
Virus


20 replies to this topic

#1 re8888

re8888

  • Members
  • 14 posts
  • OFFLINE
  • Local time:02:27 PM

Posted 05 May 2007 - 02:20 PM

Logfile of HijackThis v1.99.1
Scan saved at 3:08:52 PM, on 5/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Documents and Settings\zhao\Application Data\?icrosoft\?hkdsk.exe
C:\Program Files\Ipwindows\ipwins.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Symantec AntiVirus\VPC32.exe
C:\Documents and Settings\All Users\Documents\useful info\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\iostfjpe.dll",realset
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Arol] "C:\WINDOWS\PPPATC~1\wuaclt.exe" -vt yazb
O4 - HKCU\..\Run: [Qeexedjc] "C:\Documents and Settings\zhao\Application Data\?icrosoft\?hkdsk.exe"
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - Global Startup: Powerword 2003.lnk = C:\Program Files\Kingsoft\Powerword 2003\XDICT.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: PowerWord - {9A687CA6-D585-4947-9ED9-BE96071F5CD9} - C:\PROGRA~1\Kingsoft\POWERW~1\XDictExB.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.bleepingcomputer.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200610...ex/qtplugin.cab
O18 - Protocol: dic - {C21F5C32-F57A-4A0D-8E0A-B672691C52D0} - C:\PROGRA~1\Kingsoft\POWERW~1\XDictExB.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Whatever it is, it installed Outerinfo on my PC and I can't remove it.



#2 Rahina

Rahina

    Security Helper


  • Members
  • 681 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:10:27 PM

Posted 06 May 2007 - 08:49 AM

Hello There re8888!

Welcome to the forums :thumbsup:

My name is Rahina Rescue and I will be handling your log to help you get cleaned up.

We have to move HijackThis to its own folder because in its current location we'll lose both the program and the backups it creates. These backups are important in case we need to restore any 'fixed' entries later.

Step #1

Click Start > My Computer > right-click Local Disk (usually (C:) for most people) > Explore.
Right click an open area in the main panel.
Select New > Folder.
Type in HJT & press Enter

Now we have created the C:\HJT\ folder. Put your HijackThis.exe there.

Step #2

Please download Combofix to your desktop.
  • Double click on Combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Step #3
  • Open HijackThis
  • Click Config
  • Click Misc Tools
  • Click "Open Uninstall Manager"
  • Click "Save List" (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.
More information, with a screenshot, can be found Here.

Step #4

Please Post the following logfiles:
  • C:\Combofix.txt
  • Hijackthis Logfile
  • Uninstall List


#3 re8888

re8888
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:02:27 PM

Posted 06 May 2007 - 01:00 PM

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\hjt\HijackThis.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\iostfjpe.dll",realset
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Arol] "C:\WINDOWS\PPPATC~1\wuaclt.exe" -vt yazb
O4 - HKCU\..\Run: [Qeexedjc] "C:\Documents and Settings\zhao\Application Data\?icrosoft\?hkdsk.exe"
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - Global Startup: Powerword 2003.lnk = C:\Program Files\Kingsoft\Powerword 2003\XDICT.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: PowerWord - {9A687CA6-D585-4947-9ED9-BE96071F5CD9} - C:\PROGRA~1\Kingsoft\POWERW~1\XDictExB.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.bleepingcomputer.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200610...ex/qtplugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BDB550E8-E100-495B-8C02-96275BD29C96}: NameServer = 71.252.0.12 68.237.161.12
O18 - Protocol: dic - {C21F5C32-F57A-4A0D-8E0A-B672691C52D0} - C:\PROGRA~1\Kingsoft\POWERW~1\XDictExB.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"BitTorrent"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
"Arol"="\"C:\\WINDOWS\\PPPATC~1\\wuaclt.exe\" -vt yazb"
"Qeexedjc"="\"C:\\Documents and Settings\\zhao\\Application Data\\?icrosoft\\?hkdsk.exe\""
"IpWins"="C:\\Program Files\\Ipwindows\\ipwins.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=hex:b1,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{7B8151EC-B14E-420E-A84D-608DE40D697E}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqrs
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winhoo32
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvttq


Completion time: Sun 05/06/2007 13:41:37.46
ComboFix.txt
ComboFix2.txt


I can't save the uninstall list, but here is a list of stuff that I never saw in my Add/Remove list before:
- Hotfix for Windows XP (14 of them)
- Outerinfo
- Security Update for Windows XP (a lot of them)

Thanks for helping me =)

#4 Rahina

Rahina

    Security Helper


  • Members
  • 681 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:10:27 PM

Posted 06 May 2007 - 01:08 PM

Could you please post the complete log of Hijackthis & Combofix?

There are some parts missing.

Thanks

#5 re8888

re8888
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:02:27 PM

Posted 07 May 2007 - 01:54 PM

C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hjt\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\iostfjpe.dll",realset
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Arol] "C:\WINDOWS\PPPATC~1\wuaclt.exe" -vt yazb
O4 - HKCU\..\Run: [Qeexedjc] "C:\Documents and Settings\zhao\Application Data\?icrosoft\?hkdsk.exe"
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKCU\..\Run: [Bajuc] "C:\Documents and Settings\zhao\Application Data\?ppPatch\w?auboot.exe"
O4 - Global Startup: Powerword 2003.lnk = C:\Program Files\Kingsoft\Powerword 2003\XDICT.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: PowerWord - {9A687CA6-D585-4947-9ED9-BE96071F5CD9} - C:\PROGRA~1\Kingsoft\POWERW~1\XDictExB.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.bleepingcomputer.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200610...ex/qtplugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BDB550E8-E100-495B-8C02-96275BD29C96}: NameServer = 71.252.0.12 68.237.161.12
O18 - Protocol: dic - {C21F5C32-F57A-4A0D-8E0A-B672691C52D0} - C:\PROGRA~1\Kingsoft\POWERW~1\XDictExB.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

zhao - 07-05-07 14:46:40.18
ComboFix 06.08.24 - Running from: C:\New Folder

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Inetget2

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\zhao\Application Data\ICROSO~1
C:\QooBox\Purity\Documents and Settings\zhao\Application Data\PPPATC~1
C:\QooBox\Purity\Documents and Settings\zhao\Application Data\ICROSO~1\?hkdsk.exe
C:\QooBox\Purity\Documents and Settings\zhao\Application Data\PPPATC~1\w?auboot.exe


((((((((((((((((((((((((((((((( Files Created from 2007-04-07 to 2007-05-07 ))))))))))))))))))))))))))))))))))


2007-05-07 14:42 60,928 --a------ C:\WINDOWS\system32\kebfi.dll
2007-05-06 20:40 1,472,916 ---hs---- C:\WINDOWS\system32\srqss.bak2
2007-05-05 19:11 131,604 --a------ C:\WINDOWS\system32\pkbdxysw.dll
2007-05-05 14:09 49,204 --a------ C:\WINDOWS\system32\wnmkmspa.dll
2007-05-05 14:08 284,756 ---hs---- C:\WINDOWS\system32\ssqrs.dll
2007-05-05 14:08 132,660 --a------ C:\WINDOWS\system32\iostfjpe.dll
2007-05-05 14:08 131,604 --a------ C:\WINDOWS\system32\xecppjgc.dll
2007-05-05 14:08 1,464,041 ---hs---- C:\WINDOWS\system32\srqss.bak1
2007-05-05 14:01 2 --a------ C:\WINDOWS\system32\wcptr.exe
2007-05-05 14:00 45,056 --a------ C:\WINDOWS\retadpu1000272.exe
2007-05-05 14:00 26,678 --a------ C:\WINDOWS\system32\urqolli.dll
2007-05-05 14:00 11,264 --a------ C:\WINDOWS\smanager.7.exe
2007-05-05 13:59 45,056 --a------ C:\WINDOWS\retadpu2000352.exe
2007-05-05 13:59 17,408 --a------ C:\WINDOWS\system32\winhoo32.dll
2007-05-04 21:42 26,678 --a------ C:\WINDOWS\system32\xxyvttq.dll
2007-04-15 19:42 221,184 --a------ C:\WINDOWS\system32\wmpns.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-07 14:42 -------- d-------- C:\Program Files\Outerinfo
2007-05-07 14:41 -------- d-------- C:\Program Files\webHancer
2007-05-07 14:40 -------- d-------- C:\Program Files\Symantec AntiVirus
2007-05-05 16:42 -------- d-------- C:\Program Files\Bethesda Softworks
2007-05-05 14:03 -------- d-------- C:\Program Files\Ipwindows
2007-05-05 14:00 40183 ---hs---- C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
2007-05-05 14:00 -------- d-------- C:\Program Files\Common Files
2007-05-05 13:14 -------- d-------- C:\Program Files\Warcraft III
2007-05-03 19:52 -------- d-------- C:\Documents and Settings\zhao\Application Data\My Games
2007-05-03 19:45 163644 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2007-05-03 19:38 -------- d--h----- C:\Program Files\InstallShield Installation Information
2007-05-03 19:37 -------- d-------- C:\Program Files\Firaxis Games
2007-05-03 19:37 -------- d-------- C:\Program Files\Common Files\InstallShield
2007-05-03 19:18 -------- d-------- C:\Program Files\PowerISO
2007-05-02 21:16 -------- d-------- C:\Documents and Settings\zhao\Application Data\BitTorrent
2007-05-01 11:35 146432 ---hs---- C:\Program Files\Common Files\Yazzle1162OinAdmin.exe
2007-04-29 17:15 -------- d-------- C:\Program Files\MagicISO
2007-04-28 22:10 -------- d-------- C:\Documents and Settings\zhao\Application Data\CyberLink
2007-04-27 20:46 -------- d-------- C:\Program Files\limewire
2007-04-15 19:42 -------- d-------- C:\Program Files\Windows Media Player
2007-04-15 19:42 -------- d-------- C:\Program Files\Windows Media Connect 2
2007-04-14 12:02 -------- d-------- C:\Program Files\Google
2007-04-14 12:00 -------- d-------- C:\Program Files\Java
2007-04-09 08:27 31548 --a------ C:\WINDOWS\system32\drivers\scdemu.sys
2007-04-08 15:41 -------- d-------- C:\Program Files\TryMedia
2007-04-08 14:42 -------- d-------- C:\Program Files\BitTorrent
2007-03-25 16:56 -------- d---s---- C:\Documents and Settings\zhao\Application Data\Microsoft
2007-03-24 18:46 -------- d-------- C:\Program Files\SlySoft
2007-03-24 15:46 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-03-17 09:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-15 10:08 101438 --a------ C:\WINDOWS\b122.exe
2007-03-08 11:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 11:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 11:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 09:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-02-28 05:10 2180352 --a------ C:\WINDOWS\system32\ntoskrnl.exe
2007-02-28 04:38 2057600 --a------ C:\WINDOWS\system32\ntkrnlpa.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"HPHUPD08"="C:\\Program Files\\HP\\Digital Imaging\\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\\hphupd08.exe"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"CloneCDTray"="\"C:\\Program Files\\SlySoft\\CloneCD\\CloneCDTray.exe\" /s"
"runner1"="C:\\WINDOWS\\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310"
"SManager"="smanager.7.exe"
"WindowsService"="rundll32.exe \"C:\\WINDOWS\\system32\\iostfjpe.dll\",realset"
"webHancer Agent"="C:\\Program Files\\webHancer\\Programs\\whagent.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"BitTorrent"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
"Arol"="\"C:\\WINDOWS\\PPPATC~1\\wuaclt.exe\" -vt yazb"
"Qeexedjc"="\"C:\\Documents and Settings\\zhao\\Application Data\\?icrosoft\\?hkdsk.exe\""
"IpWins"="C:\\Program Files\\Ipwindows\\ipwins.exe"
"Bajuc"="\"C:\\Documents and Settings\\zhao\\Application Data\\?ppPatch\\w?auboot.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=hex:b1,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{7B8151EC-B14E-420E-A84D-608DE40D697E}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqrs
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winhoo32
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvttq


Completion time: Mon 05/07/2007 14:49:40.37
ComboFix.txt
ComboFix2.txt
ComboFix3.txt
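The O4 autostart lines in the HijackThis logs above are what the helper has to triage by eye before picking the entries to fix. As an added example (my own code, not part of this thread, HijackThis or ComboFix), the script below parses O4 Run entries and applies the defender heuristics a helper is implicitly using: a path containing `?` (a character the log could not render, and since `?` is not legal in a Windows filename it signals a lookalike character, which is how the `?icrosoft` and `?hkdsk.exe` entries show up), a bare filename that is resolved through the search path, an executable under the user profile or sitting directly in C:\WINDOWS, an 8.3 short name in a Run value, and a rundll32 entry whose real payload is the DLL it loads. The sample lines are copied from the log posted in this thread; the flag names and the functions are my own, and a flag is a hint for a human to check, not a verdict (the ctfmon and ccApp entries pass clean).

```python
"""Triage HijackThis 'O4' autostart lines with simple defender heuristics.

Added example for this thread; not part of HijackThis or ComboFix.
"""
import re
from typing import Dict, List, Optional

# Constructed sample input: O4 lines copied from the log posted in this thread.
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r'O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310',
    r'O4 - HKLM\..\Run: [SManager] smanager.7.exe',
    r'O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\iostfjpe.dll",realset',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
    r'O4 - HKCU\..\Run: [Arol] "C:\WINDOWS\PPPATC~1\wuaclt.exe" -vt yazb',
    r'O4 - HKCU\..\Run: [Qeexedjc] "C:\Documents and Settings\zhao\Application Data\?icrosoft\?hkdsk.exe"',
    r'O4 - Global Startup: Powerword 2003.lnk = C:\Program Files\Kingsoft\Powerword 2003\XDICT.EXE',
]

# Matches registry Run entries only; Global Startup (.lnk) lines are skipped.
O4_RUN_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$'
)


def first_path(cmd: str) -> str:
    """Return the first program path of a command line (quoted or bare token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ''


def flags_for(path: str) -> List[str]:
    """Heuristic flags for an autostart path (hints for a human, not a verdict)."""
    flags: List[str] = []
    # '?' is not legal in a Windows filename, so it marks a character the log
    # could not render, i.e. a lookalike character in the real directory name.
    if '?' in path or any(ord(c) > 127 for c in path):
        flags.append('lookalike-char')
    # A bare filename is resolved through the search path, with no fixed origin.
    if '\\' not in path:
        flags.append('no-directory')
    low = path.lower()
    if '\\application data\\' in low or '\\documents and settings\\' in low:
        flags.append('user-profile-dir')
    parent = low.rsplit('\\', 1)[0] if '\\' in low else ''
    if parent == r'c:\windows':
        flags.append('windows-root')
    if re.search(r'~\d', path):
        flags.append('short-8.3-name')
    return flags


def parse_o4(line: str) -> Optional[Dict[str, object]]:
    """Parse one O4 Run line into hive, value name, effective path and flags."""
    m = O4_RUN_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group('cmd').strip()
    path = first_path(cmd)
    flags: List[str] = []
    basename = path.rsplit('\\', 1)[-1].lower()
    if basename == 'rundll32.exe':
        # The host is benign; the loaded DLL is the thing to look at.
        consumed = len(path) + 2 if cmd.startswith('"') else len(path)
        module = first_path(cmd[consumed:]).split(',')[0]
        path = module
        flags.append('rundll32-module')
    flags.extend(flags_for(path))
    return {'hive': m.group('hive'), 'name': m.group('name'), 'path': path, 'flags': flags}


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Parse all O4 Run lines, dropping lines in other O4 formats."""
    entries = [parse_o4(line) for line in lines]
    return [e for e in entries if e is not None]


def suspicious(entries: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Only the entries that raised at least one flag."""
    return [e for e in entries if e['flags']]


if __name__ == '__main__':
    for entry in triage(SAMPLE_O4_LINES):
        marker = 'CHECK' if entry['flags'] else 'ok   '
        print(f"{marker} {entry['hive']} [{entry['name']}] {entry['path']} {entry['flags']}")
```

Run it as a script to see the flagged entries; the five it marks for checking (runner1, SManager, WindowsService, Arol, Qeexedjc) are the same Run entries the helper lists for fixing later in the thread, while the legitimate Symantec and ctfmon entries come through with no flags.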

#6 Rahina

Rahina

    Security Helper


  • Members
  • 681 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:10:27 PM

Posted 08 May 2007 - 08:46 AM

Hi, we'll continue.

Please read this post completely; it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Step #1

First, Download LSPFix.exe to a convenient location. Do NOT run this program.

This is only to be used if you lose Internet access after removing WebHancer.

Next, Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

WebHancer (There may be multiple entries.)

In the event that you lose Internet access after removing WebHancer, please double-click LSPFix.exe that you downloaded earlier. Check the "I know what I'm doing" button. You will see 2 panels. If there is any file listed in the "Remove" panel on the right-side, leave it as is and just click "Finish>>" then reboot your computer and you should now have access to the Internet. If nothing is listed under the "Remove Panel", do NOT do anything - just close the program. You will need to use another computer to come back here for further instructions on what to do.

Step #2

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Step #3

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

Outerinfo
Ipwindows


Step #4

Please open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\iostfjpe.dll",realset
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKCU\..\Run: [Arol] "C:\WINDOWS\PPPATC~1\wuaclt.exe" -vt yazb
O4 - HKCU\..\Run: [Qeexedjc] "C:\Documents and Settings\zhao\Application Data\?icrosoft\?hkdsk.exe"
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKCU\..\Run: [Bajuc] "C:\Documents and Settings\zhao\Application Data\?ppPatch\w?auboot.exe"


Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

Step #5

Scan with DrWeb-CureIt as follows:
  • Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan" tab and uncheck "Heuristic analysis"
  • Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)

Step #6

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Step #7

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepads: main.txt and extra.txt
  • Use Save As to save both Notepad files to your Desktop and post them in your next reply.

Step #8

In your next reply please post:
  • C:\Vundofix.txt
  • C:\Deckard\System Scanner\Main.txt
  • C:\Deckard\System Scanner\extra.txt
  • DoctorWeb Report

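The entries the helper picks out above (unnamed BHOs and Winlogon Notify packages pointing at random-named DLLs in system32, Run keys that hand a DLL to rundll32, start-up paths whose directory names contain a "?" placeholder for a non-ASCII look-alike character, and services with no publisher) follow a small set of patterns that can be checked mechanically. The following is an added example, not code from the original post and not part of HijackThis: a Python triage that parses O2/O4/O20/O23 lines and reports which heuristic each entry trips, including the cross-reference between BHO and Winlogon Notify registrations that marks the Virtumonde/Vundo family seen in this log. The sample lines are copied from the HijackThis log posted in this thread; the allowlist of expected Winlogon Notify packages is an illustrative assumption and should be tuned to the build being examined.

```python
"""Triage of HijackThis log lines for the persistence patterns in this thread.
Added example; not code from the original post or from HijackThis itself."""

import ntpath
import re
from dataclasses import dataclass, field

# Winlogon Notify packages a stock XP SP2 box with Symantec AV and WGA would
# carry.  Assumption for illustration only; tune this per build.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon", "NavLogon", "WgaLogon",
}

# First drive-letter path ending in .dll/.exe on the line.  The optional quotes
# let rundll32 commands of the form '"C:\...\x.dll",entry' parse as well.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]+?\.(?:dll|exe))"?', re.IGNORECASE)
# 5-8 letters and nothing else: the shape of the Vundo-style names in this log
# (ssqrs, xxyvttq, eiyiyidx, ejfpxjyi, wnmkmspa, iostfjpe).
RANDOM_DLL = re.compile(r"^[a-z]{5,8}\.dll$", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    line: str
    reasons: list = field(default_factory=list)


def _section(line):
    return line.split(" - ", 1)[0].strip()          # "O2", "O4", "O20", "O23", ...


def _path(line):
    m = PATH_RE.search(line)
    return m.group(1) if m else None


def _basename(path):
    return ntpath.basename(path).lower() if path else None


def triage(lines):
    """Return a Finding for every line that trips at least one heuristic."""
    lines = [l.strip() for l in lines if l.strip()]
    # Cross-reference pass: a DLL registered both as a BHO (O2) and as a
    # Winlogon Notify package (O20) is the Virtumonde/Vundo signature.
    bho = {_basename(_path(l)) for l in lines if _section(l) == "O2"} - {None}
    notify = {_basename(_path(l)) for l in lines if _section(l) == "O20"} - {None}

    findings = []
    for line in lines:
        sec, path = _section(line), _path(line)
        name = _basename(path)
        reasons = []
        if path and "?" in path:
            reasons.append("'?' in path: a directory or file name uses a non-ASCII look-alike character")
        if sec == "O2":
            if "(no name)" in line and name and RANDOM_DLL.match(name) and "\\system32\\" in path.lower():
                reasons.append("unnamed BHO loading a random-named DLL from system32")
            if name in notify:
                reasons.append("BHO DLL is also a Winlogon Notify package (Virtumonde pattern)")
        elif sec == "O20" and "Notify:" in line:
            pkg = line.split("Notify:", 1)[1].split(" - ", 1)[0].strip()
            if pkg not in KNOWN_NOTIFY:
                reasons.append(f"unexpected Winlogon Notify package '{pkg}'")
            if name in bho:
                reasons.append("Notify DLL is also a BHO (Virtumonde pattern)")
        elif sec == "O4":
            if "rundll32" in line.lower() and name and RANDOM_DLL.match(name):
                reasons.append("Run key launches a random-named DLL through rundll32")
        elif sec == "O23":
            if "Unknown owner" in line:
                reasons.append("service with no publisher")
        if reasons and "(file missing)" in line:
            reasons.append("target file already gone; the entry is an orphan")
        if reasons:
            findings.append(Finding(sec, line, reasons))
    return findings


# Sample input: lines copied from the HijackThis log posted in this thread,
# with two benign entries (Java BHO, Symantec service) as controls.
SAMPLE = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7B8151EC-B14E-420E-A84D-608DE40D697E} - C:\WINDOWS\system32\xxyvttq.dll
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\system32\wnmkmspa.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\ejfpxjyi.dll",realset
O4 - HKCU\..\Run: [Rhsngik] "C:\Documents and Settings\zhao\My Documents\?asks\w?auclt.exe"
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: xxyvttq - C:\WINDOWS\SYSTEM32\xxyvttq.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\emhhbw\command.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
""".splitlines()


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f.line)
        for r in f.reasons:
            print("    -", r)
```

Run against the sample, six of the ten lines are reported and the two controls stay quiet. The heuristics are deliberately narrow: they catch the entries Rahina lists above but not, for example, the `[Arol]` entry launched from `PPPATC~1`, which only the "?" look-alike check in the path would catch if the directory name had been rendered that way. Treat the output as a shortlist for a human to confirm, not as a fix list.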

#7 re8888 (Topic Starter, Members, 14 posts)

Posted 09 May 2007 - 03:05 PM

Drweb
ifqia.exe;c:\program files\common files\ifqi;Trojan.DownLoader.11355;Will be cured after reboot.;
ifqim.exe;c:\program files\common files\ifqi;Adware.TargetServer;Incurable.Will be moved after reboot.;
netmon.exe;c:\program files\network monitor;Trojan.DnsChange;Will be cured after reboot.;
command.exe;c:\windows\emhhbw;Trojan.Proxy.493;Will be cured after reboot.;
lanijfdi.dll;c:\windows\system32;Adware.ClickSpring;Incurable.Moved.;
pkbdxysw.dll;c:\windows\system32;Adware.Crew;Incurable.Moved.;
ssqrs.dll;c:\windows\system32;Trojan.Virtumod;Will be cured after reboot.;
winhoo32.dll;c:\windows\system32;Trojan.Mezzia;Will be cured after reboot.;
wnmkmspa.dll;c:\windows\system32;Trojan.Juan;Deleted.;
xxyvttq.dll;c:\windows\system32;Trojan.Virtumod;Will be cured after reboot.;
Process.exe;C:\Documents and Settings\All Users\Documents\useful info\smitRem;Tool.Prockill;Incurable.Moved.;
cmdinst.exe;C:\Documents and Settings\zhao\Local Settings\Temp;Trojan.Proxy.493;Incurable.Moved.;
lo1[1];C:\Documents and Settings\zhao\Local Settings\Temporary Internet Files\Content.IE5\FTPS34S9;Trojan.Virtumod;Deleted.;
installer[1].exe;C:\Documents and Settings\zhao\Local Settings\Temporary Internet Files\Content.IE5\S3TKHP95;Trojan.Proxy.493;Incurable.Moved.;
crack.exe;C:\Documents and Settings\zhao\My Documents\gg;Trojan.Inject.254;Deleted.;
install.exe;C:\Documents and Settings\zhao\My Documents\gg;Trojan.DownLoader.21844;Deleted.;
Yazzle1122OinAdmin.exe\data001;C:\Program Files\Common Files\Yazzle1122OinAdmin.exe;Adware.ClickSpring;;
Yazzle1122OinAdmin.exe\data002;C:\Program Files\Common Files\Yazzle1122OinAdmin.exe;Adware.MediaTicket;;
Yazzle1122OinAdmin.exe\data003;C:\Program Files\Common Files\Yazzle1122OinAdmin.exe;Adware.ClickSpring;;
Yazzle1122OinAdmin.exe;C:\Program Files\Common Files;Archive contains infected objects;Moved.;
Yazzle1162OinAdmin.exe;C:\Program Files\Common Files;Adware.ClickSpring;Incurable.Moved.;
ifqia.exe;C:\Program Files\Common Files\ifqi;Trojan.DownLoader.11355;Will be cured after reboot.;
ifqil.exe;C:\Program Files\Common Files\ifqi;Trojan.DownLoader.11354;Deleted.;
ifqim.exe;C:\Program Files\Common Files\ifqi;Adware.TargetServer;Incurable.Will be moved after reboot.;
ifqip.exe;C:\Program Files\Common Files\ifqi;Adware.TargetServer;Incurable.Moved.;
ifqic.dll;C:\Program Files\Common Files\ifqi\ifqid;Adware.TargetServer;Incurable.Will be moved after reboot.;
ipwins.dll;C:\Program Files\Ipwindows;Trojan.Rond;Deleted.;
ipwins.exe;C:\Program Files\Ipwindows;Trojan.Rond;Deleted.;
UnInstall.exe;C:\Program Files\Ipwindows;Trojan.Rond;Deleted.;
netmon.exe;C:\Program Files\Network Monitor;Trojan.DnsChange;Deleted.;
A0133617.dll;C:\System Volume Information\_restore{B0C71A52-D2A0-41B6-B378-40E46471CE15}\RP287;Adware.ClickSpring;Incurable.Moved.;
A0133654.dll;C:\System Volume Information\_restore{B0C71A52-D2A0-41B6-B378-40E46471CE15}\RP288;Adware.ClickSpring;Incurable.Moved.;
A0133668.exe;C:\System Volume Information\_restore{B0C71A52-D2A0-41B6-B378-40E46471CE15}\RP288;Adware.WebHancer;Incurable.Moved.;
A0133669.dll;C:\System Volume Information\_restore{B0C71A52-D2A0-41B6-B378-40E46471CE15}\RP288;Adware.WebHancer;Incurable.Moved.;
A0133673.exe;C:\System Volume Information\_restore{B0C71A52-D2A0-41B6-B378-40E46471CE15}\RP288;Adware.WebHancer;Incurable.Moved.;
A0136681.exe\data001;C:\System Volume Information\_restore{B0C71A52-D2A0-41B6-B378-40E46471CE15}\RP289\A0136681.exe;Adware.ClickSpring;;
A0136681.exe\data002;C:\System Volume Information\_restore{B0C71A52-D2A0-41B6-B378-40E46471CE15}\RP289\A0136681.exe;Adware.MediaTicket;;
A0136681.exe\data003;C:\System Volume Information\_restore{B0C71A52-D2A0-41B6-B378-40E46471CE15}\RP289\A0136681.exe;Adware.ClickSpring;;
A0136681.exe;C:\System Volume Information\_restore{B0C71A52-D2A0-41B6-B378-40E46471CE15}\RP289;Archive contains infected objects;Moved.;
A0136682.exe;C:\System Volume Information\_restore{B0C71A52-D2A0-41B6-B378-40E46471CE15}\RP289;Trojan.DownLoader.11354;Deleted.;
A0136683.dll;C:\System Volume Information\_restore{B0C71A52-D2A0-41B6-B378-40E46471CE15}\RP289;Trojan.Rond;Deleted.;
A0136684.exe;C:\System Volume Information\_restore{B0C71A52-D2A0-41B6-B378-40E46471CE15}\RP289;Trojan.Rond;Deleted.;
A0136685.exe;C:\System Volume Information\_restore{B0C71A52-D2A0-41B6-B378-40E46471CE15}\RP289;Trojan.Rond;Deleted.;
A0136686.exe;C:\System Volume Information\_restore{B0C71A52-D2A0-41B6-B378-40E46471CE15}\RP289;Trojan.DnsChange;Deleted.;
retadpu1000272.exe;C:\WINDOWS;Trojan.DownLoader.20279;Deleted.;
retadpu2000352.exe;C:\WINDOWS;Trojan.DownLoader.20279;Deleted.;
gdnUS2218.exe;C:\WINDOWS\Downloaded Program Files;Trojan.DownLoader.based;Deleted.;
asappsrv.dll;C:\WINDOWS\emhhbw;Trojan.Proxy.493;Will be cured after reboot.;
command.exe;C:\WINDOWS\emhhbw;Trojan.Proxy.493;Will be cured after reboot.;
iostfjpe.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
lanijfdi.dll;C:\WINDOWS\system32;Adware.ClickSpring;;
pkbdxysw.dll;C:\WINDOWS\system32;Adware.Crew;;
ssqrs.dll;C:\WINDOWS\system32;Trojan.Virtumod;Will be cured after reboot.;
urqolli.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
winhoo32.dll;C:\WINDOWS\system32;Trojan.Mezzia;Will be cured after reboot.;
xecppjgc.dll;C:\WINDOWS\system32;Adware.Crew;Incurable.Moved.;
xxyvttq.dll;C:\WINDOWS\system32;Trojan.Virtumod;Will be cured after reboot.;
nsh27.dll;C:\WINDOWS\system32\SearchTool;Adware.SearchEnh;Incurable.Moved.;
SearchTool.dll;C:\WINDOWS\system32\SearchTool;Adware.SearchEnh;Incurable.Moved.;

Logfile of HijackThis v1.99.1
Scan saved at 3:58:10 PM, on 5/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\emhhbw\command.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\zhao\My Documents\?asks\w?auclt.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\notepad.exe
C:\hjt\zhao.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {42E992F8-E4D1-48DC-A480-B193897CB0Fc} - C:\WINDOWS\system32\eiyiyidx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7B8151EC-B14E-420E-A84D-608DE40D697E} - C:\WINDOWS\system32\xxyvttq.dll
O2 - BHO: (no name) - {B005E3C2-FC37-463A-8B3C-066BC25C2742} - C:\WINDOWS\system32\ssqrs.dll
O2 - BHO: (no name) - {D0685CA2-E95B-47ED-B1A5-D614166F8E38} - C:\WINDOWS\system32\eiyiyidx.dll
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\system32\wnmkmspa.dll (file missing)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\ejfpxjyi.dll",realset
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Rhsngik] "C:\Documents and Settings\zhao\My Documents\?asks\w?auclt.exe"
O4 - HKCU\..\Run: [ifqi] C:\PROGRA~1\COMMON~1\ifqi\ifqim.exe
O4 - Global Startup: Powerword 2003.lnk = C:\Program Files\Kingsoft\Powerword 2003\XDICT.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: PowerWord - {9A687CA6-D585-4947-9ED9-BE96071F5CD9} - C:\PROGRA~1\Kingsoft\POWERW~1\XDictExB.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.bleepingcomputer.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200610...ex/qtplugin.cab
O18 - Protocol: dic - {C21F5C32-F57A-4A0D-8E0A-B672691C52D0} - C:\PROGRA~1\Kingsoft\POWERW~1\XDictExB.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: ssqrs - C:\WINDOWS\system32\ssqrs.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winhoo32 - C:\WINDOWS\SYSTEM32\winhoo32.dll
O20 - Winlogon Notify: xxyvttq - C:\WINDOWS\SYSTEM32\xxyvttq.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\emhhbw\command.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Deckard's System Scanner v20070426.43
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ XP 1800+
Percentage of Memory in Use: 77%
Physical Memory (total/avail): 255.48 MiB / 57.34 MiB
Pagefile Memory (total/avail): 616.8 MiB / 327.55 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1970.37 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 28.63 GiB total, 7.18 GiB free.
D: is CDROM (No Media)
E: is Removable (No Media)


-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: Symantec AntiVirus Corporate Edition v9.0.1.1000 (Symantec Corporation)


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\zhao\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ZHAO-17466C7D50
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\zhao
LOGONSERVER=\\ZHAO-17466C7D50
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0801
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\zhao\LOCALS~1\Temp
TMP=C:\DOCUME~1\zhao\LOCALS~1\Temp
USERDOMAIN=ZHAO-17466C7D50
USERNAME=zhao
USERPROFILE=C:\Documents and Settings\zhao
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

zhao (admin)
Administrator (admin)

Deckard's System Scanner v20070426.43
Run by zhao on 2007-05-09 at 15:34:19
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
45: 2007-05-09 19:34:30 UTC - RP291 - Deckard's System Scanner Restore Point
44: 2007-05-09 02:07:24 UTC - RP290 - Software Distribution Service 2.0
43: 2007-05-08 20:41:35 UTC - RP289 - System Checkpoint
42: 2007-05-07 20:41:22 UTC - RP288 - System Checkpoint
41: 2007-05-06 17:18:04 UTC - RP287 - System Checkpoint


-- First Restore Point --
1: 2007-03-25 20:56:43 UTC - RP247 - Removed Battle Realms


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as zhao.exe) ------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 3:35:33 PM, on 5/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\emhhbw\command.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\zhao\My Documents\?asks\w?auclt.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\All Users\Documents\useful info\dss.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\hjt\zhao.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {42E992F8-E4D1-48DC-A480-B193897CB0Fc} - C:\WINDOWS\system32\eiyiyidx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7B8151EC-B14E-420E-A84D-608DE40D697E} - C:\WINDOWS\system32\xxyvttq.dll
O2 - BHO: (no name) - {B005E3C2-FC37-463A-8B3C-066BC25C2742} - C:\WINDOWS\system32\ssqrs.dll
O2 - BHO: (no name) - {D0685CA2-E95B-47ED-B1A5-D614166F8E38} - C:\WINDOWS\system32\eiyiyidx.dll
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\system32\wnmkmspa.dll (file missing)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\ejfpxjyi.dll",realset
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Rhsngik] "C:\Documents and Settings\zhao\My Documents\?asks\w?auclt.exe"
O4 - HKCU\..\Run: [ifqi] C:\PROGRA~1\COMMON~1\ifqi\ifqim.exe
O4 - Global Startup: Powerword 2003.lnk = C:\Program Files\Kingsoft\Powerword 2003\XDICT.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: PowerWord - {9A687CA6-D585-4947-9ED9-BE96071F5CD9} - C:\PROGRA~1\Kingsoft\POWERW~1\XDictExB.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.bleepingcomputer.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200610...ex/qtplugin.cab
O18 - Protocol: dic - {C21F5C32-F57A-4A0D-8E0A-B672691C52D0} - C:\PROGRA~1\Kingsoft\POWERW~1\XDictExB.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: ssqrs - C:\WINDOWS\system32\ssqrs.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winhoo32 - C:\WINDOWS\SYSTEM32\winhoo32.dll
O20 - Winlogon Notify: xxyvttq - C:\WINDOWS\SYSTEM32\xxyvttq.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\emhhbw\command.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


-- HijackThis Fixed Entries (C:\hjt\backups\) ----------------------------------

backup-20070508-150914-158 O4 - HKCU\..\Run: [Qeexedjc] "C:\Documents and Settings\zhao\Application Data\?icrosoft\?hkdsk.exe"
backup-20070508-150914-247 O4 - HKCU\..\Run: [Bajuc] "C:\Documents and Settings\zhao\Application Data\?ppPatch\w?auboot.exe"
backup-20070508-150914-257 O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\iostfjpe.dll",realset
backup-20070508-150914-477 O4 - HKLM\..\Run: [SManager] smanager.7.exe
backup-20070508-150914-560 O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
backup-20070508-150914-652 O4 - HKCU\..\Run: [Arol] "C:\WINDOWS\PPPATC~1\wuaclt.exe" -vt yazb
backup-20070508-150914-980 O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfsync02 (StarForce Protection Synchronization Driver (version 2.x)) - c:\windows\system32\drivers\sfsync02.sys <Not Verified; Protection Technology; StarForce Protection System>
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R3 Ptserial (W2K Pctel Serial Device Driver) - c:\windows\system32\drivers\ptserial.sys <Not Verified; PCTEL, INC.; HSP Modem Serial Device>
R3 Vmodem (W2K Vmodem) - c:\windows\system32\drivers\vmodem.sys <Not Verified; PCTEL, INC.; HSP Modem Modem Device>
R3 Vpctcom (W2K Vpctcom) - c:\windows\system32\drivers\vpctcom.sys <Not Verified; PCtel, Inc.; HSP Modem Virtual Control Device>
R3 Vvoice (W2K Vvoice) - c:\windows\system32\drivers\vvoice.sys <Not Verified; PCtel, Inc.; PCTEL HSP Modem Voice Device>

S3 oflpydin - c:\docume~1\zhao\locals~1\temp\oflpydin.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 cmdService (Command Service) - c:\windows\emhhbw\command.exe

S2 Network Monitor - c:\program files\network monitor\netmon.exe service (file missing)


-- Files created between 2007-04-09 and 2007-05-09 -----------------------------

2007-05-09 14:44:30 0 d-------- C:\VundoFix Backups
2007-05-08 18:27:24 132660 --a------ C:\WINDOWS\system32\ejfpxjyi.dll
2007-05-08 18:24:49 131604 --a------ C:\WINDOWS\system32\eiyiyidx.dll
2007-05-08 15:19:44 0 d-------- C:\Documents and Settings\zhao\DoctorWeb
2007-05-07 22:09:11 32177 ---hs---- C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
2007-05-07 21:54:06 0 d-------- C:\Program Files\Common Files\ifqi
2007-05-07 21:54:04 127578 --a------ C:\WINDOWS\system32\tsuninst.exe
2007-05-07 21:54:04 0 d-------- C:\WINDOWS\ifqi
2007-05-07 21:39:30 687592 --a------ C:\WINDOWS\system32\atmtd.dll
2007-05-07 21:39:08 0 d-------- C:\Documents and Settings\LocalService\Application Data\NetMon
2007-05-07 21:38:59 1989 --a------ C:\WINDOWS\uninstall_nmon.vbs
2007-05-07 21:38:59 0 d-------- C:\Program Files\Network Monitor
2007-05-07 21:38:39 0 d-------- C:\Program Files\InetGet2
2007-05-07 14:42:29 0 d-------- C:\Program Files\Outerinfo
2007-05-06 20:40:54 1475380 ---hs---- C:\WINDOWS\system32\srqss.bak2
2007-05-06 13:36:13 0 d-------- C:\New Folder
2007-05-06 13:35:02 0 d-------- C:\hjt
2007-05-05 14:08:53 1473405 ---hs---- C:\WINDOWS\system32\srqss.bak1
2007-05-05 14:08:15 284756 -----n--- C:\WINDOWS\system32\ssqrs.dll
2007-05-05 14:03:19 0 d-------- C:\Program Files\Ipwindows
2007-05-05 14:01:11 2 --a------ C:\WINDOWS\system32\wcptr.exe
2007-05-05 14:00:48 40183 ---hs---- C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
2007-05-05 13:59:48 17408 -----n--- C:\WINDOWS\system32\winhoo32.dll
2007-05-04 21:42:38 26678 -----n--- C:\WINDOWS\system32\xxyvttq.dll
2007-05-03 19:52:57 0 d-------- C:\Documents and Settings\zhao\Application Data\My Games
2007-05-03 19:37:56 0 d-------- C:\Program Files\Firaxis Games
2007-05-03 19:18:17 0 d-------- C:\Program Files\PowerISO
2007-04-29 17:15:01 0 d-------- C:\Program Files\MagicISO
2007-04-28 22:10:55 0 d-------- C:\Documents and Settings\zhao\Application Data\CyberLink
2007-04-15 19:42:18 0 d-------- C:\Program Files\Windows Media Connect 2
2007-04-15 19:37:25 0 d-------- C:\WINDOWS\system32\LogFiles
2007-04-15 19:37:25 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2007-04-14 12:02:58 0 d-------- C:\Program Files\Google
2007-04-09 08:27:07 31548 --a------ C:\WINDOWS\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>


-- Find3M Report ---------------------------------------------------------------

2007-05-09 14:38:38 0 d-------- C:\Program Files\Symantec AntiVirus
2007-05-05 16:42:17 0 d-------- C:\Program Files\Bethesda Softworks
2007-05-05 13:14:53 0 d-------- C:\Program Files\Warcraft III
2007-05-03 19:38:04 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-05-03 19:37:32 0 d-------- C:\Program Files\Common Files\InstallShield
2007-05-02 21:16:11 0 d-------- C:\Documents and Settings\zhao\Application Data\BitTorrent
2007-04-27 20:46:53 0 d-------- C:\Program Files\limewire
2007-04-14 12:00:43 0 d-------- C:\Program Files\Java
2007-04-08 15:41:53 0 d-------- C:\Program Files\TryMedia
2007-04-08 14:42:59 0 d-------- C:\Program Files\BitTorrent
2007-03-24 18:46:49 0 d-------- C:\Program Files\SlySoft
2007-03-24 15:46:51 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-03-17 10:51:03 1536 --a----c- C:\WINDOWS\system32\TrueSoft.dat
2007-03-16 20:49:04 0 d-------- C:\Documents and Settings\zhao\Application Data\Command & Conquer 3 Tiberium Wars Demo
2007-03-15 10:08:13 101438 --a------ C:\WINDOWS\b122.exe
2007-02-19 07:01:20 252356 --a------ C:\WINDOWS\b128.exe


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{42E992F8-E4D1-48DC-A480-B193897CB0Fc} C:\WINDOWS\system32\eiyiyidx.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
{7B8151EC-B14E-420E-A84D-608DE40D697E} C:\WINDOWS\system32\xxyvttq.dll
{B005E3C2-FC37-463A-8B3C-066BC25C2742} C:\WINDOWS\system32\ssqrs.dll
{D0685CA2-E95B-47ED-B1A5-D614166F8E38} C:\WINDOWS\system32\eiyiyidx.dll
{D651AFF4-9590-424d-BD1E-8E33E090DFB3} C:\WINDOWS\system32\wnmkmspa.dll [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"HPHUPD08"="C:\\Program Files\\HP\\Digital Imaging\\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\\hphupd08.exe"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"CloneCDTray"="\"C:\\Program Files\\SlySoft\\CloneCD\\CloneCDTray.exe\" /s"
"WindowsService"="rundll32.exe \"C:\\WINDOWS\\system32\\ejfpxjyi.dll\",realset"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"BitTorrent"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
"Rhsngik"="\"C:\\Documents and Settings\\zhao\\My Documents\\?asks\\w?auclt.exe\""
"ifqi"="C:\\PROGRA~1\\COMMON~1\\ifqi\\ifqim.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{7B8151EC-B14E-420E-A84D-608DE40D697E}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqrs
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winhoo32
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvttq

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



-- Hosts -----------------------------------------------------------------------

127.0.0.1 1.httpdads.com #SpySweeperCASS
127.0.0.1 207-87-18-203.wsmg.digex.net #SpySweeperCASS
127.0.0.1 a.mktw.net #SpySweeperCASS
127.0.0.1 a.tribalfusion.com #SpySweeperCASS
127.0.0.1 a207.p.f.qz3.net #SpySweeperCASS
127.0.0.1 a3.suntimes.com #SpySweeperCASS
127.0.0.1 actionsplash.com #SpySweeperCASS
127.0.0.1 ad.abcnews.com #SpySweeperCASS
127.0.0.1 ad.adsmart.net #SpySweeperCASS
127.0.0.1 ad.adtraq.com #SpySweeperCASS

674 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2007-05-09 at 15:39:30 ---------

I couldn't get the VundoFix log because it didn't find anything.

#8 Rahina
Security Helper

Posted 10 May 2007 - 07:55 AM

As the Main.txt log seems to be old, could you please run Dss.exe again and post a fresh Main.txt logfile (make sure it's created 10.5.2007).

Thanks

#9 re8888
Topic Starter

Posted 10 May 2007 - 06:20 PM

Deckard's System Scanner v20070426.43
Run by zhao on 2007-05-10 at 19:13:21
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as zhao.exe) ------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 7:13:38 PM, on 5/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\emhhbw\command.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\All Users\Documents\useful info\dss.exe
C:\hjt\zhao.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {42E992F8-E4D1-48DC-A480-B193897CB0Fc} - C:\WINDOWS\system32\eiyiyidx.dll
O2 - BHO: (no name) - {6F454625-7D2D-4E94-9737-7F29B80105CF} - C:\WINDOWS\system32\ssqrs.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7B8151EC-B14E-420E-A84D-608DE40D697E} - C:\WINDOWS\system32\xxyvttq.dll
O2 - BHO: (no name) - {D0685CA2-E95B-47ED-B1A5-D614166F8E38} - C:\WINDOWS\system32\eiyiyidx.dll
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\system32\wnmkmspa.dll (file missing)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\gretsknm.dll",realset
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Rhsngik] "C:\Documents and Settings\zhao\My Documents\?asks\w?auclt.exe"
O4 - HKCU\..\Run: [ifqi] C:\PROGRA~1\COMMON~1\ifqi\ifqim.exe
O4 - HKCU\..\Run: [Arol] "C:\WINDOWS\PPPATC~1\wuaclt.exe" -vt yazb
O4 - Global Startup: Powerword 2003.lnk = C:\Program Files\Kingsoft\Powerword 2003\XDICT.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: PowerWord - {9A687CA6-D585-4947-9ED9-BE96071F5CD9} - C:\PROGRA~1\Kingsoft\POWERW~1\XDictExB.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.bleepingcomputer.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200610...ex/qtplugin.cab
O18 - Protocol: dic - {C21F5C32-F57A-4A0D-8E0A-B672691C52D0} - C:\PROGRA~1\Kingsoft\POWERW~1\XDictExB.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: ssqrs - C:\WINDOWS\system32\ssqrs.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winhoo32 - C:\WINDOWS\SYSTEM32\winhoo32.dll
O20 - Winlogon Notify: xxyvttq - C:\WINDOWS\SYSTEM32\xxyvttq.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\emhhbw\command.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


-- Files created between 2007-04-10 and 2007-05-10 -----------------------------

2007-05-10 14:52:42 132660 --a------ C:\WINDOWS\system32\gretsknm.dll
2007-05-09 14:44:30 0 d-------- C:\VundoFix Backups
2007-05-08 18:27:24 132660 -----n--- C:\WINDOWS\system32\ejfpxjyi.dll
2007-05-08 18:24:49 131604 --a------ C:\WINDOWS\system32\eiyiyidx.dll
2007-05-08 15:19:44 0 d-------- C:\Documents and Settings\zhao\DoctorWeb
2007-05-07 22:09:11 32177 ---hs---- C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
2007-05-07 21:54:06 0 d-------- C:\Program Files\Common Files\ifqi
2007-05-07 21:54:04 127578 --a------ C:\WINDOWS\system32\tsuninst.exe
2007-05-07 21:54:04 0 d-------- C:\WINDOWS\ifqi
2007-05-07 21:39:30 687592 --a------ C:\WINDOWS\system32\atmtd.dll
2007-05-07 21:39:08 0 d-------- C:\Documents and Settings\LocalService\Application Data\NetMon
2007-05-07 21:38:59 1989 --a------ C:\WINDOWS\uninstall_nmon.vbs
2007-05-07 21:38:59 0 d-------- C:\Program Files\Network Monitor
2007-05-07 21:38:39 0 d-------- C:\Program Files\InetGet2
2007-05-07 14:42:29 0 d-------- C:\Program Files\Outerinfo
2007-05-06 20:40:54 1473340 ---hs---- C:\WINDOWS\system32\srqss.bak2
2007-05-06 13:36:13 0 d-------- C:\New Folder
2007-05-06 13:35:02 0 d-------- C:\hjt
2007-05-05 14:08:53 1473258 ---hs---- C:\WINDOWS\system32\srqss.bak1
2007-05-05 14:08:15 284756 -----n--- C:\WINDOWS\system32\ssqrs.dll
2007-05-05 14:03:19 0 d-------- C:\Program Files\Ipwindows
2007-05-05 14:01:11 2 --a------ C:\WINDOWS\system32\wcptr.exe
2007-05-05 14:00:48 40183 ---hs---- C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
2007-05-05 13:59:48 17408 -----n--- C:\WINDOWS\system32\winhoo32.dll
2007-05-04 21:42:38 26678 -----n--- C:\WINDOWS\system32\xxyvttq.dll
2007-05-03 19:52:57 0 d-------- C:\Documents and Settings\zhao\Application Data\My Games
2007-05-03 19:37:56 0 d-------- C:\Program Files\Firaxis Games
2007-05-03 19:18:17 0 d-------- C:\Program Files\PowerISO
2007-04-29 17:15:01 0 d-------- C:\Program Files\MagicISO
2007-04-28 22:10:55 0 d-------- C:\Documents and Settings\zhao\Application Data\CyberLink
2007-04-15 19:42:18 0 d-------- C:\Program Files\Windows Media Connect 2
2007-04-15 19:37:25 0 d-------- C:\WINDOWS\system32\LogFiles
2007-04-15 19:37:25 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2007-04-14 12:02:58 0 d-------- C:\Program Files\Google


-- Find3M Report ---------------------------------------------------------------

2007-05-10 14:48:34 0 d-------- C:\Program Files\Symantec AntiVirus
2007-05-05 16:42:17 0 d-------- C:\Program Files\Bethesda Softworks
2007-05-05 13:14:53 0 d-------- C:\Program Files\Warcraft III
2007-05-03 19:38:04 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-05-03 19:37:32 0 d-------- C:\Program Files\Common Files\InstallShield
2007-05-02 21:16:11 0 d-------- C:\Documents and Settings\zhao\Application Data\BitTorrent
2007-04-27 20:46:53 0 d-------- C:\Program Files\limewire
2007-04-14 12:00:43 0 d-------- C:\Program Files\Java
2007-04-08 15:41:53 0 d-------- C:\Program Files\TryMedia
2007-04-08 14:42:59 0 d-------- C:\Program Files\BitTorrent
2007-03-24 18:46:49 0 d-------- C:\Program Files\SlySoft
2007-03-24 15:46:51 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-03-17 10:51:03 1536 --a----c- C:\WINDOWS\system32\TrueSoft.dat
2007-03-16 20:49:04 0 d-------- C:\Documents and Settings\zhao\Application Data\Command & Conquer 3 Tiberium Wars Demo
2007-03-15 10:08:13 101438 --a------ C:\WINDOWS\b122.exe
2007-02-19 07:01:20 252356 --a------ C:\WINDOWS\b128.exe


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{42E992F8-E4D1-48DC-A480-B193897CB0Fc} C:\WINDOWS\system32\eiyiyidx.dll
{6F454625-7D2D-4E94-9737-7F29B80105CF} C:\WINDOWS\system32\ssqrs.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
{7B8151EC-B14E-420E-A84D-608DE40D697E} C:\WINDOWS\system32\xxyvttq.dll
{D0685CA2-E95B-47ED-B1A5-D614166F8E38} C:\WINDOWS\system32\eiyiyidx.dll
{D651AFF4-9590-424d-BD1E-8E33E090DFB3} C:\WINDOWS\system32\wnmkmspa.dll [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"HPHUPD08"="C:\\Program Files\\HP\\Digital Imaging\\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\\hphupd08.exe"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"CloneCDTray"="\"C:\\Program Files\\SlySoft\\CloneCD\\CloneCDTray.exe\" /s"
"WindowsUpdate"="rundll32.exe \"C:\\WINDOWS\\system32\\gretsknm.dll\",realset"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"BitTorrent"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
"Rhsngik"="\"C:\\Documents and Settings\\zhao\\My Documents\\?asks\\w?auclt.exe\""
"ifqi"="C:\\PROGRA~1\\COMMON~1\\ifqi\\ifqim.exe"
"Arol"="\"C:\\WINDOWS\\PPPATC~1\\wuaclt.exe\" -vt yazb"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{7B8151EC-B14E-420E-A84D-608DE40D697E}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqrs
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winhoo32
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvttq

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



-- End of Deckard's System Scanner: finished at 2007-05-10 at 19:15:25 ---------

#10 Rahina
Security Helper

Posted 10 May 2007 - 11:47 PM

Alright, we'll continue.

Step #1
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files; click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Step #2
  • Double click on Combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Step #4

In your next reply please post:

C:\Vundofix.txt
C:\Combofix.txt

Also post a fresh HijackThis logfile.

#11 re8888
Topic Starter

Posted 12 May 2007 - 06:57 PM

zhao - 07-05-12 18:25:43.15
ComboFix 06.08.24 - Running from: C:\Documents and Settings\All Users\Documents\useful info

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\tsuninst.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Program Files\Inetget2
C:\Program Files\network monitor
C:\WINDOWS\emhhbw

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\zhao\Application Data\ICROSO~1
C:\QooBox\Purity\Documents and Settings\zhao\Application Data\PPPATC~1
C:\QooBox\Purity\Documents and Settings\zhao\Application Data\ICROSO~1\?hkdsk.exe
C:\QooBox\Purity\Documents and Settings\zhao\Application Data\PPPATC~1\w?auboot.exe
C:\QooBox\Purity\Documents and Settings\zhao\My Documents\ASKS~1
C:\QooBox\Purity\Documents and Settings\zhao\My Documents\ASKS~1\w?auclt.exe


((((((((((((((((((((((((((((((( Files Created from 2007-04-12 to 2007-05-12 ))))))))))))))))))))))))))))))))))


2007-05-10 14:52 132,660 --a------ C:\WINDOWS\system32\gretsknm.dll
2007-05-08 18:24 131,604 --a------ C:\WINDOWS\system32\eiyiyidx.dll
2007-05-06 20:40 1,472,156 ---hs---- C:\WINDOWS\system32\srqss.bak2
2007-05-05 14:08 284,756 --------- C:\WINDOWS\system32\ssqrs.dll
2007-05-05 14:08 1,473,258 ---hs---- C:\WINDOWS\system32\srqss.bak1
2007-05-05 14:01 2 --a------ C:\WINDOWS\system32\wcptr.exe
2007-05-05 14:00 11,264 --a------ C:\WINDOWS\smanager.7.exe
2007-05-05 13:59 17,408 --------- C:\WINDOWS\system32\winhoo32.dll
2007-05-04 21:42 26,678 --------- C:\WINDOWS\system32\xxyvttq.dll
2007-04-15 19:42 221,184 --a------ C:\WINDOWS\system32\wmpns.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-12 18:30 -------- d-------- C:\Program Files\Symantec AntiVirus
2007-05-08 22:10 -------- d-------- C:\Program Files\Internet Explorer
2007-05-08 18:18 -------- d-------- C:\Program Files\Common Files\ifqi
2007-05-08 18:12 -------- d-------- C:\Program Files\Common Files
2007-05-08 17:20 -------- d-------- C:\Program Files\Ipwindows
2007-05-07 22:09 32177 ---hs---- C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
2007-05-07 14:42 -------- d-------- C:\Program Files\Outerinfo
2007-05-05 16:42 -------- d-------- C:\Program Files\Bethesda Softworks
2007-05-05 14:00 40183 ---hs---- C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
2007-05-05 13:14 -------- d-------- C:\Program Files\Warcraft III
2007-05-03 19:52 -------- d-------- C:\Documents and Settings\zhao\Application Data\My Games
2007-05-03 19:45 163644 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2007-05-03 19:38 -------- d--h----- C:\Program Files\InstallShield Installation Information
2007-05-03 19:37 -------- d-------- C:\Program Files\Firaxis Games
2007-05-03 19:37 -------- d-------- C:\Program Files\Common Files\InstallShield
2007-05-03 19:18 -------- d-------- C:\Program Files\PowerISO
2007-05-02 21:16 -------- d-------- C:\Documents and Settings\zhao\Application Data\BitTorrent
2007-04-29 17:15 -------- d-------- C:\Program Files\MagicISO
2007-04-28 22:10 -------- d-------- C:\Documents and Settings\zhao\Application Data\CyberLink
2007-04-27 20:46 -------- d-------- C:\Program Files\limewire
2007-04-15 19:42 -------- d-------- C:\Program Files\Windows Media Player
2007-04-15 19:42 -------- d-------- C:\Program Files\Windows Media Connect 2
2007-04-14 12:02 -------- d-------- C:\Program Files\Google
2007-04-14 12:00 -------- d-------- C:\Program Files\Java
2007-04-09 08:27 31548 --a------ C:\WINDOWS\system32\drivers\scdemu.sys
2007-04-08 15:41 -------- d-------- C:\Program Files\TryMedia
2007-04-08 14:42 -------- d-------- C:\Program Files\BitTorrent
2007-04-03 10:46 383488 --a------ C:\WINDOWS\system32\ieapfltr.dll
2007-03-25 16:56 -------- d---s---- C:\Documents and Settings\zhao\Application Data\Microsoft
2007-03-24 18:46 -------- d-------- C:\Program Files\SlySoft
2007-03-24 15:46 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-03-17 09:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-15 10:08 101438 --a------ C:\WINDOWS\b122.exe
2007-03-08 11:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 11:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 11:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 09:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-07 13:45 6054400 --a------ C:\WINDOWS\system32\ieframe.dll
2007-03-07 13:45 51712 --a------ C:\WINDOWS\system32\msfeedsbs.dll
2007-03-07 13:45 458752 --a------ C:\WINDOWS\system32\msfeeds.dll
2007-03-07 13:45 44544 --a------ C:\WINDOWS\system32\iernonce.dll
2007-03-07 13:45 384000 --a------ C:\WINDOWS\system32\iedkcs32.dll
2007-03-07 13:45 266752 --a------ C:\WINDOWS\system32\iertutil.dll
2007-03-07 13:45 232960 --a------ C:\WINDOWS\system32\webcheck.dll
2007-03-07 13:45 230400 --a------ C:\WINDOWS\system32\ieaksie.dll
2007-03-07 13:45 153088 --a------ C:\WINDOWS\system32\ieakeng.dll
2007-03-07 13:45 124928 --a------ C:\WINDOWS\system32\advpack.dll
2007-03-07 13:45 105984 --a------ C:\WINDOWS\system32\url.dll
2007-03-07 13:45 102400 --a------ C:\WINDOWS\system32\occache.dll
2007-03-07 04:28 56832 --a------ C:\WINDOWS\system32\ie4uinit.exe
2007-02-28 05:10 2180352 --a------ C:\WINDOWS\system32\ntoskrnl.exe
2007-02-28 04:38 2057600 --a------ C:\WINDOWS\system32\ntkrnlpa.exe
2007-02-27 04:20 13824 --a------ C:\WINDOWS\system32\ieudinit.exe
2007-02-21 04:00 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2007-02-19 07:01 252356 --a------ C:\WINDOWS\b128.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"HPHUPD08"="C:\\Program Files\\HP\\Digital Imaging\\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\\hphupd08.exe"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"CloneCDTray"="\"C:\\Program Files\\SlySoft\\CloneCD\\CloneCDTray.exe\" /s"
"WindowsUpdate"="rundll32.exe \"C:\\WINDOWS\\system32\\gretsknm.dll\",realset"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"BitTorrent"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
"Rhsngik"="\"C:\\Documents and Settings\\zhao\\My Documents\\?asks\\w?auclt.exe\""
"ifqi"="C:\\PROGRA~1\\COMMON~1\\ifqi\\ifqim.exe"
"Arol"="\"C:\\WINDOWS\\PPPATC~1\\wuaclt.exe\" -vt yazb"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=hex:b1,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{7B8151EC-B14E-420E-A84D-608DE40D697E}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqrs
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winhoo32
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvttq


Completion time: Sat 05/12/2007 18:32:01.60
ComboFix new.txt
ComboFix.txt
ComboFix2.txt
ComboFix3.txt

Logfile of HijackThis v1.99.1
Scan saved at 8:52:39 PM, on 5/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\PPPATC~1\wuaclt.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\All Users\Documents\useful info\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {42E992F8-E4D1-48DC-A480-B193897CB0Fc} - C:\WINDOWS\system32\eiyiyidx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7B8151EC-B14E-420E-A84D-608DE40D697E} - C:\WINDOWS\system32\xxyvttq.dll (file missing)
O2 - BHO: (no name) - {CF9F43E3-9717-4BF4-8B90-150C24CF2A8F} - C:\WINDOWS\system32\ssqrs.dll (file missing)
O2 - BHO: (no name) - {D0685CA2-E95B-47ED-B1A5-D614166F8E38} - C:\WINDOWS\system32\eiyiyidx.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\gretsknm.dll",realset
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Rhsngik] "C:\Documents and Settings\zhao\My Documents\?asks\w?auclt.exe"
O4 - HKCU\..\Run: [ifqi] C:\PROGRA~1\COMMON~1\ifqi\ifqim.exe
O4 - HKCU\..\Run: [Arol] "C:\WINDOWS\PPPATC~1\wuaclt.exe" -vt yazb
O4 - Global Startup: Powerword 2003.lnk = C:\Program Files\Kingsoft\Powerword 2003\XDICT.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: PowerWord - {9A687CA6-D585-4947-9ED9-BE96071F5CD9} - C:\PROGRA~1\Kingsoft\POWERW~1\XDictExB.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.bleepingcomputer.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200610...ex/qtplugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BDB550E8-E100-495B-8C02-96275BD29C96}: NameServer = 71.252.0.12 68.237.161.12
O18 - Protocol: dic - {C21F5C32-F57A-4A0D-8E0A-B672691C52D0} - C:\PROGRA~1\Kingsoft\POWERW~1\XDictExB.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winhoo32 - C:\WINDOWS\SYSTEM32\winhoo32.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

VundoFix found and deleted 6 items, but it didn't leave a log.

Edited by re8888, 12 May 2007 - 07:58 PM.


#12 Rahina

Rahina

    Security Helper


  • Members
  • 681 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:10:27 PM

Posted 13 May 2007 - 03:26 AM

Please re-scan with VundoFix.

Vundofix Logfile is located here:

C:\Vundofix.txt

Please re-scan using Deckard's System Scanner and post me a fresh Main.txt logfile.

Logs are located here:

C:\Deckard\System Scanner\Main.txt
C:\Deckard\System Scanner\Extra.txt

Did you remove all older versions of Java update like I told you to do?

Thanks.

Edited by Rahina Rescue, 13 May 2007 - 03:27 AM.

[ Antivirus ] [ Firewall ] [ Spywareblaster ] [ Malwarebytes Anti-Malware ] [ Windows update ] [ Firefox ] [ WinPatrol ] [ ATF Cleaner ]

If I have helped you, donate to help me continue helping others.

#13 re8888

re8888
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:02:27 PM

Posted 13 May 2007 - 01:21 PM

VundoFix V6.1.2

Checking Java version...

Java version is 1.5.0.8

Java version is 1.5.0.9

Scan started at 2:44:30 PM 5/9/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.1.2

Checking Java version...

Java version is 1.5.0.8

Java version is 1.5.0.9

Scan started at 6:22:58 PM 5/12/2007

Listing files found while scanning....


VundoFix V6.3.21

Checking Java version...

Java version is 1.5.0.8
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 7:59:59 PM 5/12/2007

Listing files found while scanning....

C:\WINDOWS\system32\srqss.bak1
C:\WINDOWS\system32\srqss.bak2
C:\WINDOWS\system32\srqss.ini
C:\WINDOWS\system32\ssqrs.dll
C:\WINDOWS\system32\wnmkmspa.dll
C:\WINDOWS\system32\xxyvttq.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\srqss.bak1
C:\WINDOWS\system32\srqss.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\srqss.bak2
C:\WINDOWS\system32\srqss.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\srqss.ini
C:\WINDOWS\system32\srqss.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqrs.dll
C:\WINDOWS\system32\ssqrs.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\xxyvttq.dll
C:\WINDOWS\system32\xxyvttq.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ssqrs.dll
C:\WINDOWS\system32\ssqrs.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xxyvttq.dll
C:\WINDOWS\system32\xxyvttq.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.21

Checking Java version...

Java version is 1.5.0.8
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 8:37:17 PM 5/12/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.3.21

Checking Java version...

Java version is 1.5.0.8
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 1:37:57 PM 5/13/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

#14 Rahina

Rahina

    Security Helper


  • Members
  • 681 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:10:27 PM

Posted 13 May 2007 - 01:26 PM

Could you please post a fresh HJT logfile?

#15 re8888

re8888
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:02:27 PM

Posted 13 May 2007 - 03:15 PM

Logfile of HijackThis v1.99.1
Scan saved at 4:10:38 PM, on 5/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\PPPATC~1\wuaclt.exe
C:\WINDOWS\system32\?racle\??chost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\hjt\zhao.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {42E992F8-E4D1-48DC-A480-B193897CB0Fc} - C:\WINDOWS\system32\eiyiyidx.dll
O2 - BHO: (no name) - {62E3FC42-3085-3326-A140-69E33791FEEA} - C:\WINDOWS\system32\fcxjfdvm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7B8151EC-B14E-420E-A84D-608DE40D697E} - C:\WINDOWS\system32\xxyvttq.dll (file missing)
O2 - BHO: (no name) - {CF9F43E3-9717-4BF4-8B90-150C24CF2A8F} - C:\WINDOWS\system32\ssqrs.dll (file missing)
O2 - BHO: (no name) - {D0685CA2-E95B-47ED-B1A5-D614166F8E38} - C:\WINDOWS\system32\eiyiyidx.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\gretsknm.dll",realset
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Rhsngik] "C:\Documents and Settings\zhao\My Documents\?asks\w?auclt.exe"
O4 - HKCU\..\Run: [ifqi] C:\PROGRA~1\COMMON~1\ifqi\ifqim.exe
O4 - HKCU\..\Run: [Arol] "C:\WINDOWS\PPPATC~1\wuaclt.exe" -vt yazb
O4 - HKCU\..\Run: [Lvzwih] C:\WINDOWS\system32\?racle\??chost.exe
O4 - Global Startup: Powerword 2003.lnk = C:\Program Files\Kingsoft\Powerword 2003\XDICT.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: PowerWord - {9A687CA6-D585-4947-9ED9-BE96071F5CD9} - C:\PROGRA~1\Kingsoft\POWERW~1\XDictExB.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.bleepingcomputer.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200610...ex/qtplugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BDB550E8-E100-495B-8C02-96275BD29C96}: NameServer = 71.252.0.12 68.237.161.12
O18 - Protocol: dic - {C21F5C32-F57A-4A0D-8E0A-B672691C52D0} - C:\PROGRA~1\Kingsoft\POWERW~1\XDictExB.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winhoo32 - C:\WINDOWS\SYSTEM32\winhoo32.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Deckard's System Scanner v20070426.43
Run by zhao on 2007-05-13 at 14:19:04
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as zhao.exe) ------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 2:19:11 PM, on 5/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\PPPATC~1\wuaclt.exe
C:\WINDOWS\system32\?racle\??chost.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\All Users\Documents\useful info\dss.exe
C:\DOCUME~1\ALLUSE~1\DOCUME~1\USEFUL~1\zhao.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {42E992F8-E4D1-48DC-A480-B193897CB0Fc} - C:\WINDOWS\system32\eiyiyidx.dll
O2 - BHO: (no name) - {62E3FC42-3085-3326-A140-69E33791FEEA} - C:\WINDOWS\system32\fcxjfdvm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7B8151EC-B14E-420E-A84D-608DE40D697E} - C:\WINDOWS\system32\xxyvttq.dll (file missing)
O2 - BHO: (no name) - {CF9F43E3-9717-4BF4-8B90-150C24CF2A8F} - C:\WINDOWS\system32\ssqrs.dll (file missing)
O2 - BHO: (no name) - {D0685CA2-E95B-47ED-B1A5-D614166F8E38} - C:\WINDOWS\system32\eiyiyidx.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\gretsknm.dll",realset
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Rhsngik] "C:\Documents and Settings\zhao\My Documents\?asks\w?auclt.exe"
O4 - HKCU\..\Run: [ifqi] C:\PROGRA~1\COMMON~1\ifqi\ifqim.exe
O4 - HKCU\..\Run: [Arol] "C:\WINDOWS\PPPATC~1\wuaclt.exe" -vt yazb
O4 - HKCU\..\Run: [Lvzwih] C:\WINDOWS\system32\?racle\??chost.exe
O4 - Global Startup: Powerword 2003.lnk = C:\Program Files\Kingsoft\Powerword 2003\XDICT.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: PowerWord - {9A687CA6-D585-4947-9ED9-BE96071F5CD9} - C:\PROGRA~1\Kingsoft\POWERW~1\XDictExB.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.bleepingcomputer.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200610...ex/qtplugin.cab
O18 - Protocol: dic - {C21F5C32-F57A-4A0D-8E0A-B672691C52D0} - C:\PROGRA~1\Kingsoft\POWERW~1\XDictExB.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winhoo32 - C:\WINDOWS\SYSTEM32\winhoo32.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


-- Files created between 2007-04-13 and 2007-05-13 -----------------------------

2007-05-13 09:15:30 0 d-------- C:\WINDOWS\system32\?racle
2007-05-13 09:15:24 60928 --a------ C:\WINDOWS\system32\fcxjfdvm.dll
2007-05-12 20:33:22 24576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe <Not Verified; Atribune.org; Vundofix Service>
2007-05-10 14:52:42 132660 --a------ C:\WINDOWS\system32\gretsknm.dll
2007-05-09 14:44:30 0 d-------- C:\VundoFix Backups
2007-05-08 18:24:49 131604 --a------ C:\WINDOWS\system32\eiyiyidx.dll
2007-05-08 15:19:44 0 d-------- C:\Documents and Settings\zhao\DoctorWeb
2007-05-07 22:09:11 32177 ---hs---- C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
2007-05-07 21:54:06 0 d-------- C:\Program Files\Common Files\ifqi
2007-05-07 21:54:04 0 d-------- C:\WINDOWS\ifqi
2007-05-07 14:42:29 0 d-------- C:\Program Files\Outerinfo
2007-05-06 13:36:13 0 d-------- C:\New Folder
2007-05-06 13:35:02 0 d-------- C:\hjt
2007-05-05 14:03:19 0 d-------- C:\Program Files\Ipwindows
2007-05-05 14:01:11 2 --a------ C:\WINDOWS\system32\wcptr.exe
2007-05-05 14:00:48 40183 ---hs---- C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
2007-05-05 13:59:48 17408 -----n--- C:\WINDOWS\system32\winhoo32.dll
2007-05-03 19:52:57 0 d-------- C:\Documents and Settings\zhao\Application Data\My Games
2007-05-03 19:37:56 0 d-------- C:\Program Files\Firaxis Games
2007-05-03 19:18:17 0 d-------- C:\Program Files\PowerISO
2007-04-29 17:15:01 0 d-------- C:\Program Files\MagicISO
2007-04-28 22:10:55 0 d-------- C:\Documents and Settings\zhao\Application Data\CyberLink
2007-04-15 19:42:18 0 d-------- C:\Program Files\Windows Media Connect 2
2007-04-15 19:37:25 0 d-------- C:\WINDOWS\system32\LogFiles
2007-04-15 19:37:25 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2007-04-14 12:02:58 0 d-------- C:\Program Files\Google


-- Find3M Report ---------------------------------------------------------------

2007-05-13 10:15:40 0 d-------- C:\Program Files\Symantec AntiVirus
2007-05-05 16:42:17 0 d-------- C:\Program Files\Bethesda Softworks
2007-05-05 13:14:53 0 d-------- C:\Program Files\Warcraft III
2007-05-03 19:38:04 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-05-03 19:37:32 0 d-------- C:\Program Files\Common Files\InstallShield
2007-05-02 21:16:11 0 d-------- C:\Documents and Settings\zhao\Application Data\BitTorrent
2007-04-27 20:46:53 0 d-------- C:\Program Files\limewire
2007-04-14 12:00:43 0 d-------- C:\Program Files\Java
2007-04-08 15:41:53 0 d-------- C:\Program Files\TryMedia
2007-04-08 14:42:59 0 d-------- C:\Program Files\BitTorrent
2007-03-24 18:46:49 0 d-------- C:\Program Files\SlySoft
2007-03-24 15:46:51 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-03-17 10:51:03 1536 --a----c- C:\WINDOWS\system32\TrueSoft.dat
2007-03-16 20:49:04 0 d-------- C:\Documents and Settings\zhao\Application Data\Command & Conquer 3 Tiberium Wars Demo
2007-03-15 10:08:13 101438 --a------ C:\WINDOWS\b122.exe
2007-02-19 07:01:20 252356 --a------ C:\WINDOWS\b128.exe


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{42E992F8-E4D1-48DC-A480-B193897CB0Fc} C:\WINDOWS\system32\eiyiyidx.dll
{62E3FC42-3085-3326-A140-69E33791FEEA} C:\WINDOWS\system32\fcxjfdvm.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
{7B8151EC-B14E-420E-A84D-608DE40D697E} C:\WINDOWS\system32\xxyvttq.dll [x]
{CF9F43E3-9717-4BF4-8B90-150C24CF2A8F} C:\WINDOWS\system32\ssqrs.dll [x]
{D0685CA2-E95B-47ED-B1A5-D614166F8E38} C:\WINDOWS\system32\eiyiyidx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"HPHUPD08"="C:\\Program Files\\HP\\Digital Imaging\\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\\hphupd08.exe"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"CloneCDTray"="\"C:\\Program Files\\SlySoft\\CloneCD\\CloneCDTray.exe\" /s"
"WindowsUpdate"="rundll32.exe \"C:\\WINDOWS\\system32\\gretsknm.dll\",realset"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"BitTorrent"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
"Rhsngik"="\"C:\\Documents and Settings\\zhao\\My Documents\\?asks\\w?auclt.exe\""
"ifqi"="C:\\PROGRA~1\\COMMON~1\\ifqi\\ifqim.exe"
"Arol"="\"C:\\WINDOWS\\PPPATC~1\\wuaclt.exe\" -vt yazb"
"Lvzwih"="C:\\WINDOWS\\system32\\?racle\\??chost.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{7B8151EC-B14E-420E-A84D-608DE40D697E}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winhoo32

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



-- End of Deckard's System Scanner: finished at 2007-05-13 at 14:20:08 ---------

