
Infected By Http://www.bydou.com


8 replies to this topic

#1 Nimbus Pham

Posted 09 January 2007 - 06:03 AM

Hello,

My computer was infected by Spyware. It changes the homepage of my IE 7 to http://www.bydou.com. Please help me to remove it.

Logfile of HijackThis v1.99.1
Scan saved at 6:46:42 AM, on 1/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\sevchost.exe
C:\WINDOWS\system32\epoolsv.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\My Documents\Softwares\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 125.244.210.140:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\IDM\QUICKF~1\PlugIns\IEHelp.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v2] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [UniKey] C:\Program Files\UniKey\UniKeyNT.exe
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities 2006\MemOptimizer.exe" autostart
O4 - Global Startup: Just Click'n'See.lnk = C:\Program Files\Banmai\Just Click'n'See\ClickSee.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: HttpWatch - {D103E85B-5D67-42c1-8C83-F01079DBAB26} - C:\Program Files\HttpWatch\httpwtch.dll
O9 - Extra 'Tools' menuitem: HttpWatch - {D103E85B-5D67-42c1-8C83-F01079DBAB26} - C:\Program Files\HttpWatch\httpwtch.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{07451812-23F0-437A-B1C9-2F85E86C8C43}: NameServer = 10.10.10.10,203.162.4.190
O17 - HKLM\System\CS1\Services\Tcpip\..\{07451812-23F0-437A-B1C9-2F85E86C8C43}: NameServer = 10.10.10.10,203.162.4.190
O17 - HKLM\System\CS2\Services\Tcpip\..\{07451812-23F0-437A-B1C9-2F85E86C8C43}: NameServer = 10.10.10.10,203.162.4.190
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: comreplt - C:\WINDOWS\SYSTEM32\comreplt.dll
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: pdfFactory Pro Dispatcher v2 - Unknown owner - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /service (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: SecuROM User Access Service (UserAccess) - Unknown owner - C:\WINDOWS\system32\UAService.exe


#2 DaveM59

Posted 09 January 2007 - 11:00 AM

Hi Nimbus Pham,

Welcome to Bleeping Computer. :thumbsup:

It appears that you ran HijackThis in Safe Mode.

Please run another scan in Normal Mode and post the log to a reply here.

Also please answer this question: Do you use a proxy server to connect to the internet?

Dave

#3 Nimbus Pham

Posted 09 January 2007 - 09:16 PM

Thanks for your reply, DaveM59. In my previous post, I had run HijackThis in Safe Mode.
Although I have a proxy configuration in my IE, I rarely use it, and I have removed it from my IE.
Here is the log in Normal Mode.

Logfile of HijackThis v1.99.1
Scan saved at 9:10:50 AM, on 1/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\epoolsv.exe
C:\WINDOWS\system32\sevchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Babylon\Babylon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\Program Files\UniKey\UniKeyNT.exe
C:\Program Files\TuneUp Utilities 2006\MemOptimizer.exe
C:\Program Files\Banmai\Just Click'n'See\ClickSee.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService.exe
C:\Program Files\Common Files\Fanix Software\textman2.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
D:\My Documents\Softwares\hijackthis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\IDM\QUICKF~1\PlugIns\IEHelp.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v2] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [UniKey] C:\Program Files\UniKey\UniKeyNT.exe
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities 2006\MemOptimizer.exe" autostart
O4 - Global Startup: Just Click'n'See.lnk = C:\Program Files\Banmai\Just Click'n'See\ClickSee.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: HttpWatch - {D103E85B-5D67-42c1-8C83-F01079DBAB26} - C:\Program Files\HttpWatch\httpwtch.dll
O9 - Extra 'Tools' menuitem: HttpWatch - {D103E85B-5D67-42c1-8C83-F01079DBAB26} - C:\Program Files\HttpWatch\httpwtch.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{07451812-23F0-437A-B1C9-2F85E86C8C43}: NameServer = 10.10.10.10,203.162.4.190
O17 - HKLM\System\CS1\Services\Tcpip\..\{07451812-23F0-437A-B1C9-2F85E86C8C43}: NameServer = 10.10.10.10,203.162.4.190
O17 - HKLM\System\CS2\Services\Tcpip\..\{07451812-23F0-437A-B1C9-2F85E86C8C43}: NameServer = 10.10.10.10,203.162.4.190
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: comreplt - C:\WINDOWS\SYSTEM32\comreplt.dll
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: pdfFactory Pro Dispatcher v2 - Unknown owner - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /service (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: SecuROM User Access Service (UserAccess) - Unknown owner - C:\WINDOWS\system32\UAService.exe
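A small triage script, added here as an illustration (it is not part of the thread and not a BleepingComputer tool), that applies three checks a helper reads these logs for by eye: running-process names that are one character away from a Windows system binary, an R1 ProxyServer entry, and an O20 Winlogon Notify DLL that is not a known Windows component. The log excerpt is a constructed copy of lines from the two logs above; the two known-good name sets are small hand-picked assumptions for the example, not an authoritative inventory.

```python
"""Triage helper for HijackThis-style logs (added example, not from the thread)."""
import re
from dataclasses import dataclass

# Assumption: a small hand-picked set of Windows binaries that malware likes to imitate.
SYSTEM_BINARIES = sorted({
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "ctfmon.exe", "wuauclt.exe",
})

# Assumption: a small allowlist of Winlogon Notify DLLs that ship with Windows XP.
KNOWN_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll", "scecli.dll", "sclgntfy.dll",
    "senslogn.dll", "termsrv.dll", "wlnotify.dll", "wzcdlg.dll",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name: str):
    """Return the system binary a file name imitates (distance 1), or None if it is
    either an exact system name or nothing like one."""
    name = name.lower()
    if name in SYSTEM_BINARIES:
        return None
    for good in SYSTEM_BINARIES:
        if edit_distance(name, good) == 1:
            return good
    return None


@dataclass
class Finding:
    kind: str
    line: str
    detail: str


def triage(log_text: str):
    """Walk a HijackThis log and collect the three kinds of findings described above."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        if in_processes and re.match(r"^[A-Za-z]:\\", line):
            name = line.rsplit("\\", 1)[-1]
            good = lookalike(name)
            if good:
                findings.append(Finding("lookalike-process", line, f"{name} resembles {good}"))
            continue
        in_processes = False  # first non-path line ends the process list
        if line.startswith("R1 -") and "ProxyServer" in line:
            findings.append(Finding("proxy-set", line, line.split("=", 1)[1].strip()))
        elif line.startswith("O20 -") and "Winlogon Notify" in line:
            dll = line.rsplit("\\", 1)[-1].lower()
            if dll not in KNOWN_NOTIFY_DLLS:
                findings.append(Finding("unknown-winlogon-notify", line, dll))
        elif line.startswith("O4 -"):
            m = re.search(r"\]\s*\"?([^\"]+?\.exe)", line, re.I)
            if m:
                name = m.group(1).rsplit("\\", 1)[-1]
                good = lookalike(name)
                if good:
                    findings.append(Finding("lookalike-autostart", line, f"{name} resembles {good}"))
    return findings


# Constructed excerpt of the logs posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\epoolsv.exe
C:\WINDOWS\system32\sevchost.exe
C:\WINDOWS\Explorer.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 125.244.210.140:8080
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O20 - Winlogon Notify: comreplt - C:\WINDOWS\SYSTEM32\comreplt.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}")
```

Run against the excerpt it reports the two imitated process names, the proxy setting and the unknown Winlogon Notify DLL, which are exactly the four items the thread goes on to deal with; the legitimate svchost.exe and spoolsv.exe entries are not flagged because an exact system name is checked before the distance test.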

#4 DaveM59

Posted 09 January 2007 - 11:15 PM

Hi again,

I see a file in your log that I cannot find any information about. I need you to submit it for analysis.

First, Unhide files and folders:

1. Close all programs so that you are at your desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and click Folder Options.
4. After the new window appears select the View tab.
5. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
6. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
7. Remove the checkmark from the checkbox labeled Hide protected operating system files.
8. Press the Apply button and then the OK button and close out My Computer.
9. Now your computer is configured to show all hidden files.

Now, go to this page:

Virustotal

This is a Malware Submission Form Page. Go to the white blank select file line at the top and click Browse. This will open a File Upload window, which works just like the File Save window I am sure you are familiar with. Navigate to the file C:\WINDOWS\system32\comreplt.dll and click to select it, then click Open. You will then see the filename in the space next to the Browse button. Click Send. Your file will be put in a queue to be scanned with a battery of programs. When the scan is finished, you will be presented with a report. To save the report, highlight the relevant block of text on the web page, then press <Ctrl> - C. Open Notepad and press <Ctrl> - V. Save the file to your desktop as Virustotal.txt or some other name you will recognize.

Post the virustotal report to your next reply here. If you cannot find the file to submit it just let me know. Also please tell me whether you have a firewall installed on this computer, and whether you have any antispyware programs installed. I can see that you have McAfee Antivirus.

Good luck,

Dave

#5 Nimbus Pham

Posted 11 January 2007 - 12:34 AM

Hi DaveM59,

Thanks again for your help. Besides McAfee Antivirus, I recently installed Windows Defender to try to remove this spyware, but it reports that my computer is working normally.
Running Windows Defender, I noticed that:
C:\WINDOWS\system32\epoolsv.exe
C:\WINDOWS\system32\sevchost.exe
have Chinese names, as shown below:
File Name: sevchost.exe
Display Name: UCopy 应用程序
Description: WindowsNT Session Manger
Publisher: Microsoft Corporation
Digitally Signed By: NOT SIGNED
File Type: Application
Auto Start: No
File Path: C:\WINDOWS\system32\sevchost.exe
File Size: 28672
File Version: 5, 0, 0, 0
Date Installed: 6/7/2004 8:00:00 AM
Process ID: 1204
User Name: NT AUTHORITY\SYSTEM
Classification: In Progress
Ships with Operating System: No
SpyNet Voting: In Progress
File Name: epoolsv.exe
Display Name: UrlEx 应用程序
Description: Internet Short Shell Exe
Publisher: Microsft Corporation
Digitally Signed By: NOT SIGNED
File Type: Application
Auto Start: No
File Path: C:\WINDOWS\system32\epoolsv.exe
File Size: 40960
File Version: 6, 0, 3790, 1830
Date Installed: 6/22/2000 8:00:00 AM
Process ID: 1196
User Name: NT AUTHORITY\SYSTEM
Classification: In Progress
Ships with Operating System: No
SpyNet Voting: In Progress

Here is the virustotal report:

STATUS: FINISHED
Complete scanning result of "comreplt.dll", received in VirusTotal at 01.11.2007, 06:25:10 (CET).

Antivirus Version Update Result
AntiVir 7.3.0.21 01.09.2007 no virus found
Authentium 4.93.8 01.10.2007 no virus found
Avast 4.7.892.0 12.30.2006 no virus found
AVG 386 01.10.2007 no virus found
BitDefender 7.2 01.11.2007 Trojan.Averev.A
CAT-QuickHeal 9.00 01.10.2007 no virus found
ClamAV devel-20060426 01.11.2007 no virus found
DrWeb 4.33 01.10.2007 Trojan.Picod
eSafe 7.0.14.0 01.10.2007 no virus found
eTrust-InoculateIT 23.73.111 01.10.2007 no virus found
eTrust-Vet 30.3.3318 01.11.2007 Win32/Averev.A
Ewido 4.0 01.10.2007 no virus found
Fortinet 2.82.0.0 01.10.2007 no virus found
F-Prot 3.16f 01.10.2007 no virus found
F-Prot4 4.2.1.29 01.10.2007 no virus found
Ikarus T3.1.0.27 01.09.2007 no virus found
Kaspersky 4.0.2.24 01.11.2007 no virus found
McAfee 4936 01.10.2007 no virus found
Microsoft 1.1904 01.11.2007 no virus found
NOD32v2 1971 01.11.2007 no virus found
Norman 5.80.02 01.10.2007 no virus found
Panda 9.0.0.4 01.10.2007 no virus found
Prevx1 V2 01.11.2007 no virus found
Sophos 4.13.0 01.10.2007 no virus found
Sunbelt 2.2.907.0 01.05.2007 no virus found
TheHacker 6.0.3.147 01.11.2007 no virus found
UNA 1.83 01.10.2007 no virus found
VBA32 3.11.2 01.10.2007 no virus found
VirusBuster 4.3.19:9 01.10.2007 no virus found
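The file details above contradict themselves in ways that can be checked mechanically: both files claim a Microsoft publisher yet are unsigned, sit in system32 yet are marked as not shipping with the OS, run as SYSTEM with no visible autostart entry (something else must be loading them), and one misspells the publisher. Below is an added example, not from the thread or from any Defender or VirusTotal tool, that parses these "Key: Value" blocks and applies those checks, and also summarises a VirusTotal result table into a detection count. The two record blocks and the result lines are constructed copies of a subset of what is posted above; the check names are the example's own.

```python
"""Consistency checks on Windows Defender file details and a VirusTotal summary
(added example, not part of the thread)."""
import re


def parse_records(text: str):
    """Split 'Key: Value' lines into one dict per file; a 'File Name' line starts a record."""
    records, current = [], None
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "File Name":
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def check_record(rec: dict):
    """Return the list of inconsistencies found in one file-details record."""
    flags = []
    publisher = rec.get("Publisher", "")
    claims_microsoft = "micros" in publisher.lower()
    if claims_microsoft and publisher != "Microsoft Corporation":
        flags.append("publisher-misspelled")
    if claims_microsoft and rec.get("Digitally Signed By", "").upper() == "NOT SIGNED":
        flags.append("claims-microsoft-but-unsigned")
    path = rec.get("File Path", "").lower()
    if "\\system32\\" in path and rec.get("Ships with Operating System", "").lower() == "no":
        flags.append("system32-but-not-shipped")
    # Running as SYSTEM with no autostart entry means some other component starts it.
    if rec.get("User Name", "") == r"NT AUTHORITY\SYSTEM" and rec.get("Auto Start", "").lower() == "no":
        flags.append("system-no-visible-autostart")
    return flags


# One result line per engine: engine, version, update date, verdict.
VT_RESULT_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s+(.+)$")


def summarize_virustotal(text: str):
    """Return (engines counted, {engine: verdict}) for every engine that did not say clean."""
    hits, total = {}, 0
    for line in text.splitlines():
        m = VT_RESULT_RE.match(line.strip())
        if not m:
            continue
        total += 1
        engine, _version, _date, result = m.groups()
        if result.strip().lower() != "no virus found":
            hits[engine] = result.strip()
    return total, hits


# Constructed copy of the two Windows Defender detail blocks posted above.
DEFENDER_DETAILS = r"""File Name: sevchost.exe
Display Name: UCopy 应用程序
Description: WindowsNT Session Manger
Publisher: Microsoft Corporation
Digitally Signed By: NOT SIGNED
Auto Start: No
File Path: C:\WINDOWS\system32\sevchost.exe
User Name: NT AUTHORITY\SYSTEM
Ships with Operating System: No
File Name: epoolsv.exe
Display Name: UrlEx 应用程序
Description: Internet Short Shell Exe
Publisher: Microsft Corporation
Digitally Signed By: NOT SIGNED
Auto Start: No
File Path: C:\WINDOWS\system32\epoolsv.exe
User Name: NT AUTHORITY\SYSTEM
Ships with Operating System: No
"""

# Constructed subset of the VirusTotal table posted above.
VT_REPORT = """Antivirus Version Update Result
AntiVir 7.3.0.21 01.09.2007 no virus found
BitDefender 7.2 01.11.2007 Trojan.Averev.A
DrWeb 4.33 01.10.2007 Trojan.Picod
eTrust-Vet 30.3.3318 01.11.2007 Win32/Averev.A
Kaspersky 4.0.2.24 01.11.2007 no virus found
McAfee 4936 01.10.2007 no virus found
Microsoft 1.1904 01.11.2007 no virus found
"""

if __name__ == "__main__":
    for rec in parse_records(DEFENDER_DETAILS):
        print(rec["File Name"], check_record(rec))
    total, hits = summarize_virustotal(VT_REPORT)
    print(f"{len(hits)}/{total} engines flagged comreplt.dll: {hits}")
```

The point of the publisher check is that a file's self-declared metadata is untrusted input: only the "Digitally Signed By" field is backed by a verifiable signature, so a Microsoft claim without one is a contradiction rather than a reassurance. Note that the VirusTotal summary counts engines that reported anything other than "no virus found", which is why a low hit count (3 engines here, including two naming the same family) still matters when the user's own installed product was among those reporting clean.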

#6 DaveM59

Posted 11 January 2007 - 07:51 AM

Hi again,

Yes, I spotted those deceptively named files as well. We are going to try to get rid of them now.

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Step 2. Unhide files and folders

1. Close all programs so that you are at your desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and click Folder Options.
4. After the new window appears select the View tab.
5. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
6. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
7. Remove the checkmark from the checkbox labeled Hide protected operating system files.
8. Press the Apply button and then the OK button and close out My Computer.
9. Now your computer is configured to show all hidden files.

Step 3. Open HijackThis and run a scan. Place a check mark next to the following:

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O20 - Winlogon Notify: comreplt - C:\WINDOWS\SYSTEM32\comreplt.dll


Close all other windows on your desktop, and make sure no other programs are running in your taskbar. Then click Fix checked.

Step 4. Boot into Safe Mode

If you don't know how to do this, here are two ways:

F8 Method
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a menu.
  • When you have the menu on the screen. Use the arrow keys to move to the line that says Safe Mode.
  • Then press <Enter> on your keyboard to boot into Safe Mode.
Bootsafe utility

If the F8 method does not work, you can download this program: Bootsafe.exe. Download the .exe file (not the zip file) directly to your desktop, it requires no installation. To use it, double click the program icon, then select the radio button Safe Mode - Minimal and click on the Reboot button.

Step 5. Delete files

Use Windows Explorer to navigate to and delete the following files:

C:\WINDOWS\SYSTEM32\comreplt.dll
C:\WINDOWS\system32\epoolsv.exe
C:\WINDOWS\system32\sevchost.exe


Please let me know if you cannot find any of these files.

Step 6. Reboot back into normal mode

If you used the F8 method, Windows should automatically reboot into normal mode when you restart it. If you used Bootsafe, open the program and select the Normal Mode radio button, then click Reboot.

Step 7. First go to the Kaspersky online scanner. Accept the terms, let it install an ActiveX program (since you have XP SP2 this is blocked by default, you must allow it), then accept the terms again, let it download the files (about 8 MB total). Click Next, and select "My Computer" as the scan area. Kaspersky takes a long time but it is very thorough. When it is finished, save the report as a text file (easier to work with than an HTML file) to your desktop.

Finally, run a fresh HijackThis scan. Post the Combofix log, the Kaspersky log, and the HijackThis log to your next reply. Also please let me know how your computer is running now, and if you had any problems completing these steps.

Good luck,

Dave

#7 Nimbus Pham

Posted 11 January 2007 - 10:32 PM

Hi Dave,

Below is my ComboFix report. I have run HijackThis and fixed the checked items, but when switching to Safe Mode, I cannot delete comreplt.dll since it returns an error message: "Cannot delete comreplt: Access is denied." I also cannot find epoolsv.exe and sevchost.exe in C:\WINDOWS\SYSTEM32.

COMBOFIX REPORT:

Adm - 07-01-12 9:28:32.71 Service Pack 2
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\adm\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-12-12 to 2007-01-12 ))))))))))))))))))))))))))))))))))


2007-01-10 18:05 <DIR> d-------- C:\WINDOWS\system32\oodag
2007-01-10 09:08 <DIR> d-------- C:\WINDOWS\ie7updates
2007-01-03 15:15 <DIR> d-------- C:\Documents and Settings\adm\Application Data\ArcSoft
2006-12-28 19:13 <DIR> d-------- C:\Program Files\Common Files\xing shared
2006-12-21 12:41 <DIR> d-------- C:\Program Files\Minefield
2006-12-19 10:02 <DIR> d-------- C:\WINDOWS\system32\IOSUBSYS


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-12 09:26 -------- d-------- C:\Program Files\Mozilla Firefox
2007-01-11 15:35 -------- d-------- C:\Program Files\FlashGet
2007-01-10 17:48 -------- d-------- C:\Program Files\AutoShutdown
2007-01-04 18:28 -------- d-------- C:\Program Files\Common Files
2006-12-30 21:01 -------- d-------- C:\Program Files\Visual CertExam Suite
2006-12-28 19:13 -------- d-------- C:\Program Files\Common Files\Real
2006-12-27 12:41 -------- d-------- C:\Documents and Settings\adm\Application Data\Skype
2006-12-19 10:02 -------- d-------- C:\Program Files\Google
2006-12-15 10:38 -------- d-------- C:\Program Files\Yahoo!
2006-12-13 09:26 -------- d-------- C:\Program Files\Outlook Express
2006-12-13 09:26 -------- d-------- C:\Program Files\Common Files\System
2006-12-07 13:40 2362184 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-11-28 16:52 -------- d-------- C:\Program Files\DigitalCAM
2006-11-24 08:29 99776 --a------ C:\WINDOWS\system32\drivers\snapman.sys
2006-11-24 08:29 388000 --a------ C:\WINDOWS\system32\drivers\timntr.sys
2006-11-24 08:29 32288 --a------ C:\WINDOWS\system32\drivers\tifsfilt.sys
2006-11-24 08:29 -------- d-------- C:\Program Files\Common Files\Acronis
2006-11-20 09:21 -------- d-------- C:\Program Files\MSXML 4.0
2006-11-17 09:30 -------- d-------- C:\Program Files\Java
2006-11-08 12:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-05 07:25 1321744 --a------ C:\WINDOWS\system32\msxml6.dll
2006-11-05 01:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-10-19 20:56 713216 --a------ C:\WINDOWS\system32\sxs.dll
2006-10-18 00:33 6049280 --------- C:\WINDOWS\system32\ieframe.dll
2006-10-18 00:33 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-10-18 00:33 458752 --------- C:\WINDOWS\system32\msfeeds.dll
2006-10-18 00:33 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-10-18 00:33 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-10-18 00:33 180736 --------- C:\WINDOWS\system32\ieui.dll
2006-10-18 00:33 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-10-18 00:06 78336 --a------ C:\WINDOWS\system32\ieencode.dll
2006-10-18 00:05 40960 --a------ C:\WINDOWS\system32\licmgr10.dll
2006-10-18 00:05 206336 --------- C:\WINDOWS\system32\WinFXDocObj.exe
2006-10-18 00:05 105984 --a------ C:\WINDOWS\system32\url.dll
2006-10-18 00:04 101376 --a------ C:\WINDOWS\system32\occache.dll
2006-10-18 00:03 17408 --a------ C:\WINDOWS\system32\corpol.dll
2006-10-18 00:01 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-10-18 00:01 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-10-18 00:01 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-10-18 00:01 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-10-18 00:01 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-10-18 00:01 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-10-18 00:00 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-10-18 00:00 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-10-18 00:00 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-10-17 23:58 61952 --------- C:\WINDOWS\system32\icardie.dll
2006-10-17 23:58 12288 --------- C:\WINDOWS\system32\msfeedssync.exe
2006-10-17 23:57 36352 --a------ C:\WINDOWS\system32\imgutil.dll
2006-10-17 23:57 266752 --------- C:\WINDOWS\system32\iertutil.dll
2006-10-17 23:56 45568 --a------ C:\WINDOWS\system32\mshta.exe
2006-10-17 23:28 48128 --a------ C:\WINDOWS\system32\mshtmler.dll
2006-10-17 23:27 380928 --------- C:\WINDOWS\system32\ieapfltr.dll
2006-10-17 23:23 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-10-13 19:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-13 19:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-13 19:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"UniKey"="C:\\Program Files\\UniKey\\UniKeyNT.exe"
"TuneUp MemOptimizer"="\"C:\\Program Files\\TuneUp Utilities 2006\\MemOptimizer.exe\" autostart"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe"
"RTHDCPL"="RTHDCPL.EXE"
"Alcmtr"="ALCMTR.EXE"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"McAfeeUpdaterUI"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey"
"Network Associates Error Reporting Service"="\"C:\\Program Files\\Common Files\\Network Associates\\TalkBack\\TBMon.exe\""
"Babylon Client"="C:\\Program Files\\Babylon\\Babylon.exe -AutoStart"
"pdfFactory Pro Dispatcher v2"="\"C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\fppdis2a.exe\" /source=HKLM"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,c4,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoPublishingWizard"=dword:00000001
"NoWebServices"=dword:00000001
"NoOnlinePrintsWizard"=dword:00000001
"NoInternetOpenWith"=dword:00000001
"NoActiveDesktop"=dword:00000001
"NoSMMyPictures"=dword:00000001
"NoStartMenuMyMusic"=dword:00000001
"NoStartMenuNetworkPlaces"=dword:00000001
"MemCheckBoxInRunDlg"=dword:00000001
"NoSMConfigurePrograms"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableCAD"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Gamma Loader.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma Loader.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma Loader"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SQL Prompt.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\SQL Prompt.lnk"
"backup"="C:\\WINDOWS\\pss\\SQL Prompt.lnkCommon Startup"
"location"="Common Startup"
"command"="D:\\PROGRA~1\\REDGAT~1\\SQLPRO~1\\REDGAT~2.EXE "
"item"="SQL Prompt"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="schedhlp"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Acronis\\Schedule2\\schedhlp.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TimounterMonitor"
"hkey"="HKLM"
"command"="D:\\Program Files\\Acronis\\TrueImageServer\\TimounterMonitor.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoShutdown]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoShutdown Pro]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IMJPMIG"
"hkey"="HKLM"
"command"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TINTSETP"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TINTSETP"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"D:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TrueImageMonitor"
"hkey"="HKLM"
"command"="D:\\Program Files\\Acronis\\TrueImageServer\\TrueImageMonitor.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MSASCui"
"hkey"="HKLM"
"command"="\"D:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=dword:00000003
"ATI Smart"=dword:00000002
"Ati HotKey Poller"=dword:00000002
"AcrSch2Svc"=dword:00000003
"WinDefend"=dword:00000002

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\comreplt

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: 07-01-12 9:37:40.98
C:\ComboFix.txt ... 07-01-12 09:37
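
The "Reg Loading Points" section of the log above is where a responder looks first: it lists the registry locations Windows consults at logon, and the unbracketed Winlogon\Notify subkey comreplt is the entry that does not belong on a stock XP install (a Notify DLL is loaded by winlogon.exe itself). What follows is an added example, not part of the original post and not ComboFix code: a small Python parser for that section that extracts the entries and flags three kinds of lead. The baseline sets of XP Winlogon Notify subkeys and SecurityProviders DLLs are my own assumption of a stock SP2 install and should be extended for your image; the sample log is an abbreviated copy of the lines above, not a full report.

```python
"""Extract autostart entries from the 'Reg Loading Points' section of a
ComboFix log and flag the ones a responder should look at first."""
import re

# Abbreviated copy of the log above (Run keys, one policy value, the
# Winlogon Notify subkey and the SecurityProviders list).
SAMPLE_LOG = r'''
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"UniKey"="C:\\Program Files\\UniKey\\UniKeyNT.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe"
"RTHDCPL"="RTHDCPL.EXE"
"Alcmtr"="ALCMTR.EXE"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\comreplt

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job
'''

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
BARE_KEY_RE = re.compile(r'^(HKEY_.+)$')   # ComboFix prints Winlogon Notify subkeys unbracketed
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')
SECTION_END = "Contents of the 'Scheduled Tasks' folder"

# Assumed baseline for a stock XP SP2 install; vendor components add their own.
XP_NOTIFY_BASELINE = {'crypt32chain', 'cryptnet', 'cscdll', 'sccertprop', 'schedule',
                      'sclgntfy', 'senslogn', 'termsrv', 'wlballoon'}
XP_SECURITY_PROVIDERS = {'msapsspc.dll', 'schannel.dll', 'digest.dll', 'msnsspc.dll'}
NOTIFY_PREFIX = ('hkey_local_machine\\software\\microsoft\\windows nt'
                 '\\currentversion\\winlogon\\notify\\')


def decode_value(raw):
    """Turn a .reg-style value into an unescaped str, or an int for dword:."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith('dword:'):
        return int(raw[6:], 16)
    return raw  # hex: blobs and anything else are kept verbatim


def parse_loading_points(text):
    """Map each lowercased key path to its list of (name, value) pairs."""
    keys, current, started = {}, None, False
    for line in (l.strip() for l in text.splitlines()):
        if not started:
            started = 'Reg Loading Points' in line
            continue
        if line.startswith(SECTION_END):
            break
        key = KEY_RE.match(line) or BARE_KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            keys.setdefault(current, [])
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            keys[current].append((val.group(1), decode_value(val.group(2))))
    return keys


def command_executable(command):
    """First token of a Run command: the quoted path, or text up to the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(' ', 1)[0]


def flag_entries(keys):
    """Return human-readable findings for the parsed loading points."""
    findings = []
    for key, values in keys.items():
        if key.startswith(NOTIFY_PREFIX):
            sub = key[len(NOTIFY_PREFIX):]
            if sub not in XP_NOTIFY_BASELINE:
                findings.append(f'winlogon-notify: {sub} is not in the baseline '
                                f'(its DLL is loaded by winlogon.exe at logon)')
        elif key.endswith('\\currentversion\\run'):
            for name, value in values:
                exe = command_executable(value) if isinstance(value, str) else ''
                if exe and '\\' not in exe:
                    findings.append(f'run: {name!r} launches bare filename {exe}; '
                                    f'the log cannot tell you which file on disk that is')
        elif key.endswith('\\control\\securityproviders'):
            for name, value in values:
                if name.lower() == 'securityproviders' and isinstance(value, str):
                    for dll in value.split(','):
                        if dll.strip().lower() not in XP_SECURITY_PROVIDERS:
                            findings.append(f'securityproviders: unexpected {dll.strip()}')
    return findings


if __name__ == '__main__':
    for finding in flag_entries(parse_loading_points(SAMPLE_LOG)):
        print(finding)
```

The findings are leads, not verdicts. RTHDCPL.EXE, ALCMTR.EXE and HDAShCut.exe are the Realtek audio components normally registered this way, but because the Run value holds only a bare filename, the binary that actually starts is chosen by path search at logon; locate the file on disk and check it before trusting the entry. The Notify hit is the important one here: a DLL registered under Winlogon\Notify is mapped into winlogon.exe, which is also why such a file resists deletion from a running session.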

#8 Nimbus Pham

Posted 12 January 2007 - 04:44 AM

Hi again, Dave

This computer is a workstation in my company. I have asked a network guy and he has restored the latest backup for this computer. The problem is solved now.
Anyway, your support was invaluable to me. Thank you so much.

Best Regards,
Mike Pham

#9 DaveM59

Posted 12 January 2007 - 06:34 AM

Hi Mike,

Glad you got the problem solved. :thumbsup:

There are other tools that we could have used to delete those files, but there would have been several more steps involved, since the comreplt.dll was clearly being protected.

Since a full system backup was available, that was the fastest and easiest way to solve the problem.

Your Network/IT department is to be congratulated. Not every company is as well prepared for a computer failure.

Cheers,

Dave

Since this issue appears to be resolved, this topic is closed. If you need it re-opened, please PM me and include the URL in your message.

This applies to the original poster only. Everyone else start a new topic.

Edited by DaveM59, 12 January 2007 - 06:37 AM.