Advanced Virus Remover deleted but still hijacking Google


  • This topic is locked
28 replies to this topic

#1 snowoncedars

  • Members
  • 14 posts

Posted 17 November 2009 - 10:44 PM

Hello,

Yesterday when browsing on Google Chrome I somehow triggered the Advanced Virus Remover trojan, which rendered Google unopenable, and severely hobbled IE. It also made it impossible to open the Task Manager or run Regedit.

I installed Spyware Doctor and paid for a subscription, and it cleaned some related files, but the stupid "Infected" alert balloons continued, and Chrome, Task Manager and Regedit still didn't work.

I then installed RegCure, and was able to render inactive the remaining elements of the trojan by disabling some parts of the registry and restarting. Then I could use Chrome etc. again. Next, after some research online I realised I needed to delete the element Windows86.exe or something like that from the registry, and when I did so, the intrusive balloons stopped even after I restored the rest of the registry.

However, Google remains hijacked -- some menus don't work, and when I try to do a search or use Google News, the search is directed to the site 10Click. Spyware Doctor recognises the presence of "Spyware Possible Website Hack", and the "Host Entry" for this lists 23 Google sites (www.google.com plus international variants) and three Yahoo search sites. But Spyware Doctor says it was unable to clean this spyware.

I tried uninstalling and reinstalling Chrome, but that didn't help, which I guess isn't surprising. (Google is still affected in IE.)

I would very much appreciate advice on how to rescue Google, as I have reached the limits of my meager skills.

Below is the DDS log. The Attach and Ark files are attached.

Thank you in advance.

Richard Donovan



DDS (Ver_09-10-26.01) - FAT32x86
Run by Richard at 12:01:03.01 on 2009/11/18
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.932.81.1041.18.1015.301 [GMT 9:00]

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\ATKGFNEX\GFNEXSrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\RegCure\RegCure.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\ASUS\Splendid\ACMON.exe
C:\Program Files\Atheros\ACU.exe
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\WINDOWS\AsScrPro.exe
C:\Program Files\ASUS\ATK Hotkey\HControl.exe
C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
C:\Program Files\ATKOSD2\ATKOSD2.exe
C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
C:\Program Files\ASUS\ATK Hotkey\HControlUser.exe
C:\WINDOWS\system32\ACEngSvr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\ASUS\ATK Hotkey\MsgTranAgt.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\CNAB2RPK.EXE
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\EMOBILE HW Utility\EMOBILE HW Utility.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ASUS\ATK Hotkey\ATKOSD.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ASUS\ATK Hotkey\KBFiltr.exe
C:\Program Files\ASUS\ATK Hotkey\WDC.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Documents and Settings\Richard\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Spyware Doctor\pctsGui.exe
C:\Documents and Settings\Richard\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Richard\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Richard\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Richard\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Richard\My Documents\Downloads\dds.scr
C:\WINDOWS\system32\conime.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mDefault_Page_URL = hxxp://www.asus.com
uInternet Connection Wizard,ShellNext = hxxp://www.asus.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live サインイン ヘルパー: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [Mobile Partner] "c:\program files\emobile hw utility\EMOBILE HW Utility.exe"
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Skype] "c:\program files\skype\\phone\Skype.exe" /nosplash /minimized
uRun: [Google Update] "c:\documents and settings\richard\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [ACMON] "c:\program files\asus\splendid\ACMON.exe"
mRun: [ACU] "c:\program files\atheros\ACU.exe" -nogui
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Alcmtr] ALCMTR.EXE
mRun: [ASUS Live Update] c:\program files\asus\asus live update\ALU.exe
mRun: [ASUS Screen Saver Protector] c:\windows\AsScrPro.exe
mRun: [ATKHOTKEY] c:\program files\asus\atk hotkey\HControl.exe
mRun: [ATKMEDIA] c:\program files\asus\atk media\DMEDIA.EXE
mRun: [ATKOSD2] "c:\program files\atkosd2\ATKOSD2.exe"
mRun: [CLMLServer] "c:\program files\cyberlink\power2go\CLMLSvc.exe"
mRun: [HControlUser] c:\program files\asus\atk hotkey\HControlUser.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMJPMIG9.0] c:\progra~1\common~1\micros~1\ime\imjp9\IMJPMIG.EXE /Preload /Migration32
mRun: [LanguageShortcut] "c:\program files\asustek\asusdvd\language\Language.exe"
mRun: [MsgTranAgt] c:\program files\asus\atk hotkey\MsgTranAgt.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [nwiz] nwiz.exe /install
mRun: [P2Go_Menu] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [Power_Gear] c:\program files\asus\power4 gear\BatteryLife.exe 1
mRun: [PSQLLauncher] "c:\program files\protector suite ql\launcher.exe" /startup
mRun: [RemoteControl] "c:\program files\asustek\asusdvd\PDVDServ.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Wireless Console 2] "c:\program files\wireless console 2\wcourier.exe"
dRun: [ctfmon.exe] ctfmon.exe
StartupFolder: c:\docume~1\richard\ベター~1\プロバ~1\ベター~1\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\ベター~1\プロバ~1\ベター~1\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
uPolicies-explorer: NoActiveDesktop = 1 (0x1)
IE: Microsoft Excel にエクスポート(&X) - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
LSP: c:\windows\system32\winhelper86.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
TCP: {86693F68-DAC4-4BCE-93C3-A1FCF7FDDF45} = 117.55.64.154 60.254.209.158
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
LSA: Notification Packages = scecli psqlpwd
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-11-18 206256]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-11-18 348824]
R3 ASNDIS5;ASNDIS5 Protocol Driver;c:\progra~1\asus\atkhot~1\ASNDIS5.SYS [2004-5-27 16269]
R3 WSIMD;wsimd Service;c:\windows\system32\drivers\wsimd.sys [2009-4-8 57408]
S3 CRFILTER;USB Mass Storage Filter;c:\windows\system32\drivers\CRFILTER.sys [2008-4-6 6656]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2008-6-25 39072]

=============== Created Last 30 ================

2009-11-18 02:42:07 0 d-----w- c:\program files\Trend Micro
2009-11-18 01:14:25 45056 ----a-w- c:\windows\system32\acovcnt.exe
2009-11-17 21:07:00 0 d-----w- c:\windows\pss
2009-11-17 20:27:45 0 d-----w- c:\docume~1\alluse~1\applic~1\RegCure
2009-11-17 19:17:01 32786 ----a-w- c:\windows\system32\19169.exe
2009-11-17 18:56:52 32786 ----a-w- c:\windows\system32\26500.exe
2009-11-17 17:51:06 0 ----a-w- c:\windows\system32\AVR10.exe
2009-11-17 15:23:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-11-17 15:23:25 86888 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-11-17 15:23:25 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-11-17 15:23:25 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-11-17 15:23:08 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-11-17 15:22:45 0 d-----w- c:\program files\Spyware Doctor
2009-11-17 15:22:45 0 d-----w- c:\docume~1\richard\applic~1\PC Tools
2009-11-17 15:22:45 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2009-11-17 15:07:40 32786 ----a-w- c:\windows\system32\6334.exe
2009-11-17 15:02:21 0 d-----w- c:\program files\common files\PC Tools
2009-11-17 14:49:03 0 d-----w- c:\program files\Enigma Software Group
2009-11-17 14:47:33 32786 ----a-w- c:\windows\system32\18467.exe
2009-11-17 14:27:29 0 ----a-w- c:\windows\system32\41.exe
2009-11-17 14:27:11 23040 ----a-w- c:\windows\system32\winhelper86.dll
2009-11-17 14:22:47 24848 ----a-w- c:\windows\system32\winupdate86.exe

==================== Find3M ====================

2009-10-19 23:51:44 3091968 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-10-10 19:17:28 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-25 05:35:28 657408 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:35:28 657408 ------w- c:\windows\system32\dllcache\wininet.dll
2009-09-25 05:35:28 622592 ------w- c:\windows\system32\dllcache\urlmon.dll
2009-09-25 05:35:28 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll
2009-09-25 05:35:24 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-25 05:35:24 81920 ------w- c:\windows\system32\dllcache\ieencode.dll
2009-09-11 14:17:02 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:17:02 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 21:03:40 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 21:03:40 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-08-26 08:00:24 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 08:00:24 247326 ------w- c:\windows\system32\dllcache\strmdll.dll

============= FINISH: 12:02:37.20 ===============



#2 km2357

  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 25 November 2009 - 02:40 PM

Hello and welcome to Bleeping Computer.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

Sorry for the delay in replying, the forum is very busy. If you still need help, please post a fresh DDS Log.

MalWare Removal University Master

Member of ASAP


#3 km2357

  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 28 November 2009 - 12:54 PM

snowoncedars? Do you still need help?

MalWare Removal University Master

Member of ASAP


#4 snowoncedars (Topic Starter)

  • Members
  • 14 posts

Posted 28 November 2009 - 09:33 PM

Hello, thanks for your reply. For some reason I didn't receive email notification of your first posting, which is why I didn't reply earlier.

Yes, I still need help. Google is still being hijacked, though that is the only symptom I'm aware of.

Below is the fresh DDS log.

Thanks for your help.
Richard



DDS (Ver_09-11-29.01) - FAT32x86
Run by Richard at 11:27:43.21 on 2009/11/29
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.932.81.1041.18.1015.375 [GMT 9:00]

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\ATKGFNEX\GFNEXSrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\CNAB2RPK.EXE
C:\Program Files\RegCure\RegCure.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\ASUS\Splendid\ACMON.exe
C:\Program Files\Atheros\ACU.exe
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\WINDOWS\AsScrPro.exe
C:\Program Files\ASUS\ATK Hotkey\HControl.exe
C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
C:\Program Files\ATKOSD2\ATKOSD2.exe
C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
C:\Program Files\ASUS\ATK Hotkey\HControlUser.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\ASUS\ATK Hotkey\MsgTranAgt.exe
C:\WINDOWS\system32\ACEngSvr.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\EMOBILE HW Utility\EMOBILE HW Utility.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Documents and Settings\Richard\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\ASUS\ATK Hotkey\ATKOSD.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\ASUS\ATK Hotkey\KBFiltr.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\ASUS\ATK Hotkey\WDC.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Documents and Settings\Richard\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Richard\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Richard\My Documents\Downloads\dds (1).scr
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mDefault_Page_URL = hxxp://www.asus.com
uInternet Connection Wizard,ShellNext = hxxp://www.asus.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live サインイン ヘルパー: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [Mobile Partner] "c:\program files\emobile hw utility\EMOBILE HW Utility.exe"
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Skype] "c:\program files\skype\\phone\Skype.exe" /nosplash /minimized
uRun: [Google Update] "c:\documents and settings\richard\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [ACMON] "c:\program files\asus\splendid\ACMON.exe"
mRun: [ACU] "c:\program files\atheros\ACU.exe" -nogui
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Alcmtr] ALCMTR.EXE
mRun: [ASUS Live Update] c:\program files\asus\asus live update\ALU.exe
mRun: [ASUS Screen Saver Protector] c:\windows\AsScrPro.exe
mRun: [ATKHOTKEY] c:\program files\asus\atk hotkey\HControl.exe
mRun: [ATKMEDIA] c:\program files\asus\atk media\DMEDIA.EXE
mRun: [ATKOSD2] "c:\program files\atkosd2\ATKOSD2.exe"
mRun: [CLMLServer] "c:\program files\cyberlink\power2go\CLMLSvc.exe"
mRun: [HControlUser] c:\program files\asus\atk hotkey\HControlUser.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMJPMIG9.0] c:\progra~1\common~1\micros~1\ime\imjp9\IMJPMIG.EXE /Preload /Migration32
mRun: [LanguageShortcut] "c:\program files\asustek\asusdvd\language\Language.exe"
mRun: [MsgTranAgt] c:\program files\asus\atk hotkey\MsgTranAgt.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [nwiz] nwiz.exe /install
mRun: [P2Go_Menu] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [Power_Gear] c:\program files\asus\power4 gear\BatteryLife.exe 1
mRun: [PSQLLauncher] "c:\program files\protector suite ql\launcher.exe" /startup
mRun: [RemoteControl] "c:\program files\asustek\asusdvd\PDVDServ.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Wireless Console 2] "c:\program files\wireless console 2\wcourier.exe"
dRun: [ctfmon.exe] ctfmon.exe
StartupFolder: c:\docume~1\richard\ベター~1\プロバ~1\ベター~1\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\ベター~1\プロバ~1\ベター~1\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
uPolicies-explorer: NoActiveDesktop = 1 (0x1)
IE: Microsoft Excel にエクスポート(&X) - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
TCP: {86693F68-DAC4-4BCE-93C3-A1FCF7FDDF45} = 117.55.64.154 60.254.209.158
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
LSA: Notification Packages = scecli psqlpwd
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
Hosts: 89.149.210.61 www.google.com
Hosts: 89.149.210.61 www.google.de
Hosts: 89.149.210.61 www.google.fr
Hosts: 89.149.210.61 www.google.co.uk
Hosts: 89.149.210.61 www.google.com.br

Note: multiple HOSTS entries found. Please refer to Attach.txt

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-11-18 206256]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-11-18 348824]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-11-18 1097096]
S3 CRFILTER;USB Mass Storage Filter;c:\windows\system32\drivers\CRFILTER.sys [2008-4-6 6656]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2008-6-25 39072]

=============== Created Last 30 ================

2009-11-28 07:10:01 1559685 ------w- c:\windows\system32\dllcache\ntprint.cat
2009-11-27 16:08:43 0 d-----w- c:\windows\system32\XPSViewer
2009-11-27 16:07:41 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-11-27 16:07:41 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-11-27 16:07:41 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-11-27 16:07:41 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-11-27 16:07:41 117760 ------w- c:\windows\system32\prntvpt.dll
2009-11-27 16:07:40 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-11-27 16:07:40 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-11-27 16:07:40 0 d-----w- C:\20e407d7d87b8dabfc
2009-11-24 19:40:20 0 d-----w- c:\program files\Microsoft Office Outlook Connector
2009-11-24 19:28:59 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2009-11-24 19:28:42 0 d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-11-24 19:26:00 0 d-----w- c:\program files\Microsoft
2009-11-24 19:06:42 0 d-sh--w- C:\FOUND.001
2009-11-18 02:42:07 0 d-----w- c:\program files\Trend Micro
2009-11-17 21:07:00 0 d-----w- c:\windows\pss
2009-11-17 20:27:45 0 d-----w- c:\docume~1\alluse~1\applic~1\RegCure
2009-11-17 19:17:01 32786 ----a-w- c:\windows\system32\19169.exe
2009-11-17 18:56:52 32786 ----a-w- c:\windows\system32\26500.exe
2009-11-17 15:23:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-11-17 15:23:25 86888 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-11-17 15:23:25 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-11-17 15:23:25 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-11-17 15:23:08 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-11-17 15:22:45 0 d-----w- c:\program files\Spyware Doctor
2009-11-17 15:22:45 0 d-----w- c:\docume~1\richard\applic~1\PC Tools
2009-11-17 15:22:45 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2009-11-17 15:07:40 32786 ----a-w- c:\windows\system32\6334.exe
2009-11-17 15:02:21 0 d-----w- c:\program files\common files\PC Tools
2009-11-17 14:49:03 0 d-----w- c:\program files\Enigma Software Group
2009-11-17 14:47:33 32786 ----a-w- c:\windows\system32\18467.exe
2009-11-17 14:27:29 0 ----a-w- c:\windows\system32\41.exe

==================== Find3M ====================

2009-11-28 15:25:48 71388 ----a-w- c:\windows\system32\perfc011.dat
2009-11-28 15:25:48 228186 ----a-w- c:\windows\system32\perfh011.dat
2009-10-19 23:51:44 3091968 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-10-10 19:17:28 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-25 05:35:28 657408 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:35:28 657408 ------w- c:\windows\system32\dllcache\wininet.dll
2009-09-25 05:35:28 622592 ------w- c:\windows\system32\dllcache\urlmon.dll
2009-09-25 05:35:28 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll
2009-09-25 05:35:24 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-25 05:35:24 81920 ------w- c:\windows\system32\dllcache\ieencode.dll
2009-09-11 14:17:02 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:17:02 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 21:03:40 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 21:03:40 58880 ------w- c:\windows\system32\dllcache\msasn1.dll

============= FINISH: 11:29:25.50 ===============
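A defender-side check for the Hosts: entries in the DDS log above, added here as an example; it is not part of the thread, of DDS or of Spyware Doctor. It parses a Windows-style hosts file, flags search-engine hostnames mapped to anything other than loopback or 0.0.0.0, and groups the hits by destination address so a "many domains to one IP" redirection stands out; the WATCHED patterns and the SAMPLE_HOSTS text are assumptions constructed for the example, reusing the address and hostnames the log reports.

```python
"""Detect hosts-file search-engine hijacks of the kind shown in the DDS log.

Example code added for this thread; not part of DDS, Spyware Doctor or the
original post. Reads a hosts file as text and flags watched search-engine
hostnames that resolve to anything other than loopback or the unspecified
address, then groups the hits by destination IP.
"""
import ipaddress
import re
from collections import defaultdict

# Hostnames a hosts file has no legitimate reason to override.
# Assumed watch-list for this example: the thread's hijack covered Google's
# international sites and Yahoo search, so those two families are listed.
WATCHED = [
    re.compile(r"^(www\.)?google\.[a-z.]+$"),
    re.compile(r"^([a-z]{2}\.)?search\.yahoo\.com$"),
]


def is_benign_target(ip: str) -> bool:
    """Loopback (127.x, ::1) and unspecified (0.0.0.0) are normal sink targets."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # not an address at all: treat as suspicious
    return addr.is_loopback or addr.is_unspecified


def parse_hosts(text: str):
    """Yield (ip, hostname, line_no) for every mapping in a hosts file.

    Handles '#' comments (whole-line and trailing), tabs/spaces, and lines
    that map several hostnames to one address.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower(), line_no


def find_hijacks(text: str) -> dict:
    """Return {destination_ip: [hostnames]} for watched hosts sent elsewhere."""
    hits = defaultdict(list)
    for ip, name, _ in parse_hosts(text):
        if is_benign_target(ip):
            continue
        if any(pattern.match(name) for pattern in WATCHED):
            hits[ip].append(name)
    return dict(hits)


def mass_redirect_targets(hits: dict, threshold: int = 3) -> list:
    """IPs that sink at least `threshold` watched domains, as in this thread
    (one address collecting 23 Google sites and 3 Yahoo search sites)."""
    return sorted(ip for ip, names in hits.items() if len(names) >= threshold)


# Constructed sample: a handful of the mappings reported in the log above,
# plus two entries that must NOT be flagged.
SAMPLE_HOSTS = """\
# constructed hosts file for the example
127.0.0.1       localhost
89.149.210.61   www.google.com
89.149.210.61   www.google.de
89.149.210.61   www.google.co.uk
89.149.210.61   search.yahoo.com us.search.yahoo.com   # two names, one line
0.0.0.0         www.google.fr          # ad-block style sinkhole: benign
192.168.1.10    intranet.example       # unrelated local override: not watched
"""

if __name__ == "__main__":
    hits = find_hijacks(SAMPLE_HOSTS)
    for ip, names in hits.items():
        print(f"{ip} <- {len(names)} watched hostnames: {', '.join(names)}")
    for ip in mass_redirect_targets(hits):
        print(f"mass redirection to {ip}: treat the hosts file as hijacked")
```

On the XP machine in this thread the file to feed it is %SystemRoot%\system32\drivers\etc\hosts.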

#5 km2357

  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 29 November 2009 - 01:09 PM

Thanks for the DDS Log. :(

I need to look over the attach.txt you got when you last ran DDS, and I would also like to see a fresh RootRepeal Log as well.

Please post them both in your next post/reply.

Go ahead and post them normally, no need to attach them.

Use multiple posts if you can't fit everything into one post.

Edited by km2357, 29 November 2009 - 01:10 PM.

MalWare Removal University Master

Member of ASAP


#6 snowoncedars (Topic Starter)

  • Members
  • 14 posts

Posted 30 November 2009 - 10:37 AM

OK, here are the attach.txt and RootRepeal log.


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-11-29.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 2009/05/11 18:01:17
System Uptime: 2009/11/30 20:55:43 (4 hours ago)

Motherboard: ASUSTeK Computer Inc. | | N10Jc
Processor: Intel® Atom™ CPU N270 @ 1.60GHz | CPU 1 | 1596/133mhz

==== Disk Partitions =========================

C: is FIXED (FAT32) - 87 GiB total, 69.172 GiB free.
D: is FIXED (FAT32) - 58 GiB total, 57.991 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}
Description: CD-ROM ドライブ
Device ID: USBSTOR\CDROM&VEN_HUAWEI&PROD_MASS_STORAGE&REV_2.31\7&E1ECC16&0&___________________&0
Manufacturer: (標準 CD-ROM ドライブ)
Name: HUAWEI Mass Storage USB Device
PNP Device ID: USBSTOR\CDROM&VEN_HUAWEI&PROD_MASS_STORAGE&REV_2.31\7&E1ECC16&0&___________________&0
Service: cdrom

Class GUID: {36FC9E60-C465-11CF-8056-444553540000}
Description: USB 大容量記憶装置デバイス
Device ID: USB\VID_12D1&PID_1003&MI_03\6&2229CBC1&1&0003
Manufacturer: 互換性のある USB 大容量記憶装置デバイス
Name: USB 大容量記憶装置デバイス
PNP Device ID: USB\VID_12D1&PID_1003&MI_03\6&2229CBC1&1&0003
Service: USBSTOR

==== System Restore Points ===================

RP1: 2009/11/18 10:12:04 - システム チェックポイント
RP2: 2009/11/25 4:28:55 - インストールされている DirectX
RP3: 2009/11/26 0:55:18 - Software Distribution Service 3.0
RP4: 2009/11/28 1:00:09 - Software Distribution Service 3.0
RP5: 2009/11/29 0:20:05 - Software Distribution Service 3.0

==== Hosts File Hijack ======================

Hosts: 89.149.210.61 www.google.com
Hosts: 89.149.210.61 www.google.de
Hosts: 89.149.210.61 www.google.fr
Hosts: 89.149.210.61 www.google.co.uk
Hosts: 89.149.210.61 www.google.com.br
Hosts: 89.149.210.61 www.google.it
Hosts: 89.149.210.61 www.google.es
Hosts: 89.149.210.61 www.google.co.jp
Hosts: 89.149.210.61 www.google.com.mx
Hosts: 89.149.210.61 www.google.ca
Hosts: 89.149.210.61 www.google.com.au
Hosts: 89.149.210.61 www.google.nl
Hosts: 89.149.210.61 www.google.co.za
Hosts: 89.149.210.61 www.google.be
Hosts: 89.149.210.61 www.google.gr
Hosts: 89.149.210.61 www.google.at
Hosts: 89.149.210.61 www.google.se
Hosts: 89.149.210.61 www.google.ch
Hosts: 89.149.210.61 www.google.pt
Hosts: 89.149.210.61 www.google.dk
Hosts: 89.149.210.61 www.google.fi
Hosts: 89.149.210.61 www.google.ie
Hosts: 89.149.210.61 www.google.no
Hosts: 89.149.210.61 search.yahoo.com
Hosts: 89.149.210.61 us.search.yahoo.com
Hosts: 89.149.210.61 uk.search.yahoo.com

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.2 - Japanese
Adobe Shockwave Player 11.5
ASUS Live Update
ASUS Splendid Video Enhancement Technology
ASUS Virtual Camera
ASUS Zoom In
ASUSDVD
Atheros Client Installation Program
ATK Generic Function Service
ATK Hotkey
ATK Media
ATKOSD2
Bluetooth Stack for Windows by Toshiba
Canon LBP3210
CyberLink LabelPrint
CyberLink Power2Go
EMOBILE HW Utility
Express Gate
Google Chrome
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB954550-v5)
Intel® Graphics Media Accelerator Driver
Java™ 6 Update 17
Junk Mail filter update
LifeFrame2
LightScribe System Software 1.14.17.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office Live Add-in 1.3
Microsoft Office Outlook Connector
Microsoft Office Professional Edition 2003
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
Multimedia Card Reader
NB Probe
NVIDIA Drivers
OpenOffice.org 3.1
Power4 Gear
Protector Suite QL 5.8
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
RegCure 2.0.0.0
Segoe UI
Skype? 4.1
Spyware Doctor 6.1
Security Update for Step by Step Interactive Training (KB923723)
Synaptics Pointing Device Driver
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
USB 2.0 1.3M UVC WebCam
WebFldrs XP
Windows Live Call
Windows Live Communications Platform
Windows Live Messenger
Windows Live Sync
Windows Live Toolbar
Windows Live Writer
Windows Live Upload Tool
Windows Live Essentials
Windows Live Sign-in Assistant
Windows Live Photo Gallery
Windows Live Mail
Windows Media Format Runtime
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Windows Media Player 10
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Update for Windows XP (KB898461)
Update for Windows XP (KB942763)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
WinFlash
Wireless Console 2

==== End Of File ===========================


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/01 00:36
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA9E79000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7AA2000 Size: 8192 File Visible: No Signed: -
Status: -

Name: hiber_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\hiber_WMILIB.SYS
Address: 0xF7ABC000 Size: 8192 File Visible: No Signed: -
Status: -

Name: mchInjDrv.sys
Image Path: C:\WINDOWS\system32\Drivers\mchInjDrv.sys
Address: 0xF7C45000 Size: 2560 File Visible: No Signed: -
Status: -

Name: rootrepeal1.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal1.sys
Address: 0xAA7A0000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "PCTCore.sys" at address 0xf73d0d72

#: 047 Function Name: NtCreateProcess
Status: Hooked by "PCTCore.sys" at address 0xf73b19a6

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "PCTCore.sys" at address 0xf73b1b98

#: 063 Function Name: NtDeleteKey
Status: Hooked by "PCTCore.sys" at address 0xf73d1568

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "PCTCore.sys" at address 0xf73d1820

#: 119 Function Name: NtOpenKey
Status: Hooked by "PCTCore.sys" at address 0xf73cfa80

#: 192 Function Name: NtRenameKey
Status: Hooked by "PCTCore.sys" at address 0xf73d1c8a

#: 247 Function Name: NtSetValueKey
Status: Hooked by "PCTCore.sys" at address 0xf73d1036

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "PCTCore.sys" at address 0xf73b1656

==EOF==
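
The "Hosts File Hijack" section of the DDS log above is the mechanism behind the redirect: all 26 names (the www.google.* variants and the three search.yahoo.com hosts) are pinned to 89.149.210.61 in %SystemRoot%\system32\drivers\etc\hosts, so the browser never asks DNS and lands on that server whichever search site is typed. Chrome, IE and everything else go through the same resolver, which is why the symptom survived the removal of the trojan's executable. The Python below is an added example, not part of the post or of DDS: it parses a hosts file, reports every name mapped to a non-local address (a clean hosts file, or an ad-blocking one, only points names at 127.0.0.1, ::1 or 0.0.0.0), groups the hits by destination so the redirect sink stands out, and writes back a cleaned copy. The sample hosts text is constructed: the redirect lines reuse the address and a few of the names from the log, the rest is a stock XP hosts file plus one ad-block style entry that must not be flagged.

```python
"""Detect and undo a hosts-file hijack like the one in the DDS log.

Added example for this thread, not part of DDS or of the original post.
SAMPLE_HOSTS is constructed: the redirect lines use the address and a few
of the names from the log; the rest is a normal XP hosts file plus one
ad-block style entry to show what must NOT be flagged.
"""
import ipaddress
from collections import defaultdict

SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
89.149.210.61 www.google.com
89.149.210.61 www.google.co.uk
89.149.210.61 www.google.co.jp
89.149.210.61 search.yahoo.com
0.0.0.0 ads.example.net   # constructed ad-block entry: benign sinkhole
"""


def parse_hosts(text):
    """Yield (address, hostname, line_no) for every mapping in a hosts file.

    Comments start at '#'; one address may be followed by several names.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        for name in names:
            yield address, name.lower(), line_no


def is_local_sink(address):
    """True for 127.0.0.0/8, ::1 and 0.0.0.0, the only targets a clean hosts
    file (or an ad-blocking one) points names at. Anything else, including
    an address that does not parse, is reported."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def find_hijacks(text):
    """Group redirected names by destination: {remote_ip: [hostnames]}.

    One remote address carrying many search-engine names is the signature
    of a search hijack (26 names to 89.149.210.61 in the log above).
    """
    hits = defaultdict(list)
    for address, name, _ in parse_hosts(text):
        if not is_local_sink(address):
            hits[address].append(name)
    return dict(hits)


def clean_hosts(text):
    """Return the hosts text with every non-local mapping removed and all
    other lines (comments, localhost, ad-block sinks) kept verbatim."""
    kept = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and not is_local_sink(line.split()[0]):
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for ip, names in find_hijacks(SAMPLE_HOSTS).items():
        print(f"{ip}: {len(names)} names redirected, e.g. {names[:3]}")
    print(clean_hosts(SAMPLE_HOSTS))
```

Review the find_hijacks report before applying clean_hosts: a LAN address for a printer or file server would be listed too, since the check is "not local", not "known bad". On XP the hosts file is commonly marked read-only and hidden, so clear those attributes before writing, and run ipconfig /flushdns afterwards so the resolver cache stops serving the old answers.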

#7 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 30 November 2009 - 02:42 PM

Step # 1: Download and Run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

*Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

When finished, it shall produce a log for you. Please include C:\ComboFix.txt in your next reply.



#8 snowoncedars

snowoncedars
  • Topic Starter

  • Members
  • 14 posts

Posted 30 November 2009 - 07:00 PM

Here is Combofix.txt:

ComboFix 09-11-30.02 - Richard 2009/12/01 8:29.1.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.932.81.1041.18.1015.481 [GMT 9:00]
Running from: c:\documents and settings\Richard\My Documents\Downloads\ComboFix.exe
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Richard\LOCALS~1\Temp\install_flash_player.exe
c:\docume~1\Richard\LOCALS~1\Temp\tmp2.tmp
c:\windows\system32\18467.exe
c:\windows\system32\19169.exe
c:\windows\system32\26500.exe
c:\windows\system32\41.exe
c:\windows\system32\6334.exe
c:\windows\system32\ieuinit.inf

.
((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-30 )))))))))))))))))))))))))))))))
.

2009-11-27 16:08 . 2009-11-27 16:08 -------- d-----w- c:\windows\system32\XPSViewer
2009-11-27 16:08 . 2009-11-27 16:08 -------- d-----w- c:\program files\MSBuild
2009-11-27 16:08 . 2009-11-27 16:08 -------- d-----w- c:\program files\Reference Assemblies
2009-11-27 16:07 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-11-27 16:07 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-11-27 16:07 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-11-27 16:07 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-11-27 16:07 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-11-27 16:07 . 2009-11-27 16:07 -------- d-----w- C:\20e407d7d87b8dabfc
2009-11-27 16:07 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-11-27 16:07 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-11-24 19:40 . 2009-11-24 19:40 -------- d-----w- c:\program files\Microsoft Silverlight
2009-11-24 19:40 . 2009-11-24 19:40 -------- d-----w- c:\program files\Microsoft Office Outlook Connector
2009-11-24 19:30 . 2009-11-24 19:30 -------- d-----w- c:\program files\Microsoft Sync Framework
2009-11-24 19:28 . 2006-11-29 04:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2009-11-24 19:28 . 2009-11-24 19:28 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-11-24 19:26 . 2009-11-24 19:26 -------- d-----w- c:\program files\Microsoft
2009-11-24 19:06 . 2009-11-24 19:06 -------- d-----w- C:\FOUND.001
2009-11-18 02:42 . 2009-11-18 02:42 -------- d-----w- c:\program files\Trend Micro
2009-11-17 20:27 . 2009-11-17 20:27 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure
2009-11-17 20:27 . 2009-11-17 20:27 -------- d-----w- c:\program files\RegCure
2009-11-17 15:23 . 2008-12-10 23:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-11-17 15:23 . 2009-08-24 05:05 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-11-17 15:23 . 2009-08-19 02:01 86888 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-11-17 15:23 . 2008-12-10 02:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-11-17 15:22 . 2009-11-17 15:22 -------- d-----w- c:\program files\Spyware Doctor
2009-11-17 15:22 . 2009-11-17 15:22 -------- d-----w- c:\documents and settings\Richard\Application Data\PC Tools
2009-11-17 15:22 . 2009-11-17 15:22 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-11-17 15:02 . 2009-11-17 15:02 -------- d-----w- c:\program files\Common Files\PC Tools
2009-11-17 14:49 . 2009-11-17 14:49 -------- d-----w- c:\program files\Enigma Software Group
2009-11-08 09:00 . 2009-11-08 09:00 -------- d-----w- c:\program files\Common Files\Skype
2009-11-03 23:56 . 2009-11-03 23:56 152576 ----a-w- c:\documents and settings\Richard\Application Data\Sun\Java\jre1.6.0_17\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-28 15:25 . 2008-11-28 05:42 71388 ----a-w- c:\windows\system32\perfc011.dat
2009-11-28 15:25 . 2008-11-28 05:42 228186 ----a-w- c:\windows\system32\perfh011.dat
2009-11-28 07:02 . 2009-05-11 09:01 65040 ----a-w- c:\documents and settings\Richard\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-14 04:51 . 2009-10-14 04:51 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-10-14 04:49 . 2009-10-14 04:49 -------- d-----w- c:\program files\Microsoft.NET
2009-10-12 04:09 . 2009-05-13 15:14 1 ----a-w- c:\documents and settings\Richard\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-10-10 19:17 . 2009-05-13 15:10 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-25 05:35 . 2008-11-28 05:42 657408 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:35 . 2008-11-28 05:42 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-11 14:17 . 2008-11-28 05:42 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2008-11-28 05:42 58880 ----a-w- c:\windows\system32\msasn1.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2008-06-19 02:47 4232968 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2008-06-19 02:47 4232968 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-06-09 2363392]
"Mobile Partner"="c:\program files\EMOBILE HW Utility\EMOBILE HW Utility.exe" [2009-05-11 110592]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"Google Update"="c:\documents and settings\Richard\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-18 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-07-22 1181064]
"ACMON"="c:\program files\ASUS\Splendid\ACMON.exe" [2008-01-15 851968]
"ACU"="c:\program files\Atheros\ACU.exe" [2008-07-20 450649]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"ASUS Live Update"="c:\program files\ASUS\ASUS Live Update\ALU.exe" [2007-11-30 51768]
"ASUS Screen Saver Protector"="c:\windows\AsScrPro.exe" [2009-04-08 3054136]
"ATKHOTKEY"="c:\program files\ASUS\ATK Hotkey\HControl.exe" [2008-08-04 217088]
"ATKMEDIA"="c:\program files\ASUS\ATK Media\DMEDIA.EXE" [2008-02-01 61440]
"ATKOSD2"="c:\program files\ATKOSD2\ATKOSD2.exe" [2008-01-23 7766016]
"CLMLServer"="c:\program files\CyberLink\Power2Go\CLMLSvc.exe" [2008-07-18 104936]
"HControlUser"="c:\program files\ASUS\ATK Hotkey\HControlUser.exe" [2008-01-11 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-11-07 166424]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-11-07 141848]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"IMJPMIG9.0"="c:\progra~1\COMMON~1\MICROS~1\IME\IMJP9\IMJPMIG.EXE" [2007-04-19 125792]
"LanguageShortcut"="c:\program files\ASUSTek\ASUSDVD\Language\Language.exe" [2008-02-22 62760]
"MsgTranAgt"="c:\program files\ASUS\ATK Hotkey\MsgTranAgt.exe" [2007-11-04 106496]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-07-25 13541376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-07-25 86016]
"P2Go_Menu"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-13 210216]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-11-07 137752]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"Power_Gear"="c:\program files\ASUS\Power4 Gear\BatteryLife.exe" [2006-07-26 90112]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2008-06-19 49928]
"RemoteControl"="c:\program files\ASUSTek\ASUSDVD\PDVDServ.exe" [2008-04-02 87336]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-10 149280]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-11 815104]
"Wireless Console 2"="c:\program files\Wireless Console 2\wcourier.exe" [2007-07-05 1040384]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-07-25 1630208]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-07-15 16806400]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" - c:\windows\system32\ctfmon.exe [2008-04-14 15360]

c:\documents and settings\Richard\スタート メニュー\プログラム\スタートアップ\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]

c:\documents and settings\All Users\スタート メニュー\プログラム\スタートアップ\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-8-2 2760704]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2008-06-19 02:34 96008 ----a-w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\WINDOWS\\System32\\CNAB2RPK.EXE"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1090:UDP"= 1090:UDP:Windows Media Format SDK (chrome.exe)
"1091:UDP"= 1091:UDP:Windows Media Format SDK (chrome.exe)

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009/11/18 0:23 206256]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009/11/18 0:22 348824]
S3 CRFILTER;USB Mass Storage Filter;c:\windows\system32\drivers\CRFILTER.sys [2008/04/06 23:00 6656]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2008/06/25 13:05 39072]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-11-21 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2009-09-21 19:46]

2009-11-30 c:\windows\Tasks\RegCure Startup.job
- c:\program files\RegCure\RegCure.exe [2009-09-21 19:46]

2009-11-30 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2009-09-21 19:46]

2009-11-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2347011288-2647313946-3923590952-1006Core.job
- c:\documents and settings\Richard\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-18 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.asus.com/
IE: Export to Microsoft Excel (&X) - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: {86693F68-DAC4-4BCE-93C3-A1FCF7FDDF45} = 117.55.64.154 60.254.209.158
.
- - - - ORPHANS REMOVED - - - -

AddRemove-NVIDIA Drivers - c:\windows\system32\nvuninst.exe UninstallGUI



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-01 08:54
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\AppEvents\Schemes\Apps\Conf\*・^\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_USERS\LocalService\AppEvents\Schemes\Apps\Conf\*・^\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_USERS\S-1-5-20\AppEvents\Schemes\Apps\Conf\*・^\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_USERS\S-1-5-21-2347011288-2647313946-3923590952-1006\AppEvents\Schemes\Apps\Conf\*・^\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*ウ0・ン0・ヘ0・ネ0\CLSID]
@="{809B6661-94C4-49E6-B6EC-3F0F862215AA}"

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*ウ0・ン0・ヘ0・ネ0\CurVer]
@="BDATuner.コンポーネント.1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\「0・、0・ケ0ネ0・・n0ミ0テ0ッ0「0テ0ラ0 *、0・・ク0]
@="{67cf8cbd-e5c0-44f7-9de5-e1d599d626d8}"
"Description"="These files are needed if you uninstall this version of Windows and return to the previous operating system."
"Display"="Backup files for the previous operating system"
"IconPath"=expand:"%SystemRoot%\\system32\\osuninst.EXE,0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1036)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infql2.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\bio.dll
c:\program files\Protector Suite QL\qlbase.dll
c:\windows\system32\imjp9.ime
c:\windows\system32\imjp9k.dll
c:\program files\Protector Suite QL\otp.dll
c:\program files\Protector Suite QL\psqltray.dll

- - - - - - - > 'lsass.exe'(1092)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infql2.dll
.
Completion time: 2009-12-01 08:55
ComboFix-quarantined-files.txt 2009-11-30 23:55

Pre-Run: 75,154,391,040 bytes free
Post-Run: 77,022,396,416 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 135F29A15D4A164092485A1AD30766B9
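
The "Other Deletions" block of the ComboFix log above is worth a second look: five executables in c:\windows\system32 named 41.exe, 18467.exe, 6334.exe, 26500.exe and 19169.exe. Those are exactly the first five values the Microsoft C runtime's rand() returns when a program never calls srand(), so the dropper named its payloads with an unseeded rand() and will produce the same file names on every machine it infects, which makes them a cheap thing to search other hosts for. The Python below is an added example, not ComboFix's logic: it reproduces the MSVCRT generator to confirm that, builds the set of names an unseeded dropper would use, and triages a list of paths into numeric-named executables in a system directory and executables left in a temp directory. The listing is constructed from the paths in the log plus two legitimate files that must not be flagged.

```python
"""Triage file paths the way you read a ComboFix "Other Deletions" block.

Added example for this thread, not ComboFix's own logic. SAMPLE_LISTING is
constructed: the paths ComboFix deleted above, plus two legitimate files.
"""
import re

SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}
NUMERIC_EXE = re.compile(r"^(\d+)\.(exe|dll|scr|com)$", re.IGNORECASE)
EXECUTABLE = re.compile(r"\.(exe|dll|scr|com|pif|bat)$", re.IGNORECASE)

SAMPLE_LISTING = [
    r"c:\docume~1\Richard\LOCALS~1\Temp\install_flash_player.exe",
    r"c:\docume~1\Richard\LOCALS~1\Temp\tmp2.tmp",
    r"c:\windows\system32\18467.exe",
    r"c:\windows\system32\19169.exe",
    r"c:\windows\system32\26500.exe",
    r"c:\windows\system32\41.exe",
    r"c:\windows\system32\6334.exe",
    r"c:\windows\system32\ieuinit.inf",
    r"c:\windows\system32\ctfmon.exe",   # legitimate, must not be flagged
    r"c:\windows\explorer.exe",          # legitimate, must not be flagged
]


def msvc_rand_sequence(count, seed=1):
    """Reproduce MSVCRT rand(): state = state*214013 + 2531011 mod 2**32,
    result = (state >> 16) & 0x7fff. seed=1 is the state a process has
    when it never calls srand(), so the first outputs are 41, 18467, ..."""
    state = seed
    out = []
    for _ in range(count):
        state = (state * 214013 + 2531011) & 0xFFFFFFFF
        out.append((state >> 16) & 0x7FFF)
    return out


# Names an unseeded dropper would produce if it created up to 64 files.
UNSEEDED_RAND_NAMES = set(msvc_rand_sequence(64))


def classify(path):
    """Return a short reason if the path looks like dropper residue, else None."""
    p = path.lower().replace("/", "\\")
    directory, _, name = p.rpartition("\\")
    match = NUMERIC_EXE.match(name)
    if directory in SYSTEM_DIRS and match:
        if int(match.group(1)) in UNSEEDED_RAND_NAMES:
            return "numeric executable in system dir; name is an unseeded rand() value"
        return "numeric executable in system dir"
    if "\\temp\\" in directory + "\\" and EXECUTABLE.search(name):
        # Weak signal on its own: installers the user ran leave these too.
        return "executable left in a temp directory"
    return None


def triage(paths):
    """Map each suspicious path to its reason; clean paths are omitted."""
    result = {}
    for path in paths:
        reason = classify(path)
        if reason:
            result[path] = reason
    return result


if __name__ == "__main__":
    print("first five unseeded rand() values:", msvc_rand_sequence(5))
    for path, reason in triage(SAMPLE_LISTING).items():
        print(f"{path}: {reason}")
```

The temp-directory rule is a prompt to check, not a verdict: install_flash_player.exe in Temp is most likely the user's own Flash installer, which is consistent with the log's "Adobe Flash Player 10" entries. The numeric-name rule in a system directory is the strong signal, and the match against the rand() sequence ties the five files to a single unseeded dropper rather than five unrelated installers.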

#9 snowoncedars

snowoncedars
  • Topic Starter

  • Members
  • 14 posts

Posted 30 November 2009 - 07:02 PM

By the way, for some reason I didn't get the opportunity to save Combofix to my desktop (maybe because of the way Chrome handles downloads), which is why it's in my Downloads folder. I hope that doesn't cause a problem.

#10 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 01 December 2009 - 01:16 AM

Registry Cleaners

Re. RegCure 2.0.0.0

I don't personally recommend the use of ANY registry cleaners.
Here is an excerpt from a discussion on regcleaners:

Most reg cleaners aren't "bad" as such, but they aren't perfect and even the best have been known to cause problems. The point we are trying to make is that the risk of using one far outweighs any benefit. If it does work perfectly you will not see any difference. If it doesn't work properly you may end up with an expensive doorstop.


http://forums.whatthetech.com/Regcleaner_t42862.html

I recommend that you uninstall RegCure 2.0.0.0 from your computer.



Step # 1: Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.



Step # 2 Download and Run Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


In your next post/reply, I need to see the following:

1. The MalwareBytes' Log
2. A fresh DDS Log



#11 snowoncedars

snowoncedars
  • Topic Starter

  • Members
  • 14 posts

Posted 01 December 2009 - 06:57 AM

Thank you, it looks like you've helped me get rid of the malware.

The MBAM log shows no infections, and a quick check of Google seemed to show it working normally. The logs you requested are below.


Malwarebytes' Anti-Malware 1.41
Database version: 3267
Windows 5.1.2600 Service Pack 3

2009/12/01 20:47:33
mbam-log-2009-12-01 (20-47-33).txt

Scan type: Quick Scan
Objects scanned: 100995
Time elapsed: 19 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



DDS (Ver_09-12-01.01) - FAT32x86
Run by Richard at 20:52:33.12 on 2009/12/01
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.932.81.1041.18.1015.205 [GMT 9:00]

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\ATKGFNEX\GFNEXSrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\RegCure\RegCure.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CNAB2RPK.EXE
C:\Program Files\ASUS\Splendid\ACMON.exe
C:\Program Files\Atheros\ACU.exe
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\WINDOWS\AsScrPro.exe
C:\Program Files\ASUS\ATK Hotkey\HControl.exe
C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
C:\Program Files\ATKOSD2\ATKOSD2.exe
C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
C:\Program Files\ASUS\ATK Hotkey\HControlUser.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\ASUS\ATK Hotkey\MsgTranAgt.exe
C:\WINDOWS\system32\ACEngSvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ASUS\ATK Hotkey\ATKOSD.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\EMOBILE HW Utility\EMOBILE HW Utility.exe
C:\Program Files\ASUS\ATK Hotkey\KBFiltr.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Documents and Settings\Richard\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\ASUS\ATK Hotkey\WDC.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Documents and Settings\Richard\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Richard\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Richard\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Richard\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Richard\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Richard\My Documents\Downloads\dds (3).scr
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.asus.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live サインイン ヘルパー: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [Mobile Partner] "c:\program files\emobile hw utility\EMOBILE HW Utility.exe"
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Google Update] "c:\documents and settings\richard\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [ACMON] "c:\program files\asus\splendid\ACMON.exe"
mRun: [ACU] "c:\program files\atheros\ACU.exe" -nogui
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [ASUS Live Update] c:\program files\asus\asus live update\ALU.exe
mRun: [ASUS Screen Saver Protector] c:\windows\AsScrPro.exe
mRun: [ATKHOTKEY] c:\program files\asus\atk hotkey\HControl.exe
mRun: [ATKMEDIA] c:\program files\asus\atk media\DMEDIA.EXE
mRun: [ATKOSD2] "c:\program files\atkosd2\ATKOSD2.exe"
mRun: [CLMLServer] "c:\program files\cyberlink\power2go\CLMLSvc.exe"
mRun: [HControlUser] c:\program files\asus\atk hotkey\HControlUser.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMJPMIG9.0] c:\progra~1\common~1\micros~1\ime\imjp9\IMJPMIG.EXE /Preload /Migration32
mRun: [LanguageShortcut] "c:\program files\asustek\asusdvd\language\Language.exe"
mRun: [MsgTranAgt] c:\program files\asus\atk hotkey\MsgTranAgt.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [nwiz] nwiz.exe /install
mRun: [P2Go_Menu] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [Power_Gear] c:\program files\asus\power4 gear\BatteryLife.exe 1
mRun: [PSQLLauncher] "c:\program files\protector suite ql\launcher.exe" /startup
mRun: [RemoteControl] "c:\program files\asustek\asusdvd\PDVDServ.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Wireless Console 2] "c:\program files\wireless console 2\wcourier.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [ctfmon.exe] ctfmon.exe
StartupFolder: c:\docume~1\richard\ベター~1\プロバ~1\ベター~1\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\ベター~1\プロバ~1\ベター~1\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
IE: Microsoft Excel にエクスポート(&X) - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
TCP: {86693F68-DAC4-4BCE-93C3-A1FCF7FDDF45} = 117.55.64.154 60.254.209.158
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
LSA: Notification Packages = scecli psqlpwd
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
Hosts: 89.149.210.61 www.google.com
Hosts: 89.149.210.61 www.google.de
Hosts: 89.149.210.61 www.google.fr
Hosts: 89.149.210.61 www.google.co.uk
Hosts: 89.149.210.61 www.google.com.br

Note: multiple HOSTS entries found. Please refer to Attach.txt

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-11-18 206256]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-11-18 348824]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-11-18 1097096]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-12-1 38224]
S3 CRFILTER;USB Mass Storage Filter;c:\windows\system32\drivers\CRFILTER.sys [2008-4-6 6656]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2008-6-25 39072]

=============== Created Last 30 ================

2009-12-01 11:26:19 0 d-----w- c:\docume~1\richard\applic~1\Malwarebytes
2009-12-01 11:26:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-01 11:26:05 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-01 11:26:05 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-01 11:26:04 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-01 00:52:10 0 d-sh--w- C:\FOUND.002
2009-11-30 23:27:19 0 d-sha-r- C:\cmdcons
2009-11-30 23:25:14 98816 ----a-w- c:\windows\sed.exe
2009-11-30 23:25:14 77312 ----a-w- c:\windows\MBR.exe
2009-11-30 23:25:14 260608 ----a-w- c:\windows\PEV.exe
2009-11-30 23:25:14 161792 ----a-w- c:\windows\SWREG.exe
2009-11-28 07:10:01 1559685 ------w- c:\windows\system32\dllcache\ntprint.cat
2009-11-27 16:08:43 0 d-----w- c:\windows\system32\XPSViewer
2009-11-27 16:07:41 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-11-27 16:07:41 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-11-27 16:07:41 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-11-27 16:07:41 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-11-27 16:07:41 117760 ------w- c:\windows\system32\prntvpt.dll
2009-11-27 16:07:40 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-11-27 16:07:40 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-11-27 16:07:40 0 d-----w- C:\20e407d7d87b8dabfc
2009-11-24 19:40:20 0 d-----w- c:\program files\Microsoft Office Outlook Connector
2009-11-24 19:28:59 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2009-11-24 19:28:42 0 d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-11-24 19:26:00 0 d-----w- c:\program files\Microsoft
2009-11-24 19:06:42 0 d-----w- C:\FOUND.001
2009-11-18 02:42:07 0 d-----w- c:\program files\Trend Micro
2009-11-17 21:07:00 0 d-----w- c:\windows\pss
2009-11-17 20:27:45 0 d-----w- c:\docume~1\alluse~1\applic~1\RegCure
2009-11-17 15:23:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-11-17 15:23:25 86888 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-11-17 15:23:25 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-11-17 15:23:25 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-11-17 15:23:08 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-11-17 15:22:45 0 d-----w- c:\program files\Spyware Doctor
2009-11-17 15:22:45 0 d-----w- c:\docume~1\richard\applic~1\PC Tools
2009-11-17 15:22:45 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2009-11-17 15:02:21 0 d-----w- c:\program files\common files\PC Tools
2009-11-17 14:49:03 0 d-----w- c:\program files\Enigma Software Group

==================== Find3M ====================

2009-11-28 15:25:48 71388 ----a-w- c:\windows\system32\perfc011.dat
2009-11-28 15:25:48 228186 ----a-w- c:\windows\system32\perfh011.dat
2009-10-19 23:51:44 3091968 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-10-10 19:17:28 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-25 05:35:28 657408 ------w- c:\windows\system32\wininet.dll
2009-09-25 05:35:28 657408 ------w- c:\windows\system32\dllcache\wininet.dll
2009-09-25 05:35:28 622592 ------w- c:\windows\system32\dllcache\urlmon.dll
2009-09-25 05:35:28 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll
2009-09-25 05:35:24 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-25 05:35:24 81920 ------w- c:\windows\system32\dllcache\ieencode.dll
2009-09-11 14:17:02 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:17:02 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 21:03:40 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 21:03:40 58880 ------w- c:\windows\system32\dllcache\msasn1.dll

============= FINISH: 20:55:00.56 ===============

#12 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:10:49 AM

Posted 01 December 2009 - 02:31 PM

Step # 1 Update Adobe Acrobat Reader

There is a newer version of Adobe Acrobat Reader available. (See Note below)
  • First, go to Add/Remove Programs and uninstall Adobe Reader 8.1.2 - Japanese.
  • Please go to this link Adobe Acrobat Reader Download Link
  • On the right Untick Adobe Photoshop Album Starter Edition if you do not wish to include this in the installation.
  • Click the Continue button
  • Click Run, and click Run again
  • Next click the Install Now button and follow the on screen prompts
Note: Adobe 9.2.0 is a large program and if you prefer a smaller program you can get Foxit 3.1.4 instead from http://www.foxitsoftware.com/pdf/rd_intro.php

If you decide to install Foxit 3.1.4 instead of Adobe, do the following during Foxit's Setup/Installation process:

Uncheck the following boxes:

I accept the License Terms and want to install Foxit Toolbar

Make Ask.com my default search

Create desktop, quick launch and start menu icon to eBay




Step # 2: Run Kaspersky Online Scan

Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

In your next post/reply, I need to see the following:

1. The Kaspersky Log
2. How is your computer doing, any other problems?

MalWare Removal University Master

Member of ASAP


#13 snowoncedars

snowoncedars
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:03:49 AM

Posted 02 December 2009 - 01:30 AM

1. The Kaspersky log is posted below, showing some infections including quarantined ones.
2. I thought that Google was no longer being hijacked, but it is. It still goes to a 10Click site. Apart from that, I'm not experiencing any problems with my pc.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, December 2, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, December 02, 2009 00:38:36
Records in database: 3320487
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Objects scanned: 47008
Threats found: 4
Infected objects found: 11
Suspicious objects found: 0
Scan duration: 02:41:46


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\18467.exe.vir Infected: Trojan.Win32.Qhost.mht 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\19169.exe.vir Infected: Trojan.Win32.Qhost.mht 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\26500.exe.vir Infected: Trojan.Win32.Qhost.mht 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\6334.exe.vir Infected: Trojan.Win32.Qhost.mht 1
C:\Documents and Settings\Richard\Application Data\Sun\Java\Deployment\cache\6.0\51\372973-1e165a1d Infected: Trojan-Downloader.Java.Agent.ab 1
C:\System Volume Information\_restore{BB423366-5760-46D1-BBD5-C0825B35DAF3}\RP1\A0001387.dll Infected: Trojan.Win32.BHO.acco 1
C:\System Volume Information\_restore{BB423366-5760-46D1-BBD5-C0825B35DAF3}\RP1\A0001432.exe Infected: Trojan-Downloader.Win32.FraudLoad.fzf 1
C:\System Volume Information\_restore{BB423366-5760-46D1-BBD5-C0825B35DAF3}\RP6\A0009813.exe Infected: Trojan.Win32.Qhost.mht 1
C:\System Volume Information\_restore{BB423366-5760-46D1-BBD5-C0825B35DAF3}\RP6\A0009814.exe Infected: Trojan.Win32.Qhost.mht 1
C:\System Volume Information\_restore{BB423366-5760-46D1-BBD5-C0825B35DAF3}\RP6\A0009815.exe Infected: Trojan.Win32.Qhost.mht 1
C:\System Volume Information\_restore{BB423366-5760-46D1-BBD5-C0825B35DAF3}\RP6\A0009817.exe Infected: Trojan.Win32.Qhost.mht 1

Selected area has been scanned.

#14 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:10:49 AM

Posted 02 December 2009 - 02:19 PM

Kaspersky found some files in the Qoobox folder, which is where ComboFix keeps its quarantined files. I'll show you how to remove those and ComboFix in an upcoming post. Kaspersky also found some infected System Restore points. They are harmless where they are. I'll show you how to remove them and set a new, clean one in an upcoming post.




Step # 1 Clear Java's Cache

Click Start > Control Panel
  • Double-click the Java icon in the control panel. (coffeecup icon)
  • Click Settings under Temporary Internet Files.

    -The Temporary Files Settings dialog box appears.
  • Click Delete Files.

    -The Delete Temporary Files dialog box appears.
    -There are three options on this window to clear the cache.
  • Delete Files
  • View Applications
  • View Applets
Click OK on Delete Temporary Files window.

-Note: This deletes all the Downloaded Applications and Applets from the cache.

Click OK on Temporary Files Settings window.
Close the Java Control Panel

You can view those instructions along with graphics here



Step # 2 Download HostsXpert

Download HostsXpert and unzip it to your desktop.

Open HostsXpert that you earlier unzipped on your Desktop.
  • Click "Make Hosts Writable?" upper right corner (if available)
  • Click "Restore Microsoft's Original Hosts File" and then click OK
  • Close HostsXpert
Note: IF you used any custom Hosts (e.g. MVPS Hosts), you will have to put them back manually


After you've completed Step #2, reboot your computer. Once your computer has booted back up, let me know if Google still gets redirected to 10click.

MalWare Removal University Master

Member of ASAP
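The five "Hosts:" lines in the DDS log earlier in this thread (every Google front end pinned to 89.149.210.61) and the "Restore Microsoft's Original Hosts File" step above are two views of the same problem: a Qhost-style trojan rewrote the hosts file so the browser never reached Google. The script below is an added example, not code from this thread, from HostsXpert or from DDS. It parses hosts-file text, flags any name pinned to a non-local address (with an assumed watch list of labels such as "google" that should never be repointed), reports when one public address absorbs several names, and produces a cleaned copy that keeps comments and loopback lines. The sample hosts text is constructed here; only the 89.149.210.61 entries are taken from the log.

```python
"""Detect and strip hosts-file hijacks of the kind the DDS log reported."""
import ipaddress
from collections import defaultdict

# Constructed sample hosts file. The five 89.149.210.61 lines mirror the
# "Hosts:" entries in the DDS log posted above; the rest is ordinary content.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
89.149.210.61   www.google.com
89.149.210.61   www.google.de
89.149.210.61   www.google.fr      # Qhost-style pin, with a trailing comment
89.149.210.61   www.google.co.uk
89.149.210.61   www.google.com.br
0.0.0.0         ads.example.invalid
"""

# Assumed watch list: DNS labels that should never be pinned to a public IP.
WATCHED_LABELS = {"google", "yahoo", "bing", "microsoft", "windowsupdate"}

# Addresses a legitimate hosts file commonly uses: loopback and the blackhole.
LOCAL_IPS = {"127.0.0.1", "::1", "0.0.0.0"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first field is not an address; skip the malformed line
        entries.extend((ip, name.lower()) for name in fields[1:])
    return entries


def is_watched(hostname):
    """True when any DNS label of the name is on the watch list."""
    return any(label in WATCHED_LABELS for label in hostname.split("."))


def find_hijacks(entries):
    """Flag entries that pin a name to a non-local address.

    Returns a list of (ip, hostname, reason) tuples.
    """
    findings = []
    for ip, name in entries:
        if ip in LOCAL_IPS:
            continue  # loopback/blackhole pins are what a hosts file is for
        if is_watched(name):
            findings.append((ip, name, "watched domain pinned to non-local address"))
        elif ipaddress.ip_address(ip).is_global:
            findings.append((ip, name, "public address in hosts file"))
    return findings


def shared_targets(entries, threshold=3):
    """Map each non-local address to the names it claims, when it claims at
    least `threshold` of them; one IP absorbing many names is the Qhost
    pattern visible in the log."""
    by_ip = defaultdict(set)
    for ip, name in entries:
        if ip not in LOCAL_IPS:
            by_ip[ip].add(name)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) >= threshold}


def clean_hosts(text):
    """Return the hosts text with flagged lines dropped and everything else
    (comments, loopback, blackhole pins) kept unchanged."""
    bad = set((ip, name) for ip, name, _ in find_hijacks(parse_hosts(text)))
    kept = []
    for raw in text.splitlines():
        if any(entry in bad for entry in parse_hosts(raw)):
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    for ip, name, reason in find_hijacks(entries):
        print(f"{ip:16} {name:24} {reason}")
    for ip, names in shared_targets(entries).items():
        print(f"{ip} claims {len(names)} names: {', '.join(names)}")
    print(clean_hosts(SAMPLE_HOSTS))
```

Run as-is it reports the five Google pins, names 89.149.210.61 as the single address claiming all of them, and prints the cleaned file. On a real machine you would feed it the contents of %SystemRoot%\system32\drivers\etc\hosts; note that the file is often read-only or locked by the infection, which is why HostsXpert offers a "Make Hosts Writable?" button first.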


#15 snowoncedars

snowoncedars
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:03:49 AM

Posted 02 December 2009 - 08:37 PM

Google is not being redirected now. Everything appears to be back to normal.

Thank you very much for your help. I learnt a lot from the process. Is there anything left to do?

Richard



