It now takes my PC 20 minutes to start up. It freezes as soon as I click my wireless connection icon. I used msconfig to turned down every unnecessary start-up process but it seems not working. A few strange things also occurs: My On-Access anti-virus always reminds me finding a PWS.QQpass trojan every 20 minutes. My ATI configuration center says I don't have the permission to change its settings which I did not. Please take a look at my HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:23:52 PM, on 1/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Driver.\daemon.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
F3 - REG:win.ini: load=C:\WINDOWS\system\rundll32.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system\rundll32.exe,
O2 - BHO: Octh Class - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Info cache - {285AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\WINDOWS\Poss\pctools_20081130_7908.dll
O2 - BHO: Info cache - {295AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\WINDOWS\sony\baiduc.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\DOCUME~1\Jian\MYDOCU~1\flashget\FlashGet\jccatch.dll
O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\DOCUME~1\Jian\MYDOCU~1\flashget\FlashGet\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\DOCUME~1\Jian\MYDOCU~1\flashget\FlashGet\fgiebar.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [user] C:\WINDOWS\Driver..\daemon.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Download All by FlashGet - C:\Documents and Settings\Jian\My Documents\flashget\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Documents and Settings\Jian\My Documents\flashget\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\DOCUME~1\Jian\MYDOCU~1\flashget\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\DOCUME~1\Jian\MYDOCU~1\flashget\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\progra~1\ipacc\ipacc_v2.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\ipacc\ipacc_v2.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\ipacc\ipacc_v2.dll
O16 - DPF: {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A} (DLoader Class) - http://dl.uc.sina.com/cab/downloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BxdkJpz - Unknown owner - C:\WINDOWS\wuauclt.exe
O23 - Service: CcltKey - Unknown owner - C:\WINDOWS\wuauclt.exe
O23 - Service: CorlCld - Unknown owner - C:\WINDOWS\wuauclt.exe
O23 - Service: FxslJuj - Unknown owner - C:\WINDOWS\wuauclt.exe
O23 - Service: HbcdXlx - Unknown owner - C:\WINDOWS\wuauclt.exe
O23 - Service: HrxvKwt - Unknown owner - C:\WINDOWS\wuauclt.exe
O23 - Service: HtqdYpn - Unknown owner - C:\WINDOWS\wuauclt.exe
O23 - Service: JokpBnx - Unknown owner - C:\WINDOWS\wuauclt.exe
O23 - Service: MatoEon - Unknown owner - C:\WINDOWS\wuauclt.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: MgekUfz - Unknown owner - C:\WINDOWS\wuauclt.exe
O23 - Service: NhpaCvc - Unknown owner - C:\WINDOWS\wuauclt.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NiegIlw - Unknown owner - C:\WINDOWS\wuauclt.exe
O23 - Service: PygfViu - Unknown owner - C:\WINDOWS\wuauclt.exe
O23 - Service: QckhOmd - Unknown owner - C:\WINDOWS\wuauclt.exe
O23 - Service: RnmjRcx - Unknown owner - C:\WINDOWS\wuauclt.exe
O23 - Service: UzkaRtx - Unknown owner - C:\WINDOWS\wuauclt.exe
O23 - Service: VigpVou - Unknown owner - C:\WINDOWS\wuauclt.exe
O23 - Service: WcgeZqw - Unknown owner - C:\WINDOWS\wuauclt.exe
O23 - Service: WjfzRji - Unknown owner - C:\WINDOWS\wuauclt.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: XamzJku - Unknown owner - C:\WINDOWS\wuauclt.exe
O23 - Service: XpzhRov - Unknown owner - C:\WINDOWS\wuauclt.exe
--
End of file - 8846 bytes
I would appreciate any help from you!
Jonathan
Full Version: Possible infection
First:
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
Second:
Please download ATF Cleaner by Atribune.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
Third:
1. Download Random's system information tool (RSIT) from here:
http://images.malwareremoval.com/random/RSIT.exe
Choose to *save* the file to your desktop.
2. Double click on RSIT.exe to run the tool.
3. Click *Continue* at the disclaimer screen.
4. Once it has finished, two logs will open in two separate notepad instances.
Please post the contents of both log.txt (will be maximized) and info.txt (will be minimized). You can just copy and paste the text from those logs into a reply to this topic here.
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
- Make sure you are connected to the Internet.
- Double-click on Download_mbam-setup.exe to install the application. (If using Windows Vista, be sure to "Run As Administrator")
- When the installation begins, follow the prompts and do not make any changes to default settings.
- When installation has finished, make sure you leave both of these checked:
- Update Malwarebytes' Anti-Malware
- Launch Malwarebytes' Anti-Malware
- Then click Finish.
- MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
- If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
- On the Scanner tab:
- Make sure the "Perform Quick Acan" option is selected.
- Then click on the Scan button.
- The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
- The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
- When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
- Click OK to close the message box and continue with the removal process.
- Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
- Make sure that everything is checked, and click Remove Selected.
- When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
- The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
- Copy and paste the contents of that report in your next reply and exit MBAM.
Second:
Please download ATF Cleaner by Atribune.
- Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
- Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
- Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
Third:
1. Download Random's system information tool (RSIT) from here:
http://images.malwareremoval.com/random/RSIT.exe
Choose to *save* the file to your desktop.
2. Double click on RSIT.exe to run the tool.
3. Click *Continue* at the disclaimer screen.
4. Once it has finished, two logs will open in two separate notepad instances.
Please post the contents of both log.txt (will be maximized) and info.txt (will be minimized). You can just copy and paste the text from those logs into a reply to this topic here.
Hello LoPhatPhuud,
Thank you so much for your reply. I followed the three step you asked and here is the first log:
alwarebytes' Anti-Malware 1.32
Database version: 1625
Windows 5.1.2600 Service Pack 3
1/6/2009 5:53:26 PM
mbam-log-2009-01-06 (17-53-26).txt
Scan type: Quick Scan
Objects scanned: 50104
Time elapsed: 3 minute(s), 47 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 87
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 9
Memory Processes Infected:
C:\WINDOWS\wuauclt.exe (Backdoor.Bot) -> Unloaded process successfully.
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{385ab8c4-fb22-4d17-8834-064e2ba0a6f0} (Adware.Cinmus) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{285ab8c6-fb22-4d17-8834-064e2ba0a6f0} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{285ab8c6-fb22-4d17-8834-064e2ba0a6f0} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{285ab8c6-fb22-4d17-8834-064e2ba0a6f0} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{385ab8c6-fb22-4d17-8834-064e2ba0a6f0} (Trojan.Yigather) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{385ab8c6-fb22-4d17-8834-064e2ba0a6f0} (Trojan.Yigather) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{385ab8c6-fb22-4d17-8834-064e2ba0a6f0} (Trojan.Yigather) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{385ab8c5-fb22-4d17-8834-064e2ba0a6f0} (Adware.Cinmus) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{295ab8c6-fb22-4d17-8834-064e2ba0a6f0} (Adware.Cinmus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{295ab8c6-fb22-4d17-8834-064e2ba0a6f0} (Adware.Cinmus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{295ab8c6-fb22-4d17-8834-064e2ba0a6f0} (Adware.Cinmus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\acpidisk (Adware.Cinmus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bxdkjpz (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\bxdkjpz (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bxdkjpz (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ccltkey (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ccltkey (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ccltkey (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\corlcld (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\corlcld (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\corlcld (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\fxsljuj (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\fxsljuj (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fxsljuj (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hbcdxlx (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\hbcdxlx (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hbcdxlx (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hrxvkwt (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\hrxvkwt (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hrxvkwt (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\htqdypn (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\htqdypn (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\htqdypn (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\idemcan (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\idemcan (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\idemcan (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ifuciil (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ifuciil (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\jokpbnx (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\jokpbnx (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jokpbnx (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kfsfmyg (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\kfsfmyg (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kfsfmyg (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\matoeon (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\matoeon (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\matoeon (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mgekufz (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\mgekufz (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mgekufz (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nhpacvc (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\nhpacvc (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nhpacvc (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\niegilw (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\niegilw (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\niegilw (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pygfviu (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\pygfviu (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pygfviu (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\qckhomd (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\qckhomd (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qckhomd (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rnmjrcx (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\rnmjrcx (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rnmjrcx (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\uzkartx (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\uzkartx (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\uzkartx (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vigpvou (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\vigpvou (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vigpvou (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wcgezqw (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\wcgezqw (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wcgezqw (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wjfzrji (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\wjfzrji (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wjfzrji (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\xamzjku (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\xamzjku (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xamzjku (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\xpzhrov (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\xpzhrov (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xpzhrov (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IDSCNP (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\acpidisk (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\acpidisk (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\WINDOWS\Poss (Adware.Cinmus) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools (Trojan.Yigather) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\Poss\pctools_20081130_7908.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll (Trojan.Yigather) -> Quarantined and deleted successfully.
C:\WINDOWS\sony\baiduc.dll (Adware.Cinmus) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools_2008109_7908.dll (Trojan.Yigather) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mprmsgse.axz (Adware.Cinmus) -> Quarantined and deleted successfully.
C:\WINDOWS\BMd365f109.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BMd365f109.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\wuauclt.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\acpidisk.sys (Trojan.Agent) -> Quarantined and deleted successfully.
I then tried to run RSIT the process was a error message "AutoIt Error" stating "Line-1: Error: Subscript used with non-Array variable" then the process aborted so I could not get any log files from RSIT. But I still post the new HJT log below (don't know if it's helpful...)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:11:30 PM, on 1/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
F3 - REG:win.ini: load=C:\WINDOWS\system\rundll32.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system\rundll32.exe,
O2 - BHO: Octh Class - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Info cache - {295AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\WINDOWS\Intel\baiduc.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\DOCUME~1\Jian\MYDOCU~1\flashget\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\DOCUME~1\Jian\MYDOCU~1\flashget\FlashGet\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\DOCUME~1\Jian\MYDOCU~1\flashget\FlashGet\fgiebar.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [user] C:\WINDOWS\Driver..\daemon.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Download All by FlashGet - C:\Documents and Settings\Jian\My Documents\flashget\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Documents and Settings\Jian\My Documents\flashget\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\DOCUME~1\Jian\MYDOCU~1\flashget\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\DOCUME~1\Jian\MYDOCU~1\flashget\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\progra~1\ipacc\ipacc_v2.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\ipacc\ipacc_v2.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\ipacc\ipacc_v2.dll
O16 - DPF: {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A} (DLoader Class) - http://dl.uc.sina.com/cab/downloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 7330 bytes
Please let me know it there is anything else I can do!
Thanks
Jonathan
Thank you so much for your reply. I followed the three step you asked and here is the first log:
alwarebytes' Anti-Malware 1.32
Database version: 1625
Windows 5.1.2600 Service Pack 3
1/6/2009 5:53:26 PM
mbam-log-2009-01-06 (17-53-26).txt
Scan type: Quick Scan
Objects scanned: 50104
Time elapsed: 3 minute(s), 47 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 87
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 9
Memory Processes Infected:
C:\WINDOWS\wuauclt.exe (Backdoor.Bot) -> Unloaded process successfully.
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{385ab8c4-fb22-4d17-8834-064e2ba0a6f0} (Adware.Cinmus) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{285ab8c6-fb22-4d17-8834-064e2ba0a6f0} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{285ab8c6-fb22-4d17-8834-064e2ba0a6f0} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{285ab8c6-fb22-4d17-8834-064e2ba0a6f0} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{385ab8c6-fb22-4d17-8834-064e2ba0a6f0} (Trojan.Yigather) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{385ab8c6-fb22-4d17-8834-064e2ba0a6f0} (Trojan.Yigather) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{385ab8c6-fb22-4d17-8834-064e2ba0a6f0} (Trojan.Yigather) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{385ab8c5-fb22-4d17-8834-064e2ba0a6f0} (Adware.Cinmus) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{295ab8c6-fb22-4d17-8834-064e2ba0a6f0} (Adware.Cinmus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{295ab8c6-fb22-4d17-8834-064e2ba0a6f0} (Adware.Cinmus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{295ab8c6-fb22-4d17-8834-064e2ba0a6f0} (Adware.Cinmus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\acpidisk (Adware.Cinmus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bxdkjpz (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\bxdkjpz (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bxdkjpz (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ccltkey (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ccltkey (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ccltkey (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\corlcld (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\corlcld (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\corlcld (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\fxsljuj (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\fxsljuj (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fxsljuj (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hbcdxlx (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\hbcdxlx (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hbcdxlx (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hrxvkwt (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\hrxvkwt (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hrxvkwt (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\htqdypn (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\htqdypn (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\htqdypn (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\idemcan (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\idemcan (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\idemcan (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ifuciil (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ifuciil (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\jokpbnx (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\jokpbnx (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jokpbnx (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kfsfmyg (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\kfsfmyg (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kfsfmyg (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\matoeon (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\matoeon (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\matoeon (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mgekufz (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\mgekufz (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mgekufz (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nhpacvc (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\nhpacvc (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nhpacvc (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\niegilw (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\niegilw (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\niegilw (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pygfviu (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\pygfviu (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pygfviu (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\qckhomd (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\qckhomd (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qckhomd (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rnmjrcx (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\rnmjrcx (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rnmjrcx (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\uzkartx (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\uzkartx (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\uzkartx (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vigpvou (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\vigpvou (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vigpvou (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wcgezqw (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\wcgezqw (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wcgezqw (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wjfzrji (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\wjfzrji (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wjfzrji (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\xamzjku (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\xamzjku (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xamzjku (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\xpzhrov (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\xpzhrov (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xpzhrov (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IDSCNP (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\acpidisk (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\acpidisk (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\WINDOWS\Poss (Adware.Cinmus) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools (Trojan.Yigather) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\Poss\pctools_20081130_7908.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll (Trojan.Yigather) -> Quarantined and deleted successfully.
C:\WINDOWS\sony\baiduc.dll (Adware.Cinmus) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools_2008109_7908.dll (Trojan.Yigather) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mprmsgse.axz (Adware.Cinmus) -> Quarantined and deleted successfully.
C:\WINDOWS\BMd365f109.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BMd365f109.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\wuauclt.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\acpidisk.sys (Trojan.Agent) -> Quarantined and deleted successfully.
I then tried to run RSIT the process was a error message "AutoIt Error" stating "Line-1: Error: Subscript used with non-Array variable" then the process aborted so I could not get any log files from RSIT. But I still post the new HJT log below (don't know if it's helpful...)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:11:30 PM, on 1/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
F3 - REG:win.ini: load=C:\WINDOWS\system\rundll32.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system\rundll32.exe,
O2 - BHO: Octh Class - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Info cache - {295AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\WINDOWS\Intel\baiduc.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\DOCUME~1\Jian\MYDOCU~1\flashget\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\DOCUME~1\Jian\MYDOCU~1\flashget\FlashGet\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\DOCUME~1\Jian\MYDOCU~1\flashget\FlashGet\fgiebar.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [user] C:\WINDOWS\Driver..\daemon.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Download All by FlashGet - C:\Documents and Settings\Jian\My Documents\flashget\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Documents and Settings\Jian\My Documents\flashget\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\DOCUME~1\Jian\MYDOCU~1\flashget\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\DOCUME~1\Jian\MYDOCU~1\flashget\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\progra~1\ipacc\ipacc_v2.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\ipacc\ipacc_v2.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\ipacc\ipacc_v2.dll
O16 - DPF: {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A} (DLoader Class) - http://dl.uc.sina.com/cab/downloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 7330 bytes
Please let me know it there is anything else I can do!
Thanks
Jonathan
First:
Delete rsit.exe and the folder C:\rsit
Second:
Reboot in Safe Mode* and run HiJackThis. <-- IMPORTANT
Press the 'Scan' button and when done check the following items in HijackThis:
F3 - REG:win.ini: load=C:\WINDOWS\system\rundll32.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system\rundll32.exe,
O2 - BHO: Info cache - {295AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\WINDOWS\Intel\baiduc.dll
O4 - HKLM\..\Policies\Explorer\Run: [user] C:\WINDOWS\Driver..\daemon.exe
Close all windows except HijackThis and click Fix checked.
While still in Safe Mode*, delete the following: (you may need to show hidden files**)
(Files specified without a full path will usually be located in C:\Windows\ or C:\Windows\System32\)
C:\WINDOWS\system\rundll32.exe
*How to Boot into Safe mode:
http://www.computerhope.com/issues/chsafe.htm
**Show Hidden and System files and folders: http://www.xtra.co.nz/help/0,,4155-1916458,00.html
Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.
Reboot in normal mode
Run HiJackThis again and post a new log in this thread. (Be sure that Word Wrap is turned off in Notepad)
Second:
Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Link 1
Link 2
Link 3
**Note: It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
--------------------------------------------------------------------
Double click on combofix.exe & follow the prompts.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
Delete rsit.exe and the folder C:\rsit
Second:
Reboot in Safe Mode* and run HiJackThis. <-- IMPORTANT
Press the 'Scan' button and when done check the following items in HijackThis:
F3 - REG:win.ini: load=C:\WINDOWS\system\rundll32.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system\rundll32.exe,
O2 - BHO: Info cache - {295AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\WINDOWS\Intel\baiduc.dll
O4 - HKLM\..\Policies\Explorer\Run: [user] C:\WINDOWS\Driver..\daemon.exe
Close all windows except HijackThis and click Fix checked.
While still in Safe Mode*, delete the following: (you may need to show hidden files**)
(Files specified without a full path will usually be located in C:\Windows\ or C:\Windows\System32\)
C:\WINDOWS\system\rundll32.exe
*How to Boot into Safe mode:
http://www.computerhope.com/issues/chsafe.htm
**Show Hidden and System files and folders: http://www.xtra.co.nz/help/0,,4155-1916458,00.html
Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.
Reboot in normal mode
Run HiJackThis again and post a new log in this thread. (Be sure that Word Wrap is turned off in Notepad)
Second:
Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Link 1
Link 2
Link 3
**Note: It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
--------------------------------------------------------------------
Double click on combofix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the "C:\ComboFix.txt"
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
Hello LoPhatPhuud,
Thank you for your reply again. I followed every step you said except I could not find "C:\WINDOWS\system\rundll32.exe". There is one called "C:\WINDOWS\system32\rundll32.exe", but I am not sure if that's is the one I should delete. Maybe I did something wrong on this. Should I did this whole process again, or something else. Sorry about this snag.
Here is the new HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:09:33 PM, on 1/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\systema.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\inc_lj.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: Octh Class - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Info cache - {295AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\WINDOWS\Intel\baiduc.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\DOCUME~1\Jian\MYDOCU~1\flashget\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\DOCUME~1\Jian\MYDOCU~1\flashget\FlashGet\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\DOCUME~1\Jian\MYDOCU~1\flashget\FlashGet\fgiebar.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Download All by FlashGet - C:\Documents and Settings\Jian\My Documents\flashget\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Documents and Settings\Jian\My Documents\flashget\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\DOCUME~1\Jian\MYDOCU~1\flashget\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\DOCUME~1\Jian\MYDOCU~1\flashget\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\progra~1\ipacc\ipacc_v2.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\ipacc\ipacc_v2.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\ipacc\ipacc_v2.dll
O16 - DPF: {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A} (DLoader Class) - http://dl.uc.sina.com/cab/downloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Baidu Service (Baidu) - Unknown owner - C:\WINDOWS\system32\systema.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 7098 bytes
And here is my combofix log
ComboFix 09-01-07.01 - Jian 2009-01-07 18:25:52.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.631 [GMT -5:00]
Running from: c:\documents and settings\Jian\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated)
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\strategy.txt
c:\windows\system32\drivers\acpidisk.sys
c:\windows\system32\gprmsgse.axz
c:\windows\system32\gscpx32r.det
c:\windows\system32\mscpx32r.det
c:\windows\system32\systema.exe
c:\windows\TEMP\~my1.tmp
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ACPIDISK
-------\Service_acpidisk
((((((((((((((((((((((((( Files Created from 2008-12-07 to 2009-01-07 )))))))))))))))))))))))))))))))
.
2009-01-07 17:41 . 2009-01-07 17:42 <DIR> d-------- c:\documents and settings\Jonathan
2009-01-06 20:52 . 2009-01-06 20:52 368,128 --a------ c:\windows\system32\inc_lj.exe
2009-01-06 20:52 . 2009-01-06 20:52 459 --a------ c:\windows\system32\searchURL.ini
2009-01-06 20:52 . 2009-01-06 20:52 15 --a------ c:\windows\system32\adset.ini
2009-01-06 18:06 . 2009-01-06 18:06 <DIR> d-------- c:\windows\Intel
2009-01-06 17:40 . 2009-01-06 17:40 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-06 17:40 . 2009-01-04 18:41 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-06 17:40 . 2009-01-04 18:41 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-03 11:43 . 2009-01-03 11:43 <DIR> d-------- c:\program files\Trend Micro
2008-12-25 10:17 . 2008-12-25 10:28 <DIR> d-------- c:\program files\qpgplayer
2008-12-23 09:38 . 2009-01-09 02:02 153,732 --a------ c:\windows\system32\drivers\pnpmem.sys
2008-12-23 09:38 . 2008-12-23 09:38 32 --a------ c:\windows\system32\ormsgse.axz
2008-12-20 19:18 . 2008-12-20 19:18 <DIR> d-------- c:\windows\PIF
2008-12-20 10:23 . <DIR> C:\bad
2008-12-20 10:23 . 2008-12-20 10:23 2 --a------ c:\windows\sysinfo.tmp
2008-12-19 10:02 . <DIR> c:\windows\Driver
2008-12-18 09:44 . 2009-01-06 17:53 <DIR> d-------- c:\windows\sony
2008-12-17 16:22 . 2008-12-17 16:22 <DIR> d-------- c:\documents and settings\Jian\Application Data\DAEMON Tools Pro
2008-12-17 16:08 . 2008-12-17 16:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2008-12-17 16:07 . 2008-12-17 16:22 <DIR> d-------- c:\documents and settings\Jian\Application Data\DAEMON Tools Lite
2008-12-16 11:37 . 2008-12-25 10:33 <DIR> d-------- C:\101MSDCF
2008-12-16 11:36 . 2001-08-17 13:56 7,552 --a------ c:\windows\system32\drivers\SONYPVU1.SYS
2008-12-16 11:36 . 2001-08-17 13:56 7,552 --a--c--- c:\windows\system32\dllcache\sonypvu1.sys
2008-12-14 11:38 . 2009-01-03 11:47 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-14 11:38 . 2008-12-14 11:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-07 15:56 --------- d-----w c:\documents and settings\Jian\Application Data\Orbit
2009-01-03 20:55 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-20 02:16 --------- d-----w c:\documents and settings\Jian\Application Data\uTorrent
2008-12-17 21:22 --------- d-----w c:\documents and settings\Jian\Application Data\DAEMON Tools
2008-11-24 18:50 --------- d-----w c:\documents and settings\Jian\Application Data\goombah
2008-11-24 18:12 --------- d-----w c:\documents and settings\Jian\Application Data\Ruckus Network
2008-11-12 22:47 --------- d-----w c:\program files\MSXML 4.0
2008-12-19 15:02 155,648 ----a-w c:\program files\internet explorer\plugins\icwres.dll
2008-09-13 15:45 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091320080914\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-07-16 111952]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Ruckus Player\\Ruckus.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12301:TCP"= 12301:TCP:160.36.178.188/255.255.255.255:Enabled:McAfeeServer
"12301:UDP"= 12301:UDP:160.36.178.188/255.255.255.255:Enabled:McAfeeServer
"12302:TCP"= 12302:TCP:160.36.178.188/255.255.255.255:Enabled:McAfeeUpdate
"12302:UDP"= 12302:UDP:160.36.178.188/255.255.255.255:Enabled:McAfeeUpdate
R4 BCMWLNPF;Broadcom Netgroup Packet Filter;c:\windows\system32\drivers\BCMWLNPF.SYS [2008-02-21 33664]
R4 pnpmem;pnpmem;c:\windows\system32\drivers\pnpmem.sys [2008-12-23 153732]
S3 npkycryp;npkycryp;\??\c:\windows\system32\npkycryp.sys --> c:\windows\system32\npkycryp.sys [?]
S4 Baidu;Baidu Service;c:\windows\system32\systema.exe --> c:\windows\system32\systema.exe [?]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17366785-68a8-11dd-ab37-0016ce642dea}]
\Shell\AutoRun\command - F:\SETUP.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{85c1ee6c-8d61-11dd-ab92-0016ce642dea}]
\Shell\AutoRun\command - F:\SETUP.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8903ed72-2d81-11dd-aab8-0015c5122b50}]
\Shell\AutoRun\command - F:\Start.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ce84faf8-cc7e-11dd-ac4e-0016ce642dea}]
\Shell\AutoRun\command - E:\SETUP.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e6f24e8a-07f8-11dd-aa71-0015c5122b50}]
\Shell\AutoRun\command - F:\LaunchU3.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f2a315ee-6316-11dd-ab2a-0016ce642dea}]
\Shell\AutoRun\command - F:\SETUP.EXE
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-DAEMON Tools Lite - c:\program files\DAEMON Tools Lite\daemon.exe
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = local
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: Download All by FlashGet - c:\documents and settings\Jian\My Documents\flashget\FlashGet\jc_all.htm
IE: Download using FlashGet - c:\documents and settings\Jian\My Documents\flashget\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\progra~1\ipacc\ipacc_v2.dll
c:\windows\Downloaded Program Files\downloader.dll - O16 -: {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A}
hxxp://dl.uc.sina.com/cab/downloader.cab
c:\windows\Downloaded Program Files\downloader.inf
FF - ProfilePath - c:\documents and settings\Jian\Application Data\Mozilla\Firefox\Profiles\u6x4l6y3.default\
FF - prefs.js: browser.startup.homepage - hxxp://utk.edu/
FF - plugin: c:\documents and settings\Jian\Application Data\Mozilla\Firefox\Profiles\u6x4l6y3.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071102000004.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-07 18:29:42
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{295AB8C6-FB22-4D17-8834-064E2BA0A6F0}]
@Denied: (A) (Users)
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="Info cache"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{295AB8C6-FB22-4D17-8834-064E2BA0A6F0}\InprocServer32]
@Denied: (A) (Users)
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="c:\\WINDOWS\\Intel\\baiduc.dll"
"ThreadingModel"="Apartment"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{295AB8C6-FB22-4D17-8834-064E2BA0A6F0}\TypeLib]
@="{285AB8C5-FB22-4D17-8834-064E2BA0A6F0}"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(696)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\syslib .dll
c:\windows\system32\COMRes.dll
c:\program files\Bonjour\mdnsNSP.dll
c:\progra~1\ipacc\ipacc_v2.dll
- - - - - - - > 'lsass.exe'(752)
c:\progra~1\ipacc\ipacc_v2.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\wscntfy.exe
c:\program files\McAfee\Common Framework\Mctray.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Completion time: 2009-01-07 18:32:37 - machine was rebooted [Jian]
ComboFix-quarantined-files.txt 2009-01-07 23:32:34
Pre-Run: 55,741,493,248 bytes free
Post-Run: 55,758,204,928 bytes free
196 --- E O F --- 2008-12-18 14:26:38
Thank you for your help again. Please let me know what else I can do!
Jonathan
Thank you for your reply again. I followed every step you said except I could not find "C:\WINDOWS\system\rundll32.exe". There is one called "C:\WINDOWS\system32\rundll32.exe", but I am not sure if that's is the one I should delete. Maybe I did something wrong on this. Should I did this whole process again, or something else. Sorry about this snag.
Here is the new HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:09:33 PM, on 1/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\systema.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\inc_lj.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: Octh Class - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Info cache - {295AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\WINDOWS\Intel\baiduc.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\DOCUME~1\Jian\MYDOCU~1\flashget\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\DOCUME~1\Jian\MYDOCU~1\flashget\FlashGet\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\DOCUME~1\Jian\MYDOCU~1\flashget\FlashGet\fgiebar.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Download All by FlashGet - C:\Documents and Settings\Jian\My Documents\flashget\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Documents and Settings\Jian\My Documents\flashget\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\DOCUME~1\Jian\MYDOCU~1\flashget\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\DOCUME~1\Jian\MYDOCU~1\flashget\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\progra~1\ipacc\ipacc_v2.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\ipacc\ipacc_v2.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\ipacc\ipacc_v2.dll
O16 - DPF: {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A} (DLoader Class) - http://dl.uc.sina.com/cab/downloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Baidu Service (Baidu) - Unknown owner - C:\WINDOWS\system32\systema.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 7098 bytes
And here is my combofix log
ComboFix 09-01-07.01 - Jian 2009-01-07 18:25:52.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.631 [GMT -5:00]
Running from: c:\documents and settings\Jian\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated)
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\strategy.txt
c:\windows\system32\drivers\acpidisk.sys
c:\windows\system32\gprmsgse.axz
c:\windows\system32\gscpx32r.det
c:\windows\system32\mscpx32r.det
c:\windows\system32\systema.exe
c:\windows\TEMP\~my1.tmp
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ACPIDISK
-------\Service_acpidisk
((((((((((((((((((((((((( Files Created from 2008-12-07 to 2009-01-07 )))))))))))))))))))))))))))))))
.
2009-01-07 17:41 . 2009-01-07 17:42 <DIR> d-------- c:\documents and settings\Jonathan
2009-01-06 20:52 . 2009-01-06 20:52 368,128 --a------ c:\windows\system32\inc_lj.exe
2009-01-06 20:52 . 2009-01-06 20:52 459 --a------ c:\windows\system32\searchURL.ini
2009-01-06 20:52 . 2009-01-06 20:52 15 --a------ c:\windows\system32\adset.ini
2009-01-06 18:06 . 2009-01-06 18:06 <DIR> d-------- c:\windows\Intel
2009-01-06 17:40 . 2009-01-06 17:40 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-06 17:40 . 2009-01-04 18:41 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-06 17:40 . 2009-01-04 18:41 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-03 11:43 . 2009-01-03 11:43 <DIR> d-------- c:\program files\Trend Micro
2008-12-25 10:17 . 2008-12-25 10:28 <DIR> d-------- c:\program files\qpgplayer
2008-12-23 09:38 . 2009-01-09 02:02 153,732 --a------ c:\windows\system32\drivers\pnpmem.sys
2008-12-23 09:38 . 2008-12-23 09:38 32 --a------ c:\windows\system32\ormsgse.axz
2008-12-20 19:18 . 2008-12-20 19:18 <DIR> d-------- c:\windows\PIF
2008-12-20 10:23 . <DIR> C:\bad
2008-12-20 10:23 . 2008-12-20 10:23 2 --a------ c:\windows\sysinfo.tmp
2008-12-19 10:02 . <DIR> c:\windows\Driver
2008-12-18 09:44 . 2009-01-06 17:53 <DIR> d-------- c:\windows\sony
2008-12-17 16:22 . 2008-12-17 16:22 <DIR> d-------- c:\documents and settings\Jian\Application Data\DAEMON Tools Pro
2008-12-17 16:08 . 2008-12-17 16:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2008-12-17 16:07 . 2008-12-17 16:22 <DIR> d-------- c:\documents and settings\Jian\Application Data\DAEMON Tools Lite
2008-12-16 11:37 . 2008-12-25 10:33 <DIR> d-------- C:\101MSDCF
2008-12-16 11:36 . 2001-08-17 13:56 7,552 --a------ c:\windows\system32\drivers\SONYPVU1.SYS
2008-12-16 11:36 . 2001-08-17 13:56 7,552 --a--c--- c:\windows\system32\dllcache\sonypvu1.sys
2008-12-14 11:38 . 2009-01-03 11:47 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-14 11:38 . 2008-12-14 11:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-07 15:56 --------- d-----w c:\documents and settings\Jian\Application Data\Orbit
2009-01-03 20:55 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-20 02:16 --------- d-----w c:\documents and settings\Jian\Application Data\uTorrent
2008-12-17 21:22 --------- d-----w c:\documents and settings\Jian\Application Data\DAEMON Tools
2008-11-24 18:50 --------- d-----w c:\documents and settings\Jian\Application Data\goombah
2008-11-24 18:12 --------- d-----w c:\documents and settings\Jian\Application Data\Ruckus Network
2008-11-12 22:47 --------- d-----w c:\program files\MSXML 4.0
2008-12-19 15:02 155,648 ----a-w c:\program files\internet explorer\plugins\icwres.dll
2008-09-13 15:45 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091320080914\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-07-16 111952]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Ruckus Player\\Ruckus.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12301:TCP"= 12301:TCP:160.36.178.188/255.255.255.255:Enabled:McAfeeServer
"12301:UDP"= 12301:UDP:160.36.178.188/255.255.255.255:Enabled:McAfeeServer
"12302:TCP"= 12302:TCP:160.36.178.188/255.255.255.255:Enabled:McAfeeUpdate
"12302:UDP"= 12302:UDP:160.36.178.188/255.255.255.255:Enabled:McAfeeUpdate
R4 BCMWLNPF;Broadcom Netgroup Packet Filter;c:\windows\system32\drivers\BCMWLNPF.SYS [2008-02-21 33664]
R4 pnpmem;pnpmem;c:\windows\system32\drivers\pnpmem.sys [2008-12-23 153732]
S3 npkycryp;npkycryp;\??\c:\windows\system32\npkycryp.sys --> c:\windows\system32\npkycryp.sys [?]
S4 Baidu;Baidu Service;c:\windows\system32\systema.exe --> c:\windows\system32\systema.exe [?]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17366785-68a8-11dd-ab37-0016ce642dea}]
\Shell\AutoRun\command - F:\SETUP.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{85c1ee6c-8d61-11dd-ab92-0016ce642dea}]
\Shell\AutoRun\command - F:\SETUP.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8903ed72-2d81-11dd-aab8-0015c5122b50}]
\Shell\AutoRun\command - F:\Start.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ce84faf8-cc7e-11dd-ac4e-0016ce642dea}]
\Shell\AutoRun\command - E:\SETUP.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e6f24e8a-07f8-11dd-aa71-0015c5122b50}]
\Shell\AutoRun\command - F:\LaunchU3.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f2a315ee-6316-11dd-ab2a-0016ce642dea}]
\Shell\AutoRun\command - F:\SETUP.EXE
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-DAEMON Tools Lite - c:\program files\DAEMON Tools Lite\daemon.exe
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = local
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: Download All by FlashGet - c:\documents and settings\Jian\My Documents\flashget\FlashGet\jc_all.htm
IE: Download using FlashGet - c:\documents and settings\Jian\My Documents\flashget\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\progra~1\ipacc\ipacc_v2.dll
c:\windows\Downloaded Program Files\downloader.dll - O16 -: {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A}
hxxp://dl.uc.sina.com/cab/downloader.cab
c:\windows\Downloaded Program Files\downloader.inf
FF - ProfilePath - c:\documents and settings\Jian\Application Data\Mozilla\Firefox\Profiles\u6x4l6y3.default\
FF - prefs.js: browser.startup.homepage - hxxp://utk.edu/
FF - plugin: c:\documents and settings\Jian\Application Data\Mozilla\Firefox\Profiles\u6x4l6y3.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071102000004.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-07 18:29:42
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{295AB8C6-FB22-4D17-8834-064E2BA0A6F0}]
@Denied: (A) (Users)
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="Info cache"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{295AB8C6-FB22-4D17-8834-064E2BA0A6F0}\InprocServer32]
@Denied: (A) (Users)
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="c:\\WINDOWS\\Intel\\baiduc.dll"
"ThreadingModel"="Apartment"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{295AB8C6-FB22-4D17-8834-064E2BA0A6F0}\TypeLib]
@="{285AB8C5-FB22-4D17-8834-064E2BA0A6F0}"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(696)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\syslib .dll
c:\windows\system32\COMRes.dll
c:\program files\Bonjour\mdnsNSP.dll
c:\progra~1\ipacc\ipacc_v2.dll
- - - - - - - > 'lsass.exe'(752)
c:\progra~1\ipacc\ipacc_v2.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\wscntfy.exe
c:\program files\McAfee\Common Framework\Mctray.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Completion time: 2009-01-07 18:32:37 - machine was rebooted [Jian]
ComboFix-quarantined-files.txt 2009-01-07 23:32:34
Pre-Run: 55,741,493,248 bytes free
Post-Run: 55,758,204,928 bytes free
196 --- E O F --- 2008-12-18 14:26:38
Thank you for your help again. Please let me know what else I can do!
Jonathan
There are four files I want you to check before we go any further. I don't suspect each of them, but info available is conflicting or limited and I want to be sure.
Please submit the following file(s) to VirusTotal for analysis: http://www.virustotal.com
C:\WINDOWS\system32\inc_lj.exe
c:\windows\system32\ormsgse.axz
c:\windows\system32\npkycryp.sys
c:\progra~1\ipacc\ipacc_v2.dll
Be sure to post the results in this thread.
Please submit the following file(s) to VirusTotal for analysis: http://www.virustotal.com
C:\WINDOWS\system32\inc_lj.exe
c:\windows\system32\ormsgse.axz
c:\windows\system32\npkycryp.sys
c:\progra~1\ipacc\ipacc_v2.dll
Be sure to post the results in this thread.
hello LoPhatPhuud,
Thank you for your reply. I found all but "c:\windows\system32\npkycryp.sys" on my computer. Here are the complete results for the rest three files. Please let me know if there is anything else I can do!
File inc_lj.exe received on 01.09.2009 05:00:28 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 7/38 (18.43%)
Loading server information...
Your file is queued in position: 1.
Estimated start time is between 38 and 55 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Compact
Print results Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.
You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:
Antivirus Version Last Update Result
a-squared 4.0.0.73 2009.01.09 -
AhnLab-V3 2009.1.9.0 2009.01.08 Win-AppCare/RAdmin.368128
AntiVir 7.9.0.45 2009.01.08 -
Authentium 5.1.0.4 2009.01.08 W32/Trojan2.XTJ
Avast 4.8.1281.0 2009.01.08 -
AVG 8.0.0.229 2009.01.08 -
BitDefender 7.2 2009.01.09 -
CAT-QuickHeal 10.00 2009.01.08 -
ClamAV 0.94.1 2009.01.08 Trojan.Delf-4656
Comodo 895 2009.01.08 -
DrWeb 4.44.0.09170 2009.01.08 -
eSafe 7.0.17.0 2009.01.08 -
eTrust-Vet 31.6.6299 2009.01.09 -
F-Prot 4.4.4.56 2009.01.08 W32/Trojan2.XTJ
F-Secure 8.0.14470.0 2009.01.09 -
Fortinet 3.117.0.0 2009.01.09 -
GData 19 2009.01.09 -
Ikarus T3.1.1.45.0 2009.01.09 -
K7AntiVirus 7.10.582 2009.01.08 not-a-virus:AdWare.Win32.Dm.bc
Kaspersky 7.0.0.125 2009.01.09 -
McAfee 5489 2009.01.08 -
McAfee+Artemis 5489 2009.01.08 -
Microsoft 1.4205 2009.01.08 -
NOD32 3752 2009.01.08 -
Norman 5.99.02 2009.01.08 W32/DesktopMedia.HQ
Panda 9.4.3.3 2009.01.08 -
PCTools 4.4.2.0 2009.01.08 -
Prevx1 V2 2009.01.09 -
Rising 21.11.40.00 2009.01.09 -
SecureWeb-Gateway 6.7.6 2009.01.09 Trojan.LooksLike.Spy
Sophos 4.37.0 2009.01.09 -
Sunbelt 3.2.1831.2 2009.01.09 -
Symantec 10 2009.01.09 -
TheHacker 6.3.1.4.214 2009.01.09 -
TrendMicro 8.700.0.1004 2009.01.09 -
VBA32 3.12.8.10 2009.01.08 -
ViRobot 2009.1.9.1551 2009.01.09 -
VirusBuster 4.5.11.0 2009.01.08 -
Additional information
File size: 368128 bytes
MD5...: 1888e22ea6846eda224330f269438d7b
SHA1..: c9b0d7b2e13dc84eb227ad88c7f78f2fc3c45ee7
SHA256: f16e6cebf68bbf60786418ca8014a1c0eda96d5da2179999415a57dce06cf29e
SHA512: 0d2c11a790ef47fad808a3f193d459e127c5cf21ececec932b1c63c7b5484d61
a9d09a8738eeff963a0fd248b70bf10db24e5657dd676fe122a858a0cf50dc15
ssdeep: 6144:uizJVFcObrxqph4s8stCzhiv4tiWY80FvrlTsZOjkaPa6SogmlAq4SYnrl:
lJ/cObrApys7BhH80aOj1a6SodAq4XnJ
PEiD..: BobSoft Mini Delphi -> BoB / BobSoft
TrID..: File type identification
Win32 Executable Borland Delphi 7 (69.1%)
Win32 Executable Borland Delphi 6 (27.0%)
Win32 Executable Delphi generic (1.5%)
Win32 Executable Generic (0.8%)
Win32 Dynamic Link Library (generic) (0.7%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x44ca98
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)
( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x4bae0 0x4bc00 6.53 cf31209adbb09b29d28f0caa46d378e7
DATA 0x4d000 0x1124 0x1200 4.04 97339c4c90314481c4b6a220d1e83696
BSS 0x4f000 0xbd9 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0x50000 0x1f2a 0x2000 4.97 a8fa3201c104151992ca4d976d73b592
.tls 0x52000 0x10 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 0x53000 0x18 0x200 0.21 5f84fd7a6665e7dac4c7258919da69b9
.reloc 0x54000 0x5520 0x5600 6.67 80e3fea6ea63dd385bc351c77791c3b6
.rsrc 0x5a000 0x5400 0x5400 4.19 82b5c3bd6447ca5914bce1e2908aaee1
( 13 imports )
> kernel32.dll: DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
> user32.dll: GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
> advapi32.dll: RegQueryValueExA, RegOpenKeyExA, RegCloseKey
> oleaut32.dll: SysFreeString, SysReAllocStringLen, SysAllocStringLen
> kernel32.dll: TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
> advapi32.dll: RegQueryValueExA, RegOpenKeyExA, RegCloseKey
> kernel32.dll: lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualAlloc, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetSystemInfo, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, GetACP, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
> version.dll: VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
> gdi32.dll: UnrealizeObject, StretchBlt, SetWindowOrgEx, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExcludeClipRect, DeleteObject, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, BitBlt
> user32.dll: CreateWindowExA, WindowFromPoint, WinHelpA, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClientRect, GetClassNameA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
> kernel32.dll: Sleep
> oleaut32.dll: SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
> comctl32.dll: ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
( 0 exports )
File ormsgse.axz received on 01.09.2009 05:06:01 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 0/38 (0%)
Loading server information...
Your file is queued in position: 1.
Estimated start time is between 43 and 62 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Compact
Print results Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.
You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:
Antivirus Version Last Update Result
a-squared 4.0.0.73 2009.01.09 -
AhnLab-V3 2009.1.9.0 2009.01.08 -
AntiVir 7.9.0.45 2009.01.08 -
Authentium 5.1.0.4 2009.01.08 -
Avast 4.8.1281.0 2009.01.08 -
AVG 8.0.0.229 2009.01.08 -
BitDefender 7.2 2009.01.09 -
CAT-QuickHeal 10.00 2009.01.08 -
ClamAV 0.94.1 2009.01.08 -
Comodo 895 2009.01.08 -
DrWeb 4.44.0.09170 2009.01.08 -
eSafe 7.0.17.0 2009.01.08 -
eTrust-Vet 31.6.6299 2009.01.09 -
F-Prot 4.4.4.56 2009.01.08 -
F-Secure 8.0.14470.0 2009.01.09 -
Fortinet 3.117.0.0 2009.01.09 -
GData 19 2009.01.09 -
Ikarus T3.1.1.45.0 2009.01.09 -
K7AntiVirus 7.10.582 2009.01.08 -
Kaspersky 7.0.0.125 2009.01.09 -
McAfee 5489 2009.01.08 -
McAfee+Artemis 5489 2009.01.08 -
Microsoft 1.4205 2009.01.08 -
NOD32 3752 2009.01.08 -
Norman 5.99.02 2009.01.08 -
Panda 9.4.3.3 2009.01.08 -
PCTools 4.4.2.0 2009.01.08 -
Prevx1 V2 2009.01.09 -
Rising 21.11.40.00 2009.01.09 -
SecureWeb-Gateway 6.7.6 2009.01.09 -
Sophos 4.37.0 2009.01.09 -
Sunbelt 3.2.1831.2 2009.01.09 -
Symantec 10 2009.01.09 -
TheHacker 6.3.1.4.214 2009.01.09 -
TrendMicro 8.700.0.1004 2009.01.09 -
VBA32 3.12.8.10 2009.01.08 -
ViRobot 2009.1.9.1551 2009.01.09 -
VirusBuster 4.5.11.0 2009.01.08 -
Additional information
File size: 32 bytes
MD5...: aa2e25f550e78c44996d248365e2903f
SHA1..: e64a02c1f30a7a8092825655415ffde08f2a86ed
SHA256: c84627a5d302eb2e085e17a0696e71405345cd5c6d2bde21595f7d27db1cffd8
SHA512: 2e36ce3ea8bba755cd1bb136375b975fc613616bdbed8d89e0122efca775e387
bdca93bd051a77e9d7e44d8f7f6e6af9fd720d14833e5017748ed175dbc060dc
ssdeep: 3:hdgQPTSVIE:rQ
PEiD..: -
TrID..: File type identification
file seems to be plain text/ASCII (0.0%)
PEInfo: -
File ipacc_v2.dll received on 01.09.2009 05:13:30 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 0/38 (0%)
Loading server information...
Your file is queued in position: 1.
Estimated start time is between 38 and 55 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Compact
Print results Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.
You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:
Antivirus Version Last Update Result
a-squared 4.0.0.73 2009.01.09 -
AhnLab-V3 2009.1.9.0 2009.01.08 -
AntiVir 7.9.0.45 2009.01.08 -
Authentium 5.1.0.4 2009.01.08 -
Avast 4.8.1281.0 2009.01.08 -
AVG 8.0.0.229 2009.01.08 -
BitDefender 7.2 2009.01.09 -
CAT-QuickHeal 10.00 2009.01.08 -
ClamAV 0.94.1 2009.01.08 -
Comodo 895 2009.01.08 -
DrWeb 4.44.0.09170 2009.01.08 -
eSafe 7.0.17.0 2009.01.08 -
eTrust-Vet 31.6.6299 2009.01.09 -
F-Prot 4.4.4.56 2009.01.08 -
F-Secure 8.0.14470.0 2009.01.09 -
Fortinet 3.117.0.0 2009.01.09 -
GData 19 2009.01.09 -
Ikarus T3.1.1.45.0 2009.01.09 -
K7AntiVirus 7.10.582 2009.01.08 -
Kaspersky 7.0.0.125 2009.01.09 -
McAfee 5489 2009.01.08 -
McAfee+Artemis 5489 2009.01.08 -
Microsoft 1.4205 2009.01.08 -
NOD32 3752 2009.01.08 -
Norman 5.99.02 2009.01.08 -
Panda 9.4.3.3 2009.01.08 -
PCTools 4.4.2.0 2009.01.08 -
Prevx1 V2 2009.01.09 -
Rising 21.11.40.00 2009.01.09 -
SecureWeb-Gateway 6.7.6 2009.01.09 -
Sophos 4.37.0 2009.01.09 -
Sunbelt 3.2.1831.2 2009.01.09 -
Symantec 10 2009.01.09 -
TheHacker 6.3.1.4.214 2009.01.09 -
TrendMicro 8.700.0.1004 2009.01.09 -
VBA32 3.12.8.10 2009.01.08 -
ViRobot 2009.1.9.1551 2009.01.09 -
VirusBuster 4.5.11.0 2009.01.08 -
Additional information
File size: 57344 bytes
MD5...: aaa133dd21d070e2dcafe295ae3abc74
SHA1..: 464c4b1f857b8b6be6fc62fe23971f1826d38743
SHA256: 791dab7e2edc6625ee159f4dd90095518e2d0d72ae2cd1ec5e5a5f3d3dd728e5
SHA512: b9fa0cdb0196d4c592e8d8a7c3716dae7ab4cd23f9af0493e93e4b3fa6d04fcd
cc6f385cadc53b30f54e37f9956d0233672c69939a11c40cd3022fe1d3478dc8
ssdeep: 768:H7kV4BnYufrtY7vSJU83YSpkjQX/fSyEk/PgYmZphBKtVF:Hg4hYupffFQQX
/fPEk/Pgv8t/
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x1000305a
timedatestamp.....: 0x470b0031 (Tue Oct 09 04:14:41 2007)
machinetype.......: 0x14c (I386)
( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x8734 0x9000 6.38 5c430862fb76f0947c610938aca7dce5
.rdata 0xa000 0x1dda 0x2000 5.27 be684ba4b210d5081392232d2ce2432e
.data 0xc000 0x1b3c 0x1000 2.14 c2d827157f6b7f0586c1ef839936c57a
.reloc 0xe000 0xe24 0x1000 4.43 5bd8599783f2adf189043c6e6d6d5956
( 3 imports )
> WS2_32.dll: -, -, -, -, -, WSCGetProviderPath, WSCEnumProtocols
> SHLWAPI.dll: PathStripPathW
> KERNEL32.dll: IsValidCodePage, HeapSize, RtlUnwind, HeapReAlloc, VirtualAlloc, ExpandEnvironmentStringsA, InitializeCriticalSection, WideCharToMultiByte, LoadLibraryW, HeapDestroy, HeapCreate, GetLastError, GetProcAddress, LoadLibraryA, ExpandEnvironmentStringsW, HeapAlloc, HeapFree, EnterCriticalSection, LeaveCriticalSection, FreeLibrary, CloseHandle, GetCurrentProcessId, GetModuleFileNameW, OpenFileMappingW, MapViewOfFile, UnmapViewOfFile, DeleteCriticalSection, GetCurrentThreadId, GetCommandLineA, GetVersionExA, GetProcessHeap, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, GetModuleHandleA, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, ExitProcess, Sleep, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, VirtualFree, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, LCMapStringA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, WriteFile
( 1 exports )
WSPStartup
Thank you for your reply. I found all but "c:\windows\system32\npkycryp.sys" on my computer. Here are the complete results for the rest three files. Please let me know if there is anything else I can do!
File inc_lj.exe received on 01.09.2009 05:00:28 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 7/38 (18.43%)
Loading server information...
Your file is queued in position: 1.
Estimated start time is between 38 and 55 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Compact
Print results Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.
You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:
Antivirus Version Last Update Result
a-squared 4.0.0.73 2009.01.09 -
AhnLab-V3 2009.1.9.0 2009.01.08 Win-AppCare/RAdmin.368128
AntiVir 7.9.0.45 2009.01.08 -
Authentium 5.1.0.4 2009.01.08 W32/Trojan2.XTJ
Avast 4.8.1281.0 2009.01.08 -
AVG 8.0.0.229 2009.01.08 -
BitDefender 7.2 2009.01.09 -
CAT-QuickHeal 10.00 2009.01.08 -
ClamAV 0.94.1 2009.01.08 Trojan.Delf-4656
Comodo 895 2009.01.08 -
DrWeb 4.44.0.09170 2009.01.08 -
eSafe 7.0.17.0 2009.01.08 -
eTrust-Vet 31.6.6299 2009.01.09 -
F-Prot 4.4.4.56 2009.01.08 W32/Trojan2.XTJ
F-Secure 8.0.14470.0 2009.01.09 -
Fortinet 3.117.0.0 2009.01.09 -
GData 19 2009.01.09 -
Ikarus T3.1.1.45.0 2009.01.09 -
K7AntiVirus 7.10.582 2009.01.08 not-a-virus:AdWare.Win32.Dm.bc
Kaspersky 7.0.0.125 2009.01.09 -
McAfee 5489 2009.01.08 -
McAfee+Artemis 5489 2009.01.08 -
Microsoft 1.4205 2009.01.08 -
NOD32 3752 2009.01.08 -
Norman 5.99.02 2009.01.08 W32/DesktopMedia.HQ
Panda 9.4.3.3 2009.01.08 -
PCTools 4.4.2.0 2009.01.08 -
Prevx1 V2 2009.01.09 -
Rising 21.11.40.00 2009.01.09 -
SecureWeb-Gateway 6.7.6 2009.01.09 Trojan.LooksLike.Spy
Sophos 4.37.0 2009.01.09 -
Sunbelt 3.2.1831.2 2009.01.09 -
Symantec 10 2009.01.09 -
TheHacker 6.3.1.4.214 2009.01.09 -
TrendMicro 8.700.0.1004 2009.01.09 -
VBA32 3.12.8.10 2009.01.08 -
ViRobot 2009.1.9.1551 2009.01.09 -
VirusBuster 4.5.11.0 2009.01.08 -
Additional information
File size: 368128 bytes
MD5...: 1888e22ea6846eda224330f269438d7b
SHA1..: c9b0d7b2e13dc84eb227ad88c7f78f2fc3c45ee7
SHA256: f16e6cebf68bbf60786418ca8014a1c0eda96d5da2179999415a57dce06cf29e
SHA512: 0d2c11a790ef47fad808a3f193d459e127c5cf21ececec932b1c63c7b5484d61
a9d09a8738eeff963a0fd248b70bf10db24e5657dd676fe122a858a0cf50dc15
ssdeep: 6144:uizJVFcObrxqph4s8stCzhiv4tiWY80FvrlTsZOjkaPa6SogmlAq4SYnrl:
lJ/cObrApys7BhH80aOj1a6SodAq4XnJ
PEiD..: BobSoft Mini Delphi -> BoB / BobSoft
TrID..: File type identification
Win32 Executable Borland Delphi 7 (69.1%)
Win32 Executable Borland Delphi 6 (27.0%)
Win32 Executable Delphi generic (1.5%)
Win32 Executable Generic (0.8%)
Win32 Dynamic Link Library (generic) (0.7%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x44ca98
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)
( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x4bae0 0x4bc00 6.53 cf31209adbb09b29d28f0caa46d378e7
DATA 0x4d000 0x1124 0x1200 4.04 97339c4c90314481c4b6a220d1e83696
BSS 0x4f000 0xbd9 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0x50000 0x1f2a 0x2000 4.97 a8fa3201c104151992ca4d976d73b592
.tls 0x52000 0x10 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 0x53000 0x18 0x200 0.21 5f84fd7a6665e7dac4c7258919da69b9
.reloc 0x54000 0x5520 0x5600 6.67 80e3fea6ea63dd385bc351c77791c3b6
.rsrc 0x5a000 0x5400 0x5400 4.19 82b5c3bd6447ca5914bce1e2908aaee1
( 13 imports )
> kernel32.dll: DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
> user32.dll: GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
> advapi32.dll: RegQueryValueExA, RegOpenKeyExA, RegCloseKey
> oleaut32.dll: SysFreeString, SysReAllocStringLen, SysAllocStringLen
> kernel32.dll: TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
> advapi32.dll: RegQueryValueExA, RegOpenKeyExA, RegCloseKey
> kernel32.dll: lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualAlloc, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetSystemInfo, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, GetACP, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
> version.dll: VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
> gdi32.dll: UnrealizeObject, StretchBlt, SetWindowOrgEx, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExcludeClipRect, DeleteObject, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, BitBlt
> user32.dll: CreateWindowExA, WindowFromPoint, WinHelpA, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClientRect, GetClassNameA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
> kernel32.dll: Sleep
> oleaut32.dll: SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
> comctl32.dll: ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
( 0 exports )
File ormsgse.axz received on 01.09.2009 05:06:01 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 0/38 (0%)
Loading server information...
Your file is queued in position: 1.
Estimated start time is between 43 and 62 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Compact
Print results Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.
You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:
Antivirus Version Last Update Result
a-squared 4.0.0.73 2009.01.09 -
AhnLab-V3 2009.1.9.0 2009.01.08 -
AntiVir 7.9.0.45 2009.01.08 -
Authentium 5.1.0.4 2009.01.08 -
Avast 4.8.1281.0 2009.01.08 -
AVG 8.0.0.229 2009.01.08 -
BitDefender 7.2 2009.01.09 -
CAT-QuickHeal 10.00 2009.01.08 -
ClamAV 0.94.1 2009.01.08 -
Comodo 895 2009.01.08 -
DrWeb 4.44.0.09170 2009.01.08 -
eSafe 7.0.17.0 2009.01.08 -
eTrust-Vet 31.6.6299 2009.01.09 -
F-Prot 4.4.4.56 2009.01.08 -
F-Secure 8.0.14470.0 2009.01.09 -
Fortinet 3.117.0.0 2009.01.09 -
GData 19 2009.01.09 -
Ikarus T3.1.1.45.0 2009.01.09 -
K7AntiVirus 7.10.582 2009.01.08 -
Kaspersky 7.0.0.125 2009.01.09 -
McAfee 5489 2009.01.08 -
McAfee+Artemis 5489 2009.01.08 -
Microsoft 1.4205 2009.01.08 -
NOD32 3752 2009.01.08 -
Norman 5.99.02 2009.01.08 -
Panda 9.4.3.3 2009.01.08 -
PCTools 4.4.2.0 2009.01.08 -
Prevx1 V2 2009.01.09 -
Rising 21.11.40.00 2009.01.09 -
SecureWeb-Gateway 6.7.6 2009.01.09 -
Sophos 4.37.0 2009.01.09 -
Sunbelt 3.2.1831.2 2009.01.09 -
Symantec 10 2009.01.09 -
TheHacker 6.3.1.4.214 2009.01.09 -
TrendMicro 8.700.0.1004 2009.01.09 -
VBA32 3.12.8.10 2009.01.08 -
ViRobot 2009.1.9.1551 2009.01.09 -
VirusBuster 4.5.11.0 2009.01.08 -
Additional information
File size: 32 bytes
MD5...: aa2e25f550e78c44996d248365e2903f
SHA1..: e64a02c1f30a7a8092825655415ffde08f2a86ed
SHA256: c84627a5d302eb2e085e17a0696e71405345cd5c6d2bde21595f7d27db1cffd8
SHA512: 2e36ce3ea8bba755cd1bb136375b975fc613616bdbed8d89e0122efca775e387
bdca93bd051a77e9d7e44d8f7f6e6af9fd720d14833e5017748ed175dbc060dc
ssdeep: 3:hdgQPTSVIE:rQ
PEiD..: -
TrID..: File type identification
file seems to be plain text/ASCII (0.0%)
PEInfo: -
File ipacc_v2.dll received on 01.09.2009 05:13:30 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 0/38 (0%)
Loading server information...
Your file is queued in position: 1.
Estimated start time is between 38 and 55 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Compact
Print results Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.
You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:
Antivirus Version Last Update Result
a-squared 4.0.0.73 2009.01.09 -
AhnLab-V3 2009.1.9.0 2009.01.08 -
AntiVir 7.9.0.45 2009.01.08 -
Authentium 5.1.0.4 2009.01.08 -
Avast 4.8.1281.0 2009.01.08 -
AVG 8.0.0.229 2009.01.08 -
BitDefender 7.2 2009.01.09 -
CAT-QuickHeal 10.00 2009.01.08 -
ClamAV 0.94.1 2009.01.08 -
Comodo 895 2009.01.08 -
DrWeb 4.44.0.09170 2009.01.08 -
eSafe 7.0.17.0 2009.01.08 -
eTrust-Vet 31.6.6299 2009.01.09 -
F-Prot 4.4.4.56 2009.01.08 -
F-Secure 8.0.14470.0 2009.01.09 -
Fortinet 3.117.0.0 2009.01.09 -
GData 19 2009.01.09 -
Ikarus T3.1.1.45.0 2009.01.09 -
K7AntiVirus 7.10.582 2009.01.08 -
Kaspersky 7.0.0.125 2009.01.09 -
McAfee 5489 2009.01.08 -
McAfee+Artemis 5489 2009.01.08 -
Microsoft 1.4205 2009.01.08 -
NOD32 3752 2009.01.08 -
Norman 5.99.02 2009.01.08 -
Panda 9.4.3.3 2009.01.08 -
PCTools 4.4.2.0 2009.01.08 -
Prevx1 V2 2009.01.09 -
Rising 21.11.40.00 2009.01.09 -
SecureWeb-Gateway 6.7.6 2009.01.09 -
Sophos 4.37.0 2009.01.09 -
Sunbelt 3.2.1831.2 2009.01.09 -
Symantec 10 2009.01.09 -
TheHacker 6.3.1.4.214 2009.01.09 -
TrendMicro 8.700.0.1004 2009.01.09 -
VBA32 3.12.8.10 2009.01.08 -
ViRobot 2009.1.9.1551 2009.01.09 -
VirusBuster 4.5.11.0 2009.01.08 -
Additional information
File size: 57344 bytes
MD5...: aaa133dd21d070e2dcafe295ae3abc74
SHA1..: 464c4b1f857b8b6be6fc62fe23971f1826d38743
SHA256: 791dab7e2edc6625ee159f4dd90095518e2d0d72ae2cd1ec5e5a5f3d3dd728e5
SHA512: b9fa0cdb0196d4c592e8d8a7c3716dae7ab4cd23f9af0493e93e4b3fa6d04fcd
cc6f385cadc53b30f54e37f9956d0233672c69939a11c40cd3022fe1d3478dc8
ssdeep: 768:H7kV4BnYufrtY7vSJU83YSpkjQX/fSyEk/PgYmZphBKtVF:Hg4hYupffFQQX
/fPEk/Pgv8t/
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x1000305a
timedatestamp.....: 0x470b0031 (Tue Oct 09 04:14:41 2007)
machinetype.......: 0x14c (I386)
( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x8734 0x9000 6.38 5c430862fb76f0947c610938aca7dce5
.rdata 0xa000 0x1dda 0x2000 5.27 be684ba4b210d5081392232d2ce2432e
.data 0xc000 0x1b3c 0x1000 2.14 c2d827157f6b7f0586c1ef839936c57a
.reloc 0xe000 0xe24 0x1000 4.43 5bd8599783f2adf189043c6e6d6d5956
( 3 imports )
> WS2_32.dll: -, -, -, -, -, WSCGetProviderPath, WSCEnumProtocols
> SHLWAPI.dll: PathStripPathW
> KERNEL32.dll: IsValidCodePage, HeapSize, RtlUnwind, HeapReAlloc, VirtualAlloc, ExpandEnvironmentStringsA, InitializeCriticalSection, WideCharToMultiByte, LoadLibraryW, HeapDestroy, HeapCreate, GetLastError, GetProcAddress, LoadLibraryA, ExpandEnvironmentStringsW, HeapAlloc, HeapFree, EnterCriticalSection, LeaveCriticalSection, FreeLibrary, CloseHandle, GetCurrentProcessId, GetModuleFileNameW, OpenFileMappingW, MapViewOfFile, UnmapViewOfFile, DeleteCriticalSection, GetCurrentThreadId, GetCommandLineA, GetVersionExA, GetProcessHeap, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, GetModuleHandleA, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, ExitProcess, Sleep, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, VirtualFree, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, LCMapStringA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, WriteFile
( 1 exports )
WSPStartup
1. Close any open browsers.
2. Open notepad and copy/paste the text in the quotebox below into it:
Save this as CFScript.txt, in the same location as ComboFix.exe
Refering to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
2. Open notepad and copy/paste the text in the quotebox below into it:
QUOTE
File::
c:\windows\system32\ormsgse.axz
c:\windows\system32\inc_lj.exe
c:\windows\system32\searchURL.ini
c:\windows\system32\adset.ini
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17366785-68a8-11dd-ab37-0016ce642dea}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{85c1ee6c-8d61-11dd-ab92-0016ce642dea}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8903ed72-2d81-11dd-aab8-0015c5122b50}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ce84faf8-cc7e-11dd-ac4e-0016ce642dea}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e6f24e8a-07f8-11dd-aa71-0015c5122b50}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f2a315ee-6316-11dd-ab2a-0016ce642dea}]
c:\windows\system32\ormsgse.axz
c:\windows\system32\inc_lj.exe
c:\windows\system32\searchURL.ini
c:\windows\system32\adset.ini
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17366785-68a8-11dd-ab37-0016ce642dea}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{85c1ee6c-8d61-11dd-ab92-0016ce642dea}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8903ed72-2d81-11dd-aab8-0015c5122b50}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ce84faf8-cc7e-11dd-ac4e-0016ce642dea}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e6f24e8a-07f8-11dd-aa71-0015c5122b50}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f2a315ee-6316-11dd-ab2a-0016ce642dea}]
Save this as CFScript.txt, in the same location as ComboFix.exe
Refering to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Hello LoPhatPhuud,
Thank you for your reply. Here is the new ComboFix log. Please let me know if there is anything else I can do.
ComboFix 09-01-07.01 - Jian 2009-01-09 18:41:38.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.632 [GMT -5:00]
Running from: c:\documents and settings\Jian\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jian\Desktop\CFScript.txt
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated)
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
c:\windows\system32\adset.ini
c:\windows\system32\inc_lj.exe
c:\windows\system32\ormsgse.axz
c:\windows\system32\searchURL.ini
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\adset.ini
c:\windows\system32\drivers\acpidisk.sys
c:\windows\system32\gprmsgse.axz
c:\windows\system32\gscpx32r.det
c:\windows\system32\inc_lj.exe
c:\windows\system32\mscpx32r.det
c:\windows\system32\ormsgse.axz
c:\windows\system32\searchURL.ini
c:\windows\TEMP\~my1.tmp
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ACPIDISK
-------\Service_acpidisk
((((((((((((((((((((((((( Files Created from 2008-12-09 to 2009-01-09 )))))))))))))))))))))))))))))))
.
2009-01-07 17:41 . 2009-01-07 17:42 <DIR> d-------- c:\documents and settings\Jonathan
2009-01-06 18:06 . 2009-01-06 18:06 <DIR> d-------- c:\windows\Intel
2009-01-06 17:40 . 2009-01-06 17:40 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-06 17:40 . 2009-01-04 18:41 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-06 17:40 . 2009-01-04 18:41 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-03 11:43 . 2009-01-03 11:43 <DIR> d-------- c:\program files\Trend Micro
2008-12-25 10:17 . 2008-12-25 10:28 <DIR> d-------- c:\program files\qpgplayer
2008-12-23 09:38 . 2009-01-09 02:02 153,732 --a------ c:\windows\system32\drivers\pnpmem.sys
2008-12-20 19:18 . 2008-12-20 19:18 <DIR> d-------- c:\windows\PIF
2008-12-20 10:23 . <DIR> C:\bad
2008-12-20 10:23 . 2008-12-20 10:23 2 --a------ c:\windows\sysinfo.tmp
2008-12-19 10:02 . <DIR> c:\windows\Driver
2008-12-18 09:44 . 2009-01-06 17:53 <DIR> d-------- c:\windows\sony
2008-12-17 16:22 . 2008-12-17 16:22 <DIR> d-------- c:\documents and settings\Jian\Application Data\DAEMON Tools Pro
2008-12-17 16:08 . 2008-12-17 16:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2008-12-17 16:07 . 2008-12-17 16:22 <DIR> d-------- c:\documents and settings\Jian\Application Data\DAEMON Tools Lite
2008-12-16 11:37 . 2008-12-25 10:33 <DIR> d-------- C:\101MSDCF
2008-12-16 11:36 . 2001-08-17 13:56 7,552 --a------ c:\windows\system32\drivers\SONYPVU1.SYS
2008-12-16 11:36 . 2001-08-17 13:56 7,552 --a--c--- c:\windows\system32\dllcache\sonypvu1.sys
2008-12-14 11:38 . 2009-01-03 11:47 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-14 11:38 . 2008-12-14 11:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-09 00:43 --------- d-----w c:\documents and settings\Jian\Application Data\uTorrent
2009-01-07 15:56 --------- d-----w c:\documents and settings\Jian\Application Data\Orbit
2009-01-03 20:55 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-17 21:22 --------- d-----w c:\documents and settings\Jian\Application Data\DAEMON Tools
2008-11-24 18:50 --------- d-----w c:\documents and settings\Jian\Application Data\goombah
2008-11-24 18:12 --------- d-----w c:\documents and settings\Jian\Application Data\Ruckus Network
2008-11-12 22:47 --------- d-----w c:\program files\MSXML 4.0
2008-12-19 15:02 155,648 ----a-w c:\program files\internet explorer\plugins\icwres.dll
2008-09-13 15:45 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091320080914\index.dat
.
((((((((((((((((((((((((((((( snapshot@2009-01-07_18.31.59.89 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-07 23:29:19 16,384 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-09 23:45:39 16,384 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-01-07 23:29:19 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-09 23:45:39 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-01-07 23:29:19 98,304 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-09 23:45:39 98,304 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-01-07 23:28:13 234,012 ----a-w c:\windows\system32\perfc009.dat
+ 2009-01-09 23:44:31 236,732 ----a-w c:\windows\system32\perfc009.dat
- 2009-01-07 23:28:13 685,466 ----a-w c:\windows\system32\perfh009.dat
+ 2009-01-09 23:44:31 689,976 ----a-w c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-07-16 111952]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Ruckus Player\\Ruckus.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12301:TCP"= 12301:TCP:160.36.178.188/255.255.255.255:Enabled:McAfeeServer
"12301:UDP"= 12301:UDP:160.36.178.188/255.255.255.255:Enabled:McAfeeServer
"12302:TCP"= 12302:TCP:160.36.178.188/255.255.255.255:Enabled:McAfeeUpdate
"12302:UDP"= 12302:UDP:160.36.178.188/255.255.255.255:Enabled:McAfeeUpdate
R4 BCMWLNPF;Broadcom Netgroup Packet Filter;c:\windows\system32\drivers\BCMWLNPF.SYS [2008-02-21 33664]
R4 pnpmem;pnpmem;c:\windows\system32\drivers\pnpmem.sys [2008-12-23 153732]
S3 npkycryp;npkycryp;\??\c:\windows\system32\npkycryp.sys --> c:\windows\system32\npkycryp.sys [?]
S4 Baidu;Baidu Service;c:\windows\system32\systema.exe --> c:\windows\system32\systema.exe [?]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = local
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: Download All by FlashGet - c:\documents and settings\Jian\My Documents\flashget\FlashGet\jc_all.htm
IE: Download using FlashGet - c:\documents and settings\Jian\My Documents\flashget\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\progra~1\ipacc\ipacc_v2.dll
c:\windows\Downloaded Program Files\downloader.dll - O16 -: {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A}
hxxp://dl.uc.sina.com/cab/downloader.cab
c:\windows\Downloaded Program Files\downloader.inf
FF - ProfilePath - c:\documents and settings\Jian\Application Data\Mozilla\Firefox\Profiles\u6x4l6y3.default\
FF - prefs.js: browser.startup.homepage - hxxp://utk.edu/
FF - plugin: c:\documents and settings\Jian\Application Data\Mozilla\Firefox\Profiles\u6x4l6y3.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071102000004.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-09 18:47:08
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{295AB8C6-FB22-4D17-8834-064E2BA0A6F0}]
@Denied: (A) (Users)
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="Info cache"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{295AB8C6-FB22-4D17-8834-064E2BA0A6F0}\InprocServer32]
@Denied: (A) (Users)
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="c:\\WINDOWS\\Intel\\baiduc.dll"
"ThreadingModel"="Apartment"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{295AB8C6-FB22-4D17-8834-064E2BA0A6F0}\TypeLib]
@="{285AB8C5-FB22-4D17-8834-064E2BA0A6F0}"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(696)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\syslib .dll
c:\program files\Bonjour\mdnsNSP.dll
c:\progra~1\ipacc\ipacc_v2.dll
- - - - - - - > 'lsass.exe'(752)
c:\progra~1\ipacc\ipacc_v2.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\ati2evxx.exe
c:\program files\McAfee\Common Framework\Mctray.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-09 18:49:31 - machine was rebooted [Jian]
ComboFix-quarantined-files.txt 2009-01-09 23:49:28
ComboFix2.txt 2009-01-07 23:32:38
Pre-Run: 55,695,630,336 bytes free
Post-Run: 55,712,014,336 bytes free
199 --- E O F --- 2008-12-18 14:26:38
Thank you for your reply. Here is the new ComboFix log. Please let me know if there is anything else I can do.
ComboFix 09-01-07.01 - Jian 2009-01-09 18:41:38.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.632 [GMT -5:00]
Running from: c:\documents and settings\Jian\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jian\Desktop\CFScript.txt
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated)
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
c:\windows\system32\adset.ini
c:\windows\system32\inc_lj.exe
c:\windows\system32\ormsgse.axz
c:\windows\system32\searchURL.ini
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\adset.ini
c:\windows\system32\drivers\acpidisk.sys
c:\windows\system32\gprmsgse.axz
c:\windows\system32\gscpx32r.det
c:\windows\system32\inc_lj.exe
c:\windows\system32\mscpx32r.det
c:\windows\system32\ormsgse.axz
c:\windows\system32\searchURL.ini
c:\windows\TEMP\~my1.tmp
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ACPIDISK
-------\Service_acpidisk
((((((((((((((((((((((((( Files Created from 2008-12-09 to 2009-01-09 )))))))))))))))))))))))))))))))
.
2009-01-07 17:41 . 2009-01-07 17:42 <DIR> d-------- c:\documents and settings\Jonathan
2009-01-06 18:06 . 2009-01-06 18:06 <DIR> d-------- c:\windows\Intel
2009-01-06 17:40 . 2009-01-06 17:40 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-06 17:40 . 2009-01-04 18:41 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-06 17:40 . 2009-01-04 18:41 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-03 11:43 . 2009-01-03 11:43 <DIR> d-------- c:\program files\Trend Micro
2008-12-25 10:17 . 2008-12-25 10:28 <DIR> d-------- c:\program files\qpgplayer
2008-12-23 09:38 . 2009-01-09 02:02 153,732 --a------ c:\windows\system32\drivers\pnpmem.sys
2008-12-20 19:18 . 2008-12-20 19:18 <DIR> d-------- c:\windows\PIF
2008-12-20 10:23 . <DIR> C:\bad
2008-12-20 10:23 . 2008-12-20 10:23 2 --a------ c:\windows\sysinfo.tmp
2008-12-19 10:02 . <DIR> c:\windows\Driver
2008-12-18 09:44 . 2009-01-06 17:53 <DIR> d-------- c:\windows\sony
2008-12-17 16:22 . 2008-12-17 16:22 <DIR> d-------- c:\documents and settings\Jian\Application Data\DAEMON Tools Pro
2008-12-17 16:08 . 2008-12-17 16:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2008-12-17 16:07 . 2008-12-17 16:22 <DIR> d-------- c:\documents and settings\Jian\Application Data\DAEMON Tools Lite
2008-12-16 11:37 . 2008-12-25 10:33 <DIR> d-------- C:\101MSDCF
2008-12-16 11:36 . 2001-08-17 13:56 7,552 --a------ c:\windows\system32\drivers\SONYPVU1.SYS
2008-12-16 11:36 . 2001-08-17 13:56 7,552 --a--c--- c:\windows\system32\dllcache\sonypvu1.sys
2008-12-14 11:38 . 2009-01-03 11:47 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-14 11:38 . 2008-12-14 11:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-09 00:43 --------- d-----w c:\documents and settings\Jian\Application Data\uTorrent
2009-01-07 15:56 --------- d-----w c:\documents and settings\Jian\Application Data\Orbit
2009-01-03 20:55 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-17 21:22 --------- d-----w c:\documents and settings\Jian\Application Data\DAEMON Tools
2008-11-24 18:50 --------- d-----w c:\documents and settings\Jian\Application Data\goombah
2008-11-24 18:12 --------- d-----w c:\documents and settings\Jian\Application Data\Ruckus Network
2008-11-12 22:47 --------- d-----w c:\program files\MSXML 4.0
2008-12-19 15:02 155,648 ----a-w c:\program files\internet explorer\plugins\icwres.dll
2008-09-13 15:45 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091320080914\index.dat
.
((((((((((((((((((((((((((((( snapshot@2009-01-07_18.31.59.89 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-07 23:29:19 16,384 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-09 23:45:39 16,384 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-01-07 23:29:19 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-09 23:45:39 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-01-07 23:29:19 98,304 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-09 23:45:39 98,304 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-01-07 23:28:13 234,012 ----a-w c:\windows\system32\perfc009.dat
+ 2009-01-09 23:44:31 236,732 ----a-w c:\windows\system32\perfc009.dat
- 2009-01-07 23:28:13 685,466 ----a-w c:\windows\system32\perfh009.dat
+ 2009-01-09 23:44:31 689,976 ----a-w c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-07-16 111952]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Ruckus Player\\Ruckus.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12301:TCP"= 12301:TCP:160.36.178.188/255.255.255.255:Enabled:McAfeeServer
"12301:UDP"= 12301:UDP:160.36.178.188/255.255.255.255:Enabled:McAfeeServer
"12302:TCP"= 12302:TCP:160.36.178.188/255.255.255.255:Enabled:McAfeeUpdate
"12302:UDP"= 12302:UDP:160.36.178.188/255.255.255.255:Enabled:McAfeeUpdate
R4 BCMWLNPF;Broadcom Netgroup Packet Filter;c:\windows\system32\drivers\BCMWLNPF.SYS [2008-02-21 33664]
R4 pnpmem;pnpmem;c:\windows\system32\drivers\pnpmem.sys [2008-12-23 153732]
S3 npkycryp;npkycryp;\??\c:\windows\system32\npkycryp.sys --> c:\windows\system32\npkycryp.sys [?]
S4 Baidu;Baidu Service;c:\windows\system32\systema.exe --> c:\windows\system32\systema.exe [?]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = local
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: Download All by FlashGet - c:\documents and settings\Jian\My Documents\flashget\FlashGet\jc_all.htm
IE: Download using FlashGet - c:\documents and settings\Jian\My Documents\flashget\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\progra~1\ipacc\ipacc_v2.dll
c:\windows\Downloaded Program Files\downloader.dll - O16 -: {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A}
hxxp://dl.uc.sina.com/cab/downloader.cab
c:\windows\Downloaded Program Files\downloader.inf
FF - ProfilePath - c:\documents and settings\Jian\Application Data\Mozilla\Firefox\Profiles\u6x4l6y3.default\
FF - prefs.js: browser.startup.homepage - hxxp://utk.edu/
FF - plugin: c:\documents and settings\Jian\Application Data\Mozilla\Firefox\Profiles\u6x4l6y3.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071102000004.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-09 18:47:08
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{295AB8C6-FB22-4D17-8834-064E2BA0A6F0}]
@Denied: (A) (Users)
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="Info cache"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{295AB8C6-FB22-4D17-8834-064E2BA0A6F0}\InprocServer32]
@Denied: (A) (Users)
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="c:\\WINDOWS\\Intel\\baiduc.dll"
"ThreadingModel"="Apartment"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{295AB8C6-FB22-4D17-8834-064E2BA0A6F0}\TypeLib]
@="{285AB8C5-FB22-4D17-8834-064E2BA0A6F0}"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(696)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\syslib .dll
c:\program files\Bonjour\mdnsNSP.dll
c:\progra~1\ipacc\ipacc_v2.dll
- - - - - - - > 'lsass.exe'(752)
c:\progra~1\ipacc\ipacc_v2.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\ati2evxx.exe
c:\program files\McAfee\Common Framework\Mctray.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-09 18:49:31 - machine was rebooted [Jian]
ComboFix-quarantined-files.txt 2009-01-09 23:49:28
ComboFix2.txt 2009-01-07 23:32:38
Pre-Run: 55,695,630,336 bytes free
Post-Run: 55,712,014,336 bytes free
199 --- E O F --- 2008-12-18 14:26:38
Looks good. Let;s remove COmboFix then run HiJackThis and post a new log in this thread.,
Click Start, then click Run.
Enter into the command box that opens: combofix /u and then click OK.
Click Start, then click Run.
Enter into the command box that opens: combofix /u and then click OK.
Hello LoPhatPhuud,
It's good to hear my PC is getting better, and it does. But my McAfee still constantly reminds my about the detection of "PWS-QQpass" trojan. I would love to get this fixed if possible. But already, thank you for you much help. Here is the newest HJT log. Please let me know if there is anything else I can do.
Thanks!!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:48:36 PM, on 1/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: Octh Class - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Info cache - {295AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\WINDOWS\Intel\baiduc.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\DOCUME~1\Jian\MYDOCU~1\flashget\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\DOCUME~1\Jian\MYDOCU~1\flashget\FlashGet\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\DOCUME~1\Jian\MYDOCU~1\flashget\FlashGet\fgiebar.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Download All by FlashGet - C:\Documents and Settings\Jian\My Documents\flashget\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Documents and Settings\Jian\My Documents\flashget\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\DOCUME~1\Jian\MYDOCU~1\flashget\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\DOCUME~1\Jian\MYDOCU~1\flashget\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\progra~1\ipacc\ipacc_v2.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\ipacc\ipacc_v2.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\ipacc\ipacc_v2.dll
O16 - DPF: {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A} (DLoader Class) - http://dl.uc.sina.com/cab/downloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Baidu Service (Baidu) - Unknown owner - C:\WINDOWS\system32\systema.exe (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 7043 bytes
It's good to hear my PC is getting better, and it does. But my McAfee still constantly reminds my about the detection of "PWS-QQpass" trojan. I would love to get this fixed if possible. But already, thank you for you much help. Here is the newest HJT log. Please let me know if there is anything else I can do.
Thanks!!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:48:36 PM, on 1/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: Octh Class - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Info cache - {295AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\WINDOWS\Intel\baiduc.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\DOCUME~1\Jian\MYDOCU~1\flashget\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\DOCUME~1\Jian\MYDOCU~1\flashget\FlashGet\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\DOCUME~1\Jian\MYDOCU~1\flashget\FlashGet\fgiebar.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Download All by FlashGet - C:\Documents and Settings\Jian\My Documents\flashget\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Documents and Settings\Jian\My Documents\flashget\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\DOCUME~1\Jian\MYDOCU~1\flashget\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\DOCUME~1\Jian\MYDOCU~1\flashget\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\progra~1\ipacc\ipacc_v2.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\ipacc\ipacc_v2.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\ipacc\ipacc_v2.dll
O16 - DPF: {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A} (DLoader Class) - http://dl.uc.sina.com/cab/downloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Baidu Service (Baidu) - Unknown owner - C:\WINDOWS\system32\systema.exe (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 7043 bytes
Check your McAfee logs and post the name (and full path if available) of the file McAfee is detecting.
Hello LoPhatPhuud,
I didn't feel my computer slow down, but the messages pop up frequently, and it's really annoying...
Here are the messages I got from McAfee so far for today:
1/31/2009 10:18:06 AM Deleted NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\TEMP\DR20080807.EXE PWS-QQPass (Trojan)
1/31/2009 10:18:07 AM Deleted NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\TEMP\dr20080807.exe PWS-QQPass (Trojan)
1/31/2009 10:18:09 AM Deleted NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\F1P9NBG4\DR20080807[1].GIF PWS-QQPass (Trojan)
1/31/2009 10:18:09 AM Deleted NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\F1P9NBG4\dr20080807[1].gif PWS-QQPass (Trojan)
1/31/2009 10:23:10 AM Deleted NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\TEMP\DR20080807.EXE PWS-QQPass (Trojan)
1/31/2009 10:23:10 AM Deleted NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\TEMP\dr20080807.exe PWS-QQPass (Trojan)
1/31/2009 10:23:13 AM Deleted NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\HTMV4O6E\DR20080807[1].GIF PWS-QQPass (Trojan)
1/31/2009 10:23:13 AM Deleted NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\HTMV4O6E\dr20080807[1].gif PWS-QQPass (Trojan)
1/31/2009 10:38:15 AM Deleted NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\TEMP\DR20080807.EXE PWS-QQPass (Trojan)
1/31/2009 10:38:15 AM Deleted NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\TEMP\dr20080807.exe PWS-QQPass (Trojan)
1/31/2009 10:38:18 AM Deleted NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\F1P9NBG4\DR20080807[1].GIF PWS-QQPass (Trojan)
1/31/2009 10:38:18 AM Deleted NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\F1P9NBG4\dr20080807[1].gif PWS-QQPass (Trojan)
1/31/2009 11:08:20 AM Deleted NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\TEMP\DR20080807.EXE PWS-QQPass (Trojan)
1/31/2009 11:08:20 AM Deleted NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\TEMP\dr20080807.exe PWS-QQPass (Trojan)
1/31/2009 11:08:23 AM Deleted NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\HTMV4O6E\DR20080807[1].GIF PWS-QQPass (Trojan)
1/31/2009 11:08:23 AM Deleted NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\HTMV4O6E\dr20080807[1].gif PWS-QQPass (Trojan)
Please let me know if there is any thing else I can do!!
Thanks
Jonathan
I didn't feel my computer slow down, but the messages pop up frequently, and it's really annoying...
Here are the messages I got from McAfee so far for today:
1/31/2009 10:18:06 AM Deleted NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\TEMP\DR20080807.EXE PWS-QQPass (Trojan)
1/31/2009 10:18:07 AM Deleted NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\TEMP\dr20080807.exe PWS-QQPass (Trojan)
1/31/2009 10:18:09 AM Deleted NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\F1P9NBG4\DR20080807[1].GIF PWS-QQPass (Trojan)
1/31/2009 10:18:09 AM Deleted NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\F1P9NBG4\dr20080807[1].gif PWS-QQPass (Trojan)
1/31/2009 10:23:10 AM Deleted NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\TEMP\DR20080807.EXE PWS-QQPass (Trojan)
1/31/2009 10:23:10 AM Deleted NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\TEMP\dr20080807.exe PWS-QQPass (Trojan)
1/31/2009 10:23:13 AM Deleted NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\HTMV4O6E\DR20080807[1].GIF PWS-QQPass (Trojan)
1/31/2009 10:23:13 AM Deleted NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\HTMV4O6E\dr20080807[1].gif PWS-QQPass (Trojan)
1/31/2009 10:38:15 AM Deleted NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\TEMP\DR20080807.EXE PWS-QQPass (Trojan)
1/31/2009 10:38:15 AM Deleted NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\TEMP\dr20080807.exe PWS-QQPass (Trojan)
1/31/2009 10:38:18 AM Deleted NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\F1P9NBG4\DR20080807[1].GIF PWS-QQPass (Trojan)
1/31/2009 10:38:18 AM Deleted NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\F1P9NBG4\dr20080807[1].gif PWS-QQPass (Trojan)
1/31/2009 11:08:20 AM Deleted NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\TEMP\DR20080807.EXE PWS-QQPass (Trojan)
1/31/2009 11:08:20 AM Deleted NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\TEMP\dr20080807.exe PWS-QQPass (Trojan)
1/31/2009 11:08:23 AM Deleted NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\HTMV4O6E\DR20080807[1].GIF PWS-QQPass (Trojan)
1/31/2009 11:08:23 AM Deleted NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\HTMV4O6E\dr20080807[1].gif PWS-QQPass (Trojan)
Please let me know if there is any thing else I can do!!
Thanks
Jonathan
Let';s run ComboFix again. That is a malware file but it wasn't showing before. Info I have do not show the source and I want to find what is putting it there.
Download ComboFix from one of these locations:
Link 1
Link 2
Link 3
* IMPORTANT !!! Save ComboFix.exe to your Desktop
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Give it at least 20-30 minutes to finish if needed.
Download ComboFix from one of these locations:
Link 1
Link 2
Link 3
* IMPORTANT !!! Save ComboFix.exe to your Desktop
- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
- Double click on ComboFix.exe & follow the prompts.
- As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Give it at least 20-30 minutes to finish if needed.
Hello LoPhatPhuud,
Again, thank you for your reply. Here is my new ComboFix log:
ComboFix 09-02-01.01 - Jian 2009-02-01 12:29:32.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.613 [GMT -5:00]
Running from: c:\documents and settings\Jian\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated)
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\B4eocaps.SRG
c:\windows\system32\drivers\acpidisk.sys
c:\windows\system32\gprmsgse.axz
c:\windows\system32\gscpx32r.det
c:\windows\system32\mprmsgse.axz
c:\windows\system32\mscpx32r.det
c:\windows\TEMP\~my1.tmp
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ACPIDISK
-------\Service_acpidisk
((((((((((((((((((((((((( Files Created from 2009-01-01 to 2009-02-01 )))))))))))))))))))))))))))))))
.
2009-01-29 14:13 . 2009-01-29 14:13 <DIR> d-------- c:\program files\NCSS
2009-01-29 14:13 . 2009-01-29 14:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Resources
2009-01-29 14:11 . 2009-01-29 14:11 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-10 10:14 . 2009-01-10 10:14 32 --a------ c:\windows\system32\ormsgse.axz
2009-01-07 17:41 . 2009-01-07 17:42 <DIR> d-------- c:\documents and settings\Jonathan
2009-01-06 18:06 . 2009-01-31 14:21 <DIR> d-------- c:\windows\Intel
2009-01-06 17:40 . 2009-01-06 17:40 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-06 17:40 . 2009-01-04 18:41 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-06 17:40 . 2009-01-04 18:41 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-03 11:43 . 2009-01-03 11:43 <DIR> d-------- c:\program files\Trend Micro
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-31 22:29 --------- d-----w c:\documents and settings\Jian\Application Data\Orbit
2009-01-31 15:33 --------- d-----w c:\program files\Dell
2009-01-10 18:28 --------- d-----w c:\documents and settings\Jian\Application Data\Move Networks
2009-01-09 07:02 153,732 ----a-w c:\windows\system32\drivers\pnpmem.sys
2009-01-09 00:43 --------- d-----w c:\documents and settings\Jian\Application Data\uTorrent
2009-01-03 20:55 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-03 16:47 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-25 15:28 --------- d-----w c:\program files\qpgplayer
2008-12-17 21:22 --------- d-----w c:\documents and settings\Jian\Application Data\DAEMON Tools Pro
2008-12-17 21:22 --------- d-----w c:\documents and settings\Jian\Application Data\DAEMON Tools Lite
2008-12-17 21:22 --------- d-----w c:\documents and settings\Jian\Application Data\DAEMON Tools
2008-12-17 21:08 --------- d-----w c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2008-12-14 16:43 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-19 15:02 155,648 ----a-w c:\program files\internet explorer\plugins\icwres.dll
2008-09-13 15:45 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091320080914\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{296AB8C6-FB22-4D17-8834-064E2BA0A6F0}]
2009-02-05 00:06 163840 -ra------ c:\windows\Intel\baiduc.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-07-16 111952]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Ruckus Player\\Ruckus.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12301:TCP"= 12301:TCP:160.36.178.188/255.255.255.255:Enabled:McAfeeServer
"12301:UDP"= 12301:UDP:160.36.178.188/255.255.255.255:Enabled:McAfeeServer
"12302:TCP"= 12302:TCP:160.36.178.188/255.255.255.255:Enabled:McAfeeUpdate
"12302:UDP"= 12302:UDP:160.36.178.188/255.255.255.255:Enabled:McAfeeUpdate
R2 BCMWLNPF;Broadcom Netgroup Packet Filter;c:\windows\system32\drivers\BCMWLNPF.SYS [2008-02-21 33664]
R2 pnpmem;pnpmem;c:\windows\system32\drivers\pnpmem.sys [2008-12-23 153732]
S2 Baidu;Baidu Service;c:\windows\system32\systema.exe --> c:\windows\system32\systema.exe [?]
S3 npkycryp;npkycryp;\??\c:\windows\system32\npkycryp.sys --> c:\windows\system32\npkycryp.sys [?]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = local
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: Download All by FlashGet - c:\documents and settings\Jian\My Documents\flashget\FlashGet\jc_all.htm
IE: Download using FlashGet - c:\documents and settings\Jian\My Documents\flashget\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\progra~1\ipacc\ipacc_v2.dll
DPF: {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A} - hxxp://dl.uc.sina.com/cab/downloader.cab
FF - ProfilePath - c:\documents and settings\Jian\Application Data\Mozilla\Firefox\Profiles\u6x4l6y3.default\
FF - prefs.js: browser.startup.homepage - hxxp://utk.edu/
FF - plugin: c:\documents and settings\Jian\Application Data\Mozilla\Firefox\Profiles\u6x4l6y3.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071102000005.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-01 12:34:43
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{296AB8C6-FB22-4D17-8834-064E2BA0A6F0}]
@Denied: (A) (Users)
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="Info cache"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{296AB8C6-FB22-4D17-8834-064E2BA0A6F0}\InprocServer32]
@Denied: (A) (Users)
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="c:\\WINDOWS\\Intel\\baiduc.dll"
"ThreadingModel"="Apartment"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{296AB8C6-FB22-4D17-8834-064E2BA0A6F0}\TypeLib]
@="{285AB8C5-FB22-4D17-8834-064E2BA0A6F0}"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(516)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\syslib .dll
- - - - - - - > 'lsass.exe'(572)
c:\progra~1\ipacc\ipacc_v2.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\dllhost.exe
c:\program files\McAfee\Common Framework\Mctray.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-02-01 12:37:23 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-01 17:37:20
ComboFix2.txt 2009-01-09 23:49:32
Pre-Run: 53,364,555,776 bytes free
Post-Run: 53,761,810,432 bytes free
171 --- E O F --- 2009-01-14 14:52:29
Again, thank you for your reply. Here is my new ComboFix log:
ComboFix 09-02-01.01 - Jian 2009-02-01 12:29:32.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.613 [GMT -5:00]
Running from: c:\documents and settings\Jian\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated)
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\B4eocaps.SRG
c:\windows\system32\drivers\acpidisk.sys
c:\windows\system32\gprmsgse.axz
c:\windows\system32\gscpx32r.det
c:\windows\system32\mprmsgse.axz
c:\windows\system32\mscpx32r.det
c:\windows\TEMP\~my1.tmp
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ACPIDISK
-------\Service_acpidisk
((((((((((((((((((((((((( Files Created from 2009-01-01 to 2009-02-01 )))))))))))))))))))))))))))))))
.
2009-01-29 14:13 . 2009-01-29 14:13 <DIR> d-------- c:\program files\NCSS
2009-01-29 14:13 . 2009-01-29 14:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Resources
2009-01-29 14:11 . 2009-01-29 14:11 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-10 10:14 . 2009-01-10 10:14 32 --a------ c:\windows\system32\ormsgse.axz
2009-01-07 17:41 . 2009-01-07 17:42 <DIR> d-------- c:\documents and settings\Jonathan
2009-01-06 18:06 . 2009-01-31 14:21 <DIR> d-------- c:\windows\Intel
2009-01-06 17:40 . 2009-01-06 17:40 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-06 17:40 . 2009-01-04 18:41 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-06 17:40 . 2009-01-04 18:41 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-03 11:43 . 2009-01-03 11:43 <DIR> d-------- c:\program files\Trend Micro
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-31 22:29 --------- d-----w c:\documents and settings\Jian\Application Data\Orbit
2009-01-31 15:33 --------- d-----w c:\program files\Dell
2009-01-10 18:28 --------- d-----w c:\documents and settings\Jian\Application Data\Move Networks
2009-01-09 07:02 153,732 ----a-w c:\windows\system32\drivers\pnpmem.sys
2009-01-09 00:43 --------- d-----w c:\documents and settings\Jian\Application Data\uTorrent
2009-01-03 20:55 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-03 16:47 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-25 15:28 --------- d-----w c:\program files\qpgplayer
2008-12-17 21:22 --------- d-----w c:\documents and settings\Jian\Application Data\DAEMON Tools Pro
2008-12-17 21:22 --------- d-----w c:\documents and settings\Jian\Application Data\DAEMON Tools Lite
2008-12-17 21:22 --------- d-----w c:\documents and settings\Jian\Application Data\DAEMON Tools
2008-12-17 21:08 --------- d-----w c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2008-12-14 16:43 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-19 15:02 155,648 ----a-w c:\program files\internet explorer\plugins\icwres.dll
2008-09-13 15:45 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091320080914\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{296AB8C6-FB22-4D17-8834-064E2BA0A6F0}]
2009-02-05 00:06 163840 -ra------ c:\windows\Intel\baiduc.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-07-16 111952]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Ruckus Player\\Ruckus.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12301:TCP"= 12301:TCP:160.36.178.188/255.255.255.255:Enabled:McAfeeServer
"12301:UDP"= 12301:UDP:160.36.178.188/255.255.255.255:Enabled:McAfeeServer
"12302:TCP"= 12302:TCP:160.36.178.188/255.255.255.255:Enabled:McAfeeUpdate
"12302:UDP"= 12302:UDP:160.36.178.188/255.255.255.255:Enabled:McAfeeUpdate
R2 BCMWLNPF;Broadcom Netgroup Packet Filter;c:\windows\system32\drivers\BCMWLNPF.SYS [2008-02-21 33664]
R2 pnpmem;pnpmem;c:\windows\system32\drivers\pnpmem.sys [2008-12-23 153732]
S2 Baidu;Baidu Service;c:\windows\system32\systema.exe --> c:\windows\system32\systema.exe [?]
S3 npkycryp;npkycryp;\??\c:\windows\system32\npkycryp.sys --> c:\windows\system32\npkycryp.sys [?]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = local
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: Download All by FlashGet - c:\documents and settings\Jian\My Documents\flashget\FlashGet\jc_all.htm
IE: Download using FlashGet - c:\documents and settings\Jian\My Documents\flashget\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\progra~1\ipacc\ipacc_v2.dll
DPF: {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A} - hxxp://dl.uc.sina.com/cab/downloader.cab
FF - ProfilePath - c:\documents and settings\Jian\Application Data\Mozilla\Firefox\Profiles\u6x4l6y3.default\
FF - prefs.js: browser.startup.homepage - hxxp://utk.edu/
FF - plugin: c:\documents and settings\Jian\Application Data\Mozilla\Firefox\Profiles\u6x4l6y3.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071102000005.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-01 12:34:43
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{296AB8C6-FB22-4D17-8834-064E2BA0A6F0}]
@Denied: (A) (Users)
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="Info cache"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{296AB8C6-FB22-4D17-8834-064E2BA0A6F0}\InprocServer32]
@Denied: (A) (Users)
@Denied: (A) (PowerUsers)
@Denied: (A) (Administrators)
@="c:\\WINDOWS\\Intel\\baiduc.dll"
"ThreadingModel"="Apartment"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{296AB8C6-FB22-4D17-8834-064E2BA0A6F0}\TypeLib]
@="{285AB8C5-FB22-4D17-8834-064E2BA0A6F0}"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(516)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\syslib .dll
- - - - - - - > 'lsass.exe'(572)
c:\progra~1\ipacc\ipacc_v2.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\dllhost.exe
c:\program files\McAfee\Common Framework\Mctray.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-02-01 12:37:23 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-01 17:37:20
ComboFix2.txt 2009-01-09 23:49:32
Pre-Run: 53,364,555,776 bytes free
Post-Run: 53,761,810,432 bytes free
171 --- E O F --- 2009-01-14 14:52:29
I think I may have found it. Did you install Baidu?/ It's a Chinese search engine. See this Wikipedia article about it. http://en.wikipedia.org/wiki/Baidu
THe file associated with it is c:\windows\system32\systema.exe and I believe a check at VirusTotal will confirm it is malware.
It was there before, but I have seen versions of it that did not return infected so I did not check.
Please submit the following file(s) to VirusTotal for analysis: http://www.virustotal.com
c:\windows\system32\systema.exe
Be sure to post the results in this thread.
THe file associated with it is c:\windows\system32\systema.exe and I believe a check at VirusTotal will confirm it is malware.
It was there before, but I have seen versions of it that did not return infected so I did not check.
Please submit the following file(s) to VirusTotal for analysis: http://www.virustotal.com
c:\windows\system32\systema.exe
Be sure to post the results in this thread.
Hello LoPhatPhuud,
Thank you for your reply. I have searched all my files (including hidden and system files) under C:\WINDOWS but could not find a file named "systema.exe". It's kind of weird that I saw this file all over my reports but just could not find it. Sorry...
SO please let me know what else I can do to help you to figure this out...
Thanks
Jonathan
Thank you for your reply. I have searched all my files (including hidden and system files) under C:\WINDOWS but could not find a file named "systema.exe". It's kind of weird that I saw this file all over my reports but just could not find it. Sorry...
SO please let me know what else I can do to help you to figure this out...
Thanks
Jonathan
Do you have an entry in Add/Remove Programs for Baidu or Baidu Service?
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.