foxkueh 0 Junior Poster

Thanks Caperjack. Yes, I reset the router/modem but it didn't work. I am 80% sure the problem is not with the router/modem, as it works fine with my iPhone and iPad for connecting to the internet. I have checked that the driver on my laptop is current. JK

foxkueh 0 Junior Poster

Greetings.

My laptop was working fine with connection to the internet through my home modem. However, all of a sudden it refused to detect the modem, although it has no problem detecting other modems in the vicinity. Could it be caused by a virus? I have had it scanned, with the reports attached. Pls help me to identify the problem. I have no problem connecting to the modem with other devices such as iPad and iPhone. Thank you.

Malwarebytes Anti-Malware (PRO) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.16.07

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.19019
JK :: JK-PC [administrator]

Protection: Enabled

16/08/2012 11:47:14 p.m.
mbam-log-2012-08-16 (23-47-14).txt

Scan type: Full scan (C:\|D:\|H:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 586422
Time elapsed: 3 hour(s), 24 minute(s), 23 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)




GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-08-16 10:43:54
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 SAMSUNG_ rev.2AC1
Running: v8tci4bx.exe; Driver: C:\Users\JK\AppData\Local\Temp\pxldypoc.sys

---- System - GMER 1.0.15 ----

Code            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwCreateProcessEx [0x92DB1744]
Code            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ObInsertObject
Code            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self …
foxkueh 0 Junior Poster

Hi...

I suspect this pc has a virus. It automatically sends out emails to people in the contact list with offers of iPhone 3GS, recently from www.eeook.com and www.ayoeft.com. It also runs very slowly. I installed MBAM, Spybot S&D, and Ad-aware one week ago but they were automatically uninstalled. I installed MBAM again but cannot install Ad-aware and Spybot S&D because some characters cannot be recognised. Scans with McAfee and MBAM didn't find any virus.

Can someone help pls?

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 8:24:35 a.m., on 27/02/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xtra.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - …

foxkueh 0 Junior Poster

Thanks Crunchie,

I guess I will let my friend use the pc for awhile and see if there is any more problem.

foxkueh

foxkueh 0 Junior Poster

Thanks Crunchie,

The file that MBA-M found could be a false positive. What could I do?

I've changed the restore, run ATF Cleaner.exe and defragged the drives.

ESET returns no threat.

foxkueh

foxkueh 0 Junior Poster

Hi Crunchie,

In addition to the above, I ran Ad-Aware and MBA-M again and the reports:

Logfile created: 2010-2-8 07:04:32
Lavasoft Ad-Aware version: 8.1.4
User performing scan: Administrator

*********************** Definitions database information ***********************
Lavasoft definition file: 149.148
Genotype definition file version: 2010/02/05 10:29:00

******************************** Scan results: *********************************
Scan profile name: 完全扫描  (ID: full)
Objects scanned: 108503
Objects detected: 53


Type              Detected
==========================
Processes.......:        0
Registry entries:        2
Hostfile entries:        0
Files...........:       51
Folders.........:        0
LSPs............:        0
Cookies.........:        0
Browser hijacks.:        0
MRU objects.....:        0



Quarantined items:
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP720\A0224522.exe Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 519248 Family ID: 1001 MD5: ac68dffc261c8625c5f2a94364ca10c9
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP720\A0224576.exe Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 519248 Family ID: 1001 MD5: ac68dffc261c8625c5f2a94364ca10c9
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP720\A0225573.exe Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 519248 Family ID: 1001 MD5: ac68dffc261c8625c5f2a94364ca10c9
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP720\A0225594.exe Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 519248 Family ID: 1001 MD5: ac68dffc261c8625c5f2a94364ca10c9
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP720\A0225651.exe Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 519248 Family ID: 1001 MD5: ac68dffc261c8625c5f2a94364ca10c9
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP720\A0226650.exe Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 519248 Family ID: 1001 MD5: ac68dffc261c8625c5f2a94364ca10c9
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP720\A0226676.exe Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 519248 Family ID: 1001 MD5: ac68dffc261c8625c5f2a94364ca10c9
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP721\A0227675.exe Family Name: Win32.TrojanDownloader.Agent Engine: 1 Clean status: Success Item ID: 519248 Family ID: 1001 MD5: ac68dffc261c8625c5f2a94364ca10c9
Description: C:\System Volume Information\_restore{FBE4B40B-9551-46C0-BF22-DED225BFE29E}\RP721\A0227710.exe …
foxkueh 0 Junior Poster

I don't seem to be able to change the default page of IE. No matter what I did, it always went back to the same Chinese webpage. If I close this page, another, different Chinese webpage will open.

Other than that, it appears to be running normally now. I will contact you if I encounter problems.

I am so grateful for your help, Crunchie.

foxkueh 0 Junior Poster

Hi Crunchie,

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-02-08 04:02:47
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\agldapow.sys


---- System - GMER 1.0.15 ----

SSDT sptd.sys ZwEnumerateKey [0xF72A2FB2]
SSDT sptd.sys ZwEnumerateValueKey [0xF72A3340]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xF2F4078A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xF2F40738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF2F4074C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF2F407CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xF2F40710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xF2F40724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF2F4079E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xF2F40776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF2F40762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF2F407F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF2F407E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xF2F407B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 84A9D1E8

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

foxkueh 0 Junior Poster

Hi Crunchie,

zip file deleted, but only one found.

DDS doesn't run. Is it important? Tried running Kaspersky again but stalled at 10% scan. How do I proceed?

foxkueh

foxkueh 0 Junior Poster

Do you have particular entries I should delete? Any step I should follow? I will try running DDS.

foxkueh 0 Junior Poster

下载 = Downloads

foxkueh 0 Junior Poster

Hi Crunchie,

KScan Report

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, February 5, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, February 05, 2010 10:54:47
Records in database: 3425944
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Objects scanned: 76198
Threats found: 2
Infected objects found: 2
Suspicious objects found: 0
Scan duration: 02:22:36


File name / Threat / Threats count
D:\下载\HA-PartitionMagic805-LDR.zip Infected: not-a-virus:AdWare.Win32.Alibabar.c 1
D:\下载\HA-PartitionMagic805-LDR.zip Infected: not-a-virus:AdWare.Win32.Alibabar.a 1

Selected area has been scanned.

foxkueh 0 Junior Poster

c:\documents and settings\LocalService\桌面
C:\C盘临时移出文件
c:\program files\SOFTCH~1.EXE (need the full file name)
c:\program files\快捷方式
c:\program files\快捷上网.url
c:\documents and settings\Administrator\「开始」菜单\程序\启动\快捷方式.lnk
c:\windows\pss\快捷方式.lnkStartup

Here they are:

c:\documents and settings\LocalService\Desktop
C:\Document temporary removed from C(contains eg. sqmdata08.sqm etc.)
c:\program files\SOFTCHANNEL.EXE (could be related to xiezai, I believe not a desirable program from soft.yesky.com.)
c:\program files\快捷方式 (folder contains xiezai.exe etc)
c:\program files\xiezai.url
c:\documents and settings\Administrator\Start menu\program\xiezai.lnk
c:\windows\pss\xiezai.lnkStartup

Crunchie, I hope this helps.

One more thing. When scanning with Malwarebytes' Anti-Malware, dialogue boxes with Error Code: 700 (0,0), Error Code: 724 (0,6) and Error Code: 731 (0,6) open, so I think the result may not be conclusive. There was a trojan found but the report didn't show that.

Can I run ComboFix again?

foxkueh 0 Junior Poster

This isn't my pc, which runs on Chinese Windows XP, Crunchie; I am just helping a friend. There are still popups, especially when browsing Chinese web pages. My concern is that some unnecessary processes are running in the background and slowing down the processing of, say, a Word application. How can this be stopped?

Can you highlight the lines that have some Chinese characters you want to look at, and I will get them translated so you can give proper advice? I do appreciate your help.

foxkueh

foxkueh 0 Junior Poster

Thanks so much, Crunchie. I don't know what I would do without your guidance.
Oh... Thanks so much for the other thread as well. There are still popups, but somehow the user will have to live with them for now, unless it gets really annoying.
foxkueh

foxkueh 0 Junior Poster

I don't experience popups with this pc. Can you see anything undesirable in the HJT log? Is it clean? Otherwise my pc runs quite normally now.

foxkueh 0 Junior Poster

Foreign? The format is still the same although some of the stuff is in Chinese. Do we need someone who can read Chinese to help? Can you highlight the lines you don't understand and I will have them translated to English?

Crunchie, I suspect the Hosts may have something to do with the problem.

foxkueh

foxkueh 0 Junior Poster

Hi Crunchie,

Thank you very much. Here are the two logs:

Malwarebytes' Anti-Malware 1.44
Database version: 3686
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

4/02/2010 4:23:50 p.m.
mbam-log-2010-02-04 (16-23-50).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 355895
Time elapsed: 1 hour(s), 13 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:30:14 p.m., on 4/02/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Anti-virus\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
E:\Program Files\Anti-virus\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe

foxkueh 0 Junior Poster

Thanks Crunchie,

Here are the logs for your advice:

ComboFix 10-02-03.04 - Administrator -02-04 星期四 9:53.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.936.86.2052.18.895.322 [GMT 8:00]
执行位置: c:\documents and settings\Administrator\桌面\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: ActiveArmor Firewall *disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* 防毒软件还在运行中


注意 - 这台电脑没有安装恢复控制台 !!
.
Error: Cfiles.dat

((((((((((((((((((((((((((((((((((((((( 被删除的档案 )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\BITS
c:\documents and settings\Administrator\Application Data\BITS\BITS.ini
c:\documents and settings\Administrator\Application Data\BITS\DHTTable.dat
c:\documents and settings\Administrator\Application Data\BITS\ProxyList.ini
c:\program files\StormII
d:\软件\网易闪电邮\Start.exe

.
((((((((((((((((((((((((( 2010-01-04 至 2010-02-04 的新的档案 )))))))))))))))))))))))))))))))
.

2010-02-03 20:06 . 2010-02-03 20:06 126208 ----a-w- c:\windows\system32\SmartPopup.dll
2010-02-03 20:06 . 2010-02-03 20:06 131840 ----a-w- c:\windows\system32\SmartClick.dll
2010-02-02 01:25 . 2010-02-02 01:25 -------- dc----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-02-02 01:24 . 2010-01-07 08:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-02 01:24 . 2010-02-02 01:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-02 01:24 . 2010-01-07 08:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-01 06:32 . 2010-02-01 05:40 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-02-01 05:41 . 2009-12-02 13:19 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-02-01 05:40 . 2010-02-01 05:40 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2010-02-01 05:40 . 2010-02-01 05:40 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2010-02-01 05:40 . 2010-02-01 05:40 206944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2010-02-01 05:40 . 2010-02-01 05:40 390288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2010-02-01 05:40 . 2010-02-01 05:40 …

foxkueh 0 Junior Poster

Thanks Crunchie,

Running rkill.scr was OK, but dds.scr still didn't run. No txt file.

Running exehelper was OK; I attach exehelper.txt in case it is of any use.

exeHelper by Raktor
Build 20091220
Run at 04:31:12 on 02/04/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

Need further help from you, mate.

foxkueh

foxkueh 0 Junior Poster

Have replied. Sorry, I got caught up yesterday.

Hi Crunchie
While you are looking at my other thread, can you also take some time to help me with this one? I believe this is not yet solved. Much appreciated.
foxkueh

foxkueh 0 Junior Poster

Thanks Crunchie for the instructions. However, I cannot find C:\WINDOWS\Svcpack\XPLODE.EXE for Jotti's to scan. That's number one.

Secondly, the dds.scr would not run. I disabled all the protections and disconnected the internet connection. Then I double-clicked dds.scr, but it just opens the black window and immediately disappears. I checked Task Manager to confirm it is not running.

Pls advise how I can resolve these issues.

Thanks
foxkueh

foxkueh 0 Junior Poster

I experience popups that slow down the processing speed of my other computer. This is my HJT log. I would appreciate it if someone could advise me on what to do.

HJT log as above.

--
End of file - 11762 bytes

This problem occurs with a different pc, which I need to solve as soon as possible. Can you help me pls?
Foxkueh

foxkueh 0 Junior Poster

Hi Crunchie,
When you have the time, pls help me with my HJT log in #8 above, and the thread on the HJT log of the slow-speed pc with popups (a different pc).
Thank you very much.
Foxkueh

foxkueh 0 Junior Poster

Is your other thread for the same pc?

My other thread is for another pc, which I need to solve asap. I would really appreciate it if you can help me.

Anyway this is my new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:08:17 p.m., on 2/02/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Anti-virus\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
E:\Program Files\Anti-virus\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
E:\Program Files\Anti-virus\Alwil Software\Avast4\ashMaiSv.exe
E:\Program Files\Anti-virus\Alwil Software\Avast4\ashWebSv.exe
E:\PROGRA~1\ANTI-V~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\FlashGet\FlashGet.exe
C:\Program Files\Java\jre6\bin\jusched.exe
E:\Program Files\Anti-virus\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - D:\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\ANTI-V~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: FlashGet GetFlash Class …

foxkueh 0 Junior Poster

I would look in add/remove first to see if there is an uninstall option.

Hi Crunchie, I can't find anything named AskBar in add/remove. What will it do? And what else can I do to remove it?

Can you help with my other post, where I have more problems with popups and slow speed? Much appreciated.

foxkueh 0 Junior Poster

Ask Bar is the only one I can see.

Do you suggest I fix this
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll ?

foxkueh 0 Junior Poster

I need help with identifying nasties in this HJT log. Can someone help?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:20:49 a.m., on 2/02/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Anti-virus\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
E:\Program Files\Anti-virus\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\wuauclt.exe
E:\Program Files\Anti-virus\Alwil Software\Avast4\ashMaiSv.exe
E:\Program Files\Anti-virus\Alwil Software\Avast4\ashWebSv.exe
E:\PROGRA~1\ANTI-V~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\FlashGet\FlashGet.exe
C:\Program Files\Java\jre6\bin\jusched.exe
E:\Program Files\Anti-virus\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - D:\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\ANTI-V~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: FlashGet GetFlash Class …

foxkueh 0 Junior Poster

I experience popups that slow down the processing speed of my other computer. This is my HJT log. I would appreciate it if someone could advise me on what to do.

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 7:29:39, on 2010-2-2
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
D:\软件\storm2\stormliv.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
D:\软件\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\System32\wuauclr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\COMMON~1\McAfee\MSC\McUICnt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\rundll32.exe

O1 - Hosts: 60.209.152.204 www.kzdh.com
O1 - Hosts: 60.209.152.204 www.6781.com
O1 - Hosts: 60.209.152.204 www.i2345.cn
O1 - Hosts: 60.209.152.204 www.haokan123.com
O1 - Hosts: 60.209.152.204 www.365wz.net
O1 - Hosts: 60.209.152.204 www.5d5e.com
O1 - Hosts: 60.209.152.204 www.112r.com
O1 - Hosts: 60.209.152.204 www.32e.com
O1 - Hosts: 60.209.152.204

foxkueh 0 Junior Poster

If you installed it and it's not causing problems, then keep it. Some of those poker add-ons cause pop-ups etc.

Thanks Crunchie. Appreciate your help.
JK

foxkueh 0 Junior Poster

Thanks Cohen and Crunchie for your help.

My HD is an IDE one, as my PC is an old one. I remember it used to boot up faster. I will try a defrag to see if it helps.

Thanks again.

JK

foxkueh 0 Junior Poster

Thanks Crunchie and Cohen. Appreciate your help heaps.

Hey Crunchie, you mentioned Bodog Poker; do I need to do something about it?

JK

foxkueh 0 Junior Poster

Thanks Crunchie and Cohen,

It seems the PC is a little faster, but rebooting still takes a long time. I had the disc defragged about a month ago. I have also updated Java.

Here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:32:01 p.m., on 19/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 165.228.132.10:3128
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,System,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

foxkueh 0 Junior Poster

I have to disagree with cohen here and say that I cannot see a reason (from your hijackthis log) to run Combofix.
The only thing I may be concerned about is the Bodog Poker entry and I wouldn't think that Combofix would be needed to remove it. Combofix is a powerful tool and should ONLY be run when necessary.

The O2 entry can go, and your Java does need updating.

How is your PC behaving now?

Thanks Cohen and Crunchie,

I have run CF, and when I tried submitting a reply the browser stalled, so I have used my first PC to post this. Here are the logs requested by Cohen:

ComboFix 08-12-18.01 - Computer 2008-12-19 19:18:14.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.1020 [GMT 13:00]
Running from: c:\documents and settings\Computer\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\dumphive.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((( Files Created from 2008-11-19 to 2008-12-19 )))))))))))))))))))))))))))))))
.

2008-12-19 18:59 . 2008-12-19 18:58 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-19 18:59 . 2008-12-19 18:58 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-19 13:50 . 2008-12-19 13:50 <DIR> d-------- c:\documents and settings\Computer\Application Data\Malwarebytes
2008-12-19 13:49 . 2008-12-19 13:50 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-19 13:49 . 2008-12-19 13:49 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-12-19 13:49 . 2008-12-03 …

foxkueh 0 Junior Poster

Hello,

When you say slow, what do you mean?
Do you think it could be a virus?

I did notice a few things in your HJT log, so it might be worth following my instructions below.

Can you please do the following:

1. - Download Malwarebytes' Anti-Malware (http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button) to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure to checkmark the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Make sure that you restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

2. - Please run HJT again and post the log.

In your reply, post the logs (in this order):
1. - Malware Bytes Log
2. - Hijackthis Log

Thanks,

Cohen

Hi Cohen,
Here are the logs. Thanks for your help.

Malwarebytes' Anti-Malware 1.31
Database version: 1517
Windows 5.1.2600 Service Pack 3

19/12/2008 6:30:09 p.m.
mbam-log-2008-12-19 (18-30-09).txt

Scan …

foxkueh 0 Junior Poster

Yes I will do this Crunchie. However I am also running Malwarebytes on this pc.
JK

Hi Crunchie,
Here are the logs:

Malwarebytes' Anti-Malware 1.31
Database version: 1517
Windows 5.1.2600 Service Pack 3

19/12/2008 5:10:26 p.m.
mbam-log-2008-12-19 (17-10-26).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 355367
Time elapsed: 1 hour(s), 30 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 5
Registry Data Items Infected: 5
Folders Infected: 2
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{34cf6660-9bd3-431a-ba32-6b511d4126da} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7c109800-a5d5-438f-9640-18d17e168b88} (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search\searchassistant (Trojan.Zlob) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\searchmigrateddefaulturl (Trojan.Zlob) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\searchmigrateddefaulturl (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Trojan.Zlob) -> Delete on reboot.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Hijack.Search) -> Bad: (http://internetsearchservice.com/search?q=%s) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Hijack.Search) -> Bad: (http://internetsearchservice.com/search?q=%s) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Hijack.Search) -> Bad: (http://internetsearchservice.com/search?q={searchTerms}) Good: …

foxkueh 0 Junior Poster

Run hijackthis again and do a scan and place a check next to the following entries;

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

Now, close ALL Internet Exploder windows and any Windows folders and hit the "Fix Checked" button.

==

Now, download and run Malwarebytes Anti-Malware following the instructions given in the first sticky thread in the forum (I am at work and do not have my canned replies with me).

==

Reboot your computer and post the log from MBAM and a new hijackthis log.

Yes I will do this Crunchie. However I am also running Malwarebytes on this pc.
JK

foxkueh 0 Junior Poster

Thanks Cohen. I am still running the Malwarebytes on the first pc. Will get back when completed.
JK

foxkueh 0 Junior Poster

Hi Crunchie,

No, this is my other computer that I want cleaned. Please help.

JK

foxkueh 0 Junior Poster

Can you help me by looking through this HJT log and suggesting ways of cleaning it, if it is unclean? Thanks, JK.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:31:47 a.m., on 19/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Program Files\Anti-virus\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
E:\Program Files\Anti-virus\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\vsnpstd3.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Anti-virus\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\VirtuaWin\VirtuaWin.exe
C:\Program Files\VirtuaWin\modules\WinList.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

foxkueh 0 Junior Poster

Hi

My PC has been running extremely slowly nowadays. Can you help me please?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:15:06 a.m., on 19/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 165.228.132.10:3128
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,System
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - (no file)
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in …
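
Several posts in this thread paste HijackThis logs and the helpers then hand-pick the O1 (hosts file), R0/R1 (start, search and proxy settings), F2 (UserInit) and O2 (BHO) lines worth fixing. The script below automates that first pass. It is an added example, not a HijackThis feature and not code from any post here: it changes nothing on the machine and only turns the lines a helper would look at into findings. The allowlist KNOWN_GOOD_HOSTS, the severities and the function name triage are assumptions chosen for the example; the sample lines are taken from the logs quoted in this thread, with two benign lines (a loopback hosts entry and a Google start page) added so the filter has something to let through. Note that an extra UserInit entry is reported for review, not asserted to be malicious.

```python
"""First-pass triage of a HijackThis log (added example; not a HijackThis
feature and not code from any post in this thread). It changes nothing on
the machine: it only turns the lines a helper would hand-pick into findings.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumption: hosts a browser may legitimately use for start/search pages.
# Any other host in an R0/R1 URL is reported for a human to check.
KNOWN_GOOD_HOSTS = {
    "www.google.com", "www.google.co.nz", "go.microsoft.com", "runonce.msn.com",
}
# Hosts-file targets that are normal; anything else is a redirect.
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
R_ENTRY_RE = re.compile(r"^R[01] - (.+?)\s*=\s*(.*)$")
USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$")
BHO_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")

# Constructed sample: lines of the kinds seen in the logs in this thread,
# plus two benign lines (a loopback hosts entry and a Google start page)
# so the filter has something to let through.
SAMPLE_LOG = r"""
O1 - Hosts: 60.209.152.204 www.kzdh.com
O1 - Hosts: 60.209.152.204 www.6781.com
O1 - Hosts: 60.209.152.204 www.i2345.cn
O1 - Hosts: 127.0.0.1 localhost
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 165.228.132.10:3128
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,System,
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
"""


def triage(log_text):
    """Return (severity, message) findings: hosts redirects first, then the
    remaining findings in log order."""
    findings = []
    redirects = defaultdict(list)  # target IP -> hostnames sent to it
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := HOSTS_RE.match(line):
            ip, host = m.groups()
            if ip not in LOOPBACK:
                redirects[ip].append(host)
        elif m := R_ENTRY_RE.match(line):
            key, value = m.groups()
            name = key.rpartition(",")[2]  # e.g. "Search Page", "ProxyServer"
            if name == "ProxyServer" and value:
                findings.append(("medium", f"IE proxy set to {value}; confirm it is yours"))
            elif value.lower().startswith("http"):
                host = urlparse(value).hostname or ""
                if host not in KNOWN_GOOD_HOSTS:
                    findings.append(("high", f"{name} points at {host}"))
        elif m := USERINIT_RE.match(line):
            parts = [p.strip() for p in m.group(1).split(",") if p.strip()]
            extras = [p for p in parts if not p.lower().endswith("userinit.exe")]
            if extras:
                findings.append(("medium", "UserInit runs extra entries at logon: " + ", ".join(extras)))
        elif m := BHO_RE.match(line):
            _name, clsid, path = m.groups()
            if path == "(no file)":
                findings.append(("low", f"orphaned BHO {clsid}; safe to let HijackThis fix"))
    hosts_findings = [
        ("high", f"hosts file sends {len(hosts)} name(s) to {ip}: " + ", ".join(hosts))
        for ip, hosts in sorted(redirects.items())
    ]
    return hosts_findings + findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {message}")
```

Run it against a real log by reading the saved hijackthis.log file into triage(). Grouping the O1 lines by target IP is what makes the hosts hijack obvious: eight unrelated hostnames all resolving to one address is a redirect, not a typo.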

foxkueh 0 Junior Poster

Another one is:

"The original message was received at Thu, 21 Jun 2007 10:05:49 +0800
from mx15.singnet.com.sg [165.21.74.115]

----- The following addresses had permanent fatal errors -----
<audkoh888@pop3.singnet.com.sg>
(reason: 550 5.1.1 User unknown)

----- Transcript of session follows -----
550 5.1.1 <audkoh888@pop3.singnet.com.sg>... User unknown"

with ATT00146.dat (255 bytes) and hi (636 bytes) attached.

foxkueh 0 Junior Poster

Hi...

Recently I have been receiving emails with the following message and two attachments (one is Att00055.dat and the other is a Mail Delivery (failure tslee@magix.com.sg)):

"Subject: [WARNING: VIRUS REMOVED]Returned mail:see transcript for details

The original message was received at Fri, 22 Jun 2007 10:34:44 +0800
from bb220-255-154-243.singnet.com.sg [220.255.154.243]

----- The following addresses had permanent fatal errors -----
<tslee@magix.com.sg>
(reason: 550 5.1.1 <tslee@magix.com.sg>... User unknown)

----- Transcript of session follows -----
... while talking to smtp.magix.com.sg.:
>>> DATA
<<< 550 5.1.1 <tslee@magix.com.sg>... User unknown
550 5.1.1 <tslee@magix.com.sg>... User unknown
<<< 503 5.0.0 Need RCPT (recipient)"

These emails are unsolicited and the addressees are unknown to me. I suspect the attached mails contain viruses and may infect my computer if I open the attachments. Can someone help me with this please?

Thanks,
foxkueh

foxkueh 0 Junior Poster

Hi,

I suspect my computer is infected with a virus. I use Outlook Express for my email, and occasionally I receive returned mail from an unfamiliar address I never sent email to, sometimes with a virus notice in the message, as follows:
Mapletree's Network Associates WebShield SMTP V4.5 MR2 on hfwww01 detected W32/Netsky.p@MM in attachment application.scr, emailed from <jou.kueh@ihug.co.nz> to <pylee@mapletree.com.sg> (Subject: Re: application), and it was Deleted.

I scanned my computer but didn't find any virus. Can someone help me with this problem please?

Thanks,
foxkueh
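
The three posts above quote non-delivery reports and a gateway's virus notice, all naming the poster as sender. One check a practitioner would run on such a bounce is to pull out the host that injected the original message and compare it with the relays the user's own outgoing mail actually passes through: when they do not match, the bounce refers to a message that somebody else sent with this address forged as the sender, which is how Netsky-class mass mailers operate, and the bounce itself is the unwanted mail. The script below is an added example, not code from any post in this thread. The relay list OWN_RELAY_SUFFIXES, the function names parse_bounce and classify, and the labels "own-mail" and "backscatter" are assumptions for the example; the two sample transcripts are constructed from the bounces quoted above.

```python
"""Parse a sendmail-style non-delivery report and decide whether it is
backscatter (added example; not code from any post in this thread)."""
import re

# Assumption (not from the thread): domain suffixes of the relays the user's
# own outgoing mail passes through. A bounce whose injecting host is not one
# of these describes a message somebody else sent with this address forged
# as the sender, which is how Netsky-class mass mailers behave.
OWN_RELAY_SUFFIXES = (".ihug.co.nz",)

RECEIVED_RE = re.compile(
    r"original message was received at ([^\n]+)\s+from (\S+) \[([0-9.]+)\]")
RECIPIENT_RE = re.compile(r"^<([^<>\s]+@[^<>\s]+)>\s*$", re.M)
STATUS_RE = re.compile(r"^(?:<<< )?(\d{3}) (\d\.\d\.\d) (.*)$", re.M)

# Constructed samples: the two transcripts quoted in the posts above, as the
# user pasted them.
BOUNCE_MAGIX = """\
Subject: [WARNING: VIRUS REMOVED]Returned mail:see transcript for details

The original message was received at Fri, 22 Jun 2007 10:34:44 +0800
from bb220-255-154-243.singnet.com.sg [220.255.154.243]

----- The following addresses had permanent fatal errors -----
<tslee@magix.com.sg>
(reason: 550 5.1.1 <tslee@magix.com.sg>... User unknown)

----- Transcript of session follows -----
... while talking to smtp.magix.com.sg.:
>>> DATA
<<< 550 5.1.1 <tslee@magix.com.sg>... User unknown
550 5.1.1 <tslee@magix.com.sg>... User unknown
<<< 503 5.0.0 Need RCPT (recipient)
"""

BOUNCE_SINGNET = """\
The original message was received at Thu, 21 Jun 2007 10:05:49 +0800
from mx15.singnet.com.sg [165.21.74.115]

----- The following addresses had permanent fatal errors -----
<audkoh888@pop3.singnet.com.sg>
(reason: 550 5.1.1 User unknown)

----- Transcript of session follows -----
550 5.1.1 <audkoh888@pop3.singnet.com.sg>... User unknown
"""


def parse_bounce(text):
    """Extract injecting host/IP, failed recipients and the first SMTP status."""
    m = RECEIVED_RE.search(text)
    if not m:
        raise ValueError("no 'original message was received' line found")
    when, host, ip = m.groups()
    statuses = STATUS_RE.findall(text)
    code, enhanced, reason = statuses[0] if statuses else ("", "", "")
    return {
        "received_at": when.strip(),
        "injecting_host": host,
        "injecting_ip": ip,
        "failed_recipients": sorted(set(RECIPIENT_RE.findall(text))),
        "smtp_code": code,
        "enhanced_status": enhanced,
        "reason": reason.strip(),
    }


def classify(bounce):
    """'own-mail' if the original left through one of our relays, else 'backscatter'."""
    host = bounce["injecting_host"].lower()
    return "own-mail" if host.endswith(OWN_RELAY_SUFFIXES) else "backscatter"


if __name__ == "__main__":
    for sample in (BOUNCE_MAGIX, BOUNCE_SINGNET):
        b = parse_bounce(sample)
        print(classify(b), b["injecting_ip"], b["failed_recipients"], b["enhanced_status"])
```

The injecting host is the only line in a bounce that the forger cannot control, because the receiving server writes it from the TCP connection. The attachments that ride along with these bounces (the .dat file and the returned original) are a separate question and are best left unopened regardless of the classification.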

foxkueh 0 Junior Poster

The USB device should have come with the drivers on a disk for Win98. Is it a Samsung USB device, or just a device with a Samsung drive in it? If so, what is the brand name of the device?

The device brand name is Edge, with a Samsung hard drive in it. There is no disk for Win98 supplied with it. I have no problem with WinXP; it just installs without needing any external software.

foxkueh 0 Junior Poster

I am trying to use the external hard drive on a Win98SE system. It asks for a driver when startup identifies the new hardware, but I can't find one anywhere, including on the WinXP disk. Can someone help me with this?
foxkueh

foxkueh 0 Junior Poster

I have also been having problems when I try to play a video on the computer. Whenever I open it, it suddenly goes very slow and laggy. It takes about 1 minute before the Ctrl+Alt+Delete menu comes up after I press it. The videos work on my other computer ok and used to work well on this one before I installed the graphics card. Do you know what the problem could be?

foxkueh 0 Junior Poster

Logfile of HijackThis v1.99.1
Scan saved at 2:28:53 PM, on 12/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\spoolsv.exe
C:\WINXP\Explorer.EXE
C:\WINXP\System32\RunDll32.exe
C:\Program Files\Mercora\MercoraClient.exe
C:\WINXP\System32\RUNDLL32.EXE
C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\DOCUMENTS AND SETTINGS\USER\MY DOCUMENTS\My Downloads\utorrent.exe
C:\WINXP\System32\rundll32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINXP\System32\nvsvc32.exe
C:\WINXP\System32\ups.exe
C:\WINXP\system32\ZoneLabs\vsmon.exe
C:\Documents and Settings\user\Desktop\HijackThis.exe
C:\WINXP\system32\rundll32.exe
C:\WINXP\System32\imapi.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINXP\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINXP\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINXP\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINXP\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Mercora] "C:\Program Files\Mercora\MercoraClient.exe" -startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINXP\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINXP\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [VGAUtil] C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [µTorrent] "C:\DOCUMENTS AND SETTINGS\USER\MY DOCUMENTS\My Downloads\utorrent.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 …

foxkueh 0 Junior Poster

The Cyberlink PowerDVD program as a whole is legit, but I definitely question the KGB Keylogger program which your log shows to be running from within the Cyberlink folder.
You may know this already, but keylogger programs are used to capture a user's keystrokes on a computer and save that information so that it can be reviewed by, or sent to, someone else. Obviously, unless you specifically installed the keylogger as a "parental control", you definitely don't want it installed on your computer.

If you know nothing about the keylogger:

- Leave the Cyberlink software installed for now.

- Have HijackThis fix the "[winlogons.exe]" log entry to disable the keylogger component.

- Follow my instructions concerning removing "mstool.exe".

- Reboot the computer, run HijackThis again, and post the new log.

Hi DMR,

I have deleted the Cyberlink folder, and here is the new log:

Logfile of HijackThis v1.99.1
Scan saved at 11:36:17 PM, on 12/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\spoolsv.exe
C:\WINXP\Explorer.EXE
C:\WINXP\System32\RunDll32.exe
C:\Program Files\Mercora\MercoraClient.exe
C:\WINXP\System32\RUNDLL32.EXE
C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\DOCUMENTS AND SETTINGS\USER\MY DOCUMENTS\My Downloads\utorrent.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINXP\System32\rundll32.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINXP\System32\nvsvc32.exe
C:\WINXP\System32\ups.exe
C:\WINXP\system32\ZoneLabs\vsmon.exe
C:\DOCUME~1\user\LOCALS~1\Temp\ins83.tmp
C:\Documents and Settings\user\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start …