
Solved System Hijacked

Discussion in 'Malware and Virus Removal Archive' started by zhshqzyc, 2010/03/15.

  1. 2010/03/15
    zhshqzyc

    [Resolved] System Hijacked

    Hi, my system is Windows XP SP2.
    Today the screen suddenly displayed a lot of worm and spyware information from XP Internet 2010 Security's scanning. It said something about the system being hijacked. Because it was too expensive, I didn't buy it.
    However, after I restarted the machine, the nightmare came.

    I can't access the internet, even in Safe Mode with Networking. When I click any application, the system asks me to open it with an application program.

    I tried to install Trend's HijackThis but failed because it asked me to open it with an app.
    Of course, running Malwarebytes in Safe Mode was still unsuccessful.

    So I could not generate a log file.

    Could you please give me an idea?


    Appreciated. :(
     
  2. 2010/03/15
    crunchie

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right-click Rkill and choose Run as Administrator.

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.pif
    * Rkill.exe

    * Double-click on the Rkill desktop icon to run the tool.
    * If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    * A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    * If not, delete the file, then download and use the one provided in Link 2.
    * If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    * Do not reboot until instructed.
    * If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run then try to immediately run the following.

    Now download and run exeHelper.

    * Please download exeHelper from Raktor to your desktop.
    * Double-click on exeHelper.com to run the fix.
    * A black window should pop up, press any key to close once the fix is completed.
    * A log file named log.txt will be created in the directory where you ran exeHelper.com
    * Attach the log.txt file to your next message.

    Note: If the window shows a message that says "Error deleting file ", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

    ====

    Now, try and run Malwarebytes immediately. If successful, post the log.
     


  4. 2010/03/16
    zhshqzyc

    Rkill ran successfully.
    The log from exeHelper is:
    Code:
    exeHelper by Raktor
    Build 20091220
    Run at 09:31:00 on 03/16/10
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--
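A read-only audit of the locations exeHelper's log says it reset, written as an added example for this thread (it is not exeHelper's code or anything posted by the participants): it compares the .exe/.com associations, the Winlogon Userinit/Shell values, the three Security Center notify flags from the MBAM log and the firewall switch from the ComboFix log against the Windows XP defaults listed in the script. It assumes PowerShell 2.0 or later on the affected machine and modifies nothing.

```powershell
# Added example, not from the thread: read-only audit of the registry locations that
# exeHelper's log says it reset (.exe/.com associations, Userinit, Shell) plus the
# Security Center and firewall values flagged in the MBAM/ComboFix logs, compared with
# the Windows XP defaults below. Assumes PowerShell 2.0+; nothing is modified.

$expected = @(
    # Path, value name ('(default)' = the key's default value), expected value on a clean XP box.
    @{ Path = 'HKLM:\SOFTWARE\Classes\.exe';                       Name = '(default)'; Expect = 'exefile' },
    @{ Path = 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command'; Name = '(default)'; Expect = '"%1" %*' },
    @{ Path = 'HKLM:\SOFTWARE\Classes\.com';                       Name = '(default)'; Expect = 'comfile' },
    @{ Path = 'HKLM:\SOFTWARE\Classes\comfile\shell\open\command'; Name = '(default)'; Expect = '"%1" %*' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Userinit'; Expect = "$env:SystemRoot\system32\userinit.exe," },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell';    Expect = 'Explorer.exe' },
    # The three values MBAM reported as Disabled.SecurityCenter should be 0 (or absent).
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'AntiVirusDisableNotify'; Expect = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'FirewallDisableNotify';  Expect = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'UpdatesDisableNotify';   Expect = 0 },
    # ComboFix showed EnableFirewall = 0 under the standard profile; the default is 1.
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'; Name = 'EnableFirewall'; Expect = 1 }
)

# Per-user class keys override HKCR for that user and do not exist on a default install,
# so their mere presence is worth a look when every .exe opens with the "Open With" dialog.
$mustNotExist = @(
    'HKCU:\SOFTWARE\Classes\.exe',
    'HKCU:\SOFTWARE\Classes\exefile',
    'HKCU:\SOFTWARE\Classes\.com'
)

function Get-RegValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $props = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return $props.$Name          # works for '(default)' as well as named values
}

function Test-ShellAssociations {
    $findings = @()
    foreach ($c in $expected) {
        $actual = Get-RegValue -Path $c.Path -Name $c.Name
        if ($null -eq $actual) {
            # A missing *DisableNotify flag is fine (absent = not disabled); anything else missing is not.
            if ($c.Name -notlike '*DisableNotify') {
                $findings += "MISSING  $($c.Path)\$($c.Name)  (expected '$($c.Expect)')"
            }
        }
        elseif ([string]$actual -ne [string]$c.Expect) {   # -ne on strings is case-insensitive
            $findings += "CHANGED  $($c.Path)\$($c.Name)  = '$actual'  (expected '$($c.Expect)')"
        }
    }
    foreach ($k in $mustNotExist) {
        if (Test-Path -LiteralPath $k) {
            $findings += "UNEXPECTED KEY  $k  (per-user override of the system association)"
        }
    }
    return $findings
}

$result = @(Test-ShellAssociations)
if ($result.Count -eq 0) {
    Write-Output 'No deviation from the XP defaults found.'
} else {
    $result | ForEach-Object { Write-Output $_ }
}
```

Run it once before the fix tools and once after, and the two outputs show what the tools actually reset.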
    
    
    
     
  5. 2010/03/16
    zhshqzyc

    One thing I forgot: before I restarted the machine, I did run SUPERAntiSpyware and killed some spyware, and I ran a McAfee full scan, which found nothing. But when I restarted it, I could not start any program.

    Now I am running Malwarebytes; it takes time.
     
    Last edited: 2010/03/16
  6. 2010/03/16
    zhshqzyc

    Okay. Thanks for the help.
    The log file:
    Malwarebytes' Anti-Malware 1.44
    Database version: 3840
    Windows 5.1.2600 Service Pack 2 (Safe Mode)
    Internet Explorer 8.0.6001.18702

    3/16/2010 9:57:23 AM
    mbam-log-2010-03-16 (09-57-12).txt

    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 221868
    Time elapsed: 20 minute(s), 19 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 3
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Documents and Settings\hzhao\Application Data\avdrn.dat (Malware.Trace) -> No action taken.
     
    Last edited by a moderator: 2010/03/16
  7. 2010/03/16
    crunchie

    Did you take no action, or did you remove what was found by MBA-M? Also, MBA-M should be run in normal mode for it to be completely effective.
    Please do not use code tags :).


    Please download ComboFix by sUBs from HERE or HERE
    • You must download it to and run it from your Desktop
    • Physically disconnect from the internet.
    • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    • Double click combofix.exe & follow the prompts.
    • When finished, it will produce a log. Please save that log to post in your next reply.
    • Re-enable all the programs that were disabled during the running of ComboFix.

    Note:
    Do not mouse-click combofix's window while it is running. That may cause it to stall.

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Run Combofix ONCE only!!
     
    Last edited: 2010/03/16
  8. 2010/03/16
    zhshqzyc

    Yes, I took action. I removed the errors found by MBA-M.
    In normal mode, I used MBA-M and SUPERAntiSpyware to scan the computer again. Nothing was found. Perhaps it is already clean??

    Anyway, please look at the logs. I don't know why McAfee was still active; I disabled it.

    ComboFix 10-03-16.01 - hzhao 03/16/2010 17:38:59.6.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.817 [GMT -4:00]
    Running from: c:\documents and settings\hzhao\Desktop\ComboFix.exe
    AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
    AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\hzhao\Local Settings\Application Data\mtg.exe
    c:\windows\eSellerateEngine.dll
    c:\windows\system32\NTIRIPPER.dll
    c:\windows\system32\uxbqs.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_AUYNAKW
    -------\Service_auynakw


    ((((((((((((((((((((((((( Files Created from 2010-02-16 to 2010-03-16 )))))))))))))))))))))))))))))))
    .

    2010-03-16 19:02 . 2010-03-16 19:02 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2010-03-16 03:16 . 2010-03-16 03:16 -------- d-----w- c:\documents and settings\hzhao.SNTINC\Application Data\Malwarebytes
    2010-03-15 15:03 . 2010-03-15 15:04 -------- d-----w- c:\documents and settings\hzhao\Application Data\Notepad++
    2010-03-15 15:03 . 2010-03-15 15:03 -------- d-----w- c:\program files\Notepad++
    2010-03-15 14:35 . 2010-03-15 14:35 2217968 ----a-w- c:\documents and settings\hzhao\Application Data\Google\Google Pinyin 2\pinyin-2.2.11.69\GooglePinyinUpdater.exe
    2010-03-03 00:06 . 2010-03-03 00:06 -------- d-----w- c:\program files\Windows Live SkyDrive
    2010-03-01 15:03 . 2010-03-01 15:03 -------- d-----w- c:\documents and settings\hzhao\Local Settings\Application Data\Temp
    2010-02-23 18:03 . 2010-02-23 18:03 52224 ----a-w- c:\documents and settings\hzhao\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-02-23 18:03 . 2010-03-16 17:34 117760 ----a-w- c:\documents and settings\hzhao\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-02-23 18:02 . 2010-02-23 18:02 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-02-23 18:02 . 2010-03-16 15:50 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-02-23 18:02 . 2010-02-23 18:02 -------- d-----w- c:\documents and settings\hzhao\Application Data\SUPERAntiSpyware.com
    2010-02-19 16:16 . 2010-02-19 16:16 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2010-02-19 16:15 . 2010-02-19 16:15 -------- d-----w- c:\documents and settings\hzhao\Local Settings\Application Data\NOS
    2010-02-19 16:15 . 2010-02-19 16:15 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
    2010-02-19 16:15 . 2010-02-19 16:15 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
    2010-02-19 16:15 . 2010-02-19 16:15 -------- d-----w- c:\program files\NOS
    2010-02-18 18:42 . 2010-02-18 18:42 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
    2010-02-18 18:42 . 2010-02-18 19:00 -------- d-----w- c:\program files\NCH Software
    2010-02-18 18:41 . 2010-02-18 18:41 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
    2010-02-18 18:41 . 2010-02-18 18:41 -------- d-----w- c:\documents and settings\hzhao\Application Data\NCH Swift Sound

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-16 19:14 . 2008-05-09 14:28 165232 ---ha-w- c:\documents and settings\hzhao\Application Data\Microsoft\Virtual PC\VPCKeyboard.dll
    2010-03-16 12:51 . 2008-03-17 05:20 141333 ----a-w- c:\windows\system32\nvModes.dat
    2010-03-15 13:50 . 2009-11-16 18:37 -------- d-----w- c:\program files\RegCure
    2010-03-03 21:32 . 2009-11-17 16:05 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
    2010-03-01 14:15 . 2008-03-17 05:35 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-02-24 14:16 . 2009-10-07 13:40 181632 ------w- c:\windows\system32\MpSigStub.exe
    2010-02-23 16:30 . 2009-12-21 18:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-02-19 21:58 . 2009-11-16 18:37 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure
    2010-02-19 19:53 . 2009-10-07 13:38 -------- d-----w- c:\program files\Microsoft Security Essentials
    2010-02-11 18:56 . 2010-02-11 18:55 -------- d-----w- c:\program files\MP4 Player
    2010-02-02 16:58 . 2008-03-17 05:41 -------- d-----w- c:\program files\Google
    2010-02-01 19:50 . 2009-09-28 13:19 165232 ---ha-w- c:\documents and settings\hzhao.SNTINC\Application Data\Microsoft\Virtual PC\VPCKeyboard.dll
    2010-01-29 18:13 . 2008-12-02 21:23 -------- d-----w- c:\documents and settings\hzhao\Application Data\U3
    2010-01-29 16:45 . 2008-04-30 20:30 -------- d-----w- c:\documents and settings\hzhao\Application Data\Template
    2010-01-29 16:08 . 2010-01-29 16:08 -------- d-----w- c:\documents and settings\hzhao\Application Data\adma
    2010-01-22 21:44 . 2009-04-20 23:26 428864 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    2010-01-07 21:07 . 2009-12-21 18:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-07 21:07 . 2009-12-21 18:21 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-01-04 16:24 . 2009-10-23 19:29 108920 ----a-w- c:\documents and settings\hzhao\g2ax_customer_downloadhelper_win32_x86.exe
    2008-09-29 13:07 . 2010-01-13 20:19 22576 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
    2008-03-17 05:35 . 2008-03-17 05:35 76 --sh--r- c:\windows\CT4CET.bin
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg "= "c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-17 68856]
    "MP4 Player "= "c:\program files\MP4 Player\mp4Player.exe" [2007-09-19 639488]
    "SUPERAntiSpyware "= "c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-18 2012912]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint "= "c:\program files\DellTPad\Apoint.exe" [2007-09-24 159744]
    "NVHotkey "= "nvHotkey.dll" [2007-09-24 67584]
    "NvMediaCenter "= "NvMCTray.dll" [2007-09-24 81920]
    "OEM02Mon.exe "= "c:\windows\OEM02Mon.exe" [2007-08-28 36864]
    "Broadcom Wireless Manager UI "= "c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
    "DELL Webcam Manager "= "c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
    "IMJPMIG8.1 "= "c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "IMEKRMIG6.1 "= "c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
    "MSPY2002 "= "c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
    "PHIME2002ASync "= "c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PHIME2002A "= "c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "SunJavaUpdateSched "= "c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "KADxMain "= "c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2007-09-24 8466432]
    "dellsupportcenter "= "c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
    "dscactivate "= "c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-09 16384]
    "Google Pinyin 2 Autoupdater "= "c:\program files\Google\Google Pinyin 2\GooglePinyinDaemon.exe" [2010-03-15 1193456]
    "McAfeeUpdaterUI "= "c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]
    "ShStatEXE "= "c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-09-29 124240]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting "= "c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableCAD "= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @= "Service "

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride "=dword:00000001
    "FirewallOverride "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)
    "DisableNotifications "= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe "=
    "c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe "=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "10421:UDP "= 10421:UDP:SingleClick Discovery Protocol
    "10426:UDP "= 10426:UDP:SingleClick ICC
    "1329:TCP "= 1329:TCP:WWW

    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
    R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [9/29/2008 9:07 AM 19456]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [1/13/2010 4:19 PM 67904]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
    S1 SABKUTIL;SABKUTIL;\??\c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys --> c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/2/2010 12:58 PM 135664]
    S2 ReportServer$SQLEXPRESS;SQL Server Reporting Services (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL.2\Reporting Services\ReportServer\bin\ReportingServicesService.exe [4/14/2006 9:59 AM 14624]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [1/13/2010 4:19 PM 64432]
    S3 N;N;\??\c:\program files\NewTech Infosystems\NTI Ripper\ --> c:\program files\NewTech Infosystems\NTI Ripper\ [?]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2010-03-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 16:57]

    2010-03-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 16:57]

    2010-03-16 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-07-02 21:36]

    2010-02-25 c:\windows\Tasks\ParetoLogic Registration3.job
    - c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2009-08-28 21:15]

    2009-12-10 c:\windows\Tasks\ParetoLogic Update Version3.job
    - c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2009-08-28 21:15]

    2010-03-16 c:\windows\Tasks\User_Feed_Synchronization-{6596A426-0E85-4E14-B178-92AE59C87500}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]

    2010-03-16 c:\windows\Tasks\User_Feed_Synchronization-{8A8D337B-D9DB-46F8-859E-FCF79288FA00}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.msn.com
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    DPF: {41F841C1-AE16-11D5-8817-0050DA6EF5E5} - hxxps://www.acsenterprisesystem.com/CAB%20and%20license%20files/SPR32X60.cab
    FF - ProfilePath - c:\documents and settings\hzhao\Application Data\Mozilla\Firefox\Profiles\b4kenezu.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
    FF - component: c:\documents and settings\hzhao\Application Data\Mozilla\Firefox\Profiles\b4kenezu.default\extensions\{D02B1E87-A8C6-433f-9B5C-2CEC4A072736}\components\susfox3.dll
    FF - component: c:\program files\Mozilla Firefox\components\Scriptff.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll
    .
    - - - - ORPHANS REMOVED - - - -

    ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
    Notify-dimsntfy - (no file)



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-03-16 17:47
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N]
    "ImagePath "= "\??\c:\program files\NewTech Infosystems\NTI Ripper\ "
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\úWcwYe^yf[.*M*y*N*S*H*a*n*d*l*e*r*\Clsid]
    @= "{E8CFC029-8420-4EAE-ADEF-915BDC77E1DC} "
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1328)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\WININET.dll

    - - - - - - - > 'explorer.exe'(2376)
    c:\windows\system32\WININET.dll
    c:\windows\system32\msi.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Microsoft Security Essentials\MsMpEng.exe
    c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    c:\windows\System32\WLTRYSVC.EXE
    c:\windows\System32\bcmwltry.exe
    c:\program files\Dell Network Assistant\hnm_svc.exe
    c:\windows\system32\inetsrv\inetinfo.exe
    c:\program files\McAfee\Common Framework\FrameworkService.exe
    c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    c:\program files\McAfee\Common Framework\naPrdMgr.exe
    c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\locator.exe
    c:\program files\Dell Support Center\bin\sprtsvc.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    c:\windows\system32\STacSV.exe
    c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
    c:\program files\McAfee\VirusScan Enterprise\mfeann.exe
    c:\windows\system32\rundll32.exe
    c:\windows\system32\RunDLL32.exe
    c:\program files\DellTPad\ApMsgFwd.exe
    c:\program files\DellTPad\HidFind.exe
    c:\program files\DellTPad\Apntex.exe
    c:\program files\McAfee\Common Framework\McTray.exe
    c:\program files\Google\Google Pinyin 2\GooglePinyinService.exe
    .
    **************************************************************************
    .
    Completion time: 2010-03-16 17:51:26 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-03-16 21:51
    ComboFix2.txt 2009-07-11 22:02
    ComboFix3.txt 2009-07-11 13:15
    ComboFix4.txt 2009-07-11 02:27

    Pre-Run: 18,047,238,144 bytes free
    Post-Run: 17,981,509,632 bytes free

    - - End Of File - - FA68643F8E30B259FD290873C810AA35



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:57:23 PM, on 3/16/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Dell Network Assistant\hnm_svc.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    C:\WINDOWS\system32\mfevtps.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\system32\STacSV.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    C:\Program Files\DellTPad\Apoint.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\RunDLL32.exe
    C:\WINDOWS\OEM02Mon.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\DellTPad\ApMsgFwd.exe
    C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
    C:\Program Files\DellTPad\HidFind.exe
    C:\Program Files\DellTPad\Apntex.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\WINDOWS\system32\KADxMain.exe
    C:\Program Files\Dell Support Center\bin\sprtcmd.exe
    C:\Program Files\Google\Google Pinyin 2\GooglePinyinDaemon.exe
    C:\Program Files\McAfee\Common Framework\udaterui.exe
    C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\MP4 Player\mp4Player.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\Program Files\Google\Google Pinyin 2\GooglePinyinService.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080317
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
    O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
    O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [OEM02Mon.exe] C:\WINDOWS\OEM02Mon.exe
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe "
    O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
    O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe "
    O4 - HKLM\..\Run: [Google Pinyin 2 Autoupdater] "C:\Program Files\Google\Google Pinyin 2\GooglePinyinDaemon.exe "
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe "
    O4 - HKCU\..\Run: [MP4 Player] "C:\Program Files\MP4 Player\mp4Player.exe" hmw
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {41F841C1-AE16-11D5-8817-0050DA6EF5E5} (FarPoint Spread 6.0) - https://www.acsenterprisesystem.com/CAB and license files/SPR32X60.cab
    O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1206723978061
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sntinc.local
    O17 - HKLM\Software\..\Telephony: DomainName = sntinc.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sntinc.local
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
    O23 - Service: McAfee Engine Service (McAfeeEngineService) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 10564 bytes
     
  9. 2010/03/16
    crunchie

    crunchie Inactive

    Joined:
    2010/01/12
    Messages:
    982
    Likes Received:
    5
    I see that ComboFix has been run 6 times. Have you run it before? Did you have problems with it running this time?

    Go to C:\qoobox and locate all combofix.txt files and post them please.



    How are things now with the pc?
     
    Last edited: 2010/03/16
  10. 2010/03/16
    zhshqzyc

    zhshqzyc Inactive Thread Starter

    Joined:
    2008/12/15
    Messages:
    140
    Likes Received:
    0
    Oops.
    I recalled that last year I used ComboFix several times. That is the reason it was run more than once.

    CFScript_used_2009-07-11_17.57.33.txt ----- 7/11/2009
    CombFix2.txt ----- 7/11/2009
    CombFix3.txt ----- 7/11/2009
    CombFix4.txt ----- 7/10/2009
    ComboFix-quarantine-files.txt ------3/16/2010
    Do I have to post all of them?
    For today's run, here is the log in ComboFix-quarantine-files.txt:

    2010-03-16 21:50:38 . 2010-03-16 21:50:38 270 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Notify-dimsntfy.reg.dat
    2010-03-16 21:50:37 . 2010-03-16 21:50:37 146 ----a-w- C:\Qoobox\Quarantine\Registry_backups\ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}.reg.dat
    2010-03-16 21:43:16 . 2010-03-16 21:43:16 1,960 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_auynakw.reg.dat
    2010-03-16 21:43:16 . 2010-03-16 21:43:16 1,092 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_AUYNAKW.reg.dat
    2010-03-16 00:11:17 . 2010-03-16 00:11:17 188,928 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\hzhao\Local Settings\Application Data\mtg.exe.vir
    2010-02-26 19:43:02 . 2010-02-26 19:43:02 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\NTIRIPPER.dll.vir
    2009-07-11 21:57:34 . 2009-07-11 21:57:34 0 ----a-w- C:\Qoobox\Quarantine\catchme.txt
    2009-07-11 02:26:19 . 2009-07-11 02:26:19 214 ----a-w- C:\Qoobox\Quarantine\Registry_backups\ShellExecuteHooks-{9DCB0AE8-633C-B1D2-29E1-3A811115121A}.reg.dat
    2009-07-11 02:25:04 . 2010-03-16 21:43:07 11,866 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
    2009-07-10 20:44:49 . 2010-03-16 21:37:54 357 ----a-w- C:\Qoobox\Quarantine\catchme.log
    2009-07-09 19:27:40 . 2005-10-11 19:40:52 356,352 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\eSellerateEngine.dll.vir
    2008-03-28 20:24:47 . 2007-04-16 15:52:53 633,198 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\uxbqs.dll.vir
    2008-02-20 01:06:10 . 2008-02-20 01:06:10 1,411,072 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\17f73d.msi.vir
     
  11. 2010/03/16
    crunchie

    crunchie Inactive

    Joined:
    2010/01/12
    Messages:
    982
    Likes Received:
    5
    No that's fine. They all go back to last year anyway.

    So, how is the pc behaving now?
     
  12. 2010/03/17
    zhshqzyc

    zhshqzyc Inactive Thread Starter

    Joined:
    2008/12/15
    Messages:
    140
    Likes Received:
    0
    It's good enough. Thanks for your nice help.
     
  13. 2010/03/17
    crunchie

    crunchie Inactive

    Joined:
    2010/01/12
    Messages:
    982
    Likes Received:
    5
    Ok. We just need you to do one other thing please.

    Please use the Internet Explorer browser (or FireFox with IETab), and do an online scan with Kaspersky Online Scanner

    Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

    Click Yes, when prompted to install its ActiveX component.
    (Note: for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
    The program launches and downloads the latest definition files.
    • Once the files are downloaded click on Next
    • Click on Scan Settings and configure as follows:
      • Scan using the following Anti-Virus database:
        • [color= "#6666CC"]Extended[/color]
      • Scan Options:
        • [color= "#6666CC"]Scan Archives[/color]
        • [color= "#6666CC"]Scan Mail Bases[/color]
    • Click OK and, under select a target to scan, select My Computer
    When the scan is done, in the Scan is completed window, any infection is displayed.
    There is no option to clean/disinfect; however, we need to analyze the information on the report.
    To obtain the report:
    Click on: Save Report As
    Next, in the Save as prompt, Save in area, select: Desktop
    In the File name area, use KScan, or something similar
    In Save as type, click the drop arrow and select: Text file [*.txt]
    Then, click: Save
    Please post the Kaspersky Online Scanner Report in your reply.

    ====



    • Click Start > Run and copy/paste the following text into the Run box, then click OK:

      ComboFix /Uninstall

      Note the space between the X and the /, it needs to be there.

     
  14. 2010/03/17
    zhshqzyc

    zhshqzyc Inactive Thread Starter

    Joined:
    2008/12/15
    Messages:
    140
    Likes Received:
    0
    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Wednesday, March 17, 2010
    Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Wednesday, March 17, 2010 19:27:38
    Records in database: 3814812
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    C:\
    D:\
    E:\

    Scan statistics:
    Objects scanned: 68629
    Threats found: 0
    Infected objects found: 0
    Suspicious objects found: 0
    Scan duration: 01:56:55

    No threats found. Scanned area is clean.

    Selected area has been scanned.
     
  15. 2010/03/17
    crunchie

    crunchie Inactive

    Joined:
    2010/01/12
    Messages:
    982
    Likes Received:
    5
    Looks good. Did you uninstall Combofix?
     
  16. 2010/03/18
    zhshqzyc

    zhshqzyc Inactive Thread Starter

    Joined:
    2008/12/15
    Messages:
    140
    Likes Received:
    0
    Yes. I uninstalled it.
     
  17. 2010/03/18
    crunchie

    crunchie Inactive

    Joined:
    2010/01/12
    Messages:
    982
    Likes Received:
    5
    No worries :)
     
