Solved: Help: Malware (Website redirects, can't remove DLLs)

Asterixx
Junior Member with 5 posts.
THREAD STARTER
Join Date: Oct 2008
Experience: Intermediate
06-Oct-2008, 01:07 PM #1
Hi,

I have malware that I can't remove from my PC. Symptoms:

1) Two DLLs (cbXQhHbx.dll, mlJYrpQi.dll) were added to the system32 directory. (They can't be deleted.)
2) These two DLLs appear in IE's plug-in list and can't be stopped.
3) These two DLLs are automatically run when Windows starts up (in the Registry's Run section, "rundll32 cbXQhHbx.dll" and "rundll32 mlJYrpQi.dll"). I manually removed these entries, but that didn't solve the problem.
4) When using IE, I get popup windows that redirect to malicious/phishing websites.
5) Ad-aware and Norton Internet Security 2008 can't even detect this malware when running a full scan.

Could anyone help? I am attaching below the HijackThis log. Thank you very much.

Marvin K.



====================================

Logfile of HijackThis v1.99.1
Scan saved at 上午 12:51:05, on 2008/10/7
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Tmp\Tmp5\HijackThis.exe
O1 - Hosts: HPF65BCE HP0019BBF65BCE
O3 - Toolbar: 顯示 Norton 工具列 - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [106c7278] rundll32.exe "C:\WINDOWS\system32\svbmecjn.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.webmail.hinet.net
O15 - Trusted Zone: webmail.hinet.net
O16 - DPF: {0B891305-3BF4-11D6-939C-001060501170} (XCsp Control) - https://ebank.taipeifubon.com.tw/iba...d/ICReader.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {300FD990-15D4-41A4-A7DE-C1ECB8D7371F} (ATMC Class) - https://ebill.ba.org.tw/CPP/Download...ne/ATMCard.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/ZH-TW/.../GAME_UNO1.cab
O16 - DPF: {5FFA5501-B770-4301-8FAD-D87DECE0AC62} (BOOCATM Control) - https://eatm.booc.com.tw/eATM-jsfile/jsfile/BOOCATM.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1187964098375
O16 - DPF: {88B8A9C7-10A1-4535-8EEB-0D875349E5B8} (SendOrder Class) - https://ekey.fbs.com.tw/cab/axekey.cab
O16 - DPF: {8E1D16E3-37B1-48B8-862E-9D646FC0C8FF} (TFBWebATM Control) - https://ebank.taipeifubon.com.tw/iba.../TFBWebATM.cab
O16 - DPF: {8F566902-147A-450F-A492-357155B73836} (DirObj Class) - https://ekey.fbs.com.tw/cab/getdir.cab
O16 - DPF: {A8C1E502-4FCF-4AF2-ADDB-ABF540CA5BA7} (XVideoShow Control) - http://webcam.www.gov.tw/block/xVideoShow.cab
O16 - DPF: {AC414988-E5BB-4C2C-873B-EA53D2F3D23A} (CCTVUpdateInstall) - http://t.live.cctv.com/ieocx/CCTVUpdateInstall.dll
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {C7DEAFF2-1DEB-4647-9631-43C09BB8CEC6} (DVSTools Control) - http://webcam.www.gov.tw/block/DVSTools.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: 自動 LiveUpdate 排程器 (Automatic LiveUpdate Scheduler) - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod 服務 (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
Cheeseball81
Moderator & Malware Removal Specialist with 83,665 posts.
Join Date: Mar 2004
Location: Long Island, NY
Experience: Advanced
06-Oct-2008, 04:14 PM #2
Hi and welcome. Please do this first:

Download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • ...
--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
__________________
Microsoft MVP - Consumer Security
If we've helped you, please donate to TSG!
Asterixx
Junior Member with 5 posts.
THREAD STARTER
Join Date: Oct 2008
Experience: Intermediate
07-Oct-2008, 09:57 AM #3
Thank you, Cheeseball81.

I followed your instructions and executed all the steps. Please note that when I ran ComboFix, I was told that there is a newer version and was asked if I wanted to download the new version. Fearing that it was interference from the malware, I clicked "No", and then ComboFix started to run.

ComboFix deleted the two malicious DLLs I mentioned, which is great. However, it also deleted a third DLL named svbmecjn.dll in the System32 folder. After ComboFix rebooted my PC and Windows XP started up, I got a RUNDLL warning message saying there was an error loading svbmecjn.dll.

Please note that, during the entire process, I have never run Internet Explorer. I am posting this reply using another healthy PC.

Below are the logs. Thank you again for your help.

Marvin K.


== ComboFix Log ========================================

ComboFix 08-10-06.05 - Marvin 2008-10-07 21:08:20.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.950.1.1028.18.474 [GMT 8:00]
Running from: C:\Documents and Settings\Marvin\??\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Marvin\Application Data\inst.exe
C:\Documents and Settings\Nicolas\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\WINDOWS\BM135f41e4.txt
C:\WINDOWS\BM135f41e4.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\cbXQhHbx.dll
C:\WINDOWS\system32\iQprYJlm.ini
C:\WINDOWS\system32\iQprYJlm.ini2
C:\WINDOWS\system32\mlJYrpQi.dll
C:\WINDOWS\system32\svbmecjn.dll
.
((((((((((((((((((((((((( Files Created from 2008-09-07 to 2008-10-07 )))))))))))))))))))))))))))))))
.
2008-11-14 23:34 . 2008-11-14 23:34 <DIR> d-------- C:\Documents and Settings\Marvin\Application Data\Symantec
2008-11-14 23:32 . 2008-11-14 23:32 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-11-14 23:31 . 2007-12-27 21:47 <DIR> d-------- C:\Program Files\Norton Internet Security
2008-11-14 23:30 . 2008-06-03 15:04 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-11-14 23:30 . 2008-06-03 15:04 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-11-14 23:30 . 2008-06-03 15:04 10,671 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-11-14 23:30 . 2008-06-03 15:04 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-10-06 21:26 . 2008-10-06 22:57 1,006,671 --ahs---- C:\WINDOWS\system32\njcembvs.ini
2008-10-06 00:37 . 2008-10-06 01:12 <DIR> d-------- C:\Program Files\WiseCleaner
2008-10-05 11:35 . 2008-10-05 11:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-05 10:04 . 2008-10-05 21:33 1,006,407 --ahs---- C:\WINDOWS\system32\ncwloraq.ini
2008-10-04 14:36 . 2008-10-04 14:36 1,006,371 --ahs---- C:\WINDOWS\system32\lfeexhca.ini
2008-10-04 14:25 . 2008-10-04 14:27 104,178 --a------ C:\WINDOWS\system32\drivers\4f583d20.sys
2008-09-29 21:20 . 2002-12-29 01:14 81,920 --a------ C:\WINDOWS\system32\Startup.cpl
2008-09-17 17:29 . 2008-09-17 17:49 890 --a------ C:\WINDOWS\JuneM-07.ini
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-07 13:37 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-10-06 15:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-10-06 13:52 --------- d-----w C:\Documents and Settings\Melissa\Application Data\Skype
2008-09-29 12:12 --------- d-----w C:\Documents and Settings\Marvin\Application Data\Yahoo! KeyKey
2008-09-29 11:21 --------- d-----w C:\Documents and Settings\Melissa\Application Data\Yahoo! KeyKey
2008-09-25 12:40 --------- d-----w C:\Documents and Settings\Patrick\Application Data\Yahoo! KeyKey
2008-09-24 03:39 --------- d-----w C:\Documents and Settings\Nicolas\Application Data\Yahoo! KeyKey
2008-08-29 03:17 --------- d-----w C:\Documents and Settings\Patrick\Application Data\Apple Computer
2008-08-27 05:50 --------- d-----w C:\Documents and Settings\Melissa\Application Data\IDMComp
2008-08-27 03:13 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Yahoo! KeyKey
2008-08-22 01:43 --------- d-----w C:\Documents and Settings\Patrick\Application Data\Skype
2008-08-11 04:01 --------- d-----w C:\Documents and Settings\Patrick\Application Data\DivX
2008-08-10 14:34 --------- d-----w C:\Documents and Settings\Marvin\Application Data\safenetdrm
2008-08-10 14:33 --------- d-----w C:\Documents and Settings\Marvin\Application Data\CCTV
2008-08-10 14:30 --------- d-----w C:\Documents and Settings\Patrick\Application Data\CCTV
2008-08-10 06:46 --------- d-----w C:\Program Files\Yahoo!
2008-08-09 17:04 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-08-09 17:04 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2008-08-09 17:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nokia
2008-08-09 16:31 --------- d-----w C:\Program Files\Nokia
2008-08-09 16:29 --------- d-----w C:\Program Files\MSXML 6.0
2008-08-09 16:28 --------- d-----w C:\Program Files\Common Files\Nokia
2008-08-09 16:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-08-09 16:25 --------- d-----w C:\Documents and Settings\Patrick\Application Data\Datalayer
2008-08-09 16:25 --------- d-----w C:\Documents and Settings\Marvin\Application Data\Datalayer
2008-08-09 02:33 --------- d-----w C:\Documents and Settings\Melissa\Application Data\HP
2007-09-24 14:35 47,360 ----a-w C:\Documents and Settings\Marvin\Application Data\pcouffin.sys
2001-06-20 08:19 40,960 ----a-w C:\Program Files\ACMonitor_X83.exe
.
----a-w            57,344 2007-01-30 02:13:38  C:\Software\SIS\SignSiS .exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"CJIMETIPSYNC"="C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE" [2007-03-22 66400]
"PHIMETIPSYNC"="C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE" [2007-03-22 98656]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [2001-10-25 36864]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 221184]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-31 51048]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-25 714608]
"106c7278"="C:\WINDOWS\system32\svbmecjn.dll" [N/A]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 C:\WINDOWS\system32\HdAShCut.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"vidc.pmp4"= pv3decoder.dll
"vidc.MJPG"= pvmjpg21.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15355:TCP"= 15355:TCP:Foxy (192.168.11.128:15355) 15355 TCP
"15355:UDP"= 15355:UDP:Foxy (192.168.11.128:15355) 15355 UDP
R0 m5287;m5287;C:\WINDOWS\system32\drivers\m5287.sys [2005-02-05 85888]
R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-01-31 149864]
S1 4f583d20;4f583d20;C:\WINDOWS\system32\drivers\4f583d20.sys [2008-10-04 104178]
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;C:\WINDOWS\system32\Drivers\usbscan.sys [2004-08-03 15104]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
S3 EZUSB;EZUSB PC/SC Smart Card Reader;C:\WINDOWS\system32\DRIVERS\ezusb.sys [2004-09-23 57356]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;C:\WINDOWS\system32\drivers\nmwcdnsu.sys [2008-02-01 138112]
S3 nmwcdnsuc;Nokia USB Flashing Generic;C:\WINDOWS\system32\drivers\nmwcdnsuc.sys [2008-02-01 8320]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{390a3e7a-5f9c-11dc-8db7-00142a76c331}]
\Shell\AutoRun\command - F:\2y8la.exe
\Shell\explore\Command - F:\2y8la.exe
\Shell\open\Command - F:\2y8la.exe
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
BHO-{4C856140-C149-4AFA-8CDD-782A82A02B1D} - C:\WINDOWS\system32\mlJYrpQi.dll
BHO-{EA5FB64B-1CA5-4939-A93A-9E76234B0A67} - C:\WINDOWS\system32\cbXQhHbx.dll
ShellExecuteHooks-{EA5FB64B-1CA5-4939-A93A-9E76234B0A67} - C:\WINDOWS\system32\cbXQhHbx.dll
Notify-WgaLogon - (no file)

.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = about:blank
O15 -: Trusted Zone: *.webmail.hinet.net
O15 -: Trusted Zone: webmail.hinet.net
O16 -: {0B891305-3BF4-11D6-939C-001060501170} - hxxps://ebank.taipeifubon.com.tw/ibank/component/ICCard/ICReader.cab
C:\WINDOWS\Downloaded Program Files\ICReader.inf
C:\WINDOWS\system32\SVCAPI.dll
C:\WINDOWS\system32\IFDAPI.dll
C:\WINDOWS\system32\GPAPI.dll
C:\WINDOWS\system32\FISCAPI.dll
C:\WINDOWS\system32\XCsp.ocx
O16 -: {300FD990-15D4-41A4-A7DE-C1ECB8D7371F} - hxxps://ebill.ba.org.tw/CPP/Download/Everyone/ATMCard.cab
C:\WINDOWS\Downloaded Program Files\ATMCard.inf
C:\WINDOWS\Downloaded Program Files\ATMCard.dll
O16 -: {5FFA5501-B770-4301-8FAD-D87DECE0AC62} - hxxps://eatm.booc.com.tw/eATM-jsfile/jsfile/BOOCATM.cab
C:\WINDOWS\Downloaded Program Files\BOOCATM.inf
O16 -: {88B8A9C7-10A1-4535-8EEB-0D875349E5B8} - hxxps://ekey.fbs.com.tw/cab/axekey.cab
C:\WINDOWS\Downloaded Program Files\axekey.inf
C:\WINDOWS\Downloaded Program Files\cryptoki.dll
C:\WINDOWS\Downloaded Program Files\taica.dll
C:\WINDOWS\Downloaded Program Files\pkns32.dll
C:\WINDOWS\Downloaded Program Files\axekey.dll
O16 -: {8E1D16E3-37B1-48B8-862E-9D646FC0C8FF} - hxxps://ebank.taipeifubon.com.tw/ibank/component/ICCard/TFBWebATM.cab
C:\WINDOWS\Downloaded Program Files\TFBWebATM.inf
C:\WINDOWS\system32\TfbCrypt.dll
C:\WINDOWS\Downloaded Program Files\TFBWebATM.ocx
O16 -: {8F566902-147A-450F-A492-357155B73836} - hxxps://ekey.fbs.com.tw/cab/getdir.cab
C:\WINDOWS\Downloaded Program Files\getdir.inf
C:\WINDOWS\Downloaded Program Files\getdir.dll
O16 -: {A8C1E502-4FCF-4AF2-ADDB-ABF540CA5BA7} - hxxp://webcam.www.gov.tw/block/xVideoShow.cab
C:\WINDOWS\Downloaded Program Files\xVideoShow.inf
C:\WINDOWS\Downloaded Program Files\xVideoShow.OCX
O16 -: {AC414988-E5BB-4C2C-873B-EA53D2F3D23A} - hxxp://t.live.cctv.com/ieocx/CCTVUpdateInstall.dll
C:\WINDOWS\Downloaded Program Files\CCTVUpdateInstall.dll
O16 -: {C7DEAFF2-1DEB-4647-9631-43C09BB8CEC6} - hxxp://webcam.www.gov.tw/block/DVSTools.cab
C:\WINDOWS\Downloaded Program Files\DVSTools.inf
C:\WINDOWS\Downloaded Program Files\DVSTools.OCX
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-07 21:42:21
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\scardsvr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-10-07 21:46:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-07 13:46:35
Pre-Run: 194,015,510,528 bytes free
Post-Run: 198,253,121,536 bytes free
220 --- E O F --- 2008-09-11 19:02:51



== HijackThis Log ========================================

Logfile of HijackThis v1.99.1
Scan saved at 下午 09:49:23, on 2008/10/7
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Logitech\Video\AlbumDB2.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Tmp\Tmp5\HijackThis.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: 顯示 Norton 工具列 - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [106c7278] rundll32.exe "C:\WINDOWS\system32\svbmecjn.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.webmail.hinet.net
O15 - Trusted Zone: webmail.hinet.net
O16 - DPF: {0B891305-3BF4-11D6-939C-001060501170} (XCsp Control) - https://ebank.taipeifubon.com.tw/iba...d/ICReader.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {300FD990-15D4-41A4-A7DE-C1ECB8D7371F} (ATMC Class) - https://ebill.ba.org.tw/CPP/Download...ne/ATMCard.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/ZH-TW/.../GAME_UNO1.cab
O16 - DPF: {5FFA5501-B770-4301-8FAD-D87DECE0AC62} (BOOCATM Control) - https://eatm.booc.com.tw/eATM-jsfile/jsfile/BOOCATM.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1187964098375
O16 - DPF: {88B8A9C7-10A1-4535-8EEB-0D875349E5B8} (SendOrder Class) - https://ekey.fbs.com.tw/cab/axekey.cab
O16 - DPF: {8E1D16E3-37B1-48B8-862E-9D646FC0C8FF} (TFBWebATM Control) - https://ebank.taipeifubon.com.tw/iba.../TFBWebATM.cab
O16 - DPF: {8F566902-147A-450F-A492-357155B73836} (DirObj Class) - https://ekey.fbs.com.tw/cab/getdir.cab
O16 - DPF: {A8C1E502-4FCF-4AF2-ADDB-ABF540CA5BA7} (XVideoShow Control) - http://webcam.www.gov.tw/block/xVideoShow.cab
O16 - DPF: {AC414988-E5BB-4C2C-873B-EA53D2F3D23A} (CCTVUpdateInstall) - http://t.live.cctv.com/ieocx/CCTVUpdateInstall.dll
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {C7DEAFF2-1DEB-4647-9631-43C09BB8CEC6} (DVSTools Control) - http://webcam.www.gov.tw/block/DVSTools.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: 自動 LiveUpdate 排程器 (Automatic LiveUpdate Scheduler) - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod 服務 (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
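The symptoms in the first post (random-named DLLs launched through rundll32 from the Run key) and the ComboFix "Reg Loading Points" section above (Security Center notifications disabled, EnableFirewall set to 0, an AutoRun command on a removable drive) are exactly the lines a reviewer reads first. The triage script below is an added example, not part of this thread or of the HijackThis/ComboFix tools; its sample lines are constructed from the logs above and the random-name test is a heuristic, not a signature.

```python
import re

# Constructed samples modelled on the HijackThis and ComboFix logs posted in this
# thread (not the full logs); backslashes are literal because the strings are raw.
HJT_SAMPLE = r"""O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [106c7278] rundll32.exe "C:\WINDOWS\system32\svbmecjn.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

COMBOFIX_SAMPLE = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-31 51048]
"106c7278"="C:\WINDOWS\system32\svbmecjn.dll" [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{390a3e7a-5f9c-11dc-8db7-00142a76c331}]
\Shell\AutoRun\command - F:\2y8la.exe
\Shell\open\Command - F:\2y8la.exe
"""

O4_RE = re.compile(r'^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?', re.IGNORECASE)
HEXNAME_RE = re.compile(r'^[0-9a-f]{8}$', re.IGNORECASE)
REG_KEY_RE = re.compile(r'^\[(?P<key>.+)\]$')
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<val>.*)$')
SHELL_CMD_RE = re.compile(r'^\\Shell\\(?P<verb>\w+)\\command - (?P<target>.+)$', re.IGNORECASE)
VOWELS = set('aeiouAEIOU')

# Security Center / firewall values and the setting malware wants them at.
TAMPER_VALUES = {
    'antivirusdisablenotify': 1, 'antivirusoverride': 1,
    'firewalldisablenotify': 1, 'firewalloverride': 1,
    'disablemonitoring': 1, 'enablefirewall': 0,
}


def looks_random(name):
    """Heuristic only: the droppers in this thread use 8-letter names with few
    vowels (cbXQhHbx, mlJYrpQi, svbmecjn). A hit is a prompt to look closer."""
    return len(name) == 8 and name.isalpha() and sum(c in VOWELS for c in name) <= 2


def flag_hjt_o4(line):
    """Return the reasons an O4 (autostart) HijackThis line deserves attention, or []."""
    m = O4_RE.match(line)
    if not m:
        return []
    reasons = []
    name, cmd = m.group('name'), m.group('cmd')
    dll = RUNDLL_RE.search(cmd)
    if dll:
        # rundll32 in a Run value is how the OP's DLLs were started at logon.
        reasons.append('rundll32 loads %s at logon' % dll.group('dll'))
        base = dll.group('dll').rsplit('\\', 1)[-1][:-4]
        if looks_random(base):
            reasons.append('DLL base name looks random')
    if HEXNAME_RE.match(name):
        reasons.append('value name %s is a random-looking hex string' % name)
    return reasons


def triage_hjt(text):
    """Return [(line, reasons)] for every O4 line that raised at least one flag."""
    return [(ln, flag_hjt_o4(ln)) for ln in text.splitlines() if flag_hjt_o4(ln)]


def parse_reg_number(raw):
    """ComboFix prints DWORDs as 'dword:00000001' or as '0 (0x0)'."""
    raw = raw.strip()
    if raw.lower().startswith('dword:'):
        return int(raw[6:], 16)
    tok = raw.split()[0] if raw else ''
    try:
        return int(tok, 0)
    except ValueError:
        return None


def flag_combofix_reg(text):
    """Walk the 'Reg Loading Points' section; return (key, item, why) findings."""
    findings, key = [], ''
    for line in text.splitlines():
        m = REG_KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        m = REG_VALUE_RE.match(line)
        if m:
            name = m.group('name').lower()
            if name in TAMPER_VALUES and parse_reg_number(m.group('val')) == TAMPER_VALUES[name]:
                findings.append((key, m.group('name'), 'security-center/firewall tampering'))
            elif key.lower().endswith('\\run') and '.dll' in m.group('val').lower():
                findings.append((key, m.group('name'), 'Run value points at a DLL, not an executable'))
            continue
        m = SHELL_CMD_RE.match(line)
        if m and 'mountpoints2' in key.lower():
            # MountPoints2 shell verbs make a removable drive launch a program on open.
            findings.append((key, m.group('verb'), 'removable-drive autorun launches ' + m.group('target')))
    return findings


if __name__ == '__main__':
    for line, why in triage_hjt(HJT_SAMPLE):
        print(line, '\n   ->', '; '.join(why))
    for key, item, why in flag_combofix_reg(COMBOFIX_SAMPLE):
        print('%s :: %s -> %s' % (key, item, why))
```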
Cheeseball81
Moderator & Malware Removal Specialist with 83,665 posts.
Join Date: Mar 2004
Location: Long Island, NY
Experience: Advanced
07-Oct-2008, 12:18 PM #4
Next step:

Please download Malwarebytes Anti-Malware and save it to your desktop. alternate download link 1 alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply with a new hijackthis log.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
Asterixx
Junior Member with 5 posts.
THREAD STARTER
Join Date: Oct 2008
Experience: Intermediate
08-Oct-2008, 11:51 AM #5
Hi Cheeseball81,

During Anti-Malware's scan process, I got a message that says: "An error occurred. Please report the following error code to the MalwareBytes' Anti-Malware support team. Error code: 731 (0, 6)". I clicked "OK" and the tool continued to run, found a dozen malwares, and removed them.

Here are the logs. Thank you.


== MalwareBytes' Log =====================
Malwarebytes' Anti-Malware 1.28
Database version: 1242
Windows 5.1.2600 Service Pack 2
2008/10/8 下午 11:38:06
mbam-log-2008-10-08 (23-38-06).txt
Scan type: Quick Scan
Objects scanned: 58991
Time elapsed: 6 minute(s), 22 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/atmcard.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{4af3fd8f-3350-48ac-9dc8-74dfb6a661bd} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{407652fc-4280-44d4-8b66-c48d95fe5797} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{300fd990-15d4-41a4-a7de-c1ecb8d7371f} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{300fd990-15d4-41a4-a7de-c1ecb8d7371f} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/tfbwebatm.ocx (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{8e8a77de-c6da-4b5c-8fa2-0728780ad7c9} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{23408c05-e9bc-4054-9538-fcd0ff6af031} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{29d84a21-89f5-4dde-adbc-b53b628364a7} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3f53390b-94cf-4723-bf11-128dbd23c7ee} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8e1d16e3-37b1-48b8-862e-9d646fc0c8ff} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8e1d16e3-37b1-48b8-862e-9d646fc0c8ff} (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\ WINDOWS\Downloaded Program Files\ATMCard.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\ WINDOWS\Downloaded Program Files\TFBWebATM.ocx (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\106c7278 (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\Downloaded Program Files\ATMCard.inf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\BOOCATM.inf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\TFBWebATM.inf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\TFBWebATM.ocx (Trojan.Agent) -> Quarantined and deleted successfully.


== HijackThis Log =========================
Logfile of HijackThis v1.99.1
Scan saved at 下午 11:45:42, on 2008/10/8
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Logitech\Video\AlbumDB2.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Tmp\Tmp5\HijackThis.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: 顯示 Norton 工具列 - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.webmail.hinet.net
O15 - Trusted Zone: webmail.hinet.net
O16 - DPF: {0B891305-3BF4-11D6-939C-001060501170} (XCsp Control) - https://ebank.taipeifubon.com.tw/iba...d/ICReader.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/ZH-TW/.../GAME_UNO1.cab
O16 - DPF: {5FFA5501-B770-4301-8FAD-D87DECE0AC62} (BOOCATM Control) - https://eatm.booc.com.tw/eATM-jsfile/jsfile/BOOCATM.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1187964098375
O16 - DPF: {88B8A9C7-10A1-4535-8EEB-0D875349E5B8} (SendOrder Class) - https://ekey.fbs.com.tw/cab/axekey.cab
O16 - DPF: {8F566902-147A-450F-A492-357155B73836} (DirObj Class) - https://ekey.fbs.com.tw/cab/getdir.cab
O16 - DPF: {A8C1E502-4FCF-4AF2-ADDB-ABF540CA5BA7} (XVideoShow Control) - http://webcam.www.gov.tw/block/xVideoShow.cab
O16 - DPF: {AC414988-E5BB-4C2C-873B-EA53D2F3D23A} (CCTVUpdateInstall) - http://t.live.cctv.com/ieocx/CCTVUpdateInstall.dll
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {C7DEAFF2-1DEB-4647-9631-43C09BB8CEC6} (DVSTools Control) - http://webcam.www.gov.tw/block/DVSTools.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: 自動 LiveUpdate 排程器 (Automatic LiveUpdate Scheduler) - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod 服務 (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
Cheeseball81
Moderator & Malware Removal Specialist with 83,665 posts.
Join Date: Mar 2004
Location: Long Island, NY
Experience: Advanced
08-Oct-2008, 03:34 PM #6
Open Notepad and copy and paste the text in the quote box below into it:

Quote:
File::
C:\WINDOWS\system32\njcembvs.ini
C:\WINDOWS\system32\ncwloraq.ini
C:\WINDOWS\system32\lfeexhca.ini

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

(screenshot not reproduced)

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Asterixx
Junior Member with 5 posts.
THREAD STARTER
Join Date: Oct 2008
Experience: Intermediate
09-Oct-2008, 11:25 AM #7
Hi Cheeseball81,

Done. Here are the logs.


== Combofix Log ==================================
ComboFix 08-10-08.05 - Marvin 2008-10-09 23:13:25.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.950.1.1028.18.499 [GMT 8:00]
Running from: C:\Documents and Settings\Marvin\??\ComboFix.exe
Command switches used :: C:\Documents and Settings\Marvin\??\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-09-09 to 2008-10-09 )))))))))))))))))))))))))))))))
.
2008-11-14 23:34 . 2008-11-14 23:34 <DIR> d-------- C:\Documents and Settings\Marvin\Application Data\Symantec
2008-11-14 23:32 . 2008-11-14 23:32 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-11-14 23:31 . 2007-12-27 21:47 <DIR> d-------- C:\Program Files\Norton Internet Security
2008-11-14 23:30 . 2008-06-03 15:04 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-11-14 23:30 . 2008-06-03 15:04 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-11-14 23:30 . 2008-06-03 15:04 10,671 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-11-14 23:30 . 2008-06-03 15:04 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-10-08 23:23 . 2008-10-08 23:30 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-08 23:23 . 2008-10-08 23:23 <DIR> d-------- C:\Documents and Settings\Marvin\Application Data\Malwarebytes
2008-10-08 23:23 . 2008-10-08 23:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-08 23:23 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-08 23:23 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-06 21:26 . 2008-10-06 22:57 1,006,671 --ahs---- C:\WINDOWS\system32\njcembvs.ini
2008-10-06 00:37 . 2008-10-06 01:12 <DIR> d-------- C:\Program Files\WiseCleaner
2008-10-05 11:35 . 2008-10-05 11:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-05 10:04 . 2008-10-05 21:33 1,006,407 --ahs---- C:\WINDOWS\system32\ncwloraq.ini
2008-10-04 14:36 . 2008-10-04 14:36 1,006,371 --ahs---- C:\WINDOWS\system32\lfeexhca.ini
2008-10-04 14:25 . 2008-10-04 14:27 104,178 --a------ C:\WINDOWS\system32\drivers\4f583d20.sys
2008-09-29 21:20 . 2002-12-29 01:14 81,920 --a------ C:\WINDOWS\system32\Startup.cpl
2008-09-17 17:29 . 2008-09-17 17:49 890 --a------ C:\WINDOWS\JuneM-07.ini
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-09 15:15 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-10-08 15:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-10-06 13:52 --------- d-----w C:\Documents and Settings\Melissa\Application Data\Skype
2008-09-29 12:12 --------- d-----w C:\Documents and Settings\Marvin\Application Data\Yahoo! KeyKey
2008-09-29 11:21 --------- d-----w C:\Documents and Settings\Melissa\Application Data\Yahoo! KeyKey
2008-09-25 12:40 --------- d-----w C:\Documents and Settings\Patrick\Application Data\Yahoo! KeyKey
2008-09-24 03:39 --------- d-----w C:\Documents and Settings\Nicolas\Application Data\Yahoo! KeyKey
2008-08-29 03:17 --------- d-----w C:\Documents and Settings\Patrick\Application Data\Apple Computer
2008-08-27 05:50 --------- d-----w C:\Documents and Settings\Melissa\Application Data\IDMComp
2008-08-27 03:13 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Yahoo! KeyKey
2008-08-22 01:43 --------- d-----w C:\Documents and Settings\Patrick\Application Data\Skype
2008-08-11 04:01 --------- d-----w C:\Documents and Settings\Patrick\Application Data\DivX
2008-08-10 14:34 --------- d-----w C:\Documents and Settings\Marvin\Application Data\safenetdrm
2008-08-10 14:33 --------- d-----w C:\Documents and Settings\Marvin\Application Data\CCTV
2008-08-10 14:30 --------- d-----w C:\Documents and Settings\Patrick\Application Data\CCTV
2008-08-10 06:46 --------- d-----w C:\Program Files\Yahoo!
2008-08-09 17:04 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-08-09 17:04 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2008-08-09 17:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nokia
2008-08-09 16:31 --------- d-----w C:\Program Files\Nokia
2008-08-09 16:29 --------- d-----w C:\Program Files\MSXML 6.0
2008-08-09 16:28 --------- d-----w C:\Program Files\Common Files\Nokia
2008-08-09 16:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-08-09 16:25 --------- d-----w C:\Documents and Settings\Patrick\Application Data\Datalayer
2008-08-09 16:25 --------- d-----w C:\Documents and Settings\Marvin\Application Data\Datalayer
2008-08-09 02:33 --------- d-----w C:\Documents and Settings\Melissa\Application Data\HP
2008-07-18 14:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 14:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 14:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 14:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 14:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 14:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 14:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 14:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 14:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 14:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2007-09-24 14:35 47,360 ----a-w C:\Documents and Settings\Marvin\Application Data\pcouffin.sys
2001-06-20 08:19 40,960 ----a-w C:\Program Files\ACMonitor_X83.exe
.
Code:
----a-w            57,344 2007-01-30 02:13:38  C:\Software\SIS\SignSiS .exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"CJIMETIPSYNC"="C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE" [2007-03-22 66400]
"PHIMETIPSYNC"="C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE" [2007-03-22 98656]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [2001-10-25 36864]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 221184]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-31 51048]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-25 714608]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 C:\WINDOWS\system32\HdAShCut.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"vidc.pmp4"= pv3decoder.dll
"vidc.MJPG"= pvmjpg21.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15355:TCP"= 15355:TCP:Foxy (192.168.11.128:15355) 15355 TCP
"15355:UDP"= 15355:UDP:Foxy (192.168.11.128:15355) 15355 UDP
R0 m5287;m5287;C:\WINDOWS\system32\drivers\m5287.sys [2005-02-05 85888]
R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-01-31 149864]
R3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
S1 4f583d20;4f583d20;C:\WINDOWS\system32\drivers\4f583d20.sys [2008-10-04 104178]
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;C:\WINDOWS\system32\Drivers\usbscan.sys [2004-08-03 15104]
S3 EZUSB;EZUSB PC/SC Smart Card Reader;C:\WINDOWS\system32\DRIVERS\ezusb.sys [2004-09-23 57356]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;C:\WINDOWS\system32\drivers\nmwcdnsu.sys [2008-02-01 138112]
S3 nmwcdnsuc;Nokia USB Flashing Generic;C:\WINDOWS\system32\drivers\nmwcdnsuc.sys [2008-02-01 8320]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{390a3e7a-5f9c-11dc-8db7-00142a76c331}]
\Shell\AutoRun\command - F:\2y8la.exe
\Shell\explore\Command - F:\2y8la.exe
\Shell\open\Command - F:\2y8la.exe
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-09 23:15:57
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

**************************************************************************
.
Completion time: 2008-10-09 23:16:51
ComboFix-quarantined-files.txt 2008-10-09 15:16:46
ComboFix2.txt 2008-10-07 13:46:42
Pre-Run: 198,332,387,328 bytes free
Post-Run: 198,322,507,776 bytes free
162 --- E O F --- 2008-09-11 19:02:51



== HijackThis Log ==================================
Logfile of HijackThis v1.99.1
Scan saved at 下午 11:21:03, on 2008/10/9
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Video\AlbumDB2.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Tmp\Tmp5\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: 顯示 Norton 工具列 - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.webmail.hinet.net
O15 - Trusted Zone: webmail.hinet.net
O16 - DPF: {0B891305-3BF4-11D6-939C-001060501170} (XCsp Control) - https://ebank.taipeifubon.com.tw/iba...d/ICReader.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/ZH-TW/.../GAME_UNO1.cab
O16 - DPF: {5FFA5501-B770-4301-8FAD-D87DECE0AC62} (BOOCATM Control) - https://eatm.booc.com.tw/eATM-jsfile/jsfile/BOOCATM.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1187964098375
O16 - DPF: {88B8A9C7-10A1-4535-8EEB-0D875349E5B8} (SendOrder Class) - https://ekey.fbs.com.tw/cab/axekey.cab
O16 - DPF: {8F566902-147A-450F-A492-357155B73836} (DirObj Class) - https://ekey.fbs.com.tw/cab/getdir.cab
O16 - DPF: {A8C1E502-4FCF-4AF2-ADDB-ABF540CA5BA7} (XVideoShow Control) - http://webcam.www.gov.tw/block/xVideoShow.cab
O16 - DPF: {AC414988-E5BB-4C2C-873B-EA53D2F3D23A} (CCTVUpdateInstall) - http://t.live.cctv.com/ieocx/CCTVUpdateInstall.dll
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {C7DEAFF2-1DEB-4647-9631-43C09BB8CEC6} (DVSTools Control) - http://webcam.www.gov.tw/block/DVSTools.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: 自動 LiveUpdate 排程器 (Automatic LiveUpdate Scheduler) - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod 服務 (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
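The ComboFix log in this post is the kind of output a malware-removal helper reads before writing a CFScript. The three .ini files named in the CFScript above are, in the "Files Created" section, the only hidden+system (--ahs----) files dropped directly into system32; the Security Center dump shows AntiVirusDisableNotify, AntiVirusOverride and DisableMonitoring set to 1; the standard-profile firewall policy has EnableFirewall = 0; and a MountPoints2 entry autoruns F:\2y8la.exe from a removable drive. The Python script below is an added example, not ComboFix's code and not the moderator's method: it parses a constructed sample in the shape of that log (the sample lines are copied from the log, and the four heuristics it applies are the author's own assumptions about what a first pass should surface) and reports those patterns as findings.

```python
"""Added example: a first-pass triage of ComboFix-style log lines.

This is not ComboFix's own code and not the moderator's method; the four
heuristics below are the author's assumptions about what a defender wants
surfaced from a log like the one posted above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the shape of the posted ComboFix log. The file,
# Security Center, firewall and MountPoints2 lines are copied from that log;
# the sample is otherwise illustrative and deliberately short.
SAMPLE_LOG = r"""
2008-11-14 23:34 . 2008-11-14 23:34 <DIR> d-------- C:\Documents and Settings\Marvin\Application Data\Symantec
2008-10-06 21:26 . 2008-10-06 22:57 1,006,671 --ahs---- C:\WINDOWS\system32\njcembvs.ini
2008-10-05 10:04 . 2008-10-05 21:33 1,006,407 --ahs---- C:\WINDOWS\system32\ncwloraq.ini
2008-10-04 14:36 . 2008-10-04 14:36 1,006,371 --ahs---- C:\WINDOWS\system32\lfeexhca.ini
2008-10-04 14:25 . 2008-10-04 14:27 104,178 --a------ C:\WINDOWS\system32\drivers\4f583d20.sys
2008-09-29 21:20 . 2002-12-29 01:14 81,920 --a------ C:\WINDOWS\system32\Startup.cpl
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{390a3e7a-5f9c-11dc-8db7-00142a76c331}]
\Shell\AutoRun\command - F:\2y8la.exe
\Shell\explore\Command - F:\2y8la.exe
\Shell\open\Command - F:\2y8la.exe
"""

# "created . modified size attrs path" lines of the "Files Created" section;
# directories carry <DIR> instead of a size. The Find3M section uses a
# different layout and is deliberately not parsed here.
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?:[\d,]+|<DIR>) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)
REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>.*)$')
AUTORUN_CMD = re.compile(r"^\\Shell\\\w+\\[Cc]ommand - (?P<target>.+)$")

# Windows XP Security Center values that silence or override its warnings when
# set to 1; the first three appear in the posted log.
SECURITY_CENTER_OVERRIDES = {
    "AntiVirusDisableNotify", "AntiVirusOverride", "DisableMonitoring",
    "FirewallDisableNotify", "FirewallOverride", "UpdatesDisableNotify",
}


@dataclass(frozen=True)
class Finding:
    category: str
    detail: str


def in_system32_root(path: str) -> bool:
    """True when the file sits directly in \\WINDOWS\\system32, not a subfolder."""
    parent = path.lower().rpartition("\\")[0]
    return parent.endswith("\\windows\\system32")


def triage(log_text: str) -> list[Finding]:
    """Return findings in first-seen order, with exact duplicates collapsed."""
    findings: list[Finding] = []
    seen: set[Finding] = set()
    current_key = ""

    def add(category: str, detail: str) -> None:
        finding = Finding(category, detail)
        if finding not in seen:
            seen.add(finding)
            findings.append(finding)

    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := FILE_LINE.match(line):
            # Hidden + system attributes on a file dropped straight into
            # system32 is the pattern of the three .ini files in the CFScript.
            if "h" in m["attrs"] and "s" in m["attrs"] and in_system32_root(m["path"]):
                add("hidden-system-file", m["path"])
        elif m := REG_KEY.match(line):
            current_key = m["key"].lower()
        elif m := REG_VALUE.match(line):
            name, value = m["name"], m["value"].strip()
            if ("security center" in current_key and name in SECURITY_CENTER_OVERRIDES
                    and value.endswith("00000001")):
                add("security-center-override", f"{name} in [{current_key}]")
            elif ("firewallpolicy" in current_key and name == "EnableFirewall"
                    and value.startswith("0")):
                add("firewall-disabled", current_key)
        elif (m := AUTORUN_CMD.match(line)) and "mountpoints2" in current_key:
            # Autorun handlers under MountPoints2 run a binary from removable media.
            add("removable-media-autorun", m["target"])
    return findings


def count_by_category(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for finding in findings:
        counts[finding.category] = counts.get(finding.category, 0) + 1
    return counts


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.category:26} {finding.detail}")
```

Run against the full log rather than the sample, it surfaces the same eight findings plus nothing else from the Find3M section, which it does not parse; a real triage pass would add checks for the R/S driver lines (the 4f583d20.sys entry in the log) and for services whose binary is reported "file missing", both visible in the logs above but left out here to keep the example to one pattern per section.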
Cheeseball81
Moderator & Malware Removal Specialist with 83,665 posts.
Join Date: Mar 2004
Location: Long Island, NY
Experience: Advanced
09-Oct-2008, 11:30 AM #8
How are things now?
Asterixx
Junior Member with 5 posts.
THREAD STARTER
Join Date: Oct 2008
Experience: Intermediate
10-Oct-2008, 01:53 AM #9
Everything looks fine now. I guess my problem is now solved. Shall I click on "Mark Solved"?

I'd like to let you know how much I'm grateful for your help, Cheeseball81. You guys are great.

Marvin K.
Cheeseball81
Moderator & Malware Removal Specialist with 83,665 posts.
Join Date: Mar 2004
Location: Long Island, NY
Experience: Advanced
10-Oct-2008, 12:48 PM #10
Yes
You're welcome