#1  01-18-2008, 03:01 PM
Registered User | Join Date: Jan 2008 | Posts: 9 | OS: xp pro sp2
Pop ups - Win32/BaiduSobar or Win32/Henbang

I started getting CHINESE pop-ups; sometimes they open new browser windows, or they are attached to the page I am on. There are also links that keep appearing in my Favorites and in those of the other users of this PC. I scanned with:

Symantec Antivirus:
wstdik.dll
EE60714F-AC17-427E-861A-FD60CBDF119A
07.01.2007 20:51:17 - ##### check started #####
07.01.2007 20:51:17 - ### Version: 1.4
07.01.2007 20:51:17 - ### Date: 1/7/2007 8:51:17 PM
07.01.2007 20:51:17 - ##### checking bots #####
07.01.2007 20:54:24 - found: Sogou User settings
07.01.2007 20:54:24 - found: Sogou User settings
07.01.2007 20:54:25 - found: Sogou User settings
07.01.2007 20:54:29 - found: Sogou Temporary file
07.01.2007 20:54:30 - found: Sogou Temporary file
07.01.2007 20:54:31 - found: Sogou Executable
07.01.2007 21:17:15 - found: Troj.PrintSpool Settings
07.01.2007 21:17:16 - found: Troj.PrintSpool Settings
07.01.2007 21:24:49 - ##### check finished #####

Windows Defender:
Win32/Henbang

Win32/BaiduSobar
Resources:
file:
C:\WINDOWS\system32\tflock.exe->(nsis-6-BaiduBar.dll)

file:
C:\WINDOWS\system32\dsgj.exe->(nsis-3-BaiduBar.dll)

containerfile:
C:\WINDOWS\system32\tflock.exe

containerfile:
C:\WINDOWS\system32\dsgj.exe

I listed the pop-up links:
hxxp://jipiao.kooxoo.com/?fromid=wm19di
hxxp://gg1.18day.com/
hxxp://img.zhangxiu.com/2/394.html?f=3202
hxxp://u.x-push.net/dg/full3/index_mosa_vip_2541_uid__bid_.html
hxxp://u.7town.com/html/778_1740/ly1/index.html?uid=11918&a=&b=&c=&d=&e=&f=
hxxp://cdn.deals.qunar.com/ad/activity/Qunar_DM/flights_dj_mkt5.html?flightDM=mkt5Fday1&hotelDM=mkt5Hday1&ticketDM=mkt5Day1
hxxp://mamabang.pampers.com.cn/default.aspx
hxxp://killer.http://www.myrice.com/default.html?u...=0&c=&d=&e=&f=
hxxp://www.360quan.com/?afid=17&lev1=26460&ac=XXXX&bc=XXXX&
hxxp://www.jiaboo.com/blog/CpmSiteHome.asp
hxxp://adfarm.mediaplex.com/ad/ck/4080-22903-9499-0?aid=38937;lp;15&!mpro=hxxp://www.eachnet.com/landing/99yuan.html?adid=bjmt_mta_01_0_15_38937

I also listed the Favorites links (their names are shown as garbled characters like ÌôÕ½´ðÌâËÍÃâ·ÑQ±Ò, which is GBK-encoded Chinese displayed as Latin-1: 挑战答题送免费Q币, "take the quiz, win free Q coins"):

hxxp://www.yiqilai.com/?links
hxxp://www.amazon.cn/?source=ad4all_38937
hxxp://www.dangdang.com/league/leagueref.asp?from=P-118711&backurl=http://home.dangdang.com/
hxxp://u.x-push.net/dg/full3/index_mosa_vip_2541_uid__bid_.html
hxxp://travel.elong.com/hotels/default.aspx?campaign_id=4052610
hxxp://u.7town.com/Pub/mms/4/index.html?uid=11918&a=&b=&c=&d=&e=&f=
hxxp://www.qb-qq.com/?uid=1007&a=&b=&c=&d=
hxxp://www.yiqilai.com/?favorite
hxxp://www.eachnet.com/?adid=bjmt_mta_01_0_hp_38937
hxxp://www.zhaodao123.com/?favorite

There was also an extra button in the cut/copy/paste/delete/select all menu. It was labeled Ò×Ȥ¹ºÎï (GBK for 易趣购物, "EachNet shopping"), but it is gone now.

I guess that is all the information I have.

LOG POST

PANDA log Activescan:


Incident Status Location

Adware:adware/baidubar Not disinfected Windows Registry
Virus:Trj/Downloader.RYB Disinfected C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\install.exe
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Charles\Cookies\charles@atdmt[2].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Kristel\Cookies\kristel@ads.addynamix[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Kristel\Cookies\kristel@atdmt[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Kristel\Cookies\kristel@tribalfusion[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\User\Cookies\user@advertising[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\User\Cookies\user@atdmt[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\User\Cookies\user@bs.serving-sys[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\User\Cookies\user@questionmarket[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\User\Cookies\user@serving-sys[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\User\Cookies\user@tribalfusion[1].txt
Possible Virus. Not disinfected C:\WINDOWS\system32\my_70049.exe
Spyware:Cookie/Atlas DMT Not disinfected C:\WINDOWS\Temp\Cookies\user@atdmt[1].txt
Virus:Trj/Downloader.RWB Disinfected C:\WINDOWS\Temp\nl264b45a.exe
Virus:Trj/Downloader.RWB Disinfected C:\WINDOWS\Temp\nldca4d0.exe


Deckard's System Scanner main.txt:

Deckard's System Scanner v20071014.68
Run by User on 2008-01-18 17:11:00
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
14: 2008-01-18 22:11:07 UTC - RP201 - Deckard's System Scanner Restore Point
13: 2008-01-18 20:17:39 UTC - RP200 - Software Distribution Service 3.0
12: 2008-01-17 23:22:37 UTC - RP199 - System Checkpoint
11: 2008-01-16 07:29:30 UTC - RP198 - Software Distribution Service 3.0
10: 2008-01-16 02:36:22 UTC - RP197 - System Checkpoint


-- First Restore Point --
1: 2008-01-10 01:03:21 UTC - RP188 - Removed Nero 7 Ultra Edition


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as User.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:14:21 PM, on 1/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\User\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\User.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:Tabs
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 127.0.0.2 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe Common Objects - {C86488AF-13D5-4FEF-9DDF-9FB88698CFC1} - C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\USERDATA\webbrowser_3103.dll
O3 - Toolbar: (no name) - {D0943516-5076-4020-A3B5-AEFAF26AB263} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [x] C:\WINDOWS\system32\x.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\RunServices: [lrzsny] C:\WINDOWS\system32\lrzsny.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ChikkaDefault] C:\PROGRA~1\CHIKKA~1\CHIKKA~1.4\ChikkaLauncher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Ò×Ȥ¹ºÎï - {EE60714F-AC17-427e-861A-FD60CBDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=824 (file missing)
O9 - Extra 'Tools' menuitem: Ò×Ȥ¹ºÎï - {EE60714F-AC17-427e-861A-FD60CBDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=824 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_inst...syInstallX.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary...t.cab57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7988 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 iur99 (iur9) - c:\windows\system32\drivers\iur99.sys
R2 mxdispdr - c:\windows\system32\drivers\mxdispdr.sys
R2 ymze8d - c:\windows\system32\drivers\ymze8d.sys

S0 cercsr6 - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller>
S3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 CLTNetCnService (Symantec Lic NetConnect service) - "c:\program files\common files\symantec shared\ccsvchst.exe" /h cccommon (file missing)
S2 sysloader (System Event loader) - "c:\documents and settings\all users\application data\microsoft\office\system\sysloader.exe" <Not Verified; Microsoft; sysloader>
S4 NMIndexingService - "c:\program files\common files\ahead\lib\nmindexingservice.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-01-18 15:16:46 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-01-03 13:39:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2007-12-18 and 2008-01-18 -----------------------------

2008-01-18 17:13:12 0 d-------- C:\Program Files\Trend Micro
2008-01-18 16:56:07 0 d-------- C:\ZonedOut
2008-01-18 16:55:36 0 d-------- C:\ie-spyad_zo
2008-01-18 16:52:44 0 d-------- C:\Documents and Settings\User\Application Data\WinRAR
2008-01-18 16:42:49 0 d-------- C:\Program Files\SpywareBlaster
2008-01-18 16:18:15 0 dr-h----- C:\Documents and Settings\User\Recent
2008-01-18 15:39:55 8576 --a------ C:\WINDOWS\system32\drivers\sntsalcnqmhc.sys <Not Verified; Panda Software International; RKPavProc Driver>
2008-01-18 15:36:15 8576 --a------ C:\WINDOWS\system32\drivers\rjvescefttgt.sys <Not Verified; Panda Software International; RKPavProc Driver>
2008-01-18 15:18:22 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-01-18 15:18:20 0 d-------- C:\WINDOWS\LastGood
2008-01-14 20:31:27 0 d-------- C:\Documents and Settings\All Users\Application Data\pixelStorm
2008-01-11 23:01:21 0 d-------- C:\Program Files\Chikka Messenger
2008-01-11 22:42:33 765952 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-01-11 22:42:31 180224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-01-11 22:42:31 0 d-------- C:\Program Files\Xvid
2008-01-11 22:32:28 0 d-------- C:\Documents and Settings\Charles\Application Data\WinRAR
2008-01-10 19:39:12 0 d-------- C:\Program Files\Windows Defender
2008-01-10 15:29:23 0 d-------- C:\Program Files\Windows Live
2008-01-09 19:51:29 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-01-09 19:47:33 0 d--hs---- C:\Documents and Settings\LocalService\UserData
2008-01-09 02:14:18 0 d-------- C:\Program Files\Common Files\ODBC
2008-01-09 00:30:08 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-01-06 13:08:00 14 --a------ C:\WINDOWS\system32\-10958-54120
2008-01-06 13:07:46 168388 --a------ C:\WINDOWS\system32\drivers\mxdispdr.sys
2008-01-06 04:08:48 14 --a------ C:\WINDOWS\system32\systeminfo3.dll
2008-01-05 11:42:19 20541 --a------ C:\WINDOWS\system32\detoured.dll <Not Verified; Microsoft Corporation; Microsoft Research Detours Package>
2008-01-05 11:04:04 18087 --a------ C:\WINDOWS\system32\comrcinf.dat
2008-01-04 20:03:31 0 d-------- C:\Program Files\Common Files\Ahead
2008-01-04 13:45:48 396 --a------ C:\WINDOWS\system32\cmbinfo.dat
2008-01-04 13:45:43 134144 --a------ C:\WINDOWS\tempaq
2008-01-04 13:45:19 165693 --a------ C:\WINDOWS\system32\dodolook254.exe
2008-01-04 13:45:07 20480 --a------ C:\WINDOWS\system32\my_70049.exe
2008-01-03 23:56:23 0 d-------- C:\Program Files\Microsoft Works
2008-01-03 23:52:40 0 d-------- C:\Program Files\Microsoft Visual Studio 8
2007-12-21 18:45:41 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard


-- Find3M Report ---------------------------------------------------------------

2008-01-18 16:02:44 0 d-------- C:\Program Files\Symantec AntiVirus
2008-01-18 16:00:18 0 d-------- C:\Program Files\iTunes
2008-01-18 15:59:21 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-01-10 15:24:03 45056 ---hs---- C:\WINDOWS\bitdot.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2008-01-09 02:14:18 0 d-------- C:\Program Files\Common Files
2008-01-04 19:42:33 0 d-------- C:\Documents and Settings\User\Application Data\Adobe
2008-01-04 19:39:57 0 d-------- C:\Program Files\Common Files\Adobe
2007-12-23 01:03:04 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-10-24 17:38:11 116996 --a----c- C:\WINDOWS\hpoins11.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C86488AF-13D5-4FEF-9DDF-9FB88698CFC1}]
01/04/2008 02:10 PM 172032 --a------ C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\USERDATA\webbrowser_3103.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [01/23/2005 09:36 AM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [01/23/2005 09:31 AM]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [10/14/2004 01:42 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 06:51 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [04/27/2007 08:41 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07/27/2007 07:14 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 12:11 AM]
"x"="C:\WINDOWS\system32\x.exe" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [06/02/2005 09:21 AM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [06/23/2005 07:27 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 05:00 AM]
"ChikkaDefault"="C:\PROGRA~1\CHIKKA~1\CHIKKA~1.4\ChikkaLauncher.exe" [08/28/2007 05:11 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"lrzsny"=C:\WINDOWS\system32\lrzsny.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [1/4/2008 7:40:08 PM]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22d3cbaa-8028-11dc-8623-000f1f927d07}]
AutoRun\command- E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{468a92cc-5a31-11dc-85cc-000f1f927d07}]
AutoRun\command- E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9be5b1fc-5c22-11dc-85d4-000f1f927d07}]
Auto\command- setup.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

*Newly Created Service* - RJVESCEFTTGT
*Newly Created Service* - RKPAVPROC
*Newly Created Service* - SDTHOOK
*Newly Created Service* - SNTSALCNQMHC



-- Hosts -----------------------------------------------------------------------

127.0.0.2 localhost


-- End of Deckard's System Scanner: finished at 2008-01-18 17:14:48 ------------

Thank you.
Attached file: extra.txt (20.3 KB)

Last edited by Ried; 02-05-2008 at 08:32 PM. Reason: munged the live links for safety
jusatsking is offline  
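One way to make the by-eye triage of the log above repeatable, as an added example that is not part of this thread, of HijackThis or of Deckard's System Scanner: the script parses HijackThis-style O1/O2/O4/O9/O23 lines and flags the patterns a helper looks for in them (orphaned "(no file)" entries, a BHO loading from a user profile directory, the legacy RunServices key, system32 binaries with one-letter or vowel-less names, an IE button that points at a URL, a localhost mapping other than 127.0.0.1). The directory lists and the "random name" rule are this example's own assumptions, and the sample lines are excerpted from the log posted above.

```python
"""Triage a HijackThis-style log and list the entries worth a second look.

Added example, not part of the original post or of HijackThis itself. The
checks mirror what a forum helper does by eye; the directory lists and the
"random-looking name" heuristic are this example's own assumptions, so every
hit is a reading list for the analyst, not a verdict.
"""
import re

# Directories where vendor code is expected on a Windows XP box (assumption).
SYSTEM32_DIR = "c:\\windows\\system32\\"
PROFILE_DIR = "c:\\documents and settings\\"
VOWELS = set("aeiou")

# Excerpt of the HijackThis log posted above (O1/O2/O4/O9/O23 lines only).
SAMPLE_LOG = r"""
O1 - Hosts: 127.0.0.2 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Adobe Common Objects - {C86488AF-13D5-4FEF-9DDF-9FB88698CFC1} - C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\USERDATA\webbrowser_3103.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [x] C:\WINDOWS\system32\x.exe
O4 - HKLM\..\RunServices: [lrzsny] C:\WINDOWS\system32\lrzsny.exe
O9 - Extra button: Ò×Ȥ¹ºÎï - {EE60714F-AC17-427e-861A-FD60CBDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=824 (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

LINE_RE = re.compile(r"^(?P<sec>[OR]\d+) - (?P<body>.*)$")
# First drive-letter path ending in an executable extension on the line.
PATH_RE = re.compile(r"[a-z]:\\[^\"]*?\.(?:exe|dll|sys)", re.IGNORECASE)


def looks_random(stem):
    """Heuristic: one- or two-character names, or names with no vowel at all."""
    if len(stem) <= 2:
        return True
    letters = [c for c in stem.lower() if c.isalpha()]
    return bool(letters) and not any(c in VOWELS for c in letters)


def check_line(line):
    """Return the reasons this log line deserves a look (empty list if none)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    sec, body = m.group("sec"), m.group("body")
    low = body.lower()
    reasons = []

    if sec == "O1" and "localhost" in low and "127.0.0.1 " not in low:
        reasons.append("hosts file maps localhost to a non-default address")
    if "(no file)" in low or "(file missing)" in low:
        reasons.append("orphaned entry: referenced file is missing")
    if sec == "O9" and "http://" in low:
        reasons.append("IE button launches a remote URL")
    if "runservices" in low:
        reasons.append("RunServices key: a Win9x-era key modern installers do not use")

    pm = PATH_RE.search(body)
    if pm:
        path = pm.group(0).lower()
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if path.startswith(PROFILE_DIR):
            reasons.append("binary loads from a user-writable profile directory")
        elif path.startswith(SYSTEM32_DIR) and looks_random(stem):
            reasons.append(f"system32 binary with a random-looking name: {stem}")
    return reasons


def triage(log_text):
    """Map each flagged log line (stripped) to its reasons, in log order."""
    hits = {}
    for line in log_text.splitlines():
        reasons = check_line(line)
        if reasons:
            hits[line.strip()] = reasons
    return hits


if __name__ == "__main__":
    for flagged, why in triage(SAMPLE_LOG).items():
        print(flagged)
        for reason in why:
            print("    ->", reason)
```

Run it as is to triage the excerpt, or pass a whole hijackthis.log to triage(). Treat each hit as a line to research, not a verdict: the vowel-less-name rule would also flag hkcmd.exe from the same log, which is Intel's hotkey handler, and the script says nothing about entries it does not parse, such as the iur99 and ymze8d drivers in the DSS driver list, which need the same scrutiny by hand.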
#2  01-23-2008, 04:32 PM
Registered User | Join Date: Jan 2008 | Posts: 9 | OS: xp pro sp2

Re: Pop ups - Win32/BaiduSobar or Win32/Henbang

Bump.
jusatsking is offline  
#3  01-28-2008, 10:08 PM
Registered User | Join Date: Jan 2008 | Posts: 9 | OS: xp pro sp2

Re: Pop ups - Win32/BaiduSobar or Win32/Henbang

Bump.
jusatsking is offline  
#4  02-01-2008, 08:59 PM
Registered User | Join Date: Jan 2008 | Posts: 9 | OS: xp pro sp2

Re: Pop ups - Win32/BaiduSobar or Win32/Henbang

I thought a later scan log might be better.

PANDA log Activescan:


Incident Status Location

Adware:adware/baidubar Not disinfected Windows Registry
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\User\Cookies\user@com[1].txt
Adware:Adware/BaiduBar Not disinfected C:\WINDOWS\system32\morelion.exe[MdaSet.exe]

Deckard's System Scanner main.txt:

Deckard's System Scanner v20071014.68
Run by User on 2008-02-01 23:45:59
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as User.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:47:11 PM, on 01/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\User\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\User.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:Tabs
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 127.0.0.2 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe Common Objects - {C86488AF-13D5-4FEF-9DDF-9FB88698CFC1} - C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\USERDATA\webbrowser_3103.dll
O3 - Toolbar: (no name) - {D0943516-5076-4020-A3B5-AEFAF26AB263} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ChikkaDefault] C:\PROGRA~1\CHIKKA~1\CHIKKA~1.4\ChikkaLauncher.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Ò×Ȥ¹ºÎï - {EE60714F-AC17-427e-861A-FD60CBDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=824 (file missing)
O9 - Extra 'Tools' menuitem: Ò×Ȥ¹ºÎï - {EE60714F-AC17-427e-861A-FD60CBDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=824 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - http://gfx1.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...lscbase370.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} - http://www.trendsecure.com/easy_inst...syInstallX.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://messenger.zone.msn.com/binary...o.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} - http://messenger.zone.msn.com/binary...t.cab57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 8025 bytes

-- Files created between 2008-01-01 and 2008-02-01 -----------------------------

2008-02-01 23:05:22 0 dr-h----- C:\Documents and Settings\User\Recent
2008-02-01 22:11:39 0 d-------- C:\ie-spyad_zo
2008-02-01 22:03:22 0 d-------- C:\Program Files\SpywareBlaster
2008-02-01 21:52:56 8576 --a------ C:\WINDOWS\system32\drivers\mekyvadoedlc.sys <Not Verified; Panda Software International; RKPavProc Driver>
2008-02-01 18:29:57 0 d-------- C:\Documents and Settings\Default User\Application Data\Apple Computer
2008-02-01 18:18:44 0 d-------- C:\Program Files\Hewlett-Packard
2008-02-01 18:16:23 0 d-------- C:\WINDOWS\LastGood
2008-02-01 18:15:46 0 d-------- C:\Program Files\HP
2008-02-01 18:12:07 116970 --a------ C:\WINDOWS\hpoins11.dat
2008-01-30 00:03:25 0 d-------- C:\WINDOWS\system32\NtmsData
2008-01-28 01:47:42 0 d-------- C:\Documents and Settings\User\Application Data\OfficeUpdate12
2008-01-28 01:45:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-01-28 01:43:04 0 d-------- C:\Program Files\Windows Live Safety Center
2008-01-28 01:30:03 0 d-------- C:\Program Files\iPod
2008-01-28 01:29:35 0 d-------- C:\Program Files\iTunes
2008-01-28 01:26:17 0 d-------- C:\Program Files\QuickTime
2008-01-28 01:22:10 0 d-------- C:\Program Files\Common Files\Apple
2008-01-28 01:01:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-01-27 23:12:40 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-01-27 23:08:22 0 d-------- C:\Program Files\Yahoo!
2008-01-25 18:02:18 188960 -----n--- C:\WINDOWS\system\WINGDE.DLL <Not Verified; Microsoft Corporation; Microsoft® Windows(TM) Operating System>
2008-01-25 18:02:18 12800 -----n--- C:\WINDOWS\system\WING32.DLL <Not Verified; Microsoft Corporation; WinG>
2008-01-25 18:02:18 92208 -----n--- C:\WINDOWS\system\WING.DLL <Not Verified; Microsoft Corporation; WinG>
2008-01-25 18:02:18 44464 -----n--- C:\WINDOWS\system\D2HTOOLS.DLL <Not Verified; WexTech Systems, Inc.; Doc-To-Help®>
2008-01-22 20:20:30 0 d-------- C:\Program Files\Microsoft Games
2008-01-21 15:11:10 298496 -----n--- C:\WINDOWS\uninst.exe <Not Verified; InstallShield Corporation, Inc.; InstallShield unInstaller>
2008-01-21 15:11:08 0 d-------- C:\Documents and Settings\User\WINDOWS
2008-01-18 17:13:12 0 d-------- C:\Program Files\Trend Micro
2008-01-18 16:52:44 0 d-------- C:\Documents and Settings\User\Application Data\WinRAR
2008-01-18 15:36:15 8576 -----n--- C:\WINDOWS\system32\drivers\rjvescefttgt.sys <Not Verified; Panda Software International; RKPavProc Driver>
2008-01-18 15:18:22 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-01-14 20:31:27 0 d-------- C:\Documents and Settings\All Users\Application Data\pixelStorm
2008-01-11 23:01:21 0 d-------- C:\Program Files\Chikka Messenger
2008-01-11 22:42:33 765952 -----n--- C:\WINDOWS\system32\xvidcore.dll
2008-01-11 22:42:31 180224 -----n--- C:\WINDOWS\system32\xvidvfw.dll
2008-01-11 22:42:31 0 d-------- C:\Program Files\Xvid
2008-01-11 22:32:28 0 d-------- C:\Documents and Settings\Charles\Application Data\WinRAR
2008-01-10 19:39:12 0 d-------- C:\Program Files\Windows Defender
2008-01-10 15:29:23 0 d-------- C:\Program Files\Windows Live
2008-01-09 19:51:29 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-01-09 19:47:33 0 d--hs---- C:\Documents and Settings\LocalService\UserData
2008-01-09 02:14:18 0 d-------- C:\Program Files\Common Files\ODBC
2008-01-09 00:30:08 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-01-06 13:08:00 14 -----n--- C:\WINDOWS\system32\-10958-54120
2008-01-06 04:08:48 14 -----n--- C:\WINDOWS\system32\systeminfo3.dll
2008-01-05 11:42:19 20541 -----n--- C:\WINDOWS\system32\detoured.dll <Not Verified; Microsoft Corporation; Microsoft Research Detours Package>
2008-01-05 11:04:04 18087 -----n--- C:\WINDOWS\system32\comrcinf.dat
2008-01-04 13:45:48 396 -----n--- C:\WINDOWS\system32\cmbinfo.dat
2008-01-04 13:45:19 165693 -----n--- C:\WINDOWS\system32\dodolook254.exe
2008-01-03 23:56:23 0 d-------- C:\Program Files\Microsoft Works
2008-01-03 23:52:40 0 d-------- C:\Program Files\Microsoft Visual Studio 8


-- Find3M Report ---------------------------------------------------------------

2008-02-01 23:22:41 0 d-------- C:\Program Files\Symantec AntiVirus
2008-02-01 23:19:42 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-02-01 18:01:33 0 d-------- C:\Program Files\Common Files
2008-01-28 18:10:47 0 d-------- C:\Documents and Settings\User\Application Data\Image Zone Express
2008-01-28 13:14:16 0 d-------- C:\Program Files\Apple Software Update
2008-01-27 23:12:42 0 d-------- C:\Documents and Settings\User\Application Data\Adobe
2008-01-21 15:43:15 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-10 15:24:03 45056 ---hs---- C:\WINDOWS\bitdot.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2008-01-05 20:15:45 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-04 19:39:57 0 d-------- C:\Program Files\Common Files\Adobe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C86488AF-13D5-4FEF-9DDF-9FB88698CFC1}]
04/01/2008 02:10 PM 172032 --------- C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\USERDATA\webbrowser_3103.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [23/01/2005 09:36 AM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [23/01/2005 09:31 AM]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [14/10/2004 01:42 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 06:51 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 12:11 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [02/06/2005 09:21 AM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [23/06/2005 07:27 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [03/11/2006 07:20 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [10/01/2008 03:27 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [15/01/2008 03:22 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 05:00 AM]
"ChikkaDefault"="C:\PROGRA~1\CHIKKA~1\CHIKKA~1.4\ChikkaLauncher.exe" [28/08/2007 05:11 PM]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [30/08/2007 05:43 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [04/01/2008 7:40:08 PM]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22d3cbaa-8028-11dc-8623-000f1f927d07}]
AutoRun\command- E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{468a92cc-5a31-11dc-85cc-000f1f927d07}]
AutoRun\command- E:\LaunchU3.exe -a

*Newly Created Service* - MEKYVADOEDLC
*Newly Created Service* - VCABIAHBWJXA



-- End of Deckard's System Scanner: finished at 2008-02-01 23:47:24 ------------


Thank you.
Old 02-05-2008, 06:35 PM   #5 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 9
OS: xp pro sp2


Re: Pop ups - Win32/BaiduSobar or Win32/Henbang

Bump.
Old 02-05-2008, 08:27 PM   #6 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 23,954
OS: WinXP and Vista


Re: Pop ups - Win32/BaiduSobar or Win32/Henbang

Hello jusatsking.

Welcome to TSF, and our apologies for the oversight of your thread.

This will require more than one round to properly eradicate. Please stay with me until given the 'all clear' even if symptoms seemingly abate.

We'll begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomputer.com/comb...o-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 02-06-2008, 09:54 PM   #7 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 9
OS: xp pro sp2


Re: Pop ups - Win32/BaiduSobar or Win32/Henbang

Hi Ried, thank you for your time.

I did the ComboFix procedure and followed the instructions thoroughly (I printed out the instructions), but I don't think the result is what you are looking for. There was no C:\ComboFix.txt, but it did give me a CF-RC.txt.

CF-RC.txt:

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons


new HijackThis log
hijackthis.log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:45:39 AM, on 07/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:Tabs
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 127.0.0.2 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {D0943516-5076-4020-A3B5-AEFAF26AB263} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ChikkaDefault] C:\PROGRA~1\CHIKKA~1\CHIKKA~1.4\ChikkaLauncher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - http://gfx1.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...lscbase370.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} - http://www.trendsecure.com/easy_inst...syInstallX.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://messenger.zone.msn.com/binary...o.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} - http://messenger.zone.msn.com/binary...t.cab57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6858 bytes

Thank you.
Old 02-06-2008, 10:24 PM   #8 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 23,954
OS: WinXP and Vista


Re: Pop ups - Win32/BaiduSobar or Win32/Henbang

Thank you jusatsking. If you have not rebooted yet (per the RC install instructions) please reboot now.

From Normal Mode:

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

---------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we may begin cleaning the system.
Old 02-07-2008, 01:25 PM   #9 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 9
OS: xp pro sp2


Re: Pop ups - Win32/BaiduSobar or Win32/Henbang

So that's why I didn't get the log, I thought it was done after the "drag and drop thing". lol Anyways, I followed what you've said and here's the log.

C:\ComboFix.txt:

ComboFix 08-02.05.3 - User 2008-02-07 15:38:26.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.568 [GMT -5:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\iur99.sys
C:\Documents and Settings\All Users\Application Data\microsoft\office\system
C:\Documents and Settings\All Users\Application Data\microsoft\office\system\6P2nzohpdw_3103
C:\Documents and Settings\All Users\Application Data\microsoft\office\system\AtwFRWIWZc_3103
C:\Documents and Settings\All Users\Application Data\microsoft\office\system\DFiQehr0E9_3103.exe
C:\Documents and Settings\All Users\Application Data\microsoft\office\system\k18NVRc7Kb_3103
C:\Documents and Settings\All Users\Application Data\microsoft\office\system\keWwOL8j35_3103
C:\Documents and Settings\All Users\Application Data\microsoft\office\system\KqlOcagh9x_3103.exe
C:\Documents and Settings\All Users\Application Data\microsoft\office\system\mh79dEPbiS_3103
C:\Documents and Settings\All Users\Application Data\microsoft\office\system\MxUK7IUi16_3103
C:\Documents and Settings\All Users\Application Data\microsoft\office\system\Qa5G3xjmmT_3103
C:\Documents and Settings\All Users\Application Data\microsoft\office\system\QLcY7HR73w_3103
C:\Documents and Settings\All Users\Application Data\microsoft\office\system\sysloader.exe
C:\Documents and Settings\All Users\Application Data\microsoft\office\system\uf0GPYlcZP_3103
C:\Documents and Settings\All Users\Application Data\microsoft\office\system\ydHh9ZbzCA_3103
C:\Documents and Settings\All Users\Application Data\microsoft\office\system\yV8qWKyK0W_3103.exe
C:\Documents and Settings\All Users\Application Data\microsoft\office\userdata
C:\Documents and Settings\All Users\Application Data\microsoft\office\userdata\webbrowser_3103.dll
C:\Documents and Settings\All Users\Application Data\microsoft\pctools
C:\WINDOWS\KB611311.log
C:\WINDOWS\system32\d3d1caps.srg
C:\WINDOWS\system32\dodolook254.exe
C:\WINDOWS\system32\drivers\iur99.sys
C:\WINDOWS\system32\iexp_log.txt
C:\WINDOWS\system32\mstacim.sig
C:\WINDOWS\system32\systeminfo3.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_SYSLOADER
-------\sysloader


((((((((((((((((((((((((( Files Created from 2008-01-07 to 2008-02-07 )))))))))))))))))))))))))))))))
.

2008-02-07 15:37 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-02-07 01:24 . 2008-02-07 01:24 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-02-06 17:35 . 2008-02-06 17:35 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-02-06 17:35 . 2008-02-06 22:45 <DIR> d-------- C:\Program Files\GameSpy Arcade
2008-02-05 22:02 . 2008-02-05 22:02 70,120 --a------ C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
2008-02-05 21:49 . 2008-02-05 21:49 <DIR> d-------- C:\Program Files\Ready to Program
2008-02-01 23:45 . 2008-02-01 23:45 <DIR> d-------- C:\Deckard
2008-02-01 22:11 . 2008-02-01 22:13 <DIR> d-------- C:\ie-spyad_zo
2008-02-01 22:03 . 2008-02-07 01:27 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-02-01 21:52 . 2007-06-08 09:44 8,576 --------- C:\WINDOWS\system32\drivers\mekyvadoedlc.sys
2008-02-01 18:29 . 2008-02-01 18:29 <DIR> d-------- C:\Documents and Settings\Default User\Application Data\Apple Computer
2008-02-01 18:18 . 2008-02-01 18:18 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-02-01 18:15 . 2008-02-01 18:15 <DIR> d-------- C:\Program Files\HP
2008-02-01 18:12 . 2008-02-01 18:19 116,970 --------- C:\WINDOWS\hpoins11.dat
2008-01-30 00:03 . 2008-02-02 00:47 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-01-29 17:14 . 2008-01-29 23:52 32 --------- C:\WINDOWS\Menu.INI
2008-01-28 02:02 . 2008-01-28 01:58 0 --------- C:\WINDOWS\_detmp.2
2008-01-28 01:59 . 2008-01-28 01:58 0 --------- C:\WINDOWS\_detmp.1
2008-01-28 01:47 . 2008-01-28 01:48 <DIR> d-------- C:\Documents and Settings\User\Application Data\OfficeUpdate12
2008-01-28 01:45 . 2008-01-28 01:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-01-28 01:43 . 2008-02-01 02:39 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-01-28 01:31 . 2008-01-28 01:31 1,409 --------- C:\WINDOWS\QTFont.for
2008-01-28 01:30 . 2008-01-28 01:30 <DIR> d-------- C:\Program Files\iPod
2008-01-28 01:29 . 2008-02-01 23:20 <DIR> d-------- C:\Program Files\iTunes
2008-01-28 01:26 . 2008-01-28 01:27 <DIR> d-------- C:\Program Files\QuickTime
2008-01-28 01:22 . 2008-01-28 01:22 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-01-28 01:01 . 2008-01-28 01:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-01-27 23:12 . 2008-01-27 23:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-01-27 23:08 . 2008-01-27 23:11 <DIR> d-------- C:\Program Files\Yahoo!
2008-01-27 01:24 . 2008-01-27 01:24 221 --------- C:\WINDOWS\NCLogConfig.ini
2008-01-25 18:12 . 2008-02-01 01:27 370 --------- C:\WINDOWS\SIERRA.INI
2008-01-25 18:02 . 1994-08-24 00:00 188,960 --------- C:\WINDOWS\system\WINGDE.DLL
2008-01-25 18:02 . 1994-09-21 00:00 92,208 --------- C:\WINDOWS\system\WING.DLL
2008-01-25 18:02 . 1994-11-29 00:00 44,464 --------- C:\WINDOWS\system\D2HTOOLS.DLL
2008-01-25 18:02 . 1994-09-21 00:00 12,800 --------- C:\WINDOWS\system\WING32.DLL
2008-01-25 18:02 . 1994-09-21 00:00 6,736 --------- C:\WINDOWS\system\WINGDIB.DRV
2008-01-25 18:02 . 1994-09-21 00:00 5,024 --------- C:\WINDOWS\system\WINGPAL.WND
2008-01-25 18:02 . 1994-06-27 00:00 1,966 --------- C:\WINDOWS\system\DVA.386
2008-01-22 20:20 . 2008-02-07 00:23 <DIR> d-------- C:\Program Files\Microsoft Games
2008-01-21 15:11 . 2008-01-21 15:11 <DIR> d-------- C:\Documents and Settings\User\WINDOWS
2008-01-21 15:11 . 1996-08-16 13:49 298,496 --------- C:\WINDOWS\uninst.exe
2008-01-18 17:13 . 2008-01-18 18:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-18 15:36 . 2007-06-08 09:44 8,576 --------- C:\WINDOWS\system32\drivers\rjvescefttgt.sys
2008-01-18 15:18 . 2008-02-01 23:27 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-18 15:18 . 2008-02-01 21:48 30,590 --------- C:\WINDOWS\system32\pavas.ico
2008-01-18 15:18 . 2008-02-01 21:48 2,550 --------- C:\WINDOWS\system32\Uninstall.ico
2008-01-18 15:18 . 2008-02-01 21:48 1,406 --------- C:\WINDOWS\system32\Help.ico
2008-01-14 20:31 . 2008-01-14 20:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\pixelStorm
2008-01-11 23:01 . 2008-01-11 23:01 <DIR> d-------- C:\Program Files\Chikka Messenger
2008-01-11 22:42 . 2008-01-11 22:42 <DIR> d-------- C:\Program Files\Xvid
2008-01-11 22:42 . 2007-06-28 18:52 765,952 --------- C:\WINDOWS\system32\xvidcore.dll
2008-01-11 22:42 . 2007-06-28 18:54 180,224 --------- C:\WINDOWS\system32\xvidvfw.dll
2008-01-11 22:42 . 2007-06-28 18:55 77,824 --------- C:\WINDOWS\system32\xvid.ax
2008-01-10 19:39 . 2008-02-01 23:22 <DIR> d-------- C:\Program Files\Windows Defender
2008-01-10 15:29 . 2008-01-10 15:41 <DIR> d-------- C:\Program Files\Windows Live
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --------- C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --------- C:\WINDOWS\system32\QuickTime.qts
2008-01-09 19:47 . 2008-01-09 19:47 <DIR> d--hs---- C:\Documents and Settings\LocalService\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-07 20:39 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-02-07 06:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-02-07 03:12 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-06 05:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-02 04:19 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-28 23:10 --------- d-----w C:\Documents and Settings\User\Application Data\Image Zone Express
2008-01-28 18:14 --------- d-----w C:\Program Files\Apple Software Update
2008-01-10 20:24 45,056 --sh--w C:\WINDOWS\bitdot.dll
2008-01-06 01:15 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-05 23:15 47,360 ------w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-01-05 16:42 20,541 ------w C:\WINDOWS\system32\detoured.dll
2008-01-04 04:56 --------- d-----w C:\Program Files\Microsoft Works
2008-01-04 04:52 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-01-07 04:55 28 --sh--w C:\WINDOWS\bitdot.dat
2007-01-07 04:55 8,464 --sh--w C:\WINDOWS\system32\sporder.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"ChikkaDefault"="C:\PROGRA~1\CHIKKA~1\CHIKKA~1.4\ChikkaLauncher.exe" [2007-08-28 17:11 36864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-01-23 09:36 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-01-23 09:31 126976]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 13:42 1404928]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 09:21 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-06-23 19:27 85696]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

R3 EraserUtilDrv10741;EraserUtilDrv10741;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10741.sys [2008-01-18 04:00]
S0 iur99;iur9;C:\WINDOWS\system32\DRIVERS\iur99.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22d3cbaa-8028-11dc-8623-000f1f927d07}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{468a92cc-5a31-11dc-85cc-000f1f927d07}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-02-06 23:14:16 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-07 21:05:33 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-02-07 04:45:00 C:\WINDOWS\Tasks\WebReg psc C3100 series.job"
- C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-07 16:02:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-02-07 16:07:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-07 21:06:32
.
2008-02-06 00:07:59 --- E O F ---




I just want to know if you have seen this problem (or malware) be very dangerous, in the sense that it hacks or steals passwords, credit card numbers, etc.

Thank you.
Old 02-07-2008, 07:57 PM   #10 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 23,954
OS: WinXP and Vista


Re: Pop ups - Win32/BaiduSobar or Win32/Henbang

Hello jusatsking,

We can't always be sure, as malware will mutate and change its behavior. Given that, it's always a good idea to change logins and passwords from another known clean computer, and not use the infected computer until it has been cleaned.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.

***************************************************

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

---------------------------------------------------------------------

Open notepad and copy/paste the text in the code box below into it:

Code:
File::
C:\WINDOWS\system32\morelion.exe

Driver::
iur99

Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


--------------------------------------------------------------------

Please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------

Run a new scan with HijackThis and save the log.

---------------------------------------------------------------

Please include the following in your next reply:

C:\ComboFix.txt
Kaspersky results
New HijackThis log
Update on system behavior
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 02-08-2008, 12:22 AM   #11
Registered User
 
Join Date: Jan 2008
Posts: 9
OS: xp pro sp2


Re: Pop ups - Win32/BaiduSobar or Win32/Henbang

Hi, this is what I have:

C:\ComboFix.txt:

ComboFix 08-02.05.3 - User 2008-02-07 23:34:04.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.649 [GMT -5:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\morelion.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\morelion.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_IUR99
-------\iur99


((((((((((((((((((((((((( Files Created from 2008-01-08 to 2008-02-08 )))))))))))))))))))))))))))))))
.

2008-02-07 15:37 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-02-07 01:24 . 2008-02-07 01:24 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-02-07 00:32 . 2004-08-04 05:00 388,608 --a------ C:\kmd.exe
2008-02-06 17:35 . 2008-02-06 17:35 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-02-06 17:35 . 2008-02-06 22:45 <DIR> d-------- C:\Program Files\GameSpy Arcade
2008-02-05 22:02 . 2008-02-05 22:02 70,120 --a------ C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
2008-02-05 21:49 . 2008-02-05 21:49 <DIR> d-------- C:\Program Files\Ready to Program
2008-02-01 23:45 . 2008-02-01 23:45 <DIR> d-------- C:\Deckard
2008-02-01 22:11 . 2008-02-01 22:13 <DIR> d-------- C:\ie-spyad_zo
2008-02-01 22:03 . 2008-02-07 01:27 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-02-01 21:52 . 2007-06-08 09:44 8,576 --------- C:\WINDOWS\system32\drivers\mekyvadoedlc.sys
2008-02-01 18:29 . 2008-02-01 18:29 <DIR> d-------- C:\Documents and Settings\Default User\Application Data\Apple Computer
2008-02-01 18:18 . 2008-02-01 18:18 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-02-01 18:15 . 2008-02-01 18:15 <DIR> d-------- C:\Program Files\HP
2008-02-01 18:12 . 2008-02-01 18:19 116,970 --------- C:\WINDOWS\hpoins11.dat
2008-01-30 00:03 . 2008-02-02 00:47 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-01-29 17:14 . 2008-01-29 23:52 32 --------- C:\WINDOWS\Menu.INI
2008-01-28 02:02 . 2008-01-28 01:58 0 --------- C:\WINDOWS\_detmp.2
2008-01-28 01:59 . 2008-01-28 01:58 0 --------- C:\WINDOWS\_detmp.1
2008-01-28 01:47 . 2008-01-28 01:48 <DIR> d-------- C:\Documents and Settings\User\Application Data\OfficeUpdate12
2008-01-28 01:45 . 2008-01-28 01:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-01-28 01:43 . 2008-02-07 18:26 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-01-28 01:31 . 2008-01-28 01:31 1,409 --------- C:\WINDOWS\QTFont.for
2008-01-28 01:30 . 2008-01-28 01:30 <DIR> d-------- C:\Program Files\iPod
2008-01-28 01:29 . 2008-02-01 23:20 <DIR> d-------- C:\Program Files\iTunes
2008-01-28 01:26 . 2008-01-28 01:27 <DIR> d-------- C:\Program Files\QuickTime
2008-01-28 01:22 . 2008-01-28 01:22 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-01-28 01:01 . 2008-01-28 01:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-01-27 23:12 . 2008-01-27 23:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-01-27 23:08 . 2008-01-27 23:11 <DIR> d-------- C:\Program Files\Yahoo!
2008-01-27 01:24 . 2008-01-27 01:24 221 --------- C:\WINDOWS\NCLogConfig.ini
2008-01-25 18:12 . 2008-02-01 01:27 370 --------- C:\WINDOWS\SIERRA.INI
2008-01-25 18:02 . 1994-08-24 00:00 188,960 --------- C:\WINDOWS\system\WINGDE.DLL
2008-01-25 18:02 . 1994-09-21 00:00 92,208 --------- C:\WINDOWS\system\WING.DLL
2008-01-25 18:02 . 1994-11-29 00:00 44,464 --------- C:\WINDOWS\system\D2HTOOLS.DLL
2008-01-25 18:02 . 1994-09-21 00:00 12,800 --------- C:\WINDOWS\system\WING32.DLL
2008-01-25 18:02 . 1994-09-21 00:00 6,736 --------- C:\WINDOWS\system\WINGDIB.DRV
2008-01-25 18:02 . 1994-09-21 00:00 5,024 --------- C:\WINDOWS\system\WINGPAL.WND
2008-01-25 18:02 . 1994-06-27 00:00 1,966 --------- C:\WINDOWS\system\DVA.386
2008-01-22 20:20 . 2008-02-07 00:23 <DIR> d-------- C:\Program Files\Microsoft Games
2008-01-21 15:11 . 2008-01-21 15:11 <DIR> d-------- C:\Documents and Settings\User\WINDOWS
2008-01-21 15:11 . 1996-08-16 13:49 298,496 --------- C:\WINDOWS\uninst.exe
2008-01-18 17:13 . 2008-01-18 18:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-18 15:36 . 2007-06-08 09:44 8,576 --------- C:\WINDOWS\system32\drivers\rjvescefttgt.sys
2008-01-18 15:18 . 2008-02-01 23:27 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-18 15:18 . 2008-02-01 21:48 30,590 --------- C:\WINDOWS\system32\pavas.ico
2008-01-18 15:18 . 2008-02-01 21:48 2,550 --------- C:\WINDOWS\system32\Uninstall.ico
2008-01-18 15:18 . 2008-02-01 21:48 1,406 --------- C:\WINDOWS\system32\Help.ico
2008-01-14 20:31 . 2008-01-14 20:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\pixelStorm
2008-01-11 23:01 . 2008-01-11 23:01 <DIR> d-------- C:\Program Files\Chikka Messenger
2008-01-11 22:42 . 2008-02-07 16:07 <DIR> d-------- C:\Program Files\Xvid
2008-01-11 22:42 . 2007-06-28 18:52 765,952 --------- C:\WINDOWS\system32\xvidcore.dll
2008-01-11 22:42 . 2007-06-28 18:54 180,224 --------- C:\WINDOWS\system32\xvidvfw.dll
2008-01-11 22:42 . 2007-06-28 18:55 77,824 --------- C:\WINDOWS\system32\xvid.ax
2008-01-10 19:39 . 2008-02-01 23:22 <DIR> d-------- C:\Program Files\Windows Defender
2008-01-10 15:29 . 2008-01-10 15:41 <DIR> d-------- C:\Program Files\Windows Live
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --------- C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --------- C:\WINDOWS\system32\QuickTime.qts
2008-01-09 19:47 . 2008-01-09 19:47 <DIR> d--hs---- C:\Documents and Settings\LocalService\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-08 04:36 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-02-07 06:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-02-07 03:12 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-06 05:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-02 04:19 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-28 23:10 --------- d-----w C:\Documents and Settings\User\Application Data\Image Zone Express
2008-01-28 18:14 --------- d-----w C:\Program Files\Apple Software Update
2008-01-10 20:24 45,056 --sh--w C:\WINDOWS\bitdot.dll
2008-01-06 01:15 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-05 23:15 47,360 ------w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-01-04 04:56 --------- d-----w C:\Program Files\Microsoft Works
2008-01-04 04:52 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2007-01-07 04:55 28 --sh--w C:\WINDOWS\bitdot.dat
2007-01-07 04:55 8,464 --sh--w C:\WINDOWS\system32\sporder.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"ChikkaDefault"="C:\PROGRA~1\CHIKKA~1\CHIKKA~1.4\ChikkaLauncher.exe" [2007-08-28 17:11 36864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-01-23 09:36 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-01-23 09:31 126976]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 13:42 1404928]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 09:21 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-06-23 19:27 85696]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

R3 EraserUtilDrv10741;EraserUtilDrv10741;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10741.sys [2008-01-18 04:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22d3cbaa-8028-11dc-8623-000f1f927d07}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{468a92cc-5a31-11dc-85cc-000f1f927d07}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-02-06 23:14:16 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-07 21:05:33 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-02-07 04:45:00 C:\WINDOWS\Tasks\WebReg psc C3100 series.job"
- C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-07 23:36:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-02-07 23:39:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-08 04:39:01
ComboFix2.txt 2008-02-07 21:07:07
.
2008-02-07 21:07:16 --- E O F ---


Kaspersky results:

KASPERSKY ONLINE SCANNER REPORT
Friday, February 08, 2008 3:06:20 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 8/02/2008
Kaspersky Anti-Virus database records: 553987


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\

Scan Statistics
Total number of scanned objects 39161
Number of viruses found 7
Number of infected objects 39
Number of suspicious objects 0
Duration of the scan process 00:55:44

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-01102008-193920.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\User\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{58A32B48-8A91-49AC-94D6-EA7D2ECB2D19} Object is locked skipped

C:\Documents and Settings\User\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\User\Local Settings\History\History.IE5\MSHist012008020820080209\index.dat Object is locked skipped

C:\Documents and Settings\User\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\User\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\User\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped

C:\Program Files\Symantec AntiVirus\SAVRT\0062NAV~.TMP Object is locked skipped

C:\Program Files\Symantec AntiVirus\SAVRT\0096NAV~.TMP Object is locked skipped

C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\SYSTEM\DFiQehr0E9_3103.exe.vir/data0002/data0001.bin Infected: Trojan-Downloader.Win32.Agent.hkj skipped

C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\SYSTEM\DFiQehr0E9_3103.exe.vir/data0002 Infected: Trojan-Downloader.Win32.Agent.hkj skipped

C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\SYSTEM\DFiQehr0E9_3103.exe.vir NSIS: infected - 2 skipped

C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\SYSTEM\KqlOcagh9x_3103.exe.vir/data0002 Infected: Trojan-Downloader.Win32.Agent.hej skipped

C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\SYSTEM\KqlOcagh9x_3103.exe.vir NSIS: infected - 1 skipped

C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\SYSTEM\MxUK7IUi16_3103.vir/stream/data0001/data0001.bin Infected: Trojan-Downloader.Win32.Agent.iap skipped

C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\SYSTEM\MxUK7IUi16_3103.vir/stream/data0001 Infected: Trojan-Downloader.Win32.Agent.iap skipped

C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\SYSTEM\MxUK7IUi16_3103.vir/stream Infected: Trojan-Downloader.Win32.Agent.iap skipped

C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\SYSTEM\MxUK7IUi16_3103.vir NSIS: infected - 3 skipped

C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\SYSTEM\yV8qWKyK0W_3103.exe.vir/data0002/data0001.bin Infected: Trojan-Downloader.Win32.Agent.hkj skipped

C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\SYSTEM\yV8qWKyK0W_3103.exe.vir/data0002 Infected: Trojan-Downloader.Win32.Agent.hkj skipped

C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\SYSTEM\yV8qWKyK0W_3103.exe.vir NSIS: infected - 2 skipped

C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\USERDATA\webbrowser_3103.dll.vir Infected: not-a-virus:AdWare.Win32.IEHlpr.bd skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\dodolook254.exe.vir/stream/data0002/data0004 Infected: not-a-virus:AdWare.Win32.Cinmus.bdh skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\dodolook254.exe.vir/stream/data0002 Infected: not-a-virus:AdWare.Win32.Cinmus.bdh skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\dodolook254.exe.vir/stream Infected: not-a-virus:AdWare.Win32.Cinmus.bdh skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\dodolook254.exe.vir NSIS: infected - 3 skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\morelion.exe.vir/data.rar/wtlair.dll Infected: not-a-virus:AdWare.Win32.Hengbang.ac skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\morelion.exe.vir/data.rar Infected: not-a-virus:AdWare.Win32.Hengbang.ac skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\morelion.exe.vir RarSFX: infected - 2 skipped

C:\QooBox\Quarantine\catchme2008-02-07_160242.95.zip/iur99.sys Infected: Trojan-Downloader.Win32.Hmir.tk skipped

C:\QooBox\Quarantine\catchme2008-02-07_160242.95.zip ZIP: infected - 1 skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{441C4F76-685B-4810-BD85-5A366DC41C77}\RP242\A0032545.exe/stream/data0002/data0004 Infected: not-a-virus:AdWare.Win32.Cinmus.bdh skipped

C:\System Volume Information\_restore{441C4F76-685B-4810-BD85-5A366DC41C77}\RP242\A0032545.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.Cinmus.bdh skipped

C:\System Volume Information\_restore{441C4F76-685B-4810-BD85-5A366DC41C77}\RP242\A0032545.exe/stream Infected: not-a-virus:AdWare.Win32.Cinmus.bdh skipped

C:\System Volume Information\_restore{441C4F76-685B-4810-BD85-5A366DC41C77}\RP242\A0032545.exe NSIS: infected - 3 skipped

C:\System Volume Information\_restore{441C4F76-685B-4810-BD85-5A366DC41C77}\RP242\A0032547.exe/data0002/data0001.bin Infected: Trojan-Downloader.Win32.Agent.hkj skipped

C:\System Volume Information\_restore{441C4F76-685B-4810-BD85-5A366DC41C77}\RP242\A0032547.exe/data0002 Infected: Trojan-Downloader.Win32.Agent.hkj skipped

C:\System Volume Information\_restore{441C4F76-685B-4810-BD85-5A366DC41C77}\RP242\A0032547.exe NSIS: infected - 2 skipped

C:\System Volume Information\_restore{441C4F76-685B-4810-BD85-5A366DC41C77}\RP242\A0032548.exe/data0002 Infected: Trojan-Downloader.Win32.Agent.hej skipped

C:\System Volume Information\_restore{441C4F76-685B-4810-BD85-5A366DC41C77}\RP242\A0032548.exe NSIS: infected - 1 skipped

C:\System Volume Information\_restore{441C4F76-685B-4810-BD85-5A366DC41C77}\RP242\A0032549.exe/data0002/data0001.bin Infected: Trojan-Downloader.Win32.Agent.hkj skipped

C:\System Volume Information\_restore{441C4F76-685B-4810-BD85-5A366DC41C77}\RP242\A0032549.exe/data0002 Infected: Trojan-Downloader.Win32.Agent.hkj skipped

C:\System Volume Information\_restore{441C4F76-685B-4810-BD85-5A366DC41C77}\RP242\A0032549.exe NSIS: infected - 2 skipped

C:\System Volume Information\_restore{441C4F76-685B-4810-BD85-5A366DC41C77}\RP242\A0032550.dll Infected: not-a-virus:AdWare.Win32.IEHlpr.bd skipped

C:\System Volume Information\_restore{441C4F76-685B-4810-BD85-5A366DC41C77}\RP243\A0032605.dll Infected: Trojan-Downloader.Win32.Hmir.tk skipped

C:\System Volume Information\_restore{441C4F76-685B-4810-BD85-5A366DC41C77}\RP245\A0032619.exe/data.rar/wtlair.dll Infected: not-a-virus:AdWare.Win32.Hengbang.ac skipped

C:\System Volume Information\_restore{441C4F76-685B-4810-BD85-5A366DC41C77}\RP245\A0032619.exe/data.rar Infected: not-a-virus:AdWare.Win32.Hengbang.ac skipped

C:\System Volume Information\_restore{441C4F76-685B-4810-BD85-5A366DC41C77}\RP245\A0032619.exe RarSFX: infected - 2 skipped

C:\System Volume Information\_restore{441C4F76-685B-4810-BD85-5A366DC41C77}\RP245\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{D88A4ECF-F01E-4239-89EA-14074A36033A}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped

C:\WINDOWS\system32\config\OSession.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


New HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:10:31 AM, on 08/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:Tabs
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {D0943516-5076-4020-A3B5-AEFAF26AB263} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ChikkaDefault] C:\PROGRA~1\CHIKKA~1\CHIKKA~1.4\ChikkaLauncher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - http://gfx1.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...lscbase370.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} - http://www.trendsecure.com/easy_inst...syInstallX.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://messenger.zone.msn.com/binary...o.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} - http://messenger.zone.msn.com/binary...t.cab57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7319 bytes


Update on system behavior:

As I've noticed, I'm not getting these pop-ups while browsing the Internet since the first ComboFix operation.

Thank you.
Old 02-08-2008, 06:08 AM   #12 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 23,954
OS: WinXP and Vista


Re: Pop ups - Win32/BaiduSobar or Win32/Henbang

Hi jusatsking,

That's good to hear, as these logs are clean. Kaspersky is only reporting backups that were created during the course of this fix.

For tidiness' sake, let's fix these orphaned entries:

Run a scan with HijackThis and 'check' the following entries:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: (no name) - {D0943516-5076-4020-A3B5-AEFAF26AB263} - (no file)


Click 'Fix Checked' and close HijackThis.

------------------------------------------------------

If there aren't any more problems, please continue with these final instructions and helpful links:

The following procedure will clear out ComboFix.exe, as well as the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

--------------------------------------------------------------------


To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor--free version. The folks there check out websites and, based on their findings, rate them as Safe, Unknown, Caution, or Bad.

SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
  • It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.

IESpyAD Zoned Out to block access to malicious websites so you cannot be redirected to them from an infected site or email. This severely impairs attempts to infect your system as it basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.


Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.


In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?

HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
THE ANTI-SPYWARE TUTORIAL
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls

**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

-----------------------------------------------------

Follow the list above and the potential for infection will reduce dramatically.

**Kindly respond one more time and let me know if we may consider this thread resolved.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
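As an added example (not code from this thread, from HijackThis, or from the helper), here is a small Python parser for HijackThis log entries in the format quoted above. It flags the orphaned "(no file)" / "(file missing)" entries that the helper asks to fix for tidiness, and separately lists O23 services whose publisher field reads "Unknown owner". The sample log is constructed from entries quoted in this thread.

```python
import re

# Constructed sample: entries copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: (no name) - {D0943516-5076-4020-A3B5-AEFAF26AB263} - (no file)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
"""

# Every HijackThis entry starts with a section code (R3, O3, O16, O23, ...)
# followed by " - " and the entry body.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")


def parse_entries(text):
    """Split a HijackThis log into (section, body) tuples; non-entry lines
    such as the 'End of file' trailer are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def find_orphans(text):
    """Entries whose target no longer exists on disk.

    HijackThis marks a registry entry pointing at a missing object with
    '(no file)' and a registered service whose binary is absent with
    '(file missing)'. After a cleanup these are leftovers, not active code,
    which is why the helper fixes them only for tidiness."""
    return [(s, b) for s, b in parse_entries(text)
            if b.endswith("(no file)") or b.endswith("(file missing)")]


def unknown_owner_services(text):
    """O23 service entries whose publisher field is 'Unknown owner'.
    A legitimate service normally carries its vendor's name, so these
    deserve a second look when reviewing a log."""
    return [b for s, b in parse_entries(text)
            if s == "O23" and " - Unknown owner - " in b]


if __name__ == "__main__":
    for section, body in find_orphans(SAMPLE_LOG):
        print("orphan:", section, body)
    for body in unknown_owner_services(SAMPLE_LOG):
        print("unknown owner:", body)
```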
Old 02-08-2008, 04:56 PM   #13 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 9
OS: xp pro sp2


Re: Pop ups - Win32/BaiduSobar or Win32/Henbang

Ried, I think I'm good to go. I've noticed that no more pop-ups are popping up, and there are no errors coming out during start-up as there always were before (this started recently and I forgot to inform you, but it's all gone now). I will also consider your recommendations for future protection.

I thank you very much on behalf of my family for helping and guiding me to solve this problem. We really really appreciate it.

Once again,

THANK YOU VERY MUCH

Good luck
Old 02-08-2008, 05:16 PM   #14 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 23,954
OS: WinXP and Vista


Re: Pop ups - Win32/BaiduSobar or Win32/Henbang



You're quite welcome. My best to you and your family.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Copyright 2001 - 2009, Tech Support Forum