
Help! me to remove the trojan

Discussion in 'Malware and Virus Removal Archive' started by Foodbird, 2007/09/09.

  1. 2007/09/12
    Foodbird

    Foodbird Inactive Thread Starter

    Joined:
    2007/09/08
    Messages:
    43
    Likes Received:
    0
    Thanks a lot, Geri. Here is the report of Jotti's:

    File: UnInstall.dll
    Status: OK
    MD5: f2327a366388bfd5b69bf04d49b32abf
    Packers detected: -
    Bit9 reports: File not found

    Scanner results
    Scan taken on 12 Sep 2007 15:42:13 (GMT)
    A-Squared Found nothing
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    CPsecure Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found nothing
    Fortinet Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    Panda Antivirus Found nothing
    Rising Antivirus Found nothing
    Sophos Antivirus Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing

     
  2. 2007/09/12
    Foodbird

    I have done step by step according to Geri's instructions.

    Here is the report of OTMoveIt. Since it says "File/Folder C:\Document and Settings\Tianxi Wang\Local Settings\Temporary Internet Files\Content.IE5\OXQ1LC8U not found," I suppose my computer is not clean now.

    File/Folder C:\Document and Settings\Tianxi Wang\Local Settings\Temporary Internet Files\Content.IE5\OXQ1LC8U not found.
    File/Folder C:\Documents and Settings\Tianxi Wang\blin\blin.exe not found.
    C:\Program Files\SpywareBot\Log moved successfully.
    C:\Program Files\SpywareBot moved successfully.
    C:\DOCUME~1\TIANXI~1\APPLIC~1\Tencent\QQDownload\115248456\Torrents moved successfully.
    C:\DOCUME~1\TIANXI~1\APPLIC~1\Tencent\QQDownload\115248456\Setting moved successfully.
    C:\DOCUME~1\TIANXI~1\APPLIC~1\Tencent\QQDownload\115248456 moved successfully.
    C:\DOCUME~1\TIANXI~1\APPLIC~1\Tencent\QQDownload moved successfully.
    C:\DOCUME~1\TIANXI~1\APPLIC~1\Tencent moved successfully.

    Created on 09/12/2007 17:51:19
     


  4. 2007/09/12
    Foodbird

    Here is the report of ComboFix after the run of OTMoveIt.

    ComboFix 07-09-10.6 - "Tianxi Wang" 2007-09-12 17:57:34.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.936.86.1033.18.146 [GMT 1:00]
    .

    ((((((((((((((((((((((((( Files Created from 2007-08-12 to 2007-09-12 )))))))))))))))))))))))))))))))
    .

    2007-09-12 17:43 <DIR> drahs---- C:\autorun.inf
    2007-09-12 17:42 51,200 --a--c--- C:\WINDOWS\nircmd.exe
    2007-09-11 11:46 <DIR> d-------- C:\DOCUME~1\YANLI~1\Local Settingsocal Settings
    2007-09-10 11:47 <DIR> d-------- C:\Deckard
    2007-09-08 22:57 4,514 --a------ C:\WINDOWS\system32\tmp.reg
    2007-09-08 22:03 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
    2007-09-08 22:03 <DIR> d----c--- C:\DOCUME~1\TIANXI~1\APPLIC~1\SpywareBot
    2007-09-04 01:51 1,343,592 --a------ C:\WINDOWS\UnInstall.dll
    2007-09-04 01:51 <DIR> d-------- C:\Program Files\British Telecom
    2007-09-04 01:49 <DIR> d----c--- C:\DOCUME~1\TIANXI~1\APPLIC~1\InstallShield
    2007-09-04 01:49 <DIR> d-------- C:\WINDOWS\tmp.0000
    2007-09-04 01:49 <DIR> d-------- C:\WINDOWS\220V.0000
    2007-09-04 01:48 <DIR> d-------- C:\Program Files\BT Broadband Talk Softphone
    2007-09-04 01:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
    2007-09-04 01:47 86,016 --a------ C:\WINDOWS\system32\YPcservice.exe
    2007-09-04 01:47 131,072 --a------ C:\WINDOWS\system32\ypclsp.dll
    2007-09-04 01:46 <DIR> d----c--- C:\DOCUME~1\TIANXI~1\APPLIC~1\Yahoo!
    2007-09-04 01:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\yahoo!
    2007-09-04 01:42 84,992 --a------ C:\WINDOWS\system32\ATL70.DLL
    2007-09-04 01:42 65,536 --a------ C:\WINDOWS\system32\YCRWin32.dll
    2007-09-04 01:42 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
    2007-09-04 01:42 <DIR> d-------- C:\WINDOWS\Motive
    2007-09-04 01:42 <DIR> d-------- C:\Program Files\Yahoo!
    2007-09-04 01:41 <DIR> d-------- C:\Program Files\btbb_wcm
    2007-09-04 01:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Motive
    2007-09-04 01:40 <DIR> d-------- C:\Program Files\Common Files\Motive
    2007-09-04 01:39 <DIR> d-------- C:\Program Files\Motive
    2007-09-04 01:39 <DIR> d-------- C:\Program Files\BTTotalBroadband220V

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-09-04 01:51 --------- d--h----- C:\Program Files\InstallShield Installation Information
    2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
    2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
    2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
    2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
    2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
    2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
    2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
    2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
    2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
    2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
    2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
    2007-07-19 07:59 3583488 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
    2007-07-13 00:31 765952 --a------ C:\WINDOWS\system32\dllcache\vgx.dll
    2007-06-27 15:34 823808 --a------ C:\WINDOWS\system32\dllcache\wininet.dll
    2007-06-27 15:34 671232 --a------ C:\WINDOWS\system32\dllcache\mstime.dll
    2007-06-27 15:34 6058496 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
    2007-06-27 15:34 52224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
    2007-06-27 15:34 477696 --a------ C:\WINDOWS\system32\dllcache\mshtmled.dll
    2007-06-27 15:34 459264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
    2007-06-27 15:34 44544 --a------ C:\WINDOWS\system32\dllcache\iernonce.dll
    2007-06-27 15:34 384512 --a------ C:\WINDOWS\system32\dllcache\iedkcs32.dll
    2007-06-27 15:34 383488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
    2007-06-27 15:34 27648 --a------ C:\WINDOWS\system32\dllcache\jsproxy.dll
    2007-06-27 15:34 267776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
    2007-06-27 15:34 232960 --------- C:\WINDOWS\system32\dllcache\webcheck.dll
    2007-06-27 15:34 230400 --a------ C:\WINDOWS\system32\dllcache\ieaksie.dll
    2007-06-27 15:34 193024 --a------ C:\WINDOWS\system32\dllcache\msrating.dll
    2007-06-27 15:34 153088 --a------ C:\WINDOWS\system32\dllcache\ieakeng.dll
    2007-06-27 15:34 132608 --a------ C:\WINDOWS\system32\dllcache\extmgr.dll
    2007-06-27 15:34 124928 --------- C:\WINDOWS\system32\dllcache\advpack.dll
    2007-06-27 15:34 1152000 --a------ C:\WINDOWS\system32\dllcache\urlmon.dll
    2007-06-27 15:34 105984 --------- C:\WINDOWS\system32\dllcache\url.dll
    2007-06-27 15:34 102400 --------- C:\WINDOWS\system32\dllcache\occache.dll
    2007-06-27 09:27 63488 --------- C:\WINDOWS\system32\dllcache\ie4uinit.exe
    2007-06-27 09:27 625152 --------- C:\WINDOWS\system32\dllcache\iexplore.exe
    2007-06-27 09:27 13824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
    2007-06-27 08:00 161792 --a------ C:\WINDOWS\system32\dllcache\ieakui.dll
    2007-06-26 07:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
    2007-06-26 07:08 1104896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll
    2007-06-19 14:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
    2007-06-19 14:31 282112 --------- C:\WINDOWS\system32\dllcache\gdi32.dll
    2007-06-13 11:23 1033216 --a------ C:\WINDOWS\explorer.exe
    2007-06-13 11:23 1033216 --------- C:\WINDOWS\system32\dllcache\explorer.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "S3TRAY2 "= "S3Tray2.exe" [2001-10-12 07:32 C:\WINDOWS\system32\S3Tray2.exe]
    "TrackPointSrv "= "tp4serv.exe" [2002-12-03 12:09 C:\WINDOWS\system32\tp4serv.exe]
    "ATIModeChange "= "Ati2mdxx.exe" [2001-09-05 01:24 C:\WINDOWS\system32\Ati2mdxx.exe]
    "BluetoothAuthenticationAgent "= "irprops.cpl" [2004-08-04 08:56 C:\WINDOWS\system32\irprops.cpl]
    "TPHOTKEY "= "C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2003-01-22 00:05]
    "BMMGAG "= "C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2003-01-17 10:32]
    "BMMLREF "= "C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [2003-01-17 10:32]
    "BCONSET "= "regedit /s C:\Program Files\ThinkPad\ConnectUtilities\bconprof.reg" []
    "QCWLICON "= "C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2003-01-08 11:50]
    "TPKMAPMN "= "C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe" [2003-02-17 09:30]
    "TP4EX "= "tp4ex.exe" [2002-09-04 10:05 C:\WINDOWS\system32\TP4EX.exe]
    "EZEJMNAP "= "C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2002-12-24 11:01]
    "AGRSMMSG "= "AGRSMMSG.exe" [2002-11-21 23:17 C:\WINDOWS\AGRSMMSG.exe]
    "ATIPTA "= "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2002-12-14 19:03]
    "UC_SMB "=" " []
    "ibmmessages "= "C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [2003-01-07 23:52]
    "Acrobat Assistant 7.0 "= "D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 11:12]
    "StormCodec_Helper "= "D:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" [2005-12-05 19:08]
    "IMSCMig "= "C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.exe" [2003-07-14 23:57]
    "McAfeeUpdaterUI "= "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" [2006-11-17 03:06]
    "ShStatEXE "= "D:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 20:00]
    "Network Associates Error Reporting Service "= "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 09:48]
    "Motive SmartBridge "= "C:\PROGRA~1\BTTOTA~1\Help\SMARTB~1\BTHelpNotifier.exe" [2006-02-06 18:52]
    "btbb_wcm_McciTrayApp "= "C:\Program Files\btbb_wcm\McciTrayApp.exe" [2006-12-08 07:45]
    "YBrowser "= "C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 16:19]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56]
    "ibmmessages "= "C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [2003-01-07 23:52]
    "pyjj "= "D:\Program Files\jj4\jjsvr4.exe" [2005-12-29 15:23]
    "Yahoo! Pager "= "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" [2005-08-31 17:11]

    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
    Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-2052-0000-7760-100000000002}\SC_Acrobat.exe [2006-01-31 16:40:37]
    BT Broadband Desktop Help.lnk - C:\Program Files\BTTotalBroadband220V\Help\bin\matcli.exe [2007-09-04 01:40:04]

    R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\drivers\IBMBLDID.SYS
    R1 NaiAvTdi1;NaiAvTdi1;C:\WINDOWS\system32\drivers\mvstdi5x.sys
    R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys
    R3 EntDrv51;EntDrv51;\??\C:\WINDOWS\system32\drivers\EntDrv51.sys
    R3 Tp4Track;IBM PS/2 TrackPoint Driver;C:\WINDOWS\system32\DRIVERS\tp4track.sys
    S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;\??\D:\PROGRA~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1abfca03-4d71-11dc-afce-00061bc9e2c2}]
    play\command- "C:\Program Files\InterVideo\WinDVD\WinDVD.exe" %1

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-03-04 12:04:58 C:\WINDOWS\Tasks\BMMTask.job "
    "2007-09-08 21:03:48 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job "
    - C:\Program Files\SpywareBot\SpywareBot.exe
    .
    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-09-12 18:00:26
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-09-12 18:02:04
    C:\ComboFix-quarantined-files.txt ... 2007-09-12 18:01
    C:\ComboFix2.txt ... 2007-09-11 11:46
    .
    --- E O F ---
     
  5. 2007/09/12
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Foodbird

    Do you know what this is?
    [pyjj] D:\Program Files\jj4\jjsvr4.exe

    Please run OTMoveIt again, add this to files to move and click move it.
    C:\WINDOWS\UnInstall.dll

    Please Download ATF cleaner.

    Download ATF Cleaner by Atribune and save it to your Desktop.
    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin


    The rest are optional - if you want it to remove everything check "Select All".
    Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.

    Then please run an on-line scan.

    Please go HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

    Please let me know if you know what the program is.

    Please post the Panda scan results.

    Thanks
    Geri
     
  6. 2007/09/12
    Geri Lifetime Subscription

    Hi Foodbird


    Please also do this.

    Copy the contents of the quote box below to a blank notepad. Save it to the desktop as:

    Filename: check.bat
    Save as type: All Files (*.*)

    Double click check.bat to run it. It will open check.txt when it completes. Please post its contents.


    Open "NotePad" Copy the contents of the quote box below to the blank NotePad.


    Code:
    REGEDIT4

    ; Delete the Windows Firewall "authorized application" entry for blin.exe
    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\\Documents and Settings\\Tianxi Wang\\blin\\blin.exe"=-
    Click "File" > "Save as"
    In the "Save In" box at the top click the down arrow and select DeskTop

    In the "File name" type in: Blin.reg
    In the "Save As Type" select: All Files
    Once saved, Go to your desktop double click "Blin.reg file" and let it merge with the registry.

    Thanks
    Geri
     
  7. 2007/09/13
    Foodbird

    Thanks, Geri. Pyjj is software for typing Chinese. I think it is innocent. I will do the other things as you instruct soon.
     
    Last edited: 2007/09/13
  8. 2007/09/13
    Foodbird

    Here is the report after Panda-scanning, which took more than two hours. And I have done all the other things that Geri instructed.


    Incident Status Location

    Adware:Adware/Borlander Not disinfected d:\program files\ringz studio\storm codec\stormset.exe
    Adware:adware/windowenhancer Not disinfected c:\windows\system32\SBUtils
    Adware:adware/emediacodec Not disinfected Windows Registry
    Hacktool:HackTool/EvID Not disinfected C:\Program Files\Common Files\Synacast\SynaLive\EvID4226Patch.exe
    Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe
    Potentially unwanted tool:Application/Processor Not disinfected D:\antivirus\SmitfraudFix\Process.exe
    Potentially unwanted tool:Application/SuperFast Not disinfected D:\antivirus\SmitfraudFix\restart.exe
    Potentially unwanted tool:Application/Processor Not disinfected D:\antivirus\SmitfraudFix\SmitfraudFix.zip[SmitfraudFix/Process.exe]
    Potentially unwanted tool:Application/SuperFast Not disinfected D:\antivirus\SmitfraudFix\SmitfraudFix.zip[SmitfraudFix/restart.exe]
    Potentially unwanted tool:Application/NirCmd.A Not disinfected D:\ComboFix.exe[nircmd.exe]
    Potentially unwanted tool:Application/Yok Not disinfected D:\eMule-0.46c-VeryCD0913Install.exe[VeryCD_SuperSearch_Silent.exe][YOK_SuperSearch.dll]
    Potentially unwanted tool:Application/Yok Not disinfected D:\eMule-0.46c-VeryCD0913Install.exe[VeryCD_SuperSearch_Silent.exe][yoksch.htm]
    Adware:Adware/KoolBar Not disinfected D:\eMule-0.46c-VeryCD0913Install.exe[assist4.exe][2è?]
    Virus:Generic Malware Not disinfected D:\eMule-0.46c-VeryCD0913Install.exe[assist4.exe][2è?]
    Potentially unwanted tool:Application/NirCmd.A Not disinfected D:\Flash_Disinfector.exe[nircmd.exe]
    Adware:Adware/BaiduBar Not disinfected D:\JJPack\JJPack.msi[unk_0034][_58BD506B970B44A28A91534501169936][BDSrHook.dll]
    Hacktool:HackTool/EvID Not disinfected D:\Program Files\PPLive TV\SynaLiveSetup.exe[EvID4226Patch.exe]
    Potentially unwanted tool:Application/Processor Not disinfected D:\SmitfraudFix.zip[SmitfraudFix/Process.exe]
    Potentially unwanted tool:Application/SuperFast Not disinfected D:\SmitfraudFix.zip[SmitfraudFix/restart.exe]
    Adware:Adware/Borlander Not disinfected D:\StormCodec5.12RC3_PConline.exe[StormSet.exe]
    Adware:Adware/Borlander Not disinfected D:\StormCodec5.12RC3_PConline.exe[StormSet.exe][mms.exe]
    Adware:Adware/Borlander Not disinfected D:\StormCodec5.12RC3_PConline.exe[StormSet.exe][mms.exe][2è?]
     
  9. 2007/09/13
    Foodbird

    And here is the report of running check.bat:

    Directory of C:\DOCUME~1\YANLI~1

    11/09/2007 11:46 <DIR> .
    11/09/2007 11:46 <DIR> ..
    02/08/2006 00:58 <DIR> Application Data
    09/09/2007 19:46 <DIR> Cookies
    02/08/2006 00:11 <DIR> Desktop
    01/02/2007 02:52 <DIR> Favorites
    27/09/2002 02:06 <DIR> Local Settings
    12/09/2007 18:02 <DIR> Local Settingsocal Settings
    01/02/2007 02:52 <DIR> My Documents
    27/09/2002 02:06 <DIR> NetHood
    27/09/2002 02:06 <DIR> PrintHood
    01/02/2007 02:58 <DIR> Recent
    15/02/2006 15:35 <DIR> SendTo
    27/09/2002 02:06 <DIR> Start Menu
    27/09/2002 02:06 <DIR> Templates
    02/08/2006 01:46 <DIR> UserData
    31/01/2006 13:46 <DIR> WINDOWS
    0 File(s) 0 bytes
    17 Dir(s) 694,886,400 bytes free
     
  10. 2007/09/13
    Geri Lifetime Subscription

    Hi Foodbird

    OK, Panda found no "viruses".

    But a number of programs you have are considered Adware.
    Do you use these?

    ringz studio\storm codec <<This one is not good
    windowenhancer
    emediacodec
    Synacast\SynaLive
    eMule
    BaiduBar
    Borlander StormCodec5.

    Let's run a tool to see which ones it will clean. The others should be removed also.

    Please follow these instructions exactly as given.

    Now download AVG Anti-Spyware from HERE and save that file to your desktop.
    This is a 30 day trial of the program
    1. Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
    2. Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
    3. On the main screen select the icon "Update" then select the "Update now" link.
      • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
    4. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
    6. Under "Reports"
      • Select "Automatically generate report after every scan"
      • Un-Select "Only if threats were found"
    Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.
    1. Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
      IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process:
    2. Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
    3. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    4. AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
      Once the scan is complete do the following:
    5. If you have any infections you will be prompted, then select "Apply all actions"
    6. Next select the "Reports" icon at the top.
    7. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
    8. Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.

    Did you name/rename a folder?....
    12/09/2007 18:02 <DIR> Local Settingsocal Settings

    Please post the AVG AS report.
    Thanks
    Geri
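
One way to sort the Panda ActiveScan rows posted in this thread before deciding what to remove, as an added example that is not part of the original posts or of any tool mentioned here. It separates tracking cookies, registry hits, files sitting on disk, and detections located inside an installer or archive (the `path[inner]` form). The function names and bucket labels are assumptions made for the illustration; the sample rows are copied from the two Panda reports in the thread.

```python
import re
from collections import defaultdict

# The only status value that appears in the thread's reports.
STATUS = " Not disinfected "

# A location such as D:\ComboFix.exe[nircmd.exe] means the detected item sits
# inside a container file. The bracket chain must end the string, so a cookie
# file name like tianxi_wang@doubleclick[1].txt is NOT treated as nested.
NESTED = re.compile(r"^(?P<container>[^\[]+)(?P<chain>(?:\[[^\]]*\])+)$")

# Rows copied from the Panda reports posted in the thread (header included).
SAMPLE_REPORT = r"""
Incident Status Location
Adware:Adware/Borlander Not disinfected d:\program files\ringz studio\storm codec\stormset.exe
Adware:adware/emediacodec Not disinfected Windows Registry
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected D:\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/Processor Not disinfected D:\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Adware:Adware/Borlander Not disinfected D:\StormCodec5.12RC3_PConline.exe[StormSet.exe][mms.exe]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Tianxi Wang\Cookies\tianxi_wang@doubleclick[1].txt
Hacktool:HackTool/EvID Not disinfected C:\Program Files\Common Files\Synacast\SynaLive\EvID4226Patch.exe
"""


def parse_row(line):
    """Split one 'Type:Name Status Location' row; return None for non-rows."""
    left, sep, location = line.strip().partition(STATUS)
    if not sep or ":" not in left:
        return None  # header line, blank line, or unknown status
    kind, name = left.split(":", 1)
    finding = {"kind": kind, "name": name, "location": location,
               "container": None, "inner": []}
    match = NESTED.match(location)
    if match:
        finding["container"] = match.group("container")
        finding["inner"] = re.findall(r"\[([^\]]*)\]", match.group("chain"))
    return finding


def bucket(finding):
    """Assign a finding to one of four triage buckets."""
    if finding["name"].startswith("Cookie/"):
        return "cookie"            # browser tracking cookie, not a program
    if finding["location"] == "Windows Registry":
        return "registry"          # leftover keys, no file path given
    if finding["container"]:
        return "inside_container"  # packed in an installer or archive
    return "on_disk"               # a file present on the file system


def triage(report):
    """Group every parsable row of a pasted report by bucket."""
    groups = defaultdict(list)
    for line in report.splitlines():
        finding = parse_row(line)
        if finding:
            groups[bucket(finding)].append(finding)
    return dict(groups)


def by_container(findings):
    """Map each container file to the detection names reported inside it."""
    result = defaultdict(set)
    for finding in findings:
        if finding["container"]:
            result[finding["container"]].add(finding["name"])
    return dict(result)


if __name__ == "__main__":
    groups = triage(SAMPLE_REPORT)
    for label in ("on_disk", "registry", "inside_container", "cookie"):
        print(f"{label}: {len(groups.get(label, []))}")
        for finding in groups.get(label, []):
            print(f"    {finding['kind']:26} {finding['name']:24} {finding['location']}")
    print("containers:", by_container(groups.get("inside_container", [])))
```
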
     
  11. 2007/09/14
    Foodbird

    Thanks a lot, Geri. Sorry for being late. Today I am too busy.

    I am sure Synacast\SynaLive, eMule, BaiduBar, Borlander StormCodec5 are innocent. The others I do not know.

    I will do the scan tomorrow. I am afraid of safe mode. Once I entered safe mode, and in the end a black-background window (like DOS) came up. Then I did not know what to do. But I will try it.
     
  12. 2007/09/14
    Geri Lifetime Subscription

    Hi
    You will get a window like DOS which shows drivers loading, that is normal.
    Just wait for the prompts and select ok for "safe mode".

    To get out of safe mode all you need to do is click "start", turn off computer, and click restart.

    Geri
     
  13. 2007/09/15
    Foodbird

    Hi, Geri,

    I have done, exactly I think, what you instructed. The scan took about two hours and 21 spyware items were found.

    But a little error happened. In the end, there was no report generated. After the scan finished, I clicked the "report" tab and it returned "no report available". I do not know why that happened. I did select "automatically generate a report after each scan" and deselect "report only if there is threat".

    Do you want me to scan my computer with HijackThis and then post the report?
     
  14. 2007/09/16
    Geri Lifetime Subscription

    Hi Foodbird
    That's OK. They have changed their setup, so I need to change the way I have people do the setup.

    I would like to see a new Panda scan if you would.
    Also please let me know if you are getting any more warnings and how things are running.

    Thanks
    Geri
     
  15. 2007/09/17
    Foodbird

    Hi, Geri,

    Here is the report. It does not look good. 31 spyware items and one virus were found. What should I do next?


    Incident Status Location

    Adware:adware/windowenhancer Not disinfected c:\windows\system32\SBUtils
    Adware:adware/emediacodec Not disinfected Windows Registry
    Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Tianxi Wang\Cookies\tianxi_wang@888[1].txt
    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Tianxi Wang\Cookies\tianxi_wang@ad.yieldmanager[2].txt
    Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Tianxi Wang\Cookies\tianxi_wang@adrevolver[2].txt
    Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Tianxi Wang\Cookies\tianxi_wang@ads.addynamix[1].txt
    Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Tianxi Wang\Cookies\tianxi_wang@adserver.easyad[2].txt
    Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Tianxi Wang\Cookies\tianxi_wang@adultfriendfinder[1].txt
    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Tianxi Wang\Cookies\tianxi_wang@atdmt[2].txt
    Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Tianxi Wang\Cookies\tianxi_wang@bluestreak[1].txt
    Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Tianxi Wang\Cookies\tianxi_wang@bs.serving-sys[2].txt
    Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Tianxi Wang\Cookies\tianxi_wang@counter3.sextracker[1].txt
    Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Tianxi Wang\Cookies\tianxi_wang@counter4.sextracker[1].txt
    Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Tianxi Wang\Cookies\tianxi_wang@doubleclick[1].txt
    Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Tianxi Wang\Cookies\tianxi_wang@ehg-ads.hitbox[2].txt
    Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Tianxi Wang\Cookies\tianxi_wang@fastclick[2].txt
    Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Tianxi Wang\Cookies\tianxi_wang@int.sitestat[2].txt
    Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Tianxi Wang\Cookies\tianxi_wang@int.sitestat[3].txt
    Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Tianxi Wang\Cookies\tianxi_wang@media.adrevolver[3].txt
    Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Tianxi Wang\Cookies\tianxi_wang@mediaplex[1].txt
    Spyware:Cookie/AspinallsOnlineCasino Not disinfected C:\Documents and Settings\Tianxi Wang\Cookies\tianxi_wang@pacificpoker[2].txt
    Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Tianxi Wang\Cookies\tianxi_wang@realmedia[1].txt
    Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Tianxi Wang\Cookies\tianxi_wang@serving-sys[1].txt
    Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Tianxi Wang\Cookies\tianxi_wang@sextracker[2].txt
    Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Tianxi Wang\Cookies\tianxi_wang@trafficmp[2].txt
    Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Tianxi Wang\Cookies\tianxi_wang@tribalfusion[2].txt
    Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Tianxi Wang\Cookies\tianxi_wang@www.drivecleaner[2].txt
    Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe
    Potentially unwanted tool:Application/Processor Not disinfected D:\antivirus\SmitfraudFix\Process.exe
    Potentially unwanted tool:Application/SuperFast Not disinfected D:\antivirus\SmitfraudFix\restart.exe
    Potentially unwanted tool:Application/Processor Not disinfected D:\antivirus\SmitfraudFix\SmitfraudFix.zip[SmitfraudFix/Process.exe]
    Potentially unwanted tool:Application/SuperFast Not disinfected D:\antivirus\SmitfraudFix\SmitfraudFix.zip[SmitfraudFix/restart.exe]
    Potentially unwanted tool:Application/NirCmd.A Not disinfected D:\ComboFix.exe[nircmd.exe]
    Potentially unwanted tool:Application/Yok Not disinfected D:\eMule-0.46c-VeryCD0913Install.exe[VeryCD_SuperSearch_Silent.exe][YOK_SuperSearch.dll]
    Potentially unwanted tool:Application/Yok Not disinfected D:\eMule-0.46c-VeryCD0913Install.exe[VeryCD_SuperSearch_Silent.exe][yoksch.htm]
    Adware:Adware/KoolBar Not disinfected D:\eMule-0.46c-VeryCD0913Install.exe[assist4.exe][2è?]
    Virus:Generic Malware Not disinfected D:\eMule-0.46c-VeryCD0913Install.exe[assist4.exe][2è?]
    Potentially unwanted tool:Application/NirCmd.A Not disinfected D:\Flash_Disinfector.exe[nircmd.exe]
    Adware:Adware/BaiduBar Not disinfected D:\JJPack\JJPack.msi[unk_0034][_58BD506B970B44A28A91534501169936][BDSrHook.dll]
    Hacktool:HackTool/EvID Not disinfected D:\Program Files\PPLive TV\SynaLiveSetup.exe[EvID4226Patch.exe]
    Potentially unwanted tool:Application/Processor Not disinfected D:\SmitfraudFix.zip[SmitfraudFix/Process.exe]
    Potentially unwanted tool:Application/SuperFast Not disinfected D:\SmitfraudFix.zip[SmitfraudFix/restart.exe]
    Adware:Adware/Borlander Not disinfected D:\StormCodec5.12RC3_PConline.exe[StormSet.exe]
    Adware:Adware/Borlander Not disinfected D:\StormCodec5.12RC3_PConline.exe[StormSet.exe][mms.exe]
    Adware:Adware/Borlander Not disinfected D:\StormCodec5.12RC3_PConline.exe[StormSet.exe][mms.exe][2è?]
     
  16. 2007/09/17
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Foodbird
    OK This is what is going on. You said this....
    This is what Panda says...

    Adware:Adware/KoolBar Not disinfected D:\eMule
    Virus:Generic Malware Not disinfected D:\eMule
    Adware:Adware/BaiduBar
    Hacktool:HackTool/EvID Not disinfected D:\Program Files\PPLive TV\SynaLive
    Adware:Adware/Borlander Not disinfected D:\StormCodec5

    So we can remove these because Panda says they are bad, or we can leave them because you say they are innocent.

    What do you want to do? It is your computer; you have to make the choice.

    Let me know how you want to proceed with the above.

    I see you have "smitfraudfix" installed. Please delete that one and download this new version.

    Please download SmitfraudFix (by S!Ri) to your Desktop.

    Double-click SmitfraudFix.exe


    You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

    Next, please reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    Once in Safe Mode, double-click on SmitfraudFix.exe
    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
    A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
    The report can also be found at the root of the system drive, usually at C:\rapport.txt



    • Double click OTMoveIt.exe to launch it.
    • Copy/Paste the contents of the box below into the left hand pane of OTMoveIt.
    • Click the Move It button.
    • The list will be processed and the results will appear in the right hand pane.
    • If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    • When finished click Exit to exit the programme.
    • A log C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log will be created (where mmddyyyy_hhmmss are numbers giving date and time the log was created).

    Run ATF cleaner to remove the cookies.

    Post the smitfraud log,
    and let me know how you want to handle the above Adware.

    Thanks
    Geri
     
  17. 2007/09/18
    Foodbird

    Thanks, Geri.

    How about I delete eMule and BaiduBar, but keep the others? I do want to learn something here. Below is the report of SmitFraudFix:

    SmitFraudFix v2.225

    Scan done at 11:39:15.92, 18/09/2007
    Run from D:\antivirus\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts



    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{08BF4B52-5C30-49EC-80E8-738BF588BB72}: DhcpNameServer=192.168.1.1
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{08BF4B52-5C30-49EC-80E8-738BF588BB72}: DhcpNameServer=192.168.1.1
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{08BF4B52-5C30-49EC-80E8-738BF588BB72}: DhcpNameServer=192.168.1.1
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
    HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System "=" "


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
  18. 2007/09/18
    Foodbird

    Is my computer clean enough now?
     
  19. 2007/09/18
    Geri Lifetime Subscription

    Hi Foodbird
    OK, your computer, your choice.

    • Double click OTMoveIt.exe to launch it.
    • Copy/Paste the contents of the box below into the left hand pane of OTMoveIt.
    • Click the Move It button.
    • The list will be processed and the results will appear in the right hand pane.
    • If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    • When finished click Exit to exit the programme.
    • A log C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log will be created (where mmddyyyy_hhmmss are numbers giving date and time the log was created).

    Please post one more Panda scan. Run ATF Cleaner just before the scan to remove cookies.

    Then we will clean up the tools and files/folders they created.

    Thanks
    Geri
     
  20. 2007/09/24
    Foodbird

    Thanks a lot, Geri. And sorry for replying late.

    From the report, is my computer clean?


    Incident Status Location

    Adware:adware/emediacodec Not disinfected Windows Registry
    Adware:adware/iebar Not disinfected Windows Registry
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Tianxi Wang\Desktop\SmitfraudFix\Process.exe
    Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\Tianxi Wang\Desktop\SmitfraudFix\restart.exe
    Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe
    Potentially unwanted tool:Application/Yok Not disinfected C:\_OTMoveIt\MovedFiles\eMule-0.46c-VeryCD0913Install.exe[VeryCD_SuperSearch_Silent.exe][YOK_SuperSearch.dll]
    Potentially unwanted tool:Application/Yok Not disinfected C:\_OTMoveIt\MovedFiles\eMule-0.46c-VeryCD0913Install.exe[VeryCD_SuperSearch_Silent.exe][yoksch.htm]
    Adware:Adware/KoolBar Not disinfected C:\_OTMoveIt\MovedFiles\eMule-0.46c-VeryCD0913Install.exe[assist4.exe][2è?]
    Virus:Generic Malware Not disinfected C:\_OTMoveIt\MovedFiles\eMule-0.46c-VeryCD0913Install.exe[assist4.exe][2è?]
    Adware:Adware/BaiduBar Not disinfected C:\_OTMoveIt\MovedFiles\JJPack\JJPack.msi[unk_0034][_58BD506B970B44A28A91534501169936][BDSrHook.dll]
    Potentially unwanted tool:Application/Processor Not disinfected D:\antivirus\SmitfraudFix\Process.exe
    Potentially unwanted tool:Application/SuperFast Not disinfected D:\antivirus\SmitfraudFix\restart.exe
    Virus:Generic Malware Disinfected D:\ComboFix.exe
    Potentially unwanted tool:Application/NirCmd.A Not disinfected D:\Flash_Disinfector.exe[nircmd.exe]
    Hacktool:HackTool/EvID Not disinfected D:\Program Files\PPLive TV\SynaLiveSetup.exe[EvID4226Patch.exe]
    Potentially unwanted tool:Application/Processor Not disinfected D:\SmitfraudFix.zip[SmitfraudFix/Process.exe]
    Potentially unwanted tool:Application/SuperFast Not disinfected D:\SmitfraudFix.zip[SmitfraudFix/restart.exe]
    Adware:Adware/Borlander Not disinfected D:\StormCodec5.12RC3_PConline.exe[StormSet.exe]
    Adware:Adware/Borlander Not disinfected D:\StormCodec5.12RC3_PConline.exe[StormSet.exe][mms.exe]
    Adware:Adware/Borlander Not disinfected D:\StormCodec5.12RC3_PConline.exe[StormSet.exe][mms.exe][2è?]
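
An added example, not part of the original thread: a small Python parser for the Panda report format posted above. It sorts each detection by whether it was disinfected, is a registry entry, sits under the OTMoveIt folder, or is still in its original place. The function names and bucket names are assumptions of this example; the sample lines are copied from the reports in the thread.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the two Panda reports in this thread.
REPORT = r"""
Adware:adware/iebar Not disinfected Windows Registry
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Tianxi Wang\Cookies\tianxi_wang@fastclick[2].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe
Adware:Adware/BaiduBar Not disinfected C:\_OTMoveIt\MovedFiles\JJPack\JJPack.msi[unk_0034][_58BD506B970B44A28A91534501169936][BDSrHook.dll]
Virus:Generic Malware Disinfected D:\ComboFix.exe
Adware:Adware/Borlander Not disinfected D:\StormCodec5.12RC3_PConline.exe[StormSet.exe]
Adware:Adware/Borlander Not disinfected D:\StormCodec5.12RC3_PConline.exe[StormSet.exe][mms.exe]
"""

LINE = re.compile(r"^(?P<category>[^:]+):(?P<name>.+?) "
                  r"(?P<status>Not disinfected|Disinfected) (?P<location>.+)$")
# Trailing [..][..] groups are archive/installer members; a bracket followed by
# more text (cookie "name[2].txt") is part of the file name itself.
MEMBERS = re.compile(r"^(?P<outer>.*?)(?P<members>(?:\[[^\[\]]*\])*)$")
MOVED_DIR = "c:\\_otmoveit\\movedfiles\\"  # folder named in the OTMoveIt steps

def parse(line):
    m = LINE.match(line.strip())
    if not m:
        return None  # header ("Incident Status Location") or blank line
    rec = m.groupdict()
    outer, members = MEMBERS.match(rec["location"]).groups()
    rec.update(outer=outer, members=re.findall(r"\[([^\[\]]*)\]", members))
    return rec

def bucket(rec):
    if rec["status"] == "Disinfected":
        return "disinfected"
    if rec["location"] == "Windows Registry":
        return "registry"
    if rec["outer"].lower().startswith(MOVED_DIR):
        return "moved_by_otmoveit"
    return "still_in_place"

def triage(report):
    groups = defaultdict(lambda: defaultdict(set))
    for line in report.splitlines():
        rec = parse(line)
        if rec:  # one entry per outer file, however many members were flagged
            groups[bucket(rec)][rec["outer"]].add(rec["name"])
    return {b: {f: sorted(n) for f, n in fs.items()} for b, fs in groups.items()}

if __name__ == "__main__":
    for name, files in triage(REPORT).items():
        print(name, files)
```

Grouping by the outer file shows that several report lines can refer to one installer on disk, so the number of files to decide on is smaller than the number of lines.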
     
  21. 2007/09/24
    Foodbird

    Moreover, could I ask a few questions on how to deal with the spyware by myself?

    If McAfee warns me of some trojans, could I simply run SmitfraudFix in Safe Mode to clear them?
     
