programs that restore themselves
divinewind88
10-19-2006, 10:16 AM
I installed some search-tool program on my com unknowingly recently and I tried to delete it. However, after I deleted the program, shut off my com and then turned my com on again, the program would somehow restore itself on my com, that is, it would reappear again. I tried deleting it multiple times but every time I restart my com, the programs would be there again. Any ideas how I could remove them permanently?
Budfred
10-19-2006, 11:10 AM
It sounds like your computer is infected and we need to see a HijackThis log to begin to know what infected it and what to do with it...
http://www.merijn.org/programs.php
To run HJT, extract it to a permanent folder such as one you create like C:\HJT or the Desktop. Close all open windows and browsers and make sure that all programs are enabled if you use msconfig. Run it and Scan, then Save the log.
When the log window appears, Right click to Copy it, open your browser and come here to Paste the entire log. Do not make any changes until it is checked since most items are either benign or essential to the computer.
I moved this to the correct forum for this kind of issue...
divinewind88
10-19-2006, 02:19 PM
Logfile of HijackThis v1.99.1
Scan saved at 1:13:24 AM, on 10/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\cisrv.exe
c:\windows\system32\wins\SVCH0ST.EXE
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
f:\windows\pmsgr.exe
F:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
F:\Program Files\Softwin\BitDefender8\vsserv.exe
F:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
F:\Program Files\Softwin\BitDefender8\bdoesrv.exe
F:\PROGRA~1\Softwin\BITDEF~1\bdnagent.exe
F:\Program Files\Softwin\BitDefender8\bdswitch.exe
F:\WINDOWS\SOUNDMAN.EXE
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
F:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
F:\Program Files\HP\HP Software Update\HPWuSchd.exe
F:\Program Files\HP\hpcoretech\hpcmpmgr.exe
F:\WINDOWS\system32\rundll32.exe
F:\Program Files\Messenger\msmsgs.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\iriver\iriver plus\iAgent.exe
F:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
F:\Program Files\WinZip\WZQKPICK.EXE
F:\WINDOWS\system32\wuauclt.exe
F:\Documents and Settings\Yong Chen Jin\My Documents\Unzipped\HijackThis[1]\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.feixue.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://client.jogo.cn/cdn/browser/sidesearch/sidesearch-en.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://client.jogo.cn/cdn/browser/customsearch/customsearch-en.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IEMonitor Class - {08A312BB-5409-49FC-9347-54BB7D069AC6} - F:\Program Files\DeskAdTop\deskipn.dll
O2 - BHO: MyIEHelper Class - {16B770A0-0E87-4278-B748-2460D64A8386} - F:\Documents and Settings\All Users\Application Data\Microsoft\UserData\IEHelper_5097.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - F:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
O2 - BHO: (no name) - {70AFF2CB-9DA2-499C-8D15-900729FCE83D} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: WMHlprObj Class - {F5824EFB-728A-4726-A5A5-85A68B20EDC3} - F:\PROGRA~1\CNNIC\Cdn\wmhlpr.dll (file missing)
O4 - HKLM\..\Run: [BDMCon] F:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDOESRV] F:\Program Files\Softwin\BitDefender8\\bdoesrv.exe
O4 - HKLM\..\Run: [BDNewsAgent] "F:\PROGRA~1\Softwin\BITDEF~1\bdnagent.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] F:\Program Files\Softwin\BitDefender8\\bdswitch.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] F:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [HP Software Update] "F:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "F:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NeroCheck] F:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [F:\WINDOWS\setup.exe] F:\WINDOWS\setup.exe
O4 - HKLM\..\Run: [F:\WINDOWS\system32\setup.exe] F:\WINDOWS\system32\setup.exe
O4 - HKLM\..\Run: [Desktop] F:\WINDOWS\system32\rundll32.exe "F:\Program Files\DeskAdTop\Run.dll" ,Rundll
O4 - HKLM\..\Run: [Daily] F:\Program Files\Colorwo\Daily.exe
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [iPlusAgent] "F:\Program Files\iriver\iriver plus\iAgent.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = F:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Chinese Navigation - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - F:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
O9 - Extra 'Tools' menuitem: Chinese Navigation - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - F:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: f:\windows\system32\cdnns.dll
O10 - Unknown file in Winsock LSP: f:\windows\system32\wshcon32.dll
O10 - Unknown file in Winsock LSP: f:\windows\system32\wshcon32.dll
O11 - Options group: [CDNCLIENT] Chinese Navigation
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase969.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1150098701343
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "F:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: —sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - F:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - F:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - F:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Volume Shadddsow Copyer4 (S8696664) - Unknown owner - c:\windows\system32\wins\SVCH0ST.EXE
O23 - Service: ServiceLayer - Nokia. - F:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - F:\Program Files\Softwin\BitDefender8\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - F:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
And er, by the way, I found out why the programs kept restoring themselves - I had my System Restore on. After I turned it off and deleted the malicious programs, they disappeared forever. However, I still can't seem to get rid of two such programs: DeskAdTop and CNNIC.
Spybot can't seem to detect them as spyware either... funny~
Thanks!
Budfred
10-19-2006, 06:59 PM
You have a very nasty Chinese infection that is difficult to kill... I will have to get back to you after I do some more research, but I suggest you stay offline as much as possible until we get it cleaned up and particularly avoid doing ANY financial transactions online.... I will get back to you this evening, so please get back online by about 10 PM CST and I will hopefully have a fix for you then...
Budfred
10-19-2006, 11:37 PM
Please do this:
Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/zh/BetaB/combofix.exe)
and save it to your desktop. Also save the below command in Notepad as a text file so that you can copy/paste in safe mode.
"%userprofile%\desktop\combofix.exe" /wow
Boot into safe mode by tapping the F8 key just before Windows starts to load.
Go to Start --> Run and copy/paste in the following:
"%userprofile%\desktop\combofix.exe" /wow
When finished, it shall produce a log for you. Save it and post that log in your next reply.
Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.
In your next post, please include a new HijackThis log and the ComboFix log.
*Use separate posts to ensure the logs don't get cut off!
divinewind88
10-21-2006, 03:56 PM
Hello. I tried what you said but the ComboFix program would seem to hang halfway through. First it would show a blue screen with "Scanning your computer..." and after a while it would show "scanning for wow..."
I left my com on for like 3 hours and when I came back, the "scanning for wow..." thing was still there. It's as if nothing had happened. Am I supposed to wait longer than 3 hours or?
I tried it twice, once in the morning and once at night, but the same thing happens each time.
thanks.
Budfred
10-21-2006, 04:59 PM
Were you doing it in Safe Mode?? We can try to clean some of it out manually first if we need to, but this tool should be able to kill it...
If it hangs again, try a couple of other tools first and then do it again... Start with CCleaner (be sure to say "NO" to the toolbar)... Use it to clean out Temp folders...
http://www.ccleaner.com/downloadbuilds.asp
Then try this:
* Click here (http://support.f-secure.com/enu/home/ols3.shtml) to use the F-Secure Online Scanner
It's explained there with images how to allow the ActiveX to start the scan, so read that first.
Then click the F-Secure Online Scanner Next Generation Beta link.
Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
Click the Full System Scan button.
It will start to download scanner components and databases. This can take a while.
The main scan will start.
Once the scan has finished, click the Automatic cleaning (recommended) button
It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
The cleaning can take a while, so please be patient.
Then click the Show report button and copy and paste what's present under results in your next reply.
jlreich
10-23-2006, 08:30 PM
Oops, sorry I hit post in the wrong tab. :o
divinewind88
10-24-2006, 10:59 PM
Well, erm, the combofix.exe still hangs...
Let me tell you what I did.
1) I ran CCleaner and it deleted my temp stuff and all.
2) After CCleaner was done, I restarted my com and ran it in Safe Mode (NOT Safe Mode with Command Prompt or the other form of Safe Mode.)
3) My combofix.exe is on my desktop. Then I clicked "Run" in the Start menu and typed in
"F:\Documents and Settings\Yong Chen Jin\Desktop\combofix.exe" /wow
4) The program started and I typed Y to indicate that I wanted to run the program instead of being left with an icon-less desktop.
5) Initially, the words "Scanning your computer..." appeared.
6) Then after a while, it changed to "Scanning for wow..."
7) It just hung there for like 3 hours..
I am not very sure about your previous post. Am I supposed to run CCleaner first, then combofix.exe, then that F-Secure thing?
Budfred
10-24-2006, 11:05 PM
Go ahead and try F-Secure... If it succeeds, run ComboFix with WOW again... If not, post a fresh HJT log and we will try to take some of this out the hard way to see if that will allow ComboFix to work...
Meanwhile, as I said earlier, stay offline as much as possible and DO NOT use this computer for any financial transactions...
divinewind88
10-27-2006, 10:32 AM
I am very sorry, ComboFix still can't work after I used F-Secure and CCleaner. Here's a new HJT log.
Logfile of HijackThis v1.99.1
Scan saved at 21:27, on 06-10-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\cisrv.exe
c:\windows\system32\wins\SVCH0ST.EXE
f:\windows\pmsgr.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
F:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
F:\Program Files\Softwin\BitDefender8\vsserv.exe
F:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
F:\Program Files\Softwin\BitDefender8\bdoesrv.exe
F:\progra~1\softwin\bitdef~1\bdnagent.exe
F:\Program Files\Softwin\BitDefender8\bdswitch.exe
F:\WINDOWS\SOUNDMAN.EXE
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
F:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
F:\Program Files\HP\HP Software Update\HPWuSchd.exe
F:\Program Files\HP\hpcoretech\hpcmpmgr.exe
F:\Program Files\Messenger\msmsgs.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\iriver\iriver plus\iAgent.exe
F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
F:\WINDOWS\system32\rundll32.exe
F:\Program Files\WinZip\WZQKPICK.EXE
F:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
F:\WINDOWS\system32\wuauclt.exe
F:\Documents and Settings\Yong Chen Jin\My Documents\Unzipped\HijackThis[1]\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.feixue.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IEMonitor Class - {08A312BB-5409-49FC-9347-54BB7D069AC6} - F:\Program Files\DeskAdTop\deskipn.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [BDMCon] F:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDOESRV] F:\Program Files\Softwin\BitDefender8\\bdoesrv.exe
O4 - HKLM\..\Run: [BDNewsAgent] "F:\PROGRA~1\Softwin\BITDEF~1\bdnagent.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] F:\Program Files\Softwin\BitDefender8\\bdswitch.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] F:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [HP Software Update] "F:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "F:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NeroCheck] F:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [F:\WINDOWS\setup.exe] F:\WINDOWS\setup.exe
O4 - HKLM\..\Run: [F:\WINDOWS\system32\setup.exe] F:\WINDOWS\system32\setup.exe
O4 - HKLM\..\Run: [Desktop] F:\WINDOWS\system32\rundll32.exe "F:\Program Files\DeskAdTop\Run.dll" ,Rundll
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [iPlusAgent] "F:\Program Files\iriver\iriver plus\iAgent.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = F:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: f:\windows\system32\cdnns.dll
O10 - Unknown file in Winsock LSP: f:\windows\system32\wshcon32.dll
O10 - Unknown file in Winsock LSP: f:\windows\system32\wshcon32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase969.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1150098701343
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "F:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - F:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - F:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - F:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Volume Shadddsow Copyer4 (S8696664) - Unknown owner - c:\windows\system32\wins\SVCH0ST.EXE
O23 - Service: ServiceLayer - Nokia. - F:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - F:\Program Files\Softwin\BitDefender8\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - F:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
Budfred
10-27-2006, 08:47 PM
I need to see the F-Secure log...
Meanwhile, try a 4 step process... First HJT fixes...
Please open a HJT scan and put checks by:
O2 - BHO: IEMonitor Class - {08A312BB-5409-49FC-9347-54BB7D069AC6} - F:\Program Files\DeskAdTop\deskipn.dll
O4 - HKLM\..\Run: [F:\WINDOWS\setup.exe] F:\WINDOWS\setup.exe
O4 - HKLM\..\Run: [F:\WINDOWS\system32\setup.exe] F:\WINDOWS\system32\setup.exe
O4 - HKLM\..\Run: [Desktop] F:\WINDOWS\system32\rundll32.exe "F:\Program Files\DeskAdTop\Run.dll" ,Rundll
O23 - Service: Volume Shadddsow Copyer4 (S8696664) - Unknown owner - c:\windows\system32\wins\SVCH0ST.EXE
Please close all open windows except HJT and press Fix checked...
Next: go to this site to download LSPfix and use the link to the tutorial on how to use it to fix the two items below...
http://www.bleepingcomputer.com/files/lspfix.php
f:\windows\system32\cdnns.dll
f:\windows\system32\wshcon32.dll
Then download the latest version of ComboFix and run it in Normal mode in the normal way...
Finally, boot to Safe Mode and try the version of ComboFix with the WOW option and run that...
Reboot and post all of the logs you got, take as many posts as needed to get them all in... If this doesn't work, I will need to call on the people that first identified this Chinese menace... Keep in mind that even if we succeed, your computer may never be safe again since dangerous hooks may survive the cleaning...
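A triage pass over HijackThis lines of the kind Budfred singled out above, as an added example that is not part of this thread or of HijackThis. It assumes a handful of heuristics (look-alike system binary names such as SVCH0ST with a zero, publisher-less services in a sub-folder of system32, Run values named after a file path, unknown Winsock LSPs, and AppInit_DLLs) and treats each hit as "review this", not "delete this"; the sample lines are copied from the log posted earlier.

```python
"""Triage a HijackThis log for the persistence patterns seen in this thread.

Added example, not part of HijackThis or the thread. The rules below are
assumptions about what deserves a second look; a hit is a review item.
"""
import re
from dataclasses import dataclass

# Windows binaries that malware commonly imitates with look-alike spellings.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                "services.exe", "explorer.exe", "rundll32.exe"}
# Digit-for-letter swaps used in look-alike names (SVCH0ST.EXE uses a zero).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "5": "s"})

O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")


@dataclass
class Finding:
    section: str  # HJT section tag, e.g. "O23"
    reason: str   # why the line deserves a second look
    line: str     # the log line as written


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.strip().replace("/", "\\").rsplit("\\", 1)[-1].lower()


def first_token(cmd: str) -> str:
    """Executable part of a Run command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0]


def lookalike(name: str) -> bool:
    """True when name is not a system binary but becomes one after homoglyph swaps."""
    name = name.lower()
    return name not in SYSTEM_NAMES and name.translate(HOMOGLYPHS) in SYSTEM_NAMES


def triage(log_text: str) -> list[Finding]:
    """Return review items for the O4/O10/O20/O23 lines of a HijackThis log."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O23_RE.match(line):
            path = m["path"].lower().replace("/", "\\")
            if lookalike(basename(path)):
                findings.append(Finding("O23", "service binary imitates a Windows system binary name", line))
            elif m["owner"] == "Unknown owner" and re.search(r"\\system32\\[^\\]+\\", path):
                findings.append(Finding("O23", "service with no publisher runs from a sub-folder of system32", line))
        elif m := O4_RE.match(line):
            if "\\" in m["value"]:
                findings.append(Finding("O4", "Run value is named after a file path (auto-generated entry)", line))
            elif basename(first_token(m["cmd"])) == "setup.exe":
                findings.append(Finding("O4", "an installer is re-run at every logon", line))
        elif m := O10_RE.match(line):
            findings.append(Finding("O10", "unknown Winsock LSP; repair with LSPfix rather than deleting the file", line))
        elif m := O20_RE.match(line):
            dlls = sorted(set(m["dlls"].split()))
            findings.append(Finding("O20", f"AppInit_DLLs loads {', '.join(dlls)} into every GUI process", line))
    return findings


# Constructed sample: a subset of the HijackThis lines posted earlier in this thread.
SAMPLE_LOG = r"""
O2 - BHO: IEMonitor Class - {08A312BB-5409-49FC-9347-54BB7D069AC6} - F:\Program Files\DeskAdTop\deskipn.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HP Software Update] "F:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [F:\WINDOWS\setup.exe] F:\WINDOWS\setup.exe
O4 - HKLM\..\Run: [Desktop] F:\WINDOWS\system32\rundll32.exe "F:\Program Files\DeskAdTop\Run.dll" ,Rundll
O10 - Unknown file in Winsock LSP: f:\windows\system32\wshcon32.dll
O20 - AppInit_DLLs: sockspy.dll sockspy.dll sockspy.dll
O23 - Service: Pml Driver HPZ12 - HP - F:\WINDOWS\system32\HPZipm12.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - F:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Volume Shadddsow Copyer4 (S8696664) - Unknown owner - c:\windows\system32\wins\SVCH0ST.EXE
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Note that the BitDefender "Unknown owner" service is not flagged: the owner field alone is a weak signal, it is the combination with an odd location or a look-alike name that matters.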
divinewind88
10-27-2006, 11:03 PM
So does that mean the only way left to get a clean and safe com is to buy a new one? Or can I just change the hard disk or some other parts of the com?
Will try to post the logs ASAP
Budfred
10-28-2006, 12:09 AM
No, not at all... We can try to clean it this way and we may succeed, but we just can't be certain... If you want to be certain, you wipe the hard drive thoroughly, shut the computer down and clear RAM, then reinstall Windows and start over... As nasty as this criminal crap is, they haven't found a way yet to permanently poison a system... Of course, what they really want is for you to not even know you are infected so that they can steal your personal info and clean out your bank accounts before you have a chance to protect yourself...
Regardless of how you want to proceed, we need to make sure you have good security when we are done so that you are less likely to get hit again...
divinewind88
10-28-2006, 12:34 PM
oookkk
I can't remove O23 - Service: Volume Shadddsow Copyer4 (S8696664) - Unknown owner - c:\windows\system32\wins\SVCH0ST.EXE
It always reappears on the HJT list after I reload it. The rest were successfully removed.
LSPfix removed f:\windows\system32\cdnns.dll for me but it can't remove f:\windows\system32\wshcon32.dll. Similarly, wshcon32.dll always reappears.
I got F-Secure to the "Fixing" stage but it hangs there after a while; the bar that indicates the progress just got stuck halfway. I will try to find time to do another scan.
I can't find the site to download the latest version of combofix.exe so I can't do it the normal way.
ComboFix with wow still can't work.
Anyway, if what you say about the survival of the viruses is true, then I might consider formatting my whole com so I won't waste any more of your time looking for solutions for me. I mean I wouldn't want your efforts to go to waste at the end of the day when we realise that some virus indeed can't be removed. So ya.. that's my present thought. Perhaps you could give me some internet security advice before I do that.
But I would like to ask you about these Chinese viruses. Are they able to track what I do online? Like typing in my password for MSN, the sites that I visited, etc etc? Is it like whatever I am viewing on my monitor can also be viewed by a second, or maybe third, party?
Budfred
10-28-2006, 12:48 PM
I have no problem continuing until this is as clean as we can verify... The problem remains that there could still be something left that is so well hidden that we can't find it, so if you can afford to reformat, that is the safest solution...
If you reformat, be extremely careful about backing up any files you wish to save... Put them on a CD or some other media that you can control and then scan them thoroughly before putting them back on the clean install... That is not 100% certain, but it is safer...
If you decide to continue with cleanup, go to Start - Run and type (or copy/paste):
sc delete S8696664
Then get ComboFix from here to run in the normal way:
1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall...
If you succeed in running it, go back and try the F-Secure Scan again too... Also try LSPfix again to see if you can fix all instances of the remaining pest... It may not permanently fix until we kill its parent...
As for what the Chinese infections can do, I am not sure... There have been a number of reports of Chinese hackers attacking the Department of Defense in this country and any number of other organizations to gather data and steal money, so I view them as an extremely high level threat and I assume they are out to steal financial info...
divinewind88
10-29-2006, 12:44 PM
Scanning Report
Sunday, October 29, 2006 12:27:05 - 14:12:55
Computer name: HOME-YHX0M1LKH0
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ F:\ G:\ H:\
--------------------------------------------------------------------------------
Result: 2 malware found
Adware.WSearch (spyware)
-System (Disinfected)
W32/Smalldoor.GRU (virus)
-G:\PROGRAM FILES\RNGINTERSTITIAL.DLL (Submitted)
--------------------------------------------------------------------------------
Statistics
Scanned:
-Files: 43639
-System: 3960
-Not scanned: 28
Actions:
-Disinfected: 1
-Renamed: 0
-Deleted: 0
-None: 1
-Submitted: 1
Files not scanned:
F:\HIBERFIL.SYS
F:\WINDOWS\SYSTEM32\DRIVERS\APIMBAWP.SYS
F:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
F:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{85C9AD76-AC9C-495B-B4DD-2731635202E8}.BIN
F:\PROGRAM FILES\SOFTWIN\BITDEFENDER8\QUARANTINE\MSSAPI.DLL
F:\PROGRAM FILES\DESKADTOP\FSHOOK.DLL
--------------------------------------------------------------------------------
Options
Scanning engines:
F-Secure AVP: 6.0.171, 2006-10-27
F-Secure Libra: 2.4.1, 2006-10-26
F-Secure Orion: 1.2.37, 2006-10-27
F-Secure Blacklight: 1.0.31, 0000-00-00
F-Secure Pegasus: 1.19.0, 2006-08-29
F-Secure Draco: 1.0.35, 0259-24-212
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
Use Advanced heuristics
--------------------------------------------------------------------------------
divinewind88
10-29-2006, 12:47 PM
Yong Chen Jin - 06-10-29 9:33:16.12 Service Pack 2
ComboFix 06.10.19 - Running from: "F:\Documents and Settings\Yong Chen Jin\My Documents"
((((((((((((((((((((((((((((((( Files Created from 2006-09-21 to 2006-10-21 ))))))))))))))))))))))))))))))))))
2006-10-19 21:05 71,370 --a------ F:\WINDOWS\system32\drivers\cdnprot.sys
2006-10-19 10:17 23,040 --a------ F:\WINDOWS\system32\cdnns.dll
2006-10-19 10:05 361,984 -rahs---- F:\WINDOWS\system32\tshz168.exe
2006-10-19 10:05 230,290 -rahs---- F:\WINDOWS\system32\300ra.exe
2006-10-19 10:05 172,032 -rahs---- F:\WINDOWS\system32\5097.exe
2006-10-19 10:05 143,360 -rahs---- F:\WINDOWS\system32\Setup-168.exe
2006-10-19 10:05 120,376 -rahs---- F:\WINDOWS\system32\setupzs.exe
2006-10-18 12:34 331,776 --a------ F:\WINDOWS\system32\cisrv.exe
2006-10-18 12:31 344,064 --a------ F:\WINDOWS\pmsgr.exe
2006-10-17 21:00 22,158 --a------ F:\WINDOWS\system32\drivers\nalwkus.sys
2006-10-12 17:34 114,688 --a------ F:\WINDOWS\system32\raspapi.dll
2006-10-12 17:32 114,688 --a------ F:\WINDOWS\system32\secur.dll
2006-10-10 22:10 60,416 --a------ F:\WINDOWS\ALCFDRTM.EXE
2006-10-08 15:48 114,688 --a------ F:\WINDOWS\system32\wshcon32.dll
2006-10-08 12:04 80,135 -rahs---- F:\WINDOWS\service_changk3.exe
2006-10-08 12:04 460,400 -rahs---- F:\WINDOWS\eqiso_2.exe
2006-10-08 12:04 361,984 -rahs---- F:\WINDOWS\tshz168.exe
2006-10-08 12:04 317,882 -rahs---- F:\WINDOWS\Setup_012.exe
2006-10-08 12:04 26,112 --a------ F:\WINDOWS\system32\drivers\RGWatch.sys
2006-10-08 12:04 230,249 -rahs---- F:\WINDOWS\zzh520.exe
2006-10-08 12:04 176,128 -rahs---- F:\WINDOWS\5097.exe
2006-10-08 12:04 143,360 -rahs---- F:\WINDOWS\Setup-168.exe
2006-10-08 12:04 120,376 -rahs---- F:\WINDOWS\setup.exe
2006-10-08 12:04 114,688 --a------ F:\WINDOWS\system32\quartz32.dll
2006-10-04 12:11 71,370 --a------ F:\WINDOWS\system32\drivers\ffdeeejh.sys
2006-10-04 12:11 71,370 --a------ F:\WINDOWS\system32\drivers\bbfgeicb.sys
2006-09-30 13:14 69,632 --a------ F:\WINDOWS\system32\sysreal32_SZ1018.dll
2006-09-25 16:47 10,240 --a------ F:\WINDOWS\system32\rundll.exe
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-10-29 00:11 -------- d-------- F:\Program Files\DeskAdTop
2006-10-27 13:59 -------- d-------- F:\Program Files\mIRC
2006-10-26 22:28 -------- d-------- F:\Documents and Settings\Yong Chen Jin\Application Data\Nokia
2006-10-23 14:55 -------- d-------- F:\Program Files\CCleaner
2006-10-22 21:32 -------- d-------- F:\Program Files\Common Files
2006-10-22 21:31 -------- d-------- F:\Program Files\Common Files\Logitech
2006-10-21 13:55 -------- d-------- F:\Program Files\Logitech
2006-10-21 13:52 -------- d--h----- F:\Program Files\InstallShield Installation Information
2006-10-20 11:00 -------- d-------- F:\Program Files\CAPCOM
2006-10-19 11:10 -------- d-------- F:\Program Files\WinRAR
2006-10-18 14:14 -------- d-------- F:\Documents and Settings\Yong Chen Jin\Application Data\Kingsoft
2006-10-18 13:47 -------- d-------- F:\Program Files\CNNIC
2006-10-16 14:10 -------- d-------- F:\Program Files\WinZip
2006-10-15 14:42 -------- d-------- F:\Documents and Settings\Yong Chen Jin\Application Data\Windows Live Safety Center
2006-10-15 11:24 -------- d-------- F:\Program Files\Windows Live Safety Center
2006-10-14 17:31 -------- d-------- F:\Program Files\MSXML 4.0
2006-10-14 15:42 -------- d---s---- F:\Documents and Settings\Yong Chen Jin\Application Data\Microsoft
2006-10-09 03:12 -------- d-------- F:\Documents and Settings\Yong Chen Jin\Application Data\Azureus
2006-10-07 12:35 -------- d-------- F:\Program Files\BreakPoint Software
2006-09-30 09:32 -------- d-------- F:\Program Files\LimeWire
2006-09-24 21:54 -------- d-------- F:\Program Files\Legend Of Ares
2006-09-13 13:01 1084416 --a------ F:\WINDOWS\system32\msxml3.dll
2006-09-12 17:51 1245184 --a------ F:\WINDOWS\system32\msxml4.dll
2006-09-06 17:28 4608 --a------ F:\WINDOWS\system32\w95inf32.dll
2006-09-06 17:28 2272 --a------ F:\WINDOWS\system32\w95inf16.dll
2006-09-06 17:28 -------- d-------- F:\Program Files\Windows Media Player
2006-08-31 16:53 -------- d-------- F:\Program Files\Common Files\Designer
2006-08-29 21:59 -------- d-------- F:\Program Files\Ahead
2006-08-25 23:45 617472 --a------ F:\WINDOWS\system32\comctl32.dll
2006-08-24 13:36 -------- d-------- F:\Program Files\Azureus
2006-08-21 20:21 16896 --a------ F:\WINDOWS\system32\fltlib.dll
2006-08-21 17:14 23040 --a------ F:\WINDOWS\system32\fltmc.exe
2006-08-21 17:14 128896 --------- F:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-16 19:58 100352 --a------ F:\WINDOWS\system32\6to4svc.dll
2006-07-27 21:24 679424 --a------ F:\WINDOWS\system32\inetcomm.dll
2006-07-21 16:24 72704 --a------ F:\WINDOWS\system32\hlink.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"F:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="F:\\WINDOWS\\system32\\ctfmon.exe"
"iPlusAgent"="\"F:\\Program Files\\iriver\\iriver plus\\iAgent.exe\""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"BDMCon"="F:\\PROGRA~1\\Softwin\\BITDEF~1\\bdmcon.exe"
"BDOESRV"="F:\\Program Files\\Softwin\\BitDefender8\\\\bdoesrv.exe"
"BDNewsAgent"="\"f:\\progra~1\\softwin\\bitdef~1\\bdnagent.exe\""
"BDSwitchAgent"="F:\\Program Files\\Softwin\\BitDefender8\\\\bdswitch.exe"
"SoundMan"="SOUNDMAN.EXE"
"SunJavaUpdateSched"="F:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"PCSuiteTrayApplication"="F:\\PROGRA~1\\Nokia\\NOKIAP~1\\LAUNCH~1.EXE -startup"
"HP Software Update"="\"F:\\Program Files\\HP\\HP Software Update\\HPWuSchd.exe\""
"HP Component Manager"="\"F:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"NeroCheck"="F:\\WINDOWS\\system32\\\\NeroCheck.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00
divinewind88
10-29-2006, 12:48 PM
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\5097.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="5097"
"hkey"="HKLM"
"command"="F:\\WINDOWS\\5097.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\eqiso_2.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="eqiso_2"
"hkey"="HKLM"
"command"="F:\\WINDOWS\\eqiso_2.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\service_changk3.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="service_changk3"
"hkey"="HKLM"
"command"="F:\\WINDOWS\\service_changk3.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\Setup-168.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Setup-168"
"hkey"="HKLM"
"command"="F:\\WINDOWS\\Setup-168.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\Setup_012.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Setup_012"
"hkey"="HKLM"
"command"="F:\\WINDOWS\\Setup_012.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\system32]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\system32\300ra.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="300ra"
"hkey"="HKLM"
"command"="F:\\WINDOWS\\system32\\300ra.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\system32\5097.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="5097"
"hkey"="HKLM"
"command"="F:\\WINDOWS\\system32\\5097.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\system32\5680.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="5680"
"hkey"="HKLM"
"command"="F:\\WINDOWS\\system32\\5680.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\system32\bind_40254.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bind_40254"
"hkey"="HKLM"
"command"="F:\\WINDOWS\\system32\\bind_40254.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\system32\Setup-168.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Setup-168"
"hkey"="HKLM"
"command"="F:\\WINDOWS\\system32\\Setup-168.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\system32\setupzs.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="setupzs"
"hkey"="HKLM"
"command"="F:\\WINDOWS\\system32\\setupzs.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\system32\tshz168.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tshz168"
"hkey"="HKLM"
"command"="F:\\WINDOWS\\system32\\tshz168.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\tshz168.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tshz168"
"hkey"="HKLM"
"command"="F:\\WINDOWS\\tshz168.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\zzh520.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="zzh520"
"hkey"="HKLM"
"command"="F:\\WINDOWS\\zzh520.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
Contents of the 'Scheduled Tasks' folder
F:\WINDOWS\tasks\HP DArC Task #Hewlett-Packard#hp psc 1300 series#1150476346.job
F:\WINDOWS\tasks\WebReg 20060930011549.job
Completion time: 06-10-29 9:36:29.15
F:\ComboFix.txt ... 06-10-29 09:36
F:\ComboFix2.txt ... 06-10-28 21:51
F:\ComboFix3.txt ... 06-10-27 19:57
divinewind88
10-29-2006, 12:51 PM
Logfile of HijackThis v1.99.1
Scan saved at 00:50, on 06-10-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\cisrv.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
f:\windows\pmsgr.exe
F:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
F:\Program Files\Softwin\BitDefender8\vsserv.exe
F:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
F:\Program Files\Softwin\BitDefender8\bdoesrv.exe
F:\progra~1\softwin\bitdef~1\bdnagent.exe
F:\Program Files\Softwin\BitDefender8\bdswitch.exe
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
F:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
F:\Program Files\HP\HP Software Update\HPWuSchd.exe
F:\Program Files\HP\hpcoretech\hpcmpmgr.exe
F:\Program Files\Messenger\msmsgs.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\iriver\iriver plus\iAgent.exe
F:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
F:\Program Files\MSN Messenger\msnmsgr.exe
F:\Documents and Settings\Yong Chen Jin\My Documents\Unzipped\HijackThis[1]\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.feixue.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [BDMCon] F:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDOESRV] F:\Program Files\Softwin\BitDefender8\\bdoesrv.exe
O4 - HKLM\..\Run: [BDNewsAgent] "F:\PROGRA~1\Softwin\BITDEF~1\bdnagent.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] F:\Program Files\Softwin\BitDefender8\\bdswitch.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] F:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [HP Software Update] "F:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "F:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NeroCheck] F:\WINDOWS\system32\\NeroCheck.exe
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [iPlusAgent] "F:\Program Files\iriver\iriver plus\iAgent.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = F:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: f:\windows\system32\wshcon32.dll
O10 - Unknown file in Winsock LSP: f:\windows\system32\wshcon32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase969.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1150098701343
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "F:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - F:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - F:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - F:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - F:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - F:\Program Files\Softwin\BitDefender8\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - F:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
divinewind88
10-29-2006, 12:54 PM
ComboFix with WOW still doesn't work.
LSPfix can't remove wshcon32.dll.
Anyway, when I reboot my computer in Safe Mode, there are two accounts for me to log in to - Administrator and My Computer... I have always been running ComboFix WOW from My Computer. Do you think there's any problem with that?
Budfred
10-29-2006, 01:10 PM
Try it from your Admin account, but disconnect from the internet first... literally pull the cable or turn off the modem...
divinewind88
10-30-2006, 03:00 AM
OK, WOW still doesn't work in the Admin account either, and I have been doing it with the power supply to my modem turned off all the while...
Budfred
10-30-2006, 09:09 AM
Try this to get rid of that O10...
Download Killbox:
http://www.atribune.org/downloads/KillBox.exe
Then copy/paste this file into a Notepad file so that you can access it in Safe Mode... Boot to Safe Mode (tap F8 just before Windows starts loading and select Safe Mode)... Choose the "Delete on reboot" and "End Explorer Shell while Killing file" options... Copy/paste the entire path into the line for the file... Once entered, click through to kill it...
f:\windows\system32\wshcon32.dll
Run LSPfix again to fix that item...
Use this procedure to restore your internet connection if it is damaged...
Go to Start > Run and type cmd
A DOS window will appear.
Type the following in the DOS window: netsh winsock reset catalog
Hit Enter.
Reboot your computer.
I will try to find more info about the primary infection from the developer of the tool... Please post back to tell me how this approach worked...
divinewind88
11-02-2006, 05:02 AM
Sorry for the late reply.
wshcon32.dll still can't be deleted after doing what you told me to.
Nothing happened after I hit Enter for the netsh winsock reset catalog thing, so I simply just rebooted my computer after that. Then nothing happened either when my computer started up.
That's about it...
Budfred
11-02-2006, 09:01 AM
Nothing happened after I hit Enter for the netsh winsock reset catalog thing, so I simply just rebooted my computer after that. Then nothing happened either when my computer started up.
That was only to be used if the internet connection was damaged by deleting that file... Did you see a problem with the internet connection after you tried to delete it?? How do you know that it wasn't deleted?? Please give me as much info as possible about what is going on so I can figure out what to do next...
Budfred
11-02-2006, 08:49 PM
The ComboFix author looked over this thread and said that the problem is that the version you are using has a bug and he has since fixed it... Please download the current version from here and use the instructions for running WOW...
http://download.bleepingcomputer.com/sUBs/zh/BetaB/combofix.exe
Post the log after you run it...
divinewind88
11-03-2006, 02:46 PM
Oh, sorry about that.
I tried Killbox in both Safe and Normal Mode and it still can't delete wshcon32.dll, because after my computer restarted, wshcon32.dll still remains in my system32 folder.
Similarly, I tried LSPfix in both cases but it also can't delete wshcon32.dll. The file would always reappear in the LSPfix window after I deleted it.
I tried ComboFix with WOW in Safe Mode but it still hangs. Does it take more than 2 hours to scan?
So I went and tried ComboFix without WOW in Normal Mode and it works. After that I tried ComboFix with WOW in Safe Mode again but it still hangs...
That's all.
Budfred
11-03-2006, 07:20 PM
Go ahead and post the ComboFix log that you were able to get...
Did you download a fresh copy of each version?? The author updates it up to 4 times each day, so old versions can be more likely to fail as the malware adapts...
Budfred
11-03-2006, 08:34 PM
Try running this:
http://download.bleepingcomputer.com/sUBs/FeixueRemover.exe
and then try the ComboFix with WOW again...
divinewind88
11-05-2006, 01:59 AM
Yong Chen Jin - 06-11-03 14:56:43.51 Service Pack 2
ComboFix 06.10.19 - Running from: "F:\Documents and Settings\Yong Chen Jin\My Documents"
((((((((((((((((((((((((((((((( Files Created from 2006-09-29 to 2006-10-29 ))))))))))))))))))))))))))))))))))
2006-10-19 21:05 71,370 --a------ F:\WINDOWS\system32\drivers\cdnprot.sys
2006-10-19 10:17 23,040 --a------ F:\WINDOWS\system32\cdnns.dll
2006-10-19 10:05 361,984 -rahs---- F:\WINDOWS\system32\tshz168.exe
2006-10-19 10:05 230,290 -rahs---- F:\WINDOWS\system32\300ra.exe
2006-10-19 10:05 172,032 -rahs---- F:\WINDOWS\system32\5097.exe
2006-10-19 10:05 143,360 -rahs---- F:\WINDOWS\system32\Setup-168.exe
2006-10-19 10:05 120,376 -rahs---- F:\WINDOWS\system32\setupzs.exe
2006-10-18 12:34 331,776 --a------ F:\WINDOWS\system32\cisrv.exe
2006-10-18 12:31 344,064 --a------ F:\WINDOWS\pmsgr.exe
2006-10-17 21:00 22,158 --a------ F:\WINDOWS\system32\drivers\nalwkus.sys
2006-10-12 17:34 114,688 --a------ F:\WINDOWS\system32\raspapi.dll
2006-10-12 17:32 114,688 --a------ F:\WINDOWS\system32\secur.dll
2006-10-10 22:10 60,416 --a------ F:\WINDOWS\ALCFDRTM.EXE
2006-10-08 15:48 114,688 --a------ F:\WINDOWS\system32\wshcon32.dll
2006-10-08 12:04 80,135 -rahs---- F:\WINDOWS\service_changk3.exe
2006-10-08 12:04 460,400 -rahs---- F:\WINDOWS\eqiso_2.exe
2006-10-08 12:04 361,984 -rahs---- F:\WINDOWS\tshz168.exe
2006-10-08 12:04 317,882 -rahs---- F:\WINDOWS\Setup_012.exe
2006-10-08 12:04 26,112 --a------ F:\WINDOWS\system32\drivers\RGWatch.sys
2006-10-08 12:04 230,249 -rahs---- F:\WINDOWS\zzh520.exe
2006-10-08 12:04 176,128 -rahs---- F:\WINDOWS\5097.exe
2006-10-08 12:04 143,360 -rahs---- F:\WINDOWS\Setup-168.exe
2006-10-08 12:04 120,376 -rahs---- F:\WINDOWS\setup.exe
2006-10-08 12:04 114,688 --a------ F:\WINDOWS\system32\quartz32.dll
2006-10-04 12:11 71,370 --a------ F:\WINDOWS\system32\drivers\ffdeeejh.sys
2006-10-04 12:11 71,370 --a------ F:\WINDOWS\system32\drivers\bbfgeicb.sys
2006-09-30 13:14 69,632 --a------ F:\WINDOWS\system32\sysreal32_SZ1018.dll
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-10-29 00:11 -------- d-------- F:\Program Files\DeskAdTop
2006-10-26 22:28 -------- d-------- F:\Documents and Settings\Yong Chen Jin\Application Data\Nokia
2006-10-23 14:55 -------- d-------- F:\Program Files\CCleaner
2006-10-22 21:32 -------- d-------- F:\Program Files\Common Files
2006-10-22 21:31 -------- d-------- F:\Program Files\Common Files\Logitech
2006-10-21 13:55 -------- d-------- F:\Program Files\Logitech
2006-10-21 13:52 -------- d--h----- F:\Program Files\InstallShield Installation Information
2006-10-20 11:00 -------- d-------- F:\Program Files\CAPCOM
2006-10-19 11:10 -------- d-------- F:\Program Files\WinRAR
2006-10-18 14:14 -------- d-------- F:\Documents and Settings\Yong Chen Jin\Application Data\Kingsoft
2006-10-18 13:47 -------- d-------- F:\Program Files\CNNIC
2006-10-16 14:10 -------- d-------- F:\Program Files\WinZip
2006-10-15 14:42 -------- d-------- F:\Documents and Settings\Yong Chen Jin\Application Data\Windows Live Safety Center
2006-10-15 11:24 -------- d-------- F:\Program Files\Windows Live Safety Center
2006-10-14 17:31 -------- d-------- F:\Program Files\MSXML 4.0
2006-10-14 15:42 -------- d---s---- F:\Documents and Settings\Yong Chen Jin\Application Data\Microsoft
2006-10-07 12:35 -------- d-------- F:\Program Files\BreakPoint Software
2006-09-30 09:32 -------- d-------- F:\Program Files\LimeWire
2006-09-25 16:47 10240 --a------ F:\WINDOWS\system32\rundll.exe
2006-09-24 21:54 -------- d-------- F:\Program Files\Legend Of Ares
2006-09-13 13:01 1084416 --a------ F:\WINDOWS\system32\msxml3.dll
2006-09-12 17:51 1245184 --a------ F:\WINDOWS\system32\msxml4.dll
2006-09-06 17:28 4608 --a------ F:\WINDOWS\system32\w95inf32.dll
2006-09-06 17:28 2272 --a------ F:\WINDOWS\system32\w95inf16.dll
2006-09-06 17:28 -------- d-------- F:\Program Files\Windows Media Player
2006-08-31 16:53 -------- d-------- F:\Program Files\Common Files\Designer
2006-08-29 21:59 -------- d-------- F:\Program Files\Ahead
2006-08-25 23:45 617472 --a------ F:\WINDOWS\system32\comctl32.dll
2006-08-21 20:21 16896 --a------ F:\WINDOWS\system32\fltlib.dll
2006-08-21 17:14 23040 --a------ F:\WINDOWS\system32\fltmc.exe
2006-08-16 19:58 100352 --a------ F:\WINDOWS\system32\6to4svc.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"F:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="F:\\WINDOWS\\system32\\ctfmon.exe"
"iPlusAgent"="\"F:\\Program Files\\iriver\\iriver plus\\iAgent.exe\""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"BDMCon"="F:\\PROGRA~1\\Softwin\\BITDEF~1\\bdmcon.exe"
"BDOESRV"="F:\\Program Files\\Softwin\\BitDefender8\\\\bdoesrv.exe"
"BDNewsAgent"="\"F:\\PROGRA~1\\Softwin\\BITDEF~1\\bdnagent.exe\""
"BDSwitchAgent"="F:\\Program Files\\Softwin\\BitDefender8\\\\bdswitch.exe"
"SoundMan"="SOUNDMAN.EXE"
"SunJavaUpdateSched"="F:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"PCSuiteTrayApplication"="F:\\PROGRA~1\\Nokia\\NOKIAP~1\\LAUNCH~1.EXE -startup"
"HP Software Update"="\"F:\\Program Files\\HP\\HP Software Update\\HPWuSchd.exe\""
"HP Component Manager"="\"F:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"NeroCheck"="F:\\WINDOWS\\system32\\\\NeroCheck.exe"
divinewind88
11-05-2006, 01:59 AM
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\5097.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="5097"
"hkey"="HKLM"
"command"="F:\\WINDOWS\\5097.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\eqiso_2.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="eqiso_2"
"hkey"="HKLM"
"command"="F:\\WINDOWS\\eqiso_2.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\service_changk3.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="service_changk3"
"hkey"="HKLM"
"command"="F:\\WINDOWS\\service_changk3.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\Setup-168.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Setup-168"
"hkey"="HKLM"
"command"="F:\\WINDOWS\\Setup-168.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\Setup_012.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Setup_012"
"hkey"="HKLM"
"command"="F:\\WINDOWS\\Setup_012.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\system32]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\system32\300ra.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="300ra"
"hkey"="HKLM"
"command"="F:\\WINDOWS\\system32\\300ra.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\system32\5097.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="5097"
"hkey"="HKLM"
"command"="F:\\WINDOWS\\system32\\5097.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\system32\5680.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="5680"
"hkey"="HKLM"
"command"="F:\\WINDOWS\\system32\\5680.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\system32\bind_40254.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bind_40254"
"hkey"="HKLM"
"command"="F:\\WINDOWS\\system32\\bind_40254.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\system32\Setup-168.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Setup-168"
"hkey"="HKLM"
"command"="F:\\WINDOWS\\system32\\Setup-168.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\system32\setupzs.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="setupzs"
"hkey"="HKLM"
"command"="F:\\WINDOWS\\system32\\setupzs.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\system32\tshz168.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tshz168"
"hkey"="HKLM"
"command"="F:\\WINDOWS\\system32\\tshz168.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\tshz168.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tshz168"
"hkey"="HKLM"
"command"="F:\\WINDOWS\\tshz168.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\zzh520.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="zzh520"
"hkey"="HKLM"
"command"="F:\\WINDOWS\\zzh520.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
Contents of the 'Scheduled Tasks' folder
F:\WINDOWS\tasks\HP DArC Task #Hewlett-Packard#hp psc 1300 series#1150476346.job
F:\WINDOWS\tasks\WebReg 20061031011526.job
Completion time: 06-11-03 15:00:10.40
F:\ComboFix.txt ... 06-11-03 15:00
F:\ComboFix2.txt ... 06-11-03 14:50
F:\ComboFix3.txt ... 06-11-03 13:11
Budfred
11-05-2006, 02:49 AM
It can take up to an hour to analyze a ComboFix log and I really don't want to waste time doing that if you were able to effectively run the tool I asked you to run and then run the ComboFix WOW option... Please let me know what you were able to do... Again, please let me know what you have done and please answer my questions... I am blind without the information you give me....
divinewind88
11-05-2006, 05:37 AM
That Feixue remover program can't work for me. When I ran it for the first time, my computer suddenly restarted on its own. When I tried it a second time, the same thing happened. When I finally tried it the third time, my com didn't restart and it produced a log, shown below, which is quite empty.
~~~~~~~~~~ Chinese_StartPage_Trojan ~~~~~~~~~~~
~~~~~~~~~~~~~~~ Backups ~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~ END ~~~~~~~~~~~~~~~~~
My default homepage will still be directed to www.feixue.com. That happens even if I change my homepage in Internet Options to other websites.
After that I tried wow again (in safe mode and all) and it still can't work...
I did download a fresh copy of combofix from the links you provided before I ran wow.
divinewind88
11-05-2006, 06:06 AM
Oh erm, since it takes so long, then perhaps you could tell me when you need to read through the logs. That way I will scan a fresh one for you, instead of you reading those outdated ones that I scanned days ago.
Budfred
11-05-2006, 01:41 PM
Oh erm, since it takes so long, then perhaps you could tell me when you need to read through the logs. That way I will scan a fresh one for you, instead of you reading those outdated ones that I scanned days ago.
I usually see the logs within a few hours of when you post them, so if you are posting per the latest instructions I have given you, you would be posting the logs that are needed...
At this point, I need to go back to the author of ComboFix to see what might work... He built that last tool specifically for this problem and I don't know why it didn't work... This Chinese pest is hard to kill, but several things should have worked by now... Just keep this thing offline as much as possible for now and we will see what can be done next...
Hello Chen Jin,
I'm sUBs. Budfred asked me to come and see if I can be of assistance to you.
I would need for you to do these for me ....
Please download Sysinternal's Autoruns from here > http://download.sysinternals.com/Files/Autoruns.zip
Extract the contents of the zipped file into its own folder.
Then, download this file > http://download.bleepingcomputer.com/sUBs/AutoCmd.zip
Extract the contents to the same folder as before
Double-click on AutoCmd.cmd & select option '1'
It shall produce a log for you. Place it as an attachment in your next reply. Do not post it.
---------------
When you have posted the log requested, I shall need you to download this special version of combofix. Its version number is 06.11.6W & the file size is 701KB.
It can be downloaded only from this url > http://download.bleepingcomputer.com/sUBs/zh/combofix.exe
* IMPORTANT !!! Place combofix.exe on your Desktop
http://img.photobucket.com/albums/v666/sUBs/combofix/cfix-run.gif
This copy of combofix can be run from Normal mode.
Go to Start → Run → copy/paste in the single line command & click OK
"%userprofile%\desktop\combofix.exe" /wow
When finished, it shall produce a log for you. Post that log & a fresh Autorun log in your next reply
Note: It shan't take more than 10 minutes for it to complete it's task.
divinewind88
11-05-2006, 09:59 PM
Hello!
All right the wow thing finally works!
Combofix with wow log:
Yong Chen Jin - 06-11-06 9:36:07.21 Service Pack 2
ComboFix 06.11.6W - Running from: "F:\Documents and Settings\Yong Chen Jin\Desktop"
Command switches used :: /wow
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
F:\WINDOWS\pmsgr.exe
F:\WINDOWS\setup.exe
F:\WINDOWS\system32\cdnns.dll
F:\WINDOWS\system32\cisrv.exe
F:\WINDOWS\system32\nt.sys
F:\WINDOWS\system32\plugin.ini
F:\WINDOWS\system32\rundll.exe
F:\WINDOWS\system32\Score.txt
F:\WINDOWS\system32\wbem\ocmor.dat
F:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
F:\WINDOWS\system32\drivers\bbfgeicb.sys
F:\WINDOWS\system32\drivers\ffdeeejh.sys
F:\WINDOWS\system32\drivers\nalwkus.sys
F:\Documents and Settings\All Users\application data\microsoft\UserData\IEHelper_5097.dll
F:\WINDOWS\system32\cdnprot.dat
F:\WINDOWS\system32\quartz32.dll
F:\WINDOWS\system32\drivers\cdnprot.sys
F:\WINDOWS\system32\drivers\RGWatch.sys
F:\WINDOWS\system32\drivers\cdnprot.sys
F:\Program Files\CNNIC
F:\Program Files\DeskAdTop
F:\WINDOWS\system32\wshcon32.dll . . . . failed to delete
((((((((((((((((((((((((((((((( Files Created from 2006-10-03 to 2006-11-03 ))))))))))))))))))))))))))))))))))
2006-11-06 09:43 <DIR> d-------- F:\WINDOWS\erdnt
2006-11-03 15:10 <DIR> dr-h----- F:\Documents and Settings\Yong Chen Jin\Recent
2006-11-02 16:43 <DIR> d-------- F:\!KillBox
2006-10-23 14:55 <DIR> d-------- F:\Program Files\CCleaner
2006-10-20 11:00 <DIR> d-------- F:\Program Files\CAPCOM
2006-10-19 21:23 <DIR> d-------- F:\WINDOWS\pss
2006-10-19 10:05 361,984 -rahs---- F:\WINDOWS\system32\tshz168.exe
2006-10-19 10:05 230,290 -rahs---- F:\WINDOWS\system32\300ra.exe
2006-10-19 10:05 172,032 -rahs---- F:\WINDOWS\system32\5097.exe
2006-10-19 10:05 143,360 -rahs---- F:\WINDOWS\system32\Setup-168.exe
2006-10-19 10:05 120,376 -rahs---- F:\WINDOWS\system32\setupzs.exe
2006-10-18 14:14 <DIR> d-------- F:\Documents and Settings\Yong Chen Jin\Application Data\Kingsoft
2006-10-16 14:09 <DIR> d-------- F:\Program Files\WinZip
2006-10-16 09:42 <DIR> d-------- F:\Program Files\Spybot - Search & Destroy
2006-10-16 09:42 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-10-15 14:42 <DIR> d-------- F:\Documents and Settings\Yong Chen Jin\Application Data\Windows Live Safety Center
2006-10-14 17:31 <DIR> d-------- F:\Program Files\MSXML 4.0
2006-10-13 21:46 <DIR> d-------- F:\Program Files\Windows Live Safety Center
2006-10-12 17:34 114,688 --a------ F:\WINDOWS\system32\raspapi.dll
2006-10-12 17:32 114,688 --a------ F:\WINDOWS\system32\secur.dll
2006-10-10 22:10 60,416 --a------ F:\WINDOWS\ALCFDRTM.EXE
2006-10-10 22:10 <DIR> d-------- F:\WINDOWS\system32\Lang
2006-10-08 15:48 114,688 --a------ F:\WINDOWS\system32\wshcon32.dll
2006-10-08 12:04 80,135 -rahs---- F:\WINDOWS\service_changk3.exe
2006-10-08 12:04 460,400 -rahs---- F:\WINDOWS\eqiso_2.exe
2006-10-08 12:04 361,984 -rahs---- F:\WINDOWS\tshz168.exe
2006-10-08 12:04 317,882 -rahs---- F:\WINDOWS\Setup_012.exe
2006-10-08 12:04 230,249 -rahs---- F:\WINDOWS\zzh520.exe
2006-10-08 12:04 176,128 -rahs---- F:\WINDOWS\5097.exe
2006-10-08 12:04 143,360 -rahs---- F:\WINDOWS\Setup-168.exe
2006-10-08 12:04 <DIR> d-------- F:\WINDOWS\system32\MsServices
2006-10-07 12:35 <DIR> d-------- F:\Program Files\BreakPoint Software
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-11-06 09:43 -------- d-------- F:\Program Files\Common Files
2006-11-05 18:33 -------- d-------- F:\Program Files\mIRC
2006-11-02 21:44 -------- d-------- F:\Documents and Settings\Yong Chen Jin\Application Data\DataLayer
2006-10-26 22:28 -------- d-------- F:\Documents and Settings\Yong Chen Jin\Application Data\Nokia
2006-10-22 21:31 -------- d-------- F:\Program Files\Common Files\Logitech
2006-10-21 13:55 -------- d-------- F:\Program Files\Logitech
2006-10-21 13:52 -------- d--h----- F:\Program Files\InstallShield Installation Information
2006-10-19 11:10 -------- d-------- F:\Program Files\WinRAR
2006-10-14 15:42 -------- d---s---- F:\Documents and Settings\Yong Chen Jin\Application Data\Microsoft
2006-10-09 03:12 -------- d-------- F:\Documents and Settings\Yong Chen Jin\Application Data\Azureus
2006-09-30 13:03 69632 --a------ F:\WINDOWS\system32\sysreal32_SZ1018.dll
2006-09-30 09:32 -------- d-------- F:\Program Files\LimeWire
2006-09-24 21:54 -------- d-------- F:\Program Files\Legend Of Ares
2006-09-13 13:01 1084416 --a------ F:\WINDOWS\system32\msxml3.dll
2006-09-12 17:51 1245184 --a------ F:\WINDOWS\system32\msxml4.dll
2006-09-06 17:28 4608 --a------ F:\WINDOWS\system32\w95inf32.dll
2006-09-06 17:28 2272 --a------ F:\WINDOWS\system32\w95inf16.dll
2006-09-06 17:28 -------- d-------- F:\Program Files\Windows Media Player
2006-08-25 23:45 617472 --a------ F:\WINDOWS\system32\comctl32.dll
2006-08-21 20:21 16896 --a------ F:\WINDOWS\system32\fltlib.dll
2006-08-21 17:14 23040 --a------ F:\WINDOWS\system32\fltmc.exe
2006-08-16 19:58 100352 --a------ F:\WINDOWS\system32\6to4svc.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
divinewind88
11-05-2006, 10:00 PM
Combofix with wow log(second part):
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"F:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="F:\\WINDOWS\\system32\\ctfmon.exe"
"iPlusAgent"="\"F:\\Program Files\\iriver\\iriver plus\\iAgent.exe\""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"BDMCon"="F:\\PROGRA~1\\Softwin\\BITDEF~1\\bdmcon.exe"
"BDOESRV"="F:\\Program Files\\Softwin\\BitDefender8\\\\bdoesrv.exe"
"BDNewsAgent"="\"f:\\progra~1\\softwin\\bitdef~1\\bdnagent.exe\""
"BDSwitchAgent"="F:\\Program Files\\Softwin\\BitDefender8\\\\bdswitch.exe"
"SoundMan"="SOUNDMAN.EXE"
"SunJavaUpdateSched"="F:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"PCSuiteTrayApplication"="F:\\PROGRA~1\\Nokia\\NOKIAP~1\\LAUNCH~1.EXE -startup"
"HP Software Update"="\"F:\\Program Files\\HP\\HP Software Update\\HPWuSchd.exe\""
"HP Component Manager"="\"F:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"NeroCheck"="F:\\WINDOWS\\system32\\\\NeroCheck.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\5097.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="5097"
"hkey"="HKLM"
"command"="F:\\WINDOWS\\5097.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\eqiso_2.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="eqiso_2"
"hkey"="HKLM"
"command"="F:\\WINDOWS\\eqiso_2.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\service_changk3.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="service_changk3"
"hkey"="HKLM"
"command"="F:\\WINDOWS\\service_changk3.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\Setup-168.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Setup-168"
"hkey"="HKLM"
"command"="F:\\WINDOWS\\Setup-168.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\Setup_012.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Setup_012"
"hkey"="HKLM"
"command"="F:\\WINDOWS\\Setup_012.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\system32]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\system32\300ra.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="300ra"
"hkey"="HKLM"
"command"="F:\\WINDOWS\\system32\\300ra.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\system32\5097.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="5097"
"hkey"="HKLM"
"command"="F:\\WINDOWS\\system32\\5097.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\system32\5680.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="5680"
"hkey"="HKLM"
"command"="F:\\WINDOWS\\system32\\5680.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\system32\bind_40254.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bind_40254"
"hkey"="HKLM"
"command"="F:\\WINDOWS\\system32\\bind_40254.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\system32\Setup-168.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Setup-168"
"hkey"="HKLM"
"command"="F:\\WINDOWS\\system32\\Setup-168.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\system32\setupzs.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="setupzs"
"hkey"="HKLM"
"command"="F:\\WINDOWS\\system32\\setupzs.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\system32\tshz168.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tshz168"
"hkey"="HKLM"
"command"="F:\\WINDOWS\\system32\\tshz168.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\tshz168.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tshz168"
"hkey"="HKLM"
"command"="F:\\WINDOWS\\tshz168.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\zzh520.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="zzh520"
"hkey"="HKLM"
"command"="F:\\WINDOWS\\zzh520.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0
Contents of the 'Scheduled Tasks' folder
F:\WINDOWS\tasks\HP DArC Task #Hewlett-Packard#hp psc 1300 series#1150476346.job
F:\WINDOWS\tasks\WebReg 20061031011526.job
Completion time: 06-11-06 9:45:25.56
F:\ComboFix.txt ... 06-11-06 09:45
F:\ComboFix2.txt ... 06-11-05 15:45
F:\ComboFix3.txt ... 06-11-05 14:14
divinewind88
11-05-2006, 10:03 PM
AutoRun log after using combofix with wow (I assume that this log is obtained by running the AutoCmd.cmd after running combofix with wow successfully):
Yong Chen Jin - Mon 11/06/2006@9:56:04.39
running from F:\Documents and Settings\Yong Chen Jin\My Documents\Unzipped\Autoruns\
HKLM\System\CurrentControlSet\Services
bdss
Scans media for viruses and other security threats
f:\program files\common files\softwin\bitdefender scan server\bdss.exe
VSSERV
Scans media for viruses and other security threats
(Not verified) SOFTWIN S.R.L.
f:\program files\softwin\bitdefender8\vsserv.exe
XCOMM
Ensures proper communication between BitDefender components
(Not verified) Softwin
f:\program files\common files\softwin\bitdefender communicator\xcommsvr.exe
HKLM\System\CurrentControlSet\Services
apimbawp
Disk Driver
(Not verified) Microsoft Corporation
f:\windows\system32\drivers\apimbawp.sys
Dua1
File not found: F:\Documents and Settings\Yong Chen Jin\Desktop\maplestuff\DualEngine\DualEngi.sys
FILESpy
f:\program files\softwin\bitdefender8\filespy.sys
gvu
File not found: F:\WINDOWS\system32\drivers\gvu.sys
LVUSBSta
File not found: system32\drivers\lvusbsta.sys
NUBBER
File not found: F:\DOCUME~1\YONGCH~1\LOCALS~1\Temp\Rar$EX00.687\NubEngine\nubbk32.sys
pepifilter
File not found: system32\DRIVERS\lv302af.sys
pfc
Padus(R) ASPI Shell
(Not verified) Padus, Inc.
f:\windows\system32\drivers\pfc.sys
PID_08A0
File not found: system32\DRIVERS\LV302AV.SYS
PxHelp20
Px Engine Device Driver for Windows 2000/XP
(Not verified) Sonic Solutions
f:\windows\system32\drivers\pxhelp20.sys
REGSpy
f:\program files\softwin\bitdefender8\regspy.sys
S12345
File not found: D:\S12345.SYS
XTrapD12
Windows NT/2000 XTrapD11
(Not verified) IntroTrend - www.introtrend.co.kr
f:\program files\legend of ares\xtrap\xtrapd12.sys
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
sockspy.dll
f:\windows\system32\sockspy.dll
sockspy.dll
f:\windows\system32\sockspy.dll
sockspy.dll
f:\windows\system32\sockspy.dll
sockspy.dll
f:\windows\system32\sockspy.dll
sockspy.dll
f:\windows\system32\sockspy.dll
sockspy.dll
f:\windows\system32\sockspy.dll
sockspy.dll
f:\windows\system32\sockspy.dll
sockspy.dll
f:\windows\system32\sockspy.dll
sockspy.dll
f:\windows\system32\sockspy.dll
sockspy.dll
f:\windows\system32\sockspy.dll
sockspy.dll
f:\windows\system32\sockspy.dll
sockspy.dll
f:\windows\system32\sockspy.dll
sockspy.dll
f:\windows\system32\sockspy.dll
sockspy.dll
f:\windows\system32\sockspy.dll
sockspy.dll
f:\windows\system32\sockspy.dll
sockspy.dll
f:\windows\system32\sockspy.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
BDMCon
BitDefender Management Console
(Not verified) SOFTWIN S.R.L.
f:\program files\softwin\bitdefender8\bdmcon.exe
BDOESRV
bdoesrv application
(Not verified) SOFTWIN SRL
f:\program files\softwin\bitdefender8\bdoesrv.exe
BDNewsAgent
f:\program files\softwin\bitdefender8\bdnagent.exe
BDSwitchAgent
f:\program files\softwin\bitdefender8\bdswitch.exe
SunJavaUpdateSched
Java(TM) 2 Platform Standard Edition binary
(Not verified) Sun Microsystems, Inc.
f:\program files\java\jre1.5.0_06\bin\jusched.exe
PCSuiteTrayApplication
PC Suite
(Not verified) Nokia
f:\program files\nokia\nokia pc suite 6\launchapplication.exe
HP Software Update
hpwuSchd
(Not verified) Hewlett-Packard
f:\program files\hp\hp software update\hpwuschd.exe
HP Component Manager
HP Framework Component Manager Service
(Not verified) Hewlett-Packard Company
f:\program files\hp\hpcoretech\hpcmpmgr.exe
NeroCheck
NeroCheck
(Not verified) Ahead Software Gmbh
f:\windows\system32\nerocheck.exe
HKLM\SOFTWARE\Classes\Protocols\Filter
application/octet-stream
Microsoft .NET Runtime Execution Engine
(Not verified) Microsoft Corporation
f:\windows\system32\mscoree.dll
application/x-complus
Microsoft .NET Runtime Execution Engine
(Not verified) Microsoft Corporation
f:\windows\system32\mscoree.dll
application/x-msdownload
Microsoft .NET Runtime Execution Engine
(Not verified) Microsoft Corporation
f:\windows\system32\mscoree.dll
HKLM\SOFTWARE\Classes\Protocols\Handler
cdo
Microsoft SharePoint Portal Server Object Model
(Not verified) Microsoft Corporation
f:\program files\common files\microsoft shared\web folders\pkmcdo.dll
cetihpz
HPCETIUI Protocol Handler Module
(Not verified) Hewlett-Packard Company
f:\program files\hp\hpcoretech\comp\hpuiprot.dll
msnim
MSN Messenger Protocol Handler
(Not verified) Microsoft Corporation
f:\program files\msn messenger\msgrapp.dll
HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components
0
File not found: About:Home
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
n/a
Microsoft .NET IE SECURITY REGISTRATION
(Not verified) Microsoft Corporation
f:\windows\system32\mscories.dll
F:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk
Adobe Acrobat SpeedLauncher
(Not verified) Adobe Systems Incorporated
f:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
HP Digital Imaging Monitor.lnk
HP Digital Imaging Monitor (CUE)
(Not verified) Hewlett-Packard Co.
f:\program files\hp\digital imaging\bin\hpqtra08.exe
WinZip Quick Pick.lnk
WinZip Executable
(Not verified) WinZip Computing LP
f:\program files\winzip\wzqkpick.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
CDBurn
File not found: CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
iPlusAgent
iriver plus agent
(Not verified) Yurion, Inc.
f:\program files\iriver\iriver plus\iagent.exe
Task Scheduler
HP DArC Task #Hewlett-Packard#hp psc 1300 series#1150476346.job
HP Data Archive Module
(Not verified) Hewlett-Packard Company
f:\program files\hp\hpcoretech\comp\hpdarc.exe
WebReg 20061031011526.job
WebReg application
(Not verified) Hewlett-Packard Co.
f:\program files\hp\digital imaging\bin\hpqwrg.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Adobe PDF Reader Link Helper
Adobe Acrobat IE Helper Version 7.0 for ActiveX
(Verified) Adobe Systems, Incorporated
f:\program files\adobe\acrobat 7.0\activex\acroiehelper.dll
SSVHelper Class
Java(TM) 2 Platform Standard Edition binary
(Not verified) Sun Microsystems, Inc.
f:\program files\java\jre1.5.0_06\bin\ssv.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
BitDefender Antivirus v8
BitDefender Shell Extension
(Not verified) SOFTWIN S.R.L.
f:\program files\softwin\bitdefender8\bdshelxt.dll
Web Folders
Microsoft Web Folders
(Not verified) Microsoft Corporation
f:\program files\common files\microsoft shared\web folders\msonsext.dll
PhoneBrowser
Phone Browser
(Not verified) Nokia
f:\program files\nokia\nokia pc suite 6\phonebrowser.dll
Fusion Cache
Microsoft .NET Runtime Execution Engine
(Not verified) Microsoft Corporation
f:\windows\system32\mscoree.dll
Shell Extensions for RealOne Player
RealPlayer Shell Extensions
(Not verified) RealNetworks, Inc.
f:\program files\real\realplayer\rpshell.dll
WinZip
WinZip Shell Extension DLL
(Not verified) WinZip Computing LP
f:\program files\winzip\wzshlstb.dll
WinZip
WinZip Shell Extension DLL
(Not verified) WinZip Computing LP
f:\program files\winzip\wzshlstb.dll
WinZip
WinZip Shell Extension DLL
(Not verified) WinZip Computing LP
f:\program files\winzip\wzshlstb.dll
WinZip
WinZip Shell Extension DLL
(Not verified) WinZip Computing LP
f:\program files\winzip\wzshlstb.dll
WinRAR shell extension
f:\program files\winrar\rarext.dll
HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
PDF Shell Extension
PDF Shell Extension
(Not verified) Adobe Systems, Inc.
f:\program files\adobe\acrobat 7.0\activex\pdfshell.dll
Before fixing anything, Please download the Suspicious File Packer → http://www.safer-networking.org/files/sfp.zip
Unzip it to the desktop and run it.
Paste the following list of filepaths into the Suspicious File Packer window:
F:\WINDOWS\system32\tshz168.exe
F:\WINDOWS\system32\300ra.exe
F:\WINDOWS\system32\5097.exe
F:\WINDOWS\system32\Setup-168.exe
F:\WINDOWS\system32\setupzs.exe
F:\WINDOWS\system32\raspapi.dll
F:\WINDOWS\system32\secur.dll
F:\WINDOWS\system32\wshcon32.dll
F:\WINDOWS\service_changk3.exe
F:\WINDOWS\eqiso_2.exe
F:\WINDOWS\tshz168.exe
F:\WINDOWS\Setup_012.exe
F:\WINDOWS\zzh520.exe
F:\WINDOWS\5097.exe
F:\WINDOWS\Setup-168.exe
F:\WINDOWS\system32\sysreal32_SZ1018.dll
Allow SFP to pack the files. This will generate a CAB archive on your desktop.
Please submit it to this site → http://www.bleepingcomputer.com/submit-malware.php?channel=4
Please include a link to this topic in the message.
Do me a favor & take a peep inside this folder - F:\WINDOWS\system32\MsServices
Tell me what's in there
Do this ONLY AFTER you have submitted the above files
--------------
Open notepad and copy/paste the text in the quotebox below:
(don't forget to copy and paste REGEDIT4)
REGEDIT4
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\5097.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\eqiso_2.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\service_changk3.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\Setup-168.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\Setup_012.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\system32]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\system32\300ra.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\system32\5097.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\system32\5680.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\system32\bind_40254.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\system32\Setup-168.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\system32\setupzs.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\system32\tshz168.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\tshz168.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\zzh520.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"Appinit_Dlls"="sockspy.dll"
Save this as fix.reg Choose to "Save type as - All Files"
It should look like this: http://users.telenet.be/bluepatchy/miekiemoes/images/reg.gif
Double click on fix.reg & allow it to merge into the registry
--------------
If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools -> Folder Options -> View tab.
Tick - 'Show hidden files and folder'
Untick - 'Hide file extensions for known types'
Untick - 'Hide protected operating system files'
Click Yes to confirm & then click OK
Locate and delete the following files/folders: (make sure you get ALL of them)
F:\WINDOWS\5097.exe
F:\WINDOWS\eqiso_2.exe
F:\WINDOWS\service_changk3.exe
F:\WINDOWS\Setup-168.exe
F:\WINDOWS\Setup_012.exe
F:\WINDOWS\system32\300ra.exe
F:\WINDOWS\system32\5097.exe
F:\WINDOWS\system32\raspapi.dll
F:\WINDOWS\system32\secur.dll
F:\WINDOWS\system32\Setup-168.exe
F:\WINDOWS\system32\setupzs.exe
F:\WINDOWS\system32\sysreal32_SZ1018.dll
F:\WINDOWS\system32\tshz168.exe
F:\WINDOWS\system32\wshcon32.dll
F:\WINDOWS\tshz168.exe
F:\WINDOWS\zzh520.exe
--------------
Delete your existing copy of FeixueRemover & grab a new copy from this url > http://download.bleepingcomputer.com/sUBs/FeixueRemover.exe
As per earlier instructions, just double-click it & it shall reboot the machine automatically.
Hopefully, we'll get more than a blank log this time.
--------------
For your next post, I shall require these logs:
1. Fresh Autoruns log
2. Feixue's log
3. Fresh Hijackthis log
Tell me how the machine is behaving now. It should be working like normal now.
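The files sUBs lists for removal share one pattern that is visible in the ComboFix log: executables carrying the read-only, hidden and system attributes (-rahs) dropped straight into F:\WINDOWS or F:\WINDOWS\system32, with msconfig\startupreg entries still pointing at them, plus the AppInit_DLLs value that the fix.reg resets. The script below is an added example, not code from the thread or from ComboFix, Autoruns or any other tool named in it; it pulls those three indicator classes out of a ComboFix-style log mechanically. The log text it reads is a constructed excerpt in the same shape as the posted log, and the rule and result names are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the shape of the ComboFix /wow log posted above:
# a few "Files Created" lines, two msconfig\startupreg blocks and the
# AppInit_DLLs key. It is sample input for this script, not the full log.
SAMPLE_LOG = r"""
2006-10-19 10:05 361,984 -rahs---- F:\WINDOWS\system32\tshz168.exe
2006-10-19 10:05 172,032 -rahs---- F:\WINDOWS\system32\5097.exe
2006-10-12 17:34 114,688 --a------ F:\WINDOWS\system32\raspapi.dll
2006-10-08 12:04 460,400 -rahs---- F:\WINDOWS\eqiso_2.exe
2006-10-23 14:55 <DIR> d-------- F:\Program Files\CCleaner
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\eqiso_2.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="eqiso_2"
"hkey"="HKLM"
"command"="F:\\WINDOWS\\eqiso_2.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F:\WINDOWS\system32\5097.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="5097"
"hkey"="HKLM"
"command"="F:\\WINDOWS\\system32\\5097.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"Appinit_Dlls"="sockspy.dll"
"""

# One "Files Created" / Find3M line: date, time, size (or <DIR> / dashes),
# nine attribute flags, path.
FILE_LINE = re.compile(
    r'^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+'
    r'(?P<size>[\d,]+|<DIR>|-+)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>\S.*?)\s*$')
KEY_LINE = re.compile(r'^\[(?P<key>[^\]]+)\]$')                 # [HKEY_...\subkey]
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')  # "name"="value"

# Directories in which a freshly created hidden+system .exe is worth a look.
SYSTEM_DIRS = ('\\windows', '\\windows\\system32')


def parse_combofix(text: str) -> Tuple[List[Tuple[str, str]], Dict[str, Dict[str, str]]]:
    """Split a ComboFix-style log into file lines (attrs, path) and registry
    keys (key path -> {value name: value})."""
    files: List[Tuple[str, str]] = []
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_LINE.match(line)
        if m:
            files.append((m.group('attrs'), m.group('path')))
            continue
        m = KEY_LINE.match(line)
        if m:
            current = m.group('key')
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            # .reg-style export doubles backslashes inside string values
            keys[current][m.group('name')] = m.group('value').replace('\\\\', '\\')
    return files, keys


def is_hidden_system_exe(attrs: str, path: str) -> bool:
    """Hidden + system attributes on an .exe sitting directly in %WINDIR% or
    system32: the pattern shared by every file listed for removal above."""
    parent, _, name = path.lower().rpartition('\\')
    return ('h' in attrs and 's' in attrs and name.endswith('.exe')
            and any(parent.endswith(d) for d in SYSTEM_DIRS))


def triage(text: str) -> Dict[str, list]:
    """Report the three indicator classes the thread acts on."""
    files, keys = parse_combofix(text)
    suspicious = [p for attrs, p in files if is_hidden_system_exe(attrs, p)]
    suspicious_lower = {p.lower() for p in suspicious}
    startup: List[Tuple[str, str]] = []
    appinit: List[str] = []
    for key, values in keys.items():
        k = key.lower()
        if '\\msconfig\\startupreg\\' in k and 'command' in values:
            # Run entries msconfig has disabled; the file is still on disk
            cmd = values['command']
            if cmd.lower() in suspicious_lower:
                startup.append((values.get('item', '?'), cmd))
        elif k.endswith('\\windows nt\\currentversion\\windows'):
            # Anything in AppInit_DLLs is loaded into every process that
            # loads user32.dll, so a non-empty value is always worth review.
            for name, value in values.items():
                if name.lower() == 'appinit_dlls' and value:
                    appinit.append(value)
    return {'hidden_system_executables': suspicious,
            'startup_entries_pointing_at_them': startup,
            'appinit_dlls': appinit}


if __name__ == '__main__':
    for heading, items in triage(SAMPLE_LOG).items():
        print(heading)
        for item in items:
            print('  ', item)
```

On the excerpt this reports tshz168.exe, 5097.exe and eqiso_2.exe, the two disabled Run entries that still reference them, and the AppInit_DLLs value. That last one is reported for review rather than flagged: the fix.reg above deliberately leaves sockspy.dll in it, so the script only surfaces the value and leaves the judgement to the analyst. Files that lack the hidden/system attributes, such as raspapi.dll, are not matched by this rule and would need a separate check (vendor, signature, hash submission as sUBs requests).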
divinewind88
11-06-2006, 04:05 AM
There's only a file called MsService.dll inside the F:\WINDOWS\system32\MsServices folder. I've attached a screenshot of what the file looks like.
Chen Jin, have you performed the rest of the instructions yet? If so, I will need the logs requested.
Please submit F:\WINDOWS\system32\MsServices\MsService.dll to this website > http://www.bleepingcomputer.com/submit-malware.php?channel=4
divinewind88
11-06-2006, 05:42 AM
I can't delete F:\WINDOWS\system32\5097.exe
When I tried deleting it, an error message would pop up:
"Cannot delete 5097: cannot read from source file or disk."
Feixue remover still gives the same empty log as before, and my homepage is still set to feixue.com.
divinewind88
11-06-2006, 05:54 AM
Yong Chen Jin - Mon 11/06/2006@17:45:53.65
running from F:\Documents and Settings\Yong Chen Jin\My Documents\Unzipped\Autoruns\
HKLM\System\CurrentControlSet\Services
bdss
Scans media for viruses and other security threats
f:\program files\common files\softwin\bitdefender scan server\bdss.exe
VSSERV
Scans media for viruses and other security threats
(Not verified) SOFTWIN S.R.L.
f:\program files\softwin\bitdefender8\vsserv.exe
XCOMM
Ensures proper communication between BitDefender components
(Not verified) Softwin
f:\program files\common files\softwin\bitdefender communicator\xcommsvr.exe
HKLM\System\CurrentControlSet\Services
apimbawp
Disk Driver
(Not verified) Microsoft Corporation
f:\windows\system32\drivers\apimbawp.sys
Dua1
File not found: F:\Documents and Settings\Yong Chen Jin\Desktop\maplestuff\DualEngine\DualEngi.sys
FILESpy
f:\program files\softwin\bitdefender8\filespy.sys
gvu
File not found: F:\WINDOWS\system32\drivers\gvu.sys
LVUSBSta
File not found: system32\drivers\lvusbsta.sys
NUBBER
File not found: F:\DOCUME~1\YONGCH~1\LOCALS~1\Temp\Rar$EX00.687\NubEngine\nubbk32.sys
pepifilter
File not found: system32\DRIVERS\lv302af.sys
pfc
Padus(R) ASPI Shell
(Not verified) Padus, Inc.
f:\windows\system32\drivers\pfc.sys
PID_08A0
File not found: system32\DRIVERS\LV302AV.SYS
PxHelp20
Px Engine Device Driver for Windows 2000/XP
(Not verified) Sonic Solutions
f:\windows\system32\drivers\pxhelp20.sys
REGSpy
f:\program files\softwin\bitdefender8\regspy.sys
S12345
File not found: D:\S12345.SYS
XTrapD12
Windows NT/2000 XTrapD11
(Not verified) IntroTrend - www.introtrend.co.kr
f:\program files\legend of ares\xtrap\xtrapd12.sys
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
sockspy.dll
f:\windows\system32\sockspy.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
BDMCon
BitDefender Management Console
(Not verified) SOFTWIN S.R.L.
f:\program files\softwin\bitdefender8\bdmcon.exe
BDOESRV
bdoesrv application
(Not verified) SOFTWIN SRL
f:\program files\softwin\bitdefender8\bdoesrv.exe
BDNewsAgent
f:\program files\softwin\bitdefender8\bdnagent.exe
BDSwitchAgent
f:\program files\softwin\bitdefender8\bdswitch.exe
SunJavaUpdateSched
Java(TM) 2 Platform Standard Edition binary
(Not verified) Sun Microsystems, Inc.
f:\program files\java\jre1.5.0_06\bin\jusched.exe
PCSuiteTrayApplication
PC Suite
(Not verified) Nokia
f:\program files\nokia\nokia pc suite 6\launchapplication.exe
HP Software Update
hpwuSchd
(Not verified) Hewlett-Packard
f:\program files\hp\hp software update\hpwuschd.exe
HP Component Manager
HP Framework Component Manager Service
(Not verified) Hewlett-Packard Company
f:\program files\hp\hpcoretech\hpcmpmgr.exe
NeroCheck
NeroCheck
(Not verified) Ahead Software Gmbh
f:\windows\system32\nerocheck.exe
HKLM\SOFTWARE\Classes\Protocols\Filter
application/octet-stream
Microsoft .NET Runtime Execution Engine
(Not verified) Microsoft Corporation
f:\windows\system32\mscoree.dll
application/x-complus
Microsoft .NET Runtime Execution Engine
(Not verified) Microsoft Corporation
f:\windows\system32\mscoree.dll
application/x-msdownload
Microsoft .NET Runtime Execution Engine
(Not verified) Microsoft Corporation
f:\windows\system32\mscoree.dll
HKLM\SOFTWARE\Classes\Protocols\Handler
cdo
Microsoft SharePoint Portal Server Object Model
(Not verified) Microsoft Corporation
f:\program files\common files\microsoft shared\web folders\pkmcdo.dll
cetihpz
HPCETIUI Protocol Handler Module
(Not verified) Hewlett-Packard Company
f:\program files\hp\hpcoretech\comp\hpuiprot.dll
msnim
MSN Messenger Protocol Handler
(Not verified) Microsoft Corporation
f:\program files\msn messenger\msgrapp.dll
HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components
0
File not found: About:Home
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
n/a
Microsoft .NET IE SECURITY REGISTRATION
(Not verified) Microsoft Corporation
f:\windows\system32\mscories.dll
F:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk
Adobe Acrobat SpeedLauncher
(Not verified) Adobe Systems Incorporated
f:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
HP Digital Imaging Monitor.lnk
HP Digital Imaging Monitor (CUE)
(Not verified) Hewlett-Packard Co.
f:\program files\hp\digital imaging\bin\hpqtra08.exe
WinZip Quick Pick.lnk
WinZip Executable
(Not verified) WinZip Computing LP
f:\program files\winzip\wzqkpick.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
CDBurn
File not found: CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
iPlusAgent
iriver plus agent
(Not verified) Yurion, Inc.
f:\program files\iriver\iriver plus\iagent.exe
Task Scheduler
HP DArC Task #Hewlett-Packard#hp psc 1300 series#1150476346.job
HP Data Archive Module
(Not verified) Hewlett-Packard Company
f:\program files\hp\hpcoretech\comp\hpdarc.exe
WebReg 20061031011526.job
WebReg application
(Not verified) Hewlett-Packard Co.
f:\program files\hp\digital imaging\bin\hpqwrg.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Adobe PDF Reader Link Helper
Adobe Acrobat IE Helper Version 7.0 for ActiveX
(Verified) Adobe Systems, Incorporated
f:\program files\adobe\acrobat 7.0\activex\acroiehelper.dll
SSVHelper Class
Java(TM) 2 Platform Standard Edition binary
(Not verified) Sun Microsystems, Inc.
f:\program files\java\jre1.5.0_06\bin\ssv.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
BitDefender Antivirus v8
BitDefender Shell Extension
(Not verified) SOFTWIN S.R.L.
f:\program files\softwin\bitdefender8\bdshelxt.dll
Web Folders
Microsoft Web Folders
(Not verified) Microsoft Corporation
f:\program files\common files\microsoft shared\web folders\msonsext.dll
PhoneBrowser
Phone Browser
(Not verified) Nokia
f:\program files\nokia\nokia pc suite 6\phonebrowser.dll
Fusion Cache
Microsoft .NET Runtime Execution Engine
(Not verified) Microsoft Corporation
f:\windows\system32\mscoree.dll
Shell Extensions for RealOne Player
RealPlayer Shell Extensions
(Not verified) RealNetworks, Inc.
f:\program files\real\realplayer\rpshell.dll
WinZip
WinZip Shell Extension DLL
(Not verified) WinZip Computing LP
f:\program files\winzip\wzshlstb.dll
WinZip
WinZip Shell Extension DLL
(Not verified) WinZip Computing LP
f:\program files\winzip\wzshlstb.dll
WinZip
WinZip Shell Extension DLL
(Not verified) WinZip Computing LP
f:\program files\winzip\wzshlstb.dll
WinZip
WinZip Shell Extension DLL
(Not verified) WinZip Computing LP
f:\program files\winzip\wzshlstb.dll
WinRAR shell extension
f:\program files\winrar\rarext.dll
HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
PDF Shell Extension
PDF Shell Extension
(Not verified) Adobe Systems, Inc.
f:\program files\adobe\acrobat 7.0\activex\pdfshell.dll
divinewind88
11-06-2006, 05:54 AM
Logfile of HijackThis v1.99.1
Scan saved at 5:49:22 PM, on 11/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
F:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
F:\Program Files\Softwin\BitDefender8\vsserv.exe
F:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
F:\Program Files\Softwin\BitDefender8\bdoesrv.exe
F:\PROGRA~1\Softwin\BITDEF~1\bdnagent.exe
F:\Program Files\Softwin\BitDefender8\bdswitch.exe
F:\WINDOWS\SOUNDMAN.EXE
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
F:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
F:\Program Files\HP\HP Software Update\HPWuSchd.exe
F:\Program Files\HP\hpcoretech\hpcmpmgr.exe
F:\Program Files\Messenger\msmsgs.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\iriver\iriver plus\iAgent.exe
F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
F:\Program Files\WinZip\WZQKPICK.EXE
F:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
F:\Documents and Settings\Yong Chen Jin\My Documents\Unzipped\HijackThis[1]\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.feixue.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [BDMCon] F:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDOESRV] F:\Program Files\Softwin\BitDefender8\\bdoesrv.exe
O4 - HKLM\..\Run: [BDNewsAgent] "F:\PROGRA~1\Softwin\BITDEF~1\bdnagent.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] F:\Program Files\Softwin\BitDefender8\\bdswitch.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] F:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [HP Software Update] "F:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "F:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NeroCheck] F:\WINDOWS\system32\\NeroCheck.exe
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [iPlusAgent] "F:\Program Files\iriver\iriver plus\iAgent.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: WinZip Quick Pick.lnk = F:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [url]http://go.microsoft.com/fwlink/?LinkID=39204[/url]
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - [url]http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase969.cab[/url]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [url]http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1150098701343[/url]
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - [url]http://support.f-secure.com/ols3/fscax.cab[/url]
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "F:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - F:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - F:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - F:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - F:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - F:\Program Files\Softwin\BitDefender8\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - F:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
Sorry about the late response. I wasn't aware that you have replied.
Your logs look reasonably clean. We got rid of most of the major stuff. Just left some file/folder deletions & that niggling feixue problem.
* F:\WINDOWS\system32\MsServices is a bad folder created by the malware. Please delete it.
* Next, start HiJackThis & go to Config>Misc.Tools> Delete a file on reboot...
In the popup box that appears, copy/paste in: F:\WINDOWS\system32\5097.exe
Click the Open button.
Click YES when prompted to restart your computer.
This leaves us with feixue. It's protected by a boot driver which we need to disable.
For that we have a few options. How we proceed depends on the answer to the next question.
Question - Are you familiar with using the Windows Recovery Console?
http://www.windowsnetworking.com/articles_tutorials/wxprcons.html
Take a look at the above webpage & tell me if you have ever done anything like that. If so, I will teach you some commands for taking care of feixue. This is the safest method of disabling a boot driver. There are other options but they are not without 'risk'. Whenever possible, I would prefer a safer approach.
I updated feixueremover last night. Please give it one more try before we attempt other methods.
http://download.bleepingcomputer.com/sUBs/FeixueRemover.exe
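As an added example that is not code from this thread or from HijackThis: a small Python triage pass over constructed lines in the format of the logs posted above, flagging the indicators the helper worked through (the hijacked R0 start page, the AppInit_DLLs entry, and the SVCH0ST.EXE look-alike process). The trusted-host and system-binary lists are assumptions for illustration, not an authoritative reference.

```python
"""Triage a HijackThis v1.99-style log for the indicators discussed in the thread.

Added example; not code from the thread or from HijackThis. The sample log is
constructed in the format of the posted logs, and the allow-lists below are
assumptions for illustration only.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in the format of the posted HijackThis logs.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\Explorer.EXE
c:\windows\system32\wins\SVCH0ST.EXE
F:\Program Files\Softwin\BitDefender8\vsserv.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.feixue.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626
O4 - HKLM\..\Run: [BDMCon] F:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O20 - AppInit_DLLs: sockspy.dll sockspy.dll sockspy.dll
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - F:\Program Files\Softwin\BitDefender8\vsserv.exe
"""

# Assumed allow-list of start-page hosts (illustrative, not authoritative).
TRUSTED_START_HOSTS = {"go.microsoft.com", "www.microsoft.com", "about:blank"}

# Windows binaries whose names are commonly imitated, and the directories
# they are expected to run from (assumed list for this example).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
                   "smss.exe", "spoolsv.exe", "explorer.exe", "ctfmon.exe"}
SYSTEM_DIRS = {"system32", "windows"}


@dataclass(frozen=True)
class Finding:
    kind: str     # "start-page", "appinit" or "lookalike"
    line: str     # the log line that triggered the finding
    reason: str   # why it was flagged


def host_of(value: str) -> str:
    """Host part of a start-page value such as 'www.feixue.net' or an http URL."""
    value = re.sub(r"^[a-z]+://", "", value.strip().lower())
    return value.split("/", 1)[0]


def canonical_name(name: str) -> str:
    """Undo the common digit-for-letter substitutions (0 for o, 1 for l)."""
    return name.lower().replace("0", "o").replace("1", "l")


def check_process(path: str) -> Optional[Finding]:
    """Flag a running process whose name imitates a system binary, or a real
    system binary name running from an unexpected directory."""
    parts = path.replace("/", "\\").split("\\")
    name = parts[-1]
    parent = parts[-2].lower() if len(parts) > 1 else ""
    canonical = canonical_name(name)
    if canonical not in SYSTEM_BINARIES:
        return None
    if name.lower() != canonical:
        return Finding("lookalike", path,
                       f"name imitates {canonical} with digit substitution")
    if parent not in SYSTEM_DIRS:
        return Finding("lookalike", path,
                       f"{canonical} running outside a system directory ({parent})")
    return None


def triage(log_text: str) -> List[Finding]:
    """Walk the log once and collect findings for the three indicator types."""
    findings: List[Finding] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        if re.match(r"^[RO]\d+ - ", line):      # first R/O entry ends the process list
            in_processes = False
        if in_processes:
            finding = check_process(line)
            if finding:
                findings.append(finding)
            continue
        if line.startswith(("R0 - ", "R1 - ")) and "Start Page" in line:
            host = host_of(line.split("=", 1)[1])
            if host not in TRUSTED_START_HOSTS:
                findings.append(Finding("start-page", line, f"start page points at {host}"))
        elif line.startswith("O20 - AppInit_DLLs:"):
            # AppInit_DLLs is injected into every process that loads user32.dll,
            # so any non-empty value deserves a look; repeats are collapsed.
            dlls = sorted(set(line.split(":", 1)[1].split()))
            if dlls:
                findings.append(Finding("appinit", line, f"AppInit_DLLs loads {dlls}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```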
divinewind88
11-07-2006, 10:15 AM
Erm, sorry, that webpage looks like Greek to me haha. In fact I don't even know what the Windows Recovery Console is about.
Oh, and that feixueremover still can't work. It still gives me an empty log and likewise my homepage is still set to feixue.com.
Don't go away. I'm online & should have a reply for you in a while.
Ever heard of unlocker?
Download & install this program - unlocker1.8.5.exe (http://ccollomb.free.fr/unlocker/unlocker1.8.5.exe)
When that's done, locate this file - f:\windows\system32\drivers\apimbawp.sys
http://ccollomb.free.fr/unlocker/tutorial1.png
Right click on it & select 'Unlocker'
http://ccollomb.free.fr/unlocker/tutorial2.png
In the ensuing window, under the 'no action' drop down menu, select 'delete'
Then click on the [Unlock All] button
If it reports back: 'Deleted', reboot the machine immediately
------------
After rebooting, do a HijackThis scan & place a check next to these items and select "Fix checked":
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.feixue.net
------------
Do another Hijackthis scan & post the resultant log
divinewind88
11-07-2006, 10:23 PM
Logfile of HijackThis v1.99.1
Scan saved at 10:20:59 AM, on 11/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
F:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
F:\Program Files\Softwin\BitDefender8\vsserv.exe
F:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
F:\PROGRA~1\Softwin\BITDEF~1\bdnagent.exe
F:\Program Files\Softwin\BitDefender8\bdoesrv.exe
F:\Program Files\Softwin\BitDefender8\bdswitch.exe
F:\WINDOWS\SOUNDMAN.EXE
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
F:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
F:\Program Files\HP\HP Software Update\HPWuSchd.exe
F:\Program Files\HP\hpcoretech\hpcmpmgr.exe
F:\Program Files\Unlocker\UnlockerAssistant.exe
F:\Program Files\Messenger\msmsgs.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\iriver\iriver plus\iAgent.exe
F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
F:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
F:\Program Files\WinZip\WZQKPICK.EXE
F:\WINDOWS\system32\wuauclt.exe
F:\Program Files\internet explorer\iexplore.exe
F:\Documents and Settings\Yong Chen Jin\My Documents\Unzipped\HijackThis[1]\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [BDMCon] F:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDOESRV] F:\Program Files\Softwin\BitDefender8\\bdoesrv.exe
O4 - HKLM\..\Run: [BDNewsAgent] "F:\PROGRA~1\Softwin\BITDEF~1\bdnagent.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] F:\Program Files\Softwin\BitDefender8\\bdswitch.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] F:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [HP Software Update] "F:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "F:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NeroCheck] F:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "F:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [iPlusAgent] "F:\Program Files\iriver\iriver plus\iAgent.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: WinZip Quick Pick.lnk = F:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [url]http://go.microsoft.com/fwlink/?LinkID=39204[/url]
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - [url]http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase969.cab[/url]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [url]http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1150098701343[/url]
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - [url]http://support.f-secure.com/ols3/fscax.cab[/url]
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "F:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: sockspy.dll sockspy.dll sockspy.dll
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - F:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - F:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - F:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - F:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - F:\Program Files\Softwin\BitDefender8\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - F:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
divinewind88
11-07-2006, 10:24 PM
Oh. My homepage is no longer feixue.com!
I believe we have passed the worst :)
Let's do an online scan to see if there are any stragglers...
Please perform an online scan using Internet Explorer at http://www.kaspersky.com/virusscanner
Answer Yes, when prompted to install an ActiveX component.
The program will then begin downloading the latest definition files.
Once the files have been downloaded click on NEXT
Locate the Scan Settings button & configure to: Scan using the following Anti-Virus database:
Extended
Scan Options:
Scan Archives
Scan Mail Bases
Click OK & have it scan My Computer
Once the scan is complete, it will display if your system has been infected. We only require a report from it.
It does not provide an option to clean/disinfect.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
* Turn off the real time scanner of any existing antivirus program while performing the online scan
divinewind88
11-08-2006, 12:45 AM
KASPERSKY ONLINE SCANNER REPORT
Wednesday, November 08, 2006 12:41:03 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 8/11/2006
Kaspersky Anti-Virus database records: 239241
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases false
Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
G:\
H:\
Scan Statistics
Total number of scanned objects 115717
Number of viruses found 10
Number of infected objects 28 / 0
Number of suspicious objects 0
Duration of the scan process 01:42:20
Infected Object Name Virus Name Last Action
C:\hpcmerr.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\windows\SVCH0ST.0XE Infected: Trojan-Downloader.Win32.Delf.asz skipped
C:\windows\system32\wins\SVCH0ST.EXE Infected: Trojan-Downloader.Win32.Delf.asz skipped
F:\!KillBox\wshcon32.dll Infected: not-a-virus:AdWare.Win32.Agent.ai skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0aa9b5034504b8823d73ffa6615ff83f_d279cf4a-7ea4-4ca5-963e-c021c2b48787 Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0d944aea526b9b6a1853a59043663ff4_d279cf4a-7ea4-4ca5-963e-c021c2b48787 Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1ab4e7422b71e20990ed29f78874bc76_d279cf4a-7ea4-4ca5-963e-c021c2b48787 Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\23ec049011dc0ed4aefb90e5f6279959_d279cf4a-7ea4-4ca5-963e-c021c2b48787 Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\313dd9dbaee5394c1b2e2bbc4032ee5c_d279cf4a-7ea4-4ca5-963e-c021c2b48787 Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3a5b24b2d8ff5e609553044bfb873a18_d279cf4a-7ea4-4ca5-963e-c021c2b48787 Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3bb1bf83c33c86e49dda47edbabcf729_d279cf4a-7ea4-4ca5-963e-c021c2b48787 Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\590e5b7cab0f5775cd6616e15bddc825_d279cf4a-7ea4-4ca5-963e-c021c2b48787 Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6780a85844500f5b3204bea655d51035_d279cf4a-7ea4-4ca5-963e-c021c2b48787 Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\748d57249f134ba9f4887f5433c898f0_d279cf4a-7ea4-4ca5-963e-c021c2b48787 Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\8db082ac44830e5b22583f81e51337a5_d279cf4a-7ea4-4ca5-963e-c021c2b48787 Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\8f5651a9f79c27dfaf1980f2a305f342_d279cf4a-7ea4-4ca5-963e-c021c2b48787 Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\93ecd54ba9a23aeb04834f17b9abb06f_d279cf4a-7ea4-4ca5-963e-c021c2b48787 Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\97976bf7e4fb08115b9569b07e66dbc7_d279cf4a-7ea4-4ca5-963e-c021c2b48787 Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\9b09ddb8c626fd806c1d3ebc7348638c_d279cf4a-7ea4-4ca5-963e-c021c2b48787 Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\9e85e29d6d8d9dba5eaeb3a3d05bad2b_d279cf4a-7ea4-4ca5-963e-c021c2b48787 Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a70e4a1395eab606912d731e6fc491ce_d279cf4a-7ea4-4ca5-963e-c021c2b48787 Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a819d2fed96d56815018306f6ac67082_d279cf4a-7ea4-4ca5-963e-c021c2b48787 Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ac0606a66fa87d087fd09fa91512c4b4_d279cf4a-7ea4-4ca5-963e-c021c2b48787 Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ac6cf0198d2b44ea729b7baf013f4b6a_d279cf4a-7ea4-4ca5-963e-c021c2b48787 Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e57f7cd494139976e1f7e9a4431e3852_d279cf4a-7ea4-4ca5-963e-c021c2b48787 Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\fb1bfb862e706307237c269c5ff8f500_d279cf4a-7ea4-4ca5-963e-c021c2b48787 Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
F:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
F:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
F:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
F:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
F:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
F:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
F:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
F:\Documents and Settings\Yong Chen Jin\Cookies\index.dat Object is locked skipped
F:\Documents and Settings\Yong Chen Jin\Desktop\requested-files[2006-11-06_15_51].cab/F:/WINDOWS/system32/tshz168.exe Infected: Trojan-Dropper.Win32.Agent.ays skipped
F:\Documents and Settings\Yong Chen Jin\Desktop\requested-files[2006-11-06_15_51].cab/F:/WINDOWS/system32/300ra.exe/data0003 Infected: Trojan-Downloader.Win32.Delf.asz skipped
F:\Documents and Settings\Yong Chen Jin\Desktop\requested-files[2006-11-06_15_51].cab/F:/WINDOWS/system32/300ra.exe Infected: Trojan-Downloader.Win32.Delf.asz skipped
divinewind88
11-08-2006, 12:45 AM
F:\Documents and Settings\Yong Chen Jin\Desktop\requested-files[2006-11-06_15_51].cab/F:/WINDOWS/system32/Setup-168.exe Infected: not-a-virus:AdWare.Win32.Agent.ai skipped
F:\Documents and Settings\Yong Chen Jin\Desktop\requested-files[2006-11-06_15_51].cab/F:/WINDOWS/system32/setupzs.exe Infected: not-a-virus:AdWare.Win32.Zhongsou.d skipped
F:\Documents and Settings\Yong Chen Jin\Desktop\requested-files[2006-11-06_15_51].cab/F:/WINDOWS/system32/raspapi.dll Infected: not-a-virus:AdWare.Win32.Agent.ai skipped
F:\Documents and Settings\Yong Chen Jin\Desktop\requested-files[2006-11-06_15_51].cab/F:/WINDOWS/system32/secur.dll Infected: not-a-virus:AdWare.Win32.Agent.ai skipped
F:\Documents and Settings\Yong Chen Jin\Desktop\requested-files[2006-11-06_15_51].cab/F:/WINDOWS/system32/wshcon32.dll Infected: not-a-virus:AdWare.Win32.Agent.ai skipped
F:\Documents and Settings\Yong Chen Jin\Desktop\requested-files[2006-11-06_15_51].cab/F:/WINDOWS/service_changk3.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.NewWeb.i skipped
F:\Documents and Settings\Yong Chen Jin\Desktop\requested-files[2006-11-06_15_51].cab/F:/WINDOWS/service_changk3.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.NewWeb.i skipped
F:\Documents and Settings\Yong Chen Jin\Desktop\requested-files[2006-11-06_15_51].cab/F:/WINDOWS/service_changk3.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.NewWeb.i skipped
F:\Documents and Settings\Yong Chen Jin\Desktop\requested-files[2006-11-06_15_51].cab/F:/WINDOWS/service_changk3.exe/stream Infected: not-a-virus:AdWare.Win32.NewWeb.i skipped
F:\Documents and Settings\Yong Chen Jin\Desktop\requested-files[2006-11-06_15_51].cab/F:/WINDOWS/service_changk3.exe Infected: not-a-virus:AdWare.Win32.NewWeb.i skipped
F:\Documents and Settings\Yong Chen Jin\Desktop\requested-files[2006-11-06_15_51].cab/F:/WINDOWS/eqiso_2.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.w skipped
F:\Documents and Settings\Yong Chen Jin\Desktop\requested-files[2006-11-06_15_51].cab/F:/WINDOWS/eqiso_2.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.w skipped
F:\Documents and Settings\Yong Chen Jin\Desktop\requested-files[2006-11-06_15_51].cab/F:/WINDOWS/eqiso_2.exe Infected: not-a-virus:AdWare.Win32.Softomate.w skipped
F:\Documents and Settings\Yong Chen Jin\Desktop\requested-files[2006-11-06_15_51].cab/F:/WINDOWS/tshz168.exe Infected: Trojan-Dropper.Win32.Agent.ays skipped
F:\Documents and Settings\Yong Chen Jin\Desktop\requested-files[2006-11-06_15_51].cab/F:/WINDOWS/zzh520.exe/data0003 Infected: Trojan-Downloader.Win32.Delf.asz skipped
F:\Documents and Settings\Yong Chen Jin\Desktop\requested-files[2006-11-06_15_51].cab/F:/WINDOWS/zzh520.exe Infected: Trojan-Downloader.Win32.Delf.asz skipped
F:\Documents and Settings\Yong Chen Jin\Desktop\requested-files[2006-11-06_15_51].cab/F:/WINDOWS/5097.exe Infected: not-a-virus:AdWare.Win32.IEHlpr.q skipped
F:\Documents and Settings\Yong Chen Jin\Desktop\requested-files[2006-11-06_15_51].cab/F:/WINDOWS/Setup-168.exe Infected: not-a-virus:AdWare.Win32.Agent.ai skipped
F:\Documents and Settings\Yong Chen Jin\Desktop\requested-files[2006-11-06_15_51].cab CAB: infected - 21 skipped
F:\Documents and Settings\Yong Chen Jin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
F:\Documents and Settings\Yong Chen Jin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
F:\Documents and Settings\Yong Chen Jin\Local Settings\History\History.IE5\index.dat Object is locked skipped
F:\Documents and Settings\Yong Chen Jin\Local Settings\Temporary Internet Files\Content.IE5\094VD4AH\popup[1].htm Object is locked skipped
F:\Documents and Settings\Yong Chen Jin\Local Settings\Temporary Internet Files\Content.IE5\63MR6TQV\137[1].htm Object is locked skipped
F:\Documents and Settings\Yong Chen Jin\Local Settings\Temporary Internet Files\Content.IE5\63MR6TQV\g1[1].htm Object is locked skipped
F:\Documents and Settings\Yong Chen Jin\Local Settings\Temporary Internet Files\Content.IE5\63MR6TQV\index1[1].htm Object is locked skipped
F:\Documents and Settings\Yong Chen Jin\Local Settings\Temporary Internet Files\Content.IE5\CDUFUNE3\popup[1].htm Object is locked skipped
F:\Documents and Settings\Yong Chen Jin\Local Settings\Temporary Internet Files\Content.IE5\CDUFUNE3\popup[2].htm Object is locked skipped
F:\Documents and Settings\Yong Chen Jin\Local Settings\Temporary Internet Files\Content.IE5\CDUFUNE3\popup[3].htm Object is locked skipped
F:\Documents and Settings\Yong Chen Jin\Local Settings\Temporary Internet Files\Content.IE5\ENIZQTIZ\popup[1].htm Object is locked skipped
F:\Documents and Settings\Yong Chen Jin\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
F:\Documents and Settings\Yong Chen Jin\Local Settings\Temporary Internet Files\Content.IE5\QXS14RO7\popup[1].htm Object is locked skipped
F:\Documents and Settings\Yong Chen Jin\Local Settings\Temporary Internet Files\Content.IE5\QXS14RO7\popup[2].htm Object is locked skipped
F:\Documents and Settings\Yong Chen Jin\Local Settings\Temporary Internet Files\Content.IE5\TEVP1M46\popup[1].htm Object is locked skipped
F:\Documents and Settings\Yong Chen Jin\NTUSER.DAT Object is locked skipped
F:\Documents and Settings\Yong Chen Jin\ntuser.dat.LOG Object is locked skipped
F:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.62 skipped
F:\Program Files\Softwin\BitDefender8\asdict.dat Object is locked skipped
F:\Program Files\Softwin\BitDefender8\Quarantine\mssapi.dll Object is locked skipped
F:\Program Files\Softwin\BitDefender8\Quarantine\OldUnReg.dll Object is locked skipped
F:\Program Files\Softwin\BitDefender8\Quarantine\svchost.dll Object is locked skipped
F:\Program Files\Softwin\BitDefender8\Quarantine\unreg1.dll Object is locked skipped
F:\Program Files\Softwin\BitDefender8\regspy.sys Infected: not-a-virus:Monitor.Win32.PCAcme.61 skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
F:\WINDOWS\SchedLgU.Txt Object is locked skipped
F:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
F:\WINDOWS\Sti_Trace.log Object is locked skipped
F:\WINDOWS\system32\5097.exe Object is locked skipped
F:\WINDOWS\system32\5680.0XE Object is locked skipped
F:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
F:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
F:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
F:\WINDOWS\system32\config\default Object is locked skipped
F:\WINDOWS\system32\config\default.LOG Object is locked skipped
F:\WINDOWS\system32\config\SAM Object is locked skipped
F:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
F:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
F:\WINDOWS\system32\config\SECURITY Object is locked skipped
F:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
F:\WINDOWS\system32\config\software Object is locked skipped
F:\WINDOWS\system32\config\software.LOG Object is locked skipped
F:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
F:\WINDOWS\system32\config\system Object is locked skipped
F:\WINDOWS\system32\config\system.LOG Object is locked skipped
F:\WINDOWS\system32\OLD8F.tmp Infected: Trojan-Dropper.Win32.Agent.awd skipped
F:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
F:\WINDOWS\Temp\tmp00007fbd\tmp00000000 Object is locked skipped
F:\WINDOWS\wiadebug.log Object is locked skipped
F:\WINDOWS\wiaservc.log Object is locked skipped
F:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
Chen Jin,
Your machine shall be clean after deleting the following files/folders:
C:\windows\SVCH0ST.0XE
C:\windows\system32\wins\SVCH0ST.EXE
F:\!KillBox\
F:\Documents and Settings\Yong Chen Jin\Desktop\requested-files[2006-11-06_15_51].cab CAB
F:\WINDOWS\system32\OLD8F.tmp
I don't expect any of the above to resist deletion. If you encounter any problems, please let me know.
Kindly follow these simple steps in order to keep your computer clean and secure:
CLEAR & RESET SYSTEM RESTORE'S CACHE - (System Volume Information folder)
Go to Start → Run → type control sysdm.cpl,,4 & press Enter
Tick on the checkbox - Turn off System Restore on all drives
Click Apply
Turn it back 'On' by unticking the same checkbox & click OK
DISABLE THE VIEWING OF SYSTEM FILES
From Windows Explorer, go to Tools>Folder Options> View tab.
Untick - Show hidden files and folders
Tick - Hide file extensions for known types
Tick - Hide protected operating system files
Click Yes to confirm & then click OK
SECURING INTERNET EXPLORER
From within Internet Explorer click on the Tools menu and then click on Internet Options.
Select the Security tab
Click once on the Internet icon so it becomes highlighted.
Select Custom Level .
Change 'Download signed ActiveX controls' to Prompt
Change 'Download unsigned ActiveX controls' to Disable
Change 'Initialize and script ActiveX controls not marked as safe' to Disable
Change 'Installation of desktop items' to Prompt
Change 'Launching programs and files in an IFRAME' to Prompt
Change 'Navigate sub-frames across different domains' to Prompt
When all these changes have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Select OK to exit the Internet Properties page.
ANTIVIRUS SOFTWARE
It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
See this link for a listing of some online and stand-alone antivirus programs:
Virus, Spyware, and Malware Protection and Removal Resources → http://www.bleepingcomputer.com/forums/topict405.html
It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
FIREWALL
Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. A tutorial on firewalls and a listing of some available ones can be found here → http://www.bleepingcomputer.com/forums/tutorial60.html
Microsoft Windows Update → http://www.windowsupdate.com
Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
SPYBOT - SEARCH & DESTROY
Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial43.html
AD-AWARE
Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial48.html
SPYWAREBLASTER
SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.
Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial49.html
IE-SPYAD
IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here: http://www.spywarewarrior.com/uiuc/resource.htm
Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are malware-free instant messenger programs which allow you to connect to multiple IM services in one program (AOL, Yahoo, ICQ, IRC, MSN).
http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
http://toolbar.google.com/ - Google Toolbar - Get the free google toolbar to help stop pop up windows.
http://cleanup.stevengould.org/ - CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.
ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting, and this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.
NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.
http://www.winpatrol.com/ -Winpatrol - Download and install the free version of Winpatrol.
A tutorial for this product is located here: http://www.winpatrol.com/features.html
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://computercops.biz/postlite7736-.html
After doing all these, your system will be optimised against future threats.
It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.
Please respond to this thread one more time so we can mark this thread as resolved.
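The Internet Options and System Restore steps above are manual dialog clicks. The following is an added example, not code from the original thread or from any of the products it lists, that applies the same six Internet-zone settings through the registry, reads them back to confirm they took, and wraps the "turn System Restore off, then on again" step. The numeric action IDs (1001, 1004, 1201, 1800, 1804, 1607) are the documented Internet Explorer zone action identifiers for the labels quoted in the post; the function names, the report layout and the HKCU path are this example's own choices.

```powershell
# Added example (not from the original thread): registry equivalent of the
# "Securing Internet Explorer" and "Clear & reset System Restore's cache"
# steps above. Run in an elevated console as the user who was infected.

# Zone 3 is the Internet zone. Action values: 0 = Enable, 1 = Prompt, 3 = Disable.
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$Prompt   = 1
$Disable  = 3

# Action ID -> (dialog label, desired value), one entry per step in the post.
$Desired = [ordered]@{
    '1001' = @{ Label = 'Download signed ActiveX controls';                          Value = $Prompt  }
    '1004' = @{ Label = 'Download unsigned ActiveX controls';                        Value = $Disable }
    '1201' = @{ Label = 'Initialize and script ActiveX controls not marked as safe'; Value = $Disable }
    '1800' = @{ Label = 'Installation of desktop items';                             Value = $Prompt  }
    '1804' = @{ Label = 'Launching programs and files in an IFRAME';                 Value = $Prompt  }
    '1607' = @{ Label = 'Navigate sub-frames across different domains';             Value = $Prompt  }
}

function Get-ZoneAction {
    # Returns the current DWORD for one action ID, or $null if it is unset.
    param([string]$Path, [string]$Id)
    $item = Get-ItemProperty -Path $Path -Name $Id -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Id
}

function Set-InternetZoneHardening {
    # Writes each desired value (unless -ReportOnly) and emits a before/after
    # row per setting so the change can be verified, not just assumed.
    param(
        [string]$Path,
        [System.Collections.IDictionary]$Settings,
        [switch]$ReportOnly
    )
    if (-not $ReportOnly -and -not (Test-Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    foreach ($id in $Settings.Keys) {
        $before = Get-ZoneAction -Path $Path -Id $id
        $want   = $Settings[$id].Value
        if (-not $ReportOnly -and $before -ne $want) {
            Set-ItemProperty -Path $Path -Name $id -Value $want -Type DWord
        }
        $after = if ($ReportOnly) { $before } else { Get-ZoneAction -Path $Path -Id $id }
        [pscustomobject]@{
            Id     = $id
            Label  = $Settings[$id].Label
            Before = $before
            Wanted = $want
            After  = $after
            OK     = ($after -eq $want)
        }
    }
}

function Reset-SystemRestoreCache {
    # Same effect as the "turn off, apply, turn back on" steps in the post.
    # Disabling System Restore discards every existing restore point on the
    # drive, which is the intent: an infected restore point would otherwise
    # bring the malware back after a later restore.
    param([string]$Drive = ($env:SystemDrive + '\'))
    Disable-ComputerRestore -Drive $Drive
    Enable-ComputerRestore  -Drive $Drive
}

# Usage:
$report = Set-InternetZoneHardening -Path $ZonePath -Settings $Desired
$report | Format-Table -AutoSize

if ($report | Where-Object { -not $_.OK }) {
    # HKCU zone values are ignored when Security_HKLM_only is set under
    # HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings,
    # and Group Policy can lock the zone; check both before retrying.
    Write-Warning 'One or more Internet-zone settings did not take effect.'
}
# Reset-SystemRestoreCache   # run once the cleanup has been confirmed
```

Run it once with `-ReportOnly` first to see the current values; the OK column in the report is the check that the dialog walk-through above does not give you. The System Restore reset is left commented out because it is destructive and belongs after the scan comes back clean, which is also the order the post prescribes.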
divinewind88
11-08-2006, 02:16 PM
Yeah. Thanks a million, Budfred and sUBs.
I had no problem deleting those files you mention.
Once again, thanks!
Budfred
11-08-2006, 11:11 PM
sUBs deserves the thanks for breaking through the logjam...
As I said earlier, it is a good idea to change passwords and account numbers that you have entered on this computer since the criminals that infected it are likely to have stolen that information... I suggest keeping a close watch on your accounts as well...
Be sure to follow the prevention advice to avoid future infection...