Smitfraud-C.KooWo



tykily
2007-06-08, 19:28
Hello. I have recently had this virus that is incredibly difficult to get rid of, so that is why I'm here. I ran SpybotSD and got results of Smitfraud and Smitfraud-C.KooWo. This KooWo thing is very annoying: it changes my homepage to some Chinese website every startup, installs the toolbar in the background without any consent, and gives numerous popups to Chinese websites.

I've run the online AntiVirus scanner and was confused about how to save the log/report, so this is just basically what it found:

hosts Win32/Hostblock cannot delete C:\WINDOWS\system32\drivers\etc\
hosts.20050608-114729.backup Win32/Hostblock deleted C:\WINDOWS\system32\drivers\etc\
hosts.20050608-114738.backup Win32/Hostblock deleted C:\WINDOWS\system32\drivers\etc\
hosts.20050608-122306.backup Win32/Hostblock deleted C:\WINDOWS\system32\drivers\etc\
hosts.20050608-122312.backup Win32/Hostblock deleted C:\WINDOWS\system32\drivers\etc\

And here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 1:10:45 PM, on 6/8/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\dgd4bs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\tjjgvf\Desktop\New Folder\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ala.union123.com/indaxxx.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
F2 - REG:system.ini: Shell=Explorer.exe vbjava.exe
O1 - Hosts: 202.109.114.142 survey88.allyes.com
O1 - Hosts: 202.109.114.142 adtaobao.allyes.com
O1 - Hosts: 202.109.114.142 code.qihoo.com
O1 - Hosts: 202.109.114.142 union.mop.com
O1 - Hosts: 202.109.114.142 js.kkunion.com
O1 - Hosts: 202.109.114.142 v.kkunion.com
O1 - Hosts: 202.109.114.142 v.21cn.com
O1 - Hosts: 202.109.114.142 iplusms.allyes.com
O1 - Hosts: 202.109.114.142 mms.t2t2.com
O1 - Hosts: 202.109.114.142 ivr.dobig.net
O1 - Hosts: 202.109.114.142 www.u8u.com
O1 - Hosts: 202.109.114.142 u.u8u.com
O1 - Hosts: 202.109.114.142 img.zhangxiu.com
O1 - Hosts: 202.109.114.142 tl.linktone.com
O1 - Hosts: 202.109.114.142 channel.e78.com
O1 - Hosts: 202.109.114.142 u.7town.com
O1 - Hosts: 202.109.114.142 union.95ol.com.cn
O1 - Hosts: 202.109.114.142 mms1.95ol.com.cn
O1 - Hosts: 202.109.114.142 mfs.95ol.com.cn
O1 - Hosts: 202.109.114.142 tl.a8.com
O1 - Hosts: 202.109.114.142 ad01.a8.com
O1 - Hosts: 202.109.114.142 u2.caiku.com
O1 - Hosts: 202.109.114.142 mms.caiku.com
O1 - Hosts: 202.109.114.142 code1.caiku.com
O1 - Hosts: 202.109.114.142 pub.lele.com
O1 - Hosts: 202.109.114.142 u.lele.com
O1 - Hosts: 202.109.114.142 7town.com
O1 - Hosts: 202.109.114.142 tvsend.7town.com
O1 - Hosts: 202.109.114.142 ivrsend.7town.com
O1 - Hosts: 202.109.114.142 tlt.7town.com
O1 - Hosts: 202.109.114.142 gsend.7town.com
O1 - Hosts: 202.109.114.142 smssend.7town.com
O1 - Hosts: 202.109.114.142 mmssend.moyu.com
O1 - Hosts: 202.109.114.142 91ivr.com
O1 - Hosts: 202.109.114.142 myad.91ivr.com
O1 - Hosts: 202.109.114.142 u.91ivr.com
O1 - Hosts: 202.109.114.142 union.91ivr.com
O1 - Hosts: 202.109.114.142 cm.p4p.cn.yahoo.com
O1 - Hosts: 202.109.114.142 un.265.com
O1 - Hosts: 202.109.114.142 union.qq.com
O1 - Hosts: 202.109.114.142 view.aliunion.cn.yahoo.com
O1 - Hosts: 202.109.114.142 union.narrowad.com
O1 - Hosts: 202.109.114.142 ln.heima8.com
O1 - Hosts: 202.109.114.142 www.fboat.cn
O1 - Hosts: 202.109.114.142 cpro.baidu.com
O1 - Hosts: 202.109.114.142 unstat.baidu.com
O1 - Hosts: 202.109.114.142 y.cnxad.com
O1 - Hosts: 202.109.114.142 www.ewowo.com
O1 - Hosts: 202.109.114.142 template.union.163.com
O1 - Hosts: 202.109.114.142 new.is686.com
O1 - Hosts: 202.109.114.142 creative.unionsys.bolaa.com
O1 - Hosts: 202.109.114.142 www.qyule.com
O1 - Hosts: 202.109.114.142 99e.cc
O1 - Hosts: 202.109.114.142 www.91ivr.com
O1 - Hosts: 202.109.114.142 mg.ukaka.com
O1 - Hosts: 202.109.114.142 kooxoo2.ad4all.net
O1 - Hosts: 202.109.114.142 www.8fff.com
O1 - Hosts: 202.109.114.142 union.pomoho.com
O1 - Hosts: 202.109.114.142 202.107.233.211
O1 - Hosts: 202.109.114.142 www.end123.com
O1 - Hosts: 202.109.114.142 w1.7clink.com
O1 - Hosts: 202.109.114.142 w2.7clink.com
O1 - Hosts: 202.109.114.142 union01.com
O1 - Hosts: 202.109.114.142 click.8le8le.com
O1 - Hosts: 202.109.114.142 stbanner.allyes.com
O1 - Hosts: 202.109.114.142 mms1.moyu.com
O1 - Hosts: 202.109.114.142 u.moyu.com
O1 - Hosts: 202.109.114.142 mmsu.moyu.com
O1 - Hosts: 202.109.114.142 show.moyu.com
O1 - Hosts: 202.109.114.142 ivrsend.moyu.com
O1 - Hosts: 202.109.114.142 ivru.moyu.com
O1 - Hosts: 202.109.114.142 ivr1.moyu.com
O1 - Hosts: 203.191.146.205 corep.dmcast.com
O1 - Hosts: 203.191.146.205 m081.dmcast.com
O1 - Hosts: 203.191.146.205 dcww.dmcast.com
O1 - Hosts: 203.191.146.205 renren.dmcast.com
O1 - Hosts: 203.191.146.205 files.henbang.net
O1 - Hosts: 203.191.146.205 bannerbox.cn
O1 - Hosts: 203.191.146.205 www.bannerbox.cn
O1 - Hosts: 203.191.146.205 action.coopen.cn
O1 - Hosts: 203.191.146.205 u4.sky99.cn
O1 - Hosts: 203.191.146.205 u1.sky99.cn
O1 - Hosts: 203.191.146.205 u2.sky99.cn
O1 - Hosts: 203.191.146.205 u3.sky99.cn
O1 - Hosts: 203.191.146.205 sky99.cn
O1 - Hosts: 203.191.146.205 u.sky99.cn
O1 - Hosts: 203.191.146.205 u.ete.cn
O1 - Hosts: 203.191.146.205 ip.alexaanywhere.com
O1 - Hosts: 203.191.146.205 www.365tan.com
O1 - Hosts: 203.191.146.205 www.winopen.cn
O1 - Hosts: 203.191.146.205 www.tanip.com
O1 - Hosts: 203.191.146.205 alexaanywhere.com
O1 - Hosts: 203.191.146.205 jssb.alexaanywhere.com
O1 - Hosts: 203.191.146.205 ns250.alexaanywhere.com
O1 - Hosts: 203.191.146.205 sb.alexaanywhere.com
O1 - Hosts: 203.191.146.205 ip.alexaanywhere.com
O1 - Hosts: 203.191.146.205 pop.9v.cn
O1 - Hosts: 203.191.146.205 xuni.myad.cn
O1 - Hosts: 203.191.146.205 iebar.t2t2.com
O1 - Hosts: 203.191.146.205 error.newcell.cn
O1 - Hosts: 203.191.146.205 auto.search.msn.com
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.5.19.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [System] C:\Program Files\Common Files\system\Updaterun.exe
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
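The HijackThis log above carries three findings a responder would pick out by hand: dozens of O1 hosts entries pointing unrelated hostnames at the same two remote addresses, an F2 `Shell=` line with a second executable appended to Explorer.exe, and Run entries launching from odd locations. As an added example (not code from this thread, from HijackThis, or from the Safer Networking helpers), here is a small Python triage script that parses entry lines in the `<code> - <body>` layout the log uses and applies those checks. The sample input is constructed from lines posted in this thread plus one benign `127.0.0.1 localhost` line for contrast.

```python
import re
from collections import defaultdict

# Constructed sample input: entry lines copied from the HijackThis logs
# posted in this thread, plus one benign 127.0.0.1 hosts line for contrast.
SAMPLE_HJT_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows XP (WinNT 5.01.2600)

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ala.union123.com/indaxxx.html
F2 - REG:system.ini: Shell=Explorer.exe vbjava.exe
O1 - Hosts: 202.109.114.142 survey88.allyes.com
O1 - Hosts: 202.109.114.142 cpro.baidu.com
O1 - Hosts: 203.191.146.205 auto.search.msn.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [System] C:\Program Files\Common Files\system\Updaterun.exe
O4 - HKCU\..\Run: [IE Helper] C:\DOCUME~1\VuN\LOCALS~1\Temp\iexplore3.exe
O23 - Service: 2C488C3C - Unknown owner - C:\WINDOWS\System32\81646C40.EXE (file missing)
"""

# A HijackThis entry is "<code> - <body>", e.g. "O1 - Hosts: <ip> <host>".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")
# Addresses that are normal in a hosts file and do not indicate a redirect.
LOCAL_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}
# The only legitimate Winlogon shell on a default XP install.
DEFAULT_SHELL = "explorer.exe"


def parse_hjt(text):
    """Return (code, body) pairs for every entry line; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def hosts_redirects(entries):
    """Map each non-local IP in the O1 entries to the hostnames pointed at it.

    Many hostnames collapsing onto one remote address is the classic sign of
    a hosts-file hijack rather than a hand-edited ad blocker.
    """
    redirects = defaultdict(list)
    for code, body in entries:
        if code != "O1" or not body.startswith("Hosts: "):
            continue
        ip, host = body[len("Hosts: "):].split(None, 1)
        if ip not in LOCAL_ADDRESSES:
            redirects[ip].append(host.strip())
    return dict(redirects)


def shell_extras(entries):
    """Executables appended to the system.ini Shell= line besides explorer.exe.

    Anything listed there is started by Winlogon at every logon, before any
    Run key, which is why the extra name deserves a finding of its own.
    """
    extras = []
    for code, body in entries:
        if code == "F2" and "Shell=" in body:
            value = body.split("Shell=", 1)[1]
            extras.extend(t for t in value.split() if t.lower() != DEFAULT_SHELL)
    return extras


def temp_autoruns(entries):
    """Names of O4 Run entries whose command lives under a Temp directory."""
    names = []
    for code, body in entries:
        if code != "O4":
            continue
        m = re.search(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)", body)
        if m and re.search(r"\\temp\\", m.group("cmd"), re.IGNORECASE):
            names.append(m.group("name"))
    return names


def orphaned_services(entries):
    """Service names from O23 entries whose binary HijackThis could not find."""
    names = []
    for code, body in entries:
        if code == "O23" and "(file missing)" in body:
            # body looks like "Service: <name> - <owner> - <path> (file missing)"
            names.append(body[len("Service: "):].split(" - ", 1)[0])
    return names


def triage(text):
    """Run every check over one log and collect the findings in a dict."""
    entries = parse_hjt(text)
    return {
        "hosts_redirects": hosts_redirects(entries),
        "shell_extras": shell_extras(entries),
        "temp_autoruns": temp_autoruns(entries),
        "orphaned_services": orphaned_services(entries),
    }


if __name__ == "__main__":
    for name, finding in triage(SAMPLE_HJT_LOG).items():
        print(f"{name}: {finding}")
```

Run against the full log posted above, `hosts_redirects` groups all of the 202.109.114.142 and 203.191.146.205 lines under those two addresses, which is the quickest way to show a user that the hosts file was rewritten wholesale rather than edited line by line.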

pskelley
2007-06-09, 14:48
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.

Welcome to Safer Networking, you have some dangerous trojans on the computer including this one:
http://www.sophos.com/security/analyses/trojqqhelpdx.html

You are running this computer with no antivirus program, no Service Pack, no critical updates for your browser. Doing this is cyber-suicide.

Install an antivirus program, here is a free one if you need it:
http://free.grisoft.com/doc/avg-anti-virus-free/lng/us/tpl/v5

Update Your Windows XP.
You are currently using an unpatched version of Windows XP.
Before attempting to remove malware, it is CRITICAL that you update to Service Pack 1a.
Get SP1a here : http://www.microsoft.com/windowsxp/downloads/updates/sp1/default.mspx
You should also get SP2, but NOT NOW, rather only after your machine is clean.
After updating your Windows to SP1a, post a new HijackThis log please, using the Post Reply button.

Thanks

tykily
2007-06-09, 22:51
My computer is getting worse and worse as time goes by, I need to get this fixed ASAP!
Here is my new HJT log after updating to Service Pack 1 and getting an antivirus program:

Logfile of HijackThis v1.99.1
Scan saved at 4:48:09 PM, on 6/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\dgd4bs.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Documents and Settings\VuN\Local Settings\Temp\tempaq
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\syssbyou4.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\dgd4bs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\dgd4bs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\Temp\tempaq
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\SYSTEM32\RUNDLLFOROUR.EXE
C:\Program Files\Common Files\system\Updaterun.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Documents and Settings\VuN\Desktop\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cqking.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ala.union123.com/indaxsx.html
F2 - REG:system.ini: Shell=Explorer.exe vbjava.exe
O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\PCTools\pctools.dll
O2 - BHO: ff Class - {FAAAC0F6-94BE-4466-934B-7C53666A2F41} - C:\WINDOWS\System32\e3f1.dll
O4 - HKLM\..\Run: [SpyStopperPro] C:\Program Files\SpyStopper Pro\ssp.exe
O4 - HKLM\..\Run: [System] C:\Program Files\Common Files\system\Updaterun.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IE Helper] C:\DOCUME~1\VuN\LOCALS~1\Temp\iexplore3.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1118357305123
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1118357294373
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

pskelley
2007-06-09, 23:16
OK, well listen, since you are the one that was running the computer with no antivirus program and no critical updates or service pack, it is hard for me to get excited about the big hurry you are in to clean it up all of a sudden.

Follow the directions carefully!!

Thanks to andymanchesta and anyone else who helped with the fix.

Download SDFix and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally, paste the contents of Report.txt back on the forum with a new HijackThis log.

(wait to post these logs until after combofix is run)


Thanks to sUBs and anyone else who helped with this fix.

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Post the report from SDFix, the combofix log and a new HJT log.

Thanks

tykily
2007-06-10, 00:42
SDFix Log
SDFix: Version 1.86

Run by VuN - Thu 06/09/2005 - 18:17:17.45

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix\SDFix

Safe Mode:
Checking Services:






Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found




Removing Temp Files...

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.

Checking if ADS is attached to ntoskrnl.exe
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"\\ydfelhl.exe"="\\ydfelhl.exe:*:Enabled:pop"
"C:\\WINDOWS\\System32\\zfeihgk.exe"="C:\\WINDOWS\\System32\\zfeihgk.exe:*:Enabled:pop"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------


Listing Files with Hidden Attributes:

C:\WINDOWS\system32\Packet.dll
C:\WINDOWS\system32\WanPacket.dll
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\system32\81646C40.EXE
C:\WINDOWS\system32\systemm.exe
C:\WINDOWS\system32\drivers\npf.sys
C:\~de1E.tmp
C:\~de1F.tmp
C:\~de23.tmp
C:\~de24.tmp
C:\~de25.tmp
C:\~de26.tmp
C:\~de29.tmp
C:\~de7D.tmp
C:\~de7F.tmp
C:\~de95.tmp

Combofix Log
ComboFix 07-06-09.5 - C:\Documents and Settings\VuN\Desktop\ComboFix.exe
"VuN" - 2005-06-09 18:26:15 - Service Pack 1 NTFS


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


c:\~de1E.tmp
c:\~de1F.tmp
c:\~de23.tmp
c:\~de24.tmp
c:\~de25.tmp
c:\~de26.tmp
c:\~de29.tmp
c:\~de31.tmp
c:\~de34.tmp
c:\~de7D.tmp
c:\~de7F.tmp
c:\~de95.tmp
C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1.\Microsoft\PCTools
C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1.\Microsoft\PCTools\pctools.dll
C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1.\t
C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1.\t\a1008.dat
C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1.\t\ad\109.lz
C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1.\t\ad\111.lz
C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1.\t\ad\d3e7021b8\click.js
C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1.\t\ad\d3e7021b8\index.htm
C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1.\t\ad\d735d3b8\click.js
C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1.\t\ad\d735d3b8\index.htm
C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1.\t\ad\d74badb6\click.js
C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1.\t\ad\d74badb6\index.htm
C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1.\t\b1008.dat
C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1.\t\k1008.dat
C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1.\t\p1008.dat
C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1.\t\r1008.dat
C:\Program Files\Common Files\system\updaterun.exe
C:\WINDOWS\f2.exe
C:\WINDOWS\g3.exe
C:\WINDOWS\system32\7e1.dll
C:\WINDOWS\system32\81646C40.EXE
C:\WINDOWS\system32\advport.dll
C:\WINDOWS\system32\agxwm.dll
C:\WINDOWS\system32\d3d1caps.srg
C:\WINDOWS\system32\dgd4bs.exe
C:\WINDOWS\system32\drivers\acpidisk.sys
C:\WINDOWS\system32\drivers\msqmx.sys
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\drivers\oglcl.sys
C:\WINDOWS\system32\e3f1.dll
C:\WINDOWS\system32\iudoo.dll
C:\WINDOWS\system32\mprmsgse.axz
C:\WINDOWS\system32\mscpx32r.det
C:\WINDOWS\system32\njagf.dll
C:\WINDOWS\system32\Packet.dll
C:\WINDOWS\system32\qtzsb.dll
C:\WINDOWS\system32\qukpg.dll
C:\WINDOWS\system32\qyylq.dll
C:\WINDOWS\system32\rjjav.dll
C:\WINDOWS\system32\rkdqj.dll
C:\WINDOWS\system32\rwxcl.dll
C:\WINDOWS\system32\score.txt
C:\WINDOWS\system32\systemm.exe
C:\WINDOWS\system32\WanPacket.dll
C:\WINDOWS\system32\wbem\ckmoh.dll
C:\WINDOWS\system32\wbem\fjncj.dll
C:\WINDOWS\system32\wbem\irkhm.dll
C:\WINDOWS\system32\wbem\kbphp.dll
C:\WINDOWS\system32\wbem\kvzzw.dll
C:\WINDOWS\system32\wbem\ocmor.dll
C:\WINDOWS\system32\wbem\oqcuc.dll
C:\WINDOWS\system32\wbem\pghjf.dll
C:\WINDOWS\system32\wbem\vyvnp.dll
C:\WINDOWS\system32\wbem\wuvsy.dll
C:\WINDOWS\system32\wbem\xbazn.dll
C:\WINDOWS\system32\wbem\ziaao.dll
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\system32\wtpcf.dll
C:\WINDOWS\system32\yiapq.dll
d:\autorun.inf
d:\rising.exe


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_ACPIDISK
-------\LEGACY_MSQMX
-------\LEGACY_NPF
-------\LEGACY_OGLCL
-------\LEGACY_SHIPING
-------\acpidisk
-------\NPF
-------\oglcl
-------\Patterns
-------\SHipING


((((((((((((((((((((((((( Files Created from 2005-05-10 to 2005-06-10 )))))))))))))))))))))))))))))))


2005-06-09 18:30 26,417 --a------ C:\WINDOWS\system32\dgd4bs.exe
2005-06-09 18:30 11,392 --a------ C:\WINDOWS\system32\431118367022.dat
2005-06-09 18:28 8,493 --a------ C:\WINDOWS\system32\u1118366914k.exe
2005-06-09 18:25 49,152 --a------ C:\WINDOWS\nircmd.exe
2005-06-09 18:22 9,977 --a------ C:\WINDOWS\system32\k11183665363.exe
2005-06-09 18:22 134,656 --a------ C:\WINDOWS\system32\syssbyou3.exe
2005-06-09 18:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\{42A2F05F-E171-4CEF-852F-02475F698C24}
2005-06-09 17:26 <DIR> C:\Program Files\E¥EöA,(S)
2005-06-09 17:03 39 --a------ C:\WINDOWS\system32\MSZHQZG.DLL
2005-06-09 16:41 12,897 --a------ C:\WINDOWS\system32\k11183604863.exe
2005-06-09 16:40 43,351 --a------ C:\WINDOWS\system32\k11183604562.exe
2005-06-09 16:40 11,437 --a------ C:\WINDOWS\system32\k11183604573.exe
2005-06-09 16:03 137,728 --a------ C:\WINDOWS\system32\k11183582251.exe
2005-06-09 15:48 465,176 --a------ C:\WINDOWS\system32\wuapi.dll
2005-06-09 15:48 41,240 --a------ C:\WINDOWS\system32\wups.dll
2005-06-09 15:48 194,328 --a------ C:\WINDOWS\system32\wuaueng1.dll
2005-06-09 15:48 18,200 --a------ C:\WINDOWS\system32\wups2.dll
2005-06-09 15:48 172,312 --a------ C:\WINDOWS\system32\wuauclt1.exe
2005-06-09 15:48 127,256 --a------ C:\WINDOWS\system32\wucltui.dll
2005-06-09 15:48 <DIR> d-------- C:\WINDOWS\SoftwareDistribution
2005-06-09 15:42 <DIR> d---s---- C:\DOCUME~1\VuN\UserData
2005-06-08 23:46 737,280 --a------ C:\WINDOWS\iun6002.exe
2005-06-08 23:39 11,344 --a------ C:\WINDOWS\system32\431118299161.dat
2005-06-08 23:33 <DIR> d-------- C:\Program Files\iPod
2005-06-08 23:33 <DIR> d-------- C:\DOCUME~1\VuN\APPLIC~1\Apple Computer
2005-06-08 23:32 <DIR> d-------- C:\Program Files\iTunes
2005-06-08 23:31 <DIR> d-------- C:\Program Files\QuickTime
2005-06-08 23:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Apple Computer
2005-06-08 23:20 28,276 --a------ C:\WINDOWS\system32\drivers\MxlW2k.sys
2005-06-08 23:20 <DIR> d-------- C:\Program Files\MUSICMATCH
2005-06-08 23:19 593,920 --a------ C:\WINDOWS\system32\zfeihgk.exe
2005-06-08 23:09 87,768 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2005-06-08 23:09 108,168 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2005-06-08 23:09 <DIR> d-------- C:\Program Files\Symantec
2005-06-08 23:08 <DIR> d-------- C:\WINDOWS\RegisteredPackages
2005-06-08 23:08 <DIR> d-------- C:\Program Files\Symantec AntiVirus
2005-06-08 23:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Symantec
2005-06-08 23:03 2,665 --a------ C:\WINDOWS\system32\431118297030.dat
2005-06-08 22:53 18,432 --a------ C:\WINDOWS\system32\webprint.exe
2005-06-08 22:53 18,432 --a------ C:\WINDOWS\system32\webpnt.exe
2005-06-08 22:45 379,392 --a------ C:\WINDOWS\system32\vbjava.exe
2005-06-08 22:44 11,390 --a------ C:\WINDOWS\system32\431118295842.dat
2005-06-08 22:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Spybot - Search & Destroy
2005-06-08 22:24 <DIR> d-------- C:\DOCUME~1\ADMINI~1.VU\APPLIC~1\Simply Super Software
2005-06-08 22:20 524,288 --ah----- C:\DOCUME~1\ADMINI~1.VU\NTUSER.DAT
2005-06-08 22:14 17,277 --a------ C:\WINDOWS\system32\u1118294041k.exe
2005-06-08 22:14 11,390 --a------ C:\WINDOWS\system32\431118294039.dat
2005-06-08 22:10 604 --a------ C:\WINDOWS\system32\tmp.reg
2005-06-08 22:05 9,965 --a------ C:\WINDOWS\system32\431118293536.dat
2005-06-08 21:59 11,390 --a------ C:\WINDOWS\system32\431118293173.dat
2005-06-08 21:57 796,672 --a------ C:\WINDOWS\GPInstall.exe
2005-06-08 21:57 16,896 --a------ C:\WINDOWS\ssuninst.exe
2005-06-08 21:57 <DIR> d-------- C:\Program Files\SpyStopper Pro
2005-06-08 21:55 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\TEMP
2005-06-08 21:54 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2005-06-08 21:54 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2005-06-08 21:54 <DIR> d-------- C:\DOCUME~1\VuN\APPLIC~1\Simply Super Software
2005-06-08 21:30 67 --a------ C:\WINDOWS\system32\OUBISAHPW.DLL
2005-06-08 21:30 4,586 --a------ C:\WINDOWS\system32\syssbyou4.exe
2005-06-08 21:30 379,392 --a------ C:\WINDOWS\system32\vbjava.exe.ren
2005-06-08 21:30 1,015,808 --a------ C:\WINDOWS\system32\vbjs.dll
2005-06-08 21:29 43,351 --a------ C:\WINDOWS\system32\ks8j3jsisd.exe
2005-06-08 21:29 37,351 --a------ C:\WINDOWS\system32\df33sdg.dll
2005-06-08 21:29 20,480 --a------ C:\WINDOWS\system32\syssbyou1.exe
2005-06-08 21:29 171,493 --a------ C:\WINDOWS\system32\syssbyou2.exe
2005-06-08 21:29 11,392 --a------ C:\WINDOWS\system32\sddftj.dat
2005-06-08 21:29 1,266 --a------ C:\WINDOWS\system32\kuFeuTXJ0.dll
2005-06-08 21:28 137,728 --a------ C:\WINDOWS\system32\k11182913371.exe
2005-06-08 21:28 12,958 --a------ C:\WINDOWS\system32\3623DB64.DLL
2005-06-08 21:27 <DIR> d-------- C:\Downloads
2005-06-08 21:23 1,310,720 --ah----- C:\DOCUME~1\VuN\NTUSER.DAT
2005-06-08 21:23 <DIR> d--hs---- C:\WINDOWS\Installer
2005-06-08 21:20 241,664 --ah----- C:\DOCUME~1\NETWOR~1.NTA\NTUSER.DAT
2005-06-08 21:20 241,664 --ah----- C:\DOCUME~1\LOCALS~1.NTA\NTUSER.DAT
2005-06-08 21:13 241,664 ---h----- C:\DOCUME~1\DEFAUL~1.WIN\NTUSER.DAT
2005-06-08 21:13 <DIR> d-------- C:\WINDOWS\system32\xircom
2005-06-08 21:12 112,128 --a------ C:\WINDOWS\system32\mapi32.dll
2005-06-08 21:11 <DIR> dr------- C:\WINDOWS\Offline Web Pages
2005-06-08 21:11 <DIR> d--hs---- C:\DOCUME~1\ALLUSE~1.WIN\DRM
2005-06-08 21:11 <DIR> d---s---- C:\WINDOWS\Downloaded Program Files
2005-06-08 21:10 361,984 --a------ C:\WINDOWS\system32\qmgr.dll
2005-06-08 21:10 <DIR> d-------- C:\WINDOWS\system32\Macromed
2005-06-08 21:10 <DIR> d-------- C:\WINDOWS\system32\DirectX
2005-06-08 21:10 <DIR> d-------- C:\WINDOWS\srchasst
2005-06-08 21:09 77,824 --a------ C:\WINDOWS\system32\isign32.dll
2005-06-08 21:09 69,632 --a------ C:\WINDOWS\system32\icwdial.dll
2005-06-08 21:09 69,248 --a------ C:\WINDOWS\system32\drivers\sr.sys
2005-06-08 21:09 64,512 --a------ C:\WINDOWS\system32\acctres.dll
2005-06-08 21:09 61,440 --a------ C:\WINDOWS\system32\icwphbk.dll
2005-06-08 21:09 47,616 --a------ C:\WINDOWS\system32\inetres.dll
2005-06-08 21:09 40,960 --a------ C:\WINDOWS\system32\safrslv.dll
2005-06-08 21:09 39,424 --a------ C:\WINDOWS\system32\safrcdlg.dll
2005-06-08 21:09 33,280 --a------ C:\WINDOWS\system32\racpldlg.dll
2005-06-08 21:09 32,768 --a------ C:\WINDOWS\system32\mnmsrvc.exe
2005-06-08 21:09 28,672 --a------ C:\WINDOWS\system32\isrdbg32.dll
2005-06-08 21:09 266,240 --a------ C:\WINDOWS\system32\inetcfg.dll
2005-06-08 21:09 26,624 --a------ C:\WINDOWS\system32\safrdm.dll
2005-06-08 21:09 16,384 --a------ C:\WINDOWS\system32\icfgnt5.dll
2005-06-08 21:09 12,288 --a------ C:\WINDOWS\system32\nmevtmsg.dll
2005-06-08 21:09 11,264 --a------ C:\WINDOWS\system32\atrace.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-09 23:31:33 -------- d-----w C:\Program Files\messenger
2006-10-04 02:47:52 109,360 ----a-w C:\WINDOWS\system32\GEARAspi.dll
2006-09-19 21:44:04 15,664 ----a-w C:\WINDOWS\system32\drivers\GEARAspiWDM.sys
2005-11-15 20:29:32 83,752 ----a-w C:\WINDOWS\system32\pds.dll
2005-11-15 20:29:30 83,752 ----a-w C:\WINDOWS\system32\nts.dll
2005-11-15 20:29:30 46,896 ----a-w C:\WINDOWS\system32\msgsys.dll
2005-11-15 20:29:28 83,696 ----a-w C:\WINDOWS\system32\loc32vc0.dll
2005-11-15 20:29:28 34,600 ----a-w C:\WINDOWS\system32\cba.dll
2005-11-15 20:28:12 43,760 ----a-w C:\WINDOWS\system32\NavLogon.dll
2005-10-20 00:39:10 534,160 ----a-w C:\WINDOWS\system32\SymNeti.dll
2005-10-20 00:39:08 161,424 ----a-w C:\WINDOWS\system32\SymRedir.dll
2005-10-20 00:39:04 195,728 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2005-10-20 00:38:58 24,720 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2005-10-20 00:38:54 31,888 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2005-10-20 00:38:50 28,304 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2005-10-20 00:38:46 109,200 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2005-10-20 00:38:40 12,944 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2005-06-10 01:22:55 -------- d-----w C:\Program Files\ËÑË÷À¸(S)
2005-06-08 20:43:07 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2005-05-26 11:16:24 75,544 ----a-w C:\WINDOWS\system32\cdm.dll
2005-05-26 11:16:24 198,424 ----a-w C:\WINDOWS\system32\iuengine.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{FA91DE7A-D85F-4F35-8204-4D7C957A154B}=C:\Program Files\ËÑË÷À¸(S)\sobar.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpyStopperPro"="C:\Program Files\SpyStopper Pro\ssp.exe" [2005-06-08 22:51]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-10-04 12:42]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-11-15 13:28]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51]
"System"="C:\Program Files\Common Files\system\Updaterun.exe" [2002-08-29 03:41]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*
Patterns


Contents of the 'Scheduled Tasks' folder
2005-06-10 01:21:32 C:\WINDOWS\tasks\8634cStqDjRMKLbrakZ.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2005-06-09 18:30:17
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

? [1528]
? [1536]
? [1160]
? [1608]
? [1800]
? [288]


scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\iqmzi.dll
**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\SHipING]
"ImagePath"="C:\WINDOWS\SYSTEM32\RUNDLLFOROUR.EXE C:\WINDOWS\SYSTEM32\WBEM\PRGHU.DLL,Export 1087"

Completion time: 2005-06-09 18:32:39 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2005-06-09 18:32

--- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 6:41:37 PM, on 6/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\dgd4bs.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Documents and Settings\VuN\Local Settings\Temp\tempaq
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\Temp\tempaq
C:\WINDOWS\SYSTEM32\RUNDLLFOROUR.EXE
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Documents and Settings\VuN\Desktop\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ala.union123.com/indaxsx.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
F2 - REG:system.ini: Shell=Explorer.exe vbjava.exe
O2 - BHO: ff Class - {FAAAC0F6-94BE-4466-934B-7C53666A2F41} - C:\WINDOWS\System32\e3f1.dll
O4 - HKLM\..\Run: [SpyStopperPro] C:\Program Files\SpyStopper Pro\ssp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1118357305123
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1118357294373
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: 2C488C3C - Unknown owner - C:\WINDOWS\System32\81646C40.EXE (file missing)
O23 - Service: 4B39E53C - Unknown owner - C:\WINDOWS\System32\81646C40.EXE (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

pskelley
2007-06-10, 01:29
Do you have any idea what this is: C:\WINDOWS\SYSTEM32\RUNDLLFOROUR.EXE? This is what I get from Google:
http://www.google.com/search?hl=en&q=RUNDLLFOROUR.EXE&btnG=Search

If you don't know it, I suggest you get rid of it, let's proceed like this:

1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
F2 - REG:system.ini: Shell=Explorer.exe vbjava.exe
O2 - BHO: ff Class - {FAAAC0F6-94BE-4466-934B-7C53666A2F41} - C:\WINDOWS\System32\e3f1.dll
O23 - Service: 2C488C3C - Unknown owner - C:\WINDOWS\System32\81646C40.EXE (file missing)
O23 - Service: 4B39E53C - Unknown owner - C:\WINDOWS\System32\81646C40.EXE (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) RIGHT Click on Start then click on Explore. Locate and delete these items:

vbjava.exe <<< search for and delete that file

C:\WINDOWS\System32\dgd4bs.exe <<< delete that file

C:\Documents and Settings\VuN\Local Settings\Temp\ <<< delete the contents of that folder (NOT THE FOLDER)

C:\WINDOWS\Temp\ <<< delete the contents of that folder (NOT THE FOLDER)

C:\WINDOWS\system32\iqmzi.dll <<< delete that file

C:\WINDOWS\SYSTEM32\RUNDLLFOROUR.EXE <<< delete that file

C:\WINDOWS\System32\81646C40.EXE <<< delete that file

5) Follow the directions in this link to run AVG Anti-Spyware, make sure you delete or quarantine anything it finds and save the scan report to post.
http://forums.security-central.us/showthread.php?t=3165

6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post the scan results from AVG Anti-Spyware and a new HJT log.

Thanks

tykily
2007-06-10, 07:46
No, I don't know what this RUNDLLFOROUR.exe is, but I believe it has something to do with rundll32.exe, which keeps showing up. After some googling I have found that rundll32.exe is associated with some kind of virus/trojan/worm/spyware.
http://www.google.com/search?hl=en&q=rundll32.exe

For some strange reason after scanning with the AVG Anti-Spyware, the "save report" button wasn't available and no log was saved under the "Reports" tab, so I cannot include the log for it. I followed the instructions very carefully and even retraced my steps many times, but I couldn't find out why I can't save a log. Nevertheless, the results of the scan weren't so good. It included plenty of trojans, tracking cookies, adware, and the like.

Here is the HJT log after a reboot; it seems everything I delete just keeps coming back :(

Logfile of HijackThis v1.99.1
Scan saved at 1:27:55 AM, on 6/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\SpyStopper Pro\ssp.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Documents and Settings\VuN\Desktop\New Folder\HijackThis.exe
C:\Program Files\QuickTime\tdidhle.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\VuN\Local Settings\Temp\tempaq
C:\WINDOWS\Temp\iexplore2.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Temp\tempaq
C:\WINDOWS\Temp\iexplore7.exe
C:\WINDOWS\1D.tmp
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ala.union123.com/indaxsx.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ala.union123.com/indaxsx.html
O2 - BHO: ff Class - {FAAAC0F6-94BE-4466-934B-7C53666A2F41} - C:\WINDOWS\System32\e3f1.dll
O4 - HKLM\..\Run: [SpyStopperPro] C:\Program Files\SpyStopper Pro\ssp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [tdidhle] C:\Program Files\QuickTime\tdidhle.exe
O4 - HKLM\..\Run: [System] C:\Program Files\Common Files\system\Updaterun.exe
O4 - Global Startup: ydfelh.lnk = C:\Program Files\Windows Media Player\ydfelhl.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1118357305123
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1118357294373
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Security Machine Manager (SHipING) - Unknown owner - C:\WINDOWS\SYSTEM32\RUNDLLFOROUR.EXE (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Windows Accounts Driver (windows_22) - Unknown owner - C:\WINDOWS\System32\310.exe (file missing)

pskelley
2007-06-10, 10:37
Please follow the directions carefully, you said:
Nevertheless, the results of the scan weren't so good. It included plenty of trojans, tracking cookies, adware, and the like
If AVG Anti-Spyware found the junk you mention and you followed the directions, then it would have deleted the junk. Since you did not follow the directions and save the scan report so I can see the results, I have no idea what was done.
This time I want you to take the time to read the tutorial for the program and follow the directions.

Proceed like this:

1) Download HostsXpert v4.0 - Hosts File Manager.
http://www.funkytoad.com/download/HostsXpert.zip
Unzip HostsXpert 4.0 - Hosts File Manager to a convenient folder such as C:\HostsXpert
Click HostsXpert.exe to Run HostsXpert 4.0 - Hosts File Manager from its new home
Click "Make Hosts Writable?" in the upper right corner (If available).
Click Restore Microsoft's Hosts file and then click OK.
Click the X to exit the program.
Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

2) Follow the directions in this link to run AVG Anti-Spyware, make sure you delete or quarantine anything it finds and save the scan report to post.
http://forums.security-central.us/showthread.php?t=3165 <<< follow the instructions

3) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

4) C:\Program Files\SpyStopper Pro\ <<< I do not have instructions, but I want you to disable this program; it may block the changes we must make and block HJT from removing the junk.
(Do you own this program?)

5) AVG Anti-Spyware: Deactivate the Resident Shield
- Before proceeding, deactivate the "Resident Shield" as this may prevent changes to the registry.
- To do this, click "Change State" to the right of the Resident Shield option in the main window.
- You will clearly see the status change to Inactive if you have done this correctly.

(if you do not follow the directions in 4 and 5, we are wasting our time trying to use HJT!)

6) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: ff Class - {FAAAC0F6-94BE-4466-934B-7C53666A2F41} - C:\WINDOWS\System32\e3f1.dll
O4 - HKLM\..\Run: [tdidhle] C:\Program Files\QuickTime\tdidhle.exe
O4 - HKLM\..\Run: [System] C:\Program Files\Common Files\system\Updaterun.exe
O4 - Global Startup: ydfelh.lnk = C:\Program Files\Windows Media Player\ydfelhl.exe
O23 - Service: Security Machine Manager (SHipING) - Unknown owner - C:\WINDOWS\SYSTEM32\RUNDLLFOROUR.EXE (file missing)
O23 - Service: Windows Accounts Driver (windows_22) - Unknown owner - C:\WINDOWS\System32\310.exe (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

7) RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\Program Files\QuickTime\tdidhle.exe <<< delete that file

C:\Program Files\Common Files\system\Updaterun.exe <<< delete that file

(the next three instructions, you are NOT to delete the folders, just the contents)

C:\Documents and Settings\VuN\Local Settings\Temp\ <<< delete the total contents of that Temp folder (there may be a few old files that will not delete)

C:\WINDOWS\Temp\ <<< delete the total contents of that TEMP folder (there may be a few old files that will not delete)

C:\Windows\Prefetch\ <<< delete the contents of that Prefetch folder (there may be a few old files that will not delete)

C:\WINDOWS\1D.tmp <<< delete that file

C:\WINDOWS\SYSTEM32\RUNDLLFOROUR.EXE <<< delete that file

C:\WINDOWS\System32\310.exe <<< delete that file

8) Follow these instructions to run cleanmgr
http://spyware-free.us/tutorials/cleanmgr/

Restart the computer and post the scan results of AVG Anti-Spyware and a new HJT log.

Thanks
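The entries pskelley keeps singling out in these logs (the Shell= hijack in the F2 line, O23 services with an unknown owner or a missing image, and processes running out of Temp or without an .exe extension) can be picked out of a HijackThis log mechanically. This is an added example, not part of the thread or of HijackThis itself; the sample log is constructed from the line types seen above and the triage heuristics are this example's own.

```python
import re

# Constructed sample: a cut-down HijackThis v1.99.1 log using line types seen in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Temp\tempaq
C:\WINDOWS\Temp\iexplore2.exe
C:\WINDOWS\1D.tmp

F2 - REG:system.ini: Shell=Explorer.exe vbjava.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Windows Accounts Driver (windows_22) - Unknown owner - C:\WINDOWS\System32\310.exe (file missing)
"""

ITEM_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")          # "O23 - Service: ..." style line items
TEMP_RE = re.compile(r"\\(temp|local settings\\temp)\\", re.IGNORECASE)

def parse_hjt(text):
    """Split a HijackThis log into its process list and its lettered line items."""
    processes, items, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        m = ITEM_RE.match(line)
        if m:
            in_procs = False
            items.append((m.group(1), m.group(2)))
        elif in_procs and line:
            processes.append(line)
    return processes, items

def triage(text):
    """Return (where, reason, entry) tuples for the entries a helper would ask about first."""
    findings = []
    processes, items = parse_hjt(text)
    for p in processes:
        if TEMP_RE.search(p):
            findings.append(("process", "runs from a Temp folder", p))
        elif not p.lower().endswith(".exe"):
            findings.append(("process", "running image without .exe extension", p))
    for sec, body in items:
        if sec == "F2" and body.startswith("REG:system.ini: Shell="):
            tokens = body.split("Shell=", 1)[1].split()
            # The Winlogon Shell value must be exactly Explorer.exe; any extra token is launched at logon.
            if [t.lower() for t in tokens] != ["explorer.exe"]:
                findings.append((sec, "extra shell executable: " + " ".join(tokens[1:]), body))
        elif sec == "O23" and ("(file missing)" in body or "Unknown owner" in body):
            findings.append((sec, "service with unknown owner or missing image", body))
    return findings
```

Running `triage(SAMPLE_LOG)` flags the three Temp/.tmp processes, the vbjava.exe shell hijack and the windows_22 service, and leaves winlogon.exe, ccApp and Rtvscan.exe alone.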

tashi
2007-06-18, 20:28
This topic has been archived due to lack of a response. :spider:

If you need it re-opened, please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.