> d-------- c:\documents and settings\Lee Chi Ho
2008-10-31 23:24 . 2004-08-12 18:00 41,600 --a--c--- c:\windows\system32\dllcache\weitekp9.dll
2008-10-31 23:24 . 2004-08-12 18:00 31,232 --a--c--- c:\windows\system32\dllcache\weitekp9.sys
2008-10-31 23:22 . 2004-08-12 18:00 111,104 --a--c--- c:\windows\system32\dllcache\mtstocom.exe
2008-10-31 23:21 . 2004-08-12 18:00 331,264 --a--c--- c:\windows\system32\dllcache\aqueue.dll
2008-10-31 23:20 . 2004-05-13 00:39 876,653 --a--c--- c:\windows\system32\dllcache\fp4awel.dll
2008-10-31 23:18 . 2008-10-31 23:18 749 -rah----- c:\windows\WindowsShell.Manifest
2008-10-31 23:18 . 2008-10-31 23:18 749 -rah----- c:\windows\system32\wuaucpl.cpl.manifest
2008-10-31 23:18 . 2008-10-31 23:18 749 -rah----- c:\windows\system32\sapi.cpl.manifest
2008-10-31 23:18 . 2008-10-31 23:18 749 -rah----- c:\windows\system32\ncpa.cpl.manifest
2008-10-31 23:18 . 2008-10-31 23:18 488 -rah----- c:\windows\system32\logonui.exe.manifest
2008-10-31 23:17 . 2004-08-12 18:00 16,384 --a--c--- c:\windows\system32\dllcache\isignup.exe
.
(((((((((((((((((((((((((((((((((((((((( 在三個月內被修改的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-15 16:09 --------- d-----w c:\program files\Common Files\Adobe
2008-11-14 14:30 --------- d-----w c:\program files\ESET
2008-10-31 16:20 --------- d-----w c:\program files\Spyware Doctor
2008-10-03 18:18 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-07-27 16:50 0 ----a-w c:\documents and settings\Ken\jagex_runescape_preferences.dat
2007-03-03 16:45 686 ----a-w c:\documents and settings\Ken\清除系統LJ.bat
.
((((((((((((((((((((((((((((( snapshot_2008-11-01_ 0.31.32.60 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-07 07:27:04 163,328 ----a-w c:\windows\ERUNT\SDFIX\ERDNT.EXE
+ 2008-11-11 15:25:46 10,629,120 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-11-11 15:25:47 3,067,904 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-08-07 07:27:04 163,328 ----a-w c:\windows\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-11-11 15:25:27 10,629,120 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-11-11 15:25:28 3,067,904 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2008-06-03 19:29:55 29,926 ----a-r c:\windows\Installer\{6560D90C-5223-49A3-B78C-A48C31EAEC56}\MsblIco.Exe
+ 2008-11-01 14:27:04 29,926 ----a-r c:\windows\Installer\{6560D90C-5223-49A3-B78C-A48C31EAEC56}\MsblIco.Exe
+ 2008-11-15 16:10:27 295,606 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1028-7B44-A81300000003}\SC_Reader.exe
- 2006-07-04 13:07:00 3,522 ----a-w c:\windows\pchealth\helpctr\PackageStore\SkuStore.bin
+ 2008-11-05 12:25:58 3,702 ----a-w c:\windows\pchealth\helpctr\PackageStore\SkuStore.bin
+ 2008-11-16 12:44:48 16,384 ----atw c:\windows\temp\Perflib_Perfdata_2ec.dat
.
((((((((((((((((((((((((((((((((((((( 重要登入點 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白與合法缺省登錄將不會被顯示
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-12 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-15 1695232]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2007-08-30 205480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2006-05-03 98304]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2007-08-28 73728]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-07-14 180269]
"Ulead AutoDetector v2"="c:\program files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2005-05-23 90112]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-12 208952]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2007-08-30 205480]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-02-04 949376]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-12-10 133016]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-12 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-12 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-12 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-12 455168]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2004-08-12 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-12 44544]
c:\documents and settings\Ken\「開始」功能表\程式集\啟動\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
AntiCrash.lnk - c:\program files\Dachshund Software\AntiCrash\AntiCrash.exe [2002-12-17 2301798]
Hare.lnk - c:\program files\Dachshund Software\Hare\Hare.exe [2002-09-21 1874381]
OAhotkey.lnk - c:\epdoa\OAHotkey.EXE [2007-07-26 491008]
Zoom.lnk - c:\program files\Dachshund Software\Zoom\Zoom.exe [2002-09-21 1446302]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Thunder Network\\Thunder\\Program\\Thunder5.exe"=
"c:\\Program Files\\Kingsoft\\PowerWord 2006\\XDICT.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\YouBe Casual Network\\YouBe.exe"=
"c:\\Program Files\\SpeedBit Video Accelerator\\VideoAccelerator.exe"=
"c:\\Program Files\\SpeedBit Video Accelerator\\VideoAcceleratorEngine.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R0 myxlljjp;myxlljjp;c:\windows\system32\DRIVERS\myxlljjp.sys [2007-06-19 11192]
R0 vzchp;vzchp;c:\windows\system32\drivers\vzchp.sys [2008-04-15 28384]
R2 sbbotdi;sbbotdi;c:\progra~1\SPEEDB~1\sbbotdi.sys [2007-06-05 34304]
S3 CENIXFMC;Cenix Digicom Digital Voice Recorder Service;c:\windows\system32\Drivers\CENIXFMC.sys [2002-10-07 18660]
S3 hid7906;hid7906;c:\windows\system32\drivers\hid7906.sys [2006-06-28 53793]
S3 IPvE;IPvE Adapter Driver;c:\windows\system32\DRIVERS\IPvE.sys [2008-06-29 14144]
S3 p2pgasvc;Peer Networking Group Authentication;c:\windows\system32\svchost.exe [2004-08-12 14336]
S3 p2pimsvc;Peer Networking Identity Manager;c:\windows\system32\svchost.exe [2004-08-12 14336]
S3 p2psvc;Peer Networking;c:\windows\system32\svchost.exe [2004-08-12 14336]
S3 PNRPSvc;Peer Name Resolution Protocol;c:\windows\system32\svchost.exe [2004-08-12 14336]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
‘計劃任務’ 文件夾 裡的內容
2008-11-16 c:\windows\Tasks\查看 Windows Live Toolbar 的更新資訊.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
.
.
------- 而外的掃描 -------
.
FireFox -: Profile - c:\documents and settings\Ken\Application Data\Mozilla\Firefox\Profiles\a4sjxaq1.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com.hk/
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-11-16 20:59:01
Windows 5.1.2600 Service Pack 2 NTFS
掃描被隱藏的進程。。。 ...
掃描被隱藏的啟動組。。。
掃描被隱藏的文件。。。
掃描完成
被隱藏的檔案: 0
**************************************************************************
.
--------------------- 運行進程下的動態鏈接庫 ---------------------
PROCESS: c:\windows\system32\lsass.exe
-> c:\program files\Eset\pr_imon.dll
.
完成時間: 2008-11-16 21:00:58
ComboFix-quarantined-files.txt 2008-11-16 13:00:12
ComboFix2.txt 2008-11-14 14:27:22
ComboFix3.txt 2008-11-10 15:49:30
ComboFix4.txt 2008-11-04 14:54:10
ComboFix5.txt 2008-11-16 12:53:59
Pre-Run: 104,036,626,432 位元組可用
Post-Run: 104,027,226,112 位元組可用
163 --- E O F --- 2008-10-24 12:58:10
This post has been edited by Paul61112002: 16 November 2008 - 08:24 AM