Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

TROJAN VIRUS PSW.ONLINE GAMES Infection in my PC.Help! [RESOLVED]


  • This topic is locked This topic is locked

#1
kuihkociboy

kuihkociboy

    Member

  • Member
  • PipPip
  • 14 posts
Hi ,to anyone who's reading this post or to anybody who is willing to help me out here.

I am a new member and ny name is kuihkociboy an I am from Kuala Lumpur, Malaysia.You can address me as KKB as well .(short form)

Here is my problem :-
About six months ago in 2007, I have noticed that my PC (Pentium 3, 533HZ,Windows XP) was operating slower than it's usual speed. Everytime I open a folder/ file or browse the internet, it takes about 1 minute to do . So, I thought my old PC might be was giving way.

Few weeks later, everytime when I start up my Computer, there will be a message error of 'vcehelp.exe not found' before my deskstop appears,which I have close it before I can access my desktop.

I got very suspicious as to the sudden slowerspeed-than-usual ,and the appearance of this message error everytime I have my PC turned on. Consequently , I decide to download and install the Anti-Virus Guard (AVG) free Advisor ,just to scan for any viruses or malware.

Boy, was I shocked to find a few Trojan Viruses PSW. Online Games in my PC!I tied to heal or delete my infected files, but they kept on appearing in my AVG scans and some how, more and more torjan viruses are being detected.

I never had expected to be infected by Trojan Viruses from Online Games ,since I do not play online games as this PC is strictly for surfing the Net and used for basic applications only. Anyway, it does not matter how I got infected ,but I really want to solve this problem and get over it.

Now, my PC is very slow in operation :) . It takes minutes for the desktop to appear. I have not been connected to internet with this PC for about 1 week. It takes more than a day to complete an AVG virus scan ,as the PC is really slow.

I was told by a friend in my country whose PC got infected by the same type of virus that the Geeks2go forum had a very good specialist for malware removal ny the nale of Kahdah ,who managed to help many people who encounter the same problem as I did.

So, Kahdah if you are reading this post, I really hope you can help me out! I have no clues on how to fix this problem. :)

Hereby with my post, I have attached some screen shots of my list of trojan viruses scanned by AVG. Please take note that the dates of virus found are not exactly last year. This is because the dates and times setting in my computer has gone haywire due this infection.
1.JPG
2.JPG
3.JPG
  • 0

Advertisements


#2
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
  • 0

#3
kuihkociboy

kuihkociboy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Dear Rorschach112,

First and foremost,thank very much for your kindness to help me out. I really appreciate your help. Please be patient with me as I am very slow learner and I need some time to figure out certain things.

I have completed the COMBOFIX Scan ,which the scan ended up with a log written in Notepad(combofix.txt). So, I copied and paste whatever that was written in the particular notepad below here :




ComboFix 08-02-25.3 - Administrator 2008-02-26 12:41:06.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.117 [GMT 8:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\All Users\Application Data\microsoft\office\system
C:\Documents and Settings\All Users\Application Data\microsoft\office\system\b8ELTPzqQs_3103
C:\Documents and Settings\All Users\Application Data\microsoft\office\userdata
C:\Documents and Settings\All Users\Application Data\microsoft\pctools
C:\Documents and Settings\All Users\Application Data\microsoft\pctools\pctools.dll
C:\Documents and Settings\All Users\Application Data\t
C:\Documents and Settings\All Users\Application Data\t\a2001.dat
C:\Documents and Settings\All Users\Application Data\t\ad\dc080128.lz
C:\Documents and Settings\All Users\Application Data\t\ad\de4466485\800-600.swf
C:\Documents and Settings\All Users\Application Data\t\ad\de4466485\blank.gif
C:\Documents and Settings\All Users\Application Data\t\ad\de4466485\click.js
C:\Documents and Settings\All Users\Application Data\t\ad\de4466485\index.htm
C:\Documents and Settings\All Users\Application Data\t\b2001.dat
C:\Documents and Settings\All Users\Application Data\t\k2001.dat
C:\Documents and Settings\All Users\Application Data\t\p2001.dat
C:\Documents and Settings\All Users\Application Data\t\r2001.dat
C:\privilege.dat
C:\Program Files\Common Files\cpush
C:\Program Files\Common Files\cpush\cpush.tmp
C:\Program Files\Common Files\cpush\Uninst.exe
C:\Program Files\Thunder Network\Thunder\Plugins\bho_adv1.dll
C:\WINDOWS\711.dll
C:\WINDOWS\9b1.bmp
C:\WINDOWS\Downloaded Program Files.\buyzz.dll
C:\WINDOWS\Downloaded Program Files.\e2d05bs.dll
C:\WINDOWS\Downloaded Program Files.\lncrf.dll
C:\WINDOWS\Downloaded Program Files.\ulq.dll
C:\WINDOWS\Downloaded Program Files.\wx94g.dll
C:\WINDOWS\Downloaded Program Files.\xswvm.dll
C:\WINDOWS\fn00321.log
C:\WINDOWS\NDNuninstall6_38.exe
C:\WINDOWS\NDNuninstall7_22.exe
C:\WINDOWS\system\dvl
C:\WINDOWS\system\lvl
C:\WINDOWS\system32\685c7b4f5c.dll
C:\WINDOWS\system32\711.dll
C:\WINDOWS\system32\aa11997600.dll
C:\WINDOWS\system32\abnici.dll
C:\WINDOWS\system32\Bage_Srv.exe
C:\WINDOWS\system32\bajpxi38.dllmmc.pkm
C:\WINDOWS\system32\bljtct.dll
C:\WINDOWS\system32\boldshl01.dll
C:\WINDOWS\system32\cflInfo.nt
C:\WINDOWS\system32\cwebpage.dll
C:\WINDOWS\system32\d3d1caps.srg
C:\WINDOWS\system32\dnabeser.dat
C:\WINDOWS\system32\dodolook591.exe
C:\WINDOWS\system32\drivers\acpidisk.sys
C:\WINDOWS\system32\drivers\bajpxi38.sys
C:\WINDOWS\system32\drivers\bljtct.sys
C:\WINDOWS\system32\drivers\mxdispdr.sys
C:\WINDOWS\System32\eec11.exe
C:\WINDOWS\system32\flym.dll
C:\WINDOWS\system32\GUIMon01.dll
C:\WINDOWS\system32\gyreuo.dll
C:\WINDOWS\system32\k11904248056.exe
C:\WINDOWS\system32\k11904979377.exe
C:\WINDOWS\system32\k119089610612.exe
C:\WINDOWS\system32\k11916004072.exe
C:\WINDOWS\system32\k11917724405.exe
C:\WINDOWS\system32\k11917836265.exe
C:\WINDOWS\system32\k11917945384.exe
C:\WINDOWS\system32\k11917981923.exe
C:\WINDOWS\system32\k11918658196.exe
C:\WINDOWS\system32\k11918856558.exe
C:\WINDOWS\system32\k11919244623.exe
C:\WINDOWS\system32\k11920867377.exe
C:\WINDOWS\system32\k11921305426.exe
C:\WINDOWS\system32\k11921308418.exe
C:\WINDOWS\system32\k11921799231.exe
C:\WINDOWS\system32\k11922348417.exe
C:\WINDOWS\system32\k11922358666.exe
C:\WINDOWS\system32\k11923634794.exe
C:\WINDOWS\system32\k11924204173.exe
C:\WINDOWS\system32\k11924204194.exe
C:\WINDOWS\system32\k11934989723.exe
C:\WINDOWS\system32\k11953000516.exe
C:\WINDOWS\system32\k11960354053.exe
C:\WINDOWS\system32\k11973743521.exe
C:\WINDOWS\system32\k11973743575.exe
C:\WINDOWS\system32\k11973743577.exe
C:\WINDOWS\system32\k119737436110.exe
C:\WINDOWS\system32\k119737436413.exe
C:\WINDOWS\system32\k11986630727.exe
C:\WINDOWS\system32\k11986632247.exe
C:\WINDOWS\system32\k11986633735.exe
C:\WINDOWS\system32\k11986633757.exe
C:\WINDOWS\system32\k11986640665.exe
C:\WINDOWS\system32\k119866424715.exe
C:\WINDOWS\system32\k11986647716.exe
C:\WINDOWS\system32\k119866478014.exe
C:\WINDOWS\system32\k119866489510.exe
C:\WINDOWS\system32\k119866489913.exe
C:\WINDOWS\system32\k119866504717.exe
C:\WINDOWS\system32\k119866559211.exe
C:\WINDOWS\system32\k11986656957.exe
C:\WINDOWS\system32\k119866570314.exe
C:\WINDOWS\system32\k119866582911.exe
C:\WINDOWS\system32\k119866583012.exe
C:\WINDOWS\system32\k119866583516.exe
C:\WINDOWS\system32\k119866583617.exe
C:\WINDOWS\system32\k11986662185.exe
C:\WINDOWS\system32\k119866664817.exe
C:\WINDOWS\system32\k11986669892.exe
C:\WINDOWS\system32\k11986671945.exe
C:\WINDOWS\system32\k11987092114.exe
C:\WINDOWS\system32\kvbatch01.dll
C:\WINDOWS\system32\lmombo.dll
C:\WINDOWS\system32\lyloadmr.exe
C:\WINDOWS\system32\mhsha1.dat
C:\WINDOWS\system32\mprmsgse.axz
C:\WINDOWS\system32\mscpx32r.det
C:\WINDOWS\system32\mstacim.sig
C:\WINDOWS\system32\nonpack01.dll
C:\WINDOWS\system32\ProcSvr01.dll
C:\WINDOWS\system32\safectrl01.dll
C:\WINDOWS\system32\sjnaca.dll
C:\WINDOWS\system32\SVCCtrl01.dll
C:\WINDOWS\system32\svchost.dat
C:\WINDOWS\system32\unnaez.dll
C:\WINDOWS\system32\wbem\6685
C:\WINDOWS\system32\wbem\6685\svchost.exe
C:\WINDOWS\system32\wbem\IPYJWGQAOXHSC.MDA
C:\WINDOWS\system32\wxpSetup.exe
C:\WINDOWS\TEMP\~my1.tmp

----- BITS: Possible infected sites -----

hxxp://g.msn.com
hxxp://sc.msn.com
hxxp://join.msn.com
hxxp://hotmail.msn.com
hxxp://ad.doubleclick.net
hxxp://www.imagine
hxxp://go.msn.com
hxxp://lc3.law13.hotmail.passport.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_ACPIDISK
-------\LEGACY_BAJPXI38
-------\LEGACY_BLJTCT
-------\LEGACY_MS_2FAX
-------\LEGACY_MXDISPDR
-------\LEGACY_SERVICEVCHELP
-------\LEGACY_SVCHOST
-------\LEGACY_SYSLOADER
-------\LEGACY_YIQILAI
-------\acpidisk
-------\bajpxi38
-------\bljtct
-------\ms_2fax
-------\mxdispdr
-------\ServicevcHelp
-------\svchost
-------\sysloader
-------\Yiqilai


((((((((((((((((((((((((( Files Created from 2008-01-26 to 2008-02-26 )))))))))))))))))))))))))))))))
.

2008-02-26 12:35 . 2008-02-26 12:35 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-26 12:31 . 2008-02-26 12:32 74 --a------ C:\WINDOWS\system32\cflInfo.nw
2008-02-24 20:53 . 2008-01-30 11:12 12,800 --a------ C:\WINDOWS\system32\drivers\soxi.sys
2008-02-24 20:52 . 2008-01-30 10:14 77,824 --a------ C:\WINDOWS\system32\hsoxig.dll
2008-01-31 09:39 . 2008-01-31 09:39 118,784 --a------ C:\WINDOWS\system32\solid.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-26 04:26 53,299 ----a-w C:\Documents and Settings\Administrator\msgw.dat
2008-02-26 04:26 1 ----a-w C:\Documents and Settings\Administrator\count.dat
2008-02-24 12:29 45,056 ----a-w C:\WINDOWS\system32\mceulu.dll
2008-02-22 09:13 53,248 ----a-r C:\WINDOWS\b8e1.exe
2008-02-22 09:13 53,248 ------r C:\WINDOWS\system32\1ee1.dll
2008-01-22 02:56 126,976 ----a-w C:\WINDOWS\system32\gicw.exe
2008-01-08 03:35 147,456 ----a-w C:\WINDOWS\system32\msplrc5.dll
2008-01-08 02:21 147,456 ----a-w C:\WINDOWS\system32\msplrc4.dll
2008-01-08 02:10 147,456 ----a-w C:\WINDOWS\system32\msplrc3.dll
2008-01-01 01:04 147,456 ----a-w C:\WINDOWS\system32\msplrc2.dll
2007-12-31 07:53 147,456 ----a-w C:\WINDOWS\system32\msplrc1.dll
2007-12-31 03:48 147,456 ----a-w C:\WINDOWS\system32\msplrc0.dll
2007-12-21 10:42 53,248 ----a-r C:\WINDOWS\1ee1.dll
2007-12-19 06:05 57,344 ----a-w C:\WINDOWS\system32\goo.exe
2007-12-03 02:09 61,440 ----a-w C:\WINDOWS\system32\6to4.dll
2007-10-07 09:40 34,904 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2005-12-19 07:16 133,120 ----a-w C:\WINDOWS\inf\temp0031.tmp
2005-12-13 08:09 20 ----a-w C:\Documents and Settings\Administrator\mhsha1.dat
2005-12-13 06:42 136,704 ----a-w C:\WINDOWS\inf\MSLogin64.exe
2007-11-07 10:57 0 --sha-w C:\WINDOWS\system32\NavCOM01.dll
2007-11-05 14:13 0 --sha-w C:\WINDOWS\system32\NavCOM02.dll
2007-11-10 07:48 0 --sha-w C:\WINDOWS\system32\WSWSleak01.dll
2007-11-16 04:26 0 --sha-w C:\WINDOWS\system32\DVBBack01.dll
2007-11-21 08:32 0 --sha-w C:\WINDOWS\system32\SQLLink01.dll
2007-11-16 04:26 0 --sha-w C:\WINDOWS\system32\BugReport01.dll
2007-11-22 07:26 0 --sha-w C:\WINDOWS\system32\MediaDrv01.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{75FE2B5A-D3A4-4EFA-AC11-ADC9C9459688}]
C:\Program Files\yok\toolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E157D62A-D8A4-45DF-8E9B-C33D93821BDF}]
2008-01-31 09:39 118784 --a------ c:\windows\system32\solid.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{BA52B914-B692-46C4-B683-905236F6F655}
{8E718888-423F-11D2-876E-00A0C9082467}
{F869BB38-FFEF-4589-B986-610B7AD0ADA2}

[HKEY_CLASSES_ROOT\clsid\{f869bb38-ffef-4589-b986-610b7ad0ada2}]
[HKEY_CLASSES_ROOT\YokToolbar.Band.1]
[HKEY_CLASSES_ROOT\YokToolbar.Band]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-28 19:41 13312]
"BitComet"="C:\Program Files\BitComet\BitComet.exe" [ ]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RAM Idle"="C:\Program Files\Customizer XP\RAMIdle.exe" [2002-05-01 12:29 104960]
"SbUsb AudCtrl"="sbusbdll.dll" [2005-05-26 17:52 128000 C:\WINDOWS\system32\sbusbdll.dll]
"WMC_AutoUpdate"="" []
"symticr"="C:\windows\system32\goo.exe" [2007-12-19 14:05 57344]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2005-12-26 08:20 579072]
"Tlist"="regsvr32 /s abskey.dll" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2005-12-25 16:27 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"buyzz"= rundll32 "C:\WINDOWS\Downlo~1\buyzz.dll",start
"xswvm"= rundll32 "C:\WINDOWS\Downlo~1\xswvm.dll",Run

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91976}"= UPS.dll [ ]

R0 mevxgk;mevxg;C:\WINDOWS\System32\DRIVERS\mevxgk.sys [2002-08-28 19:41]
R0 soxi;sox;C:\WINDOWS\System32\DRIVERS\soxi.sys [2008-01-30 11:12]
R0 TYKeeper;TYKeeper;C:\WINDOWS\System32\drivers\TYKeeper.sys [2006-11-07 00:08]
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\System32\DRIVERS\ati2mtaa.sys [2002-08-28 23:16]
S0 zwdu;zwd;C:\WINDOWS\System32\DRIVERS\zwdu.sys []
S2 41EE3B64;41EE3B64;C:\WINDOWS\System32\D01780F6.EXE []
S2 4ivbctpv;4ivbctpv;C:\WINDOWS\System32\drivers\4ivbctpv.sys []
S2 687FA1A4;687FA1A4;C:\WINDOWS\System32\E1B055FE.EXE []
S2 EBEF311A;EBEF311A;C:\WINDOWS\System32\49483550.EXE []
S2 MSDCOMClient16;DCOM Service Process Manager;C:\WINDOWS\System32\svchost.exe [2001-08-23 04:00]
S3 sbusb;Sound Blaster USB Audio Driver;C:\WINDOWS\System32\DRIVERS\sbusb.sys [2005-06-10 09:39]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
MSDCOMClient16
enqe
MSDCOMClient32

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-26 12:49:32
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\devldr32.exe
.
**************************************************************************
.
Completion time: 2008-02-26 12:51:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-26 04:51:10
[/font]




I have also downloaded and ran Hijack This Version 2.0.2 after Combofix. I selected the option 'Do a system scan and save a log file'. Results of the scan was saved in a log in Notepad. Below is the log's content :-




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:56:20 PM, on 2/26/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://kzdh.com/?g
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SE...S01?FORM=TOOLBR
R3 - URLSearchHook: ContextSearch Class - {88351CEF-BAC0-4A9B-8380-31A173E2926F} - C:\Program Files\yok\toolbar.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: YOK³¬¼¶ËÑË÷ - {75FE2B5A-D3A4-4EFA-AC11-ADC9C9459688} - C:\Program Files\yok\toolbar.dll (file missing)
O2 - BHO: brush Class - {E157D62A-D8A4-45DF-8E9B-C33D93821BDF} - c:\windows\system32\solid.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: YOK³¬¼¶ËÑË÷ - {F869BB38-FFEF-4589-B986-610B7AD0ADA2} - C:\Program Files\yok\toolbar.dll (file missing)
O4 - HKLM\..\Run: [RAM Idle] C:\Program Files\Customizer XP\RAMIdle.exe
O4 - HKLM\..\Run: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
O4 - HKLM\..\Run: [symticr] C:\windows\system32\goo.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Tlist] regsvr32 /s abskey.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKLM\..\Policies\Explorer\Run: [buyzz] rundll32 "C:\WINDOWS\Downlo~1\buyzz.dll",start
O4 - HKLM\..\Policies\Explorer\Run: [xswvm] rundll32 "C:\WINDOWS\Downlo~1\xswvm.dll",Run
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: YOK³¬¼¶ËÑË÷ - C:\Program Files\yok\yoksch.htm
O9 - Extra button: Ò»ÆðÀ´ÒôÀÖÉçÇø - {7DBC6ADB-5788-4FB9-AEC3-B40A58AC11DF} - http://www.yiqilai.com (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: YOK³¬¼¶ËÑË÷ - {F869BB38-FFEF-4589-B986-610B7AD0ADA2} - http://www.yok.com (file missing)
O16 - DPF: {70EE0AA4-5A3A-4052-8FFA-2EEDA43F7942} (Innotive Cibrowser Control 1.1) - http://202.71.104.89...r_1_1_1_130.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{038B2C61-CECC-4AB9-B7DC-BB0EA8D48331}: NameServer = 85.255.113.148,85.255.112.26
O17 - HKLM\System\CCS\Services\Tcpip\..\{2624DD52-7384-487D-9CC1-60749EC0B383}: NameServer = 85.255.113.148,85.255.112.26
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.148 85.255.112.26
O17 - HKLM\System\CS1\Services\Tcpip\..\{038B2C61-CECC-4AB9-B7DC-BB0EA8D48331}: NameServer = 85.255.113.148,85.255.112.26
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.148 85.255.112.26
O17 - HKLM\System\CS2\Services\Tcpip\..\{038B2C61-CECC-4AB9-B7DC-BB0EA8D48331}: NameServer = 85.255.113.148,85.255.112.26
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.148 85.255.112.26
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: 41EE3B64 - Unknown owner - C:\WINDOWS\System32\D01780F6.EXE (file missing)
O23 - Service: 687FA1A4 - Unknown owner - C:\WINDOWS\System32\E1B055FE.EXE (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: EBEF311A - Unknown owner - C:\WINDOWS\System32\49483550.EXE (file missing)

--
End of file - 5302 bytes




Please assist me, to what shall I do next.

Thank you for your attention.

Kuihkociboy

Edited by kuihkociboy, 26 February 2008 - 04:06 AM.

  • 0

#4
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

You do not need to PM me, I get notifications when you reply

Also don't change the font of the logs as it makes them hard to read

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum.


1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
C:\WINDOWS\system32\cflInfo.nw
C:\WINDOWS\system32\drivers\soxi.sys
C:\WINDOWS\system32\hsoxig.dll
C:\WINDOWS\system32\solid.dll
C:\Documents and Settings\Administrator\msgw.dat
C:\Documents and Settings\Administrator\count.dat
C:\WINDOWS\system32\mceulu.dll
C:\WINDOWS\b8e1.exe
C:\WINDOWS\system32\1ee1.dll
C:\WINDOWS\system32\gicw.exe
C:\WINDOWS\system32\msplrc5.dll
C:\WINDOWS\system32\msplrc4.dll
C:\WINDOWS\system32\msplrc3.dll
C:\WINDOWS\system32\msplrc2.dll
C:\WINDOWS\system32\msplrc1.dll
C:\WINDOWS\system32\msplrc0.dll
C:\WINDOWS\1ee1.dll
C:\WINDOWS\system32\goo.exe
C:\WINDOWS\system32\6to4.dll
C:\WINDOWS\inf\temp0031.tmp
C:\Documents and Settings\Administrator\mhsha1.dat
C:\WINDOWS\inf\MSLogin64.exe
C:\WINDOWS\system32\NavCOM01.dll
C:\WINDOWS\system32\NavCOM02.dll
C:\WINDOWS\system32\WSWSleak01.dll
C:\WINDOWS\system32\DVBBack01.dll
C:\WINDOWS\system32\SQLLink01.dll
C:\WINDOWS\system32\BugReport01.dll
C:\WINDOWS\system32\MediaDrv01.dll
c:\windows\system32\solid.dll
C:\windows\system32\goo.exe
C:\WINDOWS\Downlo~1\buyzz.dll
C:\WINDOWS\Downlo~1\xswvm.dll
C:\WINDOWS\System32\DRIVERS\mevxgk.sys
C:\WINDOWS\System32\DRIVERS\soxi.sys
C:\WINDOWS\System32\drivers\TYKeeper.sys

Folder::
C:\Program Files\yok

Driver::
mevxgk
soxi
TYKeeper
zwdu
41EE3B64
4ivbctpv
687FA1A4
EBEF311A


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall



Also post a new HijackThis log
  • 0

#5
kuihkociboy

kuihkociboy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Hi!
1)Sorry for the PM and confusion in my previous reply. :)

2) I have already downloaded SDFix ,extracted and ran SDFix in Safe Mode. save it to your Desktop.
Here are the contents of the Report.txt file :-




SDFix: Version 1.147

Run by Administrator on Tue 02/26/2008 at 09:57 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\K1404F~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\GZUZHB.DLL - Deleted
C:\WINDOWS\SYSTEM32\UPS.DLL - Deleted
C:\WINDOWS\SYSTEM32\MQCIBB.DLL - Deleted
C:\WINDOWS\SYSTEM32\QKTNTV.DLL - Deleted
C:\WINDOWS\SYSTEM32\UZNLRJ.DLL - Deleted
C:\WINDOWS\SYSTEM32\NGLXSB.DLL - Deleted
C:\WINDOWS\SYSTEM32\KPSHTE.DLL - Deleted
C:\WINDOWS\SYSTEM32\NAVCOM01.DLL - Deleted
C:\WINDOWS\SYSTEM32\DDAMTI.DLL - Deleted
C:\WINDOWS\SYSTEM32\TJXCVA.DLL - Deleted
C:\WINDOWS\SYSTEM32\SRECLP.DLL - Deleted
C:\WINDOWS\SYSTEM32\DBJGNZ.DLL - Deleted
C:\WINDOWS\SYSTEM32\EVGWHZ.DLL - Deleted
C:\WINDOWS\SYSTEM32\NAVCOM02.DLL - Deleted
C:\WINDOWS\SYSTEM32\AKVHGC.DLL - Deleted
C:\WINDOWS\SYSTEM32\WSWSLE~1.DLL - Deleted
C:\WINDOWS\SYSTEM32\GVCICT.DLL - Deleted
C:\WINDOWS\SYSTEM32\BBJUBT.DLL - Deleted
C:\WINDOWS\SYSTEM32\DVBBAC~1.DLL - Deleted
C:\WINDOWS\SYSTEM32\SQLLIN~1.DLL - Deleted
C:\WINDOWS\SYSTEM32\BUGREP~1.DLL - Deleted
C:\WINDOWS\SYSTEM32\MEDIAD~1.DLL - Deleted
C:\WINDOWS\SYSTEM32\JVVWDZ.DLL - Deleted
C:\WINDOWS\SYSTEM32\TGCZWC.DLL - Deleted
C:\WINDOWS\SYSTEM32\MDVNLE.DLL - Deleted
C:\WINDOWS\SYSTEM32\XQKOYG.DLL - Deleted
C:\WINDOWS\SYSTEM32\JDCZDZ.DLL - Deleted
C:\WINDOWS\SYSTEM32\LWDTYN.DLL - Deleted
C:\WINDOWS\SYSTEM32\BCPLXC.DLL - Deleted
C:\WINDOWS\SYSTEM32\UZQWPW.DLL - Deleted
C:\WINDOWS\SYSTEM32\JHVRTK.DLL - Deleted
C:\WINDOWS\SYSTEM32\XLFRSX.DLL - Deleted
C:\WINDOWS\SYSTEM32\CNFLNB.DLL - Deleted
C:\WINDOWS\SYSTEM32\MZMTUH.DLL - Deleted
C:\WINDOWS\SYSTEM32\QSWPIR.DLL - Deleted
C:\WINDOWS\SYSTEM32\YKVNHG.DLL - Deleted
C:\WINDOWS\SYSTEM32\XEFKDL.DLL - Deleted
C:\WINDOWS\SYSTEM32\HLCOSP.DLL - Deleted
C:\WINDOWS\SYSTEM32\UCWDDY.DLL - Deleted
C:\WINDOWS\SYSTEM32\FQEQRG.DLL - Deleted
C:\WINDOWS\SYSTEM32\JQTQMY.DLL - Deleted
C:\WINDOWS\SYSTEM32\GBMPAO.DLL - Deleted
C:\WINDOWS\SYSTEM32\WKFUND.DLL - Deleted
C:\WINDOWS\SYSTEM32\LSKINI.DLL - Deleted
C:\WINDOWS\SYSTEM32\PDAJUS.DLL - Deleted
C:\WINDOWS\SYSTEM32\WALHFQ.DLL - Deleted
C:\WINDOWS\SYSTEM32\XPHURD.DLL - Deleted
C:\WINDOWS\SYSTEM32\IUODVU.DLL - Deleted
C:\WINDOWS\SYSTEM32\NVPUOW.DLL - Deleted
C:\WINDOWS\SYSTEM32\LMOBLW.DLL - Deleted
C:\WINDOWS\system32\setup_iesuper_20071221.exe - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-26 22:02:25
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
symticr = C:\windows\system32\goo.exe????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 20 Aug 2002 1,511,453 ...H. --- "C:\Program Files\Messenger\msmsgs.exe"
Thu 29 Aug 2002 91,136 A.SH. --- "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
Sat 16 Sep 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 15 Jun 2007 34,304 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL3651.tmp"
Thu 18 Oct 2007 119,808 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL1201.tmp"
Fri 16 Nov 2007 242,176 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL0828.tmp"
Fri 15 Jun 2007 26,624 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0635.tmp"
Fri 15 Jun 2007 29,184 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1698.tmp"
Fri 15 Jun 2007 30,720 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0745.tmp"
Fri 15 Jun 2007 30,720 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL3450.tmp"

Finished!



3)I have already open a notepad, add the quote into it,save the file as CFscript.txt and dragged it to Combo.exe and a report was produced as follows:-



ComboFix 08-02-25.3 - Administrator 2008-02-26 22:08:33.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.86 [GMT 8:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Administrator\count.dat
C:\Documents and Settings\Administrator\mhsha1.dat
C:\Documents and Settings\Administrator\msgw.dat
C:\WINDOWS\1ee1.dll
C:\WINDOWS\b8e1.exe
C:\WINDOWS\Downlo~1\buyzz.dll
C:\WINDOWS\Downlo~1\xswvm.dll
C:\WINDOWS\inf\MSLogin64.exe
C:\WINDOWS\inf\temp0031.tmp
C:\WINDOWS\system32\1ee1.dll
C:\WINDOWS\system32\6to4.dll
C:\WINDOWS\system32\BugReport01.dll
C:\WINDOWS\system32\cflInfo.nw
C:\WINDOWS\System32\DRIVERS\mevxgk.sys
C:\WINDOWS\System32\DRIVERS\soxi.sys
C:\WINDOWS\system32\drivers\soxi.sys
C:\WINDOWS\System32\drivers\TYKeeper.sys
C:\WINDOWS\system32\DVBBack01.dll
C:\WINDOWS\system32\gicw.exe
C:\windows\system32\goo.exe
C:\WINDOWS\system32\goo.exe
C:\WINDOWS\system32\hsoxig.dll
C:\WINDOWS\system32\mceulu.dll
C:\WINDOWS\system32\MediaDrv01.dll
C:\WINDOWS\system32\msplrc0.dll
C:\WINDOWS\system32\msplrc1.dll
C:\WINDOWS\system32\msplrc2.dll
C:\WINDOWS\system32\msplrc3.dll
C:\WINDOWS\system32\msplrc4.dll
C:\WINDOWS\system32\msplrc5.dll
C:\WINDOWS\system32\NavCOM01.dll
C:\WINDOWS\system32\NavCOM02.dll
C:\WINDOWS\system32\solid.dll
c:\windows\system32\solid.dll
C:\WINDOWS\system32\SQLLink01.dll
C:\WINDOWS\system32\WSWSleak01.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\count.dat
C:\Documents and Settings\Administrator\mhsha1.dat
C:\Documents and Settings\Administrator\msgw.dat
C:\WINDOWS\1ee1.dll
C:\WINDOWS\b8e1.exe
C:\WINDOWS\inf\MSLogin64.exe
C:\WINDOWS\inf\temp0031.tmp
C:\WINDOWS\system32\1ee1.dll
C:\WINDOWS\system32\6to4.dll
C:\WINDOWS\system32\cflInfo.nw
C:\WINDOWS\System32\DRIVERS\mevxgk.sys
C:\WINDOWS\System32\DRIVERS\soxi.sys
C:\WINDOWS\System32\drivers\TYKeeper.sys
C:\WINDOWS\system32\gicw.exe
C:\WINDOWS\system32\goo.exe
C:\WINDOWS\system32\hsoxig.dll
C:\WINDOWS\system32\mceulu.dll
C:\WINDOWS\system32\msplrc0.dll
C:\WINDOWS\system32\msplrc1.dll
C:\WINDOWS\system32\msplrc2.dll
C:\WINDOWS\system32\msplrc3.dll
C:\WINDOWS\system32\msplrc4.dll
C:\WINDOWS\system32\msplrc5.dll
C:\WINDOWS\system32\solid.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_41EE3B64
-------\LEGACY_4IVBCTPV
-------\LEGACY_687FA1A4
-------\LEGACY_EBEF311A
-------\LEGACY_MEVXGK
-------\LEGACY_SOXI
-------\LEGACY_TYKEEPER
-------\LEGACY_ZWDU
-------\41EE3B64
-------\4ivbctpv
-------\687FA1A4
-------\EBEF311A
-------\mevxgk
-------\soxi
-------\TYKeeper
-------\zwdu


((((((((((((((((((((((((( Files Created from 2008-01-26 to 2008-02-26 )))))))))))))))))))))))))))))))
.

2008-02-26 21:56 . 2008-02-26 21:56 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-26 21:51 . 2008-02-25 15:14 <DIR> d-------- C:\SDFix
2008-02-26 12:35 . 2008-02-26 12:35 <DIR> d-------- C:\Program Files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-07 09:40 34,904 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{75FE2B5A-D3A4-4EFA-AC11-ADC9C9459688}]
C:\Program Files\yok\toolbar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-28 19:41 13312]
"BitComet"="C:\Program Files\BitComet\BitComet.exe" [ ]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RAM Idle"="C:\Program Files\Customizer XP\RAMIdle.exe" [2002-05-01 12:29 104960]
"SbUsb AudCtrl"="sbusbdll.dll" [2005-05-26 17:52 128000 C:\WINDOWS\system32\sbusbdll.dll]
"WMC_AutoUpdate"="" []
"symticr"="C:\windows\system32\goo.exe" [ ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2005-12-26 08:20 579072]
"Tlist"="regsvr32 /s abskey.dll" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2005-12-25 16:27 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91976}"= UPS.dll [ ]

R3 ati2mtaa;ati2mtaa;C:\WINDOWS\System32\DRIVERS\ati2mtaa.sys [2002-08-28 23:16]
S3 sbusb;Sound Blaster USB Audio Driver;C:\WINDOWS\System32\DRIVERS\sbusb.sys [2005-06-10 09:39]
Stop Pending2 MSDCOMClient16;DCOM Service Process Manager;C:\WINDOWS\System32\svchost.exe [2001-08-23 04:00]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
MSDCOMClient16
enqe
MSDCOMClient32

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-26 22:14:59
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\devldr32.exe
.
**************************************************************************
.
Completion time: 2008-02-26 22:16:20 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-26 14:16:16
ComboFix2.txt 2008-02-26 04:51:16



4)Last but not least , I did another Hijack This Log ,and the contents are as below here:-



ComboFix 08-02-25.3 - Administrator 2008-02-26 22:08:33.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.86 [GMT 8:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Administrator\count.dat
C:\Documents and Settings\Administrator\mhsha1.dat
C:\Documents and Settings\Administrator\msgw.dat
C:\WINDOWS\1ee1.dll
C:\WINDOWS\b8e1.exe
C:\WINDOWS\Downlo~1\buyzz.dll
C:\WINDOWS\Downlo~1\xswvm.dll
C:\WINDOWS\inf\MSLogin64.exe
C:\WINDOWS\inf\temp0031.tmp
C:\WINDOWS\system32\1ee1.dll
C:\WINDOWS\system32\6to4.dll
C:\WINDOWS\system32\BugReport01.dll
C:\WINDOWS\system32\cflInfo.nw
C:\WINDOWS\System32\DRIVERS\mevxgk.sys
C:\WINDOWS\System32\DRIVERS\soxi.sys
C:\WINDOWS\system32\drivers\soxi.sys
C:\WINDOWS\System32\drivers\TYKeeper.sys
C:\WINDOWS\system32\DVBBack01.dll
C:\WINDOWS\system32\gicw.exe
C:\windows\system32\goo.exe
C:\WINDOWS\system32\goo.exe
C:\WINDOWS\system32\hsoxig.dll
C:\WINDOWS\system32\mceulu.dll
C:\WINDOWS\system32\MediaDrv01.dll
C:\WINDOWS\system32\msplrc0.dll
C:\WINDOWS\system32\msplrc1.dll
C:\WINDOWS\system32\msplrc2.dll
C:\WINDOWS\system32\msplrc3.dll
C:\WINDOWS\system32\msplrc4.dll
C:\WINDOWS\system32\msplrc5.dll
C:\WINDOWS\system32\NavCOM01.dll
C:\WINDOWS\system32\NavCOM02.dll
C:\WINDOWS\system32\solid.dll
c:\windows\system32\solid.dll
C:\WINDOWS\system32\SQLLink01.dll
C:\WINDOWS\system32\WSWSleak01.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\count.dat
C:\Documents and Settings\Administrator\mhsha1.dat
C:\Documents and Settings\Administrator\msgw.dat
C:\WINDOWS\1ee1.dll
C:\WINDOWS\b8e1.exe
C:\WINDOWS\inf\MSLogin64.exe
C:\WINDOWS\inf\temp0031.tmp
C:\WINDOWS\system32\1ee1.dll
C:\WINDOWS\system32\6to4.dll
C:\WINDOWS\system32\cflInfo.nw
C:\WINDOWS\System32\DRIVERS\mevxgk.sys
C:\WINDOWS\System32\DRIVERS\soxi.sys
C:\WINDOWS\System32\drivers\TYKeeper.sys
C:\WINDOWS\system32\gicw.exe
C:\WINDOWS\system32\goo.exe
C:\WINDOWS\system32\hsoxig.dll
C:\WINDOWS\system32\mceulu.dll
C:\WINDOWS\system32\msplrc0.dll
C:\WINDOWS\system32\msplrc1.dll
C:\WINDOWS\system32\msplrc2.dll
C:\WINDOWS\system32\msplrc3.dll
C:\WINDOWS\system32\msplrc4.dll
C:\WINDOWS\system32\msplrc5.dll
C:\WINDOWS\system32\solid.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_41EE3B64
-------\LEGACY_4IVBCTPV
-------\LEGACY_687FA1A4
-------\LEGACY_EBEF311A
-------\LEGACY_MEVXGK
-------\LEGACY_SOXI
-------\LEGACY_TYKEEPER
-------\LEGACY_ZWDU
-------\41EE3B64
-------\4ivbctpv
-------\687FA1A4
-------\EBEF311A
-------\mevxgk
-------\soxi
-------\TYKeeper
-------\zwdu


((((((((((((((((((((((((( Files Created from 2008-01-26 to 2008-02-26 )))))))))))))))))))))))))))))))
.

2008-02-26 21:56 . 2008-02-26 21:56 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-26 21:51 . 2008-02-25 15:14 <DIR> d-------- C:\SDFix
2008-02-26 12:35 . 2008-02-26 12:35 <DIR> d-------- C:\Program Files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-07 09:40 34,904 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{75FE2B5A-D3A4-4EFA-AC11-ADC9C9459688}]
C:\Program Files\yok\toolbar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-28 19:41 13312]
"BitComet"="C:\Program Files\BitComet\BitComet.exe" [ ]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RAM Idle"="C:\Program Files\Customizer XP\RAMIdle.exe" [2002-05-01 12:29 104960]
"SbUsb AudCtrl"="sbusbdll.dll" [2005-05-26 17:52 128000 C:\WINDOWS\system32\sbusbdll.dll]
"WMC_AutoUpdate"="" []
"symticr"="C:\windows\system32\goo.exe" [ ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2005-12-26 08:20 579072]
"Tlist"="regsvr32 /s abskey.dll" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2005-12-25 16:27 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91976}"= UPS.dll [ ]

R3 ati2mtaa;ati2mtaa;C:\WINDOWS\System32\DRIVERS\ati2mtaa.sys [2002-08-28 23:16]
S3 sbusb;Sound Blaster USB Audio Driver;C:\WINDOWS\System32\DRIVERS\sbusb.sys [2005-06-10 09:39]
Stop Pending2 MSDCOMClient16;DCOM Service Process Manager;C:\WINDOWS\System32\svchost.exe [2001-08-23 04:00]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
MSDCOMClient16
enqe
MSDCOMClient32

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-26 22:14:59
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\devldr32.exe
.
**************************************************************************
.
Completion time: 2008-02-26 22:16:20 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-26 14:16:16
ComboFix2.txt 2008-02-26 04:51:16

Please guide me on my next step. I will be online for at least 3-4 hours after I post this reply. Please feel free to PM if you need to gather any other information .
Thank you


Kuihkociboy
  • 0

#6
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


Also post a new HijackThis log
  • 0

#7
kuihkociboy

kuihkociboy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Hi.

I have just completed my Kaspersky online scan . The result isn't as pleasing as I thought I would be. :) Anyway , here below are test results :-


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, February 27, 2008 1:01:16 AM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 26/02/2008
Kaspersky Anti-Virus database records: 581907
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 20112
Number of viruses found: 33
Number of infected objects: 74
Number of suspicious objects: 0
Duration of the scan process: 01:02:13

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\drivers\vcshow.sys Infected: Trojan-Downloader.Win32.Delf.ewt skipped
C:\WINDOWS\system32\drivers\vcplay.sys Infected: Trojan.Win32.Delf.aow skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\k113445601710.exe Infected: Trojan-PSW.Win32.OnLineGames.ksj skipped
C:\WINDOWS\system32\vcplay.exe Infected: Trojan.Win32.Delf.aow skipped
C:\WINDOWS\system32\vcshow.dll Infected: Trojan-Downloader.Win32.Delf.ewt skipped
C:\WINDOWS\system32\inf\MSLogin64.exe Infected: not-a-virus:AdWare.Win32.BHO.ms skipped
C:\WINDOWS\system32\inf\d03.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.BHO.ne skipped
C:\WINDOWS\system32\inf\d03.exe/stream Infected: not-a-virus:AdWare.Win32.BHO.ne skipped
C:\WINDOWS\system32\inf\d03.exe NSIS: infected - 2 skipped
C:\WINDOWS\system32\k11354865256.exe Infected: Trojan-PSW.Win32.OnLineGames.lqb skipped
C:\WINDOWS\system32\k11354934166.exe Infected: Trojan-PSW.Win32.OnLineGames.lqb skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\Downloaded Program Files\jtlc3as.dll Infected: not-a-virus:AdWare.Win32.Agent.xy skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\d39.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.BHO.oa skipped
C:\WINDOWS\d39.exe/stream Infected: not-a-virus:AdWare.Win32.BHO.oa skipped
C:\WINDOWS\d39.exe NSIS: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\temp\Perflib_Perfdata_40c.dat Object is locked skipped
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\_restore{3BED6D62-3FAE-4B9C-8592-2C0C518C5154}\RP1\A0000111.exe/stream/data0003/stream/data0035 Infected: not-a-virus:AdWare.Win32.Yokbar.n skipped
C:\System Volume Information\_restore{3BED6D62-3FAE-4B9C-8592-2C0C518C5154}\RP1\A0000111.exe/stream/data0003/stream Infected: not-a-virus:AdWare.Win32.Yokbar.n skipped
C:\System Volume Information\_restore{3BED6D62-3FAE-4B9C-8592-2C0C518C5154}\RP1\A0000111.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.Yokbar.n skipped
C:\System Volume Information\_restore{3BED6D62-3FAE-4B9C-8592-2C0C518C5154}\RP1\A0000111.exe/stream Infected: not-a-virus:AdWare.Win32.Yokbar.n skipped
C:\System Volume Information\_restore{3BED6D62-3FAE-4B9C-8592-2C0C518C5154}\RP1\A0000111.exe NSIS: infected - 4 skipped
C:\System Volume Information\_restore{3BED6D62-3FAE-4B9C-8592-2C0C518C5154}\RP1\A0000166.exe/stream/data0003/stream/data0035 Infected: not-a-virus:AdWare.Win32.Yokbar.n skipped
C:\System Volume Information\_restore{3BED6D62-3FAE-4B9C-8592-2C0C518C5154}\RP1\A0000166.exe/stream/data0003/stream Infected: not-a-virus:AdWare.Win32.Yokbar.n skipped
C:\System Volume Information\_restore{3BED6D62-3FAE-4B9C-8592-2C0C518C5154}\RP1\A0000166.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.Yokbar.n skipped
C:\System Volume Information\_restore{3BED6D62-3FAE-4B9C-8592-2C0C518C5154}\RP1\A0000166.exe/stream Infected: not-a-virus:AdWare.Win32.Yokbar.n skipped
C:\System Volume Information\_restore{3BED6D62-3FAE-4B9C-8592-2C0C518C5154}\RP1\A0000166.exe NSIS: infected - 4 skipped
C:\System Volume Information\_restore{3BED6D62-3FAE-4B9C-8592-2C0C518C5154}\RP2\A0000249.dll Infected: not-a-virus:AdWare.Win32.BHO.po skipped
C:\System Volume Information\_restore{3BED6D62-3FAE-4B9C-8592-2C0C518C5154}\RP2\A0000251.exe Infected: not-a-virus:AdWare.Win32.BHO.ms skipped
C:\System Volume Information\_restore{3BED6D62-3FAE-4B9C-8592-2C0C518C5154}\RP2\change.log Object is locked skipped
C:\System Volume Information\_restore{3BED6D62-3FAE-4B9C-8592-2C0C518C5154}\RP2\A0000265.sys Infected: Trojan-Downloader.Win32.Hmir.me skipped
C:\System Volume Information\_restore{3BED6D62-3FAE-4B9C-8592-2C0C518C5154}\RP2\A0000266.sys Infected: Rootkit.Win32.Agent.abp skipped
C:\SDFix\backups\backups.zip/backups/setup_iesuper_20071221.exe/stream/data0003/stream/data0035 Infected: not-a-virus:AdWare.Win32.Yokbar.n skipped
C:\SDFix\backups\backups.zip/backups/setup_iesuper_20071221.exe/stream/data0003/stream Infected: not-a-virus:AdWare.Win32.Yokbar.n skipped
C:\SDFix\backups\backups.zip/backups/setup_iesuper_20071221.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.Yokbar.n skipped
C:\SDFix\backups\backups.zip/backups/setup_iesuper_20071221.exe/stream Infected: not-a-virus:AdWare.Win32.Yokbar.n skipped
C:\SDFix\backups\backups.zip/backups/setup_iesuper_20071221.exe Infected: not-a-virus:AdWare.Win32.Yokbar.n skipped
C:\SDFix\backups\backups.zip ZIP: infected - 5 skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\CPUSH\cpush.tmp.vir Infected: not-a-virus:AdWare.Win32.BHO.ne skipped
C:\QooBox\Quarantine\C\Program Files\Thunder Network\Thunder\Plugins\bho_adv1.dll.vir Infected: Trojan-Spy.Win32.Delf.awd skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\cwebpage.dll.vir Infected: not-a-virus:AdWare.Win32.NewWeb.bf skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\acpidisk.sys.vir Infected: not-a-virus:AdWare.Win32.Cinmus.bey skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\bajpxi38.sys.vir Infected: Rootkit.Win32.Agent.qk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\mevxgk.sys.vir Infected: Trojan-Downloader.Win32.Hmir.me skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\soxi.sys.vir Infected: Rootkit.Win32.Agent.abp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\LYLOADMR.EXE.vir Infected: Trojan-PSW.Win32.OnLineGames.mhc skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\flym.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.ri skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\dodolook591.exe.vir/stream/data0002/stream/data0001 Infected: not-a-virus:AdWare.Win32.BHO.ms skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\dodolook591.exe.vir/stream/data0002/stream Infected: not-a-virus:AdWare.Win32.BHO.ms skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\dodolook591.exe.vir/stream/data0002 Infected: not-a-virus:AdWare.Win32.BHO.ms skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\dodolook591.exe.vir/stream Infected: not-a-virus:AdWare.Win32.BHO.ms skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\dodolook591.exe.vir NSIS: infected - 4 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\k11917724405.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.enp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\k11917836265.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.enp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\k11921799231.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.egt skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\k11953000516.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.hzd skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\k11973743575.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.ksn skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\k11973743577.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.ksm skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\k119737436110.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.kmu skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\k11986647716.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.lqb skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\711.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.aca skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\eec11.exe.vir Infected: Trojan-Downloader.Win32.Agent.hll skipped
C:\QooBox\Quarantine\C\WINDOWS\NDNuninstall6_38.exe.vir Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\QooBox\Quarantine\C\WINDOWS\NDNuninstall7_22.exe.vir Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped
C:\QooBox\Quarantine\C\WINDOWS\Downloaded Program Files\e2d05bs.dll.vir Infected: Trojan-Downloader.Win32.Agent.hmt skipped
C:\QooBox\Quarantine\C\WINDOWS\Downloaded Program Files\lncrf.dll.vir Infected: Trojan-Downloader.Win32.Agent.jns skipped
C:\QooBox\Quarantine\C\WINDOWS\Downloaded Program Files\ulq.dll.vir Infected: Trojan-Downloader.Win32.Agent.jns skipped
C:\QooBox\Quarantine\C\WINDOWS\Downloaded Program Files\wx94g.dll.vir Infected: Trojan-Downloader.Win32.Agent.jix skipped
C:\QooBox\Quarantine\C\WINDOWS\Downloaded Program Files\buyzz.dll.vir Infected: Trojan-Downloader.Win32.Agent.jns skipped
C:\QooBox\Quarantine\C\WINDOWS\Downloaded Program Files\xswvm.dll.vir Infected: Trojan-Downloader.Win32.Agent.jix skipped
C:\QooBox\Quarantine\C\WINDOWS\9b1.bmp.vir Infected: not-a-virus:AdWare.Win32.BHO.aca skipped
C:\QooBox\Quarantine\C\WINDOWS\711.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.pp skipped
C:\QooBox\Quarantine\C\WINDOWS\1ee1.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.po skipped
C:\QooBox\Quarantine\C\WINDOWS\inf\MSLogin64.exe.vir Infected: not-a-virus:AdWare.Win32.BHO.ms skipped
C:\QooBox\Quarantine\C\WINDOWS\inf\temp0031.tmp.vir Infected: not-a-virus:AdWare.Win32.BHO.ms skipped
C:\QooBox\Quarantine\C\Privilege.dat.vir Infected: Trojan-PSW.Win32.OnLineGames.mhc skipped
C:\QooBox\Quarantine\C\autorun.inf.vir Infected: Virus.Win32.AutoRun.mg skipped

Scan process completed.

2) I have also hijack-ed another log . Please look at the contents below: -


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:02:12 AM, on 2/27/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Customizer XP\RAMIdle.exe
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Maxthon2\Maxthon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://kzdh.com/?g
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SE...S01?FORM=TOOLBR
R3 - URLSearchHook: ContextSearch Class - {88351CEF-BAC0-4A9B-8380-31A173E2926F} - C:\Program Files\yok\toolbar.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: YOK³¬¼¶ËÑË÷ - {75FE2B5A-D3A4-4EFA-AC11-ADC9C9459688} - C:\Program Files\yok\toolbar.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {F869BB38-FFEF-4589-B986-610B7AD0ADA2} - (no file)
O4 - HKLM\..\Run: [RAM Idle] C:\Program Files\Customizer XP\RAMIdle.exe
O4 - HKLM\..\Run: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
O4 - HKLM\..\Run: [symticr] C:\windows\system32\goo.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Tlist] regsvr32 /s abskey.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: YOK³¬¼¶ËÑË÷ - C:\Program Files\yok\yoksch.htm
O9 - Extra button: Ò»ÆðÀ´ÒôÀÖÉçÇø - {7DBC6ADB-5788-4FB9-AEC3-B40A58AC11DF} - http://www.yiqilai.com (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: YOK³¬¼¶ËÑË÷ - {F869BB38-FFEF-4589-B986-610B7AD0ADA2} - http://www.yok.com (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {70EE0AA4-5A3A-4052-8FFA-2EEDA43F7942} (Innotive Cibrowser Control 1.1) - http://202.71.104.89...r_1_1_1_130.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{038B2C61-CECC-4AB9-B7DC-BB0EA8D48331}: NameServer = 85.255.113.148,85.255.112.26
O17 - HKLM\System\CCS\Services\Tcpip\..\{2624DD52-7384-487D-9CC1-60749EC0B383}: NameServer = 85.255.113.148,85.255.112.26
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.148 85.255.112.26
O17 - HKLM\System\CS1\Services\Tcpip\..\{038B2C61-CECC-4AB9-B7DC-BB0EA8D48331}: NameServer = 85.255.113.148,85.255.112.26
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.148 85.255.112.26
O17 - HKLM\System\CS2\Services\Tcpip\..\{038B2C61-CECC-4AB9-B7DC-BB0EA8D48331}: NameServer = 85.255.113.148,85.255.112.26
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.148 85.255.112.26
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

--
End of file - 5008 bytes
  • 0

#8
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
We are making progress don't worry

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://kzdh.com/?g
R3 - URLSearchHook: ContextSearch Class - {88351CEF-BAC0-4A9B-8380-31A173E2926F} - C:\Program Files\yok\toolbar.dll (file missing)
O2 - BHO: YOK³¬¼¶ËÑË÷ - {75FE2B5A-D3A4-4EFA-AC11-ADC9C9459688} - C:\Program Files\yok\toolbar.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {F869BB38-FFEF-4589-B986-610B7AD0ADA2} - (no file)
O4 - HKLM\..\Run: [symticr] C:\windows\system32\goo.exe
O4 - HKLM\..\Run: [Tlist] regsvr32 /s abskey.dll
O8 - Extra context menu item: YOK³¬¼¶ËÑË÷ - C:\Program Files\yok\yoksch.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: YOK³¬¼¶ËÑË÷ - {F869BB38-FFEF-4589-B986-610B7AD0ADA2} - http://www.yok.com (file missing)
O16 - DPF: {70EE0AA4-5A3A-4052-8FFA-2EEDA43F7942} (Innotive Cibrowser Control 1.1) - http://202.71.104.89...r_1_1_1_130.cab


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
C:\WINDOWS\system32\drivers\vcshow.sys
C:\WINDOWS\system32\drivers\vcplay.sys
C:\WINDOWS\system32\k113445601710.exe
C:\WINDOWS\system32\vcplay.exe
C:\WINDOWS\system32\vcshow.dll
C:\WINDOWS\system32\inf\MSLogin64.exe
C:\WINDOWS\system32\inf\d03.exe
C:\WINDOWS\system32\k11354865256.exe
C:\WINDOWS\system32\k11354934166.exe
C:\WINDOWS\Downloaded Program Files\jtlc3as.dll
C:\WINDOWS\d39.exe
C:\WINDOWS\web\related.htm

Folder::
C:\Program Files\yok


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall




Reboot and post a new HijackThis log
  • 0

#9
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Forgot to add this

Do this after the above post

Please download FixWareout from here:
http://downloads.sub.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. If your firewall gives an alert, (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Once the desktop loads please post the text that will open (report.txt) and a new Hijackthis log

If you have internet connection problems then do the following :

Please go to Start -> Control Panel, and choose Network Connections. Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically. Click OK twice, and restart your computer.
  • 0

#10
kuihkociboy

kuihkociboy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts

We are making progress don't worry

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://kzdh.com/?g
R3 - URLSearchHook: ContextSearch Class - {88351CEF-BAC0-4A9B-8380-31A173E2926F} - C:\Program Files\yok\toolbar.dll (file missing)
O2 - BHO: YOK³¬¼¶ËÑË÷ - {75FE2B5A-D3A4-4EFA-AC11-ADC9C9459688} - C:\Program Files\yok\toolbar.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {F869BB38-FFEF-4589-B986-610B7AD0ADA2} - (no file)
O4 - HKLM\..\Run: [symticr] C:\windows\system32\goo.exe
O4 - HKLM\..\Run: [Tlist] regsvr32 /s abskey.dll
O8 - Extra context menu item: YOK³¬¼¶ËÑË÷ - C:\Program Files\yok\yoksch.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: YOK³¬¼¶ËÑË÷ - {F869BB38-FFEF-4589-B986-610B7AD0ADA2} - http://www.yok.com (file missing)
O16 - DPF: {70EE0AA4-5A3A-4052-8FFA-2EEDA43F7942} (Innotive Cibrowser Control 1.1) - http://202.71.104.89...r_1_1_1_130.cab


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
C:\WINDOWS\system32\drivers\vcshow.sys
C:\WINDOWS\system32\drivers\vcplay.sys
C:\WINDOWS\system32\k113445601710.exe
C:\WINDOWS\system32\vcplay.exe
C:\WINDOWS\system32\vcshow.dll
C:\WINDOWS\system32\inf\MSLogin64.exe
C:\WINDOWS\system32\inf\d03.exe
C:\WINDOWS\system32\k11354865256.exe
C:\WINDOWS\system32\k11354934166.exe
C:\WINDOWS\Downloaded Program Files\jtlc3as.dll
C:\WINDOWS\d39.exe
C:\WINDOWS\web\related.htm

Folder::
C:\Program Files\yok


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall




Reboot and post a new HijackThis log


As requested this the log :) Thanks again your continous support!!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:33:52 AM, on 2/27/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Customizer XP\RAMIdle.exe
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Maxthon2\Maxthon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SE...S01?FORM=TOOLBR
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [RAM Idle] C:\Program Files\Customizer XP\RAMIdle.exe
O4 - HKLM\..\Run: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Ò»ÆðÀ´ÒôÀÖÉçÇø - {7DBC6ADB-5788-4FB9-AEC3-B40A58AC11DF} - http://www.yiqilai.com (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{038B2C61-CECC-4AB9-B7DC-BB0EA8D48331}: NameServer = 85.255.113.148,85.255.112.26
O17 - HKLM\System\CCS\Services\Tcpip\..\{2624DD52-7384-487D-9CC1-60749EC0B383}: NameServer = 85.255.113.148,85.255.112.26
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.148 85.255.112.26
O17 - HKLM\System\CS1\Services\Tcpip\..\{038B2C61-CECC-4AB9-B7DC-BB0EA8D48331}: NameServer = 85.255.113.148,85.255.112.26
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.148 85.255.112.26
O17 - HKLM\System\CS2\Services\Tcpip\..\{038B2C61-CECC-4AB9-B7DC-BB0EA8D48331}: NameServer = 85.255.113.148,85.255.112.26
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.148 85.255.112.26
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

--
End of file - 3870 bytes

I will do your next request right away!!!

Kuihkociboy
  • 0

Advertisements


#11
kuihkociboy

kuihkociboy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Hi Rorschach 112!

1)Below, is the report (from reprt.txt)from the Fixwareout software :-

Username "Administrator" - 02/27/2008 1:41:21 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.113.148 85.255.112.26" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{038B2C61-CECC-4AB9-B7DC-BB0EA8D48331}
"nameserver"="85.255.113.148,85.255.112.26" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{2624DD52-7384-487D-9CC1-60749EC0B383}
"nameserver"="85.255.113.148,85.255.112.26" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{2624DD52-7384-487D-9CC1-60749EC0B383}
"DhcpNameServer"="85.255.113.148,85.255.112.26" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{772ABBF5-B14F-4D78-B375-9594464BA9F7}
"DhcpNameServer"="85.255.113.148,85.255.112.26" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"RAM Idle"="C:\\Program Files\\Customizer XP\\RAMIdle.exe"
"SbUsb AudCtrl"="RunDll32 sbusbdll.dll,RCMonitor"
"WMC_AutoUpdate"=""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"BitComet"="\"C:\\Program Files\\BitComet\\BitComet.exe\""
"BitTorrent"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~


2) This a new HijackThis log after I have completed the Fixwareout scan:-
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:46:36 AM, on 2/27/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Customizer XP\RAMIdle.exe
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SE...S01?FORM=TOOLBR
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [RAM Idle] C:\Program Files\Customizer XP\RAMIdle.exe
O4 - HKLM\..\Run: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Ò»ÆðÀ´ÒôÀÖÉçÇø - {7DBC6ADB-5788-4FB9-AEC3-B40A58AC11DF} - http://www.yiqilai.com (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

--
End of file - 3063 bytes

What's next?.Do not worry about my 'working hours' even though it is now almost 2am in Kuala Lumpur, Malaysia. I am keen of solving this problem soonest possible!
  • 0

#12
kuihkociboy

kuihkociboy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Hey Rorschach 112,

I will be offline for a few hours. Keep me updated on my next step.
  • 0

#13
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Can you post the ComboFix log please
  • 0

#14
kuihkociboy

kuihkociboy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Here is the most recent combofix.txt contents:-
ComboFix 08-02-25.3 - Administrator 2008-02-27 1:24:38.3 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.141 [GMT 8:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\d39.exe
C:\WINDOWS\Downloaded Program Files\jtlc3as.dll
C:\WINDOWS\system32\drivers\vcplay.sys
C:\WINDOWS\system32\drivers\vcshow.sys
C:\WINDOWS\system32\inf\d03.exe
C:\WINDOWS\system32\inf\MSLogin64.exe
C:\WINDOWS\system32\k113445601710.exe
C:\WINDOWS\system32\k11354865256.exe
C:\WINDOWS\system32\k11354934166.exe
C:\WINDOWS\system32\vcplay.exe
C:\WINDOWS\system32\vcshow.dll
C:\WINDOWS\web\related.htm
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\d39.exe
C:\WINDOWS\Downloaded Program Files\jtlc3as.dll
C:\WINDOWS\system32\drivers\vcplay.sys
C:\WINDOWS\system32\drivers\vcshow.sys
C:\WINDOWS\system32\inf\d03.exe
C:\WINDOWS\system32\inf\MSLogin64.exe
C:\WINDOWS\system32\k113445601710.exe
C:\WINDOWS\system32\k11354865256.exe
C:\WINDOWS\system32\k11354934166.exe
C:\WINDOWS\system32\MXITJS.DLL
C:\WINDOWS\system32\vcplay.exe
C:\WINDOWS\system32\vcshow.dll
C:\WINDOWS\system32\wbem\IPYJWGQAOXHSC.MDA
C:\WINDOWS\system32\XIUHWHRBNXH.DLL
C:\WINDOWS\web\related.htm

.
((((((((((((((((((((((((( Files Created from 2008-01-26 to 2008-02-26 )))))))))))))))))))))))))))))))
.

2008-02-26 23:00 . 2008-02-26 23:00 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-26 23:00 . 2008-02-26 23:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-26 21:56 . 2008-02-26 21:56 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-26 21:51 . 2008-02-25 15:14 <DIR> d-------- C:\SDFix
2008-02-26 12:35 . 2008-02-26 12:35 <DIR> d-------- C:\Program Files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-07 09:40 34,904 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-28 19:41 13312]
"BitComet"="C:\Program Files\BitComet\BitComet.exe" [ ]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RAM Idle"="C:\Program Files\Customizer XP\RAMIdle.exe" [2002-05-01 12:29 104960]
"SbUsb AudCtrl"="sbusbdll.dll" [2005-05-26 17:52 128000 C:\WINDOWS\system32\sbusbdll.dll]
"WMC_AutoUpdate"="" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2005-12-26 08:20 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2005-12-25 16:27 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91976}"= UPS.dll [ ]

R3 ati2mtaa;ati2mtaa;C:\WINDOWS\System32\DRIVERS\ati2mtaa.sys [2002-08-28 23:16]
S3 sbusb;Sound Blaster USB Audio Driver;C:\WINDOWS\System32\DRIVERS\sbusb.sys [2005-06-10 09:39]
Stop Pending2 MSDCOMClient16;DCOM Service Process Manager;C:\WINDOWS\System32\svchost.exe [2001-08-23 04:00]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
MSDCOMClient16
enqe
MSDCOMClient32

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-27 01:29:38
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\devldr32.exe
.
**************************************************************************
.
Completion time: 2008-02-27 1:30:56 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-26 17:30:48
ComboFix3.txt 2008-02-26 04:51:16
ComboFix2.txt 2008-02-26 14:16:22
  • 0

#15
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Nearly there I think

You will need two posts for these logs, make sure all the information is there


1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91976}"=-
[-HKEY_CLASSES_ROOT\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91976}]


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall





Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan. Check all the boxes and click Start Scan
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.





Please download and unzip Icesword to its own folder on your desktop


If you get a lot of "red entries" in an IceSword log, don't panic.

Step 1 : Close all windows and run IceSword. Click the Processes tab and watch for processes displayed in red color. A red colored process in this list indicates that it's hidden. Write down the PathName of any processes in red color. Then click on LOG at the top left. It will prompt you to save the log, call this Processes and save it to your desktop.


Step 2 : Click the Win32 Services tab and look out for red colored entries in the services list. Write down the Module name of any services in red color, you will need to expand out the Module tab to see the full name. Then click on LOG. It will prompt you to save the log, call this Services and save it to your desktop.


Step 3 : Click the Startup tab and look out for red colored entries in the startup list. Write down the Path of any startup entries in red color. Then click on LOG. It will prompt you to save the log, call this Startup and save it to your desktop.


Step 4 : Click the SSDT tab and check for red colored entries. If there are any, write down the KModule name.


Step 5 : Click the Message Hooks tab and check for any entries that are underneath Type and labelled WH_KEYBOARD. Write down the Process Path of these entries if present.



Now post all of the data collected under the headings for :

Processes
Win32 Services
Startup
SSDT
Message Hooks

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP