Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected With Smitfraud-c.coreservice


  • This topic is locked This topic is locked
11 replies to this topic

#1 soken

soken

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:19 PM

Posted 17 September 2008 - 01:14 PM

How do i remove this trojans..
Please help Thanks




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:10:29 AM, on 9/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\ps2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: 上傳到QQ網路硬碟 - C:\Program Files\Tencent\QQ\AddToNetDisk.htm
O8 - Extra context menu item: 新增到QQ自定義面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 新增到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 氝樓善QQ桶 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 添加到QQ自定義面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ MMS傳送該圖片 - C:\Program Files\Tencent\QQ\SendMMS.htm
O8 - Extra context menu item: 用QQ彩信發送該圖片 - C:\Program Files\Tencent\QQ\SendMMS.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE (file missing)
O9 - Extra 'Tools' menuitem: AE°TQQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O20 - Winlogon Notify: qoMeFwXQ - qoMeFwXQ.dll (file missing)
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 6760 bytes

BC AdBot (Login to Remove)

 


#2 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:03:19 PM

Posted 24 September 2008 - 08:49 PM

Hello, soken.
:thumbsup: to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)

I want to apologise that it has taken so long to get back to you. We on the HJT Team are working as fast as possible to get your log answered.

If you would still like help, please post a new HiJack This log below, as things may have changed on your system.

If you do not still need help, please let me know, so that I can move on to other users who still need help.

Please take note of the following:
  • While a HJT Team member is working with you, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Please reply using the Posted Image button in the lower left hand corner of your screen.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave, and if there is no contact for that amount of time I will have to assume you have "vanished" :).
Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#3 soken

soken
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:19 PM

Posted 25 September 2008 - 11:37 AM

Hi Billy

I just want to get rid of this annoy pop up on my computer

thanks for the help

here is the log




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:34:24 AM, on 9/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\ps2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunOnce: [SpybotDeletingA6660] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3491] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6920] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2481] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB1827] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4340] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7273] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3172] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: 上傳到QQ網路硬碟 - C:\Program Files\Tencent\QQ\AddToNetDisk.htm
O8 - Extra context menu item: 新增到QQ自定義面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 新增到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 氝樓善QQ桶 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 添加到QQ自定義面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ MMS傳送該圖片 - C:\Program Files\Tencent\QQ\SendMMS.htm
O8 - Extra context menu item: 用QQ彩信發送該圖片 - C:\Program Files\Tencent\QQ\SendMMS.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE (file missing)
O9 - Extra 'Tools' menuitem: AE°TQQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O20 - Winlogon Notify: qoMeFwXQ - qoMeFwXQ.dll (file missing)
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 7752 bytes

#4 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:03:19 PM

Posted 25 September 2008 - 03:58 PM

Hello, soken.
We need to run ComboFix.In your next reply, please include the following:
  • ComboFix.txt

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#5 soken

soken
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:19 PM

Posted 25 September 2008 - 05:17 PM

Hello Billy
here is the log:



ComboFix 08-09-25.03 - Compaq_Owner 2008-09-25 14:52:18.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.950.886.1033.18.1585 [GMT -7:00]
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\BM37edf479.txt
C:\WINDOWS\BM37edf479.xml
C:\WINDOWS\IA
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\usbprintt.sys
C:\WINDOWS\system32\jwedsfdo0.dll
C:\WINDOWS\system32\jwedsfdo1.dll
C:\WINDOWS\system32\jwedsfdo2.dll
C:\WINDOWS\system32\kxvo0.dll
C:\WINDOWS\system32\kxvo1.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\pac.txt
D:\x.cmd

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_USBPRINTT
-------\Service_usbprintt


((((((((((((((((((((((((( Files Created from 2008-08-25 to 2008-09-25 )))))))))))))))))))))))))))))))
.

2008-09-18 11:22 . 2008-09-18 11:22 <DIR> d-------- C:\Program Files\Real
2008-09-18 11:22 . 2008-09-18 11:22 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-09-16 15:46 . 2008-09-16 15:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-16 13:34 . 2008-09-16 13:34 <DIR> d-------- C:\Program Files\Ventrilo
2008-09-16 13:34 . 2008-09-16 13:35 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Ventrilo
2008-09-16 11:27 . 2005-01-28 21:45 <DIR> d-------- C:\Documents and Settings\Administrator.SAM\Application Data\InterMute
2008-09-16 11:27 . 2008-09-16 12:42 <DIR> d---s---- C:\Documents and Settings\Administrator.SAM
2008-09-15 15:53 . 2008-09-15 15:53 <DIR> d-------- C:\Program Files\ESET
2008-09-15 13:49 . 2008-09-23 14:41 165 --a------ C:\WINDOWS\wininit.ini
2008-09-15 12:59 . 2008-09-16 12:42 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-15 12:59 . 2008-09-25 09:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-15 12:45 . 2008-09-15 12:45 <DIR> d-------- C:\Program Files\CCleaner
2008-09-15 11:38 . 2008-09-15 12:28 <DIR> d-------- C:\Program Files\True Sword 5
2008-09-15 10:24 . 2008-09-15 10:24 <DIR> d-------- C:\Program Files\Avira
2008-09-15 10:24 . 2008-09-15 10:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-09-15 10:00 . 2005-01-28 21:45 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterMute
2008-09-15 10:00 . 2008-09-15 10:23 <DIR> d---s---- C:\Documents and Settings\Administrator
2008-09-15 09:50 . 2008-09-15 09:50 108 --ahs---- C:\WINDOWS\klif.spi
2008-09-15 09:45 . 2008-09-15 09:53 96,976 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-09-15 09:45 . 2008-09-15 09:45 87,855 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-09-15 09:44 . 2008-09-15 09:44 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-09-15 09:44 . 2008-09-15 09:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-09-15 09:44 . 2008-09-15 09:54 989,216 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-09-15 09:44 . 2008-09-15 09:54 352,288 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-09-15 09:44 . 2008-09-15 09:54 8,808 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-09-15 09:44 . 2008-09-15 09:54 2,284 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-09-12 13:36 . 2008-09-12 13:36 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\ESET
2008-09-12 13:35 . 2008-09-12 13:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-09-12 13:32 . 2008-09-12 13:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-09-12 11:48 . 2008-09-15 12:55 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-09-12 11:48 . 2008-09-15 12:55 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-11 13:18 . 2008-09-11 13:18 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\True Sword
2008-09-11 13:10 . 2008-09-12 12:02 1,191,543 --ahs---- C:\WINDOWS\system32\nkjkkodr.ini
2008-09-11 13:08 . 2008-09-11 13:08 119,808 --a------ C:\WINDOWS\system32\dekfhejn.dll
2008-09-11 11:05 . 2008-09-11 11:05 <DIR> d-------- C:\Program Files\uTorrent
2008-09-11 11:05 . 2008-09-25 10:28 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\uTorrent
2008-09-11 11:04 . 2008-09-11 12:25 1,187,002 --ahs---- C:\WINDOWS\system32\sccqgvkp.ini
2008-09-11 11:04 . 2008-09-11 11:04 119,808 --a------ C:\WINDOWS\system32\wtrtbs.dll
2008-09-11 11:04 . 2008-09-11 11:04 119,808 --a------ C:\WINDOWS\system32\pwhikmlx.dll
2008-09-11 11:04 . 2008-09-11 11:04 82,944 --a------ C:\WINDOWS\system32\pkvgqccs.dll
2008-09-11 11:03 . 2008-09-12 12:23 610 --ahs---- C:\WINDOWS\system32\SsYJRqru.ini2
2008-09-11 11:03 . 2008-09-12 12:23 610 --ahs---- C:\WINDOWS\system32\SsYJRqru.ini
2008-09-11 10:58 . 2008-09-11 10:58 <DIR> d-------- C:\WINDOWS\system32\winz
2008-09-11 10:58 . 2008-09-11 13:33 <DIR> d-------- C:\WINDOWS\system32\tnp
2008-09-11 10:58 . 2008-09-12 15:42 <DIR> d-------- C:\WINDOWS\system32\nas
2008-09-11 10:58 . 2008-09-12 15:32 <DIR> d-------- C:\WINDOWS\system32\mC19
2008-09-11 10:58 . 2008-09-16 17:19 <DIR> d-------- C:\WINDOWS\system32\ihcp
2008-09-11 10:58 . 2008-09-11 10:58 <DIR> d-------- C:\temp\mtc2
2008-09-05 16:03 . 2008-09-05 16:03 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-03 13:48 . 2008-09-03 13:53 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\PPStream

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-18 18:22 --------- d-----w C:\Program Files\Common Files\Real
2008-09-15 17:22 --------- d-----w C:\Program Files\PC-Doctor for Windows
2008-09-13 00:40 --------- d-----w C:\Program Files\Symantec
2008-09-13 00:40 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-19 19:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-19 19:25 --------- d-----w C:\Program Files\Alcohol Soft
2008-08-19 19:22 716,272 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-08-19 00:38 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-07-30 21:32 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Tencent
2008-07-30 21:32 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\QQMusicUpdate
2008-07-30 21:07 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\QQ
2008-07-30 03:20 24,774 ----a-w C:\WINDOWS\system32\drivers\klopp.dat
2008-07-28 18:15 53,760 ----a-w C:\WINDOWS\system32\drivers\SSHDRV76.sys
2008-07-28 17:57 --------- d-----w C:\Program Files\Ascaron Entertainment
2008-07-17 21:16 0 --sha-r C:\62oop0ak.bat
2007-06-30 01:00 36,544 ----a-w C:\Documents and Settings\Compaq_Owner\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-03-20 217544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2005-01-28 32881]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2003-09-12 98304]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-01-28 98304]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2007-11-14 1410304]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-09-18 185896]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 C:\WINDOWS\AGRSMMSG.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 C:\WINDOWS\ALCXMNTR.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.adv1"= ADV601.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 2009\\English\\setup.exe"=

R1 SSHDRV76;SSHDRV76;C:\WINDOWS\system32\drivers\SSHDRV76.sys [2008-07-28 53760]
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{000EA678-D7A2-456A-AE04-EB9ABF822FE4} - (no file)
ShellExecuteHooks-{C5F43BEF-CE2F-46D8-AFE6-A647BACD1F09} - (no file)
Notify-qoMeFwXQ - qoMeFwXQ.dll


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
R0 -: HKCU-Main,Default_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
R0 -: HKLM-Main,Search Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
O8 -: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 -: 上傳到QQ網路硬碟 - C:\Program Files\Tencent\QQ\AddToNetDisk.htm
O8 -: 新增到QQ自定義面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 -: 新增到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 -: 氝樓善QQ桶 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 -: 添加到QQ自定義面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 -: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 -: 用QQ MMS傳送該圖片 - C:\Program Files\Tencent\QQ\SendMMS.htm
O8 -: 用QQ彩信發送該圖片 - C:\Program Files\Tencent\QQ\SendMMS.htm
O9 -: {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O9 -: {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE -
.
.
------- File Associations -------
.
chm.file="hh.exe" %1
txtfile=C:\WINDOWS\notepad.exe %1
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-25 14:56:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\BRSS01A.EXE
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2008-09-25 15:02:34 - machine was rebooted [Compaq_Owner]
ComboFix-quarantined-files.txt 2008-09-25 22:02:28

Pre-Run: 62,536,986,624 bytes free
Post-Run: 62,460,043,264 bytes free

199 --- E O F --- 2008-08-14 00:48:51

#6 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:03:19 PM

Posted 25 September 2008 - 07:42 PM

Hello, soken.
We need to re-run ComboFix with some additonal directives.
  • Please disable any running anti-virus programs.

    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    file::
    C:\Documents and Settings\Compaq_Owner\Application Data\GDIPFONTCACHEV1.DAT
    C:\WINDOWS\system32\nkjkkodr.ini
    C:\WINDOWS\system32\dekfhejn.dll
    C:\WINDOWS\system32\sccqgvkp.ini
    C:\WINDOWS\system32\wtrtbs.dll
    C:\WINDOWS\system32\pwhikmlx.dll
    C:\WINDOWS\system32\pkvgqccs.dll
    C:\WINDOWS\system32\SsYJRqru.ini
    C:\WINDOWS\system32\SsYJRqru.ini2
    C:\62oop0ak.bat
    
    folder::
    C:\WINDOWS\system32\winz
    C:\WINDOWS\system32\tnp
    C:\WINDOWS\system32\nas
    C:\WINDOWS\system32\mC19
    C:\WINDOWS\system32\ihcp
    C:\temp\mtc2
    
    filelook::
    C:\WINDOWS\system32\drivers\SSHDRV76.sys
    
    dirlook::
    C:\Documents and Settings\Compaq_Owner\Application Data\PPStream
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Posted Image
    Refering to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

In your next reply, please include the following:
  • ComboFix.txt
  • A New HiJack This log

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#7 soken

soken
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:19 PM

Posted 25 September 2008 - 08:01 PM

Hello, Billy

Here is the Combofix log:


ComboFix 08-09-25.03 - Compaq_Owner 2008-09-25 17:54:27.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.950.886.1033.18.1594 [GMT -7:00]
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Compaq_Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\62oop0ak.bat
C:\Documents and Settings\Compaq_Owner\Application Data\GDIPFONTCACHEV1.DAT
C:\WINDOWS\system32\dekfhejn.dll
C:\WINDOWS\system32\nkjkkodr.ini
C:\WINDOWS\system32\pkvgqccs.dll
C:\WINDOWS\system32\pwhikmlx.dll
C:\WINDOWS\system32\sccqgvkp.ini
C:\WINDOWS\system32\SsYJRqru.ini
C:\WINDOWS\system32\SsYJRqru.ini2
C:\WINDOWS\system32\wtrtbs.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\62oop0ak.bat
C:\Documents and Settings\Compaq_Owner\Application Data\GDIPFONTCACHEV1.DAT
C:\temp\mtc2
C:\temp\mtc2\h5v.log
C:\WINDOWS\system32\dekfhejn.dll
C:\WINDOWS\system32\ihcp
C:\WINDOWS\system32\mC19
C:\WINDOWS\system32\nas
C:\WINDOWS\system32\nkjkkodr.ini
C:\WINDOWS\system32\pkvgqccs.dll
C:\WINDOWS\system32\pwhikmlx.dll
C:\WINDOWS\system32\sccqgvkp.ini
C:\WINDOWS\system32\SsYJRqru.ini
C:\WINDOWS\system32\SsYJRqru.ini2
C:\WINDOWS\system32\tnp
C:\WINDOWS\system32\winz
C:\WINDOWS\system32\winz\BODR31v44.exe
C:\WINDOWS\system32\wtrtbs.dll

.
((((((((((((((((((((((((( Files Created from 2008-08-26 to 2008-09-26 )))))))))))))))))))))))))))))))
.

2008-09-18 11:22 . 2008-09-18 11:22 <DIR> d-------- C:\Program Files\Real
2008-09-18 11:22 . 2008-09-18 11:22 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-09-16 15:46 . 2008-09-16 15:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-16 13:34 . 2008-09-16 13:34 <DIR> d-------- C:\Program Files\Ventrilo
2008-09-16 13:34 . 2008-09-16 13:35 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Ventrilo
2008-09-16 11:27 . 2005-01-28 21:45 <DIR> d-------- C:\Documents and Settings\Administrator.SAM\Application Data\InterMute
2008-09-16 11:27 . 2008-09-16 12:42 <DIR> d---s---- C:\Documents and Settings\Administrator.SAM
2008-09-15 15:53 . 2008-09-15 15:53 <DIR> d-------- C:\Program Files\ESET
2008-09-15 13:49 . 2008-09-23 14:41 165 --a------ C:\WINDOWS\wininit.ini
2008-09-15 12:59 . 2008-09-16 12:42 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-15 12:59 . 2008-09-25 09:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-15 12:45 . 2008-09-15 12:45 <DIR> d-------- C:\Program Files\CCleaner
2008-09-15 11:38 . 2008-09-15 12:28 <DIR> d-------- C:\Program Files\True Sword 5
2008-09-15 10:24 . 2008-09-15 10:24 <DIR> d-------- C:\Program Files\Avira
2008-09-15 10:24 . 2008-09-15 10:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-09-15 10:00 . 2005-01-28 21:45 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterMute
2008-09-15 10:00 . 2008-09-15 10:23 <DIR> d---s---- C:\Documents and Settings\Administrator
2008-09-15 09:50 . 2008-09-15 09:50 108 --ahs---- C:\WINDOWS\klif.spi
2008-09-15 09:45 . 2008-09-15 09:53 96,976 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-09-15 09:45 . 2008-09-15 09:45 87,855 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-09-15 09:44 . 2008-09-15 09:44 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-09-15 09:44 . 2008-09-15 09:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-09-15 09:44 . 2008-09-15 09:54 989,216 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-09-15 09:44 . 2008-09-15 09:54 352,288 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-09-15 09:44 . 2008-09-15 09:54 8,808 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-09-15 09:44 . 2008-09-15 09:54 2,284 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-09-12 13:36 . 2008-09-12 13:36 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\ESET
2008-09-12 13:35 . 2008-09-12 13:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-09-12 13:32 . 2008-09-12 13:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-09-12 11:48 . 2008-09-15 12:55 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-09-12 11:48 . 2008-09-15 12:55 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-11 13:18 . 2008-09-11 13:18 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\True Sword
2008-09-11 11:05 . 2008-09-11 11:05 <DIR> d-------- C:\Program Files\uTorrent
2008-09-11 11:05 . 2008-09-25 10:28 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\uTorrent
2008-09-05 16:03 . 2008-09-05 16:03 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-03 13:48 . 2008-09-03 13:53 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\PPStream

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-18 18:22 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-09-18 18:22 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-09-18 18:22 --------- d-----w C:\Program Files\Common Files\Real
2008-09-15 17:22 --------- d-----w C:\Program Files\PC-Doctor for Windows
2008-09-13 00:40 --------- d-----w C:\Program Files\Symantec
2008-09-13 00:40 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-19 19:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-19 19:25 --------- d-----w C:\Program Files\Alcohol Soft
2008-08-19 19:22 716,272 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-08-19 00:38 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-07-30 21:32 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Tencent
2008-07-30 21:32 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\QQMusicUpdate
2008-07-30 21:07 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\QQ
2008-07-30 03:21 218,376 ----a-w C:\WINDOWS\system32\klogon(2).dll
2008-07-30 03:20 24,774 ----a-w C:\WINDOWS\system32\drivers\klopp.dat
2008-07-28 18:15 53,760 ----a-w C:\WINDOWS\system32\drivers\SSHDRV76.sys
2008-07-28 17:57 --------- d-----w C:\Program Files\Ascaron Entertainment
2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-19 05:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-19 05:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 05:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\dllcache\es.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\SSHDRV76.sys -- Not a PE file.
MD5: ef3504dd32e2ea222be0cbc9a0895f89

---- Directory of C:\Documents and Settings\Compaq_Owner\Application Data\PPStream ----

2008-09-03 13:52 3993 --a------ C:\Documents and Settings\Compaq_Owner\Application Data\PPStream\banner\br_msg.zip
2008-09-03 13:45 45727 --a------ C:\Documents and Settings\Compaq_Owner\Application Data\PPStream\adsys\ads.xml
2008-09-03 13:45 17169 --a------ C:\Documents and Settings\Compaq_Owner\Application Data\PPStream\banner\br_msg.xml
2008-09-02 22:45 9667 --------- C:\Documents and Settings\Compaq_Owner\Application Data\PPStream\adsys\ads.zip
2008-09-02 11:49 96534 --a------ C:\Documents and Settings\Compaq_Owner\Application Data\PPStream\adsys\ad_efdfac2625216746bc5e7afca119ea0a.swf
2008-09-02 11:00 87 --------- C:\Documents and Settings\Compaq_Owner\Application Data\PPStream\notice\msg.xml
2008-09-02 07:15 11008 --a------ C:\Documents and Settings\Compaq_Owner\Application Data\PPStream\adsys\ad_6ab71c4bcde519eda8a8085c1ddfbe30.swf
2008-09-01 10:51 59732 --a------ C:\Documents and Settings\Compaq_Owner\Application Data\PPStream\adsys\ad_5787f7573b8ebaaebe8f51869947f34e.swf
2008-09-01 03:55 65355 --a------ C:\Documents and Settings\Compaq_Owner\Application Data\PPStream\adsys\ad_d004692e6df96250c723d1129c6af6c9.swf
2008-08-31 16:40 31990 --a------ C:\Documents and Settings\Compaq_Owner\Application Data\PPStream\adsys\ad_7bbfcbf91c5918f8ff10b7cc20eeac4d.swf
2008-08-28 08:43 337311 --a------ C:\Documents and Settings\Compaq_Owner\Application Data\PPStream\adsys\ad_e1835d7e31892753930e71558bf7a547.swf
2008-08-28 08:38 421052 --a------ C:\Documents and Settings\Compaq_Owner\Application Data\PPStream\adsys\ad_bb3fcc06098f7eab219be4feeeaeb470.swf
2008-08-27 10:52 44927 --a------ C:\Documents and Settings\Compaq_Owner\Application Data\PPStream\adsys\ad_74fd58153f3fd01492ce6402cacf4a75.swf
2008-08-07 08:21 746724 --a------ C:\Documents and Settings\Compaq_Owner\Application Data\PPStream\adsys\ad_173cb3f5520c5b6a5ab908072bb53da4.swf
2008-08-07 08:12 75321 --a------ C:\Documents and Settings\Compaq_Owner\Application Data\PPStream\adsys\player2_8.swf
2008-08-04 12:10 75318 --a------ C:\Documents and Settings\Compaq_Owner\Application Data\PPStream\adsys\player1_8.swf
2008-08-04 12:10 75238 --a------ C:\Documents and Settings\Compaq_Owner\Application Data\PPStream\adsys\player2_7.swf
2008-08-04 12:10 75229 --a------ C:\Documents and Settings\Compaq_Owner\Application Data\PPStream\adsys\player1_7.swf
2008-07-31 04:24 1504048 --a------ C:\Documents and Settings\Compaq_Owner\Application Data\PPStream\adsys\ad_f39016fe46a442ca3134c1326037c959.swf


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-03-20 217544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2005-01-28 32881]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2003-09-12 98304]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-01-28 98304]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2007-11-14 1410304]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-09-18 185896]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 C:\WINDOWS\AGRSMMSG.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 C:\WINDOWS\ALCXMNTR.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.adv1"= ADV601.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 2009\\English\\setup.exe"=

R1 SSHDRV76;SSHDRV76;C:\WINDOWS\system32\drivers\SSHDRV76.sys [2008-07-28 53760]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-25 17:55:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-25 17:57:48
ComboFix-quarantined-files.txt 2008-09-26 00:57:13
ComboFix2.txt 2008-09-25 22:02:36

Pre-Run: 62,454,099,968 bytes free
Post-Run: 62,440,718,336 bytes free

198 --- E O F --- 2008-08-14 00:48:51





Here is the HiJack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:58:38 PM, on 9/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\ps2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: 上傳到QQ網路硬碟 - C:\Program Files\Tencent\QQ\AddToNetDisk.htm
O8 - Extra context menu item: 新增到QQ自定義面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 新增到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 氝樓善QQ桶 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 添加到QQ自定義面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ MMS傳送該圖片 - C:\Program Files\Tencent\QQ\SendMMS.htm
O8 - Extra context menu item: 用QQ彩信發送該圖片 - C:\Program Files\Tencent\QQ\SendMMS.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE (file missing)
O9 - Extra 'Tools' menuitem: AE°TQQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 6343 bytes

#8 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:03:19 PM

Posted 25 September 2008 - 08:08 PM

Hello, soken.
You have a Peer-To-Peer program installed.
Your log shows that you are using so called peer-to-peer or file-sharing programs (in your case uTorrent). These programs allow to share files between users as the name(s) suggest. In today's world the cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
I recomend you remove either Nod32, Kaspersky, or Avira (Leave one and remove the others).

Unless otherwise listed below, you can remove these AV programs from Add/Remove Programs.



From the scanners you have, I'd recomend leaving ESET there :thumbsup:

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE)6 Update 7...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-Language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u7-windows-i586-p.exe
  • Follow the on screen instructions to install the latest Java version.
I would like us to use ESET (NOD32)'s Online Scanner
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use, tick the check-box infront of YES, I accept the Terms of Use
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
  • Click into the text area, right-click and chose "select all" (or use +A)
  • Right-click again and chose "Copy" (or +C)
  • Close/Exit Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.)

You Need to Update Windows (And other Microsoft Software)
Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

If you are using Windows XP or earlier
Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

If you are using Windows Vista
  • Click the "Start Menu" (or Windows Orb)
  • Click "All Programs"
  • Click "Windows Update"
  • On the left, choose "Change Settings"
  • Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
  • Press OK and accept the UAC prompt.
    Note: You shouldn't need to check this checkbox every single time you update, only the first time.
  • Click "Check for Updates" in the upper left corner.
  • Follow the instructions to install the latest updates.
  • Reboot and repeat the "Check for Updates" until there are no more critical updates to install
In your next reply, please include the following:
  • ESET OnlineScan's Log
  • A New HiJack This log

Billy3

Edited by Billy O'Neal, 25 September 2008 - 08:09 PM.
TPYO

Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#9 soken

soken
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:19 PM

Posted 26 September 2008 - 01:06 PM

Hello, Billy

thanks for the advice but I could not remove Avira, there is some kind of error when I try to remove it and I did remove Kaspersky but somehow it still shows in the system. Anyway, here is the log

thanks for the help



ESET OnlineScan's Log:


# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3474 (20080926)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=a8324a1ae9238b428aefc600dcf27668
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-09-26 06:00:05
# local_time=2008-09-26 11:00:05 (-0800, Pacific Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=367021
# found=2
# scan_time=3143
# nod_component=V3 Build:0x30000000 ()
C:\QooBox\Quarantine\C\WINDOWS\system32\winz\BODR31v44.exe.vir a variant of Win32/Adware.GooochiBiz application (deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\winz\BODR31v44.exe.vir ?NSIS ?€ a variant of Win32/Adware.GooochiBiz application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000






Here is a new HiJackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:05:13 AM, on 9/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\ps2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: 上傳到QQ網路硬碟 - C:\Program Files\Tencent\QQ\AddToNetDisk.htm
O8 - Extra context menu item: 新增到QQ自定義面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 新增到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 氝樓善QQ桶 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 添加到QQ自定義面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ MMS傳送該圖片 - C:\Program Files\Tencent\QQ\SendMMS.htm
O8 - Extra context menu item: 用QQ彩信發送該圖片 - C:\Program Files\Tencent\QQ\SendMMS.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE (file missing)
O9 - Extra 'Tools' menuitem: AE°TQQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 6632 bytes

#10 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:03:19 PM

Posted 26 September 2008 - 03:12 PM

Hello, soken.

So long as Avira's "Guard" is off then it shouldn't cause a problem. If you want us to forcefully remove it we can ;)

Congratulations! You now appear clean! :thumbsup:

Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve preformance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.We Need to Remove ComboFix
  • Please go to Start -> Run
  • Enter "ComboFix /u" (without quotes). Note the space betwen "ComboFix" and "/u", it needs to be there.
    Posted Image
  • Press OK (Or hit enter).
  • Allow ComboFix to remove itself.
We Need to Clean Up Our Mess
  • Please download OTCleanIt from one of the following mirrors and save it to your desktop:
  • Double click the Posted Image icon.
  • Push the large "Cleanup" button.
  • Allow your system to reboot.
Reset System Restore
Windows' "System Restore" feature can cause malware files to be cached and retained by your system. Resetting System Restore will clean these files from your system, and will allow you to use System Restore without fear of reinfection.
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
Note: You should only do this once, not on a regular basis!
You will not be able to restore computer to any earlier than today!

Recommendations
Below are some recommendations to lower your chances of (re)infection.
  • Install and maintain an outbound firewall
  • Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.
  • Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automaticly if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
  • Install an Anti-Spyware program, and update it regularly
    Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    If you are using Windows XP or earlier
    Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

    If you are using Windows Vista
    • Click the "Start Menu" (or Windows Orb)
    • Click "All Programs"
    • Click "Windows Update"
    • On the left, choose "Change Settings"
    • Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
    • Press OK and accept the UAC prompt.
      Note: You shouldn't need to check this checkbox every single time you update, only the first time.
    • Click "Check for Updates" in the upper left corner.
    • Follow the instructions to install the latest updates.
    • Reboot and repeat the "Check for Updates" until there are no more critical updates to install
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :).
Billy3

Edited by Billy O'Neal, 26 September 2008 - 03:13 PM.

Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#11 soken

soken
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:19 PM

Posted 26 September 2008 - 06:10 PM

Hi Billy

Thank you very much

I dont see anymore pop up finally !!!

thanks for your help :thumbsup:

#12 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:03:19 PM

Posted 26 September 2008 - 06:26 PM

Hello, soken.

You are very welcome :D

Since this issue appears resolved, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.

Billy3

Edited by Billy O'Neal, 26 September 2008 - 06:26 PM.

Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users