What the Tech forums
[Resolved] CHINA HIJACKED DOMAIN, Help needed Windows 2003 many host files
Menteng
post Oct 9 2008, 04:19 AM
Post #1


New Member
*

Group: New Member
Posts: 11
Joined: 2-July 08
Member No.: 79,986
Operating System: Win XP



Dear advisors,

Please help with my WIN 2003 SERVER.
With HJT Trend Micro it seems there are many HOSTS FILE entries
connected to many CHINESE websites (some truncated).

Please help urgently.

Thanks,
Lee

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:11:43 PM, on 07/10/2008
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\ismserv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\ntfrs.exe
C:\WINDOWS\system32\RTPSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\Program Files\Exchsrvr\bin\emsmta.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\windows\system32\inetsrv\w3wp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\HASIL\DOWNLOAD\HiJackThis_trendMicro.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.id/
O1 - Hosts: 127.1 localhost
O1 - Hosts: 127.1 fffff8888fsgfbghj88.cn
O1 - Hosts: 127.1 61.134.37.12
O1 - Hosts: 127.1 ko.ssa387.cn
O1 - Hosts: 127.1 www.ndxrr.cn
O1 - Hosts: 127.1 12345.ssa387.cn
O1 - Hosts: 127.1 lihai88.com
O1 - Hosts: 127.1 wwwwhf.cn
O1 - Hosts: 127.1 a89369093.sq.u9idc.com
O1 - Hosts: 127.1 www.mmd178.cn
O1 - Hosts: 127.1 www.178mmd.cn
O1 - Hosts: 127.1 www.wenzhuoyyy.cn
O1 - Hosts: 127.1 tw.lovechina.tw.cn
O1 - Hosts: 127.1 593ffcey.cn
O1 - Hosts: 127.1 set.yay520.cn
O1 - Hosts: 127.1 tenmoc999.cn
O1 - Hosts: 127.1 lihai88.com
O1 - Hosts: 127.1 121.kcuf-01.com
O1 - Hosts: 127.1 www.ew1q.cn
O1 - Hosts: 127.1 www.b3sk.cn
O1 - Hosts: 127.1 up.bizmd.cn
O1 - Hosts: 127.1 max-1.cn
O1 - Hosts: 127.1 max-3.cn
O1 - Hosts: 127.1 max-4.cn
O1 - Hosts: 127.1 max-5.cn
O1 - Hosts: 127.1 max-6.cn
O1 - Hosts: 127.1 max-7.cn
O1 - Hosts: 127.1 max-8.cn
O1 - Hosts: 127.1 aa.9234.net
O1 - Hosts: 127.1 www.97love.info
O1 - Hosts: 127.1 97love.info
O1 - Hosts: 127.1 www.zyzhuiku.cn
O1 - Hosts: 127.1 zyzhuiku.cn
O1 - Hosts: 127.1 www.lang18.com
O1 - Hosts: 127.1 lang18.com
O1 - Hosts: 127.1 sao6666.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [HBService32] System.exe
O4 - HKLM\..\Run: [3PMmUpdate] rundll32 "C:\WINDOWS\Update.dll",Main
O4 - HKLM\..\Run: [WinSysW] C:\WINDOWS\940477L.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SBPI.com
O17 - HKLM\Software\..\Telephony: DomainName = SBPI.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{60C5B723-2E06-4481-8744-927F69F2903B}: NameServer = 192.168.0.18
O17 - HKLM\System\CCS\Services\Tcpip\..\{E73FAE43-2E8D-41A2-B198-FBD88DE04187}: NameServer = 202.158.3.7
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SBPI.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = SBPI.com
O20 - AppInit_DLLs: HBmhly.dll,HBSO2.dll,HBFY.dll,HBKDXY.dll,HBZHUXIAN.dll,HBBO.dll,HBCHIBI.dll,HBQQSG.dll,HBQQFFO.dll,HBZG.dll
O21 - SSODL: msnmsg - {DA191DE0-AA86-4ED0-4B87-293D48B2AE99} - C:\Program Files\Messenger\msgmr.dll
O21 - SSODL: sysocmgr - {DA1DE019-A6A8-ED40-4B87-248B2A93DE99} - C:\WINDOWS\sysocmgr.dll
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PCMAV RealTime Protector Service (PCMAVRTPService) - Unknown owner - C:\WINDOWS\system32\RTPSvc.exe

--
End of file - 8396 bytes
LDTate
post Oct 9 2008, 04:17 PM
Post #2


Forum God

Group: Root Admin
Posts: 40,565
Joined: 23-September 04
From: Missouri, USA
Member No.: 15,276




We're not equipped to do any fixes on servers.
You can try this:

(Make sure Internet Explorer is NOT open when trying this.)

Launch HijackThis, click 'Open the Misc Tools section' -> 'Open hosts file manager'. Delete every line (select each line and click 'Delete line(s)') except the very first top lines beginning with # and: 127.0.0.1 localhost


Once finished, click the 'Open in Notepad' button. It should look like this:


QUOTE
# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

After the above:

Run HijackThis. Hit 'None of the above', click 'Do a system scan only'. Put a checkmark/tick in the box on the left side on these:

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [HBService32] System.exe
O4 - HKLM\..\Run: [3PMmUpdate] rundll32 "C:\WINDOWS\Update.dll",Main
O4 - HKLM\..\Run: [WinSysW] C:\WINDOWS\940477L.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u

Close ALL windows and browsers except HijackThis and click "Fix checked"



Delete these Files if listed:
C:\WINDOWS\940477L.exe

Reboot
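The cleanup step above keeps only the comment lines and "127.0.0.1 localhost". The following Python script is an added example, not code from the thread or from HijackThis; it audits a hosts file the same way, expanding the "127.1" shorthand the O1 lines show (inet_addr-style abbreviation for 127.0.0.1), and reports each extra mapping as a loopback "block" entry or a "redirect" to some other address. The sample hosts content is constructed from the O1 lines in the first log; the 192.0.2.10 line is an invented redirect-style entry added for contrast.

```python
# Added example (not from the thread or from HijackThis): audit a Windows hosts
# file the way the cleanup step does by hand, keeping only comments and the
# loopback 'localhost' entry and reporting every other mapping.
import ipaddress
from dataclasses import dataclass, field

# Constructed sample modelled on the O1 lines in the first log above. The
# '127.1' form is inet_addr shorthand that expands to 127.0.0.1.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.1 localhost
127.1 lihai88.com
127.1 www.mmd178.cn   # trailing comment, still a mapping
127.1 61.134.37.12
192.0.2.10 www.example.com   # constructed redirect-style entry (TEST-NET address)
"""


def expand_abbreviated_ipv4(text):
    """Expand inet_addr-style shorthand: '127.1' -> '127.0.0.1', '10.1.2' -> '10.1.0.2'.

    With fewer than four parts, each leading part is one octet and the final
    part fills the remaining bytes. Returns None when the text is not IPv4.
    """
    parts = text.split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    head, last = nums[:-1], nums[-1]
    remaining = 4 - len(head)
    if any(n > 255 for n in head) or last >= 256 ** remaining:
        return None
    octets = bytes(head) + last.to_bytes(remaining, "big")
    return ".".join(str(b) for b in octets)


def classify_target(ip):
    """A loopback target blocks the name (the pattern in this thread); any other
    address silently redirects it; a non-address is malformed."""
    try:
        return "block" if ipaddress.ip_address(ip).is_loopback else "redirect"
    except ValueError:
        return "malformed"


@dataclass
class HostsAudit:
    kept: list = field(default_factory=list)     # lines a clean file should contain
    flagged: list = field(default_factory=list)  # (ip, hostname, kind) to remove or review


def audit_hosts(text):
    audit = HostsAudit()
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].strip()      # drop comments
        if not body:
            audit.kept.append(raw)               # comments and blank lines are fine
            continue
        fields = body.split()
        ip = expand_abbreviated_ipv4(fields[0]) or fields[0]
        names = fields[1:]
        if names == ["localhost"] and ip in ("127.0.0.1", "::1"):
            audit.kept.append(f"{ip} localhost")  # the one mapping that belongs
            continue
        for name in names:
            audit.flagged.append((ip, name, classify_target(ip)))
    return audit


def cleaned_hosts(text):
    """Return the file content after removing every flagged mapping."""
    return "\n".join(audit_hosts(text).kept) + "\n"


if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    for ip, name, kind in result.flagged:
        print(f"{kind:9} {ip:15} {name}")
    print("--- cleaned file ---")
    print(cleaned_hosts(SAMPLE_HOSTS), end="")
```

A mapping to a loopback address makes the name unreachable from that machine rather than sending the user somewhere else, which is what every O1 entry in the first log does; a mapping to a routable address would be the kind of redirect the thread title's "hijacked domain" suggests, and none appear in the logs posted here.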
Menteng
post Oct 10 2008, 04:39 AM
Post #3


Dear Forum God,

I really appreciate your help. I ran HJT from SAFE MODE.

O4 - HKLM\..\Run: [HBService32] System.exe -> CANNOT be deleted

I feel there are still some strange entries such as the Chinese name HB ZHU XIAN.
Kindly please keep assisting me.

best rgds,
Lee
gmt +7

The resulting HJT log is like this:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:18:19 PM, on 10/10/2008
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\ismserv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\ntfrs.exe
C:\WINDOWS\system32\RTPSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Exchsrvr\bin\emsmta.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
D:\[P'C'M'A'V]\PCMAV_17\PCMAV-RTP.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
E:\HASIL\VIRTOOL_COMBOFIX\HiJackThis_trendMicro.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.id/
O1 - Hosts: 127.1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [PCMAV-RTP] "D:\[P'C'M'A'V]\PCMAV_17\PCMAV-RTP.exe"
O4 - HKLM\..\Run: [HBService32] System.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SBPI.com
O17 - HKLM\Software\..\Telephony: DomainName = SBPI.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{60C5B723-2E06-4481-8744-927F69F2903B}: NameServer = 192.168.0.18
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SBPI.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = SBPI.com
O20 - AppInit_DLLs: HBmhly.dll,HBSO2.dll,HBFY.dll,HBKDXY.dll,HBZHUXIAN.dll,HBBO.dll,HBCHIBI.dll,HBQQSG.dll,HBQQFFO.dll,HBZG.dll
O21 - SSODL: msnmsg - {DA191DE0-AA86-4ED0-4B87-293D48B2AE99} - C:\Program Files\Messenger\msgmr.dll
O21 - SSODL: sysocmgr - {DA1DE019-A6A8-ED40-4B87-248B2A93DE99} - C:\WINDOWS\sysocmgr.dll
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PCMAV RealTime Protector Service (PCMAVRTPService) - Unknown owner - C:\WINDOWS\system32\RTPSvc.exe

--
End of file - 4367 bytes
LDTate
post Oct 10 2008, 04:04 PM
Post #4


Do you have any protection on this server?

1. launch Notepad (Start>All Programs>Accessories), and copy/paste all the Quoted REGEDIT below to it. Don't forget to include REGEDIT4.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save

QUOTE
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""



2. Save this text as fixme.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop. Include the word REGEDIT4

3. Double-click on fixme.reg. When it asks you to merge the information to the registry click Yes.

Next:

Run HijackThis. Hit 'None of the above', click 'Do a system scan only'. Put a checkmark/tick in the box on the left side on these:

O1 - Hosts: 127.1 localhost
O4 - HKLM\..\Run: [HBService32] System.exe
O20 - AppInit_DLLs: HBmhly.dll,HBSO2.dll,HBFY.dll,HBKDXY.dll,HBZHUXIAN.dll,HBBO.dll,HBCHIBI.dll,HBQQSG.dll,HBQQFFO.dll,HBZG.dll
O21 - SSODL: msnmsg - {DA191DE0-AA86-4ED0-4B87-293D48B2AE99} - C:\Program Files\Messenger\msgmr.dll
O21 - SSODL: sysocmgr - {DA1DE019-A6A8-ED40-4B87-248B2A93DE99} - C:\WINDOWS\sysocmgr.dll

Close ALL windows and browsers except HijackThis and click "Fix checked"



Delete these Files if listed:
C:\Program Files\Messenger\msgmr.dll <--Trojan-Downloader.Win32.Agent.yuv
C:\WINDOWS\sysocmgr.dll <--TROJAN.AGENT

Reboot and "copy/paste" a new HijackThis log file into this thread.

Also please describe how your computer behaves at the moment.
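The two fix steps above target the O4 Run entries, the O20 AppInit_DLLs value and the O21 SSODL entries. The following Python script is an added example, not code from the thread, from Trend Micro or from Malwarebytes; it parses those sections of a HijackThis log, re-joins a value that forum software wrapped onto a second line, and produces triage findings from three heuristics of my own: a Run entry that names a bare executable, a file placed directly in the Windows directory root rather than a subfolder, and any non-empty AppInit_DLLs or SSODL entry. The sample lines are copied from the logs in this thread; appinit_clear_reg() returns the same REGEDIT4 text as the post.

```python
# Added example (not from the thread, HijackThis or Malwarebytes): triage the
# autostart sections of a HijackThis log (O4 Run keys, O20 AppInit_DLLs,
# O21 SSODL) and emit the REGEDIT4 text that clears AppInit_DLLs.
import re

SECTION_RE = re.compile(r"^[ORFN]\d+ - ")
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
O21_RE = re.compile(r"^O21 - SSODL: (?P<name>\S+) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
# Executables or DLLs sitting directly in the Windows directory, not a subfolder.
WINROOT_RE = re.compile(r"[A-Za-z]:\\WINDOWS\\[^\\\"]+\.(?:exe|dll)\b", re.IGNORECASE)

# Constructed sample: section lines copied from the logs in this thread. The
# O20 line is deliberately split over two lines, as forum software wraps
# long log lines.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [HBService32] System.exe
O4 - HKLM\..\Run: [3PMmUpdate] rundll32 "C:\WINDOWS\Update.dll",Main
O4 - HKLM\..\Run: [WinSysW] C:\WINDOWS\940477L.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O20 - AppInit_DLLs: HBmhly.dll,HBSO2.dll,HBFY.dll,HBKDXY.dll,HBZHUXIAN.dll,HBBO.dll,HBCHIBI.dll,HBQQ
SG.dll,HBQQFFO.dll,HBZG.dll
O21 - SSODL: msnmsg - {DA191DE0-AA86-4ED0-4B87-293D48B2AE99} - C:\Program Files\Messenger\msgmr.dll
O21 - SSODL: sysocmgr - {DA1DE019-A6A8-ED40-4B87-248B2A93DE99} - C:\WINDOWS\sysocmgr.dll
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
""".strip("\n")


def join_wrapped_lines(text):
    """Re-attach continuation lines (no 'Oxx - ' prefix) to the section line before them.

    Heuristic: a non-empty line without a section tag that follows a section
    line is treated as the wrapped tail of that line's value.
    """
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if lines and SECTION_RE.match(lines[-1]) and line and not SECTION_RE.match(line):
            lines[-1] += line
        else:
            lines.append(line)
    return lines


def _split_dlls(value):
    return [d.strip() for d in value.split(",") if d.strip()]


def appinit_dlls(text):
    """DLL names in the O20 AppInit_DLLs line, or [] when the value is empty or absent."""
    for line in join_wrapped_lines(text):
        m = O20_RE.match(line)
        if m:
            return _split_dlls(m["dlls"])
    return []


def triage(text):
    """Return (severity, section, detail) findings: 'high' = remove, 'review' = verify first."""
    findings = []
    for line in join_wrapped_lines(text):
        if m := O4_RE.match(line):
            cmd = m["cmd"]
            tokens = cmd.lstrip('"').split('"')[0].split()
            exe = tokens[0] if tokens else ""
            if exe and "\\" not in exe and "%" not in exe:
                findings.append(("review", "O4", f"[{m['name']}] runs bare name '{exe}', resolved through the "
                                 "search path at logon; confirm which file actually runs"))
            if WINROOT_RE.search(cmd):
                findings.append(("review", "O4", f"[{m['name']}] references a file placed directly in the "
                                 f"Windows directory: {cmd}"))
        elif m := O20_RE.match(line):
            dlls = _split_dlls(m["dlls"])
            if dlls:
                findings.append(("high", "O20", f"AppInit_DLLs injects {len(dlls)} DLL(s) into every process "
                                 f"that loads user32.dll: {', '.join(dlls)}"))
        elif m := O21_RE.match(line):
            findings.append(("review", "O21", f"ShellServiceObjectDelayLoad '{m['name']}' loads {m['path']} "
                             "into Explorer at logon; verify the publisher"))
    return findings


def appinit_clear_reg():
    """The REGEDIT4 file from the post above: empties AppInit_DLLs so nothing is injected."""
    return (
        "REGEDIT4\n\n"
        "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows]\n"
        '"AppInit_DLLs"=""\n'
    )


if __name__ == "__main__":
    for severity, section, detail in triage(SAMPLE_LOG):
        print(f"{severity:6} {section:4} {detail}")
    print(appinit_clear_reg())
```

The order in the post matters: while AppInit_DLLs still names a DLL, every process that loads user32.dll attempts to load it at startup, so emptying the value first and then deleting the files avoids loader errors at every program launch. The "is not a valid Windows image" dialog reported later in this thread, after the DLL was quarantined but the value left in place, is consistent with that.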
Menteng
post Oct 13 2008, 12:36 AM
Post #5


Dear Forum God,

Tried to run from Safe Mode and Normal Mode.

- FIXME.REG has been added, but 2 lines still cannot be deleted.

O4 - HKLM\..\Run: [HBService32] System.exe
O20 - AppInit_DLLs: HBmhly.dll,HBSO2.dll,HBFY.dll,HBKDXY.dll,HBZHUXIAN.dll,HBBO.dll,HBCHIBI.dll,HBQQSG.dll,HBQQFFO.dll,HBZG.dll
(This O20 line is not shown in Safe Mode)

- 2 Trojan Agent files deleted.

- No hosts file entries anymore, but yesterday something tried to put EEE.CAB and AIM.CAB at startup,
but this was rejected by Win 2003
(that caused the 'Send to Microsoft' window to appear).

- Internet connection is in a very busy state. It even sometimes hangs.

- Relying only on PCMEDIA-AV is not enough (it even crashed itself).
Desperate now; trying to fix this first, then install more AV.

Thanks Sir!
Lee


Here is the HJT TREND MICRO log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:27:22 PM, on 13/10/2008
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\ismserv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\ntfrs.exe
C:\WINDOWS\system32\RTPSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Exchsrvr\bin\emsmta.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
D:\[P'C'M'A'V]\KENA_VIRUS_SEPT08_ALMAN\HijackThis_TrendMicro.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.id/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [PCMAV-RTP] "D:\[P'C'M'A'V]\PCMAV_17\PCMAV-RTP.exe"
O4 - HKLM\..\Run: [HBService32] System.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SBPI.com
O17 - HKLM\Software\..\Telephony: DomainName = SBPI.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{60C5B723-2E06-4481-8744-927F69F2903B}: NameServer = 192.168.0.18
O17 - HKLM\System\CCS\Services\Tcpip\..\{E73FAE43-2E8D-41A2-B198-FBD88DE04187}: NameServer = 202.158.3.7
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SBPI.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = SBPI.com
O20 - AppInit_DLLs: HBmhly.dll,HBSO2.dll,HBFY.dll,HBKDXY.dll,HBZHUXIAN.dll,HBBO.dll,HBCHIBI.dll,HBQQSG.dll,HBQQFFO.dll,HBZG.dll
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PCMAV RealTime Protector Service (PCMAVRTPService) - Unknown owner - C:\WINDOWS\system32\RTPSvc.exe

--
End of file - 4340 bytes

This post has been edited by Menteng: Oct 13 2008, 12:38 AM
LDTate
post Oct 13 2008, 04:59 PM
Post #6


Let's see if this will run on your OS.

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected .
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.

Also "copy/paste" a new HijackThis log file into this thread.
Menteng
post Oct 15 2008, 04:18 AM
Post #7


Dear forum God,

I have run MBAM from Normal Mode,
and needed to reboot to delete 2 files.

But the result is that every start-up program displayed:
The DLL C:\WIN\SYS32\hbmhly.dll
is not a valid Windows Image.
Please check against install diskette.


System.exe deleted, but hbmhly.dll seems to be recreated.
In panic, sorry, I restored the 2 files from Quarantine.

thanks for help,
Lee


Here is the MBAM log :

Malwarebytes' Anti-Malware 1.27
Database version: 1127
Windows 5.2.3790 Service Pack 2

15/10/2008 11:01:55 AM
mbam-log-2008-10-15 (11-01-55).txt

Scan type: Quick Scan
Objects scanned: 42156
Time elapsed: 5 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\HBmhly.dll (Spyware.OnlineGames) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\System.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\HBmhly.dll (Spyware.OnlineGames) -> Delete on reboot.
Menteng
post Oct 15 2008, 04:21 AM
Post #8


Dear forum god,

Please help me: is there any effort that could destroy
this Spyware.OnlineGames?

Thanks very much.


The latest HJT log is here :
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:44:52 PM, on 15/10/2008
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\ismserv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\ntfrs.exe
C:\WINDOWS\system32\RTPSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\Program Files\Exchsrvr\bin\emsmta.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
c:\windows\system32\inetsrv\w3wp.exe
D:\[P'C'M'A'V]\KENA_VIRUS_SEPT08_ALMAN\HijackThis_TrendMicro.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.id/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [PCMAV-RTP] "D:\[P'C'M'A'V]\PCMAV_17\PCMAV-RTP.exe"
O4 - HKLM\..\Run: [HBService32] System.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SBPI.com
O17 - HKLM\Software\..\Telephony: DomainName = SBPI.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{60C5B723-2E06-4481-8744-927F69F2903B}: NameServer = 192.168.0.18
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SBPI.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = SBPI.com
O20 - AppInit_DLLs: HBmhly.dll,HBSO2.dll,HBFY.dll,HBKDXY.dll,HBZHUXIAN.dll,HBBO.dll,HBCHIBI.dll,HBQQSG.dll,HBQQFFO.dll,HBZG.dll
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PCMAV RealTime Protector Service (PCMAVRTPService) - Unknown owner - C:\WINDOWS\system32\RTPSvc.exe

--
End of file - 4433 bytes
LDTate
post Oct 15 2008, 05:50 AM
Post #9


QUOTE
System.exe deleted but hbmhly.dll seems to be recreated
In panic sorry I restore the 2 files from Quarantine.
Are you saying you restored those 2 infected files?
Menteng
post Oct 15 2008, 11:30 PM
Post #10


QUOTE (LDTate @ Oct 15 2008, 06:50 PM)
QUOTE
System.exe deleted but hbmhly.dll seems to be recreated
In panic sorry I restore the 2 files from Quarantine.
Are you saying you restored those 2 infected files?


Unfortunately YES...

Because it caused the system to be unstable....

After the 2 file deletion (delete on reboot),
the window below was displayed for EVERY start-up program
(such as PCMAV-RTP, ACROTRAY.exe, WZQKPICK etc.):
The DLL C:\WIN\SYS32\hbmhly.dll
is not a valid Windows Image.
Please check against install diskette.


Because MBAM detected 2 files only,
are the other HB*.dll not detected?
The status is now (back to) status quo.
Is there another way ....

Sorry and thanks,
Lee

This post has been edited by Menteng: Oct 15 2008, 11:42 PM
LDTate
post Oct 16 2008, 05:52 AM
Post #11


QUOTE (Menteng @ Oct 16 2008, 12:30 AM)
Unfortunately YES...
Because MBAM detected 2 files only,
are the other HB*.dll not detected?
Is there another way ....
Those two files need to be deleted. Those are the infected files.
Once you run MBAM and remove them, go to C:\WIN\SYS32\hbmhly.dll <--Delete that file.


Click "Start"> "Run"> type in Regedit tap Enter Key

Make sure "My Computer" is highlighted

Click "Edit"> "Find"
Type in HBService32 tap Enter Key.
Right Click on the file if found and select "Delete"

Tap the "F3" Key to find the next entry of the file. Continue using the "F3" Key until it's finished searching.

Do the same for:
hbmhly.dll


Close Regedit.


Empty Recycle Bin

Reboot and "copy/paste" a new HijackThis log file into this thread.
Also please describe how your computer behaves at the moment.




Menteng
post Oct 17 2008, 12:17 AM
Post #12


Dear Forum God,

1. Should I run MBAM from Safe Mode?
2. How about the other HB*.dll --> those not detected by MBAM...
Do they become a trigger?
3. The REGEDIT should be done AFTER the reboot
(and the many warning windows appear?)

many thanks,
Lee




LDTate
post Oct 19 2008, 01:25 PM
Post #13


QUOTE
1. Should I run MBAM from Safe Mode?
No
QUOTE
2. How about the other HB*.dll --> those not detected by MBAM...
Check them here:
Please go to http://virusscan.jotti.org, click on Browse, and upload the following file for analysis:

Example:
C:\WIN\SYS32\hbmhly.dll

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.


If Jotti is too busy you can try these.

http://www.kaspersky.com/scanforvirus.html


http://www.virustotal.com/en/indexf.html

QUOTE
3. The REGEDIT should be done AFTER the reboot
Before reboot
LDTate
post Oct 22 2008, 03:34 PM
Post #14


Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
