[Resolved] HijackThis Log: Please help Diagnose, some background


  • This topic is locked
31 replies to this topic

#1 vonnielui

    Authentic Member

  • 43 posts

Posted 25 July 2009 - 07:14 AM

Hi friend,

I got my computer infected again and wish to get assistance in fixing it, thanks a lot.

Some background info on the infection (sorry for being very lengthy):

1) I was browsing some site using Firefox, then some window popped up saying my computer is infected and asking me to download some cleaner etc. I fell for those tricks before (I think they are viruses), so I did not click it.. but after a while, there were 2 red cross icons on the task bar; darn, I panicked and tried to click it (ouch! fell again) and the computer restarted immediately.

2) After it restarted, when it tried to load into Windows after the Toshiba screen, it restarted again and the cycle went on.
I tried to go into safe mode by pushing F8 at the Toshiba screen, and it could not load into safe mode or safe mode (with internet) either; I saw commands at the bottom of the screen with the phrase "partition", and it asked me whether to load or skip running a XXX.SYS (or other file extension).. but whatever I did, it restarted before loading into Windows.

Finally, I chose the option "using the last system settings that worked previously" (my translation)
and it could successfully load into Windows, and after that my Norton said it detected something and deleted something,
and Windows said it recovered from an error..

3) Then I went on the internet and used IE to come here and post the log; I dare not use FF again before it is fixed.
BTW, my IE first page has been kidnapped? by a website previously, but I just stopped it every time and input my website manually.

4) I am not good at computers, please bear with me.


The log is posted below; any assistance will be highly appreciated.
------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 下午 05:27:09, on 2009/7/25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\SxgTkBar.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 01
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TosHKCW.exe] C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [lphc5mnj0ee33] C:\WINDOWS\system32\lphc5mnj0ee33.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {A22B8FD2-4CAA-4EFB-82F7-680CD656D9B0} (NowStarter Control) - http://www.gogobox.c...GNowStarter.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildt...nds/install.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B69C40C-4719-4BCA-85F7-49A8AFC67880}: NameServer = 218.102.32.208 205.252.144.126
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour 服務 (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod 服務 (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: 自動 LiveUpdate 排程器 - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

--
End of file - 8261 bytes

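A triage script for the HijackThis log format posted above, added here as an example (it is not part of the thread and not HijackThis's own code): it parses O2/O3/O4/O17/O23 lines into records and flags, for manual review, autorun entries whose image name looks machine-generated or is a bare filename resolved through PATH, plus any O17 name-server override. The sample log is constructed from the kinds of entries in the thread; its name-server addresses are TEST-NET placeholders, and the entropy threshold is an assumption, not a HijackThis rule.

```python
"""Parse a HijackThis 2.x log and triage its autostart entries for review."""
import math
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in HijackThis 2.0.2 log format, modelled on the kinds of
# entries in this thread; the O17 name servers are TEST-NET placeholders.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 01
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [lphc5mnj0ee33] C:\WINDOWS\system32\lphc5mnj0ee33.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B69C40C-4719-4BCA-85F7-49A8AFC67880}: NameServer = 192.0.2.53 198.51.100.2
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
O4_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\Run\w*: \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
BHO_RE = re.compile(r"^(?:BHO|Toolbar): (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.*)$")
O17_RE = re.compile(r"NameServer = (?P<servers>.*)$")
O23_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$")
# First token ending in an executable extension, quoted or not, then arguments.
IMAGE_RE = re.compile(
    r'^"?(?P<path>[^"]+?\.(?:exe|dll|com|scr|pif|bat|cmd))"?(?:\s+(?P<args>.*))?$',
    re.IGNORECASE,
)


@dataclass
class Entry:
    section: str        # "O2", "O4", "O17", ...
    raw: str            # the full log line
    name: str = ""      # Run value name, BHO name or service name
    hive: str = ""      # O4 only: HKLM, HKCU, HKUS\S-1-5-19, ...
    image: str = ""     # executable or DLL path when one can be extracted
    extra: str = ""     # O4 arguments, O2/O3 CLSID, O17 servers, O23 vendor


def split_image(cmd: str) -> Tuple[str, str]:
    """Split a Run value into (image path, arguments)."""
    m = IMAGE_RE.match(cmd.strip())
    if not m:
        return cmd.strip(), ""
    return m["path"], (m["args"] or "").strip()


def parse_hjt(text: str) -> List[Entry]:
    """Return one Entry per 'Onn - ...' line; header and process lines are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        raw = raw.strip()
        m = LINE_RE.match(raw)
        if not m:
            continue
        section, body = m.groups()
        e = Entry(section=section, raw=raw)
        if section == "O4" and (m4 := O4_RE.match(body)):
            e.hive, e.name = m4["hive"], m4["name"]
            e.image, e.extra = split_image(m4["cmd"])
        elif section in ("O2", "O3") and (m2 := BHO_RE.match(body)):
            e.name, e.image, e.extra = m2["name"], m2["path"], m2["clsid"]
        elif section == "O17" and (m17 := O17_RE.search(body)):
            e.name, e.extra = "NameServer", m17["servers"].strip()
        elif section == "O23" and (m23 := O23_RE.match(body)):
            e.name, e.image, e.extra = m23["name"], m23["path"], m23["vendor"]
        entries.append(e)
    return entries


def looks_random(stem: str) -> bool:
    """Heuristic (assumed thresholds) for generated names like lphc5mnj0ee33:
    at least eight characters, two or more digits, and >= 3.3 bits of entropy."""
    s = stem.lower()
    if len(s) < 8 or sum(c.isdigit() for c in s) < 2:
        return False
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs) >= 3.3


def triage(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """Return (section, name, reason) for entries worth a closer look."""
    findings = []
    for e in entries:
        if e.section == "O4" and e.image:
            stem = e.image.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if looks_random(stem):
                findings.append((e.section, e.name, "random-looking image name; check it against the DDS/ComboFix output"))
            if "\\" not in e.image:
                findings.append((e.section, e.name, "bare filename resolved via PATH; confirm which file actually runs"))
        elif e.section == "O17":
            findings.append((e.section, e.name, f"name servers {e.extra}; confirm they belong to the ISP"))
    return findings


if __name__ == "__main__":
    for section, name, reason in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{section:<4} {name:<16} {reason}")
```

To run it on a saved log, pass the file's contents to parse_hjt in place of SAMPLE_LOG.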


#2 CatByte

    Classroom Administrator

  • 21,060 posts
  • MVP

Posted 25 July 2009 - 06:19 PM

Hi and Welcome,

NOTE:
  • Malware removal is NOT instantaneous; most infections require several courses of action to completely eradicate.
  • Absence of symptoms does not always mean the computer is clean.
  • Kindly follow my instructions in the order posted.
  • Please DO NOT run any scans or fix items without my direction.



Please do the following:

STEP #1

Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.pif to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.


STEP #2


Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in your next reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#3 vonnielui

    Authentic Member

  • 43 posts

Posted 26 July 2009 - 04:19 AM

Hi friend, I ran the DDS and GMER scans and zipped the three logs into one zip file (as I don't know how to upload more than 1 attachment) (edited: I can upload them now). By the way, some things occurred during the GMER scan, as follows:

1) When I opened it, an error prompted me; it said something like C:\WINDOWS\Sytem is in use (xxxxx, I did not copy it exactly). I just clicked OK and ran the scan.

2) During the scan, several error prompts popped up. I copied them down as follows (trying to translate the last part into English):
a) C:\WINDOWS\System 32\config\System : application cannot save file: because file being used by another application
b) C:\WINDOWS\System 32\config\software: application cannot save file: because file being used by another application
c) C:\Documents and Settings\Administrator\ntuser.dat: application cannot save file: because file being used by another application

3) After the scan, it warned that GMER has found system modifications by ROOTKIT activities; I just clicked OK, took no further action and saved the log.

Attached Files



#4 CatByte

    Classroom Administrator

  • 21,060 posts
  • MVP

Posted 26 July 2009 - 05:40 AM

Hi,

Please do the following:

Download Combofix from either of the links below. You must rename it before saving it.
Save it to your desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  • If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".


Link 1
Link 2



During the download, rename Combofix to Combo-Fix as follows:

--------------------------------------------------------------------
  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.


-----------------------------------------------------------

  • Double click on Combo-Fix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" for further review.
    **Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


    -----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------




#5 vonnielui

    Authentic Member

  • 43 posts

Posted 26 July 2009 - 07:31 AM

The ComboFix txt seems not to have the - in the middle.
I also saved the log on the desktop as log.txt; both are uploaded.


Some details:

A) It asked me to install a "restore control panel" and asked me to connect to the internet and download the stuff before the scan, and I did..

B) The desktop taskbar seemed to disappear for a while during the scan.

C) My IE (which I am using now) had its front page kidnapped before, but now it seems clean; but I had abandoned IE and been using Firefox for 1 year before the crash yesterday.

ComboFix 09-07-25.06 - Administrator /07/26 星期日 21:07.1.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.950.886.1028.18.511.186 [GMT 8:00]
執行位置: c:\documents and settings\Administrator\桌面\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( 被刪除的檔案 )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\INSTALL.LOG
c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
c:\windows\Installer\1169d77.msi
c:\windows\Installer\1169d7d.msi
c:\windows\Installer\2b7fe76.msi
c:\windows\system32\lo2.txtt
c:\windows\system32\uacinit.dll

.
((((((((((((((((((((((((( 2009-06-26 至 2009-07-26 的新的檔案 )))))))))))))))))))))))))))))))
.

2009-07-26 03:06 . 2009-07-26 03:06 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-25 11:51 . 2008-12-11 00:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-07-25 11:51 . 2009-04-03 03:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-07-25 11:51 . 2008-12-18 04:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-07-25 11:50 . 2009-07-25 11:50 -------- d-----w- c:\program files\Common Files\PC Tools
2009-07-25 11:50 . 2008-12-10 03:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-07-25 11:50 . 2009-07-25 11:50 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-07-25 09:24 . 2009-07-25 09:24 -------- d-----w- c:\program files\Trend Micro
2009-07-25 08:42 . 2009-07-25 08:42 20480 ----a-w- c:\windows\system32\UACoujaxtxupr.dll
2009-07-25 08:42 . 2009-07-25 08:42 30208 ----a-w- c:\windows\system32\UACuyjluxprip.dll
2009-07-25 08:41 . 2009-07-25 08:42 843776 ----a-w- c:\windows\system32\UACqjspxxnhml.dll
2009-07-25 08:41 . 2009-07-25 08:41 310 ----a-w- c:\windows\system32\UACkcdklnkktd.dat
2009-07-25 08:41 . 2009-07-25 08:41 74240 ----a-w- c:\windows\system32\UACktkconkvdq.dll
2009-07-25 08:41 . 2009-07-25 08:42 54784 ----a-w- c:\windows\system32\drivers\UACgypqvpcvlt.sys
2009-07-19 16:09 . 1997-06-09 06:57 92160 ----a-w- c:\windows\system32\dinoav.dll
2009-07-19 16:09 . 1997-06-09 06:56 78848 ----a-w- c:\windows\system32\Dino2d.dll
2009-07-19 16:09 . 1997-06-09 06:54 100352 ----a-w- c:\windows\system32\dmix.dll
2009-07-19 16:09 . 1997-10-16 06:57 43008 ----a-w- c:\windows\system32\RDXInst.dll
2009-07-19 16:09 . 1997-06-09 07:47 137728 ----a-w- c:\windows\system32\Rdxcom.dll
2009-07-19 16:09 . 1997-06-09 07:00 62976 ----a-w- c:\windows\system32\rdxam.dll
2009-07-19 16:09 . 1997-06-09 06:59 188928 ----a-w- c:\windows\system32\rdxmmx.dll
2009-07-19 16:09 . 1997-06-09 06:58 185856 ----a-w- c:\windows\system32\rdxp5.dll
2009-07-14 11:40 . 2009-07-14 11:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\iSilo
2009-07-14 11:40 . 2009-07-14 11:40 -------- d-----w- c:\documents and settings\Administrator\「開始」
2009-07-14 11:40 . 2009-07-14 11:40 -------- d-----w- c:\program files\iSilo
2009-07-06 12:26 . 2009-07-06 12:26 -------- d-----w- c:\program files\7-Zip

.
(((((((((((((((((((((((((((((((((((((((( 在三個月內被修改的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-25 09:02 . 2002-08-26 04:55 90112 ----a-w- c:\windows\DUMP59ef.tmp
2009-07-25 09:00 . 2002-08-26 04:55 90112 ----a-w- c:\windows\DUMP3a35.tmp
2009-07-25 08:59 . 2002-08-26 04:55 90112 ----a-w- c:\windows\DUMP955a.tmp
2009-07-25 08:57 . 2002-08-26 04:55 90112 ----a-w- c:\windows\DUMP95ab.tmp
2009-07-25 08:56 . 2002-08-26 04:55 90112 ----a-w- c:\windows\DUMP9655.tmp
2009-07-24 17:59 . 2002-08-26 04:55 90112 ----a-w- c:\windows\DUMP9564.tmp
2008-12-20 16:03 . 2005-07-16 02:31 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-20 16:03 . 2005-07-16 02:31 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-20 16:03 . 2007-12-21 23:56 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-12-20 16:03 . 2007-12-21 23:56 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-12-20 16:04 . 2005-07-16 02:31 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2005-07-06 17:25 . 2005-07-06 17:25 56 --sh--r- c:\windows\system32\D782B1A6B6.sys
.

------- Sigcheck -------

[-] 2008-06-20 10:45 360320 01D5EAAFF224415A7FF513E4C882BE30 c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\system32\dllcache\tcpip.sys
[7] 2005-05-25 19:04 359808 88763A98A4C26C409741B4AA162720C9 c:\windows\$NtUninstallKB913446$\tcpip.sys
[7] 2005-05-25 19:07 359936 63FDFEA54EB53DE2D863EE454937CE1E c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[7] 2006-01-13 17:07 360448 5562CC0A47B2AEF06D3417B733F3C195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[7] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[7] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2001-09-17 04:00 327168 E7774698BB0D14B0710A9A31E209F9B6 c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2004-08-04 06:14 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB893066$\tcpip.sys
[7] 2004-08-04 06:14 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2006-01-13 02:28 359808 583E063FDC888CA30D05C2724B0D7EF4 c:\windows\$NtUninstallKB917953$\tcpip.sys
[7] 2006-04-20 11:51 359808 1DBF125862891817F374F407626967F4 c:\windows\$NtUninstallKB941644$\tcpip.sys
[7] 2007-10-30 17:20 360064 90CAFF4B094573449A0872A0F919B178 c:\windows\$NtUninstallKB951748$\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( 重要登入點 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白與合法缺省登錄將不會被顯示
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-12 15360]
"RealPlayer"="c:\program files\Real\RealOne Player\realplay.exe" [2006-06-06 1003520]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-08-18 307200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-12 455168]
"PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-12 455168]
"00THotkey"="c:\windows\System32\00THotkey.exe" [2002-01-08 245760]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2001-08-16 94208]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2001-08-16 376832]
"TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2002-01-22 49152]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2002-10-17 151597]
"LWBMOUSE"="c:\program files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe" [2001-03-26 429568]
"gcasServ"="c:\program files\Microsoft AntiSpyware\gcasServ.exe" [2005-11-15 473928]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-05-19 59040]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2006-01-12 100056]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-26 148888]
"000StTHK"="000StTHK.exe" - c:\windows\system32\000StTHK.exe [2001-06-23 24576]
"Tpwrtray"="TPWRTRAY.EXE" - c:\windows\system32\TPWRTRAY.EXE [2002-01-25 196608]
"TFncKy"="TFncKy.exe" [BU]
"SxgTkBar"="SxgTkBar.exe" - c:\windows\system32\Sxgtkbar.exe [2001-07-11 53248]
"TFNF5"="TFNF5.exe" - c:\windows\system32\TFNF5.exe [2001-08-03 73728]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\System32\ctfmon.exe" [2004-08-12 15360]

c:\documents and settings\Administrator\「開始」功能表\程式集\啟動\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-2-15 575488]

c:\documents and settings\Administrator\「開始」功能表\程式集\啟動\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-2-15 575488]

c:\documents and settings\All Users\「開始」功能表\程式集\啟動\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 1942\\bf1942.exe"=
"c:\\Program Files\\Messenger\\MSMSGS.EXE"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\System32\\dpvsetup.exe"=
"c:\\Documents and Settings\\Administrator\\桌面\\魔?1.07\\Warcraft III.exe"=
"g:\\CQ Design Institute\\GEO\\魔?1.07\\Warcraft III.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\NextLink\\GOGOBOX\\gfscagent.exe"=
"c:\\Program Files\\NextLink\\GOGOBOX\\gogobox.exe"=

R0 pciSm;pciSm;c:\windows\system32\drivers\tossmpci.sys [2002/7/31 上午 11:47 45803]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009/7/25 下午 07:51 130936]
R0 TVALDX;Toshiba ACPI-Based Value Added Logical Device Extension Driver;c:\windows\system32\drivers\TVALDX.SYS [2002/7/31 上午 11:43 6082]
R2 自動 LiveUpdate 排程器;自動 LiveUpdate 排程器;c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe [2006/12/29 下午 11:13 100032]
R3 SOFTXG;YAMAHA XG WDM SoftSynthesizer;c:\windows\system32\drivers\sxgxgwdm.sys [2002/7/31 上午 11:51 966784]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008/10/12 下午 05:12 348752]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - JAVAQUICKSTARTERSERVICE
*NewlyCreated* - PCTCORE
*NewlyCreated* - WEAOTOKP
*Deregistered* - mchInjDrv
*Deregistered* - weaotokp
.
『計劃任務』 文件夾 裡的內容

2009-07-24 c:\windows\Tasks\Norton AntiVirus - 掃描我的電腦 - Administrator.job
- c:\progra~1\NORTON~1\Navw32.exe [2004-09-01 10:36]

2009-07-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 04:34]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-lphc5mnj0ee33 - c:\windows\system32\lphc5mnj0ee33.exe


.
------- 而外的掃描 -------
.
uStart Page = about:blank
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
IE: &Download with &DAP - c:\progra~1\DAP\dapextie.htm
IE: Download &all with DAP - c:\progra~1\DAP\dapextie2.htm
IE: 匯出至 Microsoft Excel(&X) - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: {9B69C40C-4719-4BCA-85F7-49A8AFC67880} = 218.102.32.208 205.252.144.126
Name-Space Handler: HTTPS\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
DPF: Microsoft XML Parser for Java
DPF: {A22B8FD2-4CAA-4EFB-82F7-680CD656D9B0} - hxxp://www.gogobox.com.tw/neo.fld/GNowStarter.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\uhgh87ld.Default User\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=https%3A%2F%2Fmail.google.com%2Fmail%2F%3Fnsr%3D1%26ui%3Dhtml%26zy%3Dl&ltmpl=default&ltmplcache=2
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-26 21:15
Windows 5.1.2600 Service Pack 2 FAT NTAPI

掃描被隱藏的進程 ...

掃描被隱藏的啟動組 ...

掃描被隱藏的文件 ...

掃描完成
被隱藏的檔案: 0

**************************************************************************
Binary file temp00 matches
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\AppEvents\Schemes\Apps\Conf\ºNáT*úQ\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_USERS\LocalService\AppEvents\Schemes\Apps\Conf\ºNáT*úQ\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_USERS\S-1-5-20\AppEvents\Schemes\Apps\Conf\ºNáT*úQ\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_USERS\S-1-5-21-1605616401-71594873-1131426265-500\AppEvents\Schemes\Apps\Conf\ºNáT*úQ\.Current]
@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_USERS\S-1-5-21-1605616401-71594873-1131426265-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\ N_*8n_*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"Order"=hex:08,00,00,00,02,00,00,00,da,01,00,00,01,00,00,00,04,00,00,00,74,00,
00,00,00,00,00,00,66,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,54,00,32,\

[HKEY_USERS\S-1-5-21-1605616401-71594873-1131426265-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\wc‘_ *-* * *D–l\Éa(u z_]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1605616401-71594873-1131426265-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\nndto@Y,n3*"{E`3U]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"Order"=hex:08,00,00,00,02,00,00,00,14,01,00,00,01,00,00,00,02,00,00,00,86,00,
00,00,00,00,00,00,78,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,66,00,36,\

[HKEY_USERS\S-1-5-21-1605616401-71594873-1131426265-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\èrR€l–Ò_5*‘Pˆ^^tX]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"Order"=hex:08,00,00,00,02,00,00,00,0c,00,00,00,01,00,00,00,00,00,00,00

[HKEY_USERS\S-1-5-21-1605616401-71594873-1131426265-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\At|T*\3*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"Order"=hex:08,00,00,00,02,00,00,00,0c,00,00,00,01,00,00,00,00,00,00,00

[HKEY_USERS\S-1-5-21-299502267-1606980848-854245398-500_Classes\O*v*e*r*t*u*r*e* *j\‹]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-299502267-1606980848-854245398-500_Classes\O*v*e*r*t*u*r*e* *j\‹\DefaultIcon]
@=expand:"%APPDATA%\\Microsoft\\Installer\\{50ADDF79-3249-4679-B527-3FB8C5EA99E5}\\_294823.exe,0"

[HKEY_USERS\S-1-5-21-299502267-1606980848-854245398-500_Classes\O*v*e*r*t*u*r*e* *j\‹\shell]
@="open"

[HKEY_USERS\S-1-5-21-299502267-1606980848-854245398-500_Classes\O*v*e*r*t*u*r*e* *j\‹\shell\open]
@="開啟(&O)"

[HKEY_USERS\S-1-5-21-299502267-1606980848-854245398-500_Classes\O*v*e*r*t*u*r*e* *j\‹\shell\open\command]
@="\"c:\\Program Files\\Overture 4.0 ÁcÅ餤¤åª©\\Overture.exe\" \"%1\""
"command"=multi:"%_(xAdi9`=RGK6dXKNlr>?%)duR)D9Xu~OSIW`PT- \"%1\"\00\00"

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQöN\CLSID]
@="{809B6661-94C4-49E6-B6EC-3F0F862215AA}"

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQöN\CurVer]
@="BDATuner.¤¸¥ó.1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\èrR€l–Ò_5*‘Pˆ^^tX]
"SlowInfoCache"=hex:28,02,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,00,40,10,
3f,a7,97,c6,01,18,00,00,00,43,00,3a,00,5c,00,47,00,54,00,41,00,20,00,56,00,\
"Changed"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Print\Printers\êÕR A N Y O N E - 3 D C F 4 6 2 0
N„v H P D e s k J e t 9 3 0 C / 9 3 2 C / 9 3 5 C \DsDriver]
"printBinNames"=multi:"¦Û°Ê¿ï¨ú\00¤W¤è¯È§X\00¤â°Ê°e¯È\00«H«Ê, ¤â°Ê°e¯È\00\00"
"printCollate"=hex:01
"printColor"=hex:01
"printDuplexSupported"=hex:00
"printStaplingSupported"=hex:00
"printMaxXExtent"=dword:0000086f
"printMaxYExtent"=dword:00000de4
"printMinXExtent"=dword:000003e8
"printMinYExtent"=dword:000005b4
"printMediaSupported"=multi:"Letter\00Legal\00Executive\00A4\00A5\00B5 (JIS)\00Envelope #10\00Envelope DL\00Envelope C6\00Japanese Postcard\00A6\00Envelope A2\00US Index Card 4x6\00US Index Card 5x8\00\00"
"printMediaReady"=multi:"A4\00\00"
"printNumberUp"=dword:00000006
"printOrientationsSupported"=multi:"PORTRAIT\00LANDSCAPE\00\00"
"printMaxResolutionSupported"=dword:000004b0
"printLanguage"=multi:"PCL\00\00"
"printRate"=dword:00000009
"printRateUnit"="PagesPerMinute"
"printPagesPerMinute"=dword:00000009
"driverVersion"=dword:00000401

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Print\Printers\êÕR A N Y O N E - 3 D C F 4 6 2 0
N„v H P D e s k J e t 9 3 0 C / 9 3 2 C / 9 3 5 C \DsSpooler]
"description"=""
"driverName"="HP DeskJet 930C/932C/935C"
"location"=""
"portName"=multi:"\\\\ANYONE-3DCF4620\\¥´¦LÉó\00\00"
"printStartTime"=dword:00000000
"printEndTime"=dword:00000000
"printerName"="¦Û°Ê ANYONE-3DCF4620 ¤Wªº HP DeskJet 930C/932C/935C"
"printKeepPrintedJobs"=hex:00
"printSeparatorFile"=""
"printShareName"=""
"printSpooling"="PrintWhileSpooling"
"priority"=dword:00000001
"uNCName"="\\\\LEE-YV2R7VX5FBM\\¦Û°Ê ANYONE-3DCF4620 ¤Wªº HP DeskJet 930C/932C/935C"
"versionNumber"=dword:00000004
"serverName"="LEE-YV2R7VX5FBM"
"shortServerName"="LEE-YV2R7VX5FBM"
"flags"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Print\Printers\êÕR A N Y O N E - 3 D C F 4 6 2 0
N„v H P D e s k J e t 9 3 0 C / 9 3 2 C / 9 3 5 C \PrinterDriverData]
"InitDriverVersion"=dword:00000500
"Model"="HP DeskJet 930C/932C/935C"
"PrinterDataSize"=dword:00000230
"PrinterData"=hex:00,05,30,02,81,08,00,00,80,1a,06,00,00,00,00,00,00,00,00,00,
64,00,58,02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,f4,0c,86,d1,01,\
"FeatureKeywordSize"=dword:0000001d
"FeatureKeyword"=hex:48,50,44,75,70,6c,65,78,55,6e,69,74,00,4e,6f,74,49,6e,73,
74,61,6c,6c,65,64,00,0a,00,00
"Forms?"=dword:d1860cf4

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\êÕR *L*i*v*e*U*p*d*a*t*e* *’c zhV\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
.
完成時間: 2009-07-26 21:19
ComboFix-quarantined-files.txt 2009-07-26 13:19

Pre-Run: 1,177,911,296 位元組可用
Post-Run: 1,148,321,792 位元組可用

WindowsXP-KB310994-SP2-Pro-BootDisk-CHT.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

365 --- E O F --- 2008-11-16 16:44

Attached Files



#6 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 26 July 2009 - 07:46 AM

Hi,

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://forums.whatthetech.com/HijackThis_Log_Please_help_Diagnose_some_background_included_t105533.html&view=findpost&p=581948#entry581948

Collect::
c:\windows\system32\UACoujaxtxupr.dll
c:\windows\system32\UACuyjluxprip.dll
c:\windows\system32\UACqjspxxnhml.dll
c:\windows\system32\UACkcdklnkktd.dat
c:\windows\system32\UACktkconkvdq.dll
c:\windows\system32\drivers\UACgypqvpcvlt.sys


DirLook::
c:\documents and settings\Administrator\「開始」

File::
c:\windows\DUMP59ef.tmp
c:\windows\DUMP3a35.tmp
c:\windows\DUMP955a.tmp
c:\windows\DUMP95ab.tmp
c:\windows\DUMP9655.tmp
c:\windows\DUMP9564.tmp

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

**Note**
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.


NEXT

Please download Malwarebytes' Anti-Malware
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT

Run an on-line scan with Kaspersky

Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
3. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.

    Posted Image
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply


In your next reply please include
  • ComboFix.log
  • MBAM Log
  • Kaspersky report

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#7 vonnielui

vonnielui

    Authentic Member

  • Authentic Member
  • PipPip
  • 43 posts

Posted 26 July 2009 - 08:00 AM

Hi, I've got some questions before executing the steps, thanks for the advice! Regarding the code: a) just to confirm, the forum link is needed? b) DirLook:: c:\documents and settings\Administrator\「開始」: my Windows is not English, so I tried to find the above in the log and found out that it means "Start", i.e. the button in the lower left corner of Windows. So should I still copy it to the notepad? And should I copy the local-language name instead of the code? Others: when I got infected yesterday, the system rebooted and could not get into Windows NOR safe mode; is it safe to let the system reboot during the cleaning process?

#8 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 26 July 2009 - 08:11 AM

just to confirm, the forum link is needed?


Yes, ALL the text INSIDE the codebox must be copied

so should i still copy it to the notepad? and should i copy the local language of it instead of the code?


Please do not alter the script - please just copy it as it is written

it is safe to let the system reboot during the cleaning process?


I cannot answer this with any certainty, removing malware is always a risky business, but you have the recovery console installed now, which is intended to help us recover if your system crashes.

At some point, the system has to reboot.

To make things less risky, make sure all your security programs are disabled and make sure all other programs are closed before you run the script.

Let the script run its course, please allow it plenty of time... just wait till it finishes; sometimes it takes longer than you expect or it appears not to be doing anything at all.
Please be patient...report back here if you have to wait longer than 30 minutes.



#9 vonnielui

vonnielui

    Authentic Member

  • Authentic Member
  • PipPip
  • 43 posts

Posted 26 July 2009 - 10:06 AM

a) ComboFix has already run, and I uploaded the scan to that webpage manually. b) MBAM has run; 2 infections were detected, one was removed and one was quarantined, but during the scan, when the 1st infection was detected, an error code 731(0,6) was prompted; the scan continued after I clicked OK. c) Kaspersky prompted the Java platform icon to load in the taskbar and it seems it will take a long time; it took 45 minutes to update the database, and now it is scanning my computer: 15 minutes have passed but still only 4% is scanned. I will upload the scan results when it's completed. BTW, no reboot has been required by the program up to now.

Attached Files



#10 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 26 July 2009 - 10:15 AM

:thumbup: That's good, please let Kaspersky finish - it can take 4-5 hours. Once the scan is done, please advise how your computer is running and if there are any outstanding issues.



#11 vonnielui

vonnielui

    Authentic Member

  • Authentic Member
  • PipPip
  • 43 posts

Posted 26 July 2009 - 06:04 PM

Kaspersky scan ended with a double-digit infection count and several thousand files; when I tried to save the report, Java crashed and it could not be saved. I'll try to scan again and post the log.

#12 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 26 July 2009 - 06:06 PM

Hi,

Don't do that one again just now.

Please do this one instead, as it will delete the bad files; we can revisit Kaspersky after:

  • Go to http://support.f-sec.../home/ols.shtml
  • Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
  • Allow the Active X control to be installed on your computer, then click the Accept button
  • Click Full System Scan and allow the components to download and the scan to complete.
  • If malware is found, check Submit samples to F-Secure then select Automatic cleaning

When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)

  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
  • If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan
  • When the cleaning option is presented, Uncheck Submit samples to F-Secure
  • Click Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post

Notes:
  • This scan will only work with Internet Explorer
  • You must have administrator rights to run this scan
  • This scan can take a while, so please be patient



#13 vonnielui

vonnielui

    Authentic Member

  • Authentic Member
  • PipPip
  • 43 posts

Posted 27 July 2009 - 07:44 AM

Scanning Report
Monday, July 27, 2009 20:04:16 - 21:41:00
Computer name: LEE-YV2R7VX5FBM
Scanning type: Scan system for malware, spyware and rootkits
Target: C:\
--------------------------------------------------------------------------------
33 malware found
Gen:Trojan.Heur.304CB3A0A0 (spyware) System (Disinfected)
TrackingCookie.Doubleclick (spyware) System (Disinfected)
TrackingCookie.Revsci (spyware) System (Disinfected)
Trojan:W32/Qhost (spyware) System (Disinfected)
TrackingCookie.Imrworldwide (spyware) System (Disinfected)
Trojan.TDss.VS (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{636BC669-61F6-40F6-88B8-69078DD96737}\RP625\A0058362.DLL (Renamed & Submitted)
Trojan.FakeAV.OY (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{636BC669-61F6-40F6-88B8-69078DD96737}\RP625\A0058368.EXE (Renamed)
Trojan.Generic.2160343 (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{636BC669-61F6-40F6-88B8-69078DD96737}\RP625\A0058369.DLL (Renamed & Submitted)
Trojan.Clicker.VB.KC (virus) C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\3ED353CF.EXE (Renamed & Submitted)
Trojan.StartPage.DZ (virus) C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\3E3D4874.EXE (Renamed & Submitted)
Trojan.Fakealert.Z (virus) C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4EA85C63.EXE (Renamed & Submitted)
Trojan.Generic.2018288 (virus) C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\64DD65F2.EXE (Renamed & Submitted)
Trojan.Downloader.Galapoper.A (virus) C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\752552D8.EXE (Renamed & Submitted)
Trojan.Spy.Small.DG (virus) C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\74BF3D47.EXE (Renamed & Submitted)
Generic.PWStealer.144AFFBC (virus) C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\7F0E41F0.DLL (Renamed & Submitted)
Trojan.Spy.Small.AN (virus) C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\7F116BEC.DLL (Renamed & Submitted)
Trojan.Downloader.Small.H (virus) C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\45B32DC7.EXE (Renamed & Submitted)
Virtool.Spam.Mailbot.V (virus) C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\36867446.SYS (Renamed & Submitted)
Virtool.Spam.Mailbot.V (virus) C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\0FFF1923.DLL (Renamed & Submitted)
Exploit.HTML.IframeBof.BN (virus) C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\31327FD3.HTM (Renamed & Submitted)
Exploit.ADODB.Stream.BU (virus) C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\5C7A3D53.HTM (Renamed & Submitted)
Exploit.ADODB.Stream.BU (virus) C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\491F469C.HTM (Renamed & Submitted)
Exploit.ADODB.Stream.BU (virus) C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\491C1C9F.HTM (Renamed & Submitted)
Dropped:Virtool.Spam.Mailbot.V (virus) C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\2895042A.EXE (Renamed)
Trojan.Zlob.867 (virus) C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\2915577E.EXE (Renamed & Submitted)
Trojan.Exploit.Js.Agent.AQ (virus) C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\57766639.HTM (Renamed & Submitted)
Trojan.Exploit.Js.Agent.AQ (virus) C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\57701240.HTM (Renamed & Submitted)
Trojan.Downloader.HTML.FP (virus) C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\32903351 (Renamed & Submitted)
Trojan.TDss.VS (virus) C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\68260B36.DLL (Renamed & Submitted)
Trojan.Generic.2160343 (virus) C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\20ED0ABA.DLL (Renamed & Submitted)
Trojan.FakeAV.OY (virus) C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\20AC4302.EXE (Renamed & Submitted)
Trojan:W32/Qhost.VO (virus) C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\桌面\OLD\FIX\L2MFIX.EXE (Not cleaned)
Gen:Trojan.Heur.304CB3A0A0 (virus) C:\WINDOWS\SYSTEM32\SERVICE.CPL (Not cleaned)
--------------------------------------------------------------------------------
Statistics
Scanned:
Files: 48519
System: 4194
Not scanned: 7
Actions:
Disinfected: 5
Renamed: 26
Deleted: 0
Not cleaned: 2
Submitted: 24
Files not scanned:
C:\PAGEFILE.SYS
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCRST.DLL
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
--------------------------------------------------------------------------------
Options
Scanning engines:
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use advanced heuristics
--------------------------------------------------------------------------------

Note: OLD\FIX\L2MFIX.EXE (Not cleaned): this one should be the file I used to clean the computer at my last infection. I posted on the TomCoyote forum and some experts asked me to use it, I think; I put those files in this folder.
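Picking the actionable items out of a report like the one above, as an added example that is not part of the thread or of F-Secure's scanner: the parser below reads the one-detection-per-line format, recomputes the Statistics counts, and separates hits that sit in old restore points or another product's quarantine folder (dormant copies) from hits on the live file system, listing the live ones the scanner could not clean. The sample report text is constructed from lines quoted in the post.

```python
"""Triage an F-Secure Online Scanner report of the kind pasted in the thread."""
import re
from collections import Counter

# Constructed sample in the report's one-detection-per-line format,
# "<name> (<kind>) <target> (<action>)", using lines from the post above.
SAMPLE_REPORT = """\
33 malware found
Gen:Trojan.Heur.304CB3A0A0 (spyware) System (Disinfected)
Trojan:W32/Qhost (spyware) System (Disinfected)
Trojan.TDss.VS (virus) C:\\SYSTEM VOLUME INFORMATION\\_RESTORE{636BC669-61F6-40F6-88B8-69078DD96737}\\RP625\\A0058362.DLL (Renamed & Submitted)
Trojan.FakeAV.OY (virus) C:\\SYSTEM VOLUME INFORMATION\\_RESTORE{636BC669-61F6-40F6-88B8-69078DD96737}\\RP625\\A0058368.EXE (Renamed)
Trojan.Clicker.VB.KC (virus) C:\\PROGRAM FILES\\NORTON ANTIVIRUS\\QUARANTINE\\3ED353CF.EXE (Renamed & Submitted)
Exploit.ADODB.Stream.BU (virus) C:\\PROGRAM FILES\\NORTON ANTIVIRUS\\QUARANTINE\\5C7A3D53.HTM (Renamed & Submitted)
Trojan:W32/Qhost.VO (virus) C:\\DOCUMENTS AND SETTINGS\\ADMINISTRATOR\\桌面\\OLD\\FIX\\L2MFIX.EXE (Not cleaned)
Gen:Trojan.Heur.304CB3A0A0 (virus) C:\\WINDOWS\\SYSTEM32\\SERVICE.CPL (Not cleaned)
--------------------------------------------------------------------------------
Statistics
"""

LINE_RE = re.compile(
    r"^(?P<name>\S+) \((?P<kind>spyware|virus)\) (?P<target>.+?) \((?P<action>[^()]+)\)$"
)
# Hits in old restore points or another product's quarantine are dormant copies,
# not running malware; everything else is on the live file system.
DORMANT_RE = re.compile(r"\\SYSTEM VOLUME INFORMATION\\|\\QUARANTINE\\", re.IGNORECASE)


def parse_report(text):
    """Return one dict (name, kind, target, action) per detection line.

    Header, ruler and statistics lines do not match the pattern and are skipped.
    """
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def summarize(records):
    """Recompute the report's Statistics block: Renamed counts both 'Renamed'
    and 'Renamed & Submitted'; Submitted counts every submitted sample."""
    stats = Counter()
    for r in records:
        action = r["action"]
        stats["Renamed" if action.startswith("Renamed") else action] += 1
        if "Submitted" in action:
            stats["Submitted"] += 1
    return dict(stats)


def triage(records):
    """Split hits into dormant copies and live ones, and list the live hits the
    scanner could not clean; those are what still needs follow-up."""
    live = [r for r in records if not DORMANT_RE.search(r["target"])]
    dormant = [r for r in records if DORMANT_RE.search(r["target"])]
    not_cleaned = [r["target"] for r in live if r["action"] == "Not cleaned"]
    return {"live": live, "dormant": dormant, "not_cleaned": not_cleaned}


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    print(summarize(recs))
    for path in triage(recs)["not_cleaned"]:
        print("needs follow-up:", path)
```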

#14 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 27 July 2009 - 07:55 AM

Ok,


Please delete your copy of ComboFix from your desktop,

download a fresh copy and rerun it.

Link 1
Link 2


post the resulting log



#15 vonnielui

vonnielui

    Authentic Member

  • Authentic Member
  • PipPip
  • 43 posts

Posted 27 July 2009 - 08:25 AM

Ok,


Please delete your copy of ComboFix from your desktop,

download a fresh copy and rerun it.

Link 1
Link 2


post the resulting log


I assume I should add a - between combo and fix as before?
