Can't Remove Chinese Web Page Hijacker


  • This topic is locked
2 replies to this topic

#1 dburn

dburn

  • Members
  • 3 posts
  • OFFLINE
  • Local time:02:59 PM

Posted 16 December 2008 - 12:22 AM

I have a browser hijacker that keeps setting my home page to a Chinese site. It also opens additional windows bringing up more Chinese web sites. I am running Windows XP SP3, IE7, Norton AntiVirus. Norton has not detected that there is a problem. I have run Malwarebytes Anti-Malware, Spybot (although initially my computer would crash with a blue screen and reboot during the scan, it now will complete the scan OK), Super-Anti Spyware, CCleaner, and ComboFix and I still don't even know the name of the hijacker. I have run Hijack This and have the log. There are some suspicious looking items on it but I need someone with greater expertise to take a look. I have also run Kaspersky and will paste the log from that below. I have also run DDS and will paste the files from that below. I am now getting RUNDLL32.EXE errors on bootup and I am also getting an error on shutdown but I could not get that one written down yet. These were not initially happening. I did delete a couple of suspicious files but I cannot correlate the occurrence of these errors with any specific actions. I also found at one point that my privileges to access security events in the Event Viewer were restricted even though I am the system administrator (and the only user of this computer). I was able to change this but found this to be very odd. Nothing has worked to identify what kind of infection I have yet let alone remove it. I noticed however that Kaspersky has identified a number of infections. Please help! It's only been a few months since I re-installed everything on a new hard drive. I really don't want to start over again!

DDS (Version 1.0.1) - NTFSx86
Run by Dale B at 23:45:42.89 on Mon 12/15/2008
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.452 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\SVCHOST.exe -kcctvnews
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Rainbow Technologies\SPN Combo Installer\1.0.5\Server\WinNT\spnsrvnt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\WINPAKPRO\NCIArchive.exe
C:\Program Files\WINPAKPRO\NCICore.exe
C:\Program Files\WINPAKPRO\WP GuardTour Service.exe
C:\Program Files\WINPAKPRO\WP Schedule Service.exe
C:\Program Files\WINPAKPRO\WP CmdFile Service.exe
C:\Program Files\WINPAKPRO\WP Communications Server.exe
C:\Program Files\WINPAKPRO\WP Muster Service.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\system32\hphmon04.exe
C:\Program Files\QuickTime\qttask.exe
C:\svhcsots.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\HPHipm11.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dale B\Local Settings\Temporary Internet Files\Content.IE5\WXMY1MA2\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.dxcpm.com/?16_20081213
mStart Page = hxxp://class.caiyi8.com/1.asp
uInternet Settings,ProxyOverride = 127.0.0.1
BHO: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [Nero PhotoShow Media Manager] c:\progra~1\nero\neroph~1\data\xtras\mssysmgr.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Motive SmartBridge] c:\progra~1\sbcsel~1\smartb~1\MotiveSB.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton antivirus\osCheck.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [HPHmon04] c:\windows\system32\hphmon04.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [lasassf] c:\svhcsots.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\daleb~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\daleb~1\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\at&tse~1.lnk - c:\program files\sbc self support tool\bin\matcli.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
dPolicies-explorer: StartMenuLogOff = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: winkill - winkill.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\SASDIFSV.SYS [2008-12-4 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\SASKUTIL.sys [2008-12-4 55024]
R2 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccSvcHst.exe" /h ccCommon [2008-1-25 149352]
R2 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccSvcHst.exe" /h ccCommon [2008-1-25 149352]
R2 cctvnews;cctvnews;c:\windows\system32\SVCHOST.exe -kcctvnews []
R2 GuardTourService;WIN-PAK Guard Tour Server;c:\program files\winpakpro\WP GuardTour Service.exe [2008-10-28 315392]
R2 LiveUpdate Notice;LiveUpdate Notice;"c:\program files\common files\symantec shared\ccSvcHst.exe" /h ccCommon [2008-1-25 149352]
R2 ScheduleService;WIN-PAK Schedule Service;c:\program files\winpakpro\WP Schedule Service.exe [2008-10-28 552960]
R2 WPCommandFileService;WIN-PAK Command File Service;c:\program files\winpakpro\WP CmdFile Service.exe [2008-10-28 294912]
R2 WPCommunicationsService;WIN-PAK Communication Server;c:\program files\winpakpro\WP Communications Server.exe [2008-10-28 1085440]
R2 WPDatabaseArchiveService;WIN-PAK Archive Database Server;c:\program files\winpakpro\NCIArchive.exe [2008-10-28 847872]
R2 WPDatabaseService;WIN-PAK Database Server;c:\program files\winpakpro\NCICore.exe [2008-10-28 847872]
R2 WPMusterService;WIN-PAK Muster Server;c:\program files\winpakpro\WP Muster Service.exe [2008-10-28 241664]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-2 99376]
S2 vcxrdf cfrblie;vcxrdf cfrblie;c:\windows\system32\vcxrdf cfrblie.exe [2008-12-12 297984]
S2 Connection Wizard;Connection Wizard;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S2 LiveServer;Windows Live Safety Center;c:\program files\outlook express\oemiglib.exe []
S2 pubwins;pubwin服务管理系统;c:\windows\system32\SVCHOST.exe -k pubwins [2004-8-4 14336]
S2 qdfriwr krfgvce;qdfriwr krfgvce;c:\windows\system32\qdfriwr krfgvce.exe [2008-12-8 297472]
S2 qikstvis server;qikstvis server ;c:\windows\system32\qikstvis.exe [2008-11-26 263900]
S2 Windows Internet Exp1orer;Windows Internet Exp1orer;c:\program files\internet explorer\signup\instal [2008-12-13 571392]
S2 wstdin servoi yhne-ktsvcis.exe;wstdin servoi;c:\windows\system32\yihne-tsvcis.exe [2008-11-15 263168]
S2 ycypimnk;ycypimnk;\??\c:\windows\system32\drivers\wqnnst.sys []
S2 yzruicuc;yzruicuc;\??\c:\windows\system32\drivers\zprxqu.sys []
S3 COH_Mon;COH_Mon;\??\c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]
S3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20081215.004\NAVENG.SYS [2008-12-15 89104]
S3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20081215.004\NAVEX15.SYS [2008-12-15 876112]
S3 SASENUM;SASENUM;\??\c:\program files\superantispyware\SASENUM.SYS [2008-12-4 7408]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\D:\NTGLM7X.sys []
S3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2008-7-22 1245064]

============== File Associations ===============

inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"

=============== Created Last 30 ================

2008-12-13 16:39 11,254 a------- c:\windows\system32\locate.com
2008-12-13 16:38 64,771 a------- C:\MGlogs.zip
2008-12-13 16:38 <DIR> --d----- C:\MGtools
2008-12-13 16:12 <DIR> a-dshr-- C:\cmdcons
2008-12-13 16:10 161,792 a------- c:\windows\SWREG.exe
2008-12-13 16:10 98,816 a------- c:\windows\sed.exe
2008-12-13 04:22 127 a------- c:\windows\system32\MRT.INI
2008-12-12 22:02 297,984 a------- c:\windows\system32\vcxrdf cfrblie.exe
2008-12-12 18:40 78 a------- c:\windows\system32\dboy1.sys
2008-12-12 14:31 1,312,755 a------- C:\MGtools.exe
2008-12-12 14:17 <DIR> --d----- c:\program files\CCleaner
2008-12-12 13:43 <DIR> --d----- c:\windows\pss
2008-12-12 01:27 <DIR> --d----- c:\windows\ERUNT
2008-12-12 01:27 <DIR> --d----- C:\!FixIEDef
2008-12-12 00:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2008-12-12 00:12 <DIR> --d----- c:\program files\SUPERAntiSpyware
2008-12-12 00:12 <DIR> --d----- c:\docume~1\daleb~1\applic~1\SUPERAntiSpyware.com
2008-12-12 00:10 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-12-10 14:23 <DIR> --d----- c:\docume~1\daleb~1\applic~1\Malwarebytes
2008-12-10 14:23 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-10 14:23 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-10 14:23 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-10 14:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-08 23:41 11,620 a------- c:\windows\system32\wyayzc.key
2008-12-08 22:05 1 a------- c:\windows\system32\0003fd4a.ini
2008-12-08 20:48 34,304 a------- c:\windows\system32\ntsvc.ocx
2008-12-08 20:48 <DIR> --d----- c:\windows\system32\winrm
2008-12-08 20:48 297,472 ---shr-- c:\windows\system32\qdfriwr krfgvce.exe
2008-12-08 19:46 <DIR> --d----- c:\program files\IObit
2008-12-08 19:33 <DIR> --d----- C:\Computer Utilities
2008-12-08 19:24 118,784 a------- c:\windows\system32\MSSTDFMT.DLL
2008-12-08 19:24 <DIR> --d----- c:\program files\SpywareBlaster
2008-12-07 23:08 254,741 a------- c:\windows\system32\Down(1).exe
2008-12-07 16:14 221,184 a------- c:\windows\system32\wmpns.dll
2008-12-07 02:35 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-12-07 02:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-12-07 02:20 <DIR> --d----- c:\program files\Trend Micro
2008-12-06 01:46 215,552 -c-shr-- c:\windows\system32\dllcache\termsrvhack.dll
2008-12-06 01:46 215,552 ---shr-- c:\windows\system32\termsrvhack.dll
2008-12-02 02:13 1 a------- c:\windows\system32\00053634.ini
2008-12-02 01:52 15,872 a------- c:\windows\system32\Down(8).exe
2008-12-02 01:52 15,872 a------- c:\windows\system32\Down(7).exe
2008-12-02 01:44 15,872 a------- c:\windows\system32\Down(6).exe
2008-12-02 01:37 15,872 a------- c:\windows\system32\Down(5).exe
2008-12-02 01:33 193,536 a------- c:\windows\system32\Down(3).exe
2008-12-01 00:03 81 a------- c:\windows\system32\sysme.bat
2008-12-01 00:03 74 a------- c:\windows\system32\tencent.sys
2008-11-26 21:14 263,900 ---shr-- c:\windows\system32\qikstvis.exe
2008-11-20 18:48 <DIR> --d----- c:\documents and settings\dale b\.housecall6.6
2008-11-20 18:42 410,984 a------- c:\windows\system32\deploytk.dll
2008-11-20 18:42 73,728 a------- c:\windows\system32\javacpl.cpl
2008-11-19 00:06 45,453 a------- c:\windows\system32\xxlgxb.cpl
2008-11-16 14:14 127 a------- c:\windows\system32\x.bat
2008-11-16 02:03 19,456 ---shr-- c:\windows\system32\winkill.dll

==================== Find3M ====================

2008-12-09 02:05 263,168 ---shr-- c:\windows\system32\yihne-tsvcis.exe
2008-11-13 22:39 471,040 a------- c:\windows\system32\xxlgxb.exe
2008-11-13 14:35 15,683 a------- c:\windows\system32\test1.exe
2008-11-12 11:42 32,768 ---shr-- C:\svhcsots.exe
2008-10-24 06:21 455,296 a------- c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 15:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-03 05:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-21 11:11 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat

============= FINISH: 23:46:08.45 ===============
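
An added triage script, not part of the original post or of the DDS tool, that parses the kinds of lines a malware-response helper reads first in a DDS log (start pages, autoruns, winlogon Notify entries, the SERVICES / DRIVERS block and the "Created Last 30" list) and flags the patterns visible in the log above: services with no file date/size, svchost launched with an unrecognised -k group, randomly generated names, an autorun living in the drive root, a Notify DLL with no path, and recently created hidden+system files in system32. The sample input is a constructed subset of lines copied from the posted log; the svchost group allowlist and the vowel-ratio threshold for "random-looking" names are assumptions of this example.

```python
import re

# svchost -k service groups normally present on Windows XP (assumed allowlist,
# not exhaustive; a group outside it deserves a look, it is not proof of malware).
KNOWN_SVCHOST_GROUPS = {"netsvcs", "dcomlaunch", "imgsvc", "rpcss",
                        "localservice", "networkservice", "netsvc"}
VOWELS = set("aeiou")

# Constructed sample: a subset of lines copied from the DDS log posted above.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.dxcpm.com/?16_20081213
mStart Page = hxxp://class.caiyi8.com/1.asp
uInternet Settings,ProxyOverride = 127.0.0.1
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [lasassf] c:\svhcsots.exe
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: winkill - winkill.dll
R2 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccSvcHst.exe" /h ccCommon [2008-1-25 149352]
R2 cctvnews;cctvnews;c:\windows\system32\SVCHOST.exe -kcctvnews []
S2 qdfriwr krfgvce;qdfriwr krfgvce;c:\windows\system32\qdfriwr krfgvce.exe [2008-12-8 297472]
S2 ycypimnk;ycypimnk;\??\c:\windows\system32\drivers\wqnnst.sys []
2008-12-08 20:48 297,472 ---shr-- c:\windows\system32\qdfriwr krfgvce.exe
2008-12-06 01:46 215,552 ---shr-- c:\windows\system32\termsrvhack.dll
2008-12-10 14:23 15,504 a------- c:\windows\system32\drivers\mbam.sys
"""

# Line shapes used by DDS: u/m prefix = per-user / per-machine registry hive.
START_RE = re.compile(r"^[um]Start Page = (.*)$")
RUN_RE = re.compile(r"^[um]Run: \[([^\]]*)\] (.*)$")
NOTIFY_RE = re.compile(r"^Notify: \S+ - (.*)$")
SERVICE_RE = re.compile(r"^[RS]\d [^;]*;([^;]*);(.*?) \[([^\]]*)\]$")
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} (?:<DIR>|[\d,]+) ([a-z-]{8}) (.*)$")
ROOT_FILE_RE = re.compile(r'^"?[a-z]:\\[^\\]+\.(?:exe|dll|bat|scr)"?$', re.I)
SVCHOST_GROUP_RE = re.compile(r"svchost\.exe\s*-k\s*(\S+)", re.I)


def looks_random(name):
    """Names with very few vowels, e.g. 'qdfriwr krfgvce' (threshold assumed)."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < 6:
        return False
    return sum(c in VOWELS for c in letters) / len(letters) < 0.25


def triage(log_text):
    """Return (line, reason) pairs for entries a helper would review first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := START_RE.match(line):
            findings.append((line, f"browser start page set to {m.group(1)}; confirm the user chose it"))
        elif "ProxyOverride" in line:
            findings.append((line, "proxy override set; check the proxy configuration was not hijacked"))
        elif m := RUN_RE.match(line):
            key, target = m.groups()
            if ROOT_FILE_RE.match(target):
                findings.append((line, "autorun target lives in a drive root"))
            elif looks_random(key):
                findings.append((line, "autorun key name looks randomly generated"))
        elif m := NOTIFY_RE.match(line):
            # A winlogon Notify DLL named without a path is loaded via the search path.
            if "\\" not in m.group(1):
                findings.append((line, "winlogon notify DLL given without a full path"))
        elif m := SERVICE_RE.match(line):
            display, path, info = m.groups()
            if not info:  # DDS prints [] when it could not stat the service binary
                findings.append((line, "service has no file date/size (file missing or hidden)"))
            g = SVCHOST_GROUP_RE.search(path)
            if g and g.group(1).lower() not in KNOWN_SVCHOST_GROUPS:
                findings.append((line, f"svchost uses unknown -k group {g.group(1)!r}"))
            if looks_random(display):
                findings.append((line, "service display name looks randomly generated"))
        elif m := CREATED_RE.match(line):
            attrs, path = m.groups()
            # attribute column: a=archive, d=dir, s=system, h=hidden, r=read-only
            if "s" in attrs and "h" in attrs and "system32" in path.lower():
                findings.append((line, "recently created hidden+system file in system32"))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
```

Every finding is a prompt for a human to look at the file (signature, publisher, creation date), not a verdict; legitimate entries such as ccEvtMgr and mbam.sys in the sample produce no finding.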


#2 dburn

dburn
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:02:59 PM

Posted 17 December 2008 - 06:07 PM

With help I received elsewhere, I think I have this issue resolved. I believe the primary culprit was a backdoor called "Backdoor.WIN32.Hupigon.a". The Kaspersky online scan was the only scan that I could see that came up with a name for the virus associated with the suspect files. This one seemed to be particularly hard to detect and identify. Can anyone recommend some anti-virus software that works better than Norton? I had a number of malware infections that Norton was oblivious to.

#3 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:59 PM

Posted 24 December 2008 - 12:34 PM

Hello.

With help I received elsewhere, I think I have this issue resolved.

Since the problem seems to be resolved, this topic is now closed.
If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter.

Everyone else please start a new topic in the Hijackthis-Malware Removal Forum.

Can anyone recommend some anti-virus software that works better than Norton? I had a number of malware infections that Norton was oblivious to.

Please take a look at this forum for some security programs. If you want you can start a new topic there and people will aid/suggest you with any security programs that they like/dislike.

Since this is not related to any malware issues anymore it is Closed.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.




