
TrojanWin32.Conhook.D Hijackthis Log and ComboFix Log [CLOSED]



#1
hydracom
New Member, 1 post
My Win Defender signaled non-stop about this trojan. I've tried to resolve it, but it can't be done because the infected file is a .DLL file. So I did as the forum said and am posting what I got here. Apparently there is no damage yet, and I think it may be from my IE. Since this morning, there are always websites that open and ask me to install some sort of antivirus program when I use IE. When I use Firefox, there is no problem.

Here are my HijackThis log and ComboFix log. Thanks for the help.

1. Hijackthis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:18:03, on 15/04/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\vsnp2uvc.exe
C:\Windows\ITECIR\x86\CIRAP.exe
C:\Program Files\Lenovo\EnergyCut\utilty.exe
C:\Program Files\Lenovo\EnergyCut\EnergyCut.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\TpShocks.exe
C:\Program Files\Lenovo\VeriFace\PManage.exe
C:\Program Files\Lenovo\ShuttleCenter\PCMService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Windows\explorer.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\mtd2002\MTDSERVER.EXE
C:\Program Files\mtd2002\MTDSHELF.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.fr/0SEF...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.fr/0SEF...S01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://vnexpress.net/Vietnam/Home/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.lenovo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.fr/0SEF...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxyweb.utc.fr:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: NetXfer - {83B80A9C-D91A-4F22-8DCF-EA7204039F79} - C:\Program Files\Xi\NetXfer\NXIEHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: NetXfer - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - C:\Program Files\Xi\NetXfer\NXToolBar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Unattend0000000001{7CE4F652-9E84-4617-9F54-DC8891DFB725}] C:\Windows\test.bat
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [snp2uvc] C:\Windows\vsnp2uvc.exe
O4 - HKLM\..\Run: [CIRAP] C:\Windows\ITECIR\x86\CIRAP.exe
O4 - HKLM\..\Run: [EnergyUtility] C:\Program Files\Lenovo\EnergyCut\utilty.exe
O4 - HKLM\..\Run: [EnergyCut] C:\Program Files\Lenovo\EnergyCut\EnergyCut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TpShocks] C:\WINDOWS\system32\TpShocks.exe
O4 - HKLM\..\Run: [VeriFacePassManager] C:\Program Files\Lenovo\VeriFace\PManage.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Lenovo\ShuttleCenter\PCMService.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [mtd2002Svr] "C:\Program Files\mtd2002"\mtdserver.exe -f
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\HANGHI~1\AppData\Local\Temp\qomMGVOh.dll,#1
O4 - HKCU\..\Run: [MS Juan] rundll32 "C:\Users\HANGHI~1\AppData\Local\Temp\xvkisubo.dll",run
O4 - HKCU\..\Run: [eedf45f2] rundll32.exe "C:\Users\HANGHI~1\AppData\Local\Temp\edejcrfj.dll",b
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\HANGHI~1\AppData\Local\Temp\pmnoMFYQ.dll,c
O4 - HKCU\..\Run: [BMedec766e] Rundll32.exe "C:\Users\HANGHI~1\AppData\Local\Temp\iqpxtsjy.dll",s
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVICE RÉSEAU')
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Lancement rapide d'Adobe Acrobat.lnk = ?
O4 - Global Startup: Outil de mise à jour Google.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Ajouter au fichier PDF existant - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir en Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir la cible du lien en Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir la cible du lien en un fichier PDF existant - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir la sélection en Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir la sélection en un fichier PDF existant - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir les liens sélectionnés en fichier Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convertir les liens sélectionnés en un fichier PDF existant - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Envoyer au périphérique &Bluetooth... - C:\Program Files\Lenovo\Bluetooth Software\btsendto_ie.htm
O8 - Extra context menu item: Envoyer l'&image au périphérique Bluetooth... - C:\Program Files\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Tout télécharger avec NetXfer - C:\Program Files\Xi\NetXfer\NXAddList.html
O8 - Extra context menu item: Télécharger avec NetXfer - C:\Program Files\Xi\NetXfer\NXAddLink.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Password Administration Box - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\Program Files\Lenovo\VeriFace\OpenWnd.exe
O9 - Extra 'Tools' menuitem: Password Administration Box - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\Program Files\Lenovo\VeriFace\OpenWnd.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Lenovo\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Lenovo\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Lenovo\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\Windows\System32\TPHDEXLG.exe

--
End of file - 13909 bytes

__________________________________

2. Combofix

ComboFix 08-04-14.2 - Hang Hieu 2008-04-15 21:20:24.1 - NTFSx86
Microsoft® Windows Vista™ Édition Familiale Premium 6.0.6000.0.1252.1.1036.18.764 [GMT 2:00]
Endroit: D:\ComboFix.exe
* Création d'un nouveau point de restauration
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\x64

.
((((((((((((((((((((((((((((( Fichiers créés 2008-03-15 to 2008-04-15 ))))))))))))))))))))))))))))))))))))
.

Pas de nouveau fichier créé dans cet espace de temps

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-15 19:17 --------- d-----w C:\Program Files\Trend Micro
2008-04-15 17:14 --------- d-----w C:\Program Files\BitComet
2008-04-15 17:09 2,560 ----a-w C:\Windows\System32\BitCometRes.dll
2008-04-15 13:45 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-04-15 13:26 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-15 09:56 --------- d-----w C:\Users\Hang Hieu\AppData\Roaming\Lavasoft
2008-04-15 09:55 --------- d-----w C:\Program Files\Lavasoft
2008-04-15 09:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-15 09:23 --------- d-----w C:\Program Files\Lenovo
2008-04-15 09:21 --------- d-----w C:\Program Files\Google
2008-04-14 22:35 --------- d-----w C:\ProgramData\Google Updater
2008-04-14 22:12 --------- d-----w C:\Users\Hang Hieu\AppData\Roaming\LG Electronics
2008-04-14 19:17 --------- d-----w C:\Program Files\LG Electronics
2008-04-14 19:16 --------- d-----w C:\Program Files\LG PC Suite 2
2008-04-14 19:14 --------- d-----w C:\Users\Hang Hieu\AppData\Roaming\InstallShield
2008-04-14 19:10 --------- d-----w C:\Program Files\PowerISO
2008-04-13 23:19 --------- d-----w C:\ProgramData\Nokia
2008-04-13 23:18 --------- d-----w C:\Program Files\Nokia
2008-04-13 23:18 --------- d-----w C:\Program Files\Common Files\Nokia
2008-04-13 23:13 --------- d-----w C:\Program Files\Common Files\PCSuite
2008-04-13 19:23 --------- d-----w C:\Users\Hang Hieu\AppData\Roaming\Nokia
2008-04-13 19:22 --------- d-----w C:\Users\Hang Hieu\AppData\Roaming\PC Suite
2008-04-13 19:22 --------- d-----w C:\ProgramData\PC Suite
2008-04-13 19:18 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-04-11 17:07 --------- d-----w C:\Program Files\Windows Mail
2008-04-06 00:43 --------- d-----w C:\Program Files\K-Lite Codec Pack
2008-04-06 00:34 --------- d-----w C:\ProgramData\Symantec
2008-04-06 00:34 --------- d-----w C:\Program Files\Norton AntiVirus
2008-04-06 00:33 --------- d-----w C:\ProgramData\VeriFace
2008-04-06 00:06 --------- d-----w C:\ProgramData\FLEXnet
2008-04-05 22:49 --------- d-----w C:\Program Files\Bejeweled 2 Deluxe
2008-04-05 22:48 720,896 ----a-w C:\Windows\iun6002ev.exe
2008-03-30 21:02 --------- d-----w C:\Program Files\SecureW2
2008-03-30 20:51 --------- d-----w C:\Program Files\Alfa & Ariss
2008-03-27 14:16 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-24 17:19 805 ----a-w C:\Windows\system32\drivers\SYMEVENT.INF
2008-03-24 17:19 123,952 ----a-w C:\Windows\system32\drivers\SYMEVENT.SYS
2008-03-24 17:19 10,740 ----a-w C:\Windows\system32\drivers\SYMEVENT.CAT
2008-03-24 17:19 --------- d-----w C:\Program Files\Symantec
2008-03-24 16:46 --------- d-----w C:\Program Files\Microsoft.NET
2008-03-24 16:45 --------- d-----w C:\Program Files\Microsoft Small Business
2008-03-24 15:33 --------- d-----w C:\Users\Hang Hieu\AppData\Roaming\CyberLink
2008-03-24 15:33 --------- d-----w C:\ProgramData\CyberLink
2008-03-24 14:10 --------- d-----w C:\Program Files\mtd2002
2008-03-23 18:52 --------- d-----w C:\Program Files\Real
2008-03-23 18:52 --------- d-----w C:\Program Files\Common Files\xing shared
2008-03-23 18:52 --------- d-----w C:\Program Files\Common Files\Real
2008-03-23 14:49 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-03-23 14:49 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-23 13:06 --------- d-----w C:\ProgramData\Microsoft Help
2008-03-21 12:06 --------- d-----w C:\Users\Hang Hieu\AppData\Roaming\Xi
2008-03-21 12:05 --------- d-----w C:\Program Files\Xi
2008-03-21 11:36 --------- d-----w C:\Program Files\Yahoo!
2008-03-21 11:35 --------- d-----w C:\Users\Hang Hieu\AppData\Roaming\BSplayer Pro
2008-03-21 11:35 --------- d-----w C:\Program Files\Webteh
2008-03-21 00:07 --------- d-----w C:\Users\Hang Hieu\AppData\Roaming\Talkback
2008-03-20 23:01 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-20 20:22 174 --sha-w C:\Program Files\desktop.ini
2008-03-20 13:31 --------- d-----w C:\Program Files\Windows Sidebar
2008-03-20 13:31 --------- d-----w C:\Program Files\Windows Calendar
2008-03-20 13:27 67,584 ----a-w C:\Windows\System32\wlanhlp.dll
2008-03-20 13:27 542,720 ----a-w C:\Windows\System32\sysmain.dll
2008-03-20 13:27 502,784 ----a-w C:\Windows\System32\wlansvc.dll
2008-03-20 13:27 47,104 ----a-w C:\Windows\System32\wlanapi.dll
2008-03-20 13:27 297,984 ----a-w C:\Windows\System32\wlansec.dll
2008-03-20 13:27 290,816 ----a-w C:\Windows\System32\wlanmsm.dll
2008-03-20 13:27 28,344 ----a-w C:\Windows\system32\drivers\battc.sys
2008-03-20 13:27 258,232 ----a-w C:\Windows\system32\drivers\acpi.sys
2008-03-20 13:27 24,064 ----a-w C:\Windows\System32\wtsapi32.dll
2008-03-20 13:27 20,920 ----a-w C:\Windows\system32\drivers\compbatt.sys
2008-03-20 13:27 2,923,520 ----a-w C:\Windows\explorer.exe
2008-03-20 13:27 14,208 ----a-w C:\Windows\system32\drivers\CmBatt.sys
2008-03-20 13:26 194,560 ----a-w C:\Windows\System32\WebClnt.dll
2008-03-20 13:26 110,080 ----a-w C:\Windows\system32\drivers\mrxdav.sys
2008-03-20 13:23 41,984 ----a-w C:\Windows\system32\drivers\monitor.sys
2008-03-20 13:23 1,060,920 ----a-w C:\Windows\system32\drivers\ntfs.sys
2008-03-20 13:22 8,147,968 ----a-w C:\Windows\System32\wmploc.DLL
2008-03-20 13:22 7,680 ----a-w C:\Windows\System32\spwmp.dll
2008-03-20 13:22 4,096 ----a-w C:\Windows\System32\dxmasf.dll
2008-03-20 13:22 374,456 ----a-w C:\Windows\System32\mcupdate_GenuineIntel.dll
2008-03-20 13:22 356,864 ----a-w C:\Windows\System32\MediaMetadataHandler.dll
2008-03-20 13:20 803,328 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-03-20 13:20 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-03-20 13:20 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-03-20 13:20 216,632 ----a-w C:\Windows\system32\drivers\netio.sys
2008-03-20 13:20 2,048 ----a-w C:\Windows\System32\msxml3r.dll
2008-03-20 13:20 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
2008-03-20 13:20 1,191,936 ----a-w C:\Windows\System32\msxml3.dll
2008-03-20 13:18 61,440 ----a-w C:\Windows\System32\ntprint.exe
2008-03-20 13:18 269,824 ----a-w C:\Windows\System32\schannel.dll
2008-03-20 13:18 220,160 ----a-w C:\Windows\System32\ntprint.dll
2008-03-20 13:18 2,048 ----a-w C:\Windows\System32\msxml6r.dll
2008-03-20 13:18 1,335,296 ----a-w C:\Windows\System32\msxml6.dll
2008-03-20 13:16 84,992 ----a-w C:\Windows\system32\drivers\srvnet.sys
2008-03-20 13:16 788,992 ----a-w C:\Windows\System32\rpcrt4.dll
2008-03-20 13:16 58,368 ----a-w C:\Windows\system32\drivers\mrxsmb20.sys
2008-03-20 13:16 53,760 ----a-w C:\Windows\system32\drivers\hdaudbus.sys
2008-03-20 13:16 130,048 ----a-w C:\Windows\system32\drivers\srv2.sys
2008-03-20 13:16 101,888 ----a-w C:\Windows\system32\drivers\mrxsmb.sys
2008-03-20 13:15 2,048 ----a-w C:\Windows\System32\tzres.dll
.

((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VeriFace Enc]
@={771C7324-DA80-49D3-8017-753B0AF60951}

[HKEY_CLASSES_ROOT\CLSID\{771C7324-DA80-49D3-8017-753B0AF60951}]
2007-10-20 11:12 241752 --a------ C:\Program Files\Lenovo\VeriFace\IcnOvrly.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-03-20 15:17 1232896]
"WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 14:34 2159104 C:\Windows\System32\oobefldr.dll]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 18:43 4670704]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-24 15:57 68856]
"mtd2002Svr"="C:\Program Files\mtd2002\mtdserver.exe" [2002-10-05 14:05 544768]
"cmds"="C:\Users\HANGHI~1\AppData\Local\Temp\pmnoMFYQ.dll" [2008-04-14 21:18 273408]
"BMedec766e"="C:\Users\HANGHI~1\AppData\Local\Temp\iqpxtsjy.dll" [2008-04-15 11:04 96320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-05-17 11:24 1006264]
"Unattend0000000001{7CE4F652-9E84-4617-9F54-DC8891DFB725}"="C:\Windows\test.bat" [ ]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-23 12:04 4423680 C:\Windows\RtHDVCpl.exe]
"snp2uvc"="C:\Windows\vsnp2uvc.exe" [2007-03-12 18:49 569344]
"CIRAP"="C:\Windows\ITECIR\x86\CIRAP.exe" [2007-07-23 12:16 640512]
"EnergyUtility"="C:\Program Files\Lenovo\EnergyCut\utilty.exe" [2007-07-26 15:20 2502656]
"EnergyCut"="C:\Program Files\Lenovo\EnergyCut\EnergyCut.exe" [2007-07-26 17:05 1232896]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-03-09 12:03 857648]
"TpShocks"="C:\WINDOWS\system32\TpShocks.exe" [2007-08-03 10:27 176128]
"VeriFacePassManager"="C:\Program Files\Lenovo\VeriFace\PManage.exe" [2007-10-20 11:12 262245]
"PCMService"="C:\Program Files\Lenovo\ShuttleCenter\PCMService.exe" [2007-08-09 19:38 417792]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-02-12 13:37 174872]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2008-01-02 18:07 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2008-01-02 18:06 166424]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2008-01-02 18:07 133656]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 00:24 620152]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-23 20:52 185896]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 07:59 115816]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 18:38 583048]
"NSLauncher"="C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2007-09-07 14:44 3100672]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-03-15 01:50 233472]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 01:01:50 734872]
BTTray.lnk - C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe [2007-03-29 13:11:50 719664]
Lancement rapide d'Adobe Acrobat.lnk - C:\Windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe [2008-03-23 16:49:14 295606]
Outil de mise à jour Google.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-03-24 15:57:15 125624]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{ADE2785C-8206-4879-A99C-264B78197657}"= C:\Program Files\Lenovo\ShuttleCenter\PowerCinema.exe:CyberLink PowerCinema
"{EC27754B-413E-4FA7-B8EF-156AD5C4D125}"= C:\Program Files\Lenovo\ShuttleCenter\PCMService.exe:CyberLink PowerCinema Resident Program
"{DF26A2B0-2E0A-4C7F-9BA4-C2EF7F872905}"= C:\Program Files\Lenovo\ShuttleCenter\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{17E10D3C-A6CD-4030-BF0D-0A6E7135263E}"= C:\Program Files\Lenovo\ShuttleCenter\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{D3C6885F-0DAA-4EEE-AE0C-19E9608E865A}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{B457B622-7193-48E5-AEC8-02BB8B8E2321}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{A9909439-7B7A-4680-9583-28930EC43E4E}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{0A7D22AA-E157-458F-900E-60EA1B2C8723}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{1B58332C-C791-4C20-A3C1-A470AF178D62}"= UDP:18054:BitComet 25726 TCP

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"DoNotAllowExceptions"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R0 Shockprf;Shockprf;C:\Windows\system32\DRIVERS\Apsx86.sys [2007-07-31 15:25]
R0 TPDIGIMN;TPDIGIMN;C:\Windows\system32\DRIVERS\ApsHM86.sys [2007-07-31 15:25]
R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\IDS-DI~1\20080407.002\IDSvix86.sys [2008-03-12 01:34]
R3 ACPIVPC;Lenovo Virtual Power Controller Driver;C:\Windows\system32\DRIVERS\AcpiVpc.sys [2007-06-05 17:39]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\b57nd60x.sys [2007-02-08 15:03]
R3 CapFilt;CapFilt;C:\Windows\system32\drivers\CapFilt.sys [2007-10-20 11:12]
R3 igfx;igfx;C:\Windows\system32\DRIVERS\igdkmd32.sys [2008-01-02 17:48]
R3 ITECIR;ITE EC CIR Driver (EC);C:\Windows\system32\DRIVERS\ITECIR.sys [2007-03-03 06:21]
R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2007-01-10 00:32]
S3 btwaudio;Périphérique audio Bluetooth;C:\Windows\system32\drivers\btwaudio.sys [2007-03-29 21:46]
S3 btwavdt;Bluetooth AVDT;C:\Windows\system32\drivers\btwavdt.sys [2007-02-27 07:20]
S3 btwrchid;btwrchid;C:\Windows\system32\DRIVERS\btwrchid.sys [2007-02-27 07:20]
S3 SQLWriter;Enregistreur VSS SQL Server;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2006-04-14 10:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\shell\AutoRun\command - H:\LGInstaller.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5a0e5bb7-ff1c-11dc-8522-001b249b17fd}]
\shell\AutoRun\command - F:\diox3j.com
\shell\explore\Command - F:\diox3j.com
\shell\open\Command - F:\diox3j.com

*Newly Created Service* - CATCHME
.
Contenu du dossier 'Scheduled Tasks/Tâches planifiées'
"2008-03-24 17:23:26 C:\Windows\Tasks\Norton AntiVirus - Run Full System Scan - Hang Hieu.job"
- C:\Program Files\Norton AntiVirus\Navw32.exeB/TASK:
"2008-04-15 18:56:05 C:\Windows\Tasks\Vérifier les mises à jour de Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-15 21:22:32
Windows 6.0.6000 NTFS

Balayage processus cachés ...

Balayage caché autostart entries ...

Balayage des fichiers cachés ...

Scan terminé avec succès
Les fichiers cachés: 0

**************************************************************************
.
--------------------- DLLs a chargé sous des processus courants ---------------------

PROCESS: C:\Windows\Explorer.exe
-> C:\Program Files\Lenovo\VeriFace\IGetSkin.dll
-> C:\Program Files\Lenovo\VeriFace\FaceVerify.dll
-> C:\Program Files\Lenovo\VeriFace\MainOp.dll
-> C:\Program Files\Lenovo\VeriFace\VideoOp.dll
-> C:\Program Files\Lenovo\VeriFace\Image.dll
-> C:\Program Files\Lenovo\VeriFace\Momo.dll
-> C:\Program Files\Lenovo\VeriFace\facev.dll
-> C:\Users\HANGHI~1\AppData\Local\Temp\edejcrfj.dll
-> C:\Users\HANGHI~1\AppData\Local\Temp\iqpxtsjy.dll
-> C:\Program Files\Lenovo\VeriFace\IcnOvrly.dll
-> C:\Users\HANGHI~1\AppData\Local\Temp\pmnoMFYQ.dll
.
Temps d'accomplissement: 2008-04-15 21:23:35
ComboFix-quarantined-files.txt 2008-04-15 19:23:16

Le texte du message associé au numéro 0x2379 est introuvable dans le fichier de messages pour Application.
Le texte du message associé au numéro 0x2379 est introuvable dans le fichier de messages pour Application.
.
2008-04-15 17:59:20 --- E O F ---
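The HijackThis O4 entries in the log above carry the indicator that matters here: five HKCU Run values start rundll32 with a randomly named DLL sitting in the user's Temp folder, and the ComboFix section "DLLs a chargé sous des processus courants" then lists three of those same DLLs loaded inside Explorer.exe. As an added example, not code from the thread or from either poster, the following Python triage script parses O4 lines, flags rundll32 entries whose DLL lives in a user-writable directory, and cross-references them with the DLL list ComboFix reported for Explorer.exe. The sample lines are copied from the log above; the path heuristic, the regular expressions and the Finding fields are my own choices, not part of HijackThis or ComboFix.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the rundll32-related O4 (Run key) lines from the
# HijackThis log above, plus two benign entries, so the triage runs offline.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\HANGHI~1\AppData\Local\Temp\qomMGVOh.dll,#1
O4 - HKCU\..\Run: [MS Juan] rundll32 "C:\Users\HANGHI~1\AppData\Local\Temp\xvkisubo.dll",run
O4 - HKCU\..\Run: [eedf45f2] rundll32.exe "C:\Users\HANGHI~1\AppData\Local\Temp\edejcrfj.dll",b
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\HANGHI~1\AppData\Local\Temp\pmnoMFYQ.dll,c
O4 - HKCU\..\Run: [BMedec766e] Rundll32.exe "C:\Users\HANGHI~1\AppData\Local\Temp\iqpxtsjy.dll",s
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'SERVICE LOCAL')
"""

# Constructed sample: DLLs ComboFix reported as loaded into Explorer.exe above
# (one legitimate Lenovo module plus the three Temp-folder DLLs).
SAMPLE_EXPLORER_DLLS = [
    r"C:\Program Files\Lenovo\VeriFace\IcnOvrly.dll",
    r"C:\Users\HANGHI~1\AppData\Local\Temp\edejcrfj.dll",
    r"C:\Users\HANGHI~1\AppData\Local\Temp\iqpxtsjy.dll",
    r"C:\Users\HANGHI~1\AppData\Local\Temp\pmnoMFYQ.dll",
]

# "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# rundll32 may appear bare, with .exe, quoted, or with a full path in front.
RUNDLL_RE = re.compile(r'^"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+(?P<rest>.*)$', re.IGNORECASE)
# Heuristic (my assumption): a logon-time rundll32 whose DLL lives in a directory
# an unprivileged user can write to is worth a closer look.
USER_WRITABLE_RE = re.compile(r"\\(?:Temp|AppData|Local Settings|Application Data)\\", re.IGNORECASE)


@dataclass
class Finding:
    name: str          # Run value name, e.g. "cmds"
    hive: str          # HKLM, HKCU or HKUS\<sid>
    dll: str           # DLL path handed to rundll32
    entry: str         # exported function or ordinal (#1) that rundll32 calls
    reasons: list = field(default_factory=list)


def split_rundll_args(rest):
    """Split rundll32's argument string into (dll_path, entry_point)."""
    rest = rest.strip()
    if rest.startswith('"'):                 # quoted path: everything up to the closing quote
        end = rest.find('"', 1)
        dll, tail = rest[1:end], rest[end + 1:]
    else:                                    # unquoted path: a DLL path cannot contain a comma
        dll, _, tail = rest.partition(",")
    tail = tail.lstrip(", ")
    entry = tail.split()[0] if tail else ""  # drop trailing "(User '...')" annotations
    return dll, entry


def triage_o4(text, explorer_dlls=()):
    """Return a Finding for each O4 line where rundll32 loads a DLL from a
    user-writable directory, noting whether ComboFix also saw it in Explorer.exe."""
    loaded = {d.lower() for d in explorer_dlls}
    findings = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        r = RUNDLL_RE.match(m["cmd"])
        if not r:
            continue                         # not a rundll32 entry (e.g. MSASCui.exe)
        dll, entry = split_rundll_args(r["rest"])
        if not USER_WRITABLE_RE.search(dll):
            continue                         # e.g. oobefldr.dll resolved from System32
        reasons = ["rundll32 loads a DLL from a user-writable directory"]
        if m["hive"].upper().startswith("HKCU"):
            reasons.append("per-user Run key (no admin rights needed to persist)")
        if dll.lower() in loaded:
            reasons.append("same DLL reported loaded into Explorer.exe")
        findings.append(Finding(m["name"], m["hive"], dll, entry, reasons))
    return findings


if __name__ == "__main__":
    for f in triage_o4(SAMPLE_O4, SAMPLE_EXPLORER_DLLS):
        print(f"[{f.hive}] {f.name}: {f.dll} -> {f.entry or '(default)'}")
        for reason in f.reasons:
            print("    -", reason)
```

Run against the sample, the script reports the five Temp-folder entries and nothing else; the two oobefldr.dll entries are skipped because that DLL is resolved from the system directory. The path heuristic is deliberately narrow: a clean machine can have legitimate software autostarting from AppData, so treat a hit as a prompt to check the file (signature, vendor, creation time), not as a verdict.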


#2
greyknight17
Malware Expert, Visiting Consultant, 16,560 posts
Welcome to GTG.

Download the Flash Disinfector at http://www.techsuppo...Disinfector.exe and save it to your desktop. Double-click on it to run it and follow the on-screen instructions.

Download Malwarebytes' Anti-Malware at http://www.besttechi.../mbam-setup.exe or http://www.majorgeek...ware_d5756.html

Double-click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Full Scan, then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note below).
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire report into your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Go to http://www.bleepingc...to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.

#3
greyknight17
Malware Expert, Visiting Consultant, 16,560 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.