
Infected With Boran.g & Other Chinese Stuff


5 replies to this topic

#1 yuehan

  • Members
  • 5 posts

Posted 20 September 2006 - 05:45 AM

Win XP Pro SP2

I am in China, and someone tried to install QQ instant messenger when I wasn't here. The first thing I noticed is that my system fan goes to high speed soon after startup, and this only happens when a process is using a lot of CPU time.

I am running AVG Pro and Spybot S&D with Tea Timer, but these didn't protect me from this stuff.

Task manager shows me that cdnup.exe is using about 53% of CPU time, and crss.exe is using about 24%. I think both files have been messed with.

I was getting pop-up virus warnings from AVG; it would report healed successfully, but the next time I rebooted, the same things would be back.

I have gone through the entire process of "Preparation Guide for use before posting a HijackThis Log." I couldn't get Housecall Anti Virus, though. The only thing that seemed to make a difference was Bit Defender. After running it, I don't get the virus reports from AVG any more. I also didn't have the cdnup.exe and crss.exe problems after that, until I plugged the ethernet cable back in, then these problems came back.

IE6 settings have been changed, including default page and search pages. Explorer has been changed; I keep changing it so that I see all file extensions, but it keeps getting changed back so that I don't see file extensions.

IE keeps popping up Chinese websites with girlie pictures.

There's so much crap going on, I don't know what to do next.

I'll paste in the HijackThis log, followed by the other logs of the antivirus and spyware apps specified in "Preparation Guide for use before posting a HijackThis Log."

Sorry, now I can't switch to Windows Explorer or to any other task in the taskbar. I'll try to paste the HijackThis log in, then I'll try to leave another message later with the other logs.

Thanks,
John


Logfile of HijackThis v1.99.1
Scan saved at 6:08:53 PM, on 9/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MAILLOOP6\Binn\sqlservr.exe
C:\WINDOWS\system32\PGPserv.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\WINDOWS\System32\alg.exe
c:\windows\system32\inetsrv\csrss.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Common Files\UPDATE2\Update.exe
C:\Program Files\CNNIC\Cdn\cdnup.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\Wiley\Webster's New World\HKML_SRV.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\My Root Storage\Downloads\HijackThis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.ld123.com/?p
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ld123.com/?p
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.ld123.com/?p
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ld123.com/?p
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.ld123.com/?p
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ld123.com/?p
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.ld123.com/?p
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ld123.com/?p
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.ld123.com/?p
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ld123.com/?p
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.ld123.com/?p
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ld123.com/?p
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.ld123.com/?p
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.ld123.com/?p
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.ld123.com/?p
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r5.attbi.com;<local>;localhost
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
R3 - URLSearchHook: (no name) - {DB8B2393-7A6C-4C76-88CE-6B1F6FF6FFE9} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
O2 - BHO: BHOImp Class - {70AFF2CB-9DA2-499C-8D15-900729FCE83D} - C:\WINDOWS\system32\YHBO.dll
O2 - BHO: Spoolsv Class - {9C363D55-07D7-433d-A13E-D9C105202F6F} - C:\WINDOWS\system32\drivers\spoolsv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Macromedia. Flash8 Object - {C61A70F3-505E-4B90-916F-627A8706B4BC} - c:\WINDOWS\system32\FlashPlayer8OCX.dll
O2 - BHO: QuickBtn - {D1BB7CF4-4463-4e91-88D7-ECC3CE0A13B7} - C:\Program Files\kuzhan\kuzhan.dll
O2 - BHO: Microsoft Solo Browser Helper Object - {E3DB85B5-C559-4894-B474-42E89FAA1EFD} - C:\WINDOWS\system32\wuauclt.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Marketing Tips Messenger] C:\WINDOWS\Marketing Tips Messenger.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [C:\WINDOWS\wd2_051117_WIS205_mini.exe] C:\WINDOWS\wd2_051117_WIS205_mini.exe
O4 - HKLM\..\Run: [C:\WINDOWS\110045setup.exe] C:\WINDOWS\110045setup.exe
O4 - HKLM\..\Run: [C:\WINDOWS\bind_40254.exe] C:\WINDOWS\bind_40254.exe
O4 - HKLM\..\Run: [C:\WINDOWS\cocomusic51.exe] C:\WINDOWS\cocomusic51.exe
O4 - HKLM\..\Run: [C:\WINDOWS\tshz168.exe] C:\WINDOWS\tshz168.exe
O4 - HKLM\..\Run: [Update] C:\Program Files\Common Files\UPDATE2\Update.exe
O4 - HKLM\..\Run: [CdnCtr] C:\Program Files\CNNIC\Cdn\cdnup.exe
O4 - HKLM\..\Run: [spoolsv] C:\WINDOWS\system32\spoolsv\spoolsv.exe -printer
O4 - HKLM\..\Run: [C:\WINDOWS\101628.exe] C:\WINDOWS\101628.exe
O4 - HKLM\..\Run: [wdfmgr32] C:\WINDOWS\system32\wdfmgr32.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Startup Manager] C:\Documents and Settings\John\Application Data\Systweak\ASO 2\smstartUp manager.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnnt] C:\WINDOWS\winampa.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk.disabled
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Microsoft Office.lnk.disabled
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Updates from HP.lnk.disabled
O4 - Global Startup: UPS WorldShip PLD Reminder Utility.lnk = C:\UPS\UOWS\PldReminder.exe
O4 - Global Startup: WNW Tray Agent.lnk = C:\Program Files\Wiley\Webster's New World\HKML_SRV.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: ???QQ?? - C:\Documents and Settings\John\Desktop\New Folder\AddEmotion.htm
O8 - Extra context menu item: ???QQ???? - C:\Documents and Settings\John\Desktop\New Folder\AddToNetDisk.htm
O8 - Extra context menu item: ???QQ????? - C:\Documents and Settings\John\Desktop\New Folder\AddPanel.htm
O8 - Extra context menu item: ?QQ??????? - C:\Documents and Settings\John\Desktop\New Folder\SendMMS.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: ӵQQ - C:\Documents and Settings\John\Desktop\New Folder\AddEmotion.htm
O8 - Extra context menu item: ӵQQԶ - C:\Documents and Settings\John\Desktop\New Folder\AddPanel.htm
O8 - Extra context menu item: QQŷ͸ͼƬ - C:\Documents and Settings\John\Desktop\New Folder\SendMMS.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: վ - {1D901067-2529-4A9B-9B6B-7A1DB3A44CB5} - C:\Program Files\kuzhan\kuzhan.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Chinese Navigation - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
O9 - Extra 'Tools' menuitem: Chinese Navigation - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Documents and Settings\John\Desktop\New Folder\QQ.EXE (file missing)
O9 - Extra 'Tools' menuitem: ѶQQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Documents and Settings\John\Desktop\New Folder\QQ.EXE (file missing)
O9 - Extra button: Voiceglo directory - {C9B8ABB6-1CC3-4957-9CA3-053036B2EE3A} - C:\Documents and Settings\All Users\Desktop\Glophone.lnk (file missing)
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\quartz32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\pgplsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\pgplsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\pgplsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\pgplsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\quartz32.dll
O11 - Options group: [CDNCLIENT] Chinese Navigation
O11 - Options group: [TBH] ???????
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab
O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} (SupportSoft Script Runner Class) - http://autosupport.intuit.com/sdccommon/download/tgctlsr.cab
O16 - DPF: {01234567-1234-1234-1234-012345678921} - http://register.voiceglo.com/blue.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {3C200107-2959-4C6E-91B8-F6D911B398A8} (Driver_Detective_v43_Members.DD_v43) - http://www.drivershq.com/cab/prod/Driver_D...v43_Members.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by10fd.bay10.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://h20278.www2.hp.com/HPISWeb/Customer...SWebManager.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137276365281
O16 - DPF: {819EDD4C-7EB6-4D97-B831-D68B57E7D3ED} (Wyncs Control) - http://www.highschoolsports.net/Wyncs.cab
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq.com/cab/prod/Driver_D..._Non_Member.CAB
O16 - DPF: {88D8E8B7-A33B-4417-A385-8373484D43ED} (InstallHelper Class) - file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ThereInstallHelper.dll
O16 - DPF: {8B486EF6-6B2A-4A1E-BB0D-236CB2DBB8D2} (There Voice Trainer) - file://c:\Program Files\There\ThereClient\ThereVoiceTrainer.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A57B79D8-9501-42B7-BA9B-B961454712F2} (WLANinfo.WLANX) - https://www.jiwire.com/activeX/wlaninfo.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {AAF421E6-7914-430A-9981-72B31AFF3BF4} (There Launcher) - file://c:\Program Files\There\ThereClient\ThereLauncher.dll
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://photo.walmart.com/photo/uploads/WebUploadClient.cab
O16 - DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} (Util Class) - https://isupport4.hp.com/motivedocs/linklauncher/MotUtil.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: KB273100M.LOG
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS\system32\PGPserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

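The HijackThis log above shows the usual shape of a browser hijack: every IE start and search setting pointing at one host, Run entries whose value name is their own full path, and copies of system binaries (csrss.exe, spoolsv.exe) living outside system32. The Python below is an added example, not part of the thread and not a HijackThis tool: it runs those three checks over lines copied from the log; the directory expected for each system binary is an assumption about a standard XP install.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample: lines copied from the HijackThis log in the post above,
# plus a few clean entries for contrast. Paths are Windows-style, hence ntpath.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\csrss.exe
c:\windows\system32\inetsrv\csrss.exe
C:\WINDOWS\system32\spoolsv.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ld123.com/?p
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.ld123.com/?p
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ld123.com/?p
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000
O2 - BHO: Spoolsv Class - {9C363D55-07D7-433d-A13E-D9C105202F6F} - C:\WINDOWS\system32\drivers\spoolsv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [C:\WINDOWS\101628.exe] C:\WINDOWS\101628.exe
O4 - HKLM\..\Run: [spoolsv] C:\WINDOWS\system32\spoolsv\spoolsv.exe -printer
O4 - HKLM\..\Run: [wdfmgr32] C:\WINDOWS\system32\wdfmgr32.exe
"""

# System binaries whose names the log shows being borrowed, mapped to where the
# genuine file lives (assumption: a standard Windows XP install).
SYSTEM_BINARIES = {name: r"c:\windows\system32"
                   for name in ("csrss.exe", "spoolsv.exe", "wdfmgr.exe", "wuauclt.exe")}

PROC_RE = re.compile(r"^[A-Za-z]:\\.*\.exe$", re.IGNORECASE)
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
IE_RE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<setting>[^=]+?) = (?P<url>\S+)$")
BHO_RE = re.compile(r"^O2 - BHO: .* - \{[^}]+\} - (?P<path>.*)$")


def command_executable(cmd):
    """Pull the program path out of a Run command line, quoted or not."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else None
    m = re.match(r"(.+?\.(?:exe|dll|cpl))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else None


def logged_paths(lines):
    """Yield every file path the log records: processes, Run entries, BHOs."""
    for line in lines:
        run, bho = RUN_RE.match(line), BHO_RE.match(line)
        if PROC_RE.match(line):
            yield line
        elif run and command_executable(run["cmd"]):
            yield command_executable(run["cmd"])
        elif bho:
            yield bho["path"]


def hijacked_ie_hosts(lines, min_settings=3):
    """Group R0/R1 start/search URLs by host. One host owning several settings
    at once is the hijack pattern above (every setting -> www.ld123.com)."""
    by_host = defaultdict(list)
    for m in filter(None, map(IE_RE.match, lines)):
        host = re.match(r"https?://([^/:]+)", m["url"], re.IGNORECASE)
        if host:  # non-URL values such as ProxyServer are skipped
            by_host[host.group(1).lower()].append(m["setting"])
    return {h: s for h, s in by_host.items() if len(s) >= min_settings}


def masquerading_binaries(lines):
    """Flag files wearing a system binary's name in the wrong directory, as a
    DLL, or with a numeric suffix (csrss.exe under inetsrv, spoolsv.dll, wdfmgr32.exe)."""
    findings = []
    for path in logged_paths(lines):
        directory, filename = (part.lower() for part in ntpath.split(path))
        stem = ntpath.splitext(filename)[0].rstrip("0123456789")
        if filename in SYSTEM_BINARIES:
            if directory != SYSTEM_BINARIES[filename]:
                findings.append((path, "outside " + SYSTEM_BINARIES[filename]))
        elif stem + ".exe" in SYSTEM_BINARIES:
            findings.append((path, "named after " + stem + ".exe"))
    return findings


def suspicious_run_entries(lines):
    """Flag Run entries whose value name is the program's own full path, or
    whose program was dropped straight into the Windows folder."""
    findings = []
    for m in filter(None, map(RUN_RE.match, lines)):
        exe = command_executable(m["cmd"])
        if not exe:
            continue
        reasons = [reason for hit, reason in (
            (m["name"].lower() == exe.lower(), "value name is the program's own path"),
            (ntpath.dirname(exe).lower() == r"c:\windows", "program sits directly in the Windows folder"),
        ) if hit]
        if reasons:
            findings.append((m["name"], exe, reasons))
    return findings


def report(text=SAMPLE_LOG):
    """Run all three checks over a log and return the findings together."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    return {"hijacked_hosts": hijacked_ie_hosts(lines),
            "masquerading": masquerading_binaries(lines),
            "run_entries": suspicious_run_entries(lines)}
```

Feed `report()` the full log text and it flags the same entries a helper would pick out by hand first: the ld123.com settings, the inetsrv copy of csrss.exe, the spoolsv.dll BHO, and the numeric-named Run entry.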

#2 Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands

Posted 20 September 2006 - 06:23 AM

Hi yuehan, :thumbsup:

We're studying your log right now and will be back to you a.s.a.p.

Thanks for your patience. :flowers:

#3 yuehan
  • Topic Starter

  • Members
  • 5 posts

Posted 20 September 2006 - 06:38 AM

Now I'm on my laptop with some further info.

First, every time I boot, I get a popup with a bunch of gibberish in it that I assume would be Chinese characters on a Chinese system. It has "yes" and "no" buttons, but I don't know what the question is, so I haven't clicked on either. I just terminate the task. After I terminate, I get the message asking me if I want to tell Microsoft about this problem, and that message says the name of the program is "setstartpage.exe".

Another thing that happens every time I boot is that I get continuous "Registry Change Denied" messages from Spybot S&D Resident. Apparently, whatever is trying to change this is running in a loop, and will never stop trying to make the change.

Before I ran HijackThis and created the log in the previous message, I think I had killed both of the above tasks, so you might not see them in the log of running tasks.

In the following messages are the other logs. This is way too much for a single message here.

If anyone is able to help me, thanks in advance!

Best regards,
John


Here's the Stinger log; it's empty:


STINGER log

McAfee AVERT Stinger Version 2.6.0. built on Apr 5 2006
Copyright © 2005 Networks Associates Technology, Inc. All Rights Reserved.
Virus data file v1000 created on Feb 2 2006.
Ready to scan for 55 viruses, trojans and variants.
Scan initiated on Tue Sep 19 17:09:27 2006
Number of clean files: 657589

#4 yuehan
  • Topic Starter

  • Members
  • 5 posts

Posted 20 September 2006 - 06:40 AM

The 3 Ad-Aware logs for 3 consecutive runs:


AD-AWARE log 1

Ad-Aware SE Build 1.06r1
Logfile Created on:Sunday, September 17, 2006 3:05:12 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R123 14.09.2006


References detected during the scan:

Adware.Allsum(TAC index:3):7 total references
Adware.DuDu(TAC index:4):2 total references
MRU List(TAC index:0):13 total references
Other(TAC index:5):1 total references
OurXin(TAC index:3):2 total references


Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Search for low-risk threats
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


9-17-2006 3:05:12 PM - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : C:\Documents and Settings\John\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : S-1-5-21-4029058516-3661508422-1393777180-1006\software\adobe\adobe acrobat\6.0\avgeneral\crecentfiles
Description : list of recently used files in adobe acrobat


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-4029058516-3661508422-1393777180-1006\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : S-1-5-21-4029058516-3661508422-1393777180-1006\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : S-1-5-21-4029058516-3661508422-1393777180-1006\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-4029058516-3661508422-1393777180-1006\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-4029058516-3661508422-1393777180-1006\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-4029058516-3661508422-1393777180-1006\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : S-1-5-21-4029058516-3661508422-1393777180-1006\software\microsoft\windows\currentversion\explorer\runmru
Description : mru list for items opened in start | run


MRU List Object Recognized!
Location: : S-1-5-21-4029058516-3661508422-1393777180-1006\software\winrar\dialogedithistory\extrpath
Description : winrar "extract-to" history


Listing running processes


#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 164
ThreadCreationTime : 9-17-2006 6:55:59 AM
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 252
ThreadCreationTime : 9-17-2006 6:56:18 AM
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 276
ThreadCreationTime : 9-17-2006 6:56:21 AM
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 320
ThreadCreationTime : 9-17-2006 6:56:26 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft Windows Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 332
ThreadCreationTime : 9-17-2006 6:56:26 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft Windows Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 476
ThreadCreationTime : 9-17-2006 6:56:29 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft Windows Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 556
ThreadCreationTime : 9-17-2006 6:56:33 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft Windows Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 620
ThreadCreationTime : 9-17-2006 6:56:35 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft Windows Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 992
ThreadCreationTime : 9-17-2006 6:58:14 AM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft Windows Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:10 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 1276
ThreadCreationTime : 9-17-2006 7:04:15 AM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:

New critical objects: 0
Objects found so far: 13


Started registry scan


Registry Scan result:

New critical objects: 0
Objects found so far: 13


Started deep registry scan


Adware.DuDu Object Recognized!
Type : RegValue
Data :
TAC Rating : 4
Category : Adware
Comment : "C:\WINDOWS\101628.exe"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Run
Value : C:\WINDOWS\101628.exe

Adware.DuDu Object Recognized!
Type : File
Data : 101628.exe
TAC Rating : 4
Category : Adware
Comment :
Object : c:\windows\
FileVersion : 1, 0, 2, 0
ProductVersion : 1, 0, 2, 0
ProductName : dmremotesetup
CompanyName : 1000 Oaks
FileDescription : dmremotesetup
InternalName : dmremotesetup
LegalCopyright : Copyright ? 2005
OriginalFilename : dmremotesetup.exe


Adware.Allsum Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Adware
Comment : "spoolsv"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Run
Value : spoolsv

Adware.Allsum Object Recognized!
Type : File
Data : spoolsv.exe
TAC Rating : 3
Category : Adware
Comment :
Object : c:\windows\system32\spoolsv\
FileVersion : 2, 0, 0, 3
ProductVersion : 2, 0, 0, 3
ProductName : ?????????
CompanyName : ????????????
FileDescription : ?????????
InternalName : spoolsv.exe
LegalCopyright : Copyright © 2006
LegalTrademarks : ??™
OriginalFilename : spoolsv.exe
Comments : ?????????


Deep registry scan result:

New critical objects: 2
Objects found so far: 17


Started Tracking Cookie scan



Tracking cookie scan result:

New critical objects: 0
Objects found so far: 17



Deep scanning and examining files (C:)


Adware.Allsum Object Recognized!
Type : File
Data : IEHelper_4896.dll
TAC Rating : 3
Category : Adware
Comment :
Object : C:\Documents and Settings\All Users\Application Data\Microsoft\IEHelper\
FileVersion : 1, 3, 3, 0
ProductVersion : 1, 3, 3, 0
ProductName : IEHelper Module
CompanyName : Microsoft Corporation
FileDescription : IEHelper Module
InternalName : IEHelper
LegalCopyright : Copyright 2005
OriginalFilename : IEHelper.DLL


Adware.Allsum Object Recognized!
Type : File
Data : IEHelper_5097.dll
TAC Rating : 3
Category : Adware
Comment :
Object : C:\Documents and Settings\All Users\Application Data\Microsoft\IEHelper\
FileVersion : 1, 3, 3, 0
ProductVersion : 1, 3, 3, 0
ProductName : IEHelper Module
CompanyName : Microsoft Corporation
FileDescription : IEHelper Module
InternalName : IEHelper
LegalCopyright : Copyright 2005
OriginalFilename : IEHelper.DLL


Adware.Allsum Object Recognized!
Type : File
Data : A0032381.dll
TAC Rating : 3
Category : Adware
Comment :
Object : C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP289\
FileVersion : 2, 0, 0, 1
ProductVersion : 2, 0, 0, 1
ProductName : ?????????
CompanyName : ????????????
FileDescription : ?????????
InternalName : bse.dll
LegalCopyright : Copyright © 2006
LegalTrademarks : ??™
OriginalFilename : bse.dll
Comments : ?????????


Adware.Allsum Object Recognized!
Type : File
Data : A0032383.dll
TAC Rating : 3
Category : Adware
Comment :
Object : C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP289\
FileVersion : 1, 3, 3, 0
ProductVersion : 1, 3, 3, 0
ProductName : IEHelper Module
CompanyName : Microsoft Corporation
FileDescription : IEHelper Module
InternalName : IEHelper
LegalCopyright : Copyright 2005
OriginalFilename : IEHelper.DLL


OurXin Object Recognized!
Type : File
Data : ntjcn.emm
TAC Rating : 3
Category : Misc
Comment :
Object : C:\WINDOWS\system32\1116\ntjdo\
FileVersion : 2, 0, 0, 1
ProductVersion : 2, 0, 0, 1
ProductName : ?????????
CompanyName : ????????????
FileDescription : ?????????
InternalName : msibm.dll
LegalCopyright : Copyright © 2006
LegalTrademarks : ??™
OriginalFilename : msibm.dll
Comments : ?????????


Adware.Allsum Object Recognized!
Type : File
Data : tqppmtw.fyf
TAC Rating : 3
Category : Adware
Comment :
Object : C:\WINDOWS\system32\1116\tqppmtw\
FileVersion : 2, 0, 0, 3
ProductVersion : 2, 0, 0, 3
ProductName : ?????????
CompanyName : ????????????
FileDescription : ?????????
InternalName : spoolsv.exe
LegalCopyright : Copyright © 2006
LegalTrademarks : ??™
OriginalFilename : spoolsv.exe
Comments : ?????????


OurXin Object Recognized!
Type : File
Data : msibm.dll
TAC Rating : 3
Category : Misc
Comment :
Object : C:\WINDOWS\system32\msicn\
FileVersion : 2, 0, 0, 1
ProductVersion : 2, 0, 0, 1
ProductName : ?????????
CompanyName : ????????????
FileDescription : ?????????
InternalName : msibm.dll
LegalCopyright : Copyright © 2006
LegalTrademarks : ??™
OriginalFilename : msibm.dll
Comments : ?????????


Disk Scan Result for C:\

New critical objects: 0
Objects found so far: 24


Deep scanning and examining files (D:)


Disk Scan Result for D:\

New critical objects: 0
Objects found so far: 24


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".


Hosts file scan result:

1 entries scanned.
New critical objects:0
Objects found so far: 24




Performing conditional scans...


Other Object Recognized!
Type : File
Data : SPOOLSV.EXE-1441D015.pf
TAC Rating : 7
Category : Malware
Comment :
Object : C:\WINDOWS\prefetch\



Conditional scan result:

New critical objects: 1
Objects found so far: 25

3:44:38 PM Scan Complete

Summary Of This Scan

Total scanning time:00:39:25.890
Objects scanned:346629
Objects identified:13
Objects ignored:0
New critical objects:13


AD-AWARE log 2


Ad-Aware SE Build 1.06r1
Logfile Created on:Sunday, September 17, 2006 4:32:39 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R123 14.09.2006


References detected during the scan:

Adware.Allsum(TAC index:3):3 total references
Adware.DuDu(TAC index:4):1 total references
OurXin(TAC index:3):1 total references


Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R123 14.09.2006
Internal build : 151
File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 780435 Bytes
Total size : 2528428 Bytes
Signature data size : 2479665 Bytes
Reference data size : 48251 Bytes
Signatures total : 68293
CSI Fingerprints total : 3774
CSI data size : 152723 Bytes
Target categories : 15
Target families : 971


Memory + processor status:
==========================
Number of processors : 2
Processor architecture : Intel Pentium IV
Memory available:67 %
Total physical memory:523564 kb
Available physical memory:348180 kb
Total page file size:1275616 kb
Available on page file:1188020 kb
Total virtual memory:2097024 kb
Available virtual memory:2036204 kb
OS:Microsoft Windows XP Professional Service Pack 2 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Search for low-risk threats
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


9-17-2006 4:32:39 PM - Scan started. (Full System Scan)

Listing running processes


#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 164
ThreadCreationTime : 9-17-2006 8:29:40 AM
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 252
ThreadCreationTime : 9-17-2006 8:29:59 AM
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 276
ThreadCreationTime : 9-17-2006 8:30:02 AM
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 320
ThreadCreationTime : 9-17-2006 8:30:07 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft Windows Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 332
ThreadCreationTime : 9-17-2006 8:30:08 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft Windows Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 476
ThreadCreationTime : 9-17-2006 8:30:11 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft Windows Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 552
ThreadCreationTime : 9-17-2006 8:30:14 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft Windows Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 608
ThreadCreationTime : 9-17-2006 8:30:16 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft Windows Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 884
ThreadCreationTime : 9-17-2006 8:30:51 AM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft Windows Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:10 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 1112
ThreadCreationTime : 9-17-2006 8:31:40 AM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:

New critical objects: 0
Objects found so far: 0


Started registry scan


Registry Scan result:

New critical objects: 0
Objects found so far: 0


Started deep registry scan


Deep registry scan result:

New critical objects: 0
Objects found so far: 0


Started Tracking Cookie scan



Tracking cookie scan result:

New critical objects: 0
Objects found so far: 0



Deep scanning and examining files (C:)


Adware.DuDu Object Recognized!
Type : File
Data : A0032414.exe
TAC Rating : 4
Category : Adware
Comment :
Object : C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP289\
FileVersion : 1, 0, 2, 0
ProductVersion : 1, 0, 2, 0
ProductName : dmremotesetup
CompanyName : 1000 Oaks
FileDescription : dmremotesetup
InternalName : dmremotesetup
LegalCopyright : Copyright ? 2005
OriginalFilename : dmremotesetup.exe


Adware.Allsum Object Recognized!
Type : File
Data : A0032415.exe
TAC Rating : 3
Category : Adware
Comment :
Object : C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP289\
FileVersion : 2, 0, 0, 3
ProductVersion : 2, 0, 0, 3
ProductName : ?????????
CompanyName : ????????????
FileDescription : ?????????
InternalName : spoolsv.exe
LegalCopyright : Copyright © 2006
LegalTrademarks : ??™
OriginalFilename : spoolsv.exe
Comments : ?????????


Adware.Allsum Object Recognized!
Type : File
Data : A0032416.dll
TAC Rating : 3
Category : Adware
Comment :
Object : C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP289\
FileVersion : 1, 3, 3, 0
ProductVersion : 1, 3, 3, 0
ProductName : IEHelper Module
CompanyName : Microsoft Corporation
FileDescription : IEHelper Module
InternalName : IEHelper
LegalCopyright : Copyright 2005
OriginalFilename : IEHelper.DLL


Adware.Allsum Object Recognized!
Type : File
Data : A0032417.dll
TAC Rating : 3
Category : Adware
Comment :
Object : C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP289\
FileVersion : 1, 3, 3, 0
ProductVersion : 1, 3, 3, 0
ProductName : IEHelper Module
CompanyName : Microsoft Corporation
FileDescription : IEHelper Module
InternalName : IEHelper
LegalCopyright : Copyright 2005
OriginalFilename : IEHelper.DLL


OurXin Object Recognized!
Type : File
Data : A0032418.dll
TAC Rating : 3
Category : Misc
Comment :
Object : C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP289\
FileVersion : 2, 0, 0, 1
ProductVersion : 2, 0, 0, 1
ProductName : ?????????
CompanyName : ????????????
FileDescription : ?????????
InternalName : msibm.dll
LegalCopyright : Copyright © 2006
LegalTrademarks : ??™
OriginalFilename : msibm.dll
Comments : ?????????


Disk Scan Result for C:\

New critical objects: 0
Objects found so far: 5


Deep scanning and examining files (D:)


Disk Scan Result for D:\

New critical objects: 0
Objects found so far: 5


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".


Hosts file scan result:

1 entries scanned.
New critical objects:0
Objects found so far: 5




Performing conditional scans...


Conditional scan result:

New critical objects: 0
Objects found so far: 5

5:12:34 PM Scan Complete

Summary Of This Scan

Total scanning time:00:39:54.562
Objects scanned:346616
Objects identified:5
Objects ignored:0
New critical objects:5


AD-AWARE log 3


Ad-Aware SE Build 1.06r1
Logfile Created on:Sunday, September 17, 2006 5:25:42 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R123 14.09.2006


References detected during the scan:

None


Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R123 14.09.2006
Internal build : 151
File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 780435 Bytes
Total size : 2528428 Bytes
Signature data size : 2479665 Bytes
Reference data size : 48251 Bytes
Signatures total : 68293
CSI Fingerprints total : 3774
CSI data size : 152723 Bytes
Target categories : 15
Target families : 971


Memory + processor status:
==========================
Number of processors : 2
Processor architecture : Intel Pentium IV
Memory available:67 %
Total physical memory:523564 kb
Available physical memory:350628 kb
Total page file size:1275616 kb
Available on page file:1188640 kb
Total virtual memory:2097024 kb
Available virtual memory:2035972 kb
OS:Microsoft Windows XP Professional Service Pack 2 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Search for low-risk threats
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


9-17-2006 5:25:42 PM - Scan started. (Full System Scan)

Listing running processes


#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 164
ThreadCreationTime : 9-17-2006 9:19:34 AM
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 252
ThreadCreationTime : 9-17-2006 9:19:52 AM
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 276
ThreadCreationTime : 9-17-2006 9:19:56 AM
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 320
ThreadCreationTime : 9-17-2006 9:20:00 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft Windows Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 332
ThreadCreationTime : 9-17-2006 9:20:01 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft Windows Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 480
ThreadCreationTime : 9-17-2006 9:20:04 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft Windows Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 556
ThreadCreationTime : 9-17-2006 9:20:07 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft Windows Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 612
ThreadCreationTime : 9-17-2006 9:20:09 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft Windows Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 876
ThreadCreationTime : 9-17-2006 9:20:35 AM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft Windows Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:10 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 1128
ThreadCreationTime : 9-17-2006 9:21:29 AM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:

New critical objects: 0
Objects found so far: 0


Started registry scan


Registry Scan result:

New critical objects: 0
Objects found so far: 0


Started deep registry scan


Deep registry scan result:

New critical objects: 0
Objects found so far: 0


Started Tracking Cookie scan



Tracking cookie scan result:

New critical objects: 0
Objects found so far: 0



Deep scanning and examining files (C:)


Disk Scan Result for C:\

New critical objects: 0
Objects found so far: 0


Deep scanning and examining files (D:)


Disk Scan Result for D:\

New critical objects: 0
Objects found so far: 0


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".


Hosts file scan result:

1 entries scanned.
New critical objects:0
Objects found so far: 0


6:05:08 PM Scan Complete

Summary Of This Scan

Total scanning time:00:39:26.953
Objects scanned:345929
Objects identified:0
Objects ignored:0
New critical objects:0
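
The three Ad-Aware logs above show the patterns worth recognising before trusting a file by its name: a Run-key autorun pointing at a numerically named executable dropped straight into C:\WINDOWS (101628.exe), a spoolsv.exe living in c:\windows\system32\spoolsv\ rather than in system32 itself, and a renamed copy (tqppmtw.fyf) whose version resource still says OriginalFilename spoolsv.exe. The script below is an added example, not code from this thread, from Lavasoft or from the poster. It parses records in the "Object Recognized!" format shown above and flags those three patterns; it also goes one step beyond the log by flagging file names that are one edit away from a real system process name. SAMPLE_LOG is constructed in the log's format (the crss.exe record is invented to exercise the lookalike check) and the table of expected home directories assumes a default C:\WINDOWS install.

```python
"""Flag impostor system binaries in Ad-Aware "Object Recognized!" records.
Added example, not code from the thread, Lavasoft or the poster. SAMPLE_LOG is
constructed in the thread's log format; the crss.exe record is invented."""
import re
from typing import Dict, List, Tuple

# Where the genuine copy lives on a default C:\WINDOWS install (assumption).
SYSTEM_BINARIES = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

SAMPLE_LOG = r"""
Adware.DuDu Object Recognized!
Type : RegValue
Object : Software\Microsoft\Windows\CurrentVersion\Run
Value : C:\WINDOWS\101628.exe

Adware.Allsum Object Recognized!
Type : File
Data : spoolsv.exe
Object : c:\windows\system32\spoolsv\
OriginalFilename : spoolsv.exe

Adware.Allsum Object Recognized!
Type : File
Data : tqppmtw.fyf
Object : c:\windows\system32\1116\tqppmtw\
OriginalFilename : spoolsv.exe

Constructed Object Recognized!
Type : File
Data : crss.exe
Object : c:\windows\system32\
OriginalFilename : crss.exe
"""

def parse_records(log: str) -> List[Dict[str, str]]:
    """One dict per 'Object Recognized!' block; 'Key : value' lines become entries."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in log.splitlines():
        line = raw.strip()
        header = re.match(r"^(.+?) Object Recognized!$", line)
        if header:
            current = {"family": header.group(1)}
            records.append(current)
        elif current and " :" in line:
            key, _, value = line.partition(" :")
            current[key.strip()] = value.strip()
    return records

def split_path(path: str) -> Tuple[str, str]:
    """Split a Windows path into (lower-cased directory, lower-cased file name)."""
    directory, _, name = path.strip('"').rstrip("\\").rpartition("\\")
    return directory.lower(), name.lower()

def one_edit_away(a: str, b: str) -> bool:
    """True when a and b differ by exactly one insertion, deletion or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]
    return a[i:] == b[i + 1:]

def triage(records: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (file name, reason) for every record that looks like an impostor."""
    findings: List[Tuple[str, str]] = []
    for rec in records:
        if rec.get("Type") == "RegValue":
            if rec.get("Object", "").lower().endswith(r"currentversion\run"):
                directory, name = split_path(rec.get("Value", ""))
                if directory == r"c:\windows" and name.rsplit(".", 1)[0].isdigit():
                    findings.append((name, "numeric-named autorun in %SystemRoot% root"))
            continue
        if rec.get("Type") != "File":
            continue
        directory = rec.get("Object", "").rstrip("\\").lower()
        name = rec.get("Data", "").lower()
        original = rec.get("OriginalFilename", "").lower()
        home = SYSTEM_BINARIES.get(name)
        if home is not None and directory != home:
            findings.append((name, f"system binary name outside its home {home}"))
        elif home is None and original in SYSTEM_BINARIES:
            findings.append((name, f"renamed copy, OriginalFilename claims {original}"))
        elif home is None:
            for known in SYSTEM_BINARIES:
                if one_edit_away(name, known):
                    findings.append((name, f"lookalike of {known}"))
                    break
    return findings
```

Calling `triage(parse_records(SAMPLE_LOG))` returns four findings, one per sample record. The same name-and-path checks apply to the HijackThis O4 Run entries and O2 BHO paths posted later in the thread. They are a first filter only: a file with the right name in the right directory can still be a trojaned replacement, and a version resource claiming "Microsoft Corporation" (as IEHelper.dll does above) proves nothing, since anyone can write those strings. Only a hash or Authenticode signature check against a known-good copy settles it.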

#5 yuehan

yuehan
  • Topic Starter
  • Members
  • 5 posts

Posted 20 September 2006 - 06:52 AM

OK, thanks!
I have the other logs if you want to see them.


Hi yuehan, :thumbsup:

We're studying your log right now and will be back to you a.s.a.p.

Thanks for your patience. :flowers:



#6 Falu

Falu
  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands

Posted 30 September 2006 - 02:44 PM

Hi yuehan,

Welcome to BleepingComputer Forums and thanks again for your patience.

I am very sorry for the delay.

Please read through this post before doing anything so you know what you're supposed to do. You may also print it.

1. Backdoor.CVM is active on your computer. This is a Trojan horse that opens a back door and can provide unauthorized access to a compromised computer.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable and it would be wise to contact those same financial institutions to apprise them of your situation.

2. Download LSP-Fix!

Disconnect from the Internet and close all Internet Explorer Windows. Run the program and check the "I know what I'm doing" box. Place all listings of quartz32.dll into the remove section by highlighting quartz32.dll and clicking on the button that points to the right. When all instances of this dll are in the Remove section press the Finish button.

Then Reboot.

To see a tutorial on how to use this program click the link below:

Using LSP-Fix to remove LSP Spyware & Hijackers

3. I see you are running Teatimer. Of course this is very good but now you have to disable it because it can interfere with the changes you'll make on your system. When your log is clean, you can enable it again; I will let you know.

> Run Spybot S&D, go to the Mode menu and select Advanced Mode;
> On the left hand side choose Tools > Resident;
> Uncheck Resident Teatimer and click Ok (close Spybot).

4. Please download Qoofix by RubbeR DuckY from http://www.malwarebytes.org/Qoofix.zip
  • Unzip all files to a convenient location such as C:\Qoofix.
  • Go to the folder where you unzipped all files and run Qoofix.exe.
  • Click Begin Removal and wait for the scan to finish.
  • If an infection has been found, select yes to restart your computer.
5. Download ewido anti-spyware from HERE and save that file to your desktop.
  • Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run ewido and update the definition files.
  • On the main screen select the "Update" icon then click "Start Update". The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
  • Select "Automatically generate report after every scan"
  • Un-Select "Only if threats were found"
Close ewido anti-spyware.

6. Reboot and as the computer starts up, just before Windows starts to load, tap the F8 key a few times and then choose Safe Mode from the menu that will appear.

7.
  • Launch ewido-anti-spyware by double-clicking the icon on your desktop.
    IMPORTANT: Do not open any other windows or programs while ewido is scanning; it may interfere with the scanning process.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan"
  • Ewido will now begin the scanning process, be patient this may take a little time.
  • Ewido will list any infections found on the left hand side. When the scan has finished, it should automatically set the recommended action to Quarantine--if not click on Recommended Action and set it there. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
  • Close ewido.
8. Reboot to go back into Normal Mode.

9. Run HijackThis, click the Config... button, then go to the Misc Tools section and click Open Uninstall Manager. You'll see a list of programs; click on Save List...

The file "uninstall_list.txt" will be created. Copy and paste the contents of this file to your next reply.

10.

> IE6 settings have been changed, including default page and search pages.

When I click this site (http://www.ld123.com/?p), which is okayed by the way by McAfee Site Advisor, I see Chinese characters, so I have no clue what it is about. Do you know what this is; is it a site you want, or is this the one you refer to in your comment above?

Please post the Ewido report together with the uninstall_list.txt, the Qoofix logfile and a new HijackThis log.



=====================================
Download ATF Cleaner by Atribune. Do not run it yet.

5. Download ewido anti-spyware from HERE and save that file to your desktop.
  • Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run ewido and update the definition files.
  • On the main screen select the "Update" icon then click "Start Update". The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
  • Select "Automatically generate report after every scan"
  • Un-Select "Only if threats were found"
Close ewido anti-spyware; we'll run it later!

6. Run HijackThis, click Scan and checkmark the following entries:

R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
R3 - URLSearchHook: (no name) - {DB8B2393-7A6C-4C76-88CE-6B1F6FF6FFE9} - (no file)
O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
O2 - BHO: Spoolsv Class - {9C363D55-07D7-433d-A13E-D9C105202F6F} - C:\WINDOWS\system32\drivers\spoolsv.dll
O2 - BHO: Macromedia. Flash8 Object - {C61A70F3-505E-4B90-916F-627A8706B4BC} - c:\WINDOWS\system32\FlashPlayer8OCX.dll
O2 - BHO: QuickBtn - {D1BB7CF4-4463-4e91-88D7-ECC3CE0A13B7} - C:\Program Files\kuzhan\kuzhan.dll
O2 - BHO: Microsoft Solo Browser Helper Object - {E3DB85B5-C559-4894-B474-42E89FAA1EFD} - C:\WINDOWS\system32\wuauclt.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [C:\WINDOWS\wd2_051117_WIS205_mini.exe] C:\WINDOWS\wd2_051117_WIS205_mini.exe
O4 - HKLM\..\Run: [C:\WINDOWS\110045setup.exe] C:\WINDOWS\110045setup.exe
O4 - HKLM\..\Run: [C:\WINDOWS\bind_40254.exe] C:\WINDOWS\bind_40254.exe
O4 - HKLM\..\Run: [C:\WINDOWS\cocomusic51.exe] C:\WINDOWS\cocomusic51.exe
O4 - HKLM\..\Run: [C:\WINDOWS\tshz168.exe] C:\WINDOWS\tshz168.exe
O4 - HKLM\..\Run: [Update] C:\Program Files\Common Files\UPDATE2\Update.exe
O4 - HKLM\..\Run: [CdnCtr] C:\Program Files\CNNIC\Cdn\cdnup.exe
O4 - HKLM\..\Run: [C:\WINDOWS\101628.exe] C:\WINDOWS\101628.exe
O4 - HKLM\..\Run: [wdfmgr32] C:\WINDOWS\system32\wdfmgr32.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [msnnt] C:\WINDOWS\winampa.exe
O8 - Extra context menu item: ???QQ?? - C:\Documents and Settings\John\Desktop\New Folder\AddEmotion.htm
O8 - Extra context menu item: ???QQ???? - C:\Documents and Settings\John\Desktop\New Folder\AddToNetDisk.htm
O8 - Extra context menu item: ???QQ????? - C:\Documents and Settings\John\Desktop\New Folder\AddPanel.htm
O8 - Extra context menu item: ?QQ??????? - C:\Documents and Settings\John\Desktop\New Folder\SendMMS.htm
O8 - Extra context menu item: ӵQQ - C:\Documents and Settings\John\Desktop\New Folder\AddEmotion.htm
O8 - Extra context menu item: ӵQQԶ - C:\Documents and Settings\John\Desktop\New Folder\AddPanel.htm
O8 - Extra context menu item: QQŷ͸ͼƬ - C:\Documents and Settings\John\Desktop\New Folder\SendMMS.htm
O9 - Extra button: վ - {1D901067-2529-4A9B-9B6B-7A1DB3A44CB5} - C:\Program Files\kuzhan\kuzhan.dll
O9 - Extra button: Chinese Navigation - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
O9 - Extra 'Tools' menuitem: Chinese Navigation - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Documents and Settings\John\Desktop\New Folder\QQ.EXE (file missing)
O9 - Extra 'Tools' menuitem: ѶQQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Documents and Settings\John\Desktop\New Folder\QQ.EXE (file missing)
O9 - Extra button: Voiceglo directory - {C9B8ABB6-1CC3-4957-9CA3-053036B2EE3A} - C:\Documents and Settings\All Users\Desktop\Glophone.lnk (file missing)
O11 - Options group: [CDNCLIENT] Chinese Navigation
O11 - Options group: [TBH] ???????
O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} (SupportSoft Script Runner Class) - http://autosupport.intuit.com/sdccommon/download/tgctlsr.cab
O16 - DPF: {01234567-1234-1234-1234-012345678921} - http://register.voiceglo.com/blue.cab
O16 - DPF: {819EDD4C-7EB6-4D97-B831-D68B57E7D3ED} (Wyncs Control) - http://www.highschoolsports.net/Wyncs.cab
O16 - DPF: {88D8E8B7-A33B-4417-A385-8373484D43ED} (InstallHelper Class) - file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ThereInstallHelper.dll
O16 - DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} (Util Class) - https://isupport4.hp.com/motivedocs/linklauncher/MotUtil.cab
O20 - AppInit_DLLs: KB273100M.LOG


> IE6 settings have been changed, including default page and search pages.

When I click this site (http://www.ld123.com/?p), which is okayed by the way by McAfee Site Advisor, I see Chinese characters, so I have no clue what it is about. Do you know what this is; is it a site you want, or is this the one you refer to in your comment above? If you don't know it and/or don't want it, checkmark these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.ld123.com/?p
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ld123.com/?p
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.ld123.com/?p
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ld123.com/?p
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.ld123.com/?p
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ld123.com/?p
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.ld123.com/?p
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ld123.com/?p
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.ld123.com/?p
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ld123.com/?p
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.ld123.com/?p
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ld123.com/?p
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.ld123.com/?p
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.ld123.com/?p
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.ld123.com/?p


> O4 - HKCU\..\Run: [Startup Manager] C:\Documents and Settings\John\Application Data\Systweak\ASO 2\smstartUp manager.exe

This one looks legit, but I can't find much info on it; do you know it? If not, checkmark the entry as well.

> Weatherbug is a program that sits in your System Tray (next to the clock) and delivers the weather. It used to come with spyware, and whilst the latest version is spyware free, it is an advertisement-supported program which many users find annoying. There is a very good ad-free alternative: Weather Pulse!

Right-click the Weatherbug icon on your taskbar and delete it. Then click Start > All Programmes and search the list for Weatherbug: click Uninstall Weatherbug. Checkmark the following entry:

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

Close all browsers and windows, except for HijackThis and click the Fix Checked button; close HijackThis!

7. Make sure you can view all files. Click Start > My Computer > Tools > Folder Options > View. Check "Show hidden files and folders", uncheck "Hide protected operating system files" and "Hide extensions for known file types". Click "Apply to all folders" > Apply, then OK.

8. Reboot and as the computer starts up, just before Windows starts to load, tap the F8 key a few times and then choose Safe Mode from the menu that will appear.

9. Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete the following folders in bold if listed:

C:\PROGRA~1\CNNIC
C:\Program Files\kuzhan


.......... and files in bold if listed:

C:\WINDOWS\system32\drivers\spoolsv.dll
c:\WINDOWS\system32\FlashPlayer8OCX.dll


O2 - BHO: Macromedia. Flash8 Object - {C61A70F3-505E-4B90-916F-627A8706B4BC} -
O2 - BHO: QuickBtn - {D1BB7CF4-4463-4e91-88D7-ECC3CE0A13B7} - \kuzhan.dll
O2 - BHO: Microsoft Solo Browser Helper Object - {E3DB85B5-C559-4894-B474-42E89FAA1EFD} - C:\WINDOWS\system32\wuauclt.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [C:\WINDOWS\wd2_051117_WIS205_mini.exe] C:\WINDOWS\wd2_051117_WIS205_mini.exe
O4 - HKLM\..\Run: [C:\WINDOWS\110045setup.exe] C:\WINDOWS\110045setup.exe
O4 - HKLM\..\Run: [C:\WINDOWS\bind_40254.exe] C:\WINDOWS\bind_40254.exe
O4 - HKLM\..\Run: [C:\WINDOWS\cocomusic51.exe] C:\WINDOWS\cocomusic51.exe
O4 - HKLM\..\Run: [C:\WINDOWS\tshz168.exe] C:\WINDOWS\tshz168.exe
O4 - HKLM\..\Run: [Update] C:\Program Files\Common Files\UPDATE2\Update.exe
O4 - HKLM\..\Run: [CdnCtr] C:\Program Files\CNNIC\Cdn\cdnup.exe
O4 - HKLM\..\Run: [C:\WINDOWS\101628.exe] C:\WINDOWS\101628.exe
O4 - HKLM\..\Run: [wdfmgr32] C:\WINDOWS\system32\wdfmgr32.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [msnnt] C:\WINDOWS\winampa.exe
O8 - Extra context menu item: ???QQ?? - C:\Documents and Settings\John\Desktop\New Folder\AddEmotion.htm
O8 - Extra context menu item: ???QQ???? - C:\Documents and Settings\John\Desktop\New Folder\AddToNetDisk.htm
O8 - Extra context menu item: ???QQ????? - C:\Documents and Settings\John\Desktop\New Folder\AddPanel.htm
O8 - Extra context menu item: ?QQ??????? - C:\Documents and Settings\John\Desktop\New Folder\SendMMS.htm
O8 - Extra context menu item: ӵQQ - C:\Documents and Settings\John\Desktop\New Folder\AddEmotion.htm
O8 - Extra context menu item: ӵQQԶ - C:\Documents and Settings\John\Desktop\New Folder\AddPanel.htm
O8 - Extra context menu item: QQŷ͸ͼƬ - C:\Documents and Settings\John\Desktop\New Folder\SendMMS.htm
O9 - Extra button: վ - {1D901067-2529-4A9B-9B6B-7A1DB3A44CB5} - C:\Program Files\kuzhan\kuzhan.dll
O9 - Extra button: Chinese Navigation - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
O9 - Extra 'Tools' menuitem: Chinese Navigation - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Documents and Settings\John\Desktop\New Folder\QQ.EXE (file missing)
O9 - Extra 'Tools' menuitem: ѶQQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Documents and Settings\John\Desktop\New Folder\QQ.EXE (file missing)
O9 - Extra button: Voiceglo directory - {C9B8ABB6-1CC3-4957-9CA3-053036B2EE3A} - C:\Documents and Settings\All Users\Desktop\Glophone.lnk (file missing)
O11 - Options group: [CDNCLIENT] Chinese Navigation
O11 - Options group: [TBH] ???????
O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} (SupportSoft Script Runner Class) - http://autosupport.intuit.com/sdccommon/download/tgctlsr.cab
O16 - DPF: {01234567-1234-1234-1234-012345678921} - http://register.voiceglo.com/blue.cab
O16 - DPF: {819EDD4C-7EB6-4D97-B831-D68B57E7D3ED} (Wyncs Control) - http://www.highschoolsports.net/Wyncs.cab
O16 - DPF: {88D8E8B7-A33B-4417-A385-8373484D43ED} (InstallHelper Class) - file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ThereInstallHelper.dll

Let me know if you had problems with this step.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use the Firefox browser: click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser: click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
  • Launch ewido-anti-spyware by double-clicking the icon on your desktop.
    IMPORTANT: Do not open any other windows or programs while ewido is scanning; it may interfere with the scanning process.
  • Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
  • Ewido will now begin the scanning process, be patient this may take a little time.
  • Ewido will list any infections found on the left hand side. When the scan has finished, it should automatically set the recommended action to Quarantine--if not click on Recommended Action and set it there. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
  • Close ewido.
Finally, you're using an outdated version of Java (the latest one is Java Runtime Environment (JRE) 5.0 Update 8). Please update and remove the older versions. Do the following:
  • Go to Start > Control Panel, double-click on the Software icon > Add/Remove Programs.
  • Search in the list for all previously installed versions of Java. (J2SE Runtime Environment.... )

    It should have the following icon next to it: [image]
    Select it and click Remove.
  • Then download and install the newest version from here: Java Runtime Environment (JRE) 5.0 Update 8
Please post the Ewido report together with a new HijackThis log!
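As an added example (not code from this thread, from the helper, or from the HijackThis tool itself), here is a small Python script that parses log lines in the format quoted throughout this reply and flags the same patterns the helper is acting on: the whole set of R0/R1 browser settings pointing at one URL, O4 Run values named after their own path, entries marked "(file missing)", an O16 ActiveX download entry sourced from a local file, and a non-empty O20 AppInit_DLLs value. The rule names and thresholds are my own choices; the sample log is a constructed subset copied from the entries quoted above.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the entries quoted in this thread,
# plus one benign Run line (KernelFaultCheck) for contrast.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ld123.com/?p
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.ld123.com/?p
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ld123.com/?p
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.ld123.com/?p
O4 - HKLM\..\Run: [C:\WINDOWS\bind_40254.exe] C:\WINDOWS\bind_40254.exe
O4 - HKLM\..\Run: [CdnCtr] C:\Program Files\CNNIC\Cdn\cdnup.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {88D8E8B7-A33B-4417-A385-8373484D43ED} (InstallHelper Class) - file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ThereInstallHelper.dll
O20 - AppInit_DLLs: KB273100M.LOG
"""

# "<code> - <body>" is the shape of every HijackThis entry (R0, R1, O2, O4, ...).
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.*)$")
# R0/R1 bodies: "<registry key>,<value name> = <data>"
REG_RE = re.compile(r"^(?P<key>[^,]+),(?P<name>[^=]+?) = (?P<value>.*)$")
# O4 bodies: "HKLM\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<where>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def parse_log(text):
    """Split a HijackThis log into (code, body) pairs, skipping any other text."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def analyze(text):
    """Return a list of (rule, detail) findings for the given log text."""
    entries = parse_log(text)
    findings = []

    # Rule 1: many R0/R1 browser settings rewritten to the same external URL is the
    # classic start/search page hijack seen in this thread (threshold is my choice).
    url_hits = defaultdict(list)
    for code, body in entries:
        if code in ("R0", "R1"):
            m = REG_RE.match(body)
            if m and m.group("value").lower().startswith(("http://", "https://")):
                url_hits[m.group("value")].append(body)
    for url, hits in url_hits.items():
        if len(hits) >= 3:
            findings.append(("homepage_search_hijack", f"{url} set in {len(hits)} entries"))

    for code, body in entries:
        # Rule 2: a Run value whose name is its own full path, the pattern the
        # dropped C:\WINDOWS\*.exe entries in this log share.
        if code == "O4":
            m = RUN_RE.match(body)
            if m and m.group("name").strip().lower() == m.group("cmd").strip().lower():
                findings.append(("run_entry_named_by_path", body))
        # Rule 3: entries whose target file no longer exists (stale after removal).
        if "(file missing)" in body:
            findings.append(("orphaned_entry", body))
        # Rule 4: an ActiveX download entry that points at the local file system
        # instead of a web host.
        if code == "O16" and "file://" in body.lower():
            findings.append(("dpf_local_file", body))
        # Rule 5: anything listed in AppInit_DLLs is loaded into every process that
        # loads user32.dll, so a non-empty value always deserves a look.
        if code == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            findings.append(("appinit_dll", body))
    return findings


if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_LOG):
        print(f"[{rule}] {detail}")
```

Run it as-is to see the five findings from the sample, or feed it the text of a saved log instead of SAMPLE_LOG. It only reads the log text; it does not touch the registry or delete anything, so it is a triage aid for reading a log, not a replacement for the Fix Checked step above.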



