Trojan.Vundo


This topic is locked. 17 replies to this topic.

#1 lancetronic (Member, Full Member, 39 posts)

Posted 03 June 2007 - 03:23 AM

Hello, this is my first time posting on this forum. I've read some other posts and you guys seem great at helping, and since I haven't been able to fix this problem myself, I've decided to come here. I've read the FAQ and hopefully am not doing anything wrong in this post. If there's something wrong/missing please tell me. Thanks in advance for any and all help.

The problem I am having now is the Vundo Trojan. I had Errorsafe and Broadcaster.com popups earlier, but after updating and running Spybot S&D, those problems seem to have disappeared. Spybot S&D also took care of something called Smitfraud-C.Toolbar888. I am using Norton Internet Security 2007 and it keeps auto-protecting against Trojan.Vundo. I try to run Symantec's VundoFix, but it has an error halfway through, some kind of runtime error where the library was loaded incorrectly.

(June 9) I've updated Spybot S&D again and it can now find Virtumonde (which is supposed to be another name of Vundo) on my computer. The first time it found 3 .dll files and was able to delete two. The third one (xxyvuuv.dll) could not be deleted because it is being used by a program. xxyvuuv.dll is in C:\WINDOWS\system32, if that helps. I've tried to delete in safe mode, which didn't work, and I've also tried Killbox, but it was also unable to delete the file. I'm not familiar with Killbox, so I only tried the normal delete method of Killbox. Below is the updated HijackThis log.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 2:54:15 PM, on 6/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\usnsvc.exe
D:\Program Files\HiJackThis\HiJackThis_v2.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {2D4B810B-0081-4055-8911-833F084B0F90} - C:\WINDOWS\system32\cbabx.dll (file missing)
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - D:\Program Files\FlashGet\jccatch.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.5.19.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {D72DA88A-B9B4-42CF-AB16-8349C8B80A39} - C:\WINDOWS\system32\xxyvuuv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - D:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "D:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [PcSync] D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [PcSync] D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: 上传到QQ网络硬盘 - D:\Program Files\Tencent\QQ\AddToNetDisk.htm
O8 - Extra context menu item: 添加到QQ自定义面板 - D:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - D:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - D:\Program Files\Tencent\QQ\SendMMS.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - D:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra 'Tools' menuitem: žķ??QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - D:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://johnnyxvii.sp...ad/MsnPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{58761FA9-29A6-4DE4-AFB7-CF960D6B5696}: NameServer = 202.120.2.101
O20 - Winlogon Notify: cbabx - C:\WINDOWS\system32\cbabx.dll (file missing)
O20 - Winlogon Notify: xxyvuuv - C:\WINDOWS\SYSTEM32\xxyvuuv.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - D:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - D:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 9328 bytes

Edited by lancetronic, 09 June 2007 - 01:55 AM.
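The two entries that matter in the log above are the O2 BHO line and the O20 Winlogon Notify line that both point at xxyvuuv.dll (and the orphaned pair for cbabx.dll). A Winlogon Notify DLL is loaded into winlogon.exe at logon, which is why the file stays "in use" and cannot be deleted from a running session, even in safe mode. The following Python script is an added illustration, not code from this thread or from the HijackThis project: it parses O2/O20 lines and applies the checks a helper would run by eye. The sample log is a constructed excerpt modeled on the log in this post plus one benign WgaLogon entry added for contrast; the allowlist of Windows notify DLLs is short and illustrative.

```python
"""Triage HijackThis O2 (BHO) and O20 (Winlogon Notify) lines for Vundo-style persistence.

Added example; the checks are heuristics, not a substitute for a full log review.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample modeled on the HijackThis log in this post, plus one
# benign Winlogon Notify entry (WgaLogon) for contrast.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2D4B810B-0081-4055-8911-833F084B0F90} - C:\WINDOWS\system32\cbabx.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {D72DA88A-B9B4-42CF-AB16-8349C8B80A39} - C:\WINDOWS\system32\xxyvuuv.dll
O20 - Winlogon Notify: cbabx - C:\WINDOWS\system32\cbabx.dll (file missing)
O20 - Winlogon Notify: xxyvuuv - C:\WINDOWS\SYSTEM32\xxyvuuv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\system32\WgaLogon.dll
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<target>.*)$")
MISSING = "(file missing)"

# Notify DLLs that ship with Windows XP (illustrative allowlist, not exhaustive).
KNOWN_NOTIFY = {"wgalogon.dll", "crypt32.dll", "cryptnet.dll", "cscdll.dll",
                "wlnotify.dll", "sclgntfy.dll", "scecli.dll"}


@dataclass
class Entry:
    kind: str      # "O2" (Browser Helper Object) or "O20" (Winlogon Notify)
    label: str     # BHO display name or Notify registry key
    path: str      # path as printed, without the "(file missing)" suffix
    missing: bool  # HijackThis could not find the file on disk


def parse(log_text):
    """Extract O2 and O20 entries; every other line type is ignored."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            kind, label, target = "O2", m["name"], m["target"]
        else:
            m = O20_RE.match(line)
            if not m:
                continue
            kind, label, target = "O20", m["key"], m["target"]
        missing = target.endswith(MISSING)
        path = target[: -len(MISSING)].strip() if missing else target.strip()
        entries.append(Entry(kind, label, path, missing))
    return entries


def _looks_random(stem):
    """Vundo-style names: short, all lowercase letters, no digits or separators."""
    return re.fullmatch(r"[a-z]{4,8}", stem) is not None


def triage(log_text):
    """Return {lowercased path: [reasons]} for DLLs that deserve a closer look."""
    by_path = defaultdict(list)
    for e in parse(log_text):
        by_path[e.path.lower()].append(e)   # O2 and O20 paths differ only in case

    findings = {}
    for path, group in by_path.items():
        reasons = []
        filename = path.rsplit("\\", 1)[-1]
        stem = filename.rsplit(".", 1)[0]
        kinds = {e.kind for e in group}

        if any(e.missing for e in group):
            reasons.append("registration points to a file that no longer exists (orphaned entry)")
        if "\\system32\\" in path and _looks_random(stem) and filename not in KNOWN_NOTIFY:
            reasons.append("random-looking lowercase DLL name in system32")
        if {"O2", "O20"} <= kinds:
            reasons.append("same DLL registered as BHO (O2) and Winlogon Notify (O20): "
                           "loaded into winlogon.exe at logon, so the file stays locked "
                           "and cannot be deleted from a running session")
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(path)
        for r in reasons:
            print("  -", r)
```

A BHO shown as "(no name)" is not a signal on its own (Spybot's SDHelper.dll and Symantec's NppBho.dll appear that way too), so the script does not score it; the combination of a random name in system32 with dual O2/O20 registration is what singles out xxyvuuv.dll, and the "(file missing)" pair for cbabx.dll is the leftover registration of a DLL already removed.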


#2 SWI Support Robot (Helper robot, SWI Bot, 23,520 posts)

Posted 05 June 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 Sempurna (Forum Deity, Retired Staff, 3,838 posts)

Posted 09 June 2007 - 05:16 AM

Hi lancetronic,

Welcome to SpywareInfo! :wave:

I apologize for the delay getting to your log. The helpers here are all volunteers and we have been very busy here lately. If you are still having malware problems, I will be glad to help.

OK, let's do this first.

Please download ComboFix by sUBs:

NOTE: In the event you already have ComboFix, this is a new version that I need you to download.
  • Save it to your desktop.
  • Double-click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Please do NOT mouse-click ComboFix's window while it is running. That may cause it to stall. Also, please do NOT adjust your time format while ComboFix is running.


NEXT:

Please reboot your computer normally into Windows, and then please post the ComboFix log and a new HijackThis log.
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

--------------------

We are each of us angels with but one wing. And we can only fly embracing each other.
Luciano De Crescenzo

#4 lancetronic (Member, Full Member, 39 posts)

Posted 09 June 2007 - 11:43 PM

Hi Sempurna,

Thanks for the reply, I know you guys are busy. I've found a VundoFix (not Symantec's) and used it. It seems to have cleaned my computer, but just to be safe, should I post another log?

#5 Sempurna (Forum Deity, Retired Staff, 3,838 posts)

Posted 10 June 2007 - 02:00 AM

Hi lancetronic, :wave:

You're most welcome, lancetronic. :)

Yes, please go ahead and do the ComboFix scan. The log it creates will show us whether we missed out any Vundo files.

Also, post a new HijackThis log along with the ComboFix log, please.

#6 lancetronic (Member, Full Member, 39 posts)

Posted 25 June 2007 - 09:07 AM

I'm terribly sorry for the long reply, but I was very busy with finals. Now I'm done and I've done what you asked.

This is the ComboFix log:

ComboFix 07-06-18.2 - E:\ComboFix.exe
"owner" - 2007-06-25 21:53:56 - Service Pack 2 NTFS


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\owner\APPLIC~1.\macromedia\Flash Player\#SharedObjects\RLKWM6MT\www.broadcaster.com
C:\DOCUME~1\owner\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\owner\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol


((((((((((((((((((((((((( Files Created from 2007-05-25 to 2007-06-25 )))))))))))))))))))))))))))))))


2007-06-25 21:53 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-20 21:00 94,208 --a--c--- C:\WINDOWS\system32\sysadm.sys
2007-06-20 11:29 94,208 --a------ C:\WINDOWS\DIIUnin.exe
2007-06-20 11:29 34,805 --a------ C:\WINDOWS\DIIUnin.dat
2007-06-20 11:29 2,829 --a------ C:\WINDOWS\DIIUnin.pif
2007-06-19 11:31 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2007-06-19 11:31 249,856 --------- C:\WINDOWS\Setup1.exe
2007-06-17 12:05 <DIR> d-------- C:\Downloads
2007-06-15 14:03 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll
2007-06-15 14:03 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2007-06-15 14:03 266,088 --a------ C:\WINDOWS\system32\xactengine2_8.dll
2007-06-15 14:03 18,280 --a------ C:\WINDOWS\system32\x3daudio1_2.dll
2007-06-15 14:03 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll
2007-06-14 01:24 21,840 --a----t- C:\WINDOWS\system32\SIntfNT.dll
2007-06-14 01:24 17,212 --a----t- C:\WINDOWS\system32\SIntf32.dll
2007-06-14 01:24 12,067 --a----t- C:\WINDOWS\system32\SIntf16.dll
2007-06-12 12:00 <DIR> d-------- C:\DOCUME~1\owner\APPLIC~1\My Games
2007-06-11 12:03 <DIR> d-------- C:\WINDOWS\NV34563460.TMP
2007-06-09 13:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trymedia
2007-06-06 23:55 <DIR> d-------- C:\WINDOWS\NV19362528.TMP
2007-06-06 21:46 <DIR> d-------- C:\WINDOWS\NV13602928.TMP
2007-06-06 21:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\nView_Profiles
2007-06-06 20:50 <DIR> d-------- C:\WINDOWS\NV9401824.TMP
2007-06-06 11:21 <DIR> d-------- C:\Program Files\THQ
2007-06-06 10:23 108,144 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-06-06 00:30 217,088 --a------ C:\WINDOWS\system32\libmySQL.dll
2007-06-06 00:30 102,400 --a------ C:\WINDOWS\system32\TrackerNET.dll
2007-06-06 00:02 40 --a------ C:\WINDOWS\RSoftInfo.dat
2007-06-06 00:02 352,256 --a------ C:\WINDOWS\eSellerateEngine.dll
2007-06-03 02:18 17,127 --a------ C:\WINDOWS\system32\awtqn.dll
2007-06-01 01:34 <DIR> d-------- C:\DOCUME~1\owner\APPLIC~1\Nokia Multimedia Player
2007-06-01 01:10 8,320 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2007-06-01 01:10 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2007-06-01 01:10 137,216 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2007-06-01 01:10 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2007-06-01 01:10 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2007-05-28 10:13 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-05-28 01:44 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
2007-05-28 01:44 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll
2007-05-28 01:44 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2007-05-28 01:44 261,480 --a------ C:\WINDOWS\system32\xactengine2_7.dll
2007-05-28 01:44 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll
2007-05-28 01:43 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2007-05-28 01:43 255,848 --a------ C:\WINDOWS\system32\xactengine2_6.dll
2007-05-28 01:43 251,672 --a------ C:\WINDOWS\system32\xactengine2_5.dll
2007-05-28 01:43 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2007-05-28 01:43 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2007-05-28 01:43 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2007-05-25 11:13 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2007-05-25 10:46 <DIR> d-------- C:\DOCUME~1\owner\APPLIC~1\Lavasoft
2007-05-25 10:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-05-25 10:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-24 17:29:59 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-06-20 03:36:14 43,520 -c--a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-06-14 07:36:33 -------- d-----w C:\DOCUME~1\owner\APPLIC~1\VMware
2007-06-12 08:48:47 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-12 03:30:08 682,232 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-06-09 07:39:00 62 ----a-w C:\WINDOWS\popcinfo.dat
2007-06-09 05:03:00 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-06-08 08:16:59 -------- d-----w C:\Program Files\TENCENT
2007-06-05 04:03:46 2,560 ----a-w C:\WINDOWS\system32\BitCometRes.dll
2007-05-31 17:12:56 -------- d-----w C:\Program Files\Common Files\Nokia
2007-05-31 17:12:55 -------- d-----w C:\Program Files\Nokia
2007-05-24 02:46:09 -------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-05-23 15:29:23 -------- d-----w C:\Program Files\Symantec
2007-05-23 15:29:21 48,776 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-05-23 15:29:21 115,000 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-16 14:01:43 -------- d-----w C:\Program Files\Common Files\VMware
2007-05-10 01:38:53 -------- d-----w C:\Program Files\Update
2007-05-09 16:39:41 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-25 09:10:33 -------- d-----w C:\DOCUME~1\owner\APPLIC~1\AdobeUM
2007-04-19 05:26:00 888,832 ----a-w C:\WINDOWS\system32\nvmobls.dll
2007-04-19 05:26:00 86,016 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-04-19 05:26:00 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-04-19 05:26:00 7,700,480 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-04-19 05:26:00 581,632 ----a-w C:\WINDOWS\system32\nvhwvid.dll
2007-04-19 05:26:00 5,644,288 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-04-19 05:26:00 5,619,712 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-04-19 05:26:00 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-04-19 05:26:00 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-04-19 05:26:00 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-04-19 05:26:00 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-04-19 05:26:00 4,543,616 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-04-19 05:26:00 35,840 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-04-19 05:26:00 35,840 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-04-19 05:26:00 3,035,136 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-04-19 05:26:00 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-04-19 05:26:00 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-04-19 05:26:00 212,992 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-04-19 05:26:00 2,924,544 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-04-19 05:26:00 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
2007-04-19 05:26:00 159,810 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2007-04-19 05:26:00 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-04-19 05:26:00 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-04-19 05:26:00 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2007-04-19 05:26:00 1,474,560 ----a-w C:\WINDOWS\system32\nview.dll
2007-04-19 05:26:00 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
2007-04-19 05:26:00 1,236,992 ----a-w C:\WINDOWS\system32\nvwss.dll
2007-04-19 05:26:00 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 14:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 14:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 14:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 14:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 14:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 14:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 14:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 14:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-16 14:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-16 14:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2007-04-12 22:44:00 929,744 ----a-w C:\WINDOWS\system32\nvucode.bin
2007-04-12 22:44:00 745,472 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-04-12 22:44:00 5,439,488 ----a-w C:\WINDOWS\system32\nvdispsr.dll
2007-04-12 22:44:00 458,752 ----a-w C:\WINDOWS\system32\nvmccssr.dll
2007-04-12 22:44:00 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-04-12 22:44:00 3,645,440 ----a-w C:\WINDOWS\system32\nvvitvsr.dll
2007-04-12 22:44:00 3,235,840 ----a-w C:\WINDOWS\system32\nvgamesr.dll
2007-04-12 22:44:00 2,854,912 ----a-w C:\WINDOWS\system32\nvmoblsr.dll
2007-04-12 22:44:00 2,387,968 ----a-w C:\WINDOWS\system32\nvwssr.dll
2007-04-12 22:44:00 1,073,152 ----a-w C:\WINDOWS\system32\nvcpluir.dll
2007-04-12 16:51:24 356,352 -c--a-w C:\WINDOWS\system32\NVUNINST.EXE
2007-04-12 16:51:24 356,352 -c--a-w C:\WINDOWS\system32\nvudisp.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{1E8A6170-7264-4D0F-BEAE-D42A53123C75}=C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll [2006-09-06 13:18]
{2D4B810B-0081-4055-8911-833F084B0F90}=C:\WINDOWS\system32\cbabx.dll []
{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}=D:\Program Files\FlashGet\jccatch.dll [2007-01-29 17:46]
{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}=D:\Program Files\BitComet\tools\BitCometBHO_1.1.5.19.dll [2007-05-19 02:17]
{53707962-6F74-2D53-2644-206D7942484F}=D:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{F156768E-81EF-470C-9057-481BA8380DBA}=D:\Program Files\FlashGet\getflash.dll [2007-01-15 11:40]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2007-04-19 13:26 C:\WINDOWS\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2006-06-21 18:42 C:\WINDOWS\soundman.exe]
"PCSuiteTrayApplication"="D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-11-08 13:27]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59]
"osCheck"="D:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-06 09:22]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
"Windows Defender"="D:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"NvMediaCenter"="NvMCTray.dll" [2007-04-19 13:26 C:\WINDOWS\system32\nvmctray.dll]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00]
"Aim6"="" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"PcSync"=D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbabx]
C:\WINDOWS\system32\cbabx.dll


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
AutoRun\command- H:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
AutoRun\command- I:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3adc8bf0-174c-11dc-bb01-0000e8144b3e}]
1\Command- H:\autorun.pif
2\Command- H:\autorun.pif
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL autorun.pif

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5abfdd70-e1c2-11db-baab-000b2f10b21d}]
Auto\command- Cn911.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Cn911.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{86a18850-137f-11dc-baf6-005056c00008}]
打开(&O)\command- H:\RECYCLER\UcHelp.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9a0589a0-c7be-11db-ba95-0000e8144b3e}]
auto\command- 唯一的爱.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL 唯一的爱.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9da052c0-dc5c-11db-baa9-0000e8144b3e}]
Auto\command- H:\Cn911.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Cn911.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a6441913-19d2-11dc-bb08-000b2f10b21d}]
打开(&O)\command- RECYCLER\UcHelp.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b7d84980-f302-11db-babb-000b2f10b21d}]
Auto\command- AdobeR.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL AdobeR.exe e

*Newly Created Service* - COMHOST

Contents of the 'Scheduled Tasks' folder
2007-06-25 11:59:04 C:\WINDOWS\tasks\MP Scheduled Scan.job
2007-06-22 12:01:04 C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - owner.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-25 21:55:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-25 21:56:08
C:\ComboFix-quarantined-files.txt ... 2007-06-25 21:55

--- E O F ---

And here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:06:44 PM, on 6/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Tencent\QQ\QQ.exe
D:\Program Files\Tencent\QQ\TIMPlatform.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
D:\Program Files\HiJackThis\HiJackThis_v2.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {2D4B810B-0081-4055-8911-833F084B0F90} - C:\WINDOWS\system32\cbabx.dll (file missing)
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - D:\Program Files\FlashGet\jccatch.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.5.19.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - D:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "D:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [PcSync] D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [PcSync] D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: ???QQ?? - D:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: ???QQ???? - D:\Program Files\Tencent\QQ\AddToNetDisk.htm
O8 - Extra context menu item: ???QQ????? - D:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: ?QQ??????? - D:\Program Files\Tencent\QQ\SendMMS.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: 上传到QQ网络硬盘 - D:\Program Files\Tencent\QQ\AddToNetDisk.htm
O8 - Extra context menu item: 添加到QQ自定义面板 - D:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - D:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - D:\Program Files\Tencent\QQ\SendMMS.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://johnnyxvii.sp...ad/MsnPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{58761FA9-29A6-4DE4-AFB7-CF960D6B5696}: NameServer = 202.120.2.101
O20 - Winlogon Notify: cbabx - C:\WINDOWS\system32\cbabx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - D:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - D:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 9940 bytes

#7 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 3,838 posts

Posted 25 June 2007 - 11:34 PM

Hi lancetronic, :wave:

No worries about the late reply. We all have real lives outside this forum as well. :)

OK, first of all, please delete your current copy of ComboFix and download a new copy. The old one is a bit dated, and we will need to use the latest one for this fix.

We need to disable your Windows Defender real-time protection as it may interfere with the fixes that we need to make.

To disable Windows Defender:
  • Open Windows Defender.
  • Click on Tools -> General Settings.
  • Scroll down and uncheck "Turn on real-time protection (recommended)".
  • After you uncheck this, click on the "Save" button and close Windows Defender.

NEXT:

Go to Start -> Control Panel -> Add/Remove Programs and remove any of the following that are listed:

QQ
TENCENT
TENCENT QQ



NEXT:

Before fixing anything, please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
(start copying from "@echo off")

@echo off
For %%g in (
C:\WINDOWS\system32\awtqn.dll
H:\Cn911.exe
) do catchme -l nul -k %%g >nul
echo.Please submit the file, catchme.zip located on Desktop
pause
exit

Save this as submit.bat. Choose to "Save as type - All Files" and place it on your desktop.

It should look like this: Posted Image

Double-click on submit.bat and allow it to generate a zipped file on your desktop called catchme.zip.

Please submit catchme.zip to this site -> http://www.bleepingcomputer.com/submit-malware.php?channel=4

Please include a link to this topic in the message.

NOTE: The file must be uploaded before proceeding to the next step.


NEXT:

For this next step, please ensure that ComboFix.exe is on your desktop:
  • Then, please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
    (start copying from "File::")


    File::
    C:\WINDOWS\NV34563460.TMP
    C:\WINDOWS\NV19362528.TMP
    C:\WINDOWS\NV13602928.TMP
    C:\WINDOWS\NV9401824.TMP
    C:\WINDOWS\RSoftInfo.dat
    C:\WINDOWS\popcinfo.dat
    C:\WINDOWS\system32\awtqn.dll
    H:\Cn911.exe
    
    Folder::
    C:\Program Files\TENCENT
    
    Registry::
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2D4B810B-0081-4055-8911-833F084B0F90}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbabx]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3adc8bf0-174c-11dc-bb01-0000e8144b3e}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5abfdd70-e1c2-11db-baab-000b2f10b21d}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{86a18850-137f-11dc-baf6-005056c00008}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9a0589a0-c7be-11db-ba95-0000e8144b3e}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9da052c0-dc5c-11db-baa9-0000e8144b3e}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a6441913-19d2-11dc-bb08-000b2f10b21d}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b7d84980-f302-11db-babb-000b2f10b21d}]
    

  • Save this as ComboFix-Do.txt and change the "Save as type" to "All Files" and place it on your desktop.


    Posted Image


  • Referring to the screenshot above, drag ComboFix-Do.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Please do NOT mouse-click ComboFix's window while it is running. That may cause it to stall. Also, please do NOT adjust your time format while ComboFix is running.


NEXT:

Please run HijackThis and click "Scan". Place a check (tick) next to the following entries (if present):

O2 - BHO: (no name) - {2D4B810B-0081-4055-8911-833F084B0F90} - C:\WINDOWS\system32\cbabx.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O8 - Extra context menu item: ???QQ?? - D:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: ???QQ? - D:\Program Files\Tencent\QQ\AddToNetDisk.htm
O8 - Extra context menu item: ???QQ?? - D:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: ?QQ? - D:\Program Files\Tencent\QQ\SendMMS.htm
O8 - Extra context menu item: ???QQ???? - D:\Program Files\Tencent\QQ\AddToNetDisk.htm
O8 - Extra context menu item: ???QQ????? - D:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: ???QQ?? - D:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: ?QQ??????? - D:\Program Files\Tencent\QQ\SendMMS.htm
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O20 - Winlogon Notify: cbabx - C:\WINDOWS\system32\cbabx.dll (file missing)



Close ALL programs and browsers (including this one), leaving ONLY HijackThis open, then click "Fix checked".

Then please exit HijackThis.


NEXT:

Please download CCleaner (freeware) and save it to your desktop:
  • Run the CCleaner installer.
  • During installation process, please UNCHECK "Add CCleaner Yahoo! Toolbar".
  • Once installed, run CCleaner and click the "Windows" tab.
  • Select the following:
    • Check everything under the "Internet Explorer" section.
    • Check everything under the "Windows Explorer" section.
    • Check everything under the "System" section.
    • Check ONLY "Old Prefetch data" under the "Advanced" section.
  • Then, click the "Applications" tab:
    • CHECK everything there.
  • Next, click the "Options" button in the left pane, then click the "Advanced" button:
    • UNCHECK : "Only delete files in Windows Temp folders older than 48 hours".
  • Next, click the "Cleaner" button in the left pane, then click the "Run Cleaner" button (bottom right), click "OK" at the prompt.
  • When done, please exit CCleaner.
CAUTION: Please do NOT use the "Issues" button in the left pane. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.


NEXT:

Let's run an online scan to make sure we're not leaving anything behind.

Please do an online scan with Kaspersky Online Scanner using Internet Explorer (this online scanner only works with IE):
  • Click on "Kaspersky Online Scanner".
  • You will be prompted to install an ActiveX component from Kaspersky, click "Yes".
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on "Next".
  • Now click on "Scan Settings".
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended
    • Scan Options:
      Scan Archives
      Scan Mail Bases
  • Click "OK".
  • Now under select a target to scan:
    • Select "My Computer".
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the "Save Report As" button.
    • In the "File name:" field, type kavscan.
    • In the "Save as type:" field, select "Text file (*.txt)".
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Note for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.


NEXT:

Please REBOOT your computer normally into Windows and post these logs in your next reply:
  • The log from the ComboFix scan located at C:\ComboFix.txt.
  • The log from the Kaspersky scan.
  • A new HijackThis log.
(You might have to paste the logs in multiple posts in the event they are too long and breach the post length restrictions of the forum software).

How are things running now?
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

--------------------

We are each of us angels with but one wing. And we can only fly embracing each other.
Luciano De Crescenzo
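The fix above hand-picks the HijackThis entries to tick (the two BHOs whose DLL is gone and the matching Winlogon Notify entry) and writes the corresponding ComboFix `Registry::` lines by hand. The following Python script is an added example, not something from this thread or from the HijackThis/ComboFix projects: it parses the O2 and O20 lines of a HijackThis log, flags a BHO whose DLL HijackThis reports as missing, flags a Winlogon Notify entry whose DLL is missing or is also registered as a BHO (the cbabx.dll pairing seen in the log above), and emits both the lines to tick and the `[-HKEY_...]` removal lines. The sample log is constructed from lines in this thread; the triage rules and function names are ours, and the generated Registry:: list is a generalization (it also covers the `{7E853D72-...}` BHO, which the post removes through HijackThis rather than ComboFix).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of the HijackThis log above. The CLSIDs and
# paths are copied from the thread; the selection of lines is ours.
SAMPLE_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {2D4B810B-0081-4055-8911-833F084B0F90} - C:\\WINDOWS\\system32\\cbabx.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O20 - Winlogon Notify: cbabx - C:\\WINDOWS\\system32\\cbabx.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\system32\\nvsvc32.exe
"""

# HijackThis line shapes for the two sections we care about.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")

# Registry locations the two sections report on; these are the same keys the
# ComboFix script in the post removes.
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"

MISSING_MARKERS = ("(file missing)", "(no file)")


def file_is_missing(path: str) -> bool:
    """True when HijackThis could not find the DLL the entry points at."""
    return any(m in path for m in MISSING_MARKERS)


def dll_basename(path: str) -> str:
    """'C:\\WINDOWS\\system32\\cbabx.dll (file missing)' -> 'cbabx.dll'."""
    for m in MISSING_MARKERS:
        path = path.replace(m, "")
    return path.strip().rsplit("\\", 1)[-1].lower()


def parse_entries(log: str) -> List[Dict[str, str]]:
    """Pull O2 (BHO) and O20 (Winlogon Notify) lines out of a HijackThis log."""
    entries = []
    for line in log.splitlines():
        line = line.rstrip()
        if m := O2_RE.match(line):
            entries.append({"type": "O2", "line": line, **m.groupdict()})
        elif m := O20_RE.match(line):
            entries.append({"type": "O20", "line": line, **m.groupdict()})
    return entries


def triage(log: str) -> Tuple[List[str], List[str]]:
    """Return (lines to tick in HijackThis, Registry:: lines for a ComboFix script).

    Rule (ours): a BHO whose DLL no longer exists is an orphaned load point and
    is flagged; a Winlogon Notify entry is flagged when its DLL is missing or
    when the same DLL is also registered as a BHO, which is the BHO + Notify
    pairing seen with cbabx.dll in this thread.
    """
    entries = parse_entries(log)
    fix_lines, registry = [], []

    bho_dlls = set()
    for e in entries:
        if e["type"] != "O2":
            continue
        if file_is_missing(e["path"]):
            fix_lines.append(e["line"])
            registry.append(f"[-{BHO_KEY}\\{e['clsid']}]")
        if not e["path"].strip().startswith("("):   # skip bare "(no file)"
            bho_dlls.add(dll_basename(e["path"]))

    for e in entries:
        if e["type"] == "O20" and (
            file_is_missing(e["path"]) or dll_basename(e["path"]) in bho_dlls
        ):
            fix_lines.append(e["line"])
            registry.append(f"[-{NOTIFY_KEY}\\{e['key']}]")

    return fix_lines, registry


if __name__ == "__main__":
    ticks, reg = triage(SAMPLE_LOG)
    print("Tick in HijackThis:")
    print("\n".join(ticks))
    print("\nRegistry::")
    print("\n".join(reg))
```

Note that the `(no name)` BHO for Spybot's SDHelper.dll is deliberately left alone: a missing display name on its own is not evidence of anything, which is why the rule keys on the DLL being absent rather than on the name field, matching the choice the helper made above.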

#8 lancetronic

lancetronic

    Member

  • Full Member
  • Pip
  • 39 posts

Posted 27 June 2007 - 07:34 AM

I think I forgot to mention something. QQ is actually a chat program I use. It is actually the descendant of OICQ or something like that. Therefore, I can't uninstall it. Is it doing something to my computer that it shouldn't be?

#9 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 3,838 posts

Posted 27 June 2007 - 11:59 PM

Hi lancetronic,

QQ comes bundled with spyware. It used to be one of the worst infections vectors from China. Now, there are others which are even worse than it. :)

#10 lancetronic

lancetronic

    Member

  • Full Member
  • Pip
  • 39 posts

Posted 29 June 2007 - 01:18 PM

Yeah, I definitely believe that. I've always been suspicious of it infecting my computer with viruses. However, it is quite essential to me keeping in touch with my Chinese friends. If we leave this part out, will it affect me much?

#11 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 3,838 posts

Posted 29 June 2007 - 01:56 PM

Well, you would have to live with the risk of getting reinfected again and again. That can be a real pain, for you and for the people helping you clean out your system. :(

#12 lancetronic

lancetronic

    Member

  • Full Member
  • Pip
  • 39 posts

Posted 29 June 2007 - 10:07 PM

I'm sorry to keep this going on, but is there any way to remove the spyware without removing QQ? Also, what exactly has it done to my computer?

#15 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 3,838 posts

Posted 30 June 2007 - 02:38 AM

Nope, there is no other way. :(

Sure, we could continue working on your system, but there is no point as long as you have a program in your system that will continue to reinfect it. Kinda like a waste of precious volunteer time, don't ya think? :)

It is bundled with spyware. You installed it yourself. It may drop other things, and it may also download other nasties.

Keep in touch with your buddies using another messenger system or via email or via Skype. There are alternatives in every situation.

Let me know what you decide to do.

#16 lancetronic

lancetronic

    Member

  • Full Member
  • Pip
  • 39 posts

Posted 02 July 2007 - 11:35 AM

Yes, I'm terribly sorry for wasting your time. I did not anticipate this kind of result. Hopefully in time I can get rid of QQ, but for now it needs to stay on my computer. So I will have to postpone this fix, but thank you very much for all your help. Once I get rid of it, the first thing I will do is come back here and ask for help. Sorry again for all the trouble.

#17 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 3,838 posts

Posted 02 July 2007 - 11:29 PM

No worries, lancetronic. :)

Have a good one, :wave:
Sempurna

#18 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 3,838 posts

Posted 25 July 2007 - 07:55 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please tell the moderating team by replying HERE with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
