Resolved HJT Threads: Resolved spyware and popup issues.

#1
Registered User
Join Date: May 2008
Posts: 27
OS: xp
cssrss creating HQS Trojan at startup
Hello, I found out that this process cssrss would create a trojan "intermittently" (does not create every time at system startup).
When the syz file was created then NOD would find it and delete it, but the source is still there and so the .syz file keeps getting created. I have followed your instruction to run Panda, log attached, and also used its "disinfect" function in the free registration. I have also run DSS and the logs are attached. Please let me know what else I can do to help your analysis. Thank you in advance for your help.

Deckard's System Scanner v20071014.68 Run by Administrator on 2008-06-11 19:02:52 Computer is in Normal Mode. -------------------------------------------------------------------------------- -- System Restore -------------------------------------------------------------- Successfully created a Deckard's System Scanner Restore Point. -- Last 5 Restore Point(s) -- 30: 2008-06-11 11:02:58 UTC - RP49 - Deckard's System Scanner Restore Point 29: 2008-06-05 18:08:06 UTC - RP48 - Installed Windows Installer Clean Up 28: 2008-06-04 15:26:41 UTC - RP47 - 系統檢查點 27: 2008-06-03 03:22:47 UTC - RP46 - 系統檢查點 26: 2008-06-01 23:10:00 UTC - RP45 - 系統檢查點 -- First Restore Point -- 1: 2008-03-11 03:33:02 UTC - RP20 - 系統檢查點 Backed up registry hives. Performed disk cleanup. Total Physical Memory: 448 MiB (512 MiB recommended).
-- HijackThis Clone ------------------------------------------------------------ Emulating logfile of Trend Micro HijackThis v2.0.2 Scan saved at 2008-06-11 19:04:30 Platform: Windows XP Service Pack 2 (5.01.2600) MSIE: Internet Explorer (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\system32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe C:\WINDOWS\system32\VTTimer.exe C:\WINDOWS\system32\VTTrayp.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\ESET\nod32krn.exe C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe C:\Program Files\Common Files\Teleca Shared\Generic.exe C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe C:\WINDOWS\explorer.exe C:\Documents and Settings\Administrator\桌面\dss.exe C:\WINDOWS\system32\conime.exe C:\WINDOWS\system32\rundll32.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 連結 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync O4 - HKLM\..\Run: 
[PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [VTTimer] VTTimer.exe O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Custom.exe] "C:\PROGRAM FILES\WINPENJR\WIN32\CUSTOM.EXE" O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O8 - Extra context menu item: 匯出至 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program 
Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab O16 - DPF: {33331111-1111-1111-1111-615111193427} () - O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get.../ultrashim.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{59F718DE-A39F-4E97-9633-7C359ED5B9B5}: NameServer = 218.102.62.71 205.252.144.126 O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\ESET\nod32krn.exe -- End of file - 5794 bytes -- File Associations ----------------------------------------------------------- All associations okay. -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------- All drivers whitelisted. 
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled -------------------- All services whitelisted. -- Device Manager: Disabled ---------------------------------------------------- No disabled devices found. -- Scheduled Tasks ------------------------------------------------------------- 2008-06-05 12:57:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job -- Files created between 2008-05-11 and 2008-06-11 ----------------------------- 2008-06-11 18:10:05 0 dr-h----- C:\Documents and Settings\Administrator\Recent 2008-06-11 15:46:40 0 d-------- C:\Program Files\Panda Security 2008-06-11 15:46:39 0 d-------- C:\WINDOWS\LastGood 2008-06-06 02:08:08 0 d-------- C:\Program Files\Windows Installer Clean Up 2008-06-06 02:07:45 0 d-------- C:\Program Files\MSECACHE 2008-05-23 17:22:30 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP 2008-05-23 17:22:13 0 d-------- C:\Program Files\SpywareBlaster 2008-05-21 01:14:28 0 d-------- C:\WINDOWS\system32\appmgmt 2008-05-14 09:20:42 1160 --a------ C:\WINDOWS\mozver.dat 2008-05-11 04:32:20 0 d-------- C:\Documents and Settings\Administrator\Application Data\Talkback 2008-05-11 04:31:52 0 --a------ C:\WINDOWS\nsreg.dat 2008-05-11 04:31:49 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla -- Find3M Report --------------------------------------------------------------- 2008-05-19 20:58:31 0 d-------- C:\Documents and Settings\Administrator\Application Data\NCH Swift Sound 2008-05-12 00:36:35 138326 --a------ C:\WINDOWS\system32\prfh0404.dat 2008-05-12 00:36:35 47010 --a------ C:\WINDOWS\system32\prfc0404.dat 2008-05-07 01:02:42 0 d-------- C:\Program Files\Audacity 2008-05-06 22:44:36 0 d-------- C:\Program Files\Mp3 My Mp3 2.0 2008-05-06 00:04:44 0 d-------- C:\Program Files\Java -- Registry Dump --------------------------------------------------------------- *Note* empty entries & legit default entries are not shown 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004/08/12 下午 08:00] "CJIMETIPSYNC"="C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.exe" [2003/07/14 下午 10:57] "PHIMETIPSYNC"="C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.exe" [2003/07/14 下午 10:57] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007/05/11 上午 03:06] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008/02/22 上午 04:25] "nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008/02/01 下午 12:35] "MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004/08/12 下午 08:00] "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004/08/12 下午 08:00] "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004/08/12 下午 08:00] "VTTimer"="VTTimer.exe" [2006/08/03 下午 02:53 C:\WINDOWS\system32\VTTimer.exe] "VTTrayp"="VTtrayp.exe" [2006/08/30 下午 05:44 C:\WINDOWS\system32\VTTrayp.exe] "SoundMan"="SOUNDMAN.EXE" [2006/11/17 上午 05:42 C:\WINDOWS\SOUNDMAN.EXE] "NeroCheck"="C:\WINDOWS\system32\\NeroCheck.exe" [2001/07/09 下午 06:50] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008/02/12 下午 03:13] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008/01/31 下午 11:13] "@"="" [] "Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005/10/26 下午 04:17] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004/08/12 下午 08:00] "Custom.exe"="C:\PROGRAM FILES\WINPENJR\WIN32\CUSTOM.EXE" [2007/02/01 下午 01:37] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice] @="Service" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background *Newly Created Service* - RKPAVPROC -- 
End of Deckard's System Scanner: finished at 2008-06-11 19:04:58 ------------

Sorry about the Chinese in the log, my system was installed with Chinese traditional and I can't switch to English. Here's a quick translation:
系統檢查點 = system check point
桌面 = desktop
匯出至 = export to
主控台 = main control
參考資料 = reference data

Last edited by amateur; 06-11-2008 at 06:23 AM. Reason: merged to retain 0-reply status
#3
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 23,958
OS: WinXP and Vista
Re: cssrss creating HQS Trojan at startup
Hello calvin333,
Download SDFix and save it to your Desktop. Double click SDFix.exe and it will extract the files to %systemdrive% (Drive that contains the Windows Directory, typically C:\SDFix).

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Run a new scan with dss.exe

Please include the following in your next reply:
C:\SDFix\Report.txt
main.txt
#4
Registered User
Join Date: May 2008
Posts: 27
OS: xp
Re: cssrss creating HQS Trojan at startup
First of all thank you for your help.
Report.txt:
SDFix: Version 1.193 Run by Administrator on ??? 2008/06/17 at ?? 08:08 Microsoft Windows XP [Version 5.1.2600] Running From: C:\SDFix
Checking Services : Restoring Windows Registry Values Restoring Windows Default Hosts File Rebooting
Checking Files : Trojan Files Found: C:\WINDOWS\Temp\ed47fa.$ - Deleted
Note - Files associated with the MBR Rootkit have been found on this system, to check the PC use the MBR Rootkit Detector by Gmer or CureIt by Dr.Web
Could Not Remove C:\WINDOWS\Temp\bca4e2da.$$$
Could Not Remove C:\WINDOWS\Temp\fa56d7ec.$$$
Removing Temp Files ADS Check : Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-06-17 20:15:58 Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ... scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions] "柟s^L?\xe48ecf?????"=str(7):"1\0"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions] "柟s^L?\xe48ecf?????"=str(7):"1\0"
scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes] "?}vr???"=""C:\WINDOWS\Cursors\3dwarro.cur,,C:\WINDOWS\Cursors\appstar3.ani,C:\WINDOWS\Cursors\hourgla3.ani,C:\WINDOWS\Cursors\cross.cur,,,C:\WINDOWS\Cursors\3dwno.cur,C:\WINDOWS\Cursors\3dwns.cur,C:\WINDOWS\Cursors\3dwwe.cur,C:\WINDOWS\Cursors\3dwnwse.cur,C:\WINDOWS\Cursors\3dwnesw.cur,C:\WINDOWS\Cursors\3dwmove.cur,"" "Kb??1??"=""C:\WINDOWS\Cursors\harrow.cur,,C:\WINDOWS\Cursors\handapst.ani,C:\WINDOWS\Cursors\hand.ani,C:\WINDOWS\Cursors\hcross.cur,C:\WINDOWS\Cursors\hibeam.cur,,C:\WINDOWS\Cursors\hnodrop.cur,C:\WINDOWS\Cursors\hns.cur,C:\WINDOWS\Cursors\hwe.cur,C:\WINDOWS\Cursors\hnwse.cur,C:\WINDOWS\Cursors\hnesw.cur,C:\WINDOWS\Cursors\hmove.cur,"" "Kb??2??"=""C:\WINDOWS\Cursors\harrow.cur,,C:\WINDOWS\Cursors\handapst.ani,C:\WINDOWS\Cursors\handwait.ani,C:\WINDOWS\Cursors\hcross.cur,C:\WINDOWS\Cursors\hibeam.cur,,C:\WINDOWS\Cursors\handno.ani,C:\WINDOWS\Cursors\handns.ani,C:\WINDOWS\Cursors\handwe.ani,C:\WINDOWS\Cursors\handnwse.ani,C:\WINDOWS\Cursors\handnesw.ani,C:\WINDOWS\Cursors\hmove.cur,"" "P`??"=""C:\WINDOWS\Cursors\3dgarro.cur,,C:\WINDOWS\Cursors\dinosaur.ani,C:\WINDOWS\Cursors\dinosau2.ani,C:\WINDOWS\Cursors\cross.cur,,,C:\WINDOWS\Cursors\banana.ani,C:\WINDOWS\Cursors\3dsns.cur,C:\WINDOWS\Cursors\3dgwe.cur,C:\WINDOWS\Cursors\3dsnwse.cur,C:\WINDOWS\Cursors\3dgnesw.cur,C:\WINDOWS\Cursors\3dsmove.cur,"" "n?_??"=""C:\WINDOWS\Cursors\harrow.cur,,C:\WINDOWS\Cursors\horse.ani,C:\WINDOWS\Cursors\barber.ani,C:\WINDOWS\Cursors\hcross.cur,C:\WINDOWS\Cursors\hibeam.cur,,C:\WINDOWS\Cursors\coin.ani,C:\WINDOWS\Cursors\3dgns.cur,C:\WINDOWS\Cursors\3dgwe.cur,C:\WINDOWS\Cursors\3dgnwse.cur,C:\WINDOWS\Cursors\3dgnesw.cur,C:\WINDOWS\Cursors\3dgmove.cur,"" 
"\ac襠??"=""C:\WINDOWS\Cursors\harrow.cur,,C:\WINDOWS\Cursors\drum.ani,C:\WINDOWS\Cursors\metronom.ani,C:\WINDOWS\Cursors\hcross.cur,C:\WINDOWS\Cursors\hibeam.cur,,C:\WINDOWS\Cursors\piano.ani,C:\WINDOWS\Cursors\hns.cur,C:\WINDOWS\Cursors\hwe.cur,C:\WINDOWS\Cursors\hnwse.cur,C:\WINDOWS\Cursors\hnesw.cur,C:\WINDOWS\Cursors\hmove.cur,"" ">e'Y"=""C:\WINDOWS\Cursors\larrow.cur,,C:\WINDOWS\Cursors\lappstrt.cur,C:\WINDOWS\Cursors\lwait.cur,C:\WINDOWS\Cursors\lcross.cur,C:\WINDOWS\Cursors\libeam.cur,,C:\WINDOWS\Cursors\lnodrop.cur,C:\WINDOWS\Cursors\lns.cur,C:\WINDOWS\Cursors\lwe.cur,C:\WINDOWS\Cursors\lnwse.cur,C:\WINDOWS\Cursors\lnesw.cur,C:\WINDOWS\Cursors\lmove.cur,"" "?OY?"=""C:\WINDOWS\Cursors\fillitup.ani,,C:\WINDOWS\Cursors\raindrop.ani,C:\WINDOWS\Cursors\counter.ani,C:\WINDOWS\Cursors\cross.cur,,,C:\WINDOWS\Cursors\wagtail.ani,C:\WINDOWS\Cursors\sizens.ani,C:\WINDOWS\Cursors\sizewe.ani,C:\WINDOWS\Cursors\sizenwse.ani,C:\WINDOWS\Cursors\sizenesw.ani,"" "??r????"=""C:\WINDOWS\Cursors\3dgarro.cur,,C:\WINDOWS\Cursors\appstar2.ani,C:\WINDOWS\Cursors\hourgla2.ani,C:\WINDOWS\Cursors\cross.cur,,,C:\WINDOWS\Cursors\3dgno.cur,C:\WINDOWS\Cursors\3dgns.cur,C:\WINDOWS\Cursors\3dgwe.cur,C:\WINDOWS\Cursors\3dgnwse.cur,C:\WINDOWS\Cursors\3dgnesw.cur,C:\WINDOWS\Cursors\3dgmove.cur,"" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper] "0}\16f??"=dword:00008088 "0}\16f???"=dword:00000088 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts] "\31jwi? ?(?T?r?u?e?T?y?p?e?)??"="KAIU.TTF" "0}\16f? ?&? ?0}\16f? ?(?T?r?u?e?T?y?p?e?)????"="MINGLIU.TTC" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\GrpConv\MapGroups] "J?j4X?"="Dl?\J4" scanning hidden files ... 
scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 Remaining Services : Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "C:\\Program Files\\Palm\\HOTSYNC.EXE"="C:\\Program Files\\Palm\\HOTSYNC.EXE:*:Enabled:HotSyncr Manager Application" "C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Disabled:RealPlayer" "c:\\3cl2et.exe"="c:\\3cl2et.exe:*:Enabled:DHCP Client" "C:\\WINDOWS\\system32\\cssrss.exe"="C:\\WINDOWS\\system32\\cssrss.exe:*:Enabled:DHCP Client" [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" Remaining Files : C:\WINDOWS\Temp\bca4e2da.$$$ Found C:\WINDOWS\Temp\fa56d7ec.$$$ Found File Backups: - C:\SDFix\backups\backups.zip Files with Hidden Attributes : Finished! Main.txt: Deckard's System Scanner v20071014.68 Run by Administrator on 2008-06-17 20:18:50 Computer is in Normal Mode. -------------------------------------------------------------------------------- Total Physical Memory: 448 MiB (512 MiB recommended). 
-- HijackThis Clone ------------------------------------------------------------ Emulating logfile of Trend Micro HijackThis v2.0.2 Scan saved at 2008-06-17 20:19:20 Platform: Windows XP Service Pack 2 (5.01.2600) MSIE: Internet Explorer (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\system32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\conime.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\ESET\nod32krn.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe C:\Program Files\ESET\nod32kui.exe C:\WINDOWS\system32\VTTimer.exe C:\WINDOWS\system32\VTTrayp.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe C:\Program Files\Common Files\Teleca Shared\Generic.exe C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe C:\Documents and Settings\Administrator\桌面\dss.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 連結 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [CJIMETIPSYNC] 
C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [VTTimer] VTTimer.exe O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Custom.exe] "C:\PROGRAM FILES\WINPENJR\WIN32\CUSTOM.EXE" O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O8 - Extra context menu item: 匯出至 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program 
Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab O16 - DPF: {33331111-1111-1111-1111-615111193427} () - O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get.../ultrashim.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\ESET\nod32krn.exe -- End of file - 5794 bytes -- Files created between 2008-05-17 and 2008-06-17 ----------------------------- 2008-06-17 20:05:50 0 d-------- C:\WINDOWS\ERUNT 2008-06-17 20:03:06 0 dr-h----- C:\Documents and Settings\Administrator\Recent 2008-06-11 15:46:40 0 d-------- C:\Program Files\Panda 
Security 2008-06-06 02:08:08 0 d-------- C:\Program Files\Windows Installer Clean Up 2008-06-06 02:07:45 0 d-------- C:\Program Files\MSECACHE 2008-05-23 17:22:30 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP 2008-05-23 17:22:13 0 d-------- C:\Program Files\SpywareBlaster 2008-05-21 01:14:28 0 d-------- C:\WINDOWS\system32\appmgmt -- Find3M Report --------------------------------------------------------------- 2008-05-19 20:58:31 0 d-------- C:\Documents and Settings\Administrator\Application Data\NCH Swift Sound 2008-05-14 09:20:43 1160 --a------ C:\WINDOWS\mozver.dat 2008-05-12 00:36:35 138326 --a------ C:\WINDOWS\system32\prfh0404.dat 2008-05-12 00:36:35 47010 --a------ C:\WINDOWS\system32\prfc0404.dat 2008-05-11 04:32:20 0 d-------- C:\Documents and Settings\Administrator\Application Data\Talkback 2008-05-11 04:31:52 0 --a------ C:\WINDOWS\nsreg.dat 2008-05-11 04:31:49 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla 2008-05-07 01:02:42 0 d-------- C:\Program Files\Audacity 2008-05-06 22:44:36 0 d-------- C:\Program Files\Mp3 My Mp3 2.0 2008-05-06 00:04:44 0 d-------- C:\Program Files\Java -- Registry Dump --------------------------------------------------------------- *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004/08/12 下午 08:00] "CJIMETIPSYNC"="C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.exe" [2003/07/14 下午 10:57] "PHIMETIPSYNC"="C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.exe" [2003/07/14 下午 10:57] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007/05/11 上午 03:06] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008/02/22 上午 04:25] "nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008/02/01 下午 12:35] 
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004/08/12 下午 08:00] "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004/08/12 下午 08:00] "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004/08/12 下午 08:00] "VTTimer"="VTTimer.exe" [2006/08/03 下午 02:53 C:\WINDOWS\system32\VTTimer.exe] "VTTrayp"="VTtrayp.exe" [2006/08/30 下午 05:44 C:\WINDOWS\system32\VTTrayp.exe] "SoundMan"="SOUNDMAN.EXE" [2006/11/17 上午 05:42 C:\WINDOWS\SOUNDMAN.EXE] "NeroCheck"="C:\WINDOWS\system32\\NeroCheck.exe" [2001/07/09 下午 06:50] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008/02/12 下午 03:13] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008/01/31 下午 11:13] "Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005/10/26 下午 04:17] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004/08/12 下午 08:00] "Custom.exe"="C:\PROGRAM FILES\WINPENJR\WIN32\CUSTOM.EXE" [2007/02/01 下午 01:37] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice] @="Service" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background -- End of Deckard's System Scanner: finished at 2008-06-17 20:19:38 ------------ |
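The firewall exception list in the Report.txt above is the most telling part of that log: two binaries registered themselves as "DHCP Client", while the genuine Windows exception on the same list (sessmgr.exe) uses an "@xpsp2res.dll,-id" resource reference, and cssrss.exe is a one-letter lookalike of the real csrss.exe. The script below is an added defender-side example, not code from the thread, SDFix or Gmer; its sample export is constructed from the entries the report lists, and the name sets and heuristics are my own assumptions.

```python
"""Flag suspicious Windows Firewall exceptions in an SDFix/.reg-style export."""
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed sample: the "Authorized Application Key Export" entries that the
# Report.txt in this thread lists, in the same .reg format (backslashes doubled).
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Palm\\HOTSYNC.EXE"="C:\\Program Files\\Palm\\HOTSYNC.EXE:*:Enabled:HotSyncr Manager Application"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Disabled:RealPlayer"
"c:\\3cl2et.exe"="c:\\3cl2et.exe:*:Enabled:DHCP Client"
"C:\\WINDOWS\\system32\\cssrss.exe"="C:\\WINDOWS\\system32\\cssrss.exe:*:Enabled:DHCP Client"
'''

# Assumed heuristics (my own, not from the thread): core XP process names that
# malware likes to imitate, and plain-text descriptions that claim to be a
# Windows component.  A genuine Windows exception (sessmgr.exe above) uses a
# localisable "@dll,-id" resource reference rather than plain English.
CORE_PROCESSES = {"csrss", "smss", "winlogon", "services", "lsass",
                  "svchost", "explorer", "spoolsv"}
KNOWN_SYSTEM_EXES = {p + ".exe" for p in CORE_PROCESSES} | {"sessmgr.exe", "wuauclt.exe"}
COMPONENT_CLAIMS = {"dhcp client", "dns client", "windows update", "windows firewall"}

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; inputs are short, so the full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_export(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (path, scope, state, description) for each value line.

    Values look like  path:scope:state:description ; the path itself may hold a
    drive-letter colon, so split from the right.  Doubled backslashes are the
    .reg escaping and are collapsed back to single ones.
    """
    entries = []
    for line in text.splitlines():
        m = VALUE_RE.match(line.strip())
        if not m:
            continue  # key header, blank line, or something we do not parse
        parts = m.group("value").rsplit(":", 3)
        if len(parts) != 4:
            continue
        path, scope, state, desc = parts
        entries.append((path.replace("\\\\", "\\"), scope, state, desc))
    return entries


def suspicious_reasons(path: str, desc: str) -> List[str]:
    """Return why one exception looks wrong (empty list means nothing found)."""
    reasons = []
    parent, base = ntpath.split(path)
    stem = base.lower().rsplit(".", 1)[0]
    # 1. Lookalike of a core process name: cssrss vs csrss is one inserted letter.
    if stem not in CORE_PROCESSES and len(stem) >= 4:
        for known in sorted(CORE_PROCESSES):
            d = levenshtein(stem, known)
            if d <= 2:
                reasons.append(f"name is {d} edit(s) from core process {known}.exe")
    # 2. Plain-text claim to be a Windows component from a non-Windows binary.
    if desc.strip().lower() in COMPONENT_CLAIMS and base.lower() not in KNOWN_SYSTEM_EXES:
        reasons.append(f"claims to be '{desc}' but {base} is not a known Windows binary")
    # 3. Odd location: drive root or a temp directory.
    tail = ntpath.splitdrive(parent)[1].strip("\\").lower()
    if tail == "":
        reasons.append("executable sits in the drive root")
    elif tail.endswith("temp") or "\\temp\\" in tail:
        reasons.append("executable sits in a temp directory")
    return reasons


def scan_export(text: str) -> Dict[str, List[str]]:
    """Map each suspicious exception path to its list of reasons."""
    findings: Dict[str, List[str]] = {}
    for path, _scope, _state, desc in parse_export(text):
        reasons = suspicious_reasons(path, desc)
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in scan_export(SAMPLE_EXPORT).items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

Run against the sample, only 3cl2et.exe and cssrss.exe are reported; the three legitimate entries produce no findings.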
#5
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 23,958
OS: WinXP and Vista
Re: cssrss creating HQS Trojan at startup
Hi calvin,
This tool tends to be quite aggressive, so please be sure to configure it exactly as listed below. I do not want it to clean--for now, I only want to see a Report of what it finds.

Download Dr.Web CureIt to the desktop: ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Double-click the drweb-cureit.exe file and Allow to run the express scan. This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.

I'd also like you to download mbr.exe and save it to your desktop. Double click to run it. It will produce a log on your desktop named mbr.log. Please post the contents of that log as well.
#6
Registered User
Join Date: May 2008
Posts: 27
OS: xp
Re: cssrss creating HQS Trojan at startup
Hi Reid - just a quick note that I was from Ohio too, lived in Dayton for 5 years and Columbus for 10.
Re DrWeb, I got the Chinese version so a quick summary is that it found and deleted BackDoor.MaosBoot from memory and fixed BackDoor.MaosBoot from the Master Boot Record. The DrWeb.csr file is attached, not posted because I'm not sure if copy & paste would capture everything in a csr/excel file. I also want to mention that the interface is slightly different from your description (probably a newer release) but I didn't take any corrective action after the full scan.

The mbr log:
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
malicious code @ sector 0xdf8f900 size 0x1a8 !
copy of MBR has been found in sector 62 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
#7
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 23,958
OS: WinXP and Vista
Re: cssrss creating HQS Trojan at startup
Hi calvin,
This is a very serious infection of your actual boot sector of your hard drive. I do not see the Dr.Web report attached, and it's important that I see it. Could you please try again to attach?
#8
Registered User
Join Date: May 2008
Posts: 27
OS: xp
Re: cssrss creating HQS Trojan at startup
Hi, I have re-run Dr.Web as instructed but the csv file is very short (4 rows), is it normal?
This is the content:
SDFix.exe\SDFix\apps\Process.exe;C:\Documents and Settings\Administrator\桌面\SDFix.exe;Tool.Prockill;;
SDFix.exe;C:\Documents and Settings\Administrator\桌面;Archive contains infected objects;;
NMYV5MDA.NQF;C:\Program Files\ESET\infected;Trojan.NtRootKit.1177;;
Process.exe;C:\SDFix\apps;Tool.Prockill;;
#9
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 23,958
OS: WinXP and Vista
Re: cssrss creating HQS Trojan at startup
I wanted to see the original report, not a second run.
Please run mbr.exe again and post the contents of the mbr.log.
#10
Registered User
Join Date: May 2008
Posts: 27
OS: xp
Re: cssrss creating HQS Trojan at startup
Oops... here goes:
Original Dr. Web log:

SDFix.exe\SDFix\apps\Process.exe;C:\Documents and Settings\Administrator\桌面\SDFix.exe;Tool.Prockill;;
SDFix.exe;C:\Documents and Settings\Administrator\桌面;Archive contains infected objects;;
NMYV5MDA.NQF;C:\Program Files\ESET\infected;Trojan.NtRootKit.1177;;
Process.exe;C:\SDFix\apps;Tool.Prockill;;

New mbr.log:

Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0xdf8f900 size 0x1a8 !
copy of MBR has been found in sector 62 !
#11
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 23,958
OS: WinXP and Vista
Re: cssrss creating HQS Trojan at startup
Ok, what I want you to do is move mbr.exe directly to the C:\ drive.
Click Start > My Computer and double click on C:\. Once it's opened, simply drag and drop mbr.exe into an empty spot in that window.

After it's been moved to the C:\ drive, click Start > Run, copy/paste the following into the Run box and click OK:

mbr.exe -f

It will produce a report at C:\mbr.log. Please post the contents of that new log.
#12
Registered User
Join Date: May 2008
Posts: 27
OS: xp
Re: cssrss creating HQS Trojan at startup
Hi Ried (finally got that right, sorry about that)
So I moved mbr into the C: drive, then attempted to run it, but the system responded with "can't find it". So I clicked Browse and found that the default location from Start/Run is "Administrator"... So I did a "C:\mbr.exe -f" and the log is below. This is like the movie Groundhog Day, as for a few days I've been running mbr and it kept giving me that short log:

Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0xdf8f900 size 0x1a8 !
copy of MBR has been found in sector 62 !
#13
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 23,958
OS: WinXP and Vista
Re: cssrss creating HQS Trojan at startup
Hi,
I'd like to clarify before we go further. This log you just posted is the mbr.log that was located on the C:\ drive, correct? To minimize confusion, delete the mbr.log that is on your desktop. Navigate to C:\mbr.exe and double click it to run it. Please post the fresh mbr.log.
#14
Registered User
Join Date: May 2008
Posts: 27
OS: xp
Re: cssrss creating HQS Trojan at startup
1. Removed log from desktop
2. Removed log from C:
3. Went to C: and double clicked on the mbr icon

Result log:

Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0xdf8f900 size 0x1a8 !
copy of MBR has been found in sector 62 !
#15
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 23,958
OS: WinXP and Vista
Re: cssrss creating HQS Trojan at startup
Thanks calvin.
The mbr rootkit has been effectively cleaned. It would seem DrWeb may have left a remnant, but it no longer poses a threat. The MBR is clean, as verified by the mbr.log.

Please perform an online scan using Internet Explorer at this website - http://www.bitdefender.com/scan8/ie.html

Under SCANNING OPTIONS, use the following settings:

Once finished, click on the Details button to view the results. To the upper right of the results you will see an option saying "Click here to export the scan results". Post the log of the scan results in your next reply.
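The distinction drawn in the reply above (a log that says "MBR rootkit infection detected" means the boot sector itself is hooked; "user & kernel MBR OK" with a leftover "malicious code @ sector" line means the MBR has been restored and only the on-disk body remains) is easy to get wrong when the same short log is posted several times. As an added example, not from the thread and not part of Gmer's tool, the following Python reads the mbr.exe 0.2.4 output quoted in the thread and classifies it as active, remnant, clean or unverified. It assumes 512-byte sectors (so sector 0xdf8f900 lands about 120 GB into the disk) and embeds the two logs from the thread as constructed samples.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

SECTOR_BYTES = 512  # assumption: 512-byte sectors, standard for disks of this era

# Constructed samples reproducing the two mbr.exe 0.2.4 logs quoted in the thread.
LOG_BEFORE_FIX = """\
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
malicious code @ sector 0xdf8f900 size 0x1a8 !
copy of MBR has been found in sector 62 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
"""

LOG_AFTER_FIX = """\
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0xdf8f900 size 0x1a8 !
copy of MBR has been found in sector 62 !
"""


@dataclass
class MbrVerdict:
    status: str                           # "active", "remnant", "clean" or "unverified"
    user_read: bool = False               # MBR readable through the normal (user-mode) path
    kernel_read: bool = False             # MBR readable through the tool's kernel driver
    user_kernel_ok: bool = False          # both reads agree: no hook is altering what the OS sees
    payload_sector: Optional[int] = None  # sector where the tool saw foreign code on disk
    payload_size: Optional[int] = None    # size of that code in bytes
    backup_sector: Optional[int] = None   # sector holding a saved copy of the original MBR
    reasons: List[str] = field(default_factory=list)


_PAYLOAD = re.compile(r"malicious code @ sector (0x[0-9a-f]+|\d+) size (0x[0-9a-f]+|\d+)", re.I)
_BACKUP = re.compile(r"copy of MBR has been found in sector (0x[0-9a-f]+|\d+)", re.I)


def _num(s: str) -> int:
    return int(s, 0)  # accepts decimal "62" as well as hex "0xdf8f900"


def classify_mbr_log(text: str) -> MbrVerdict:
    """Turn one mbr.exe log into a verdict plus the facts it was based on."""
    v = MbrVerdict(status="unverified")
    detected = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("user: MBR read successfully"):
            v.user_read = True
        elif line.startswith("kernel: MBR read successfully"):
            v.kernel_read = True
        elif line.startswith("user & kernel MBR OK"):
            v.user_kernel_ok = True
        elif line.startswith("MBR rootkit infection detected"):
            detected = True
        elif (m := _PAYLOAD.search(line)):
            v.payload_sector, v.payload_size = _num(m.group(1)), _num(m.group(2))
        elif (m := _BACKUP.search(line)):
            v.backup_sector = _num(m.group(1))

    if not (v.user_read and v.kernel_read):
        v.reasons.append("tool could not read the MBR both ways; result cannot be trusted")
        return v
    if detected:
        v.status = "active"
        v.reasons.append("tool reports the boot sector is infected; fix with mbr.exe -f")
    elif v.user_kernel_ok:
        if v.payload_sector is not None or v.backup_sector is not None:
            v.status = "remnant"
            v.reasons.append("MBR is original again; leftover sectors are not referenced by the boot code")
        else:
            v.status = "clean"
    else:
        v.reasons.append("neither an OK line nor a detection line; re-run the tool")
    if v.payload_sector is not None:
        v.reasons.append(f"foreign code at byte offset {v.payload_sector * SECTOR_BYTES:,}")
    return v


if __name__ == "__main__":
    for name, log in (("before", LOG_BEFORE_FIX), ("after", LOG_AFTER_FIX)):
        verdict = classify_mbr_log(log)
        print(name, verdict.status, "|", "; ".join(verdict.reasons))
```

The "unverified" status is deliberate: a log with no "user & kernel MBR OK" line and no detection line, or one where either read failed, is not evidence of a clean disk, and the right response is the one the thread takes, which is to run the tool again rather than read anything into a short log.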
#16
|
Registered User
Join Date: May 2008
Posts: 27
OS: xp
Re: cssrss creating HQS Trojan at startup
Hi Ried - first of all thanks for staying with me, here's what I did:
I started scanning, forgetting to do "report only", so the scanner deleted two files from the ESET quarantine areas. Then I realized the boo-boo, stopped the scan, did report only and retarded, I mean, restarted... Here's the log:

BitDefender Online Scanner
Scan report generated at: Fri, Jun 20, 2008 - 11:35:45
Scan path: C:\;

Statistics
Time 00:18:41
Files 121360
Folders 2430
Boot Sectors 3
Archives 955
Packed Files 6971

Results
Identified Viruses 1
Infected Files 1
Suspect Files 0
Warnings 0
Disinfected 0
Deleted Files 0

Engines Info
Virus Definitions 1262175
Engine build AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)
Scan plugins 16
Archive plugins 42
Unpack plugins 7
E-mail plugins 6
System plugins 5

Scan Settings
First Action Report
Second Action None
Heuristics Yes
Enable Warnings Yes
Scanned Extensions *;
Exclude Extensions
Scan Emails Yes
Scan Archives Yes
Scan Packed Yes
Scan Files Yes
Scan Boot Yes

Scanned File Status
C:\System Volume Information\_restore{CB2D8209-4CCD-4B94-A4F8-AAF4DD0DB234}\RP48\A0037719.exe Infected with: Trojan.Peed.Gen
#17
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 23,958
OS: WinXP and Vista
Re: cssrss creating HQS Trojan at startup
You are making this fun. All that needs to be done is flush System Restore, but before we do that - how is the system behaving? Any more troubles?
#18
Registered User
Join Date: May 2008
Posts: 27
OS: xp
Re: cssrss creating HQS Trojan at startup
No, the system is working fine.
The only strange thing is that auto update is disabled ... you know, got that red shield? I used to get that when the firewall was turned off, but after cleaning the red shield went away, until now.
#20
Registered User
Join Date: May 2008
Posts: 27
OS: xp
Re: cssrss creating HQS Trojan at startup
Deckard's System Scanner v20071014.68
Run by Administrator on 2008-06-20 11:59:07
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-20 11:59:38
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\ESET\nod32kui.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTTrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\ESET\nod32krn.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Documents and Settings\Administrator\桌面\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 連結
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Custom.exe] "C:\PROGRAM FILES\WINPENJR\WIN32\CUSTOM.EXE"
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: 匯出至 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {33331111-1111-1111-1111-615111193427} () -
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get.../ultrashim.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\ESET\nod32krn.exe

--
End of file - 6046 bytes

-- Files created between 2008-05-20 and 2008-06-20 -----------------------------

2008-06-20 11:01:53      0 d-------- C:\WINDOWS\BDOSCAN8
2008-06-20 11:01:51      0 d-------- C:\WINDOWS\LastGood
2008-06-20 03:17:01      0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-06-19 13:37:43  66048 --a------ C:\mbr.exe
2008-06-18 10:44:15      0 d-------- C:\Documents and Settings\Administrator\DoctorWeb
2008-06-17 20:05:50      0 d-------- C:\WINDOWS\ERUNT
2008-06-11 15:46:40      0 d-------- C:\Program Files\Panda Security
2008-06-06 02:08:08      0 d-------- C:\Program Files\Windows Installer Clean Up
2008-06-06 02:07:45      0 d-------- C:\Program Files\MSECACHE
2008-05-23 17:22:30      0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-23 17:22:13      0 d-------- C:\Program Files\SpywareBlaster
2008-05-21 01:14:28      0 d-------- C:\WINDOWS\system32\appmgmt

-- Find3M Report ---------------------------------------------------------------

2008-05-19 20:58:31      0 d-------- C:\Documents and Settings\Administrator\Application Data\NCH Swift Sound
2008-05-14 09:20:43   1160 --a------ C:\WINDOWS\mozver.dat
2008-05-12 00:36:35 138326 --a------ C:\WINDOWS\system32\prfh0404.dat
2008-05-12 00:36:35  47010 --a------ C:\WINDOWS\system32\prfc0404.dat
2008-05-11 04:32:20      0 d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-05-11 04:31:52      0 --a------ C:\WINDOWS\nsreg.dat
2008-05-11 04:31:49      0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-05-07 01:02:42      0 d-------- C:\Program Files\Audacity
2008-05-06 22:44:36      0 d-------- C:\Program Files\Mp3 My Mp3 2.0
2008-05-06 00:04:44      0 d-------- C:\Program Files\Java

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004/08/12 08:00 PM]
"CJIMETIPSYNC"="C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.exe" [2003/07/14 10:57 PM]
"PHIMETIPSYNC"="C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.exe" [2003/07/14 10:57 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007/05/11 03:06 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008/02/22 04:25 AM]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008/02/01 12:35 PM]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004/08/12 08:00 PM]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004/08/12 08:00 PM]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004/08/12 08:00 PM]
"VTTimer"="VTTimer.exe" [2006/08/03 02:53 PM C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2006/08/30 05:44 PM C:\WINDOWS\system32\VTTrayp.exe]
"SoundMan"="SOUNDMAN.EXE" [2006/11/17 05:42 AM C:\WINDOWS\SOUNDMAN.EXE]
"NeroCheck"="C:\WINDOWS\system32\\NeroCheck.exe" [2001/07/09 06:50 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008/02/12 03:13 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008/01/31 11:13 PM]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005/10/26 04:17 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004/08/12 08:00 PM]
"Custom.exe"="C:\PROGRAM FILES\WINPENJR\WIN32\CUSTOM.EXE" [2007/02/01 01:37 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

-- End of Deckard's System Scanner: finished at 2008-06-20 11:59:55 ------------
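Reading a HijackThis-style log like the one above is mostly a matter of knowing which entries deserve a second look. As an added example, not from the thread and not part of HijackThis or Deckard's System Scanner, the following Python does a first triage pass over that format: it splits each line into its section (O4, O9, O16, O23, ...), reads out the program or URL the entry points at, and flags the entries an analyst would check first: anything reported as (file missing), O16 DPF ActiveX entries with no control name or download URL, and O4 autoruns given as a bare file name, which Windows resolves through the search path rather than from a fixed location. The sample lines are copied from the log posted above and embedded as constructed input; the flag names are this example's own. A flag is a prompt to look, not a verdict: the bare-name VTTimer entry, for instance, resolves to C:\WINDOWS\system32\VTTimer.exe according to the registry dump above.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample: a handful of O4/O9/O16/O23 lines copied from the
# HijackThis-style log posted in the thread (not the whole log).
SAMPLE_HJT_LINES = [
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"',
    r'O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync',
    r'O4 - HKLM\..\Run: [VTTimer] VTTimer.exe',
    r'O4 - HKCU\..\Run: [Custom.exe] "C:\PROGRAM FILES\WINPENJR\WIN32\CUSTOM.EXE"',
    r"O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')",
    r'O9 - Extra button: 參考資料 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)',
    r'O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe',
    r'O16 - DPF: {33331111-1111-1111-1111-615111193427} () -',
    r'O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab',
    r'O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\ESET\nod32krn.exe',
]


class HjtEntry(NamedTuple):
    kind: str            # HijackThis section, e.g. "O4", "O16"
    text: str            # the original log line
    exe: Optional[str]   # program, DLL or URL the entry points at, when one can be read out
    flags: List[str]     # triage flags raised for this line (names are this example's own)


# O4 autorun: "O4 - <hive>\..\Run: [<name>] <command line>", hive may carry a SID (HKUS\S-1-5-18)
_O4 = re.compile(r'^O4 - (?P<hive>HK[^\\]+(?:\\[^\\]+)?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# O9 IE button/menu item: "O9 - <label> - {CLSID} - <path or (file missing)>"
_O9 = re.compile(r'^O9 - (?P<label>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$')
# O16 downloaded ActiveX: "O16 - DPF: {CLSID} (<name>) - <url>"
_O16 = re.compile(r'^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>.*?)\) -\s*(?P<url>.*)$')
# First program on a command line; cut at the extension, not at the first space,
# because these logs contain unquoted paths with spaces in them.
_EXE = re.compile(r'^\s*"?(?P<exe>.+?\.(?:exe|dll|cab))"?', re.I)


def first_executable(cmd: str) -> Optional[str]:
    """Return the program a command line launches, with surrounding quotes removed."""
    m = _EXE.match(cmd)
    return m.group("exe") if m else None


def triage_line(line: str) -> HjtEntry:
    kind = line.split(" - ", 1)[0]
    flags: List[str] = []
    exe: Optional[str] = None
    if line.rstrip().endswith("(file missing)"):
        flags.append("file-missing")       # registry still points at a path that no longer exists
    if (m := _O4.match(line)):
        exe = first_executable(m.group("cmd"))
        if exe is not None and "\\" not in exe:
            flags.append("bare-filename")  # resolved through the search path at logon, not a fixed location
    elif (m := _O16.match(line)):
        exe = m.group("url") or None
        if not m.group("name"):
            flags.append("dpf-no-name")    # ActiveX download entry with no control name
        if not m.group("url"):
            flags.append("dpf-no-url")     # and no source URL: nothing to check the CLSID against
    elif (m := _O9.match(line)):
        exe = first_executable(m.group("path"))
    else:
        # Other sections (O2, O18, O23, ...) put the file path in the last " - " field.
        exe = first_executable(line.rsplit(" - ", 1)[-1])
    return HjtEntry(kind, line, exe, flags)


def triage(lines: List[str]) -> List[HjtEntry]:
    return [triage_line(l) for l in lines if l.strip()]


def flagged(lines: List[str]) -> Dict[str, List[str]]:
    """Map each line that raised at least one flag to its flags, for quick review."""
    return {e.text: e.flags for e in triage(lines) if e.flags}


if __name__ == "__main__":
    for text, flags in flagged(SAMPLE_HJT_LINES).items():
        print(", ".join(flags).ljust(24), text)
```

Run over the full log above, this pass surfaces the three kinds of line a helper would otherwise pick out by eye; everything else is then checked by path, which is why the parser bothers to recover the executable even for entries it does not flag.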