adware popups, forced restarts and system restore disabled


This topic is locked. 11 replies to this topic.

#1 terungaa (Members, 9 posts)

Posted 27 November 2008 - 08:40 PM

Hello! I've got a problem and was referred here. My brother's 12 and so is not fully aware of the dangers of the internet, let alone how to take preventative measures. As a result, he's visited a malicious website and it has given me some adware/spyware/malware. The problems I notice are popups in Firefox (ver. 3.0.4), and also frequent crashes. Oh, I'm running WinXP Pro SP1. Also, when I initially attempted to scan for the problem with Ad-Aware, my computer restarted. After giving up on Ad-Aware, I decided to try it again, and it worked, but didn't fix the problem. When it came time to restore my settings, I found that I could not go back further than this month (I could not view the calendar for October or September, etc.). Restoring the settings to the beginning of this month (I think the bug came on last month) has not fixed the problem.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:28:39 PM, on 11/28/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Documents and Settings\trung\Desktop\Stuff\Ad-Aware\aawservice.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Documents and Settings\trung\Desktop\Stuff\DU Meter\DUMeterSvc.exe
D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
D:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fpdisp3.exe
D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\WINDOWS\System32\rundll32.exe
D:\Documents and Settings\trung\Desktop\Stuff\WhatPulse\WhatPulse.exe
D:\Documents and Settings\trung\Desktop\Stuff\DU Meter\DUMeter.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\DOCUME~1\trung\LOCALS~1\Temp\Rar$EX00.289\utorrent.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O1 - Hosts: 67.223.225.199 irc.ntorrents.net
O1 - Hosts: 88.131.101.106 ntorrents.net
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {264427a1-3211-4811-8d9b-e56a44f7b9c7} - D:\WINDOWS\System32\gehiraso.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - D:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - D:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - D:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SSBkgdUpdate] "D:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "D:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [FinePrint Dispatcher] D:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fpdisp3.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Messenger] D:\WINDOWS\msmsgs.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] D:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [zazesizidu] Rundll32.exe "D:\WINDOWS\System32\pigopimu.dll",s
O4 - HKLM\..\Run: [3058bc54] rundll32.exe "D:\WINDOWS\System32\bajobifa.dll",b
O4 - HKLM\..\Run: [CPMa3e10c8b] Rundll32.exe "d:\windows\system32\supotala.dll",a
O4 - HKCU\..\Run: [WhatPulse] D:\Documents and Settings\trung\Desktop\Stuff\WhatPulse\WhatPulse.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "D:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKUS\S-1-5-19\..\Run: [zazesizidu] Rundll32.exe "D:\WINDOWS\System32\pigopimu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [zazesizidu] Rundll32.exe "D:\WINDOWS\System32\pigopimu.dll",s (User 'NETWORK SERVICE')
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Clean Traces - D:\Documents and Settings\trung\Desktop\Stuff\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - D:\Documents and Settings\trung\Desktop\Stuff\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\Documents and Settings\trung\Desktop\Stuff\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://D:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://D:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://D:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://D:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{9BFD0EB4-BD45-453F-B796-BEC695D1A2BD}: NameServer = 192.168.1.1
O20 - AppInit_DLLs: D:\WINDOWS\System32\vororeni.dll d:\windows\system32\wadejino.dll d:\windows\system32\supotala.dll d:\windows\system32\bazabezi.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - d:\windows\system32\supotala.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - d:\windows\system32\supotala.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Documents and Settings\trung\Desktop\Stuff\Ad-Aware\aawservice.exe
O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd - D:\Documents and Settings\trung\Desktop\Stuff\DU Meter\DUMeterSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 6378 bytes
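
Added example, not code from the thread, from HijackThis or from anyone in it: a small Python triage over lines copied from the HijackThis log above and from the second log posted later in this thread (reply #3). It flags the entries a responder reads first: the O20/O21/O22 hooks (AppInit_DLLs, ShellServiceObjectDelayLoad, SharedTaskScheduler), Run values that launch a DLL through rundll32, Run values under the LOCAL SERVICE / NETWORK SERVICE SIDs, BHOs registered without a name, and DLLs whose eight-letter consonant/vowel names match the ones in these logs. Given both logs it also reports persistence points whose identity (Run value name or CLSID) is the same in both while the DLL behind them changed, which is what the two logs here show. The name heuristic is an assumption tuned to this thread's logs, not a general rule, and the three reason strings are my own wording.

```python
"""Triage helpers for HijackThis (HJT) log lines. Added illustration, not
part of HijackThis or of the thread; the sample lines are copied from the
two logs posted in this thread and the name heuristic is an assumption."""
import re

ENTRY = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
RUN = re.compile(
    r"^(?P<hive>HK[A-Z]+(?:\\S-1-5-\d+)?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
DLL = re.compile(r"[A-Za-z]:\\.+?\.dll", re.I)
# Assumption: eight letters in strict consonant/vowel alternation, the
# pattern of every malicious DLL in these logs (pigopimu, supotala, ...).
RANDOM_NAME = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}$", re.I)
HOOKS = {"O20": "AppInit_DLLs", "O21": "SSODL", "O22": "SharedTaskScheduler"}
SERVICE_SIDS = {"S-1-5-19": "LOCAL SERVICE", "S-1-5-20": "NETWORK SERVICE"}


def parse(text):
    """One dict per HJT entry: section, body, a stable identity, DLL paths."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        ident = None
        if sec == "O4":
            r = RUN.match(body)
            if r:  # identity = hive + value name, not the file it points to
                ident = f"{r.group('hive')}\\Run\\{r.group('name')}"
        elif sec == "O20":
            ident = "AppInit_DLLs"
        else:
            c = CLSID.search(body)
            if c:  # BHO / SSODL / STS objects are keyed by CLSID
                ident = f"{sec}:{c.group(0).upper()}"
        entries.append({"sec": sec, "body": body, "ident": ident,
                        "dlls": [d.lower() for d in DLL.findall(body)]})
    return entries


def basename(path):
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def flag(entry):
    """Reasons a responder would inspect this entry; empty list = unremarkable."""
    sec, body, reasons = entry["sec"], entry["body"], []
    if sec in HOOKS:
        reasons.append(f"{HOOKS[sec]} hook loads a DLL into other processes")
    odd = [d for d in entry["dlls"] if RANDOM_NAME.match(basename(d))]
    if odd:
        reasons.append("random-looking DLL name: " + ", ".join(basename(d) for d in odd))
    if sec == "O4" and odd and "rundll32" in body.lower():
        reasons.append("rundll32 runs a DLL export at logon")
    if sec == "O4":
        for sid, acct in SERVICE_SIDS.items():
            if sid in body:
                reasons.append(f"Run value under the {acct} account")
    if sec == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("BHO registered without a name")
    return reasons


def triage(text):
    """(section, identity, reasons) for every flagged entry in one log."""
    out = []
    for e in parse(text):
        r = flag(e)
        if r:
            out.append((e["sec"], e["ident"], r))
    return out


def compare(old_text, new_text):
    """Identities present in both logs whose DLLs differ: the persistence
    point survived the cleanup and its payload was simply renamed."""
    old = {e["ident"]: e["dlls"] for e in parse(old_text) if e["ident"]}
    new = {e["ident"]: e["dlls"] for e in parse(new_text) if e["ident"]}
    return {k: (old[k], new[k]) for k in sorted(old.keys() & new.keys()) if old[k] != new[k]}


# Lines copied from the first log (reply #1) and the second log (reply #3).
OLD_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {264427a1-3211-4811-8d9b-e56a44f7b9c7} - D:\WINDOWS\System32\gehiraso.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [zazesizidu] Rundll32.exe "D:\WINDOWS\System32\pigopimu.dll",s
O4 - HKLM\..\Run: [3058bc54] rundll32.exe "D:\WINDOWS\System32\bajobifa.dll",b
O4 - HKLM\..\Run: [CPMa3e10c8b] Rundll32.exe "d:\windows\system32\supotala.dll",a
O4 - HKUS\S-1-5-19\..\Run: [zazesizidu] Rundll32.exe "D:\WINDOWS\System32\pigopimu.dll",s (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: D:\WINDOWS\System32\vororeni.dll d:\windows\system32\wadejino.dll d:\windows\system32\supotala.dll d:\windows\system32\bazabezi.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - d:\windows\system32\supotala.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - d:\windows\system32\supotala.dll
"""
NEW_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {264427a1-3211-4811-8d9b-e56a44f7b9c7} - D:\WINDOWS\System32\nisawoyi.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [3058bc54] rundll32.exe "D:\WINDOWS\System32\hiwumeku.dll",b
O4 - HKLM\..\Run: [CPMa3e10c8b] Rundll32.exe "d:\windows\system32\zitosaba.dll",a
O4 - HKLM\..\Run: [zazesizidu] Rundll32.exe "D:\WINDOWS\System32\vativise.dll",s
O20 - AppInit_DLLs: d:\windows\system32\zitosaba.dll,D:\WINDOWS\System32\zevehahu.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - d:\windows\system32\zitosaba.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - d:\windows\system32\zitosaba.dll
"""

if __name__ == "__main__":
    for sec, ident, reasons in triage(OLD_LOG):
        print(f"{sec:4} {ident}: {'; '.join(reasons)}")
    for ident, (before, after) in compare(OLD_LOG, NEW_LOG).items():
        print(f"RENAMED {ident}: {before} -> {after}")
```

The point of `compare` is that the Run value names (`zazesizidu`, `3058bc54`, `CPMa3e10c8b`) and the BHO/SSODL CLSIDs are identical in both logs while every DLL name differs, so tracking by file name alone would make the second log look like a different infection instead of the same persistence with a renamed payload.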


#2 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 28 November 2008 - 04:15 AM

Hi,

I understand that you need help in order to get rid of the malware that is present on your system, but you need to help us first.
I notice that you never scanned with an antivirus before starting this thread, because you don't even have an antivirus installed!
This is somewhat suicidal in today's digital world.
That's why I want you to install one first!!

* Please install Avira Antivirus: http://www.free-av.com/
This is a free antivirus.

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There, doubleclick the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThis log.
Then we'll start from there, because it really makes no sense otherwise that we clean this up manually if an antivirus scanner is not present which should be able to deal with most of it and prevent further reinfection.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 terungaa (Topic Starter, Members, 9 posts)

Posted 02 December 2008 - 01:35 AM

Yeah, OK, I understand. Here's Avira's report:

Avira AntiVir Personal
Report file date: Sunday, November 30, 2008 12:19

Scanning for 1369550 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 1) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: DESKTOP

Version information:
BUILD.DAT : 8.2.0.334 16933 Bytes 10/16/2008 14:55:00
AVSCAN.EXE : 8.1.4.7 315649 Bytes 6/25/2008 23:57:53
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/25/2008 22:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 03:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/25/2008 22:58:52
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 01:33:34
ANTIVIR1.VDF : 7.0.5.1 8182784 Bytes 6/24/2008 04:54:15
ANTIVIR2.VDF : 7.0.5.20 142336 Bytes 6/30/2008 20:20:53
ANTIVIR3.VDF : 7.0.5.23 17408 Bytes 6/30/2008 00:24:47
Engineversion : 8.2.0.4
AEVDF.DLL : 8.1.0.6 102772 Bytes 10/14/2008 01:05:56
AESCRIPT.DLL : 8.1.1.8 319866 Bytes 10/16/2008 02:43:34
AESCN.DLL : 8.1.1.3 123252 Bytes 10/14/2008 01:05:56
AERDL.DLL : 8.1.1.2 438644 Bytes 9/11/2008 21:06:02
AEPACK.DLL : 8.1.2.4 369014 Bytes 10/14/2008 01:05:56
AEOFFICE.DLL : 8.1.0.28 196987 Bytes 10/14/2008 01:05:56
AEHEUR.DLL : 8.1.0.59 1438071 Bytes 9/18/2008 00:07:50
AEHELP.DLL : 8.1.1.2 115062 Bytes 10/14/2008 01:05:56
AEGEN.DLL : 8.1.0.41 319861 Bytes 10/14/2008 01:05:56
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/14/2008 01:05:56
AECORE.DLL : 8.1.2.6 172406 Bytes 10/14/2008 01:05:56
AEBB.DLL : 8.1.0.3 53618 Bytes 10/14/2008 01:05:56
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/8/2008 23:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 00:28:01
AVREP.DLL : 7.0.0.1 155688 Bytes 6/30/2008 05:35:20
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 02:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/11/2008 23:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 03:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/22/2008 08:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 03:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 03:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 04:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 04:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: d:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, D:, P:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Sunday, November 30, 2008 12:19

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'utorrent.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'GoogleUpdaterService.exe' - '1' Module(s) have been scanned
Scan process 'DUMeterSvc.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'WhatPulse.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'fpdisp3.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
28 processes with 28 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!
Boot sector 'P:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '53' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\Documents and Settings\trung\Local Settings\Temporary Internet Files\Content.IE5\53T7U5UY\swflash[1].cab
[0] Archive type: CAB (Microsoft)
--> FP_AX_CAB_INSTALLER.exe
[WARNING] No further files can be extracted from this archive. The archive will be closed
Begin scan in 'D:\'
D:\hiberfil.sys
[WARNING] The file could not be opened!
D:\pagefile.sys
[WARNING] The file could not be opened!
D:\Documents and Settings\khoa\Incomplete\Preview-T-5745425-moment in the sun.mp3
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
[WARNING] The file was ignored!
D:\Documents and Settings\khoa\Incomplete\T-5745425-moment in the sun.mp3
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
[WARNING] The file was ignored!
D:\System Volume Information\_restore{35794430-9371-4CA9-BB68-9742655AEEBC}\RP237\A0248749.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to '4964061e.qua'!
D:\WINDOWS\system32\ynhqttqd.dll
[DETECTION] Contains a recognition pattern of the (harmful) BDS/Pcclient.adk back-door program
[NOTE] The file was moved to '499a17c5.qua'!
Begin scan in 'P:\' <Dsik>
P:\autorun.inf
[DETECTION] Is the TR/Autorun.EM Trojan
[NOTE] The file was moved to '49a63b28.qua'!
P:\RECYCLER\RECYCLER\autorun.exe
[0] Archive type: OVL
--> Object
[DETECTION] Contains recognition pattern of the DR/PcClient.Gen dropper
[NOTE] The file was moved to '49a63bed.qua'!
P:\Seeds\Xilisoft Video Converter Ultimate - Win + keygen\x-video-converter-ultimate.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '49a83c00.qua'!
P:\System Volume Information\_restore{35794430-9371-4CA9-BB68-9742655AEEBC}\RP219\A0226192.inf
[DETECTION] Is the TR/Autorun.EM Trojan
[NOTE] The file was moved to '49643c09.qua'!
P:\System Volume Information\_restore{35794430-9371-4CA9-BB68-9742655AEEBC}\RP221\A0229230.inf
[DETECTION] Is the TR/Autorun.EM Trojan
[NOTE] The file was moved to '49643c0c.qua'!
P:\System Volume Information\_restore{35794430-9371-4CA9-BB68-9742655AEEBC}\RP226\A0236316.inf
[DETECTION] Is the TR/Autorun.EM Trojan
[NOTE] The file was moved to '49643c0d.qua'!
P:\System Volume Information\_restore{35794430-9371-4CA9-BB68-9742655AEEBC}\RP227\A0236389.inf
[DETECTION] Is the TR/Autorun.EM Trojan
[NOTE] The file was moved to '49643c0f.qua'!
P:\System Volume Information\_restore{35794430-9371-4CA9-BB68-9742655AEEBC}\RP228\A0236418.inf
[DETECTION] Is the TR/Autorun.EM Trojan
[NOTE] The file was moved to '49643c10.qua'!
P:\System Volume Information\_restore{35794430-9371-4CA9-BB68-9742655AEEBC}\RP228\A0236446.inf
[DETECTION] Is the TR/Autorun.EM Trojan
[NOTE] The file was moved to '49643c12.qua'!
P:\System Volume Information\_restore{35794430-9371-4CA9-BB68-9742655AEEBC}\RP229\A0237477.inf
[DETECTION] Is the TR/Autorun.EM Trojan
[NOTE] The file was moved to '49643c14.qua'!
P:\System Volume Information\_restore{35794430-9371-4CA9-BB68-9742655AEEBC}\RP230\A0242494.inf
[DETECTION] Is the TR/Autorun.EM Trojan
[NOTE] The file was moved to '49643c15.qua'!
P:\System Volume Information\_restore{35794430-9371-4CA9-BB68-9742655AEEBC}\RP231\A0242556.inf
[DETECTION] Is the TR/Autorun.EM Trojan
[NOTE] The file was moved to '49643c16.qua'!
P:\System Volume Information\_restore{35794430-9371-4CA9-BB68-9742655AEEBC}\RP231\A0243539.inf
[DETECTION] Is the TR/Autorun.EM Trojan
[NOTE] The file was moved to '49643c18.qua'!
P:\System Volume Information\_restore{35794430-9371-4CA9-BB68-9742655AEEBC}\RP234\A0245643.inf
[DETECTION] Is the TR/Autorun.EM Trojan
[NOTE] The file was moved to '49643c19.qua'!
P:\System Volume Information\_restore{35794430-9371-4CA9-BB68-9742655AEEBC}\RP241\A0252117.inf
[DETECTION] Is the TR/Autorun.EM Trojan
[NOTE] The file was moved to '49643c1a.qua'!
P:\System Volume Information\_restore{35794430-9371-4CA9-BB68-9742655AEEBC}\RP241\A0252118.exe
[0] Archive type: OVL
--> Object
[DETECTION] Contains recognition pattern of the DR/PcClient.Gen dropper
[NOTE] The file was moved to '49643c1c.qua'!
P:\System Volume Information\_restore{35794430-9371-4CA9-BB68-9742655AEEBC}\RP241\A0252119.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '49643c1e.qua'!


End of the scan: Sunday, November 30, 2008 18:08
Used time: 5:49:03 Hour(s)

The scan has been done completely.

9510 Scanning directories
455266 Files were scanned
21 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
19 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
455243 Files not concerned
5462 Archives were scanned
5 Warnings
19 Notes

And here's a new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:33:55 PM, on 12/2/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
D:\Documents and Settings\trung\Desktop\Stuff\DU Meter\DUMeterSvc.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fpdisp3.exe
D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
D:\Documents and Settings\trung\Desktop\Stuff\WhatPulse\WhatPulse.exe
D:\Documents and Settings\trung\Desktop\Stuff\Ad-Aware\aawservice.exe
D:\DOCUME~1\trung\LOCALS~1\Temp\Rar$EX02.675\utorrent.exe
D:\Program Files\Mozilla Firefox\firefox.exe
d:\program files\avira\antivir personaledition classic\avcenter.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O1 - Hosts: 67.223.225.199 irc.ntorrents.net
O1 - Hosts: 88.131.101.106 ntorrents.net
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {264427a1-3211-4811-8d9b-e56a44f7b9c7} - D:\WINDOWS\System32\nisawoyi.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - D:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - D:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - D:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SSBkgdUpdate] "D:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "D:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [FinePrint Dispatcher] D:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fpdisp3.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Messenger] D:\WINDOWS\msmsgs.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] D:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [3058bc54] rundll32.exe "D:\WINDOWS\System32\hiwumeku.dll",b
O4 - HKLM\..\Run: [CPMa3e10c8b] Rundll32.exe "d:\windows\system32\zitosaba.dll",a
O4 - HKLM\..\Run: [zazesizidu] Rundll32.exe "D:\WINDOWS\System32\vativise.dll",s
O4 - HKCU\..\Run: [WhatPulse] D:\Documents and Settings\trung\Desktop\Stuff\WhatPulse\WhatPulse.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "D:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Clean Traces - D:\Documents and Settings\trung\Desktop\Stuff\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - D:\Documents and Settings\trung\Desktop\Stuff\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\Documents and Settings\trung\Desktop\Stuff\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://D:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://D:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://D:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://D:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{9BFD0EB4-BD45-453F-B796-BEC695D1A2BD}: NameServer = 192.168.1.1
O20 - AppInit_DLLs: d:\windows\system32\zitosaba.dll,D:\WINDOWS\System32\zevehahu.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - d:\windows\system32\zitosaba.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - d:\windows\system32\zitosaba.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Documents and Settings\trung\Desktop\Stuff\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd - D:\Documents and Settings\trung\Desktop\Stuff\DU Meter\DUMeterSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 6617 bytes
Thanks for your help.
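
Added example, not from the thread and not Avira's own tooling: a Python parser for the Avira report format posted above, run over an excerpt copied from that report. It separates findings on the live system from copies inside System Volume Information (System Restore snapshots, which only matter if a restore point is applied), lists live findings the scan did not quarantine (here the two mp3 files whose detection was "ignored"), files it could not open, and volumes whose root autorun.inf was detected (P:). The field names in the summary are my own. One caveat a responder keeps in mind, visible in the HijackThis log posted right after this report: quarantining a DLL says nothing about the registry hooks that loaded it, which is why the O4/O20/O21/O22 entries are still there.

```python
"""Parser for Avira AntiVir report files of the kind posted in this thread.
Added illustration, not Avira tooling or the poster's; the excerpt below is
copied from the report above."""
import re
from dataclasses import dataclass, field

PATH = re.compile(r"^[A-Za-z]:\\")
TAG = re.compile(r"^\[(?P<tag>DETECTION|WARNING|NOTE|INFO|\d+)\]\s*(?P<msg>.*)$")
RESTORE = re.compile(r"\\System Volume Information\\_restore\{", re.I)
DET_NAME = re.compile(r"(?:Is the|of the(?: \(harmful\))?) (?P<name>[A-Z]{2,3}/[\w.\-]+)")


@dataclass
class Finding:
    path: str
    detection: str = ""                           # Avira signature name, "" if none
    actions: list = field(default_factory=list)   # WARNING / NOTE lines that followed

    @property
    def quarantined(self):
        return any("moved to" in a for a in self.actions)

    @property
    def in_restore_point(self):
        # Copies under System Volume Information are System Restore
        # snapshots, not the running system; they return on a restore.
        return bool(RESTORE.search(self.path))

    @property
    def volume(self):
        return self.path[:2].upper()


def parse_report(text):
    """A Finding for every scanned path that got at least one tagged line."""
    findings, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH.match(line):            # a new file record starts
            cur = Finding(path=line)
            findings.append(cur)
            continue
        m = TAG.match(line)
        if not (m and cur):
            continue
        tag, msg = m.group("tag"), m.group("msg")
        if tag == "DETECTION":
            n = DET_NAME.search(msg)
            cur.detection = n.group("name") if n else msg
        elif tag in ("WARNING", "NOTE"):
            cur.actions.append(msg)
    return findings


def summarize(findings):
    """What is on the live system, what was handled, and what was not."""
    detected = [f for f in findings if f.detection]
    live = [f for f in detected if not f.in_restore_point]
    return {
        "total_detections": len(detected),
        "restore_point_copies": sum(1 for f in detected if f.in_restore_point),
        "live_quarantined": [f.path for f in live if f.quarantined],
        "live_not_handled": [f.path for f in live if not f.quarantined],
        "unscanned": [f.path for f in findings if not f.detection
                      and any("could not be opened" in a for a in f.actions)],
        "families_live": sorted({f.detection for f in live}),
        "volumes_with_autorun": sorted({f.volume for f in findings
                                        if f.path.lower().endswith(":\\autorun.inf")}),
    }


# Excerpt copied from the report above (not the whole file).
REPORT = r"""
Begin scan in 'C:\'
C:\Documents and Settings\trung\Local Settings\Temporary Internet Files\Content.IE5\53T7U5UY\swflash[1].cab
[0] Archive type: CAB (Microsoft)
--> FP_AX_CAB_INSTALLER.exe
[WARNING] No further files can be extracted from this archive. The archive will be closed
Begin scan in 'D:\'
D:\hiberfil.sys
[WARNING] The file could not be opened!
D:\Documents and Settings\khoa\Incomplete\T-5745425-moment in the sun.mp3
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
[WARNING] The file was ignored!
D:\System Volume Information\_restore{35794430-9371-4CA9-BB68-9742655AEEBC}\RP237\A0248749.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to '4964061e.qua'!
D:\WINDOWS\system32\ynhqttqd.dll
[DETECTION] Contains a recognition pattern of the (harmful) BDS/Pcclient.adk back-door program
[NOTE] The file was moved to '499a17c5.qua'!
Begin scan in 'P:\' <Dsik>
P:\autorun.inf
[DETECTION] Is the TR/Autorun.EM Trojan
[NOTE] The file was moved to '49a63b28.qua'!
P:\RECYCLER\RECYCLER\autorun.exe
[0] Archive type: OVL
--> Object
[DETECTION] Contains recognition pattern of the DR/PcClient.Gen dropper
[NOTE] The file was moved to '49a63bed.qua'!
P:\Seeds\Xilisoft Video Converter Ultimate - Win + keygen\x-video-converter-ultimate.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '49a83c00.qua'!
P:\System Volume Information\_restore{35794430-9371-4CA9-BB68-9742655AEEBC}\RP219\A0226192.inf
[DETECTION] Is the TR/Autorun.EM Trojan
[NOTE] The file was moved to '49643c09.qua'!
"""

if __name__ == "__main__":
    for key, value in summarize(parse_report(REPORT)).items():
        print(f"{key}: {value}")
```

`live_not_handled` is the list to act on: an "ignored" detection on a downloaded file means the file is still where it was, and `volumes_with_autorun` names the drive whose root autorun.inf pointed at a copy of `RECYCLER\autorun.exe`, the classic removable-media spreading pattern, so that volume should stay unplugged or be cleaned before it touches another machine.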

#4 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 02 December 2008 - 07:08 AM

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

#5 terungaa (Topic Starter, Members, 9 posts)

Posted 03 December 2008 - 05:57 AM

Hello,
Here's the combofix log:

ComboFix 08-12-01.03 - trung 2008-12-03 21:25:19.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.312 [GMT 11:00]
Running from: d:\documents and settings\trung\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\windows\system32\abovituw.ini
d:\windows\system32\afibojab.ini
d:\windows\system32\bazabezi.dll
d:\windows\system32\daluwimo.dll
d:\windows\system32\dimulozi.dll
d:\windows\system32\ehiledik.ini
d:\windows\system32\ehusufow.ini
d:\windows\system32\epilehov.ini
d:\windows\system32\fatopoze.dll
d:\windows\system32\fivipute.dll
d:\windows\system32\genakoso.dll
d:\windows\system32\guhukene.dll
d:\windows\system32\havomuzo.dll
d:\windows\system32\hikepohe.dll
d:\windows\system32\ibosahom.ini
d:\windows\system32\igoyinib.ini
d:\windows\system32\ijafoyeb.ini
d:\windows\system32\izolumid.ini
d:\windows\system32\jutepeso.dll
d:\windows\system32\kekuhiwu.dll
d:\windows\system32\kelewaba.dll
d:\windows\system32\kozezupo.dll
d:\windows\System32\ligijupu.dll
d:\windows\system32\mohasobi.dll
d:\windows\system32\namiviko.dll
d:\windows\System32\nisawoyi.dll
d:\windows\system32\nuvoyijo.dll
d:\windows\system32\obavunah.ini
d:\windows\system32\ojiyovun.ini
d:\windows\system32\ozumovah.ini
d:\windows\system32\rivenape.dll
d:\windows\system32\supotala.dll
d:\windows\system32\tigefeki.dll
d:\windows\system32\udajiwiw.ini
d:\windows\system32\ugijarot.ini
d:\windows\system32\ugodohum.ini
d:\windows\system32\ukefeyar.ini
d:\windows\system32\ukemuwih.ini
d:\windows\system32\upujigil.ini
d:\windows\system32\uyomayes.ini
d:\windows\system32\uzogemof.ini
d:\windows\System32\vativise.dll
d:\windows\system32\vohelipe.dll
d:\windows\system32\wadejino.dll
d:\windows\system32\wamejawe.dll
d:\windows\system32\wofusuhe.dll
d:\windows\system32\worusego.dll
d:\windows\system32\wutivoba.dll
d:\windows\system32\yofiyuya.dll
d:\windows\system32\zevehahu.dll
d:\windows\system32\zitosaba.dll
d:\windows\system32\zohewigu.dll
p:\recycler\desktop.ini

.
((((((((((((((((((((((((( Files Created from 2008-11-03 to 2008-12-03 )))))))))))))))))))))))))))))))
.

2008-11-29 14:10 . 2008-11-29 14:10 <DIR> d-------- d:\program files\Avira
2008-11-29 14:10 . 2008-11-29 14:10 <DIR> d-------- d:\documents and settings\All Users\Application Data\Avira
2008-11-28 12:25 . 2008-11-28 12:25 <DIR> d-------- d:\program files\Trend Micro
2008-11-28 09:41 . 2008-11-28 09:41 <DIR> d-------- d:\program files\Common Files\Wise Installation Wizard
2008-11-28 09:41 . 2008-11-28 09:41 <DIR> d-------- d:\program files\Common Files\Ahead
2008-11-24 15:58 . 2008-11-28 09:42 <DIR> d-------- d:\documents and settings\trung\Application Data\FinePrint
2008-11-24 08:13 . 2008-11-24 09:05 <DIR> d-------- d:\documents and settings\All Users\Application Data\Lavasoft
2008-11-22 14:52 . 2008-11-28 18:37 <DIR> d-------- d:\program files\LimeWire
2008-11-15 16:58 . 2008-11-24 16:52 69 --a------ d:\windows\NeroDigital.ini
2008-11-13 16:49 . 2008-11-28 09:23 <DIR> d-------- d:\program files\Ahead
2008-11-13 16:49 . 2004-07-26 17:16 1,568,768 --------- d:\windows\system32\ImagX7.dll
2008-11-13 16:49 . 2004-07-26 17:16 476,320 --------- d:\windows\system32\ImagXpr7.dll
2008-11-13 16:49 . 2004-07-26 17:16 471,040 --------- d:\windows\system32\ImagXRA7.dll
2008-11-13 16:49 . 2004-07-09 09:43 364,544 --------- d:\windows\system32\TwnLib4.dll
2008-11-13 16:49 . 2004-07-26 17:16 262,144 --------- d:\windows\system32\ImagXR7.dll
2008-11-13 16:49 . 2001-07-09 11:50 155,648 --a------ d:\windows\system32\NeroCheck.exe
2008-11-13 16:49 . 2005-09-01 12:03 127,488 --------- d:\windows\system32\drivers\imagesrv.sys
2008-11-13 16:49 . 2000-06-26 11:45 106,496 --a------ d:\windows\system32\TwnLib20.dll
2008-11-13 16:49 . 2005-09-01 12:03 5,888 --------- d:\windows\system32\drivers\imagedrv.sys
2008-11-09 14:40 . 2002-08-29 01:48 14,208 --a------ d:\windows\system32\drivers\usbscan.sys
2008-11-09 14:40 . 2002-08-29 01:48 14,208 --a--c--- d:\windows\system32\dllcache\usbscan.sys
2008-11-06 19:18 . 2008-11-22 13:28 <DIR> d-------- d:\program files\Counter-Strike 1.6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-03 10:13 --------- d-----w d:\documents and settings\trung\Application Data\uTorrent
2008-12-03 08:33 --------- d-----w d:\documents and settings\All Users\Application Data\Google Updater
2008-12-02 10:00 --------- d---a-w d:\documents and settings\All Users\Application Data\TEMP
2008-11-08 08:09 --------- d-----w d:\documents and settings\trung\Application Data\FileZilla
2008-10-30 05:57 --------- d-----w d:\documents and settings\trung\Application Data\Canon
2008-10-25 04:21 --------- d-----w d:\program files\Canon
2008-10-25 04:20 --------- d--h--w d:\program files\CanonBJ
2008-10-25 04:20 --------- d--h--w d:\documents and settings\All Users\Application Data\CanonBJ
2008-10-25 03:29 --------- d--h--w d:\program files\InstallShield Installation Information
2008-10-25 03:29 --------- d-----w d:\program files\Common Files\InstallShield
2008-10-23 08:03 --------- d-----w d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-23 07:19 --------- d-----w d:\program files\Spybot - Search & Destroy
2008-10-23 06:55 --------- d-----w d:\documents and settings\trung\Application Data\Xilisoft Corporation
2008-10-07 06:11 --------- d-----w d:\program files\Common Files\Adobe
2008-09-21 12:24 23,032 ----a-w d:\documents and settings\trung\Application Data\GDIPFONTCACHEV1.DAT
2002-08-29 09:05 101,376 ----a-w d:\program files\hal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WhatPulse"="d:\documents and settings\trung\Desktop\Stuff\WhatPulse\WhatPulse.exe" [2006-08-22 665600]
"CTSyncU.exe"="d:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-06-13 700416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSBkgdUpdate"="d:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-29 185896]
"OpwareSE4"="d:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-12 75304]
"FinePrint Dispatcher"="d:\windows\System32\spool\DRIVERS\W32X86\2\fpdisp3.exe" [1999-07-31 220160]
"SunJavaUpdateSched"="d:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"CanonMyPrinter"="d:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-09-14 1603152]
"NeroFilterCheck"="d:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"avgnt"="d:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - d:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

R0 avgntmgr;avgntmgr;d:\windows\System32\DRIVERS\avgntmgr.sys [2008-11-29 22336]
R1 avgntdd;avgntdd;d:\windows\System32\DRIVERS\avgntdd.sys [2008-11-29 45376]
R2 DUMeterSvc;DU Meter Service;d:\documents and settings\trung\Desktop\Stuff\DU Meter\DUMeterSvc.exe /startedbyscm:E1F6D4BE-40E33354-DUMeterService [2008-04-25 1382672]
S3 ynhqttqd;ynhqttqd;\??\d:\windows\System32\drivers\ynhqttqd.sys []
S4 hpt3xx;hpt3xx; []
.
- - - - ORPHANS REMOVED - - - -

BHO-{264427a1-3211-4811-8d9b-e56a44f7b9c7} - d:\windows\System32\nisawoyi.dll
HKLM-Run-Windows Messenger - d:\windows\msmsgs.exe
HKLM-Run-Cmaudio - cmicnfg.cpl


.
------- Supplementary Scan -------
.
FireFox -: Profile - d:\documents and settings\trung\Application Data\Mozilla\Firefox\Profiles\lj3n1sdq.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - about:blank
FF -: plugin - d:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-03 21:52:38
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\DUMeterSvc]
"ImagePath"="d:\documents and settings\trung\Desktop\Stuff\DU Meter\DUMeterSvc.exe /startedbyscm:E1F6D4BE-40E33354-DUMeterService"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(764)
d:\windows\System32\ODBC32.dll

- - - - - - - > 'lsass.exe'(820)
d:\windows\System32\dssenh.dll
.
------------------------ Other Running Processes ------------------------
.
d:\documents and settings\trung\Desktop\Stuff\Ad-Aware\aawservice.exe
d:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
d:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
d:\documents and settings\trung\Desktop\Stuff\DU Meter\DUMeterSvc.exe
d:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
d:\windows\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2008-12-03 21:54:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-03 10:54:24

Pre-Run: 10,929,291,264 bytes free
Post-Run: 10,936,041,472 bytes free

180


And here's the new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:56:53 PM, on 12/3/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Documents and Settings\trung\Desktop\Stuff\Ad-Aware\aawservice.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
D:\Documents and Settings\trung\Desktop\Stuff\DU Meter\DUMeterSvc.exe
D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
D:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fpdisp3.exe
D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
D:\Program Files\Canon\MyPrinter\BJMyPrt.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
D:\Documents and Settings\trung\Desktop\Stuff\WhatPulse\WhatPulse.exe
D:\WINDOWS\System32\wuauclt.exe
D:\WINDOWS\explorer.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - D:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - D:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - D:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SSBkgdUpdate] "D:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "D:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [FinePrint Dispatcher] D:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fpdisp3.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] D:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [WhatPulse] D:\Documents and Settings\trung\Desktop\Stuff\WhatPulse\WhatPulse.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "D:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Clean Traces - D:\Documents and Settings\trung\Desktop\Stuff\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - D:\Documents and Settings\trung\Desktop\Stuff\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\Documents and Settings\trung\Desktop\Stuff\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://D:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://D:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://D:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://D:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{9BFD0EB4-BD45-453F-B796-BEC695D1A2BD}: NameServer = 192.168.1.1
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Documents and Settings\trung\Desktop\Stuff\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd - D:\Documents and Settings\trung\Desktop\Stuff\DU Meter\DUMeterSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 6184 bytes

#6 miekiemoes
Malware Killer Dog, Malware Response Team
19,420 posts, Belgium

Posted 03 December 2008 - 06:07 AM

Hi,

Not sure why there's a hal.dll file present in your Program Files folder while it should be in your system32 folder. Did you ever have a problem with hal.dll in the past (an error during boot so your computer didn't boot anymore), and did you try to replace it from a CD and put it in the wrong folder?
In any case, the legitimate hal.dll in the system32 folder will be present anyway, otherwise you wouldn't be able to boot.

Anyway, do next please...

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

Filelook::
d:\program files\hal.dll
Driver::
ynhqttqd
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000000


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 terungaa (Topic Starter)
Members, 9 posts

Posted 04 December 2008 - 01:25 AM

Hello again. Here's the new ComboFix log:

ComboFix 08-12-02.02 - trung 2008-12-04 17:15:32.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.322 [GMT 11:00]
Running from: d:\documents and settings\trung\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\trung\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_YNHQTTQD
-------\Service_ynhqttqd


((((((((((((((((((((((((( Files Created from 2008-11-04 to 2008-12-04 )))))))))))))))))))))))))))))))
.

2008-11-29 14:10 . 2008-11-29 14:10 <DIR> d-------- d:\program files\Avira
2008-11-29 14:10 . 2008-11-29 14:10 <DIR> d-------- d:\documents and settings\All Users\Application Data\Avira
2008-11-28 12:25 . 2008-11-28 12:25 <DIR> d-------- d:\program files\Trend Micro
2008-11-28 09:41 . 2008-11-28 09:41 <DIR> d-------- d:\program files\Common Files\Wise Installation Wizard
2008-11-28 09:41 . 2008-11-28 09:41 <DIR> d-------- d:\program files\Common Files\Ahead
2008-11-24 15:58 . 2008-11-28 09:42 <DIR> d-------- d:\documents and settings\trung\Application Data\FinePrint
2008-11-24 08:13 . 2008-11-24 09:05 <DIR> d-------- d:\documents and settings\All Users\Application Data\Lavasoft
2008-11-22 14:52 . 2008-11-28 18:37 <DIR> d-------- d:\program files\LimeWire
2008-11-15 16:58 . 2008-11-24 16:52 69 --a------ d:\windows\NeroDigital.ini
2008-11-13 16:49 . 2008-11-28 09:23 <DIR> d-------- d:\program files\Ahead
2008-11-13 16:49 . 2004-07-26 17:16 1,568,768 --------- d:\windows\system32\ImagX7.dll
2008-11-13 16:49 . 2004-07-26 17:16 476,320 --------- d:\windows\system32\ImagXpr7.dll
2008-11-13 16:49 . 2004-07-26 17:16 471,040 --------- d:\windows\system32\ImagXRA7.dll
2008-11-13 16:49 . 2004-07-09 09:43 364,544 --------- d:\windows\system32\TwnLib4.dll
2008-11-13 16:49 . 2004-07-26 17:16 262,144 --------- d:\windows\system32\ImagXR7.dll
2008-11-13 16:49 . 2001-07-09 11:50 155,648 --a------ d:\windows\system32\NeroCheck.exe
2008-11-13 16:49 . 2005-09-01 12:03 127,488 --------- d:\windows\system32\drivers\imagesrv.sys
2008-11-13 16:49 . 2000-06-26 11:45 106,496 --a------ d:\windows\system32\TwnLib20.dll
2008-11-13 16:49 . 2005-09-01 12:03 5,888 --------- d:\windows\system32\drivers\imagedrv.sys
2008-11-09 14:40 . 2002-08-29 01:48 14,208 --a------ d:\windows\system32\drivers\usbscan.sys
2008-11-09 14:40 . 2002-08-29 01:48 14,208 --a--c--- d:\windows\system32\dllcache\usbscan.sys
2008-11-06 19:18 . 2008-11-22 13:28 <DIR> d-------- d:\program files\Counter-Strike 1.6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-03 11:23 --------- d-----w d:\documents and settings\trung\Application Data\uTorrent
2008-12-03 08:33 --------- d-----w d:\documents and settings\All Users\Application Data\Google Updater
2008-12-02 10:00 --------- d---a-w d:\documents and settings\All Users\Application Data\TEMP
2008-11-08 08:09 --------- d-----w d:\documents and settings\trung\Application Data\FileZilla
2008-10-30 05:57 --------- d-----w d:\documents and settings\trung\Application Data\Canon
2008-10-25 04:21 --------- d-----w d:\program files\Canon
2008-10-25 04:20 --------- d--h--w d:\program files\CanonBJ
2008-10-25 04:20 --------- d--h--w d:\documents and settings\All Users\Application Data\CanonBJ
2008-10-25 03:29 --------- d--h--w d:\program files\InstallShield Installation Information
2008-10-25 03:29 --------- d-----w d:\program files\Common Files\InstallShield
2008-10-23 08:03 --------- d-----w d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-23 07:19 --------- d-----w d:\program files\Spybot - Search & Destroy
2008-10-23 06:55 --------- d-----w d:\documents and settings\trung\Application Data\Xilisoft Corporation
2008-10-07 06:11 --------- d-----w d:\program files\Common Files\Adobe
2008-09-21 12:24 23,032 ----a-w d:\documents and settings\trung\Application Data\GDIPFONTCACHEV1.DAT
2002-08-29 09:05 101,376 ----a-w d:\program files\hal.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.


---- d:\program files\hal.dll ----
Company: Microsoft Corporation
File Description: Hardware Abstraction Layer DLL
File Version: 5.1.2600.1106 (xpsp1.020828-1920)
Product Name: Microsoftr Windowsr Operating System
Copyright: c Microsoft Corporation. All rights reserved.
Original file name: hal.dll
MD5: 14899fb16e1263bdc6e17aec0a69bb97


((((((((((((((((((((((((((((( snapshot@2008-12-03_21.53.44.12 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-03 10:30:29 32,768 ----a-w d:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-04 06:05:36 32,768 ----a-w d:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-12-03 10:30:29 32,768 ----a-w d:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-04 06:05:36 32,768 ----a-w d:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-12-03 10:30:29 163,840 ----a-w d:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-04 06:05:36 163,840 ----a-w d:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-12-03 10:25:05 270,336 ----a-w d:\windows\system32\config\systemprofile\ntuser.dat
+ 2008-12-04 06:15:20 270,336 ----a-w d:\windows\system32\config\systemprofile\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WhatPulse"="d:\documents and settings\trung\Desktop\Stuff\WhatPulse\WhatPulse.exe" [2006-08-22 665600]
"CTSyncU.exe"="d:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-06-13 700416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSBkgdUpdate"="d:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-29 185896]
"OpwareSE4"="d:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-12 75304]
"FinePrint Dispatcher"="d:\windows\System32\spool\DRIVERS\W32X86\2\fpdisp3.exe" [1999-07-31 220160]
"SunJavaUpdateSched"="d:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"CanonMyPrinter"="d:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-09-14 1603152]
"NeroFilterCheck"="d:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"avgnt"="d:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - d:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
"msacm.ac3filter"= ac3filter.acm

R0 avgntmgr;avgntmgr;d:\windows\System32\DRIVERS\avgntmgr.sys [2008-11-29 22336]
R1 avgntdd;avgntdd;d:\windows\System32\DRIVERS\avgntdd.sys [2008-11-29 45376]
R2 DUMeterSvc;DU Meter Service;d:\documents and settings\trung\Desktop\Stuff\DU Meter\DUMeterSvc.exe /startedbyscm:E1F6D4BE-40E33354-DUMeterService [2008-04-25 1382672]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-04 17:19:02
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\DUMeterSvc]
"ImagePath"="d:\documents and settings\trung\Desktop\Stuff\DU Meter\DUMeterSvc.exe /startedbyscm:E1F6D4BE-40E33354-DUMeterService"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(764)
d:\windows\System32\ODBC32.dll

- - - - - - - > 'lsass.exe'(820)
d:\windows\System32\dssenh.dll
.
------------------------ Other Running Processes ------------------------
.
d:\documents and settings\trung\Desktop\Stuff\Ad-Aware\aawservice.exe
d:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
d:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
d:\documents and settings\trung\Desktop\Stuff\DU Meter\DUMeterSvc.exe
d:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
d:\windows\system32\wdfmgr.exe
d:\program files\Avira\AntiVir PersonalEdition Classic\update.exe
.
**************************************************************************
.
Completion time: 2008-12-04 17:21:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-04 06:21:30
ComboFix2.txt 2008-12-03 10:54:45

Pre-Run: 11,964,235,776 bytes free
Post-Run: 11,954,024,448 bytes free

140

And the new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:24:03 PM, on 12/4/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Documents and Settings\trung\Desktop\Stuff\Ad-Aware\aawservice.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
D:\Documents and Settings\trung\Desktop\Stuff\DU Meter\DUMeterSvc.exe
D:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
D:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fpdisp3.exe
D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
D:\Program Files\Canon\MyPrinter\BJMyPrt.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
D:\Documents and Settings\trung\Desktop\Stuff\WhatPulse\WhatPulse.exe
D:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\wuauclt.exe
D:\WINDOWS\explorer.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - D:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - D:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - D:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SSBkgdUpdate] "D:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "D:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [FinePrint Dispatcher] D:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fpdisp3.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] D:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [WhatPulse] D:\Documents and Settings\trung\Desktop\Stuff\WhatPulse\WhatPulse.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "D:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Clean Traces - D:\Documents and Settings\trung\Desktop\Stuff\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - D:\Documents and Settings\trung\Desktop\Stuff\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\Documents and Settings\trung\Desktop\Stuff\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://D:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://D:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://D:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://D:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{9BFD0EB4-BD45-453F-B796-BEC695D1A2BD}: NameServer = 192.168.1.1
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Documents and Settings\trung\Desktop\Stuff\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd - D:\Documents and Settings\trung\Desktop\Stuff\DU Meter\DUMeterSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 6244 bytes


What have you gathered from this? Have you seen a problem yet, or is it trial and error at this stage? Thanks for your time.

#8 miekiemoes
Malware Killer Dog, Malware Response Team
19,420 posts, Belgium

Posted 04 December 2008 - 01:32 AM

what have you gathered from this? have you seen a problem yet, or is it trial and error at this stage? thanks for your time.

Not sure if you have noticed that Combofix and Avira already deleted the malware.

You are using Download Accelerator (DAP). Be informed that it delivers popup/popunder ads and tracks your internet usage. You can find safer alternatives here: http://www.spywareinfo.com/downloads.php?cat=dlman#dlman
I suggest you remove it. Go to Start > Settings > Control Panel > Add/Remove Programs and remove it.

Then: * Start HijackThis, close all open windows, leaving only HijackThis running. Place a check against each of the following:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O8 - Extra context menu item: &Clean Traces - D:\Documents and Settings\trung\Desktop\Stuff\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - D:\Documents and Settings\trung\Desktop\Stuff\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\Documents and Settings\trung\Desktop\Stuff\DAP\dapextie2.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Then: your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 11.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 11".
  • Click the "Download" button to the right.
  • For Platform, select "Windows"
  • For language, select your language
  • Read the License agreement and then Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
  • Click Continue
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • Java™ 6 Update 5
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.
Then, go to Start > Run and copy and paste the next command into the field:

ComboFix /u

Make sure there's a space between ComboFix and /.
Then hit Enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files, and reset System Restore again.

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 miekiemoes


    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 07 December 2008 - 04:39 AM

Let me know in your next reply how things are now.

Still with us?

#10 terungaa

  • Topic Starter
  • Members
  • 9 posts

Posted 07 December 2008 - 06:02 AM

Yep, sorry, a little busy at the moment. The popups are gone, DAP and ComboFix have been removed and java has been updated. Here's the hijackthis log to confirm:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:01:24 PM, on 12/7/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Documents and Settings\trung\Desktop\Stuff\Ad-Aware\aawservice.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
D:\Documents and Settings\trung\Desktop\Stuff\DU Meter\DUMeterSvc.exe
D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
D:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fpdisp3.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
D:\Documents and Settings\trung\Desktop\Stuff\WhatPulse\WhatPulse.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - D:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - D:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - D:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SSBkgdUpdate] "D:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "D:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [FinePrint Dispatcher] D:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fpdisp3.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] D:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [WhatPulse] D:\Documents and Settings\trung\Desktop\Stuff\WhatPulse\WhatPulse.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "D:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://D:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://D:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://D:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://D:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O17 - HKLM\System\CCS\Services\Tcpip\..\{9BFD0EB4-BD45-453F-B796-BEC695D1A2BD}: NameServer = 192.168.1.1
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Documents and Settings\trung\Desktop\Stuff\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd - D:\Documents and Settings\trung\Desktop\Stuff\DU Meter\DUMeterSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 5643 bytes


I thank you for all the time and effort you've sent my way.

trung.

#11 miekiemoes


    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 07 December 2008 - 06:15 AM

Hi,

This looks OK again.

Glad I could help. :thumbsup:

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#12 miekiemoes


    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 15 December 2008 - 06:40 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.