
Multiple IE Browser Pop-ups


8 replies to this topic

#1 MrHan (Members, 5 posts)

Posted 25 November 2006 - 05:10 AM

Dear BleepingComputer forumers,

Recently my PC's performance has slowed down tremendously, and there are dozens of IE browser windows with Chinese porn popping up. I've never subscribed to or even visited such sites. In addition to that, I do not even use IE as my Internet browser (I'm using Mozilla Firefox).

I've done multiple scans, as you recommend (Ad-Aware, Spybot, AVG, Kaspersky, CounterSpy etc.), but the problem still persists.

Below is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 5:55:51 PM, on 11/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CNNIC\Cdn\cdnup.exe
C:\WINDOWS\system32\Com\SERVICES.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\Media\winlogon.exe
C:\WINDOWS\system32\Fast.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Veoh\VeohClientService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\11644479331.exe
C:\Program Files\HJT\analyse.exe
C:\WINDOWS\system\updata.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sqqd.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://client.jogo.cn/cdn/browser/customse...msearch-en.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.macromedia.com/shockwave/downlo...om/default.html
R3 - URLSearchHook: Abobe Flash Play9 - {BD328E49-38AB-42CB-8EEA-73AA4CD2A6FD} - C:\Program Files\Abobe Flash Play 9\Abobe Flash Player 9.dll (file missing)
R3 - URLSearchHook: ToolbarURLSearchHook Class - {CA3EB689-8F09-4026-AA10-B9534C691CE0} - C:\PROGRA~1\ABOBEF~1\tbhelper.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: XBTBPos00 - {24877DDE-0D18-400D-B119-40F067A05BDF} - C:\PROGRA~1\ABOBEF~1\CAB301~1.DLL
O2 - BHO: CNNIC อ๘ย็นคพ฿Drag - {352E3B3A-CAB5-4DBC-B940-C7F84D0447D8} - C:\PROGRA~1\CNNIC\Cdn\cdndrag.dll (file missing)
O2 - BHO: TBSB00889 - {3766A838-11CD-424e-BDE1-693300AA6086} - C:\PROGRA~1\ABOBEF~1\ABOBEF~1.DLL (file missing)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O2 - BHO: WMHlprObj Class - {F5824EFB-728A-4726-A5A5-85A68B20EDC3} - C:\PROGRA~1\CNNIC\Cdn\wmhlpr.dll (file missing)
O3 - Toolbar: blueserver toolbar - {83ef376d-8874-4769-a2e7-7096480e7def} - C:\Program Files\blueserver\tbblu1.dll
O3 - Toolbar: Abobe Flash Play9 - {BD328E49-38AB-42CB-8EEA-73AA4CD2A6FD} - C:\Program Files\Abobe Flash Play 9\Abobe Flash Player 9.dll (file missing)
O3 - Toolbar: Abobe Flash Play 9 - {494F50A2-6CDB-43FF-BA83-85D32038D04C} - C:\Program Files\Abobe Flash Play 9\Cab301b48.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\system32\fast.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SOUNDM] win32smd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [sdmmrnm] D;]XJOEPXT]ufnq]te262/fyf
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [mhsystem] C:\DOCUME~1\Han\LOCALS~1\Temp\mhsystem.exe
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [CdnCtr] C:\Program Files\CNNIC\Cdn\cdnup.exe
O4 - HKCU\..\Run: [npad_ql] C:\WINDOWS\system32\Npad.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Chinese Navigation - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
O9 - Extra 'Tools' menuitem: Chinese Navigation - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\cdnns.dll' missing
O11 - Options group: [CDNCLIENT] Chinese Navigation
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} (TricksterActiveX Control) - http://www.tricksteronline.com/control/tricksterActiveX.cab
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.tricksteronline.com/control/KALogoutComponent.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://eclaims.com.my/eclaims/general/XUpload.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{9DE8C310-71CA-48EE-A728-7E88848D831A}: NameServer = 202.188.0.133,202.188.1.5
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: KB532793M.LOG
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: AdobePDF - {D92D666A-0F7B-5892-A7E8-29340333F07E} - c:\program files\internet explorer\PLUGINS\nppdf.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: C73E74C8 - Unknown owner - C:\WINDOWS\system32\C73E74C8.EXE (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\RpcSandraSrv.exe
O23 - Service: Veoh Client Service - Veoh Networks, Inc. - C:\Program Files\Veoh\VeohClientService.exe
O23 - Service: VKTServ - Unknown owner - C:\WINDOWS\system32\VKTServ.exe (file missing)


Kindly advise and guide me through the removal process of whatever virus/malware/spyware/adware has infected my PC.

Thanks and regards.


#2 SifuMike (malware expert, Staff Emeritus, 15,385 posts)

Posted 25 November 2006 - 01:22 PM

Hello MrHan,

I am SifuMike and I will be helping you.

You have a very bad Chinese infection. :thumbsup:

Download this file - combofix.exe

and save it to your desktop (Important).

Also save the below command in Notepad as a text file so that you can copy/paste in safe mode.

"%userprofile%\desktop\combofix.exe" /wow

Then, reboot to Safe Mode as follows:
-Restart your computer.
-When the machine first starts again, tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
-Select the option for Safe Mode using the arrow keys.
-Press Enter to boot into Safe Mode.

Go to Start --> Run and copy/paste in the following:

"%userprofile%\desktop\combofix.exe" /wow

When finished, it shall produce a log for you. Save it and post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


In your next post, please include:
- a new HijackThis log
- the ComboFix log

*Use separate posts to ensure the logs don't get cut off!

Edited by SifuMike, 25 November 2006 - 01:26 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 MrHan (Topic Starter, Members, 5 posts)

Posted 25 November 2006 - 08:35 PM

Dear SifuMike,

Thank you very much for your reply. I've gone through the ComboFix scan and this is my new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:23:56 AM, on 11/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\Media\winlogon.exe
C:\WINDOWS\system32\Fast.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Veoh\VeohClientService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\system32\NOTEPAD2.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system\updata.exe
C:\Program Files\HJT\analyse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sqqd.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.macromedia.com/shockwave/downlo...om/default.html
R3 - URLSearchHook: Abobe Flash Play9 - {BD328E49-38AB-42CB-8EEA-73AA4CD2A6FD} - C:\Program Files\Abobe Flash Play 9\Abobe Flash Player 9.dll (file missing)
R3 - URLSearchHook: ToolbarURLSearchHook Class - {CA3EB689-8F09-4026-AA10-B9534C691CE0} - C:\PROGRA~1\ABOBEF~1\tbu03190\tbhelper.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: XBTBPos00 - {24877DDE-0D18-400D-B119-40F067A05BDF} - C:\PROGRA~1\ABOBEF~1\tbu03190\CAB301~1.DLL (file missing)
O2 - BHO: TBSB00889 - {3766A838-11CD-424e-BDE1-693300AA6086} - C:\PROGRA~1\ABOBEF~1\ABOBEF~1.DLL (file missing)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: blueserver toolbar - {83ef376d-8874-4769-a2e7-7096480e7def} - C:\Program Files\blueserver\tbblu1.dll
O3 - Toolbar: Abobe Flash Play9 - {BD328E49-38AB-42CB-8EEA-73AA4CD2A6FD} - C:\Program Files\Abobe Flash Play 9\Abobe Flash Player 9.dll (file missing)
O3 - Toolbar: Abobe Flash Play 9 - {494F50A2-6CDB-43FF-BA83-85D32038D04C} - C:\Program Files\Abobe Flash Play 9\tbu03190\Cab301b48.dll (file missing)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\system32\fast.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [sdmmrnm] D;]XJOEPXT]ufnq]te262/fyf
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [mhsystem] C:\DOCUME~1\Han\LOCALS~1\Temp\mhsystem.exe
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKCU\..\Run: [npad_ql] C:\WINDOWS\system32\Npad.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} (TricksterActiveX Control) - http://www.tricksteronline.com/control/tricksterActiveX.cab
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.tricksteronline.com/control/KALogoutComponent.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://eclaims.com.my/eclaims/general/XUpload.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{9DE8C310-71CA-48EE-A728-7E88848D831A}: NameServer = 202.188.0.133,202.188.1.5
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: AdobePDF - {D92D666A-0F7B-5892-A7E8-29340333F07E} - c:\program files\internet explorer\PLUGINS\nppdf.dll (file missing)
O23 - Service: 959CA180 - Unknown owner - C:\WINDOWS\system32\959CA180.EXE (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: C73E74C8 - Unknown owner - C:\WINDOWS\system32\C73E74C8.EXE (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\RpcSandraSrv.exe
O23 - Service: Veoh Client Service - Veoh Networks, Inc. - C:\Program Files\Veoh\VeohClientService.exe
O23 - Service: VKTServ - Unknown owner - C:\WINDOWS\system32\VKTServ.exe (file missing)
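The two HijackThis logs above are easier to compare with a little tooling. The following Python script is an added example written for this page; it is not code from the thread, from HijackThis or from ComboFix. It parses HijackThis entry lines, flags the patterns a helper looks for (a registration whose file is missing, an autorun launched from a Temp folder, a service with an 8-hex-digit name, a broken LSP entry, an AppInit_DLLs value that is not a .dll), and diffs the first log against the second to show what the ComboFix run removed, what appeared afterwards, and which flagged entries survived. The heuristics are my own, and the shift-by-one decode tried on the odd `[sdmmrnm]` value is a hypothesis of mine, not a finding from the thread. The sample lines are copied from the two logs above and trimmed so the script runs offline.

```python
import re

# Constructed sample input: a handful of entry lines copied from the two
# HijackThis logs in this thread (LOG_BEFORE from the first post, LOG_AFTER
# from the post made after the ComboFix run), trimmed so this runs offline.
LOG_BEFORE = r"""
O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [sdmmrnm] D;]XJOEPXT]ufnq]te262/fyf
O4 - HKLM\..\Run: [mhsystem] C:\DOCUME~1\Han\LOCALS~1\Temp\mhsystem.exe
O4 - HKLM\..\Run: [CdnCtr] C:\Program Files\CNNIC\Cdn\cdnup.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\cdnns.dll' missing
O20 - AppInit_DLLs: KB532793M.LOG
O23 - Service: C73E74C8 - Unknown owner - C:\WINDOWS\system32\C73E74C8.EXE (file missing)
"""

LOG_AFTER = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [sdmmrnm] D;]XJOEPXT]ufnq]te262/fyf
O4 - HKLM\..\Run: [mhsystem] C:\DOCUME~1\Han\LOCALS~1\Temp\mhsystem.exe
O23 - Service: 959CA180 - Unknown owner - C:\WINDOWS\system32\959CA180.EXE (file missing)
O23 - Service: C73E74C8 - Unknown owner - C:\WINDOWS\system32\C73E74C8.EXE (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d{1,2}) - (?P<body>.+)$")  # "O4 - ..." lines
RUN_RE = re.compile(r"Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")     # O4 autorun value
SERVICE_RE = re.compile(r"Service: (?P<name>[^-]+) -")               # O23 service name
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")
HEX_NAME_RE = re.compile(r"^[0-9A-F]{8}$")


def parse(log_text):
    """Return (kind, body) pairs for every HijackThis entry line; skip the rest."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def shift_decode(text, shift=1):
    """Undo a per-character code-point shift (my hypothesis for the [sdmmrnm] value)."""
    return "".join(chr(ord(c) - shift) for c in text)


def looks_like_command(value):
    """Crude test for 'this is a Windows path or command' versus junk."""
    return bool(DRIVE_PATH_RE.match(value)) or value.startswith("%") or ".exe" in value.lower()


def flag_entry(kind, body):
    """Return the reasons (possibly none) this entry deserves a closer look."""
    reasons = []
    if "(file missing)" in body:
        reasons.append("registered component whose file is gone")
    if kind == "O4" and (m := RUN_RE.search(body)):
        cmd = m.group("cmd")
        if "\\temp\\" in cmd.lower():
            reasons.append("autorun launched from a Temp directory")
        elif not looks_like_command(cmd):
            decoded = shift_decode(cmd)
            if looks_like_command(decoded):
                reasons.append(f"obfuscated autorun; shift-by-one decode gives {decoded}")
            else:
                reasons.append("autorun value is not a recognisable command")
    if kind == "O23" and (m := SERVICE_RE.search(body)) and HEX_NAME_RE.match(m.group("name").strip()):
        reasons.append("service with a random-looking 8-hex-digit name")
    if kind == "O10":
        reasons.append("Winsock LSP chain is broken (missing provider DLL)")
    if kind == "O20" and body.startswith("AppInit_DLLs:"):
        value = body.split(":", 1)[1].strip()
        if value and not value.lower().endswith(".dll"):
            reasons.append("AppInit_DLLs injects a file without a .dll extension into every process")
    return reasons


def triage(log_text):
    """Map each flagged entry line to its reasons; clean entries are omitted."""
    result = {}
    for kind, body in parse(log_text):
        reasons = flag_entry(kind, body)
        if reasons:
            result[f"{kind} - {body}"] = reasons
    return result


def diff_logs(before, after):
    """What a cleanup removed, what appeared afterwards, and which flagged entries survived."""
    b = {f"{k} - {v}" for k, v in parse(before)}
    a = {f"{k} - {v}" for k, v in parse(after)}
    return {
        "removed": sorted(b - a),
        "new": sorted(a - b),
        "surviving_flagged": sorted(l for l in a & b if flag_entry(*l.split(" - ", 1))),
    }


if __name__ == "__main__":
    for line, reasons in triage(LOG_BEFORE).items():
        print(line)
        for reason in reasons:
            print("   ->", reason)
    for section, lines in diff_logs(LOG_BEFORE, LOG_AFTER).items():
        print(f"\n[{section}]")
        for line in lines:
            print("  ", line)
```

Run it as-is to see the triage of the first log and the before/after diff; to use it on full logs, paste each complete HijackThis log into the two string constants. The diff view is the useful part in a thread like this one: entries that persist across a cleanup run (here the Temp-folder autorun, the obfuscated autorun value and the hex-named service) are the ones a helper would ask about next, while a new hex-named service appearing after the run suggests the infection is still active.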


#4 MrHan (Topic Starter, Members, 5 posts)

Posted 25 November 2006 - 08:40 PM

And this is the ComboFix log:

Han - 06-11-26 9:11:55.64 Service Pack 2
ComboFix 06.11.22W - Running from: "C:\Documents and Settings\Han\desktop"
Command switches used :: /wow

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\svchost.dll
C:\Documents and Settings\All Users\Templates\temp.exe
C:\Program Files\Common Files\System\Update.dat
C:\Program Files\Common Files\System\Update.exe
C:\INSTALL.LOG
C:\WINDOWS\532793M.BMP
C:\WINDOWS\cast.config
C:\WINDOWS\castp.dat
C:\WINDOWS\castvxml.dat
C:\WINDOWS\castxml.dat
C:\WINDOWS\kb910436.log
C:\WINDOWS\mrgtask.ini
C:\WINDOWS\system32\advport.dll
C:\WINDOWS\system32\cdnprot.dat
C:\WINDOWS\system32\rundllfromwin2000.exe
C:\WINDOWS\system32\scia.dll
C:\WINDOWS\system32\SCIntruder32.dll
C:\WINDOWS\system32\Score.txt
C:\WINDOWS\system32\svchost.dll
C:\WINDOWS\system32\wbauninstall.exe
C:\WINDOWS\system32\armhec06.dll
C:\WINDOWS\system32\brpbyp15.dll
C:\WINDOWS\system32\caeapg12.dll
C:\WINDOWS\system32\cwbfwb64.dll
C:\WINDOWS\system32\cxztye72.dll
C:\WINDOWS\system32\dfxpnc39.dll
C:\WINDOWS\system32\dkgrvv12.dll
C:\WINDOWS\system32\dmsmta50.dll
C:\WINDOWS\system32\ebmecq03.dll
C:\WINDOWS\system32\elgzfc83.dll
C:\WINDOWS\system32\eyirkp33.dll
C:\WINDOWS\system32\fadsaa39.dll
C:\WINDOWS\system32\fteans46.dll
C:\WINDOWS\system32\gnylnc00.dll
C:\WINDOWS\system32\golzgd09.dll
C:\WINDOWS\system32\gsblzr54.dll
C:\WINDOWS\system32\hoxryp85.dll
C:\WINDOWS\system32\hqyooe27.dll
C:\WINDOWS\system32\hrdyeg14.dll
C:\WINDOWS\system32\hxlweg86.dll
C:\WINDOWS\system32\ietsjr20.dll
C:\WINDOWS\system32\irpflg43.dll
C:\WINDOWS\system32\ixykbk84.dll
C:\WINDOWS\system32\iyfzst13.dll
C:\WINDOWS\system32\jeykbh11.dll
C:\WINDOWS\system32\lgncsd62.dll
C:\WINDOWS\system32\lhpvfp12.dll
C:\WINDOWS\system32\lycmdq26.dll
C:\WINDOWS\system32\muxavc89.dll
C:\WINDOWS\system32\oxpmcf83.dll
C:\WINDOWS\system32\pkepjr30.dll
C:\WINDOWS\system32\qpnhiz62.dll
C:\WINDOWS\system32\qvhjhg90.dll
C:\WINDOWS\system32\rhlsxg67.dll
C:\WINDOWS\system32\rxbgby19.dll
C:\WINDOWS\system32\seunog03.dll
C:\WINDOWS\system32\snwrzx30.dll
C:\WINDOWS\system32\tjsikw53.dll
C:\WINDOWS\system32\ukqafl51.dll
C:\WINDOWS\system32\unpdav22.dll
C:\WINDOWS\system32\wfibrq36.dll
C:\WINDOWS\system32\wpvxwt10.dll
C:\WINDOWS\system32\wquudq83.dll
C:\WINDOWS\system32\wyzdqy59.dll
C:\WINDOWS\system32\ylqqlh59.dll
C:\WINDOWS\system32\ynhokf43.dll
C:\WINDOWS\system32\ytzrey84.dll
C:\WINDOWS\system32\wbem\aepyie93.dll
C:\WINDOWS\system32\wbem\agdtlk41.dll
C:\WINDOWS\system32\wbem\aowkvz01.dll
C:\WINDOWS\system32\wbem\bbqsri69.dll
C:\WINDOWS\system32\wbem\bcjspb81.dll
C:\WINDOWS\system32\wbem\bneiuf75.dll
C:\WINDOWS\system32\wbem\cdxnet55.dll
C:\WINDOWS\system32\wbem\cgrdac98.dll
C:\WINDOWS\system32\wbem\chbkfv98.dll
C:\WINDOWS\system32\wbem\cioyey43.dll
C:\WINDOWS\system32\wbem\cvwwbz07.dll
C:\WINDOWS\system32\wbem\dagyxx04.dll
C:\WINDOWS\system32\wbem\dezviv39.dll
C:\WINDOWS\system32\wbem\drrvxd71.dll
C:\WINDOWS\system32\wbem\eprigo45.dll
C:\WINDOWS\system32\wbem\ewfpjf26.dll
C:\WINDOWS\system32\wbem\fhojzj86.dll
C:\WINDOWS\system32\wbem\fjeegl99.dll
C:\WINDOWS\system32\wbem\fnepyo88.dll
C:\WINDOWS\system32\wbem\fqtnac79.dll
C:\WINDOWS\system32\wbem\frizat68.dll
C:\WINDOWS\system32\wbem\hzfbvs31.dll
C:\WINDOWS\system32\wbem\ipcvrk83.dll
C:\WINDOWS\system32\wbem\iyyscd55.dll
C:\WINDOWS\system32\wbem\jrhwdh90.dll
C:\WINDOWS\system32\wbem\jrrhgw06.dll
C:\WINDOWS\system32\wbem\jwpyor04.dll
C:\WINDOWS\system32\wbem\mlnbsf34.dll
C:\WINDOWS\system32\wbem\mrihej35.dll
C:\WINDOWS\system32\wbem\nrzrrr12.dll
C:\WINDOWS\system32\wbem\ojwyvn68.dll
C:\WINDOWS\system32\wbem\phftoo60.dll
C:\WINDOWS\system32\wbem\qihffg51.dll
C:\WINDOWS\system32\wbem\qsdmsa36.dll
C:\WINDOWS\system32\wbem\qvobfp18.dll
C:\WINDOWS\system32\wbem\rcgehr13.dll
C:\WINDOWS\system32\wbem\rumdry40.dll
C:\WINDOWS\system32\wbem\runpke93.dll
C:\WINDOWS\system32\wbem\sdvxtf04.dll
C:\WINDOWS\system32\wbem\skqjum17.dll
C:\WINDOWS\system32\wbem\upqpxm25.dll
C:\WINDOWS\system32\wbem\vwbkqb84.dll
C:\WINDOWS\system32\wbem\wvbrci55.dll
C:\WINDOWS\system32\wbem\wyeabu68.dll
C:\WINDOWS\system32\wbem\xfmerb20.dll
C:\WINDOWS\system32\wbem\xkafpm61.dll
C:\WINDOWS\system32\wbem\xpgabe93.dll
C:\WINDOWS\system32\wbem\ypqmwz66.dll
C:\WINDOWS\system32\drivers\cdnprot.sys
C:\WINDOWS\system32\wbem\ocmor.dll
C:\WINDOWS\system32\drivers\msqmx.sys
C:\WINDOWS\system32\drivers\cdntran.sys
C:\WINDOWS\system32\kb20060926a.exe
C:\Documents and Settings\All Users\Documents\Monolith Productions\FEAR\Profiles\_desktop.ini
C:\Documents and Settings\All Users\Documents\Monolith Productions\FEAR\Save\Profile000\SinglePlayer\Checkpoint\Working\_desktop.ini
C:\Documents and Settings\All Users\Documents\Monolith Productions\FEAR\Save\Profile000\SinglePlayer\Checkpoint\_desktop.ini
C:\Documents and Settings\All Users\Documents\Monolith Productions\FEAR\Save\Profile000\SinglePlayer\QuickSave\_desktop.ini
C:\Documents and Settings\All Users\Documents\Monolith Productions\FEAR\Save\Profile000\SinglePlayer\Reload\Working\_desktop.ini
C:\Documents and Settings\All Users\Documents\Monolith Productions\FEAR\Save\Profile000\SinglePlayer\Reload\_desktop.ini
C:\Documents and Settings\All Users\Documents\Monolith Productions\FEAR\Save\Profile000\SinglePlayer\Working\_desktop.ini
C:\Documents and Settings\All Users\Documents\Monolith Productions\FEAR\Save\Profile000\SinglePlayer\_desktop.ini
C:\Documents and Settings\All Users\Documents\Monolith Productions\FEAR\Save\Profile000\_desktop.ini
C:\Documents and Settings\All Users\Documents\Monolith Productions\FEAR\Save\_desktop.ini
C:\Documents and Settings\All Users\Documents\Monolith Productions\FEAR\ServerOptions\_desktop.ini
C:\Documents and Settings\All Users\Documents\Monolith Productions\FEAR\_desktop.ini
C:\Documents and Settings\All Users\Documents\Monolith Productions\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Music\My Playlists\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Music\Sample Music\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\000C187F\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Music\Sync Playlists\91C85\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Music\Sync Playlists\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Music\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Pictures\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Videos\_desktop.ini
C:\Documents and Settings\All Users\Documents\_desktop.ini
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\drivers\aieijgid.sys
C:\WINDOWS\system32\drivers\cdnprot.sys
C:\WINDOWS\system32\drivers\dfdifhdf.sys
C:\WINDOWS\system32\drivers\iggfcfih.sys
C:\Documents and Settings\Han\Application Data\Macromedia\Flash Player\#SharedObjects\UAYY5VBJ\www.inter-focus.cn
C:\Documents and Settings\Han\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.inter-focus.cn
C:\Program Files\CNNIC
C:\WINDOWS\system32\winup
C:\WINDOWS\system32\drivers\bbfzst92.sys
C:\WINDOWS\system32\bbfzst92.dll
C:\WINDOWS\system32\drivers\bkpkrh38.sys
C:\WINDOWS\system32\drivers\bsvpzc29.sys
C:\WINDOWS\system32\bsvpzc29.dll
C:\WINDOWS\system32\drivers\dgajxp63.sys
C:\WINDOWS\system32\drivers\gvyovd33.sys
C:\WINDOWS\system32\drivers\iuzbnh64.sys
C:\WINDOWS\system32\drivers\kmlmgs66.sys
C:\WINDOWS\system32\kmlmgs66.dll
C:\WINDOWS\system32\drivers\nsvuhn10.sys
C:\WINDOWS\system32\drivers\prwvts40.sys
C:\WINDOWS\system32\drivers\urmdzl26.sys
C:\WINDOWS\system32\urmdzl26.dll
C:\WINDOWS\system32\drivers\wjsbyk45.sys
C:\WINDOWS\system32\drivers\wowrrg68.sys
C:\WINDOWS\system32\wowrrg68.dll
C:\WINDOWS\system32\cdnns.dll


((((((((((((((((((((((((((((((( Files Created from 2006-10-26 to 2006-11-26 ))))))))))))))))))))))))))))))))))


2006-11-26 09:18 <DIR> d-------- C:\WINDOWS\erdnt
2006-11-26 08:14 121,344 --a------ C:\Sysinfo.exe
2006-11-26 08:09 20,480 --a------ C:\WINDOWS\system32\11644997581.exe
2006-11-26 07:07 20,480 --a------ C:\WINDOWS\system32\11644960231.exe
2006-11-26 06:04 20,480 --a------ C:\WINDOWS\system32\11644922881.exe
2006-11-26 05:00 20,480 --a------ C:\WINDOWS\system32\11644884161.exe
2006-11-26 03:56 20,480 --a------ C:\WINDOWS\system32\11644846051.exe
2006-11-26 03:42 20,480 --a------ C:\WINDOWS\system32\11644837281.exe
2006-11-26 03:35 156,816 --a------ C:\WINDOWS\system32\11644833272.exe
2006-11-26 03:34 20,480 --a------ C:\WINDOWS\system32\11644832921.exe
2006-11-26 03:28 46,464 --a------ C:\WINDOWS\system32\11644828932.exe
2006-11-26 03:27 20,480 --a------ C:\WINDOWS\system32\11644828581.exe
2006-11-26 02:33 20,480 --a------ C:\WINDOWS\system32\11644796161.exe
2006-11-25 18:42 398,336 --a------ C:\WINDOWS\system32\11644513735.exe
2006-11-25 18:41 20,480 --a------ C:\WINDOWS\system32\11644512801.exe
2006-11-25 18:29 20,480 --a------ C:\WINDOWS\system32\11644505901.exe
2006-11-25 17:45 20,480 --a------ C:\WINDOWS\system32\11644479331.exe
2006-11-25 17:28 <DIR> d-------- C:\Program Files\HJT
2006-11-25 17:16 398,336 --a------ C:\WINDOWS\system32\11644461835.exe
2006-11-25 17:13 20,480 --a------ C:\WINDOWS\system32\11644460271.exe
2006-11-25 16:10 20,480 --a------ C:\WINDOWS\system32\11644422451.exe
2006-11-25 15:08 20,480 --a------ C:\WINDOWS\system32\11644384981.exe
2006-11-25 14:31 20,480 --a------ C:\WINDOWS\system32\11644362741.exe
2006-11-25 03:29 24,748 --a------ C:\up_2.exe
2006-11-25 02:28 14,255 --a------ C:\up_1.exe
2006-11-24 22:25 <DIR> d-------- C:\Documents and Settings\Han\.housecall6.6
2006-11-24 22:10 79,360 --a------ C:\up_3.exe
2006-11-24 21:34 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2006-11-24 20:14 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2006-11-24 19:21 <DIR> dr-h----- C:\Documents and Settings\Han\Recent
2006-11-24 19:06 <DIR> d-------- C:\Program Files\Sunbelt Software
2006-11-24 18:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-11-24 18:44 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2006-11-24 18:30 9,182 --a------ C:\WINDOWS\system32\C119ED68.DLL
2006-11-24 18:30 9,182 --------- C:\WINDOWS\system32\C73E74C8.DLL
2006-11-24 18:30 36,794 --a------ C:\WINDOWS\system32\959CA180T.EXE
2006-11-24 18:28 <DIR> d-------- C:\Program Files\CCleaner
2006-11-24 18:21 129,024 --a------ C:\WINDOWS\11036.exe
2006-11-24 17:12 131,312 --a------ C:\WINDOWS\10586.exe
2006-11-24 15:22 8,941 --a------ C:\WINDOWS\system\updata.exe
2006-11-24 15:22 30,208 --a------ C:\WINDOWS\system\mhh.exe
2006-11-24 15:11 16,701 --a------ C:\WINDOWS\system\IEXPLORER.EXE
2006-11-24 10:21 50,820 --a------ C:\WINDOWS\system32\11643348782.exe
2006-11-24 06:01 398,336 --a------ C:\WINDOWS\system32\11643193185.exe
2006-11-23 22:07 398,336 --a------ C:\WINDOWS\system32\11642908525.exe
2006-11-23 20:00 131,312 --a------ C:\WINDOWS\setup235.exe
2006-11-23 18:39 <DIR> d-------- C:\WINDOWS\pss
2006-11-23 16:53 390,322 --a------ C:\WINDOWS\system32\11642719965.exe
2006-11-23 12:38 36,789 --a------ C:\WINDOWS\system32\jdsthu1.exe
2006-11-23 05:47 <DIR> d-------- C:\WINDOWS\Minidump
2006-11-23 05:44 398,336 --a------ C:\WINDOWS\system32\11642318865.exe
2006-11-23 02:35 398,336 --a------ C:\WINDOWS\system32\11642205065.exe
2006-11-22 22:31 <DIR> d-------- C:\Documents and Settings\Han\Application Data\BearShare
2006-11-22 22:30 <DIR> d-------- C:\Program Files\BearShare Applications
2006-11-21 03:57 10,270 --a------ C:\WINDOWS\system32\alexa.exe
2006-11-21 00:43 272,976 --a------ C:\WINDOWS\system32\11640409792.exe
2006-11-18 22:52 297,266 --a------ C:\WINDOWS\system32\11638615172.exe
2006-11-18 16:02 <DIR> d-------- C:\Program Files\Kaspersky Lab
2006-11-18 16:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2006-11-18 16:01 <DIR> d-------- C:\kav
2006-11-18 13:47 <DIR> d-------- C:\Program Files\Eudemons Online
2006-11-17 18:23 36,539 --a------ C:\WINDOWS\system32\updsffdsg1.exe
2006-11-17 05:30 10,164 --a------ C:\WINDOWS\system32\11637126312.exe
2006-11-16 09:08 9,376 --a------ C:\WINDOWS\system32\alexasp1.exe
2006-11-16 09:07 35,248 --a------ C:\WINDOWS\system32\A583F010T.EXE
2006-11-16 09:07 35,248 --a------ C:\WINDOWS\system32\A583F010.EXE
2006-11-16 09:07 30,883 --a------ C:\WINDOWS\system32\A583F010.DLL
2006-11-16 09:07 <DIR> d-------- C:\WINDOWS\system32\Media
2006-11-16 04:01 <DIR> d-------- C:\Program Files\Abobe Flash Play 9
2006-11-16 03:55 13,151 --a------ C:\WINDOWS\system32\C119ED68T.EXE
2006-11-16 03:55 13,151 --a------ C:\WINDOWS\system32\C119ED68.EXE
2006-11-15 21:09 8,704 --a------ C:\WINDOWS\system\cmmd.dll
2006-11-13 20:53 <DIR> d-------- C:\Incomplete
2006-11-13 20:52 <DIR> d-------- C:\Documents and Settings\Han\Application Data\FrostWire
2006-11-11 03:18 <DIR> d-------- C:\Program Files\Mozilla Thunderbird
2006-11-11 03:18 <DIR> d-------- C:\Documents and Settings\Han\Application Data\Thunderbird
2006-11-06 21:49 <DIR> d-------- C:\Documents and Settings\Han\Application Data\DivX
2006-11-05 21:25 130,048 --a------ C:\WINDOWS\system32\SpoonUninstall.exe
2006-11-05 21:25 <DIR> d-------- C:\Program Files\Illustrate
2006-11-05 21:18 <DIR> d-------- C:\Program Files\LitexMedia
2006-11-03 22:57 <DIR> d-------- C:\Program Files\blueserver
2006-10-30 19:00 <DIR> d-------- C:\Program Files\Lavasoft
2006-10-30 19:00 <DIR> d-------- C:\Documents and Settings\Han\Application Data\Lavasoft
2006-10-27 20:46 <DIR> d-------- C:\Program Files\Common Files\EasyInfo
2006-10-27 19:47 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-26 09:20 -------- d-------- C:\Program Files\Veoh
2006-11-26 09:17 -------- d-------- C:\Program Files\Common Files\System
2006-11-26 04:12 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-26 03:52 -------- d-------- C:\Documents and Settings\Han\Application Data\AVG7
2006-11-24 21:38 -------- d-------- C:\Program Files\Internet Explorer
2006-11-24 19:18 -------- d-------- C:\Program Files\Java
2006-11-24 16:12 -------- d-------- C:\Program Files\Common Files
2006-11-24 15:11 -------- d-------- C:\Program Files\WinRAR
2006-11-21 17:55 -------- d-------- C:\Program Files\Warcraft III
2006-11-20 22:40 2560 --a------ C:\WINDOWS\system32\BitCometRes.dll
2006-11-20 22:40 -------- d-------- C:\Program Files\BitComet
2006-11-19 03:30 -------- d-------- C:\Documents and Settings\Han\Application Data\Skype
2006-11-18 22:06 61072 --a------ C:\WINDOWS\system32\drivers\klick.sys
2006-11-18 22:06 59536 --a------ C:\WINDOWS\system32\drivers\klin.sys
2006-11-18 15:52 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-11-11 03:18 -------- d-------- C:\Documents and Settings\Han\Application Data\Mozilla
2006-11-06 21:42 -------- d-------- C:\Program Files\Sierra
2006-11-06 21:41 -------- d-------- C:\Program Files\Ntreev
2006-11-06 20:10 -------- d-------- C:\Program Files\DivX
2006-10-29 18:23 -------- d-------- C:\Program Files\id Software
2006-10-27 19:40 -------- d-------- C:\Program Files\Electronic Arts
2006-10-17 23:05 -------- d---s---- C:\Documents and Settings\Han\Application Data\Microsoft
2006-10-17 18:36 -------- d-------- C:\Program Files\Softnyx
2006-10-16 18:51 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2006-10-08 11:41 -------- d-------- C:\Program Files\Silkroad
2006-10-07 11:53 -------- d-------- C:\Documents and Settings\Han\Application Data\My Battle for Middle-earth™ II Files
2006-10-03 03:04 806912 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-10-03 03:04 806912 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-10-03 03:04 790528 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-10-03 03:04 635486 --a------ C:\WINDOWS\system32\DivX.dll
2006-09-29 23:04 -------- d-------- C:\Program Files\Riva
2006-09-29 23:04 -------- d-------- C:\Program Files\Common Files\SWF Studio
2006-09-26 22:07 -------- d-------- C:\Program Files\iTunes
2006-09-26 22:06 -------- d-------- C:\Program Files\QuickTime
2006-09-26 22:06 -------- d-------- C:\Program Files\iPod
2006-09-26 22:04 -------- d-------- C:\Program Files\Apple Software Update


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"npad_ql"="C:\\WINDOWS\\system32\\Npad.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"SoundMan"="SOUNDMAN.EXE"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"CoolSwitch"="C:\\WINDOWS\\system32\\taskswitch.exe"
"FastUser"="C:\\WINDOWS\\system32\\fast.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"LanguageShortcut"="\"C:\\Program Files\\CyberLink\\PowerDVD\\Language\\Language.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgemc.exe"
"AVG7_RegCleaner"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgregcl.exe /BOOT"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"kav"="\"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0\\avp.exe\""
@=""
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00
"sdmmrnm"="D;]XJOEPXT]ufnq]te262/fyf"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"mhsystem"="C:\\DOCUME~1\\Han\\LOCALS~1\\Temp\\mhsystem.exe"
"SunServer"="C:\\Program Files\\Sunbelt Software\\CounterSpy\\Consumer\\sunserver.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"npad_ql"="C:\\WINDOWS\\system32\\Npad.exe"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"npad_ql"="C:\\WINDOWS\\system32\\Npad.exe"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{1A404685-7563-4d02-B0F6-58B308A406A9}"=""
"{076394AD-7FDD-44EF-A075-32C68DBAB99B}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoInternetIcon"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableStatusMessages"=dword:00000000
"VerboseStatus"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"internet"="C:\\WINDOWS\\system\\updata.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoInternetIcon"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoInternetIcon"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
"AdobePDF"="{D92D666A-0F7B-5892-A7E8-29340333F07E}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
Security


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

Completion time: 06-11-26 9:21:12.07
C:\ComboFix.txt ... 06-11-26 09:21



Thanks and regards,

MrHan

#5 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:57 AM

Posted 26 November 2006 - 01:14 AM

Hello MrHan,

This Chinese infection is very nasty and difficult to remove.


Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial


*******************************************

How to Reboot into Safe Mode
Tap the F8 key during reboot until the boot menu appears, use the arrow keys to choose "Safe Mode" from the menu, then press the "Enter" key. If that does not work, go to this site: http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/



Please boot into Safe Mode and select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "Fix".

R3 - URLSearchHook: ToolbarURLSearchHook Class - {CA3EB689-8F09-4026-AA10-B9534C691CE0} - C:\PROGRA~1\ABOBEF~1\tbu03190\tbhelper.dll (file missing)
O2 - BHO: XBTBPos00 - {24877DDE-0D18-400D-B119-40F067A05BDF} - C:\PROGRA~1\ABOBEF~1\tbu03190\CAB301~1.DLL (file missing)
O2 - BHO: TBSB00889 - {3766A838-11CD-424e-BDE1-693300AA6086} - C:\PROGRA~1\ABOBEF~1\ABOBEF~1.DLL (file missing)
O4 - HKLM\..\Run: [sdmmrnm] D;]XJOEPXT]ufnq]te262/fyf
O4 - HKLM\..\Run: [mhsystem]C:\DOCUME~1\Han\LOCALS~1\Temp\mhsystem.exe
O4 - HKCU\..\Run: [npad_ql] C:\WINDOWS\system32\Npad.exe


If this domain does not belong to your Internet Service Provider or your firm's network, these entries should be fixed.
Do you know the Internet provider or domain '202.188.0.133,202.188.1.5'?
If not, fix this entry.



I looked up '202.188.0.133' and found this:

inetnum: 202.188.0.128 - 202.188.0.255
netname: INFRA-TMNET
descr: TMNET
country: MY
admin-c: TA35-AP
tech-c: TA35-AP
mnt-by: TM-NET-AP
changed: anieayop@tm.net.my 20040408
status: ASSIGNED NON-PORTABLE
source: APNIC
role: TMNET IP Administrators
address: Level 17 TM Annexe
address: Jalan Pantai Baru
address: 50672 Kuala Lumpur.
country: MY



O17 - HKLM\System\CCS\Services\Tcpip\..\{9DE8C310-71CA-48EE-A728-7E88848D831A}: NameServer = 202.188.0.133,202.188.1.5

O23 - Service: 959CA180 - Unknown owner - C:\WINDOWS\system32\959CA180.EXE (file missing)
O23 - Service: C73E74C8 - Unknown owner - C:\WINDOWS\system32\C73E74C8.EXE (file missing)
O23 - Service: VKTServ - Unknown owner - C:\WINDOWS\system32\VKTServ.exe (file missing)



*******************************************

Next, we're going on a file hunt.
Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'Show hidden files and folders',
deselect (uncheck) 'Hide protected operating system files (recommended)', and
deselect (uncheck) 'Hide extensions for known file types'.

Don't use the Windows Start\Search feature.
Using Windows Explorer, find and delete each of the following. If you can't delete an item, right-click it and click Properties. Make sure 'Read-only' is unchecked.
If you still can't delete something, right-click it and rename it to a random word. Then drag the item to a different location. Try deleting it now. If you still can't, be sure to let me know.
A folder or file name with a tilde (~) means that there is a file/folder that starts with the six characters in front of the tilde; note that there may be spaces in the name.

Using Windows Explorer, delete the following files/folders in bold (Do not be concerned if they do not exist)

C:\WINDOWS\system32\Npad.exe <==file
C:\WINDOWS\system32\Media\winlogon.exe <==file
C:\DOCUME~1\Han\LOCALS~1\Temp\mhsystem.exe <==file

*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
• Clean all entries in the "Internet Explorer" section except Cookies.
• Clean all the entries in the "Windows Explorer" section.
• Clean all entries in the "System" section.
• Clean all entries in the "Advanced" section.
• Clean any others that you choose.

In the Applications Tab:
• Clean all except cookies in the Firefox/Mozilla section if you use it.
• Clean all in the Opera section if you use it.
• Clean Sun Java in the Internet Section.
• Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************


Reboot to the Normal Mode.


Disable your antivirus program and go here http://www.bitdefender.com/scan8/ie.html and run an online scan with BitDefender (you will need to use Internet Explorer for this scan). When the ActiveX Control has loaded, click on "Click here to scan" and grab a coffee. Be patient, as it can take many hours to run.

When BitDefender completes the scan, select the "Detected Problems" tab.
Click on "Click here to export scan".
Save the file as an HTML to your Desktop.
Then click on the saved file and allow it to open with your browser.
Go to Edit - Select All then copy/paste that log back here.
Post the BitDefender log.

*******************************************



You have some suspicious files we need to check.

You will need to configure Windows to show Hidden files.

Go to Jotti Online File Scanner, copy and paste C:\WINDOWS\system\updata.exe into the upload box and scan it.

Also scan these files:
C:\WINDOWS\setup235.exe
C:\Sysinfo.exe
C:\WINDOWS\system32\11644479331.exe
C:\WINDOWS\system32\11644997581.exe
C:\WINDOWS\system32\11644960231.exe
C:\WINDOWS\11036.exe
C:\WINDOWS\10586.exe
C:\WINDOWS\system32\jdsthu1.exe


Let me know the results.
Copy and paste the outputs to this thread.

It should look something like this sample:

File: GoogleToolbarInstaller.exe
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
Packers detected: CEXE

AntiVir No viruses found (0.15 seconds taken)
Avast No viruses found (1.51 seconds taken)
BitDefender No viruses found (0.97 seconds taken)
ClamAV No viruses found (0.39 seconds taken)
Dr.Web No viruses found (0.52 seconds taken)
F-Prot Antivirus No viruses found (0.06 seconds taken)
Kaspersky Anti-Virus No viruses found (0.74 seconds taken)
mks_vir No viruses found (0.21 seconds taken)
NOD32 No viruses found (0.42 seconds taken)
Norman Virus Control No viruses found (0.40 seconds taken)



Post a new Hijackthis log, the BitDefender log, the Jotti scan logs, and tell me how your computer is running.

Edited by SifuMike, 26 November 2006 - 01:33 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
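Most of the work in the post above is pattern-matching by eye over the HijackThis entries: a system-binary name in a directory where it does not belong, an autostart living in a Temp folder, a DNS server that is not the ISP's, a service with no owner whose binary is gone. The following is an added example of that triage as a script, written for this page and not taken from the thread or from HijackThis/ComboFix. The sample lines are copied from the logs posted in this thread; the ISP range is the inetnum from the APNIC record quoted above. One inference is the editor's own and is not stated anywhere in the thread: the `sdmmrnm` value `D;]XJOEPXT]ufnq]te262/fyf` turns into a Windows path when every character is shifted down by one, so the script tries that decode on any Run value that is not a path itself.

```python
"""Triage of HijackThis-style startup entries (added example, not code from the thread).
Flags system binaries started from the wrong directory, autostarts in a Temp folder,
Run values whose characters are shifted up by one, ownerless services with no binary,
and DNS servers outside the ISP's WHOIS range."""
import ipaddress
import re

# Constructed sample input: lines copied from the HijackThis logs in this thread.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [sdmmrnm] D;]XJOEPXT]ufnq]te262/fyf
O4 - HKLM\..\Run: [mhsystem]C:\DOCUME~1\Han\LOCALS~1\Temp\mhsystem.exe
O4 - HKCU\..\Run: [npad_ql] C:\WINDOWS\system32\Npad.exe
O4 - HKLM\..\Run: [svc] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [rzt] C:\WINDOWS\Intel\rundll32.exe
O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\SERVICES.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O17 - HKLM\System\CCS\Services\Tcpip\..\{9DE8C310-71CA-48EE-A728-7E88848D831A}: NameServer = 202.188.0.133,202.188.1.5
O23 - Service: VKTServ - Unknown owner - C:\WINDOWS\system32\VKTServ.exe (file missing)
"""

# inetnum from the APNIC record quoted in the post (TMNET, 202.188.0.128 - 202.188.0.255).
TMNET_INETNUM = [("202.188.0.128", "202.188.0.255")]

SYSTEM32 = r"c:\windows\system32"
# Where each commonly impersonated binary legitimately lives on Windows XP.
LEGIT_HOME = {
    "smss.exe": {SYSTEM32}, "csrss.exe": {SYSTEM32}, "winlogon.exe": {SYSTEM32},
    "services.exe": {SYSTEM32}, "lsass.exe": {SYSTEM32}, "svchost.exe": {SYSTEM32},
    "rundll32.exe": {SYSTEM32}, "ctfmon.exe": {SYSTEM32}, "explorer.exe": {r"c:\windows"},
}

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,]+)")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?: \((?P<note>file missing)\))?$")
CMD_EXE_RE = re.compile(r'^\s*(?:"(?P<q>[^"]+)"|(?P<u>\S+))')
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\[^\x00-\x1f]+\.(?:exe|dll|com|scr|bat)$", re.IGNORECASE)

def executable(cmd):
    """First token of a Run value: the quoted or unquoted program path."""
    m = CMD_EXE_RE.match(cmd)
    return (m.group("q") or m.group("u")) if m else ""

def masquerade(path):
    """Reason string if a known system binary name runs outside its home, else None."""
    head, _, tail = path.lower().rpartition("\\")
    homes = LEGIT_HOME.get(tail)
    if not homes or not head or head in homes:   # unknown name, bare PATH lookup, or legit
        return None
    return f"{tail} running from {head}, expected {sorted(homes)[0]}"

def runs_from_temp(path):
    return "\\temp\\" in path.lower() or path.lower().startswith("%temp%")

def decode_shift(value, shift=1):
    """Undo a per-character ASCII shift (editor's inference: sdmmrnm is shifted up by one)."""
    return "".join(chr(ord(c) - shift) for c in value)

def looks_like_shifted_path(cmd):
    """Decoded path if cmd is not a path but becomes one after shifting down by one."""
    if WIN_PATH_RE.match(executable(cmd)):
        return None
    decoded = decode_shift(cmd)
    return decoded if WIN_PATH_RE.match(decoded) else None

def outside_ranges(servers, inetnums):
    """DNS servers that fall outside every (first, last) address range given."""
    nets = []
    for first, last in inetnums:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return [s for s in servers if not any(ipaddress.ip_address(s) in n for n in nets)]

def triage(text, isp_inetnums):
    """Return (entry name, reason) pairs for every suspicious line in a HijackThis log."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            name, cmd = m["name"], m["cmd"]
            exe = executable(cmd)
            if decoded := looks_like_shifted_path(cmd):
                findings.append((name, f"obfuscated path, decodes to {decoded}"))
            if runs_from_temp(exe):
                findings.append((name, "autostart from a Temp folder"))
            if reason := masquerade(exe):
                findings.append((name, reason))
        elif m := O17_RE.match(line):
            for ip in outside_ranges(m["servers"].split(","), isp_inetnums):
                findings.append(("NameServer", f"{ip} is outside the ISP's range, verify it"))
        elif m := O23_RE.match(line):
            if m["note"] and m["owner"] == "Unknown owner":
                findings.append((m["svc"], "service with unknown owner and missing binary"))
    return findings

if __name__ == "__main__": print(*triage(SAMPLE_HJT, TMNET_INETNUM), sep="\n")
```

Run against the sample it reports seven findings. Note that the second TMNET name server, 202.188.1.5, falls outside the /25 that the quoted APNIC record covers, so the script flags it: it needs its own WHOIS lookup rather than being assumed good because its neighbour checked out. The heuristics are deliberately narrow; they would not catch `Npad.exe`, which sits in the right directory under an unfamiliar name, and that kind of entry still needs the file-hash or online-scanner check the post asks for.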

#6 MrHan

MrHan
  • Topic Starter

  • Members
  • 5 posts
  • Local time:07:57 PM

Posted 27 November 2006 - 06:51 AM

Dear SifuMike,

Thank you for your reply. I followed the steps that you've given, but there are some problems...

1st of all, I couldn't find this file:

C:\DOCUME~1\Han\LOCALS~1\Temp\mhsystem.exe

I saw this instead,

C:\DOCUME~1\Han\LOCALS~1\Temp\mhs.exe

so, I did not delete it. Should I?

Then, I continued with CCleaner. When it's done, I booted into Normal Mode, like you said. It took ages just to get into Windows, and I get this error message saying my PC is running too low on virtual memory or something like that. So when I tried to open Internet Explorer to go for the BitDefender scan, I get this error message, 'Access is denied'.

I tried booting into Safe Mode with Networking, but that didn't give access to Internet Explorer either. Is there anything else that I could do?

Thanks.

#7 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:57 AM

Posted 27 November 2006 - 12:40 PM

1st of all, I couldn't find this file:
C:\DOCUME~1\Han\LOCALS~1\Temp\mhsystem.exe
I saw this instead,

C:\DOCUME~1\Han\LOCALS~1\Temp\mhs.exe
so, I did not delete it. Should I?


It really does not matter, as CCleaner will delete everything in the temp files.

Did you make the Hijackthis fixes?
Please post a fresh Hijackthis log.

Did you run the Jotti Online Scanner for those files?


Then, I continued with CCleaner. When it's done, I booted into Normal Mode, like you said. It took ages just to get into Windows, and I get this error message saying my PC is running too low on virtual memory or something like that. So when I tried to open Internet Explorer to go for the BitDefender scan, I get this error message, 'Access is denied'.



I need to know the exact message you are getting on your PC. "Something like that" is no help to me.
Is it IE giving you the 'access is denied' message or BitDefender? Is that the complete message?


Restart in Normal Mode and run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
Follow the Instruction on the F-Secure page for proper installation.
Accept the License Agreement.
Once the ActiveX installs, click Full System Scan.
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.
Click the Show Report button and Copy and Paste the entire report in your next reply.



Right-click an empty space on the taskbar (bottom of the screen) and select Task Manager.
Click the Processes tab and then click the column heading CPU twice. This will sort all processes top down by CPU usage.
Tell me what process is using all the CPU.
It is normal to have System Idle Process using most of the CPU as that is your free memory.

Edited by SifuMike, 27 November 2006 - 02:18 PM.


#8 MrHan

MrHan
  • Topic Starter

  • Members
  • 5 posts
  • Local time:07:57 PM

Posted 28 November 2006 - 06:23 AM

Dear SifuMike,

I booted into Safe Mode, and did a HijackThis scan. The following is the log file:

Logfile of HijackThis v1.99.1
Scan saved at 6:59:33 PM, on 11/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\WINDOWS\SERVICES.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Han\Desktop\analyse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sqqd.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.macromedia.com/shockwave/downlo...om/default.html
R3 - URLSearchHook: Abobe Flash Play9 - {BD328E49-38AB-42CB-8EEA-73AA4CD2A6FD} - C:\Program Files\Abobe Flash Play 9\Abobe Flash Player 9.dll (file missing)
F2 - REG:system.ini: Shell=Explorer.exe 1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
O2 - BHO: NS Security Class - {95AB740B-D32D-41E8-85EA-CED0FD08AE2B} - C:\WINDOWS\flashO.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O2 - BHO: Webacc - {CAC068F3-A608-406B-8581-458788A67694} - C:\WINDOWS\system32\svchost.dll
O3 - Toolbar: blueserver toolbar - {83ef376d-8874-4769-a2e7-7096480e7def} - C:\Program Files\blueserver\tbblu1.dll
O3 - Toolbar: Abobe Flash Play9 - {BD328E49-38AB-42CB-8EEA-73AA4CD2A6FD} - C:\Program Files\Abobe Flash Play 9\Abobe Flash Player 9.dll (file missing)
O3 - Toolbar: Abobe Flash Play 9 - {494F50A2-6CDB-43FF-BA83-85D32038D04C} - C:\Program Files\Abobe Flash Play 9\Cab301b48.dll (file missing)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\system32\fast.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [sdmmrnm] D;]XJOEPXT]ufnq]te262/fyf
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [CdnCtr] C:\Program Files\CNNIC\Cdn\cdnup.exe
O4 - HKLM\..\Run: [System] C:\Program Files\Common Files\System\Update.exe
O4 - HKLM\..\Run: [svc] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [rzt] C:\WINDOWS\Intel\rundll32.exe
O4 - HKLM\..\Run: [C:\WINDOWS\win\sna.exe] C:\WINDOWS\win\sna.exe
O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\SERVICES.EXE
O4 - HKLM\..\Run: [Desktop] C:\WINDOWS\system32\rundll32.exe "C:\Program Files\DeskAdTop\Run.dll" ,Rundll
O4 - HKLM\..\RunServices: [Torjan Program] C:\WINDOWS\SERVICES.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [svc] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [updatereal] C:\WINDOWS\realupdate.exe other
O4 - HKCU\..\Run: [msnnt] C:\WINDOWS\winampr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Access Internet Keyword - C:\Program Files\CNNIC\Cdn\cnnic.htm
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Chinese Navigation - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
O9 - Extra 'Tools' menuitem: Chinese Navigation - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP chain gap (#1 in chain of 20 missing)
O11 - Options group: [CDNCLIENT] Chinese Navigation
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} (TricksterActiveX Control) - http://www.tricksteronline.com/control/tricksterActiveX.cab
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.tricksteronline.com/control/KALogoutComponent.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://eclaims.com.my/eclaims/general/XUpload.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{9DE8C310-71CA-48EE-A728-7E88848D831A}: NameServer = 202.188.0.133,202.188.1.5
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: AdobePDF - {D92D666A-0F7B-5892-A7E8-29340333F07E} - c:\program files\internet explorer\PLUGINS\nppdf.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\RpcSandraSrv.exe
O23 - Service: Veoh Client Service - Veoh Networks, Inc. - C:\Program Files\Veoh\VeohClientService.exe


Then I ran through CCleaner and let it fix what it found. Then I rebooted into Normal Mode. The first error message that came out was this:

A583F010.EXE - Application Error

The instruction at "0x0012e602" referenced memory at "0x00000000". The memory could not be "read".
Click on OK to terminate the program.
Click on CANCEL to debug the program.


So, I pressed OK. Then another error message popped out:

C119ED68.EXE - Application Error

The instruction at "0x0012e602" referenced memory at "0x00000000". The memory could not be "read".
Click on OK to terminate the program.
Click on CANCEL to debug the program.


Again, I pressed OK. The low memory error message I was talking about is this:

Windows - Virtual Memory Minimum Too Low
Your system is low on virtual memory. Windows is increasing the size of your virtual memory paging file. During this process, memory requests for some applications may be denied. For more information, see Help.


When I tried opening Internet Explorer to do the BitDefender scan, this error message came out:

Desktop
Access is denied.


This is my CPU usage:

spoolsv.exe 50
System Idle Process 50

I had to use another PC just in order to get onto the Net and make posts on this message board...

Thanks and regards.

Edited by MrHan, 28 November 2006 - 06:24 AM.


#9 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:57 AM

Posted 28 November 2006 - 04:18 PM

Hello MrHan,

This listing is not too good. :thumbsup:
O10 - Broken Internet access because of LSP chain gap (#1 in chain of 20 missing)

Download LSPfix http://www.bleepingcomputer.com/files/lspfix.php
Unzip the file to a folder on your desktop.
Double-click to run it.
Select: (Advanced) "I know what I'm doing"
Then click the FINISH button and restart your computer.

Now see if you can connect to the internet.



Click on start, then control panel, and then double-click on add/remove programs. From within add/remove program uninstall the following (if they exist) by double-clicking on the following entries:
Chinese Navigation


Let's run ComboFix again.

Save the command below in Notepad as a text file so that you can copy/paste it in Safe Mode.

"%userprofile%\desktop\combofix.exe" /wow

Then, reboot to Safe Mode as follows:
-Restart your computer.
-When the machine first starts again, tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
-Select the option for Safe Mode using the arrow keys.
-Press Enter to boot into Safe Mode.

Go to Start --> Run and copy/paste in the following:

"%userprofile%\desktop\combofix.exe" /wow

When finished, it shall produce a log for you.
Save it and post that log in your next reply.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


******************

How to Reboot into Safe Mode
Tap the F8 key during reboot until the boot menu appears, use the arrow keys to choose "Safe Mode" from the menu, then press the "Enter" key. If that does not work, go to this site: http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/



Please boot into Safe Mode and select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix".

F2 - REG:system.ini: Shell=Explorer.exe 1
O2 - BHO: NS Security Class - {95AB740B-D32D-41E8-85EA-CED0FD08AE2B} - C:\WINDOWS\flashO.dll
O2 - BHO: Webacc - {CAC068F3-A608-406B-8581-458788A67694} - C:\WINDOWS\system32\svchost.dll
O4 - HKLM\..\Run: [sdmmrnm] D;]XJOEPXT]ufnq]te262/fyf
O4 - HKLM\..\Run: [CdnCtr] C:\Program Files\CNNIC\Cdn\cdnup.exe
O4 - HKLM\..\Run: [System] C:\Program Files\Common Files\System\Update.exe
O4 - HKLM\..\Run: [svc] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [rzt] C:\WINDOWS\Intel\rundll32.exe
O4 - HKLM\..\Run: [C:\WINDOWS\win\sna.exe] C:\WINDOWS\win\sna.exe
O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\SERVICES.EXE
O4 - HKLM\..\Run: [Desktop] C:\WINDOWS\system32\rundll32.exe "C:\Program Files\DeskAdTop\Run.dll" ,Rundll
O4 - HKLM\..\RunServices: [Torjan Program] C:\WINDOWS\SERVICES.EXE
O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\SERVICES.EXE
O4 - HKCU\..\Run: [svc] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [updatereal] C:\WINDOWS\realupdate.exe other
O4 - HKCU\..\Run: [msnnt] C:\WINDOWS\winampr.exe
O8 - Extra context menu item: Access Internet Keyword - C:\Program Files\CNNIC\Cdn\cnnic.htm
O11 - Options group: [CDNCLIENT] Chinese Navigation



Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) "Hide extensions for known file types.'

Don't use the Windows Start\Search feature.
Using Windows Explorer, find and delete each of the following. If you can't delete an item, right-click it and click properties. Make sure 'read-only' is unchecked.
If you still can't delete something, right-click it and rename it to a random word. Then drag the item to a different location. Try deleting it now. If you still can't, be sure to let me know.

Using Windows Explorer, delete the following files/folders in bold (Do not be concerned if they do not exist)

C:\WINDOWS\flashO.dll <= file
C:\Program Files\CNNIC\ <= folder
C:\Program Files\Common Files\System\Update.exe <= file
C:\WINDOWS\win\sna.exe <= file

C:\Program Files\DeskAdTop\ <= folder
C:\WINDOWS\realupdate.exe <= file
C:\WINDOWS\winampr.exe <= file

C:\WINDOWS\Intel\rundll32.exe <= file Be careful. Do not delete the legitimate C:\Windows\System32\rundll32.exe file.

C:\WINDOWS\services.exe <= file Be careful. Do not delete the legitimate C:\Windows\System32\services.exe.

C:\WINDOWS\svchost.exe <= file Be careful. Do not delete the legitimate C:\WINDOWS\system32\svchost.exe.

Run CCleaner.

Reboot


In your next post, please include:
- a new HijackThis log
- the ComboFix log

Edited by SifuMike, 28 November 2006 - 06:18 PM.
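The caveats above (do not delete the legitimate system32 copies of rundll32.exe, services.exe and svchost.exe) boil down to one check: a core Windows binary name appearing in an autostart entry outside the directory it really lives in. The following is an added example, not code from this thread or from HijackThis; it parses O4 lines from a HijackThis 1.99.1 log and flags exactly those masqueraders, assuming a default C:\WINDOWS install. The sample log lines are a subset constructed from the log posted above.

```python
"""Flag HijackThis O4 autostart entries whose binary name matches a core
Windows process but whose directory is not where the real binary lives."""
import re

# Core binaries and the only directory each legitimately runs from on XP.
# Assumption: a default C:\WINDOWS install; adjust if %SystemRoot% differs.
LEGIT_DIRS = {
    "svchost.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "rundll32.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
}

# HijackThis 1.99.1 O4 line: "O4 - HKLM\..\Run: [name] command line"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Constructed sample: a subset of the log lines posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [svc] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [rzt] C:\WINDOWS\Intel\rundll32.exe
O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\SERVICES.EXE
O4 - HKLM\..\Run: [Desktop] C:\WINDOWS\system32\rundll32.exe "C:\Program Files\DeskAdTop\Run.dll" ,Rundll
O4 - HKLM\..\RunServices: [Torjan Program] C:\WINDOWS\SERVICES.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [svc] C:\WINDOWS\svchost.exe
"""

def command_path(cmd):
    """Return the executable path from an O4 command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, may contain spaces
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(?i)(.*?\.exe)(\s|$)", cmd)   # unquoted: take up to first .exe
    return m.group(1) if m else cmd.split(" ")[0]

def suspicious_o4(lines):
    """Return (entry name, path) for core-binary names running from the wrong directory.
    Bare names with no directory (resolved via PATH) are left alone: not judgeable here."""
    findings = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m or "\\" not in (path := command_path(m.group("cmd"))):
            continue
        directory, base = (p.lower() for p in path.rsplit("\\", 1))
        if base in LEGIT_DIRS and directory not in LEGIT_DIRS[base]:
            findings.append((m.group("name"), path))
    return findings

if __name__ == "__main__":
    for name, path in suspicious_o4(SAMPLE_LOG.splitlines()):
        print(f"suspicious: [{name}] {path}")
```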
