Old 02-01-2007, 09:24 PM   #1 (permalink)
Registered User
 
Join Date: Jan 2007
Posts: 33
OS: WinXP


HJT log file for 'Trojanclicker'

Hi, there.. (sorry I didn't catch your name).

Last time I posted a thread about having a problem with my computer logging on to the web automatically every time I connect to the internet, and my AV always pops up 'infiltration found'. Alright, here's the log file from HJT that I've done:

System information:
Microsoft Windows XP Professional version 2002 (Service Pack 1)
Intel (R) Pentium (R) 4 CPU 2.66 GHz 480 MB of RAM

Logfile of HijackThis v1.99.1
Scan saved at 11:29:01, on 02/02/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\RealPopup\RealPopup.exe
C:\Program Files\TheSage\TheSage.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Trend Micro\OfficeScan Client\Pop3Trap.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\system32\ufdsvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\UCAFAF.EXE
C:\PROGRA~1\SPYWAR~1\swdoctor.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKCU\..\Run: [RealPopup] "C:\Program Files\RealPopup\RealPopup.exe" BOOT
O4 - HKCU\..\Run: [TheSage] C:\Program Files\TheSage\TheSage.exe
O4 - HKCU\..\Run: [WordWeb thesaurus_dictionary] C:\Program Files\WordWeb\wweb32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\System32\wweb32.dll/lookup.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st_current.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{010344E4-4298-4B71-8F42-EF2E382ACAA1}: NameServer = 202.134.0.155,202.134.2.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{010344E4-4298-4B71-8F42-EF2E382ACAA1}: NameServer = 202.134.0.155,202.134.2.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{010344E4-4298-4B71-8F42-EF2E382ACAA1}: NameServer = 202.134.0.155,202.134.2.5
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Windows Host Services (DLLHOST32) - Unknown owner - C:\WINDOWS\system\dllhost.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: UFD Command Service (UFDSVC) - Generic - C:\WINDOWS\system32\ufdsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe




Faithfully yours,

JO.
eagerJO is offline  
Old 02-02-2007, 09:43 AM   #2 (permalink)
Analyst, Security Team ; TSF Supporter
 
Join Date: May 2006
Location: Phila,Pa
Posts: 2,335
OS: XP


Hello eagerJO, and welcome to TSF


The infection I suspect you have, a variant of Vundo, recognizes HijackThis and prevents HJT from reading the registry locations where it resides, as well as hiding other infections in those locations.


I'd like you to rename HijackThis.exe to doom.exe.
  • Navigate to C:\HJT\HijackThis.exe
  • Right click on HijackThis.exe
  • Select 'Rename'
  • Type in doom.exe
  • Press Enter.


Please run a scan with the newly renamed doom.exe and post the new log here.


In addition, I can find no record of these IP addresses. They are assigned to the Asia-Pacific Network. Can you identify them or provide me with the name of your ISP?

202.134.0.155, 202.134.2.5
fredmh is offline  
Old 02-05-2007, 11:37 AM   #3 (permalink)
Analyst, Security Team ; TSF Supporter
 
Join Date: May 2006
Location: Phila,Pa
Posts: 2,335
OS: XP


Another log file with 'doom.exe'

--------------------------------------------------------------------------------

Hi, there..

Now my computer not only still logs on to my not-preferred websites, but it's also getting a lot slower than usual. Could you tell me what can possibly cause this?

I'm in Indonesia (South East Asian Country).
This is my ISP: 203.130.206.250; alternate 202.134.0.155. If you mean the name, it'll be TELKOM or SPEEDY or TELKOMSPEEDY... sorry, but I'm not that familiar with it. Hopefully you can suggest some solution. (Would you mind letting me know how or who to address you? ^_^)

Best regards,

JO.


Logfile of HijackThis v1.99.1
Scan saved at 14:50:08, on 05/02/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\RealPopup\RealPopup.exe
C:\Program Files\TheSage\TheSage.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Trend Micro\OfficeScan Client\Pop3Trap.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\system32\ufdsvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\JRC3E6.EXE
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\WINDOWS\system\dllhost.exe
C:\HJT\doom.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {59031199-EFE2-4200-90E1-2CD2F32AFF3E} - C:\WINDOWS\System32\jkkjk.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B22CE870-2D05-4FDA-99EE-7A101875189A} - C:\WINDOWS\System32\ljjkkjk.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKCU\..\Run: [RealPopup] "C:\Program Files\RealPopup\RealPopup.exe" BOOT
O4 - HKCU\..\Run: [TheSage] C:\Program Files\TheSage\TheSage.exe
O4 - HKCU\..\Run: [WordWeb thesaurus_dictionary] C:\Program Files\WordWeb\wweb32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\System32\wweb32.dll/lookup.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st_current.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{010344E4-4298-4B71-8F42-EF2E382ACAA1}: NameServer = 202.134.0.155,202.134.2.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{010344E4-4298-4B71-8F42-EF2E382ACAA1}: NameServer = 202.134.0.155,202.134.2.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{010344E4-4298-4B71-8F42-EF2E382ACAA1}: NameServer = 202.134.0.155,202.134.2.5
O20 - Winlogon Notify: jkkjk - C:\WINDOWS\System32\jkkjk.dll
O20 - Winlogon Notify: ljjkkjk - C:\WINDOWS\SYSTEM32\ljjkkjk.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Windows Host Services (DLLHOST32) - Unknown owner - C:\WINDOWS\system\dllhost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: UFD Command Service (UFDSVC) - Generic - C:\WINDOWS\system32\ufdsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
fredmh is offline  
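The second log differs from the first only because the renamed scanner could finally read the hooked registry locations. As an added example, not code from this thread or from HijackThis, the Python script below diffs constructed excerpts of the two logs posted above and triages what the renamed scan uncovered; the generated-name heuristic and the severity rules are my own assumptions.

```python
import ntpath
import re

# Constructed excerpts of the two HijackThis logs posted in this thread: the first
# from the original HijackThis.exe run, the second from the renamed doom.exe run.
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{010344E4-4298-4B71-8F42-EF2E382ACAA1}: NameServer = 202.134.0.155,202.134.2.5
O23 - Service: Windows Host Services (DLLHOST32) - Unknown owner - C:\WINDOWS\system\dllhost.exe (file missing)
"""
LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {59031199-EFE2-4200-90E1-2CD2F32AFF3E} - C:\WINDOWS\System32\jkkjk.dll
O2 - BHO: (no name) - {B22CE870-2D05-4FDA-99EE-7A101875189A} - C:\WINDOWS\System32\ljjkkjk.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{010344E4-4298-4B71-8F42-EF2E382ACAA1}: NameServer = 202.134.0.155,202.134.2.5
O20 - Winlogon Notify: jkkjk - C:\WINDOWS\System32\jkkjk.dll
O20 - Winlogon Notify: ljjkkjk - C:\WINDOWS\SYSTEM32\ljjkkjk.dll
O23 - Service: Windows Host Services (DLLHOST32) - Unknown owner - C:\WINDOWS\system\dllhost.exe
"""

ENTRY_RE = re.compile(r"^(R\d|F\d|O\d{1,2}) - (.*)$")
SEVERITY_ORDER = {"high": 0, "review": 1, "info": 2}


def parse_hjt(text):
    """Return {(section, body)} for every entry line; process lists and headers are skipped."""
    entries = set()
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.add((m.group(1), m.group(2)))
    return entries


def new_entries(before, after):
    """Entries present only in the second log, i.e. what the renamed scan uncovered."""
    return sorted(parse_hjt(after) - parse_hjt(before))


def entry_path(body):
    """Pull the drive-letter path out of an entry and drop HJT's '(file missing)' note."""
    m = re.search(r"[A-Za-z]:\\.*", body)
    return (m.group(0) if m else body).replace(" (file missing)", "").strip()


def looks_generated(filename):
    """Heuristic (my assumption) for Vundo-style names such as jkkjk.dll:
    five or more characters, no vowels or digits, at most three distinct letters."""
    stem = ntpath.splitext(filename)[0].lower()
    return len(stem) >= 5 and not re.search(r"[aeiou0-9]", stem) and len(set(stem)) <= 3


def triage_entry(section, body):
    """Return (severity, reason) for one entry: 'high', 'review' or 'info'."""
    path = entry_path(body)
    name = ntpath.basename(path)
    folder = ntpath.dirname(path).lower()
    if section == "O20":
        # Winlogon Notify DLLs are loaded by winlogon.exe at every logon; this is the
        # persistence HijackThis could not see until it was renamed.
        if looks_generated(name):
            return "high", "Winlogon Notify hook with generated DLL name"
        return "review", "Winlogon Notify hook"
    if section == "O2" and body.startswith("BHO: (no name)"):
        # Legitimate tools (Spybot's SDHelper.dll here) also register nameless BHOs.
        if looks_generated(name):
            return "high", "nameless BHO with generated DLL name"
        return "review", "nameless BHO, verify the DLL's vendor"
    if section == "O23" and "Unknown owner" in body and folder.endswith("\\windows\\system"):
        # The real dllhost.exe lives in System32; the ComboFix log later in the thread
        # shows this copy in \WINDOWS\system created with hidden and system attributes.
        return "high", "unowned service running from \\WINDOWS\\system"
    if section == "O17":
        # Not malicious by itself: confirm the servers belong to the user's ISP.
        return "review", "custom NameServer, confirm with the ISP"
    return "info", "no rule matched"


def triage(before, after):
    """Triage only the entries that appeared after the renamed scan, worst first."""
    findings = []
    for section, body in new_entries(before, after):
        severity, reason = triage_entry(section, body)
        findings.append((severity, section, reason, body))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[0]], f[1], f[3]))


if __name__ == "__main__":
    for severity, section, reason, body in triage(LOG_BEFORE, LOG_AFTER):
        print(f"[{severity:6}] {section:<4} {reason}: {body}")
```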
Old 02-05-2007, 11:44 AM   #4 (permalink)
Analyst, Security Team ; TSF Supporter
 
Join Date: May 2006
Location: Phila,Pa
Posts: 2,335
OS: XP


Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.



IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

----------------------------------------

DOWNLOADS


CLEANUP! version 4.52 – TEMP FILE CLEANING


Please download Cleanup! and install it. You will use this later.

Alternative link Cleanup Alt


*NOTE* Cleanup deletes EVERYTHING out of temporary folders and does not make backups.



AVG Anti-Spyware 7.5



Please download AVG Anti Spyware

Use the link at the bottom of the page under "AVG Anti-Spyware Free for Windows"




  1. Install AVG Anti-Spyware 7.5.
  2. Double-click the icon on Desktop to launch AVG A-S 7.5
  3. On the top of the main screen click Shield
  4. Click the word active to change it to inactive
  5. On the top of the main screen click Update.
  6. Then click on Start Update. The update will start and a progress bar will show the updates being installed.
  7. I also recommend changing the "Update interval" to something more reasonable like 12 hours.



SDFix

Download SDFix and save it to your desktop.

We will use this later.



ComboFix



1. Download this file - You MUST save it to your desktop

COMBOFIX





2. Go to <<Start>> then <<Run>>, then paste in the single line command and click OK

"%userprofile%\desktop\combofix.exe" /v jkkjk ljjkkjk



3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

----------------------------------------

SAFE MODE RE-BOOT

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

----------------------------------------

FIXES AND DELETIONS


Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (If they still exist, make sure you do not miss any)

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm



Please remember to close all other windows, including browsers then click Fix checked.

----------------------------------------

SDFix
  • Right click the SDFix.zip folder and choose Extract All,
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file
    Report.txt back onto the forum with a new HijackThis log

----------------------------------------

RUNNING SCANNERS


Cleanup

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:

Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files (if present)
  • Cleanup! All Users
  • Click on the Temporary Files tab and uncheck the box for Scan drives for files matching if it’s checked.
Click OK
Press the CleanUp! button to start the program and DO NOT reboot when prompted.


AVG Anti-Spyware 7.5
  • Run AVG A-S with its updated definitions (it's important that all windows are closed).
    This scan can take quite a while to run, so be prepared.
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.



  • When the scan is complete click Recommended Action and change it to Quarantine (1),
  • If not click Recommended Action and choose Quarantine from the popup menu. (2)
  • At the bottom of the window click on the Apply all Actions button. (3)

When done, click the Save Scan Report button. (4) then click Save Report As and save it to your desktop.

IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.



Note: DO NOT USE the computer while AVG A/S is scanning. If Explorer or the Control Panel is opened, some malware types will reinfect your system or will not be cleaned properly.

----------------------------------------

SYSTEM RE-BOOT

Reboot into Normal Mode.

----------------------------------------


ON-LINE SCANS

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" * The download of the 8 MB Panda's ActiveX control will take place *

Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click

* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


----------------------------------------

FOLLOW-UP

Please return and post these items in the order listed:

c:\combofix.txt
SDFix Log
AVG A/S
Panda scan
A new HJT log run in Normal Mode


Please note: In order to properly see what is on your system, all HJT logs must be run in the normal mode

Please let me know how your system is behaving.
fredmh is offline  
Old 02-07-2007, 02:36 AM   #5 (permalink)
Registered User
 
Join Date: Jan 2007
Posts: 33
OS: WinXP


log file after scanning with various steps

combofix logfile:

"Pengurus Inti" - 07-02-07 13:38:09 Service Pack 1
ComboFix 07-02-07 - Running from: "C:\Documents and Settings\Pengurus Inti\desktop"
Command switches used :: /v jkkjk ljjkkjk

(((((((((((((((((((((((((((((((((((((((((((((((( Vundo Log )))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\jkkjk.dll
C:\WINDOWS\system32\ljjkkjk.dll
C:\WINDOWS\system32\kjkkj.bak1
C:\WINDOWS\system32\kjkkj.ini


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\52242234101.exe
C:\WINDOWS\system32\mysvcc.exe
C:\INSTALL.LOG


((((((((((((((((((((((((((((((( Files Created from 2007-01-07 to 2007-02-07 ))))))))))))))))))))))))))))))))))


2007-02-07 13:40 <DIR> d-------- C:\WINDOWS\ERDNT
2007-02-07 13:28 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-02-07 13:28 <DIR> d-------- C:\Program Files\Grisoft
2007-02-05 14:10 58,308 -r-hs---- C:\WINDOWS\system\dllhost.exe
2007-02-03 16:05 1,328 --a------ C:\WINDOWS\desctemp.dat
2007-02-02 11:26 <DIR> d-------- C:\HJT
2007-02-01 14:27 22,087 ---hs---- C:\WINDOWS\system32\jkkklii.dll
2007-01-30 20:18 <DIR> d-------- C:\WINDOWS\pss
2007-01-30 19:07 76,412 --a------ C:\WINDOWS\system32\xtrpeedb.dll
2007-01-30 19:07 118,804 --a------ C:\WINDOWS\system32\ytgacrcs.dll
2007-01-28 14:54 <DIR> d-------- C:\spybot
2007-01-28 14:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\Application Data\Spybot - Search & Destroy
2007-01-26 12:56 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1.WIN\Application Data\TEMP
2007-01-26 12:56 <DIR> d-------- C:\DOCUME~1\PENGUR~1\Application Data\Google
2007-01-26 12:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\Application Data\Google
2007-01-25 12:02 71,168 --a------ C:\DOCUME~1\PENGUR~1\1.exe
2007-01-22 15:58 <DIR> d-------- C:\extra pro
2007-01-19 19:37 <DIR> d-------- C:\Program Files\Google
2007-01-18 22:32 <DIR> d-------- C:\Program Files\NotePad SX
2007-01-18 10:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\Application Data\Yahoo! Companion
2007-01-18 10:27 <DIR> d-------- C:\Program Files\Yahoo!
2007-01-18 10:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\Application Data\Yahoo!
2007-01-13 17:09 183 --a------ C:\WINDOWS\system32\imon1.dat
2007-01-13 16:26 8,704 --a------ C:\WINDOWS\winsys.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-02-03 11:11 -------- d-------- C:\Documents and Settings\Pengurus Inti\Application Data\google
2007-01-08 11:34 -------- d-------- C:\Program Files\videozilla
2006-12-30 05:46 -------- d-------- C:\Documents and Settings\Pengurus Inti\Application Data\macromedia
2006-12-29 15:29 -------- d-------- C:\Program Files\Common Files\symantec shared
2006-12-29 13:45 -------- d-------- C:\Program Files\free wma to mp3 converter
2006-12-29 08:30 -------- d-------- C:\Documents and Settings\Pengurus Inti\Application Data\webshots
2006-12-26 03:26 -------- d-------- C:\Documents and Settings\Pengurus Inti\Application Data\adobeum
2006-12-26 03:21 -------- d-------- C:\Program Files\Common Files\adobe
2006-12-23 15:25 -------- d-------- C:\Program Files\webshots
2006-12-21 14:19 -------- d-------- C:\Program Files\symantec
2006-12-21 14:11 502368 --a------ C:\WINDOWS\system32\drivers\amon.sys
2006-12-21 14:11 274432 --a------ C:\WINDOWS\system32\imon.dll
2006-12-17 13:12 -------- d-------- C:\Documents and Settings\Pengurus Inti\Application Data\corel
2006-12-17 12:35 -------- d---s---- C:\Documents and Settings\Pengurus Inti\Application Data\microsoft
2006-12-17 12:35 -------- d-------- C:\Program Files\typing assistant
2006-12-17 08:11 -------- d-------- C:\Program Files\corel
2006-12-17 08:01 -------- d-------- C:\Documents and Settings\Pengurus Inti\Application Data\adobe
2006-12-17 07:43 -------- d-------- C:\Program Files\microsoft works
2006-12-10 10:33 -------- d-------- C:\Documents and Settings\Pengurus Inti\Application Data\apple computer
2006-12-10 10:10 -------- d-------- C:\Program Files\thesage
2006-12-09 13:55 -------- d-------- C:\Documents and Settings\Pengurus Inti\Application Data\ulead systems
2006-12-09 13:12 -------- d--h----- C:\Program Files\installshield installation information
2006-12-09 13:11 -------- d-------- C:\Program Files\smartsound software
2006-12-09 13:10 -------- d-------- C:\Program Files\windows media components
2006-12-09 13:10 -------- d-------- C:\Program Files\quicktime
2006-12-09 13:08 -------- d-------- C:\Program Files\ulead systems
2006-12-09 13:08 -------- d-------- C:\Program Files\Common Files\ulead systems
2006-12-09 13:08 -------- d-------- C:\Program Files\Common Files\installshield


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"RealPopup"="\"C:\\Program Files\\RealPopup\\RealPopup.exe\" BOOT"
"TheSage"="C:\\Program Files\\TheSage\\TheSage.exe"
"WordWeb thesaurus_dictionary"="C:\\Program Files\\WordWeb\\wweb32.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"nod32kui"="\"C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"
"OfficeScanNT Monitor"="\"C:\\Program Files\\Trend Micro\\OfficeScan Client\\pccntmon.exe\" -HideWindow"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"flags"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Typing Assistant"="C:\\Program Files\\Typing Assistant\\Typing Assistant.exe"
"UVS10 Preload"="C:\\Program Files\\Ulead Systems\\Ulead VideoStudio 10\\uvPL.exe"
"OfficeScanNT Monitor"="\"C:\\Program Files\\Trend Micro\\OfficeScan Client\\pccntmon.exe\" -HideWindow"
"CorelDRAW Graphics Suite 11b"="C:\\Program Files\\Corel\\Corel Graphics 12\\Languages\\EN\\Programs\\Registration.exe /title=\"CorelDRAW Graphics Suite 12\" /date=010107 serial=DR12WEX-1504397-KTY lang=EN"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Acrobat Assistant 7.0"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
"Babylon Client"="C:\\Program Files\\Babylon\\Babylon.exe -AutoStart"
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^WordWeb.lnk]
"path"="C:\\Documents and Settings\\All Users.WINDOWS\\Start Menu\\Programs\\Startup\\WordWeb.lnk"
"backup"="C:\\WINDOWS\\pss\\WordWeb.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\WordWeb\\wweb32.exe "
"item"="WordWeb"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Pengurus Inti^Start Menu^Programs^Startup^Webshots.lnk]
"path"="C:\\Documents and Settings\\Pengurus Inti\\Start Menu\\Programs\\Startup\\Webshots.lnk"
"backup"="C:\\WINDOWS\\pss\\Webshots.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\Webshots\\Launcher.exe /t"
"item"="Webshots"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DllRunning]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ytgacrcs"
"hkey"="HKLM"
"command"="rundll32.exe \"C:\\WINDOWS\\System32\\ytgacrcs.dll\",setvm"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeScanNT Monitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pccntmon"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Trend Micro\\OfficeScan Client\\pccntmon.exe\" -HideWindow"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GoogleToolbarNotifier"
"hkey"="HKCU"
"command"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TheSage]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TheSage"
"hkey"="HKCU"
"command"="C:\\Program Files\\TheSage\\TheSage.exe"
"inimapping"="0"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"=dword:0000000b
"NoSharedDocuments"=hex:00,00,00,00
"NoTrayItemsDisplay"=hex:00,00,00,00
"NoFolderOptions"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkjk

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_AVGASCLN
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_MCHINJDRV


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job


********************************************************************

catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-02-07 13:43:35


SD fix logfile

SDFix: Version 1.63

07/02/2007 - 14:01:03,57

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\Documents and Settings\Pengurus Inti\Desktop\SDFix

Safe Mode:
Checking Services:

Name:
DLLHOST32
new_drv

Path:
"C:\WINDOWS\system\dllhost.exe"
\??\C:\WINDOWS\new_drv.sys

DLLHOST32 Deleted
new_drv Deleted

Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\system\dllhost.exe - Deleted
C:\WINDOWS\system32\i - Deleted
C:\WINDOWS\winsys.exe - Deleted



ADS Check:

C:\WINDOWS\system32
No streams found.

Final Check:

Remaining Services:
------------------



Remaining Files:
---------------

Backups Folder: - C:\DOCUME~1\PENGUR~1\Desktop\SDFix\backups\backups.zip


Checking For Files with Hidden Attributes :

C:\WINDOWS\system32\jkkklii.dll
C:\Documents and Settings\Pengurus Inti\Application Data\Microsoft\Word\~WRL0428.tmp
C:\Documents and Settings\Pengurus Inti\Application Data\Microsoft\Word\~WRL1486.tmp
C:\Documents and Settings\Pengurus Inti\Application Data\Microsoft\Word\~WRL1695.tmp
C:\Documents and Settings\Pengurus Inti\Application Data\Microsoft\Word\~WRL2889.tmp
C:\Documents and Settings\Pengurus Inti\Application Data\Microsoft\Word\~WRL3015.tmp
C:\Documents and Settings\Pengurus Inti\Application Data\Microsoft\Word\~WRL3368.tmp
C:\Documents and Settings\Pengurus Inti\Application Data\Microsoft\Word\~WRL3564.tmp
C:\Documents and Settings\Pengurus Inti\Application Data\Microsoft\Word\~WRL3796.tmp
C:\Documents and Settings\Pengurus Inti\Application Data\Microsoft\Word\~WRL3883.tmp
C:\WINDOWS\system32\config\system.tmp.LOG

Finished



AVG A/S:
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 14:55:30 07/02/2007

+ Scan result:



D:\My Pictures\Fantasy Animal Art Painting by Schim Schimmel - wallcoo_net_files\close.js -> Downloader.IstBar.ai : Cleaned with backup (quarantined).
D:\My Pictures\WINNIE THE POOH\close.js -> Downloader.IstBar.ai : Cleaned with backup (quarantined).
D:\My Pictures\Zodiac star_files\close.js -> Downloader.IstBar.ai : Cleaned with backup (quarantined).
D:\My Pictures\bee1_files\close.js -> Downloader.IstBar.ai : Cleaned with backup (quarantined).


::Report end


Panda scan:

Incident Status Location

Virus:Trj/Mailbot.AH Disinfected C:\Documents and Settings\Pengurus Inti\1.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Pengurus Inti\Desktop\SDFix\apps\Process.exe
Virus:W32/Oscarbot.NG.worm Disinfected C:\Documents and Settings\Pengurus Inti\Desktop\SDFix\backups\backups.zip[backups/dllhost.exe]
Virus:W32/Sdbot.ftp.worm Disinfected C:\Documents and Settings\Pengurus Inti\Desktop\SDFix\backups\backups.zip[backups/i]
Virus:Trj/Clicker.WX Disinfected C:\Documents and Settings\Pengurus Inti\Desktop\SDFix\backups\backups.zip[backups/winsys.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Pengurus Inti\Desktop\SDFix\SDFix.exe[SDFix\apps\Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Pengurus Inti\Desktop\SDFix.zip[SDFix.exe][SDFix\apps\Process.exe]
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\jkkklii.dll
Adware:Adware/WinAntivirus2006 Not disinfected C:\WINDOWS\system32\xtrpeedb.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\ytgacrcs.dll

New HJT normal mode:
Logfile of HijackThis v1.99.1
Scan saved at 16:17:22, on 07/02/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ufdsvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\RealPopup\RealPopup.exe
C:\Program Files\TheSage\TheSage.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\TEMP\FL704D.EXE
C:\Program Files\Trend Micro\OfficeScan Client\Pop3Trap.exe
C:\HJT\doom.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [RealPopup] "C:\Program Files\RealPopup\RealPopup.exe" BOOT
O4 - HKCU\..\Run: [TheSage] C:\Program Files\TheSage\TheSage.exe
O4 - HKCU\..\Run: [WordWeb thesaurus_dictionary] C:\Program Files\WordWeb\wweb32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st_current.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{010344E4-4298-4B71-8F42-EF2E382ACAA1}: NameServer = 202.134.0.155,202.134.2.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{46766EB0-0CC8-4BA5-A9D6-A5795BB2D192}: NameServer = 203.130.206.250 202.134.0.155
O17 - HKLM\System\CS1\Services\Tcpip\..\{010344E4-4298-4B71-8F42-EF2E382ACAA1}: NameServer = 202.134.0.155,202.134.2.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{010344E4-4298-4B71-8F42-EF2E382ACAA1}: NameServer = 202.134.0.155,202.134.2.5
O20 - Winlogon Notify: jkkjk - C:\WINDOWS\System32\jkkjk.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: UFD Command Service (UFDSVC) - Generic - C:\WINDOWS\system32\ufdsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

------------------------------------------------------------------------
Those logs above are all you requested from me after a long day of following your instructions. My computer is getting back to its normal behaviour; it's not as good as it was, though. Anyway, it's faster than yesterday.

From the log files, I can see that my computer is not really cleaned yet, am I right? What should be done next?
Oh yeah, when I did the scan with AVG, I turned the shield to 'inactive'; now can I turn it back to 'active'?
One more: when I did the HJT in safe mode, I couldn't see any of the files that you mentioned before, starting '09-extra button......'; instead I could see '09-extra button-research...' (as you can see from the log). Is that OK?

looking forward to ur reply,


Regards,

JO.
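The helpers in this thread read the HJT log by eye and pick out the same kinds of entries every time: a Winlogon Notify package with a random name and no file on disk (the jkkjk line), a Run key that uses rundll32 to load a DLL out of System32 (the ytgacrcs.dll entry from the msconfig dump), an executable living in a TEMP folder, and services with no publisher string. The following Python script is an added example, not part of the thread and not HijackThis code, that applies those checks mechanically to log text. The sample log is constructed from lines in this thread (the [DllRunning] line is rebuilt from the registry dump, since it is not in the HJT log verbatim), and the XP Winlogon Notify baseline and the severity labels are assumptions of the example.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Stock Windows XP Winlogon\Notify packages. This baseline is an assumption of
# this example; anything outside it is raised for manual review.
XP_NOTIFY_BASELINE = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,', re.IGNORECASE)
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify:\s*(?P<name>\S+)\s*-\s*(?P<rest>.*)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<svc>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

# (severity, rule description, offending log line)
Finding = Tuple[str, str, str]

# Constructed sample in HijackThis v1.99 format. Most lines are copied from the
# logs in this thread; the [DllRunning] line is rebuilt from the msconfig
# startupreg entry shown in the registry dump and is not in the HJT log verbatim.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\TEMP\FL704D.EXE
C:\Program Files\Eset\nod32krn.exe

O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\ytgacrcs.dll",setvm
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O20 - Winlogon Notify: jkkjk - C:\WINDOWS\System32\jkkjk.dll (file missing)
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""


def triage_hjt(log_text: str) -> List[Finding]:
    """Apply a handful of review heuristics to an HJT log and return what they flag."""
    findings: List[Finding] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
            continue
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        # Rule 1: anything running or autostarting from a temp directory.
        if (in_processes or line.startswith("O4 ")) and TEMP_DIR_RE.search(line):
            findings.append(("medium", "executable started from a temp directory", line))
        if line.startswith("O4 "):
            # Rule 2: rundll32 pulling a DLL out of System32 via a Run key.
            m = RUNDLL_RE.search(line)
            if m and "\\system32\\" in m.group("dll").lower():
                findings.append(("medium", "rundll32 autostart loading a DLL from System32", line))
        elif line.startswith("O20 "):
            # Rule 3: Winlogon Notify packages outside the XP baseline, or with no file on disk.
            m = NOTIFY_RE.match(line)
            if m and ("(file missing)" in line or m.group("name").lower() not in XP_NOTIFY_BASELINE):
                findings.append(("high", "non-baseline or missing Winlogon Notify package", line))
        elif line.startswith("O23 "):
            # Rule 4: services with no publisher string; low priority, verify by hand.
            m = SERVICE_RE.match(line)
            if m and m.group("owner").strip().lower() == "unknown owner":
                findings.append(("low", "service with no publisher recorded", line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity."""
    return dict(Counter(sev for sev, _, _ in findings))


if __name__ == "__main__":
    for sev, rule, line in triage_hjt(SAMPLE_LOG):
        print(f"[{sev:6}] {rule}: {line}")
    print(summarize(triage_hjt(SAMPLE_LOG)))
```

Each finding is a prompt for review, not a verdict: the TEMP entry may well be an installer that a scanner dropped there, and the BlueSoleil service is a known Bluetooth stack that simply lacks a publisher string. The point is that the two entries the helpers act on in this thread (jkkjk and ytgacrcs.dll) surface without anyone having to scan the log by eye.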
Old 02-07-2007, 11:49 AM   #6 (permalink)
Analyst, Security Team ; TSF Supporter
Join Date: May 2006
Location: Phila,Pa
Posts: 2,335
OS: XP


Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding.
Please ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage would not be available when you're carrying out the fix.



IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

----------------------------------------

The 09 entries are not showing in your current log. You can also turn AVG back to active. We still have some junk to clean out, though.


----------------------------------------

DOWNLOADS


REGISTRY FIX

Download the attached eager.zip file at the bottom of this post to your desktop. Double click on the zip folder, then double click on the .reg file within.
Click yes to allow it to merge into your registry.

----------------------------------------

FIXES AND DELETIONS

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.


C:\WINDOWS\system32\jkkklii.dll
C:\WINDOWS\system32\xtrpeedb.dll
C:\WINDOWS\system32\ytgacrcs.dll

C:\Documents and Settings\Pengurus Inti\1.exe


>>>If the files resist deletion, boot to Safe Mode and delete

----------------------------------------

ON-LINE SCANS

Kaspersky - Extended

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect.
    We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

----------------------------------------

FOLLOW-UP

----------------------------------------

Please return and post these items in the order listed:

Kaspersky scan
Attached Files
File Type: zip eager.zip (213 Bytes, 2 views)
Old 02-08-2007, 01:43 AM   #7 (permalink)
Registered User
 
Join Date: Jan 2007
Posts: 33
OS: WinXP


scan with kaspersky

I didn't find one file that you mentioned in the path
c:\windows\system32\jkkklii.dll in red; and also the folder:
c:\document and setting\pengurus inti\1.exe in blue. Does it mean they don't exist?

Here's the report file from kaspersky scan:
KASPERSKY ONLINE SCANNER REPORT
Thursday, February 08, 2007 3:38:38 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 8/02/2007
Kaspersky Anti-Virus database records: 265991


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases false

Scan Target My Computer
A:\
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 99584
Number of viruses found 10
Number of infected objects 18 / 0
Number of suspicious objects 0
Duration of the scan process 0142

Infected Object Name Virus Name Last Action
C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Pengurus Inti\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Pengurus Inti\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Pengurus Inti\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Pengurus Inti\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Pengurus Inti\Local Settings\History\History.IE5\MSHist012007020820070209\index.dat Object is locked skipped

C:\Documents and Settings\Pengurus Inti\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Pengurus Inti\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Pengurus Inti\ntuser.dat.LOG Object is locked skipped

C:\Program Files\ESET\cache\CACHE.NDB Object is locked skipped

C:\Program Files\ESET\infected\2M3CK3DA.NQF Infected: Trojan-Clicker.Win32.Agent.hz skipped

C:\Program Files\ESET\infected\3D0YHJCA.NQF Infected: Virus.Win32.VB.bl skipped

C:\Program Files\ESET\infected\GUXYBJAA.NQF/WISE0069.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped

C:\Program Files\ESET\infected\GUXYBJAA.NQF/WISE0071.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped

C:\Program Files\ESET\infected\GUXYBJAA.NQF/WISE0072.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped

C:\Program Files\ESET\infected\GUXYBJAA.NQF WiseSFX: infected - 3 skipped

C:\Program Files\ESET\infected\GUXYBJAA.NQF WiseSFX Dropper: infected - 3 skipped

C:\Program Files\ESET\infected\GUXYBJAA.NQF PE-Crypt.XorPE: infected - 3 skipped

C:\Program Files\ESET\infected\RWDLXHAA.NQF Infected: Trojan-Clicker.Win32.Small.kj skipped

C:\Program Files\ESET\logs\virlog.dat Object is locked skipped

C:\Program Files\ESET\logs\warnlog.dat Object is locked skipped

C:\Program Files\Trend Micro\OfficeScan Client\Backup\CHIP.RB0 Infected: Virus.Win32.Delfer.a skipped

C:\Program Files\Trend Micro\OfficeScan Client\Backup\CHIP.RB1 Infected: Virus.Win32.Delfer.a skipped

C:\Program Files\Trend Micro\OfficeScan Client\Backup\CHIP.RB2 Infected: Virus.Win32.Delfer.a skipped

C:\Program Files\Trend Micro\OfficeScan Client\Backup\CHIP.RB3 Infected: Virus.Win32.Delfer.a skipped

C:\Program Files\Trend Micro\OfficeScan Client\Backup\CHIP.RB4 Infected: Virus.Win32.Delfer.a skipped

C:\Program Files\Trend Micro\OfficeScan Client\ConnLog\Conn_20070208.log Object is locked skipped

C:\RECYCLER\S-1-5-21-1078081533-861567501-682003330-1006\Dc2.dll Infected: Trojan-Spy.Win32.VBStat.h skipped

C:\RECYCLER\S-1-5-21-1078081533-861567501-682003330-1006\Dc3.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ft skipped

C:\System Volume Information\_restore{D9D1CACF-3EC3-4B69-B7D3-A94FAADEECE2}\RP7\A0000133.exe Infected: not-a-virus:RiskTool.Win32.Reboot.e skipped

C:\WINDOWS\Debug\oakley.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped

C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\jkkklii.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gl skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

Scan process completed.


What next, Fredmh?
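Most of the "Infected" hits in the Kaspersky report above are not live infections: they sit in the ESET quarantine folder, in Trend Micro's backup folder, in the Recycle Bin, or in a System Restore point, which is exactly why the helper's reply treats them differently from C:\WINDOWS\system32\jkkklii.dll. The following Python script is an added example, not part of the thread and not Kaspersky's code, that parses report lines in this layout and sorts each detection by where the object lives. The sample report is a constructed subset of the one posted above, and the list of quarantine folder markers is an assumption built from the products seen in this thread.

```python
import re
from typing import Dict, List

# Path fragments that mean "already quarantined or backed up by a security tool".
# This list is an assumption of the example, built from the products in this thread.
QUARANTINE_MARKERS = (
    "\\eset\\infected\\",
    "\\officescan client\\backup\\",
    "\\sdfix\\backups\\",
)
RESTORE_MARKER = "\\system volume information\\_restore"
RECYCLE_MARKER = "\\recycler\\"

# One report line of the form "<path> Infected: <detection name> skipped".
# "Object is locked" lines and the "WiseSFX: infected - 3" roll-up lines do not
# match and are ignored; the archive members already carry the container path.
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")

# Constructed sample in Kaspersky Online Scanner 5 report layout; the entries are
# a subset of the report posted in this thread.
SAMPLE_REPORT = r"""
Infected Object Name Virus Name Last Action
C:\Documents and Settings\Pengurus Inti\NTUSER.DAT Object is locked skipped
C:\Program Files\ESET\infected\2M3CK3DA.NQF Infected: Trojan-Clicker.Win32.Agent.hz skipped
C:\Program Files\ESET\infected\GUXYBJAA.NQF/WISE0071.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Program Files\ESET\infected\GUXYBJAA.NQF/WISE0072.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Program Files\Trend Micro\OfficeScan Client\Backup\CHIP.RB0 Infected: Virus.Win32.Delfer.a skipped
C:\RECYCLER\S-1-5-21-1078081533-861567501-682003330-1006\Dc3.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ft skipped
C:\System Volume Information\_restore{D9D1CACF-3EC3-4B69-B7D3-A94FAADEECE2}\RP7\A0000133.exe Infected: not-a-virus:RiskTool.Win32.Reboot.e skipped
C:\WINDOWS\system32\jkkklii.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gl skipped
Scan process completed.
"""


def classify_path(path: str) -> str:
    """Name the bucket a detected object belongs to, judged by its location only."""
    p = path.lower()
    if any(marker in p for marker in QUARANTINE_MARKERS):
        return "av_quarantine"
    if RESTORE_MARKER in p:
        return "system_restore"
    if RECYCLE_MARKER in p:
        return "recycle_bin"
    return "live"


def classify_report(text: str) -> Dict[str, List[str]]:
    """Group every detected object (deduplicated by container file) by location bucket."""
    buckets: Dict[str, List[str]] = {
        "live": [], "av_quarantine": [], "system_restore": [], "recycle_bin": [],
    }
    for raw in text.splitlines():
        m = INFECTED_RE.match(raw.strip())
        if not m:
            continue
        # An archive member is reported as "container/member"; keep the container.
        container = m.group("path").split("/")[0]
        bucket = buckets[classify_path(container)]
        if container not in bucket:
            bucket.append(container)
    return buckets


def active_threats(text: str) -> List[str]:
    """Only the detections that sit on the live file system need cleanup on the host."""
    return classify_report(text)["live"]


if __name__ == "__main__":
    for bucket, paths in classify_report(SAMPLE_REPORT).items():
        print(f"{bucket}: {len(paths)}")
        for p in paths:
            print("   ", p)
```

Run against the full report above, the "live" bucket contains only the Virtumonde DLL in system32, which matches the one system file the helper keeps asking to have deleted; the quarantine, backup, Recycle Bin and restore-point hits are inert copies that the respective tool (or emptying the Recycle Bin and clearing restore points) takes care of.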
Old 02-08-2007, 12:26 PM   #8 (permalink)
Analyst, Security Team ; TSF Supporter
Join Date: May 2006
Location: Phila,Pa
Posts: 2,335
OS: XP


They could be gone or they could be hidden. Let's give it a try and delete them this way, together with the Kaspersky results:


UNHIDE HIDDEN FILES

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types.
* Click Yes to confirm and then click OK.

----------------------------------------

FIXES AND DELETIONS

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.


C:\WINDOWS\system32\jkkklii.dll
C:\WINDOWS\system32\xtrpeedb.dll
C:\WINDOWS\system32\ytgacrcs.dll

C:\Documents and Settings\Pengurus Inti\1.exe

C:\Program Files\ESET\ \2M3CK3DA.NQF
C:\Program Files\ESET\ \3D0YHJCA.NQF
C:\Program Files\ESET\ \GUXYBJAA.NQF
C:\Program Files\ESET\ \GUXYBJAA.NQF Dropper
C:\Program Files\ESET\ \GUXYBJAA.NQF PE-Crypt.XorPE
C:\Program Files\ESET\ \RWDLXHAA.NQF

C:\Program Files\Trend Micro\OfficeScan Client\Backup\CHIP.RB0
C:\Program Files\Trend Micro\OfficeS