Please help me out with my comp! :(

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Please help me out with my comp! :(

Post by beyondconception » September 21st, 2008, 2:35 am

I don't know what I should do now :/

Log from:
Logfile of Trend Micro HijackThis v2.0.2 :x
Scan saved at 14:34: VIRUS ALERT!, on 2008-9-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\360Safebox\SafeBoxTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\StormII\stormliv.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\WatchData\Watchdata CCB CSP v3.2\WDKeyMonitorCCB.exe
F:\cl\HiJackThis.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Maxthon2\Maxthon.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Internet Explorer\iexplore.exe

O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O2 - BHO: QXK Olive - {8B93A89B-7332-4B4B-830C-72EB6323D0DB} - C:\WINDOWS\vmgspntbvlw.dll
O3 - Toolbar: fqbewlna - {32678B97-2C98-4D22-A8F6-55C35572E946} - C:\WINDOWS\fqbewlna.dll
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [360Safebox] "C:\Program Files\360Safebox\SafeBoxTray.exe" /r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: 使用迅雷下载 - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{F80BF475-FC52-4DEC-AEA2-DBD6C485A9E6}: NameServer = 210.22.70.3
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O21 - SSODL: mgxfebsq - {CCE60A1B-EB41-4F37-B207-6704E2BEBB05} - C:\WINDOWS\mgxfebsq.dll
O21 - SSODL: dtseqrxk - {E8391A92-FEE7-4DF4-BD7F-D39A31D37AAC} - C:\WINDOWS\dtseqrxk.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: 卡巴斯基反病毒软件6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Contrl Center of Storm Media (ccosm) - 北京暴风网际科技有限公司 - C:\Program Files\StormII\stormliv.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: WatchData ccb V3.2 (WDMonitorCCB) - Beijing WatchData System Co., Ltd. - C:\WINDOWS\system32\WatchData\Watchdata CCB CSP v3.2\WDKeyMonitorCCB.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 3521 bytes





Log from:-
Malwarebytes' Anti-Malware 1.28
Database version: 1134
Windows 5.1.2600 Service Pack 2

2008-9-21 14:31:41
mbam-log-2008-09-21 (14-31-36).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 102991
Time elapsed: 15 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 18
Registry Values Infected: 4
Registry Data Items Infected: 16
Folders Infected: 3
Files Infected: 31

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\dtseqrxk.dll (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\mgxfebsq.dll (Trojan.FakeAlert) -> No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{e8391a92-fee7-4df4-bd7f-d39a31d37aac} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{1602adb5-58df-43bd-a3e4-3947a9be174d} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{a86c8f0e-1e00-48d0-b7ba-0167a7b7e003} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{32678b97-2c98-4d22-a8f6-55c35572e946} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{288a8d1d-6cec-4064-ad78-04d31d5b6213} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{b68e00cc-072b-40d5-95a4-b6dff98ab3c2} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{cce60a1b-eb41-4f37-b207-6704e2bebb05} (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\webvideo (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{cb367c75-6190-4ce0-a255-7c1199f0358e} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{2f9b1a90-1e69-41eb-ad33-6202aad9a554} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{3a412635-30fd-42d0-a704-c9493be88b9c} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{8b93a89b-7332-4b4b-830c-72eb6323d0db} (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8b93a89b-7332-4b4b-830c-72eb6323d0db} (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\fqbewlna.bemv (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\fqbewlna.toolbar.1 (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{889d2feb-5411-4565-8998-1dd2c5261283} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{889d2feb-5411-4565-8998-1dd2c5261283} (Trojan.BHO) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0\source (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\dtseqrxk (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{32678b97-2c98-4d22-a8f6-55c35572e946} (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\mgxfebsq (Trojan.FakeAlert) -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (http://softwarereferral.com/jump.php?wm ... Ojg5&lid=2) Good: (http://www.google.com/) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId (Trojan.FakeAlert) -> Bad: (VIRUS ALERT!) Good: (55661-640-3033732-23029) -> No action taken.
HKEY_CURRENT_USER\Control Panel\International\sTimeFormat (Trojan.FakeAlert) -> Bad: (HH:mm: VIRUS ALERT!) Good: (H:mm:ss) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMorePrograms (Hijack.StartMenu) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives (Hijack.Drives) -> Bad: (12) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize (Hijack.Explorer) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders (Hijack.Explorer) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
C:\WINDOWS\privacy_danger (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\privacy_danger\images (Trojan.FakeAlert) -> No action taken.
C:\Program Files\PCHealthCenter (Trojan.Fakealert) -> No action taken.

Files Infected:
C:\Program Files\360safe\修复工具.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\privacy_danger\index.htm (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\privacy_danger\images\capt.gif (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\privacy_danger\images\danger.jpg (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\privacy_danger\images\down.gif (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\privacy_danger\images\spacer.gif (Trojan.FakeAlert) -> No action taken.
C:\Program Files\PCHealthCenter\0.exe (Trojan.Fakealert) -> No action taken.
C:\Program Files\PCHealthCenter\1.exe (Trojan.Fakealert) -> No action taken.
C:\Program Files\PCHealthCenter\2.exe (Trojan.Fakealert) -> No action taken.
C:\Program Files\PCHealthCenter\3.exe (Trojan.Fakealert) -> No action taken.
C:\Program Files\PCHealthCenter\4.exe (Trojan.Fakealert) -> No action taken.
C:\Program Files\PCHealthCenter\5.exe (Trojan.Fakealert) -> No action taken.
C:\Program Files\PCHealthCenter\7.exe (Trojan.Fakealert) -> No action taken.
C:\Program Files\PCHealthCenter\0.gif (Trojan.Fakealert) -> No action taken.
C:\Program Files\PCHealthCenter\1.gif (Trojan.Fakealert) -> No action taken.
C:\Program Files\PCHealthCenter\2.gif (Trojan.Fakealert) -> No action taken.
C:\Program Files\PCHealthCenter\3.gif (Trojan.Fakealert) -> No action taken.
C:\Program Files\PCHealthCenter\sc.html (Trojan.Fakealert) -> No action taken.
C:\Program Files\PCHealthCenter\1.ico (Trojan.Fakealert) -> No action taken.
C:\Program Files\PCHealthCenter\2.ico (Trojan.Fakealert) -> No action taken.
C:\WINDOWS\system32\Dt2hlKaf.exe.a_a (Trojan.Agent) -> No action taken.
C:\WINDOWS\dtseqrxk.dll (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\fqbewlna.dll (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\mgxfebsq.dll (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\mqgldfvo.exe (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\vmgspntbvlw.dll (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\new\Local Settings\Temp\lwpwer.exe (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\new\桌面\Spyware&Malware Protection.url (Rogue.Link) -> No action taken.
C:\Documents and Settings\new\桌面\Privacy Protector.url (Rogue.Link) -> No action taken.
C:\Documents and Settings\new\桌面\Error Cleaner.url (Rogue.Link) -> No action taken.
C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll (Trojan.BHO) -> No actio
beyondconception
Active Member
 
Posts: 6
Joined: September 21st, 2008, 2:23 am
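The two logs above show the pattern a helper looks for first: eight-letter, vowel-poor file names dropped directly into C:\WINDOWS and loaded through BHO, toolbar and ShellServiceObjectDelayLoad entries, an O7 policy that disables regedit, and an Active Desktop component served from a local HTML file. As an added example that is not part of the thread and not HijackThis code, the following Python script parses HijackThis "O" lines and flags exactly those indicators; the sample lines are copied from the log above, and the heuristic thresholds (eight or more letters, fewer than 35% vowels) and the known-good list are my own assumptions.

```python
"""Triage a HijackThis v2 log for FakeAlert-style startup indicators.

Added example: the heuristics and the KNOWN_ROOT_FILES list are assumptions,
not HijackThis behaviour. SAMPLE_LOG is copied from the thread's first log.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O2 - BHO: QXK Olive - {8B93A89B-7332-4B4B-830C-72EB6323D0DB} - C:\WINDOWS\vmgspntbvlw.dll
O3 - Toolbar: fqbewlna - {32678B97-2C98-4D22-A8F6-55C35572E946} - C:\WINDOWS\fqbewlna.dll
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O21 - SSODL: mgxfebsq - {CCE60A1B-EB41-4F37-B207-6704E2BEBB05} - C:\WINDOWS\mgxfebsq.dll
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""


@dataclass
class Finding:
    code: str      # HijackThis section code, e.g. "O21"
    severity: str  # "high" or "medium"
    reason: str
    line: str


# A file sitting directly in the Windows directory (no sub-folder).
WINDIR_ROOT = re.compile(r"^[a-z]:\\windows\\([^\\]+)$", re.I)
# First Windows path in a line; non-greedy so it stops at the first extension.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\r\n]*?\.(?:dll|exe|html?)\b", re.I)
# Legitimate files that live in the Windows root and must not be flagged (assumed list).
KNOWN_ROOT_FILES = {"explorer.exe", "notepad.exe", "regedit.exe",
                    "hh.exe", "winhlp32.exe", "twain_32.dll"}


def looks_random(stem: str) -> bool:
    """Eight or more lowercase letters with few vowels: the dropped-file naming seen in the log."""
    if len(stem) < 8 or not (stem.isalpha() and stem.islower()):
        return False
    vowels = sum(ch in "aeiou" for ch in stem)
    return vowels / len(stem) < 0.35


def suspicious_windir_file(path: str) -> bool:
    """True for a random-looking, non-allowlisted file directly under C:\\WINDOWS."""
    m = WINDIR_ROOT.match(path)
    if not m:
        return False
    name = m.group(1).lower()
    if name in KNOWN_ROOT_FILES:
        return False
    return looks_random(name.rsplit(".", 1)[0])


def triage(log_text: str) -> list[Finding]:
    """Return the O-lines that match the indicators, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = re.match(r"(O\d+) - ", line)
        if not m:
            continue
        code = m.group(1)
        path_m = PATH_RE.search(line)
        path = path_m.group(0) if path_m else ""
        if code in {"O2", "O3", "O4", "O21"} and suspicious_windir_file(path):
            findings.append(Finding(code, "high",
                                    f"random-named file in Windows root loaded at startup: {path}", line))
        elif code == "O7":
            findings.append(Finding(code, "medium",
                                    "user policy restriction (regedit/task manager style lockout)", line))
        elif code == "O24" and "file:///" in line.lower():
            findings.append(Finding(code, "high",
                                    f"Active Desktop component served from a local HTML file: {path}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.code}: {f.reason}")
```

The vowel-ratio test is deliberately crude; it is there to catch the machine-generated names, and the allowlist exists because a few legitimate files (explorer.exe among them) do live in the Windows root. Anything this script flags still needs the usual confirmation (publisher, hash, multi-engine scan) before it is treated as malicious.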

Re: Please help me out with my comp! :(

Post by mz30 » September 21st, 2008, 11:07 am

Hi
I'm Mz30
I will be helping you with your malware issues.
I am currently reviewing your hjt log and will post back soon with instructions.
As I am still in training, everything that I post to you must be checked by an Admin or Moderator. Therefore there could be a delay between posts, but it shouldn't be too long.

  • The fixes I post are for fixing your issues only and by no means should be used on another computer.
  • Continue to respond to this thread until I give you the All Clean, as even if you appear clean the chances are you are not.
  • Please bookmark or favourite this page, in case you need it as reference.
  • Please remember that all the staff here are volunteers and help in our free time, and you will sometimes have to wait for a reply.

    Important
  • Please do not attempt to remove anything or fix anything unless I ask. This includes running any sort of anti-virus/spyware programs, as they may make things harder to remove.
mz30
Regular Member
 
Posts: 1683
Joined: June 23rd, 2007, 9:39 am
Location: liverpool

Re: Please help me out with my comp! :(

Post by mz30 » September 21st, 2008, 1:56 pm

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
mz30
Regular Member
 
Posts: 1683
Joined: June 23rd, 2007, 9:39 am
Location: liverpool

Re: Please help me out with my comp! :(

Post by beyondconception » September 21st, 2008, 6:03 pm

Hi Mz30 thank you so much for helping me out.
Here is the report.txt as you requested.

SDFix: Version 1.227
Run by new on ??? 2008-09-22 at 05:55

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\DOCUME~1\new\LOCALS~1\Temp\sfsrv.exe.bat - Deleted
C:\DOCUME~1\new\LOCALS~1\Temp\windfr.exe.bat - Deleted
C:\DOCUME~1\new\LOCALS~1\Temp\lwpwer.exe.bat - Deleted
C:\DOCUME~1\new\LOCALS~1\Temp\tmp3.tmp - Deleted
C:\DOCUME~1\new\LOCALS~1\Temp\tmp3.tmp - Deleted
C:\DOCUME~1\new\LOCALS~1\Temp\tmp17.tmp - Deleted
C:\DOCUME~1\new\LOCALS~1\Temp\tmp3E.tmp - Deleted
C:\DOCUME~1\new\LOCALS~1\Temp\tmp12.tmp - Deleted
C:\DOCUME~1\new\LOCALS~1\Temp\tmp39.tmp - Deleted
C:\DOCUME~1\new\LOCALS~1\Temp\tmp42.tmp - Deleted
C:\DOCUME~1\new\LOCALS~1\Temp\tmp19.tmp - Deleted
C:\DOCUME~1\new\LOCALS~1\Temp\tmp1B.tmp - Deleted
C:\WINDOWS\system32\x.exe - Deleted
C:\DOCUME~1\new\LOCALS~1\Temp\sfsrv.exe - Deleted
C:\WINDOWS\system32\xp.exe - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-22 05:58:06
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\StormII\\Storm.exe"="C:\\Program Files\\StormII\\Storm.exe:*:Enabled:暴风影音"
"C:\\Program Files\\StormII\\stormliv.exe"="C:\\Program Files\\StormII\\stormliv.exe:*:Enabled:暴风影音媒体控制中心"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Tencent\\qq\\QQ.exe"="C:\\Program Files\\Tencent\\qq\\QQ.exe:*:Enabled:QQ"
"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0\\AVP.EXE"="C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0\\AVP.EXE:*:Disabled:Kaspersky Anti-Virus"
"C:\\Program Files\\QvodPlayer\\QvodTerminal.exe"="C:\\Program Files\\QvodPlayer\\QvodTerminal.exe:*:Enabled:QVOD"
"C:\\Program Files\\Thunder Network\\Thunder\\Program\\Thunder5.exe"="C:\\Program Files\\Thunder Network\\Thunder\\Program\\Thunder5.exe:*:Enabled:Thunder"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 5 May 2001 94,292 ..SHR --- "C:\COMMAND.COM"
Sun 21 Sep 2008 2,516 A.SH. --- "C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys"
Wed 17 Sep 2008 8 ..SHR --- "C:\Documents and Settings\All Users\Application Data\C6771782F6.sys"
Tue 15 Nov 2005 78,104 ..SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\Setup.exe"
Mon 28 Nov 2005 16,384 A.SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\_Setup.dll"
Fri 25 Nov 2005 12,880 A.SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\_Setupx.dll"
Sat 20 Sep 2008 2,516 A.SH. --- "C:\System Volume Information\_restore{4A868894-65BC-436D-BE76-14D2EF42B7AA}\RP3\A0000084.sys"
Sun 21 Sep 2008 2,516 A.SH. --- "C:\System Volume Information\_restore{4A868894-65BC-436D-BE76-14D2EF42B7AA}\RP3\A0001106.sys"

Finished!
beyondconception
Active Member
 
Posts: 6
Joined: September 21st, 2008, 2:23 am


Re: Please help me out with my comp! :(

Post by mz30 » September 21st, 2008, 8:08 pm

Hi, could you please post a fresh HJT log? Also, could you keep all your responses in this topic.

Thanks
mz30
Regular Member
 
Posts: 1683
Joined: June 23rd, 2007, 9:39 am
Location: liverpool

Re: Please help me out with my comp! :(

Post by beyondconception » September 22nd, 2008, 12:42 am

Alright. Here is my new HJT.
Please advise. Thanks.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:42:09, on 2008-9-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\360Safebox\SafeBoxTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\StormII\stormliv.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\WatchData\Watchdata CCB CSP v3.2\WDKeyMonitorCCB.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
d:\download\CorelDRAW Graphics Suite X4\PROGRAMS\CORELDRW.EXE
C:\WINDOWS\system32\8xc5KvO6.exe
C:\Program Files\Thunder Network\Thunder\Program\Thunder5.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\program files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Adobe\Adobe Dreamweaver CS3\Dreamweaver.exe
C:\Program Files\Adobe\Adobe Help Viewer\1.1\ahv.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
F:\cl\HiJackThis.exe

O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [360Safebox] "C:\Program Files\360Safebox\SafeBoxTray.exe" /r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: 使用迅雷下载 - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{F80BF475-FC52-4DEC-AEA2-DBD6C485A9E6}: NameServer = 210.22.70.3
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: 卡巴斯基反病毒软件6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Contrl Center of Storm Media (ccosm) - 北京暴风网际科技有限公司 - C:\Program Files\StormII\stormliv.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: WatchData ccb V3.2 (WDMonitorCCB) - Beijing WatchData System Co., Ltd. - C:\WINDOWS\system32\WatchData\Watchdata CCB CSP v3.2\WDKeyMonitorCCB.exe
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 3298 bytes
beyondconception
Active Member
 
Posts: 6
Joined: September 21st, 2008, 2:23 am

Re: Please help me out with my comp! :(

Post by mz30 » September 22nd, 2008, 6:05 am

Optional fix
These are restrictions, set either by you using software like Spybot Search & Destroy, SpywareBlaster or another similar protection program, or by your system administrator.
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

If you have not set it, please follow the instructions below.


Open up HijackThis.
Click on Do a system scan only.
Place a checkmark next to these lines (if still present).

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

Then close all windows except HijackThis and click Fix Checked.
Close HijackThis.

-------------------------------------

Go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab
Select any instances of "Privacy Protection" you find in there and press the delete button on the right. Hit ok below > apply in previous window.


---------------------------
Upload a File to Jotti
Please visit http://virusscan.jotti.org/

Copy/paste this file and path into the white box at the top:
C:\WINDOWS\system32\8xc5KvO6.exe

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the results in your next response.


-----------------------------------


Run Kaspersky Online AV Scanner
Note: Internet Explorer should be used.

Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan and then put the kettle on!
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place like your Desktop. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.
mz30
Regular Member
 
Posts: 1683
Joined: June 23rd, 2007, 9:39 am
Location: liverpool
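The restrictions mz30 mentions are the same kind of Explorer and System policy values that Malwarebytes listed under "Registry Data Items Infected" in the first log, each with a Bad and a Good value. As an added example that is not part of the thread and not Malwarebytes code, this Python script parses those lines and writes the Good values out as a .reg file, so the restore is an explicit, reviewable artifact rather than a series of manual registry edits. The sample lines are copied from the log above; the function names, the DWORD-versus-string rule (digits only means DWORD) and the output file name are my own assumptions.

```python
"""Turn Malwarebytes 'Registry Data Items Infected' lines into a .reg restore file.

Added example: SAMPLE_MBAM is copied from the thread's Malwarebytes log; the
parsing, the type rule and the file name are assumptions, not MBAM behaviour.
"""
import re
from dataclasses import dataclass

SAMPLE_MBAM = r"""
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (http://softwarereferral.com/jump.php?wm ... Ojg5&lid=2) Good: (http://www.google.com/) -> No action taken.
HKEY_CURRENT_USER\Control Panel\International\sTimeFormat (Trojan.FakeAlert) -> Bad: (HH:mm: VIRUS ALERT!) Good: (H:mm:ss) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives (Hijack.Drives) -> Bad: (12) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize (Hijack.Explorer) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.
"""

# One MBAM data-item line: <key\value> (<detection>) -> Bad: (<bad>) Good: (<good>) -> <action>
LINE_RE = re.compile(
    r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> "
    r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.+)$"
)


@dataclass
class DataItem:
    key: str         # registry key, e.g. HKEY_CURRENT_USER\...\Policies\System
    value_name: str  # value under that key, e.g. DisableTaskMgr
    detection: str
    bad: str
    good: str


def parse_data_items(text: str) -> list[DataItem]:
    """Extract every Bad/Good data item; other log lines are ignored."""
    items: list[DataItem] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # The value name is the last path component; everything before it is the key.
        key, _, name = m.group("path").rpartition("\\")
        items.append(DataItem(key, name, m.group("detection"), m.group("bad"), m.group("good")))
    return items


def reg_value(good: str) -> str:
    """Render a Good value in .reg syntax: all-digit values as DWORD, others as strings."""
    if good.isdigit():
        return f"dword:{int(good):08x}"
    escaped = good.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def to_reg(items: list[DataItem]) -> str:
    """Group items by key and emit a Registry Editor 5.00 file restoring the Good values."""
    by_key: dict[str, list[DataItem]] = {}
    for item in items:
        by_key.setdefault(item.key, []).append(item)
    out = ["Windows Registry Editor Version 5.00", ""]
    for key, vals in by_key.items():
        out.append(f"[{key}]")
        for item in vals:
            out.append(f'"{item.value_name}"={reg_value(item.good)}')
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    restore = to_reg(parse_data_items(SAMPLE_MBAM))
    print(restore)
    # regedit expects a BOM-prefixed Unicode file for the 5.00 format (assumed output name).
    with open("restore_policies.reg", "w", encoding="utf-16") as fh:
        fh.write(restore)
```

Review the generated file before importing it, and only apply it once the components that set the policies (the SSODL and BHO DLLs flagged in the same log) are gone; otherwise the restrictions would simply be re-applied at the next logon.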

Re: Please help me out with my comp! :(

Post by beyondconception » September 22nd, 2008, 3:45 pm

File: 8xc5KvO6.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 31c7e2e422fec6432c60391db7050737
Packers detected: -

Scanner results
Scan taken on 22 Sep 2008 19:42:49 (GMT)
A-Squared Found nothing
AntiVir Found TR/Crypt.ULPM.Gen
ArcaVir Found nothing
Avast Found Win32:Trojan-gen {Other}
AVG Antivirus Found nothing
BitDefender Found Trojan.Adclicker.HB
ClamAV Found nothing
CPsecure Found Troj.W32.Agent.wro
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Trojan-Downloader.Win32.Agent.ahdb
Ikarus Found Trojan.Adclicker.HB
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Agent.ahdb
NOD32 Found a variant of Win32/TrojanClicker.Agent.NEB
Norman Virus Control Found nothing
Panda Antivirus Found Generic
Sophos Antivirus Found Mal/HckPk-A
VirusBuster Found nothing
VBA32 Found Win32.Trojan-Downloader (probable variant)

------------------------------------------

Tuesday, September 23, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, September 22, 2008 13:53:54
Records in database: 1250477


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\
E:\
F:\
G:\

Scan statistics
Files scanned 73316
Threat name 9
Infected objects 30
Suspicious objects 0
Duration of the scan 01:16:21

File name Threat name Threats count
C:\WINDOWS\system32\eXCk5V5f.dll/C:\WINDOWS\system32\eXCk5V5f.dll Infected: Trojan-Downloader.Win32.BHO.pe 1

8xc5KvO6.exe\8xc5KvO6.exe/8xc5KvO6.exe\8xc5KvO6.exe Infected: Trojan-Downloader.Win32.Agent.ahdb 1

C:\WINDOWS\system32\8xc5KvO6.exe/C:\WINDOWS\system32\8xc5KvO6.exe Infected: Trojan-Downloader.Win32.Agent.ahdb 1

C:\WINDOWS\system32\YUR267.exe Infected: Backdoor.Win32.Frauder.fb 1

C:\WINDOWS\system32\YUR268.exe Infected: Backdoor.Win32.Frauder.fb 1

C:\WINDOWS\system32\8xc5KvO6.exe Infected: Trojan-Downloader.Win32.Agent.ahdb 1

C:\WINDOWS\system32\YUR269.exe Infected: Backdoor.Win32.Frauder.fb 1

C:\WINDOWS\system32\8xc5KvO6.exe_ Infected: Trojan-Downloader.Win32.Agent.ahdb 1

C:\WINDOWS\system32\eXCk5V5f.dll Infected: Trojan-Downloader.Win32.BHO.pe 1

C:\WINDOWS\快速关机.exe Infected: not-a-virus:RiskTool.Win32.Shutdown.c 1

C:\Program Files\MicroAV\MicroAV.cpl Infected: not-a-virus:FraudTool.Win32.UltimateAntivirus.cp 1

C:\Program Files\MicroAV\MicroAV.exe Infected: not-a-virus:FraudTool.Win32.SpywarePreventer.y 1

C:\System Volume Information\_restore{4A868894-65BC-436D-BE76-14D2EF42B7AA}\RP3\A0002083.exe Infected: Backdoor.Win32.Frauder.fb 1

C:\System Volume Information\_restore{4A868894-65BC-436D-BE76-14D2EF42B7AA}\RP3\A0002084.exe Infected: Backdoor.Win32.Frauder.fb 1

C:\System Volume Information\_restore{4A868894-65BC-436D-BE76-14D2EF42B7AA}\RP3\A0002085.exe Infected: Backdoor.Win32.Frauder.fb 1

C:\System Volume Information\_restore{4A868894-65BC-436D-BE76-14D2EF42B7AA}\RP3\A0002086.exe Infected: Backdoor.Win32.Frauder.fb 1

C:\System Volume Information\_restore{4A868894-65BC-436D-BE76-14D2EF42B7AA}\RP3\A0002087.exe Infected: Backdoor.Win32.Frauder.fb 1

C:\System Volume Information\_restore{4A868894-65BC-436D-BE76-14D2EF42B7AA}\RP3\A0002088.exe Infected: not-a-virus:FraudTool.Win32.UltimateAntivirus.cp 1

C:\System Volume Information\_restore{4A868894-65BC-436D-BE76-14D2EF42B7AA}\RP3\A0002088.exe Infected: not-a-virus:FraudTool.Win32.SpywarePreventer.y 1

C:\System Volume Information\_restore{4A868894-65BC-436D-BE76-14D2EF42B7AA}\RP3\A0002089.exe Infected: Backdoor.Win32.Frauder.fb 1

C:\System Volume Information\_restore{4A868894-65BC-436D-BE76-14D2EF42B7AA}\RP3\A0002099.sys Infected: Hoax.Win32.Agent.fu 1

C:\System Volume Information\_restore{4A868894-65BC-436D-BE76-14D2EF42B7AA}\RP3\A0002110.exe Infected: Trojan-Downloader.Win32.Agent.ahdb 1

C:\System Volume Information\_restore{4A868894-65BC-436D-BE76-14D2EF42B7AA}\RP4\A0002112.exe Infected: Trojan-Downloader.Win32.Agent.ahdb 1

C:\System Volume Information\_restore{4A868894-65BC-436D-BE76-14D2EF42B7AA}\RP4\A0002121.exe Infected: Trojan-Downloader.Win32.Agent.ahdb 1

C:\System Volume Information\_restore{4A868894-65BC-436D-BE76-14D2EF42B7AA}\RP4\A0002193.exe Infected: Trojan-Downloader.Win32.Agent.ahdb 1

C:\System Volume Information\_restore{4A868894-65BC-436D-BE76-14D2EF42B7AA}\RP4\A0003151.exe Infected: Trojan-Downloader.Win32.Agent.ahdb 1

C:\System Volume Information\_restore{4A868894-65BC-436D-BE76-14D2EF42B7AA}\RP5\A0003214.exe Infected: Trojan-Downloader.Win32.Agent.ahdb 1

C:\System Volume Information\_restore{4A868894-65BC-436D-BE76-14D2EF42B7AA}\RP7\A0003295.exe Infected: Trojan-Downloader.Win32.Agent.ahdb 1

C:\Ghost\reboot.exe Infected: Trojan-Dropper.Win32.Agent.tsb 1

D:\soft\music_kwun1053.exe.td Infected: not-a-virus:Downloader.Win32.SwiftCleaner.d 1

The selected area was scanned.

-----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:39:42, on 2008-9-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\StormII\stormliv.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\WatchData\Watchdata CCB CSP v3.2\WDKeyMonitorCCB.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\8xc5KvO6.exe
c:\program files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Adobe\Adobe Dreamweaver CS3\Dreamweaver.exe
C:\Program Files\Thunder Network\Thunder\Program\Thunder5.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Maxthon2\Maxthon.exe
F:\cl\HiJackThis.exe

O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O2 - BHO: solution Class - {99C6D1BB-7555-474C-91DA-D8FB62A9CC75} - C:\WINDOWS\system32\eXCk5V5f.dll
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [360Safebox] "C:\Program Files\360Safebox\SafeBoxTray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: 使用迅雷下载 - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 控制台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{F80BF475-FC52-4DEC-AEA2-DBD6C485A9E6}: NameServer = 210.22.70.3
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: 卡巴斯基反病毒软件6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Contrl Center of Storm Media (ccosm) - 北京暴风网际科技有限公司 - C:\Program Files\StormII\stormliv.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: WatchData ccb V3.2 (WDMonitorCCB) - Beijing WatchData System Co., Ltd. - C:\WINDOWS\system32\WatchData\Watchdata CCB CSP v3.2\WDKeyMonitorCCB.exe

--
End of file - 3551 bytes
beyondconception
Active Member
 
Posts: 6
Joined: September 21st, 2008, 2:23 am
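
The triage a helper does on a post like this is to cross-reference the scanner report with the HijackThis log: which flagged files are actually loaded (Running processes), registered as a BHO (O2) or set to autostart (O4), and whether any detection is a Backdoor. The script below is an added example written for this thread, not a tool from the forum or from the scanners; its sample input is a short excerpt of the two logs posted above, and its line-matching rules (KAV_LINE, WIN_PATH) are assumptions about those two formats.

```python
import re
from collections import defaultdict

# Excerpts copied from the Kaspersky report and HijackThis log posted above
# (the first report line shows Kaspersky's "outer/inner" form for a container hit).
KAV_REPORT = r"""
C:\WINDOWS\system32\eXCk5V5f.dll/C:\WINDOWS\system32\eXCk5V5f.dll Infected: Trojan-Downloader.Win32.BHO.pe 1
C:\WINDOWS\system32\8xc5KvO6.exe Infected: Trojan-Downloader.Win32.Agent.ahdb 1
C:\WINDOWS\system32\YUR267.exe Infected: Backdoor.Win32.Frauder.fb 1
C:\Program Files\MicroAV\MicroAV.exe Infected: not-a-virus:FraudTool.Win32.SpywarePreventer.y 1
C:\WINDOWS\快速关机.exe Infected: not-a-virus:RiskTool.Win32.Shutdown.c 1
"""
HJT_LOG = r"""
Running processes:
C:\WINDOWS\system32\8xc5KvO6.exe
C:\Program Files\Internet Explorer\iexplore.exe

O2 - BHO: solution Class - {99C6D1BB-7555-474C-91DA-D8FB62A9CC75} - C:\WINDOWS\system32\eXCk5V5f.dll
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{F80BF475-FC52-4DEC-AEA2-DBD6C485A9E6}: NameServer = 210.22.70.3
"""
# Assumed line shapes: "<path> Infected: <name> <count>" and any "X:\...\name.ext" token.
KAV_LINE = re.compile(r"^(.+?) Infected: (\S+) \d+$")
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"\[\]]+?\.(?:exe|dll|sys|cpl)\b', re.IGNORECASE)

def parse_kav_report(text):
    """Map each flagged path (lower-cased) to its Kaspersky detection name."""
    hits = {}
    for line in text.splitlines():
        m = KAV_LINE.match(line.strip())
        if m:
            path, name = m.groups()
            hits[path.split("/")[-1].lower()] = name   # keep inner path of outer/inner
    return hits

def hjt_paths(text):
    """Map every executable path in an HJT log to the log lines that name it."""
    where = defaultdict(list)
    for line in text.splitlines():
        for p in WIN_PATH.findall(line):
            where[p.lower()].append(line.strip())
    return where

def correlate(kav, hjt):
    """Per flagged file: threat family plus the HJT lines showing it loaded or autostarting."""
    return {path: {"detection": name,
                   "family": name.split(":")[-1].split(".")[0],  # Backdoor, FraudTool, ...
                   "active_in": hjt.get(path, [])} for path, name in kav.items()}

def has_backdoor(kav):
    """The finding behind the helper's advice: any Backdoor.* detection at all."""
    return any(name.startswith("Backdoor.") for name in kav.values())
```

Files that Kaspersky flagged but that have no HJT line (YUR267.exe here) are still on disk; the correlation only shows what was active at the time of the log, which is why a single scan report is not evidence of a clean system.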

Re: Please help me out with my comp! :(

Unread postby mz30 » September 22nd, 2008, 4:05 pm

Your computer has multiple infections, including a backdoor. A backdoor gives intruders complete control of your computer, logs your keystrokes, steals personal information, etc.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can attempt to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.
mz30
Regular Member
 
Posts: 1683
Joined: June 23rd, 2007, 9:39 am
Location: liverpool

Re: Please help me out with my comp! :(

Unread postby beyondconception » September 22nd, 2008, 4:23 pm

If I'm designing my website now at the moment, will the hackers get to do anything to it?
I don't know what I should do now. If I have to format my comp, I don't have a disc drive. Is there any way for me to format without the disc drive?
beyondconception
Active Member
 
Posts: 6
Joined: September 21st, 2008, 2:23 am

Re: Please help me out with my comp! :(

Unread postby mz30 » September 23rd, 2008, 4:10 am

Hi beyondconception,

Unfortunately, the infection you have allows the hackers to take complete control of your computer and anything you do with said computer.

You will need your XP installation disc and a functioning disc drive to complete a re-format; however, in some special cases you can get a downloadable disc image from the MSDN/TechNet service, but only if you're a customer. Also, if it is a drive you are missing, you may be able to buy or borrow an external disc drive which will do the job.


Sorry for the bad news.
mz30
Regular Member
 
Posts: 1683
Joined: June 23rd, 2007, 9:39 am
Location: liverpool

Re: Please help me out with my comp! :(

Unread postby Shaba » September 28th, 2008, 6:54 am

Due to Lack of Response this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland