Hijackthis.log



#1
zealmusic

zealmusic

    Member

  • Member
  • PipPip
  • 11 posts
I have recently noticed a huge slowdown in Internet Explorer and experienced pop-ups every time I go to a different website. I read some tutorial about malware removal from this site, downloaded Ad-Aware and Spybot, and did a scan and remove with those 2 programs. Then I downloaded HijackThis and did a scan; the following is the scan log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 下午 08:18:06, on 2008/3/7
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\zealmusic\Desktop\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O2 - BHO: (no name) - {3D368DD7-4F8E-43E8-A84B-20FD7D82DA76} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: {d8680ef8-3fa2-f99a-59e4-35697e724039} - {930427e7-9653-4e95-a99f-2af38fe0868d} - C:\WINDOWS\system32\jpqiggca.dll (file missing)
O2 - BHO: (no name) - {A32F1166-6F79-49A2-912B-A30B53858E73} - (no file)
O2 - BHO: (no name) - {C18BCA5D-8730-4A4C-96BF-D94E298D4BB7} - C:\WINDOWS\system32\ddcyx.dll (file missing)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5852F5ED-8BF4-11D4-A245-0080C6F74284} - http://cache2.vuze.c...a_Installer.cab
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan....bs/nanoinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\ZEALMU~1\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O20 - Winlogon Notify: ddcyx - C:\WINDOWS\system32\ddcyx.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

--
End of file - 6813 bytes


What steps should I proceed next?
Thanks in advance for the help!
  • 0

#2
sarahw

sarahw

    Malware Staff

  • Member
  • PipPipPipPipPip
  • 2,781 posts
Hi,
Welcome to the site

I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.

I want you to show hidden files. There are instructions HERE to help you do this.
You should have Administrator rights to perform the fixes. Some of the instructions I give may need to be printed or saved for reference during the fix. Some of the fix will be done in Safe Mode so you will be unable to access this thread at that time.
Please don't use any of the tools without specific instructions. Some of them are dangerous (and could leave your computer in worse condition than it is when infected) if used incorrectly.
These instructions should be read first, then followed. If you do not understand something, don't be afraid to ask, or see if I'm on chat. :)
  • 0

#3
sarahw

sarahw

    Malware Staff

  • Member
  • PipPipPipPipPip
  • 2,781 posts
Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
  • 0

#4
zealmusic

zealmusic

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Hi sarahw, thanks for the help!

I downloaded VundoFix to my desktop, but when I try to run it, I get an error saying:

Run-time error '339'
Component 'comdlg32.ocx' or one of its dependencies not correctly registered: a file is missing or invalid

How do I get VundoFix to run?
  • 0

#5
sarahw

sarahw

    Malware Staff

  • Member
  • PipPipPipPipPip
  • 2,781 posts
Download ComboFix from Here, Here, or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Edited by sarahw, 08 March 2008 - 08:27 PM.

  • 0

#6
zealmusic

zealmusic

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
I ran ComboFix and encountered something strange. While ComboFix was creating a log after the reboot, I received a pop-up from Spybot saying there's a change in the browser helper object registry, and it won't let me click deny change... so I clicked accept change... probably wasn't a good idea :) Now when I try to open Internet Explorer, it takes a good minute before it starts up.

Anyways, here's the combofix log:

ComboFix 08-03-08.2 - zealmusic 2008-03-09 0:37:55.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.950.1.1033.18.714 [GMT -7:00]
Running from: C:\Documents and Settings\zealmusic\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\zealmusic\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\zealmusic\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\zealmusic\Application Data\SCURIT~1
C:\WINDOWS\BM3f138836.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\command.pif
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\xycdd.bak1
C:\WINDOWS\system32\xycdd.bak2
C:\WINDOWS\system32\xycdd.ini
C:\WINDOWS\system32\xycdd.ini2
C:\WINDOWS\system32\xycdd.tmp
C:\WINDOWS\updater.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2008-02-09 to 2008-03-09 )))))))))))))))))))))))))))))))
.

2008-03-08 16:59 . 2008-03-08 16:59 244 --ah----- C:\sqmnoopt01.sqm
2008-03-08 16:59 . 2008-03-08 16:59 232 --ah----- C:\sqmdata01.sqm
2008-03-08 16:33 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-07 22:33 . 2008-03-07 22:33 244 --ah----- C:\sqmnoopt00.sqm
2008-03-07 22:33 . 2008-03-07 22:33 232 --ah----- C:\sqmdata00.sqm
2008-03-07 19:37 . 2008-03-07 20:14 202 --a------ C:\WINDOWS\wininit.ini
2008-03-07 18:06 . 2008-03-07 18:06 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-07 18:06 . 2008-03-07 20:16 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-03-07 17:48 . 2008-03-07 17:49 1,307,561 --ahs---- C:\WINDOWS\system32\cxfudruk.ini
2008-03-07 01:56 . 2008-03-07 01:56 1,308,019 --ahs---- C:\WINDOWS\system32\iadxnqnk.ini
2008-03-06 15:13 . 2008-03-06 20:20 1,306,686 --ahs---- C:\WINDOWS\system32\iksssybn.ini
2008-03-05 23:39 . 2008-03-05 23:39 1,308,134 --ahs---- C:\WINDOWS\system32\tlaupeyy.ini
2008-03-05 23:28 . 2008-03-05 23:39 <DIR> d-------- C:\Program Files\PhotoScape
2008-03-05 15:29 . 2008-03-05 20:07 1,307,383 --ahs---- C:\WINDOWS\system32\rxniknol.ini
2008-03-04 17:56 . 2008-03-04 19:00 1,302,865 --ahs---- C:\WINDOWS\system32\awqndiou.ini
2008-03-04 16:39 . 2008-03-04 16:39 294 --ahs---- C:\WINDOWS\system32\beuycsmg.ini
2008-03-03 18:11 . 2008-03-03 18:38 1,302,451 --ahs---- C:\WINDOWS\system32\jrlufpus.ini
2008-03-03 17:06 . 2008-03-03 17:06 294 --ahs---- C:\WINDOWS\system32\aewymprj.ini
2008-03-03 01:18 . 2008-03-03 02:02 1,286,289 --ahs---- C:\WINDOWS\system32\jcxktmgs.ini
2008-03-02 23:41 . 2008-03-02 23:41 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-02 23:41 . 2008-03-02 23:42 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2008-03-02 23:13 . 2008-03-02 23:13 <DIR> d-------- C:\Program Files\Panda Security
2008-03-02 21:59 . 2008-03-03 00:11 294 --ahs---- C:\WINDOWS\system32\dqbdhyqg.ini
2008-03-02 03:48 . 2008-03-02 03:48 1,285,961 --ahs---- C:\WINDOWS\system32\cxvpsxdq.ini
2008-03-01 05:28 . 2008-03-01 05:28 1,285,961 --ahs---- C:\WINDOWS\system32\hhffmcha.ini
2008-03-01 03:26 . 2008-03-01 04:08 1,285,979 --ahs---- C:\WINDOWS\system32\nueqjlwb.ini
2008-02-28 15:03 . 2008-02-28 15:32 1,243,084 --ahs---- C:\WINDOWS\system32\hpcielff.ini
2008-02-27 16:01 . 2008-02-27 16:07 1,246,645 --ahs---- C:\WINDOWS\system32\iehhodiu.ini
2008-02-26 20:34 . 2008-02-26 23:37 1,261,775 --ahs---- C:\WINDOWS\system32\ldirsarm.ini
2008-02-26 04:15 . 2008-02-26 16:52 1,260,184 --ahs---- C:\WINDOWS\system32\dakkpexw.ini
2008-02-25 11:58 . 2008-02-25 14:09 1,260,202 --ahs---- C:\WINDOWS\system32\tujrkuii.ini
2008-02-24 14:42 . 2008-02-24 14:55 1,253,732 --ahs---- C:\WINDOWS\system32\iyaxowyj.ini
2008-02-24 02:12 . 2008-02-24 02:12 294 --ahs---- C:\WINDOWS\system32\hlrffynd.ini
2008-02-22 16:08 . 2008-02-22 17:37 1,253,732 --ahs---- C:\WINDOWS\system32\vlvvivmr.ini
2008-02-21 15:01 . 2008-02-21 15:01 1,253,381 --ahs---- C:\WINDOWS\system32\mihpswob.ini
2008-02-20 15:59 . 2008-02-20 16:44 1,244,532 --ahs---- C:\WINDOWS\system32\fxvitghp.ini
2008-02-19 23:45 . 2008-02-19 23:45 1,241,960 --ahs---- C:\WINDOWS\system32\gypwurlh.ini
2008-02-19 17:33 . 2008-02-19 17:33 294 --ahs---- C:\WINDOWS\system32\xbdtwxyx.ini
2008-02-18 21:10 . 2008-02-18 21:10 1,238,253 --ahs---- C:\WINDOWS\system32\kuskqetq.ini
2008-02-18 14:47 . 2008-02-18 14:47 1,238,253 --ahs---- C:\WINDOWS\system32\dqwgnsqe.ini
2008-02-17 13:23 . 2008-02-18 13:23 1,248,347 --ahs---- C:\WINDOWS\system32\iyrywkpm.ini
2008-02-16 17:16 . 2008-02-16 17:16 1,248,347 --ahs---- C:\WINDOWS\system32\enqpaart.ini
2008-02-15 15:49 . 2008-02-15 15:50 1,248,347 --ahs---- C:\WINDOWS\system32\mahiunyw.ini
2008-02-15 13:17 . 2008-02-15 13:17 1,248,347 --ahs---- C:\WINDOWS\system32\crnmddwc.ini
2008-02-14 15:05 . 2008-02-14 15:05 1,242,240 --ahs---- C:\WINDOWS\system32\hsrvbeqf.ini
2008-02-14 12:59 . 2008-02-14 12:59 1,242,240 --ahs---- C:\WINDOWS\system32\glwyuciw.ini
2008-02-14 12:44 . 2008-02-14 12:45 1,242,240 --ahs---- C:\WINDOWS\system32\upttwtra.ini
2008-02-12 17:59 . 2008-02-12 17:59 <DIR> d-------- C:\Program Files\Koei

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-08 23:32 --------- d-----w C:\Program Files\Java
2008-03-03 06:41 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-13 01:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-11 09:32 --------- d-----w C:\Program Files\RebirthRO
2008-02-03 09:37 --------- d-----w C:\Program Files\BitComet
2008-01-29 00:51 --------- d-----w C:\Program Files\武林群俠傳
2008-01-13 00:20 --------- d-----w C:\Program Files\Ahead
2008-01-13 00:20 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Ahead
2008-01-11 09:35 --------- d-----w C:\Program Files\Gabest
2008-01-11 09:31 --------- d-----w C:\Program Files\Real Alternative
2008-01-11 09:31 --------- d-----w C:\Documents and Settings\zealmusic\Application Data\Media Player Classic
2008-01-11 09:29 --------- d-----w C:\Program Files\Common Files\Real
2007-12-27 21:17 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-12-14 18:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3D368DD7-4F8E-43E8-A84B-20FD7D82DA76}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{930427e7-9653-4e95-a99f-2af38fe0868d}]
C:\WINDOWS\system32\jpqiggca.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A32F1166-6F79-49A2-912B-A30B53858E73}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C18BCA5D-8730-4A4C-96BF-D94E298D4BB7}]
C:\WINDOWS\system32\ddcyx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2007-12-14 06:18 482760]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 17:14 8491008]
"nwiz"="nwiz.exe" [2007-10-04 17:14 1626112 C:\WINDOWS\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-07-22 00:00 81920 C:\WINDOWS\SOUNDMAN.EXE]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" [2005-10-27 15:47 3296256]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-04 17:14 81920]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-08-08 23:03 221184]
"ISUSScheduler"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" [2004-08-08 23:03 81920]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 05:00 15360]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 13:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
nnnmkkh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcyx]
C:\WINDOWS\system32\ddcyx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Downloads\\eMule\\eMule\\emule.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\NJStar Communicator\\MINISMTP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\FlashGet\\flashget.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18892:TCP"= 18892:TCP:BitComet 18892 TCP
"18892:UDP"= 18892:UDP:BitComet 18892 UDP

R0 SSI;SSI;C:\WINDOWS\system32\Drivers\SSI.SYS [2005-10-27 15:39]
R1 prodrv04;Star Force copy protection driver v4;C:\WINDOWS\system32\drivers\prodrv04.sys [2007-08-08 18:53]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a92adc8-b3ff-11dc-b4df-0013d3adcfb1}]
\Shell\AutoRun\command - E:\Autorun.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-09 00:41:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-03-09 0:43:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-09 07:43:32
.
2008-02-13 10:02:37 --- E O F ---
  • 0

#7
zealmusic

zealmusic

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
and the HijackThis report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 上午 12:46:28, on 2008/3/9
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\zealmusic\Desktop\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O2 - BHO: (no name) - {3D368DD7-4F8E-43E8-A84B-20FD7D82DA76} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: {d8680ef8-3fa2-f99a-59e4-35697e724039} - {930427e7-9653-4e95-a99f-2af38fe0868d} - C:\WINDOWS\system32\jpqiggca.dll (file missing)
O2 - BHO: (no name) - {A32F1166-6F79-49A2-912B-A30B53858E73} - (no file)
O2 - BHO: (no name) - {C18BCA5D-8730-4A4C-96BF-D94E298D4BB7} - C:\WINDOWS\system32\ddcyx.dll (file missing)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5852F5ED-8BF4-11D4-A245-0080C6F74284} (isInstalled Class) - http://cache2.vuze.c...a_Installer.cab
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan....bs/nanoinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\ZEALMU~1\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O20 - Winlogon Notify: ddcyx - C:\WINDOWS\system32\ddcyx.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

--
End of file - 7306 bytes
  • 0

#8
zealmusic

zealmusic

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
err.. nevermind about the slow IE startup :)
I disabled the java stuff and it starts up a lot faster now
  • 0

#9
sarahw

sarahw

    Malware Staff

  • Member
  • PipPipPipPipPip
  • 2,781 posts
We'll delete those BHOs now. Enable Java and update it; there are instructions in the last step.
When you have updated it, go into Add/Remove programs and delete any old version of java you have as Vundo uses them as an exploit.

1.
While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.


2.
Updating Java and Clearing Cache
  • Go to Start > Control Panel and double-click on the Java Icon (coffee cup) in the Control Panel.
  • It will say "Java Plug-in" under the icon.
    Please find the update button or tab in the Java Control Panel. Update your Java then reboot.
  • If you are unable to update you can manually update by going here:
  • After the reboot, go back into the Control Panel and double-click the Java Icon.
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - Leave ALL 3 Checked
    Downloaded Applets
    Downloaded Applications
    Other Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.


3.
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\cxvpsxdq.ini
C:\WINDOWS\system32\hhffmcha.ini
C:\WINDOWS\system32\nueqjlwb.ini
C:\WINDOWS\system32\hpcielff.ini
C:\WINDOWS\system32\iehhodiu.ini
C:\WINDOWS\system32\ldirsarm.ini
C:\WINDOWS\system32\dakkpexw.ini
C:\WINDOWS\system32\tujrkuii.ini
C:\WINDOWS\system32\iyaxowyj.ini
C:\WINDOWS\system32\hlrffynd.ini
C:\WINDOWS\system32\vlvvivmr.ini
C:\WINDOWS\system32\mihpswob.ini
C:\WINDOWS\system32\fxvitghp.ini
C:\WINDOWS\system32\gypwurlh.ini
C:\WINDOWS\system32\xbdtwxyx.ini
C:\WINDOWS\system32\kuskqetq.ini
C:\WINDOWS\system32\dqwgnsqe.ini
C:\WINDOWS\system32\iyrywkpm.ini
C:\WINDOWS\system32\enqpaart.ini
C:\WINDOWS\system32\mahiunyw.ini
C:\WINDOWS\system32\crnmddwc.ini
C:\WINDOWS\system32\hsrvbeqf.ini
C:\WINDOWS\system32\glwyuciw.ini
C:\WINDOWS\system32\upttwtra.ini
C:\WINDOWS\system32\dqbdhyqg.ini
C:\WINDOWS\system32\rxniknol.ini
C:\WINDOWS\system32\awqndiou.ini
C:\WINDOWS\system32\beuycsmg.ini
C:\WINDOWS\system32\jrlufpus.ini
C:\WINDOWS\system32\aewymprj.ini
C:\WINDOWS\system32\jcxktmgs.ini
C:\WINDOWS\system32\cxfudruk.ini
C:\WINDOWS\system32\nnnmkkh.dll
C:\WINDOWS\system32\ddcyx.dll
C:\WINDOWS\system32\jpqiggca.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3D368DD7-4F8E-43E8-A84B-20FD7D82DA76}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{930427e7-9653-4e95-a99f-2af38fe0868d}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A32F1166-6F79-49A2-912B-A30B53858E73}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C18BCA5D-8730-4A4C-96BF-D94E298D4BB7}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcyx]



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. After the reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.

Edited by sarahw, 09 March 2008 - 04:43 AM.


#10
zealmusic (Topic Starter)
Disabled TeaTimer and deleted old Java stuff.

Here is the new combofix log:

ComboFix 08-03-08.2 - zealmusic 2008-03-09 9:33:38.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.950.1.1033.18.674 [GMT -6:00]
Running from: C:\Documents and Settings\zealmusic\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\zealmusic\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\aewymprj.ini
C:\WINDOWS\system32\awqndiou.ini
C:\WINDOWS\system32\beuycsmg.ini
C:\WINDOWS\system32\crnmddwc.ini
C:\WINDOWS\system32\cxfudruk.ini
C:\WINDOWS\system32\cxvpsxdq.ini
C:\WINDOWS\system32\dakkpexw.ini
C:\WINDOWS\system32\ddcyx.dll
C:\WINDOWS\system32\dqbdhyqg.ini
C:\WINDOWS\system32\dqwgnsqe.ini
C:\WINDOWS\system32\enqpaart.ini
C:\WINDOWS\system32\fxvitghp.ini
C:\WINDOWS\system32\glwyuciw.ini
C:\WINDOWS\system32\gypwurlh.ini
C:\WINDOWS\system32\hhffmcha.ini
C:\WINDOWS\system32\hlrffynd.ini
C:\WINDOWS\system32\hpcielff.ini
C:\WINDOWS\system32\hsrvbeqf.ini
C:\WINDOWS\system32\iehhodiu.ini
C:\WINDOWS\system32\iyaxowyj.ini
C:\WINDOWS\system32\iyrywkpm.ini
C:\WINDOWS\system32\jcxktmgs.ini
C:\WINDOWS\system32\jpqiggca.dll
C:\WINDOWS\system32\jrlufpus.ini
C:\WINDOWS\system32\kuskqetq.ini
C:\WINDOWS\system32\ldirsarm.ini
C:\WINDOWS\system32\mahiunyw.ini
C:\WINDOWS\system32\mihpswob.ini
C:\WINDOWS\system32\nnnmkkh.dll
C:\WINDOWS\system32\nueqjlwb.ini
C:\WINDOWS\system32\rxniknol.ini
C:\WINDOWS\system32\tujrkuii.ini
C:\WINDOWS\system32\upttwtra.ini
C:\WINDOWS\system32\vlvvivmr.ini
C:\WINDOWS\system32\xbdtwxyx.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\aewymprj.ini
C:\WINDOWS\system32\awqndiou.ini
C:\WINDOWS\system32\beuycsmg.ini
C:\WINDOWS\system32\crnmddwc.ini
C:\WINDOWS\system32\cxfudruk.ini
C:\WINDOWS\system32\cxvpsxdq.ini
C:\WINDOWS\system32\dakkpexw.ini
C:\WINDOWS\system32\dqbdhyqg.ini
C:\WINDOWS\system32\dqwgnsqe.ini
C:\WINDOWS\system32\enqpaart.ini
C:\WINDOWS\system32\fxvitghp.ini
C:\WINDOWS\system32\glwyuciw.ini
C:\WINDOWS\system32\gypwurlh.ini
C:\WINDOWS\system32\hhffmcha.ini
C:\WINDOWS\system32\hlrffynd.ini
C:\WINDOWS\system32\hpcielff.ini
C:\WINDOWS\system32\hsrvbeqf.ini
C:\WINDOWS\system32\iehhodiu.ini
C:\WINDOWS\system32\iyaxowyj.ini
C:\WINDOWS\system32\iyrywkpm.ini
C:\WINDOWS\system32\jcxktmgs.ini
C:\WINDOWS\system32\jrlufpus.ini
C:\WINDOWS\system32\kuskqetq.ini
C:\WINDOWS\system32\ldirsarm.ini
C:\WINDOWS\system32\mahiunyw.ini
C:\WINDOWS\system32\mihpswob.ini
C:\WINDOWS\system32\nueqjlwb.ini
C:\WINDOWS\system32\rxniknol.ini
C:\WINDOWS\system32\tujrkuii.ini
C:\WINDOWS\system32\upttwtra.ini
C:\WINDOWS\system32\vlvvivmr.ini
C:\WINDOWS\system32\xbdtwxyx.ini

.
((((((((((((((((((((((((( Files Created from 2008-02-09 to 2008-03-09 )))))))))))))))))))))))))))))))
.

2008-03-08 17:59 . 2008-03-08 17:59 244 --ah----- C:\sqmnoopt01.sqm
2008-03-08 17:59 . 2008-03-08 17:59 232 --ah----- C:\sqmdata01.sqm
2008-03-08 17:33 . 2008-02-22 03:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-07 23:33 . 2008-03-07 23:33 244 --ah----- C:\sqmnoopt00.sqm
2008-03-07 23:33 . 2008-03-07 23:33 232 --ah----- C:\sqmdata00.sqm
2008-03-07 20:37 . 2008-03-07 21:14 202 --a------ C:\WINDOWS\wininit.ini
2008-03-07 19:06 . 2008-03-07 19:06 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-07 19:06 . 2008-03-07 21:16 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-03-07 02:56 . 2008-03-07 02:56 1,308,019 --ahs---- C:\WINDOWS\system32\iadxnqnk.ini
2008-03-06 16:13 . 2008-03-06 21:20 1,306,686 --ahs---- C:\WINDOWS\system32\iksssybn.ini
2008-03-06 00:39 . 2008-03-06 00:39 1,308,134 --ahs---- C:\WINDOWS\system32\tlaupeyy.ini
2008-03-06 00:28 . 2008-03-06 00:39 <DIR> d-------- C:\Program Files\PhotoScape
2008-03-03 00:41 . 2008-03-03 00:41 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-03 00:41 . 2008-03-03 00:42 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2008-03-03 00:13 . 2008-03-03 00:13 <DIR> d-------- C:\Program Files\Panda Security
2008-02-12 18:59 . 2008-02-12 18:59 <DIR> d-------- C:\Program Files\Koei

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-08 23:32 --------- d-----w C:\Program Files\Java
2008-03-03 06:41 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-13 01:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-11 09:32 --------- d-----w C:\Program Files\RebirthRO
2008-02-03 09:37 --------- d-----w C:\Program Files\BitComet
2008-01-29 00:51 --------- d-----w C:\Program Files\武林群俠傳
2008-01-13 00:20 --------- d-----w C:\Program Files\Ahead
2008-01-13 00:20 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Ahead
2008-01-11 09:35 --------- d-----w C:\Program Files\Gabest
2008-01-11 09:31 --------- d-----w C:\Program Files\Real Alternative
2008-01-11 09:31 --------- d-----w C:\Documents and Settings\zealmusic\Application Data\Media Player Classic
2008-01-11 09:29 --------- d-----w C:\Program Files\Common Files\Real
2007-12-27 21:17 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-12-14 18:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
.

((((((((((((((((((((((((((((( [email protected]_ 0.42.52.26 )))))))))))))))))))))))))))))))))))))))))
.
- 2000-08-31 15:00:00 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
+ 2000-08-31 14:00:00 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
- 2000-08-31 15:00:00 28,160 ----a-w C:\WINDOWS\Nircmd.exe
+ 2000-08-31 14:00:00 28,160 ----a-w C:\WINDOWS\Nircmd.exe
- 2000-08-31 15:00:00 161,792 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2000-08-31 14:00:00 161,792 ----a-w C:\WINDOWS\system32\swreg.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3D368DD7-4F8E-43E8-A84B-20FD7D82DA76}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{930427e7-9653-4e95-a99f-2af38fe0868d}]
C:\WINDOWS\system32\jpqiggca.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A32F1166-6F79-49A2-912B-A30B53858E73}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C18BCA5D-8730-4A4C-96BF-D94E298D4BB7}]
C:\WINDOWS\system32\ddcyx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2007-12-14 07:18 482760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 18:14 8491008]
"nwiz"="nwiz.exe" [2007-10-04 18:14 1626112 C:\WINDOWS\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-07-22 01:00 81920 C:\WINDOWS\SOUNDMAN.EXE]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" [2005-10-27 16:47 3296256]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-04 18:14 81920]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-08-09 00:03 221184]
"ISUSScheduler"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" [2004-08-09 00:03 81920]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 06:00 15360]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 14:05:56 65588]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
nnnmkkh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcyx]
C:\WINDOWS\system32\ddcyx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Downloads\\eMule\\eMule\\emule.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\NJStar Communicator\\MINISMTP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\FlashGet\\flashget.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18892:TCP"= 18892:TCP:BitComet 18892 TCP
"18892:UDP"= 18892:UDP:BitComet 18892 UDP

R0 SSI;SSI;C:\WINDOWS\system32\Drivers\SSI.SYS [2005-10-27 16:39]
R1 prodrv04;Star Force copy protection driver v4;C:\WINDOWS\system32\drivers\prodrv04.sys [2007-08-08 19:53]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a92adc8-b3ff-11dc-b4df-0013d3adcfb1}]
\Shell\AutoRun\command - E:\Autorun.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-09 09:37:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-09 9:39:12
ComboFix-quarantined-files.txt 2008-03-09 15:39:07
ComboFix2.txt 2008-03-09 07:43:40
.
2008-02-13 10:02:37 --- E O F ---

#11
zealmusic (Topic Starter)
And here's the hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 上午 09:56:56, on 2008/3/9
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\zealmusic\Desktop\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5852F5ED-8BF4-11D4-A245-0080C6F74284} (isInstalled Class) - http://cache2.vuze.c...a_Installer.cab
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan....bs/nanoinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\ZEALMU~1\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

--
End of file - 6496 bytes

#12
sarahw (Malware Staff)
1.
  • Please re-open HijackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below:

    O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\

  • Now close all windows other than HijackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.


2.
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\iadxnqnk.ini
C:\WINDOWS\system32\iksssybn.ini
C:\WINDOWS\system32\tlaupeyy.ini
C:\WINDOWS\system32\jpqiggca.dll
C:\WINDOWS\system32\ddcyx.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3D368DD7-4F8E-43E8-A84B-20FD7D82DA76}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{930427e7-9653-4e95-a99f-2af38fe0868d}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A32F1166-6F79-49A2-912B-A30B53858E73}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C18BCA5D-8730-4A4C-96BF-D94E298D4BB7}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcyx]



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. After the reboot (if your computer doesn't automatically reboot, please do so), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.

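Both CFScript steps in this thread (post #9 and post #12) do the same thing: hand ComboFix a File:: list of modules to remove and a Registry:: list of keys to delete, each key written as [-KEY], after the helper has read the HijackThis log and picked out the entries that do not belong. The Python script below is an added example, not code from this thread, from HijackThis or from ComboFix. It encodes the three patterns the helper acted on by hand (random-looking lowercase module names in system32, a BHO CLSID with no file behind it, and a Winlogon Notify entry that points at a bare directory) and drafts a CFScript in the same layout for an analyst to review. The O2 line for jpqiggca.dll, the "(no name)"/"(no file)" wording and the KNOWN_GOOD allowlist are constructed for the example; the other sample lines are copied from the logs posted above.

```python
"""Triage HijackThis log lines and draft a ComboFix CFScript from what gets flagged.

Added example for this thread; not part of HijackThis or ComboFix. The
heuristics mirror what the helper did by hand: random-looking module names in
system32, BHO registrations with no file behind them, and Winlogon Notify
entries that point at a directory rather than a DLL.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: three lines copied from the thread's logs plus a
# hypothetical O2 line for the random-named BHO DLL that ComboFix reported.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {930427e7-9653-4e95-a99f-2af38fe0868d} - C:\WINDOWS\system32\jpqiggca.dll
O2 - BHO: (no name) - {3D368DD7-4F8E-43E8-A84B-20FD7D82DA76} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
"""

SECTION_RE = re.compile(r"^O\d+$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# First drive-letter path on the line; stops at a quote or a comma (rundll32 args).
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]*')
# Vundo-style names seen in this thread: 5-8 lowercase letters, .dll or .ini.
RANDOM_NAME_RE = re.compile(r"^[a-z]{5,8}\.(?:dll|ini)$")
SYSTEM32 = r"c:\windows\system32"
# Constructed allowlist: legitimate lowercase names the pattern would otherwise hit.
# A real deployment would compare against a full known-good inventory instead.
KNOWN_GOOD = {"ntdll.dll", "msvcrt.dll", "shlwapi.dll", "wininet.dll",
              "urlmon.dll", "mshtml.dll", "browseui.dll", "version.dll"}


@dataclass
class Entry:
    section: str            # "O2", "O4", "O20", ...
    label: str              # text between the section tag and the first " - "
    clsid: Optional[str]
    path: Optional[str]
    raw: str


@dataclass
class Finding:
    entry: Entry
    reason: str


def extract_path(text: str) -> Optional[str]:
    m = PATH_RE.search(text)
    return m.group(0).rstrip() if m else None


def parse_hjt(text: str) -> list[Entry]:
    """Parse the 'Oxx - ...' lines of a HijackThis log; every other line is skipped."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        if " - " not in raw:
            continue
        section, rest = raw.split(" - ", 1)
        if not SECTION_RE.match(section):
            continue
        m = CLSID_RE.search(rest)
        entries.append(Entry(section, rest.split(" - ")[0],
                             m.group(0) if m else None, extract_path(rest), raw))
    return entries


def triage(entries: list[Entry]) -> list[Finding]:
    """Apply the three heuristics; every hit still needs analyst confirmation."""
    findings = []
    for e in entries:
        if e.path:
            directory, name = ntpath.split(e.path)   # name is "" for a bare directory
            if (directory.lower() == SYSTEM32 and RANDOM_NAME_RE.match(name)
                    and name.lower() not in KNOWN_GOOD):
                findings.append(Finding(e, "random-looking module name in system32"))
            elif e.section == "O20" and not name:
                findings.append(Finding(e, "Winlogon Notify entry points at a directory, not a DLL"))
        elif e.section == "O2" and e.clsid:
            findings.append(Finding(e, "BHO registered with no module on disk"))
    return findings


def delete_key(parent: str, leaf: str) -> str:
    """ComboFix deletes a key when it is listed as [-KEY] under Registry::."""
    return "[-" + parent + "\\" + leaf + "]"


def build_cfscript(findings: list[Finding]) -> str:
    """Draft CFScript.txt in the File::/Registry:: layout used in this thread."""
    files, keys = [], []
    for f in findings:
        e = f.entry
        if e.path and ntpath.basename(e.path):     # skip bare directories
            files.append(e.path)
        if e.section == "O2" and e.clsid:
            keys.append(delete_key(r"HKEY_LOCAL_MACHINE\~\Browser Helper Objects", e.clsid))
        elif e.section == "O20":
            notify_name = e.label.split(": ", 1)[1]
            keys.append(delete_key(
                r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify",
                notify_name))
    lines = []
    if files:
        lines += ["File::", *sorted(set(files)), ""]
    if keys:
        lines += ["Registry::", *keys]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = triage(parse_hjt(SAMPLE_LOG))
    for f in found:
        print(f"{f.entry.section}: {f.reason}\n    {f.entry.raw}")
    print(build_cfscript(found))
```

Run it as a script to see the flagged lines followed by the draft. The name heuristic is deliberately loose and will hit legitimate lowercase modules such as ntdll.dll, which is exactly why the allowlist exists and why the output is a draft for a person to read, not a script to feed to ComboFix unreviewed.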

#13
zealmusic (Topic Starter)
Here is the new combofix log:

ComboFix 08-03-08.2 - zealmusic 2008-03-10 1:08:34.3 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.950.1.1033.18.821 [GMT -6:00]
Running from: C:\Documents and Settings\zealmusic\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\zealmusic\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\ddcyx.dll
C:\WINDOWS\system32\iadxnqnk.ini
C:\WINDOWS\system32\iksssybn.ini
C:\WINDOWS\system32\jpqiggca.dll
C:\WINDOWS\system32\tlaupeyy.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\iadxnqnk.ini
C:\WINDOWS\system32\iksssybn.ini
C:\WINDOWS\system32\tlaupeyy.ini

.
((((((((((((((((((((((((( Files Created from 2008-02-10 to 2008-03-10 )))))))))))))))))))))))))))))))
.

2008-03-10 01:06 . 2008-03-10 01:06 <DIR> d-------- C:\Documents and Settings\NetworkService.NT AUTHORITY.000\Application Data\Webroot
2008-03-08 17:59 . 2008-03-08 17:59 244 --ah----- C:\sqmnoopt01.sqm
2008-03-08 17:59 . 2008-03-08 17:59 232 --ah----- C:\sqmdata01.sqm
2008-03-08 17:33 . 2008-02-22 03:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-07 23:33 . 2008-03-07 23:33 244 --ah----- C:\sqmnoopt00.sqm
2008-03-07 23:33 . 2008-03-07 23:33 232 --ah----- C:\sqmdata00.sqm
2008-03-07 20:37 . 2008-03-07 21:14 202 --a------ C:\WINDOWS\wininit.ini
2008-03-07 19:06 . 2008-03-07 19:06 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-07 19:06 . 2008-03-07 21:16 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-03-06 00:28 . 2008-03-06 00:39 <DIR> d-------- C:\Program Files\PhotoScape
2008-03-03 00:41 . 2008-03-03 00:41 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-03 00:41 . 2008-03-03 00:42 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2008-03-03 00:13 . 2008-03-03 00:13 <DIR> d-------- C:\Program Files\Panda Security
2008-02-12 18:59 . 2008-02-12 18:59 <DIR> d-------- C:\Program Files\Koei

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-08 23:32 --------- d-----w C:\Program Files\Java
2008-03-03 06:41 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-13 01:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-11 09:32 --------- d-----w C:\Program Files\RebirthRO
2008-02-03 09:37 --------- d-----w C:\Program Files\BitComet
2008-01-29 00:51 --------- d-----w C:\Program Files\武林群俠傳
2008-01-13 00:20 --------- d-----w C:\Program Files\Ahead
2008-01-13 00:20 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Ahead
2008-01-11 09:35 --------- d-----w C:\Program Files\Gabest
2008-01-11 09:31 --------- d-----w C:\Program Files\Real Alternative
2008-01-11 09:31 --------- d-----w C:\Documents and Settings\zealmusic\Application Data\Media Player Classic
2008-01-11 09:29 --------- d-----w C:\Program Files\Common Files\Real
2007-12-27 21:17 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-12-14 18:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
.

((((((((((((((((((((((((((((( [email protected]_ 0.42.52.26 )))))))))))))))))))))))))))))))))))))))))
.
- 2000-08-31 15:00:00 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
+ 2000-08-31 14:00:00 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
- 2000-08-31 15:00:00 28,160 ----a-w C:\WINDOWS\Nircmd.exe
+ 2000-08-31 14:00:00 28,160 ----a-w C:\WINDOWS\Nircmd.exe
- 2007-11-04 20:20:12 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-03-09 15:56:39 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-11-04 20:20:12 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-03-09 15:56:39 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2000-08-31 15:00:00 161,792 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2000-08-31 14:00:00 161,792 ----a-w C:\WINDOWS\system32\swreg.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2007-12-14 07:18 482760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 18:14 8491008]
"nwiz"="nwiz.exe" [2007-10-04 18:14 1626112 C:\WINDOWS\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-07-22 01:00 81920 C:\WINDOWS\SOUNDMAN.EXE]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" [2005-10-27 16:47 3296256]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-04 18:14 81920]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-08-09 00:03 221184]
"ISUSScheduler"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" [2004-08-09 00:03 81920]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 06:00 15360]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 14:05:56 65588]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Downloads\\eMule\\eMule\\emule.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\NJStar Communicator\\MINISMTP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\FlashGet\\flashget.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18892:TCP"= 18892:TCP:BitComet 18892 TCP
"18892:UDP"= 18892:UDP:BitComet 18892 UDP

R0 SSI;SSI;C:\WINDOWS\system32\Drivers\SSI.SYS [2005-10-27 16:39]
S1 prodrv04;Star Force copy protection driver v4;C:\WINDOWS\system32\drivers\prodrv04.sys [2007-08-08 19:53]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a92adc8-b3ff-11dc-b4df-0013d3adcfb1}]
\Shell\AutoRun\command - E:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a92adcc-b3ff-11dc-b4df-0013d3adcfb1}]
\Shell\AutoRun\command - E:\AutoRun.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-10 01:10:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-10 1:11:31
ComboFix-quarantined-files.txt 2008-03-10 07:11:18
ComboFix2.txt 2008-03-09 15:39:14
ComboFix3.txt 2008-03-09 07:43:40
.
2008-02-13 10:02:37 --- E O F ---

#14
zealmusic (Topic Starter)
and the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 上午 01:27:32, on 2008/3/10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\zealmusic\Desktop\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5852F5ED-8BF4-11D4-A245-0080C6F74284} (isInstalled Class) - http://cache2.vuze.c...a_Installer.cab
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan....bs/nanoinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\ZEALMU~1\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

--
End of file - 6118 bytes
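Of the sections in a log like the one above, the O16 (Downloaded Program Files) lines deserve the first look: each one is an ActiveX control that Internet Explorer installed from a CAB, and the entry records where that CAB came from. Three of the four O16 entries in this log point at web hosts, while the last one points at a CAB unpacked from a .chm sitting in the user's Temp folder (an mk:@MSITStore: path), which is not where a vendor's installer normally lives. The following is an added example, not part of the thread and not HijackThis code: a small parser for the log layout shown, with a check that flags O16 entries whose source is not a web URL or that sit under a Temp directory. The sample lines are copied from the log above (the URLs the forum truncated with "..." are kept as they appear); the field names and the classification rules are this example's own assumptions.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the same layout as the log posted above. The O16 lines are copied
# from that log, including the URLs the forum truncated with "..."; they are treated as data only.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O16 - DPF: {5852F5ED-8BF4-11D4-A245-0080C6F74284} (isInstalled Class) - http://cache2.vuze.c...a_Installer.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\ZEALMU~1\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Every HijackThis entry starts with a section tag ("O4", "O16", "R1", ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")

# O16 body layout assumed here: DPF: {CLSID} (optional friendly name) - source
# The name is matched lazily because it may itself contain " - " (see the MSN Games line).
DPF_RE = re.compile(
    r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\})(?: \((?P<name>.*?)\))? - (?P<source>.+)$"
)


@dataclass
class DpfEntry:
    clsid: str
    name: Optional[str]   # None when HijackThis printed no friendly name
    source: str           # URL or local path the CAB was installed from


def parse_entries(log: str) -> list[tuple[str, str]]:
    """Return (section, body) pairs for every entry line; headers and blank lines are skipped."""
    out = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m["section"], m["body"]))
    return out


def section_counts(log: str) -> Counter:
    """How many entries of each section tag the log contains (useful for a quick overview)."""
    return Counter(section for section, _ in parse_entries(log))


def parse_dpf(log: str) -> list[DpfEntry]:
    """Extract the O16 (Downloaded Program Files) entries into structured records."""
    entries = []
    for section, body in parse_entries(log):
        if section != "O16":
            continue
        m = DPF_RE.match(body)
        if not m:
            continue  # unexpected O16 layout: skip rather than guess at the fields
        entries.append(DpfEntry(m["clsid"], m["name"], m["source"]))
    return entries


def classify_source(source: str) -> str:
    """Coarse origin class of a DPF source string (assumed categories, not HijackThis's own)."""
    s = source.lower()
    if s.startswith(("mk:@msitstore:", "its:", "ms-its:")):
        return "local-chm"        # CAB pulled out of a compiled HTML help file on disk
    if s.startswith("file:") or re.match(r"^[a-z]:\\", s):
        return "local-file"
    if s.startswith(("http://", "https://")):
        return "remote-http"
    return "other"


def flag_dpf(log: str) -> list[tuple[DpfEntry, str]]:
    """Return the O16 entries worth a closer look, each with the reasons it was flagged."""
    flagged = []
    for entry in parse_dpf(log):
        reasons = []
        kind = classify_source(entry.source)
        if kind != "remote-http":
            reasons.append(f"source is {kind}, not a web URL")
        if "\\temp\\" in entry.source.lower():
            reasons.append("source lives under a Temp directory")
        if entry.name is None:
            reasons.append("control has no friendly name (weak signal on its own)")
        if reasons:
            flagged.append((entry, "; ".join(reasons)))
    return flagged


if __name__ == "__main__":
    print(dict(section_counts(SAMPLE_LOG)))
    for entry, why in flag_dpf(SAMPLE_LOG):
        print(f"{entry.clsid}  {entry.source}\n    -> {why}")
```

Run against the sample, the checker flags only the fourth O16 entry: its source is classified as local-chm and the path runs through a Temp directory. The two remote entries with truncated URLs are left alone by this rule set, which says nothing about whether a remote host is trustworthy; that judgement still needs the full URL, which the forum display does not preserve.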

#15
sarahw

    Malware Staff

  • 2,781 posts
Do you know what this is?
C:\Program Files\武林群俠傳

How is your computer running?