Virtumonde and Vundo Problem

[lingra]

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, December 27, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, December 26, 2008 22:09:52
Records in database: 1518838
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Files scanned: 63079
Threat name: 7
Infected objects: 13
Suspicious objects: 0
Duration of the scan: 00:34:44


File name / Threat name / Threats count
C:\WINDOWS\Downloaded Program Files\Eikev.dll Infected: not-a-virus:AdWare.Win32.Agent.r 1
C:\Program Files\Tencent\QQGame\QQGame.exe Infected: Trojan-Spy.Win32.Qeds.g 1
C:\System Volume Information\_restore{155FDCDF-D3F1-4AE8-AEB7-750785FA80AD}\RP1705\A0091323.dll Infected: Trojan.Win32.Pakes.mgc 1
C:\System Volume Information\_restore{155FDCDF-D3F1-4AE8-AEB7-750785FA80AD}\RP1705\A0091330.dll Infected: Trojan.Win32.Pakes.mgc 1
C:\System Volume Information\_restore{155FDCDF-D3F1-4AE8-AEB7-750785FA80AD}\RP1706\A0091358.dll Infected: Trojan.Win32.Pakes.mfs 1
C:\System Volume Information\_restore{155FDCDF-D3F1-4AE8-AEB7-750785FA80AD}\RP1706\A0091365.dll Infected: Trojan.Win32.Pakes.mgc 1
C:\System Volume Information\_restore{155FDCDF-D3F1-4AE8-AEB7-750785FA80AD}\RP1707\A0092385.exe Infected: Trojan.Win32.Monderd.gen 1
C:\System Volume Information\_restore{155FDCDF-D3F1-4AE8-AEB7-750785FA80AD}\RP1725\A0095827.dll Infected: Trojan-PSW.Win32.LdPinch.acjp 1
C:\System Volume Information\_restore{155FDCDF-D3F1-4AE8-AEB7-750785FA80AD}\RP1725\A0095829.dll Infected: Trojan-PSW.Win32.LdPinch.acjp 1
C:\System Volume Information\_restore{155FDCDF-D3F1-4AE8-AEB7-750785FA80AD}\RP1725\A0095830.dll Infected: Trojan.Win32.Pakes.mfu 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\frthokbj.dll.vir Infected: Trojan-PSW.Win32.LdPinch.acjp 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\mrmhawly.dll.vir Infected: Trojan-PSW.Win32.LdPinch.acjp 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\vsfwngqf.dll.vir Infected: Trojan.Win32.Pakes.mfu 1

The selected area was scanned.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:41:01, on 2008-12-27
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
D:\卡卡\rstray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
E:\HW99\HWPEN\HWshell.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\lingra.exe

O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: (no name) - {06849E9E-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - E:\其他软件和杂件（2）\国际快车\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - F:\其他软件和杂件（2）\国际快车\getflash.dll (file missing)
O3 - Toolbar: 金山快译(&K) - {6C3797D2-3FEF-4cd4-B654-D3AE55B4128C} - C:\PROGRA~1\Kingsoft\FASTAI~1\IEBand.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [gemstrmw] C:\WINDOWS\system32\gemstrmw.exe /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [runeip] "D:\卡卡\rstray.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Google Updater] "C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -systray -startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunOnce: [KKDelay] D:\卡卡\RunOnce.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HWShell.lnk = ?
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &使用快车(FlashGet)下载 - E:\其他软件和杂件（2）\国际快车\jc_link.htm
O8 - Extra context menu item: &使用快车(FlashGet)下载全部链接 - E:\其他软件和杂件（2）\国际快车\jc_all.htm
O8 - Extra context menu item: Easy-WebPrint打印 - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint添加到打印列表 - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint预览 - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint高速打印 - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: 上传到QQ网络硬盘 - E:\qq\0612\AddToNetDisk.htm
O8 - Extra context menu item: 使用迅雷下载 - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到QQ自定义面板 - E:\qq\0612\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - E:\qq\0612\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - E:\qq\0612\SendMMS.htm
O8 - Extra context menu item: 百度Flash搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/FLASHSEARCH.HTM
O8 - Extra context menu item: 百度mp3搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUMP3.HTM
O8 - Extra context menu item: 百度信息快递搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUIE.HTM
O8 - Extra context menu item: 百度图片搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUIMG.HTM
O8 - Extra context menu item: 百度搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUSEARCH.HTM
O8 - Extra context menu item: 百度新闻搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUNEWS.HTM
O8 - Extra context menu item: 豪杰超级解霸V8实时播放 - C:\Herosoft\HeroV8\MPURLGET.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 控制台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: 启动迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: 启动迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra button: 豪杰超级解霸V8 - {367E0A21-8601-4986-9C9A-153BF5ACA118} - C:\Herosoft\HeroV8\STHSDVD.EXE
O9 - Extra 'Tools' menuitem: 豪杰超级解霸V8 - {367E0A21-8601-4986-9C9A-153BF5ACA118} - C:\Herosoft\HeroV8\STHSDVD.EXE
O9 - Extra button: 信息检索 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - E:\qq\0612\QQ.EXE
O9 - Extra 'Tools' menuitem: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - E:\qq\0612\QQ.EXE
O9 - Extra button: 快车 - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\其他软件和杂件（2）\国际快车\FlashGet.exe (file missing)
O9 - Extra 'Tools' menuitem: 快车(FlashGet) - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\其他软件和杂件（2）\国际快车\FlashGet.exe (file missing)
O9 - Extra button: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - D:\新建文件夹 (2)\QQIEHelper.dll (file missing)
O9 - Extra 'Tools' menuitem: QQ炫彩工具条设置 - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - D:\新建文件夹 (2)\QQIEHelper.dll (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com
O15 - Trusted Zone: http://*.221.208.242.29
O15 - Trusted Zone: http://*.221.208.250.138
O15 - Trusted Zone: easyabc.95599.cn
O15 - Trusted Zone: www.95599.cn
O15 - Trusted Zone: http://*.cncmax.cn
O15 - Trusted Zone: http://*.cncmax.hl.cn
O15 - Trusted Zone: http://*.cncmax.tj.cn
O15 - Trusted Zone: http://www.icbc.com.cn
O15 - Trusted Zone: http://*.passport.cncmax.cn
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} (Edit Class) - https://www.sz1.cmbchina.com/download/CMBEdit.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D90741B-F236-4D21-94F6-F70631BF3CA3} (GemOCX Control) - https://mybank.icbc.com.cn/icbc/GemOCX.cab
O16 - DPF: {5467862B-C477-437F-886E-EC5006B37DCA} (PwdEdit Control) - https://ebank.cmbc.com.cn/PwdEdit.cab
O16 - DPF: {73E4740C-08EB-4133-896B-8D0A7C9EE3CD} (AxInputControl Class) - https://mybank.icbc.com.cn/icbc/perbank/AxSafeControls.cab
O16 - DPF: {8D9E0B29-563C-4226-86C1-5FF2AE77E1D2} (AxSubmitControl Class) - https://mybank.icbc.com.cn/icbc/perbank/AxSafeControls.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6301F3A-5A04-4073-9CF8-CFD570815B08}: NameServer = 202.106.195.68 202.106.46.151
O18 - Protocol: KuGoo - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - C:\WINDOWS\system32\KuGoo3DownXControl.ocx
O18 - Protocol: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - C:\WINDOWS\system32\KuGoo3DownXControl.ocx
O20 - AppInit_DLLs: kmon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O24 - Desktop Component 0: (no name) - http://www.cncard.com./images/product_logo/030002.gif

--
End of file - 10456 bytes

 

[Shaba]

I'd like you to check some files for malware.

• Go to VirusTotal or Jotti's

C:\WINDOWS\Downloaded Program Files\Eikev.dll
C:\Program Files\Tencent\QQGame\QQGame.exe

• Copy/Paste the first file on the list into the white Upload a file box.
• Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
• After a while, a window will open, with details of what the scans found.
• Save the complete results in a Notepad/Word document on your desktop.
• Repeat for all files on the list.
• Post back results here, please.

 

[lingra]

C:\WINDOWS\Downloaded Program Files\Eikev.dll

a-squared 4.0.0.73 2008.12.27 Riskware.AdWare.Win32.Agent!IK
AhnLab-V3 2008.12.25.0 2008.12.27 -
AntiVir 7.9.0.45 2008.12.26 ADSPY/Agent.R
Authentium 5.1.0.4 2008.12.27 W32/Adware.NCS
Avast 4.8.1281.0 2008.12.26 -
AVG 8.0.0.199 2008.12.26 Generic.NGW
BitDefender 7.2 2008.12.27 Adware.Agent.R
CAT-QuickHeal 10.00 2008.12.27 -
ClamAV 0.94.1 2008.12.27 -
Comodo 826 2008.12.27 -
DrWeb 4.44.0.09170 2008.12.27 Adware.Tencent.origin
eSafe 7.0.17.0 2008.12.24 -
eTrust-Vet 31.6.6276 2008.12.24 -
Ewido 4.0 2008.12.27 Adware.Agent
F-Prot 4.4.4.56 2008.12.26 W32/Adware.NCS
F-Secure 8.0.14332.0 2008.12.27 AdWare.Win32.Agent.r
Fortinet 3.117.0.0 2008.12.27 Adware/Agent
GData 19 2008.12.27 Adware.Agent.R
Ikarus T3.1.1.45.0 2008.12.27 not-a-virus:AdWare.Win32.Agent
K7AntiVirus 7.10.567 2008.12.26 Non-Virus:AdWare.Win32.Agent.r
Kaspersky 7.0.0.125 2008.12.27 not-a-virus:AdWare.Win32.Agent.r
McAfee 5475 2008.12.26 -
McAfee+Artemis 5475 2008.12.26 potentially unwanted program Generic!Artemis
Microsoft 1.4205 2008.12.27 -
NOD32 3718 2008.12.26 probably a variant of Win32/Adware.Agent
Norman 5.80.02 2008.12.26 W32/Agent.ZFM
Panda 9.0.0.4 2008.12.27 Trj/Downloader.MDW
PCTools 4.4.2.0 2008.12.27 Adware.Agent!sd5
Prevx1 V2 2008.12.27 -
Rising 21.09.52.00 2008.12.27 -
SecureWeb-Gateway 6.7.6 2008.12.27 Ad-Spyware.Agent.R
Sophos 4.37.0 2008.12.27 Sus/Behav-1010
Sunbelt 3.2.1809.2 2008.12.22 AdWare.Win32.Agent
Symantec 10 2008.12.27 -
TheHacker 6.3.1.4.200 2008.12.26 Adware/Agent.r
TrendMicro 8.700.0.1004 2008.12.26 -
VBA32 3.12.8.10 2008.12.26 AdWare.Win32.Agent.r
ViRobot 2008.12.26.1536 2008.12.26 -
VirusBuster 4.5.11.0 2008.12.26 Adware.Agent.DDAY
Additional information
File size: 144384 bytes
MD5...: c504c0527c519c8648cd011062c9936b
SHA1..: 5bd395c9642b64cfe547d26f3fa69ee917ce2a0b
SHA256: bb3e07b63af0670cdf4e4c11e4411b62b55b16a2e838e387183e38aa57dc39e2
SHA512: 3579ba853024ec4621df0863041bf842687a6aef1fb1702dd0e47f86fdd4f69f
7fc41747ebe9633f7df1665f72a15c64366ee3bd4f655d462c8248011ad370a2
ssdeep: 3072:BCVSWCyneFsUJbVBGUwuqV2PbhvI26JlxtZXwz4kT1y:yVe5bfGt4A2G/ZX
wzPT
PEiD..: Armadillo v1.xx - v2.xx
TrID..: File type identification
DirectShow filter (77.7%)
Win32 Executable MS Visual C++ (generic) (14.5%)
Win32 Executable Generic (3.2%)
Win32 Dynamic Link Library (generic) (2.9%)
Generic Win/DOS Executable (0.7%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x10018d71
timedatestamp.....: 0x440bfb56 (Mon Mar 06 09:05:26 2006)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1872a 0x18800 6.16 723c2ecad6fd5cc6f9f953badc42a175
.rdata 0x1a000 0x49fe 0x4a00 5.81 41db3efb9885f3ef967d17f9a594924d
.data 0x1f000 0x2670 0x1600 4.21 5e34ab7dcf15e76283f6cbb2dc484477
.rsrc 0x22000 0x1bd0 0x1c00 4.84 0aa5d4181bde6fa68b4f37a1689c6d09
.reloc 0x24000 0x2b78 0x2c00 6.12 3295b0c90c9a28a9314e8115ea3396d1

( 14 imports )
> SHLWAPI.dll: PathFileExistsW, SHSetValueA, PathAppendA, SHDeleteValueA, SHDeleteKeyA, PathIsUNCA, PathFileExistsA, PathStripToRootA, PathFindFileNameA, PathFindExtensionA, SHGetValueA, PathRemoveFileSpecA, PathRemoveExtensionA, PathRemoveBlanksA, PathRemoveBackslashA
> KERNEL32.dll: Sleep, SetThreadPriority, SetLastError, LoadLibraryA, GetFileAttributesW, OutputDebugStringA, GetModuleHandleW, LoadLibraryW, GetModuleFileNameW, InterlockedDecrement, TlsSetValue, TlsGetValue, SystemTimeToFileTime, GetSystemTime, IsBadWritePtr, TlsAlloc, GetModuleFileNameA, lstrcpynA, CreateThread, GetCurrentThreadId, GetWindowsDirectoryA, FindClose, FindNextFileA, FindFirstFileA, VirtualQuery, lstrcmpiA, VirtualProtect, GetCurrentProcess, WriteProcessMemory, GetCurrentProcessId, CreateToolhelp32Snapshot, Module32First, Module32Next, CloseHandle, GetModuleHandleA, GetSystemInfo, OpenMutexA, CreateMutexA, GetLastError, lstrcmpA, lstrlenW, WideCharToMultiByte, lstrlenA, MultiByteToWideChar, FreeLibrary, WaitForSingleObject, GetVersionExA, TerminateThread, LocalFree, GetPrivateProfileStringA, MoveFileA, GetPrivateProfileIntA, WritePrivateProfileStringA, IsBadStringPtrW, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, GetProcAddress, GetVersion, GlobalSize, lstrcatA, GetSystemDirectoryA, lstrcpyA, IsBadStringPtrA, GlobalLock, TlsFree, InitializeCriticalSection, MoveFileExA, CreateFileA, WriteFile, WritePrivateProfileStructA, GetPrivateProfileStructA, GetShortPathNameA, CreateProcessA, CopyFileA, DeleteFileA, GetTempFileNameA, GetTempPathA, UnmapViewOfFile, InterlockedIncrement, MapViewOfFile, OpenFileMappingA, InterlockedExchange, CreateFileMappingA
> USER32.dll: GetPropA, RegisterWindowMessageA, GetClassNameA, SendMessageA, SetWindowTextA, IsWindow, GetParent, EnumWindows, DialogBoxParamA, GetWindow, GetWindowRect, SystemParametersInfoA, GetClientRect, MapWindowPoints, SetWindowPos, GetDlgItemTextA, MessageBoxA, InvalidateRect, ReleaseDC, DrawTextA, GetWindowTextA, FillRect, GetSysColor, GetWindowThreadProcessId, GetDC, GetKeyState, GetComboBoxInfo, SetWindowsHookExA, UnhookWindowsHookEx, CallNextHookEx, WindowFromPoint, IsWindowVisible, EndDialog, GetWindowTextLengthA, GetDlgItem, EnableWindow, LoadStringA, FindWindowA, EnumChildWindows, SendMessageTimeoutA, GetFocus, DefWindowProcA, CallWindowProcA, FindWindowExA, GetWindowLongA, SetPropA, SetWindowLongA, RemovePropA
> ADVAPI32.dll: RegCloseKey, RegOpenKeyExA, RegQueryValueExA, RegDeleteValueA, RegCreateKeyExA, RegCreateKeyA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegQueryValueA, RegOpenKeyA
> ole32.dll: CoCreateInstance, ReleaseStgMedium, CoCreateGuid, RevokeDragDrop, StringFromCLSID, CoTaskMemFree, CoInitialize, CoUninitialize, RegisterDragDrop
> OLEAUT32.dll: -, -, -
> imagehlp.dll: ImageDirectoryEntryToData
> MSVCRT.dll: _mbschr, _mbsnbicmp, bsearch, fclose, fgets, fopen, _mbclen, _ismbcdigit, malloc, atoi, _vsnprintf, sscanf, _CxxThrowException, rand, srand, time, fwrite, fread, fseek, ftell, __1type_info@@UAE@XZ, strstr, rewind, wcslen, strrchr, _ltoa, _mbstok, __dllonexit, _onexit, _initterm, _adjust_fdiv, strncpy, free, _snprintf, realloc, _mbsrchr, _mbslwr, _mbsstr, _mbscmp, _except_handler3, sprintf, _mbsnbcpy, _purecall, wcscpy, _mbsicmp, __2@YAPAXI@Z, __3@YAXPAX@Z, __CxxFrameHandler, _stricmp, _wcsicmp, _strlwr, fputs
> urlmon.dll: IsValidURL, URLDownloadToFileA
> VERSION.dll: GetFileVersionInfoA, VerQueryValueA, GetFileVersionInfoSizeA
> WS2_32.dll: -, -, -, -, -, -, -, -, -, -, -, -
> GDI32.dll: SetBkMode, GetStockObject, DeleteObject, CreateSolidBrush, SetTextColor, GetTextExtentPointA, SetPixel, LineTo, MoveToEx, CreatePen, SelectObject
> SHELL32.dll: SHGetMalloc, SHGetSpecialFolderLocation, SHGetDesktopFolder, ShellExecuteA, SHGetSpecialFolderPathA
> WININET.dll: InternetCrackUrlA

( 6 exports )
DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer, RegisterMin, Uninstall




C:\Program Files\Tencent\QQGame\QQGame.exe

a-squared 4.0.0.73 2008.12.27 Trojan-Spy.Win32.Qeds.g!IK
AhnLab-V3 2008.12.25.0 2008.12.27 Win-Trojan/Qeds.458801
AntiVir 7.9.0.45 2008.12.26 TR/Spy.Qeds.G
Authentium 5.1.0.4 2008.12.27 W32/Trojan.GAI
Avast 4.8.1281.0 2008.12.26 Win32:Qeds-H
AVG 8.0.0.199 2008.12.26 PSW.Generic6.FCQ
BitDefender 7.2 2008.12.27 -
CAT-QuickHeal 10.00 2008.12.27 -
ClamAV 0.94.1 2008.12.27 -
Comodo 826 2008.12.27 -
DrWeb 4.44.0.09170 2008.12.27 Trojan.PWS.Qqgame
eSafe 7.0.17.0 2008.12.24 Win32.Qeds.g
eTrust-Vet 31.6.6276 2008.12.24 -
Ewido 4.0 2008.12.27 Logger.Qeds.g
F-Prot 4.4.4.56 2008.12.26 W32/Trojan.GAI
F-Secure 8.0.14332.0 2008.12.27 Trojan-Spy.Win32.Qeds.g
Fortinet 3.117.0.0 2008.12.27 PossibleThreat!012391
GData 19 2008.12.27 Win32:Qeds-H
Ikarus T3.1.1.45.0 2008.12.27 Trojan-Spy.Win32.Qeds.g
K7AntiVirus 7.10.567 2008.12.26 Trojan-Spy.Win32.Qeds.g
Kaspersky 7.0.0.125 2008.12.27 Trojan-Spy.Win32.Qeds.g
McAfee 5475 2008.12.26 Generic PWS.y
McAfee+Artemis 5475 2008.12.26 Generic PWS.y
Microsoft 1.4205 2008.12.27 -
NOD32 3718 2008.12.26 Win32/Spy.Qeds.G
Norman 5.80.02 2008.12.26 -
Panda 9.0.0.4 2008.12.27 -
PCTools 4.4.2.0 2008.12.27 -
Prevx1 V2 2008.12.27 -
Rising 21.09.52.00 2008.12.27 -
SecureWeb-Gateway 6.7.6 2008.12.27 Trojan.Spy.Qeds.G
Sophos 4.37.0 2008.12.27 Mal/Generic-A
Sunbelt 3.2.1809.2 2008.12.22 Trojan-Spy.Win32.Qeds
TheHacker 6.3.1.4.200 2008.12.26 Trojan/Spy.Qeds.g
TrendMicro 8.700.0.1004 2008.12.26 -
VBA32 3.12.8.10 2008.12.26 Trojan.PWS.Qqgame
ViRobot 2008.12.26.1536 2008.12.26 Trojan.Win32.Qeds.458801
VirusBuster 4.5.11.0 2008.12.26 -
Additional information
File size: 458801 bytes
MD5...: eb31173fa741c54aaee56fc4288387fe
SHA1..: 1c6492a4032bae20b8f4b7a27f3bb49c2d91ae95
SHA256: 97198ab0baea8664fb9527228761c8643ffd9c0c873dc9836f188c65c1716a08
SHA512: 8193615125b38acf217a16e6c02fb12c7a8da5d3a558b6e74dcca62d1aaec687
5cc2fcc93e2293877c8ff8aadddfeb1161bf3a8f53ae3c26a3a7d81a7d61f590
ssdeep: 6144:8rMrVCquYhuf1T8UmjX2FqMKV7EsiHE22YbOBrluU99/jw+J8b+qhnNzrLd
Ze:WcVCZ5PZq7ak22VluUGHnNzrLdZe
PEiD..: Armadillo v1.71
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x436d9c
timedatestamp.....: 0x43784b85 (Mon Nov 14 08:32:05 2005)
machinetype.......: 0x14c (I386)

( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x43be1 0x44000 6.43 ca9fc23c809e2bc032c414b68301311c
.rdata 0x45000 0x114d0 0x12000 3.74 816aaf55ed686a284fc88ba08cb10887
.data 0x57000 0x59c8 0x5000 5.78 6e9b555cc288639418c0e7014c32db12
.idata 0x5d000 0x290e 0x3000 5.25 c42fce4d50dd386274d1c998eebdfd68
.rsrc 0x60000 0x8718 0x9000 3.63 29563c8503142e3f7b18089ad1fd9eda
.reloc 0x69000 0x754e 0x8000 6.19 054d6bba45c525a84a16492f55f3708f

( 15 imports )
> VHelp.dll: _HAttachWinStyle@8, _HCreateWinStyle@4, _HReleaseWinStyle@4
> MFC42.DLL: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -
> MSVCRT.dll: _initterm, tolower, _controlfp, _purecall, __CxxFrameHandler, memset, strlen, strcmp, sprintf, atoi, memmove, memcpy, _mbscmp, strncpy, strchr, strstr, strcpy, __RTDynamicCast, _setmbcp, _mkdir, _unlink, _mbsrchr, printf, fprintf, vfprintf, fflush, time, localtime, _stricmp, _mbsinc, __dllonexit, _access, _mbsicmp, fclose, fputc, fopen, rand, strcat, strrchr, _XcptFilter, _exit, _mbsstr, atol, __1type_info@@UAE@XZ, exit, _onexit, _except_handler3, _terminate@@YAXXZ, __set_app_type, _acmdln, __getmainargs, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode
> KERNEL32.dll: GetModuleHandleA, FindResourceA, LoadResource, lstrcatA, WinExec, lstrcpyA, GetWindowsDirectoryA, DeleteFileA, GetFileAttributesA, SetFileAttributesA, lstrlenA, MultiByteToWideChar, VirtualQuery, GetModuleFileNameA, CreateMutexA, OpenProcess, GetLastError, TerminateProcess, LoadLibraryA, GetProcAddress, FreeLibrary, SetUnhandledExceptionFilter, CloseHandle, GetCurrentProcessId, GetCommandLineA, MoveFileA, MulDiv, WritePrivateProfileStringA, CreateDirectoryA, Sleep, GetPrivateProfileStringA, GetPrivateProfileIntA, GlobalFree, GlobalReAlloc, GlobalUnlock, GlobalLock, GlobalAlloc, FindClose, FindFirstFileA, CopyFileA, FindNextFileA, GetShortPathNameA, GetTickCount, GetThreadContext, GetCurrentThread, GetCurrentProcess, GetStartupInfoA, CreateFileA, GetVersionExA, VirtualQueryEx
> USER32.dll: CopyRect, DrawStateA, OffsetRect, LoadImageA, FillRect, InvalidateRect, GetParent, PostMessageA, GetWindowLongA, DestroyIcon, IsWindow, GetNextDlgTabItem, GetWindowRect, GetClientRect, SetCursor, PtInRect, SetWindowLongA, GetIconInfo, GrayStringA, SendMessageA, ReleaseCapture, ReleaseDC, DispatchMessageA, GetMessageA, SetCursorPos, EnableWindow, GetWindowDC, GetDesktopWindow, SetCapture, ClipCursor, GetCapture, SetWindowRgn, TabbedTextOutA, SetWindowPos, IsIconic, IsWindowVisible, GetCursorPos, CreatePopupMenu, DrawTextA, SetActiveWindow, SetForegroundWindow, SetRect, InflateRect, TrackMouseEvent, AppendMenuA, ShowWindow, MoveWindow, ValidateRect, GetFocus, GetWindow, IsRectEmpty, LockWindowUpdate, EqualRect, LoadCursorA, GetActiveWindow, ClientToScreen, FindWindowExA, mouse_event, ShowOwnedPopups, SystemParametersInfoA, GetSystemMetrics, GetClassInfoA, DefWindowProcA, UpdateWindow, GetSysColor, KillTimer, LoadIconA, SetTimer, SetRectEmpty, IntersectRect, DrawFocusRect, DestroyWindow, SetParent, DestroyCursor, CopyIcon, GetMessagePos, MessageBeep, wsprintfA, FrameRect, RedrawWindow, WindowFromPoint, LoadBitmapA, GetKeyState, DrawIconEx, GetDC, ScreenToClient
> GDI32.dll: ExtCreateRegion, CreateDIBSection, DeleteObject, CreateCompatibleDC, CombineRgn, GetPixel, CreateRectRgn, CreateCompatibleBitmap, PtVisible, RectVisible, TextOutA, ExtTextOutA, Escape, GetTextExtentPoint32A, RoundRect, StretchBlt, GetObjectA, DeleteDC, SetTextColor, SetBkColor, SelectObject, CreateBitmap, CreateFontA, GetDeviceCaps, Rectangle, CreateFontIndirectA, CreatePen, SetBkMode, CreateSolidBrush, OffsetRgn, FrameRgn, FillRgn, CreatePolygonRgn, CreateRoundRectRgn, GetBkColor, BitBlt, GetTextColor, GetBkMode, GetClipBox, GetCurrentObject, GetStockObject
> ADVAPI32.dll: RegCreateKeyA, RegOpenKeyExA, RegCloseKey, RegQueryValueExA, RegOpenKeyA, RegQueryValueA, RegSetValueExA
> SHELL32.dll: ShellExecuteA, SHFileOperationA, ShellExecuteExA, SHGetFileInfoA
> COMCTL32.dll: ImageList_Draw, ImageList_GetIcon, ImageList_SetBkColor, ImageList_AddMasked, _TrackMouseEvent, ImageList_GetImageCount
> ole32.dll: CoUninitialize, CLSIDFromString, CLSIDFromProgID, CoFreeLibrary, CoLoadLibrary, CoInitialize
> OLEAUT32.dll: -, -
> WSOCK32.dll: -, -, -, -, -, -, -
> IMAGEHLP.dll: SymInitialize, SymSetOptions, SymLoadModule, SymGetModuleInfo, SymGetSymFromAddr, StackWalk, SymFunctionTableAccess
> WINMM.dll: PlaySoundA
> VERSION.dll: GetFileVersionInfoA, GetFileVersionInfoSizeA, VerQueryValueA

( 0 exports )
CWSandbox info: <a href='http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=eb31173fa741c54aaee56fc4288387fe' target='_blank'>http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=eb31173fa741c54aaee56fc4288387fe</a>

 

[Shaba]

Do you recognize this folder?

C:\Program Files\Tencent\QQGame

 

[lingra]

Yes, but I do not need it. Everything in that folder can be deleted.

 

[Shaba]

What I mean that according to results it is a keylogger.

So I recommend to change all online passwords.

Delete these:

C:\Program Files\Tencent\QQGame
C:\WINDOWS\Downloaded Program Files\Eikev.dll

Empty Recycle Bin.

Still problems?

 

[lingra]

I can't see C:\WINDOWS\Downloaded Program Files\Eikev.dll in its folder.

I have already set Windows Explorer to view all hidden files and Windows Search does not detect the file either.

Any tips?

 

[lingra]

Nevermind, I used Run -> cmd to delete it.

 

[Shaba]

Glad to hear that it got sorted out

Still some issues left?

 

[lingra]

Nothing that I can tell.

Thanks for all your help and your prompt replies!

 

[Shaba]

Great

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Looking over your log, it seems you don''t have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

1) Comodo (Uncheck during installation "Install COMODO Antivirus (Recommended)"!, "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage")
2) Online Armor
3) PC Tools
4) Sunbelt/Kerio
5) ZoneAlarm (uncheck ZoneAlarm Spy Blocker during installation if you choose this one)

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer before continuing!***

• Double-click on JavaRa.exe to start the program.
• From the drop-down menu, choose English and click on Select.
• JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
• Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
• A logfile will pop up. Please save it to a convenient location.

Then download and install Java Runtime Environment (JRE) 6 Update 11

Now lets uninstall ComboFix:

• Click START then RUN
• Now type Combofix /u in the runbox and click OK

Next we remove all used tools.

Please download OTCleanIt and save it to desktop.

• Double-click OTCleanIt.exe.
• Click the CleanUp! button.
• Select Yes when the "Begin cleanup Process?" prompt appears.
• If you are prompted to Reboot during the cleanup, select Yes.
• The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

• Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.
  
  You can find instructions on how to enable and re-enable system restore here:
  
  Windows XP System Restore Guide

Re-enable system restore with instructions from tutorial above

• Make your Internet Explorer more secure - This can be done by following these simple instructions:
• From within Internet Explorer click on the Tools menu and then click on Options.
• Click once on the Security tab
• Click once on the Internet icon so it becomes highlighted.
• Click once on the Custom Level button.
• Change the Download signed ActiveX controls to Prompt
  
• Change the Download unsigned ActiveX controls to Disable
  
• Change the Initialize and script ActiveX controls not marked as safe to Disable
  
• Change the Installation of desktop items to Prompt
  
• Change the Launching programs and files in an IFRAME to Prompt
  
• Change the Navigate sub-frames across different domains to Prompt
  
• When all these settings have been made, click on the OK button.
  
• If it prompts you as to whether or not you want to save the settings, press the Yes button.
• Next press the Apply button and then the OK to exit the Internet Properties page.

• Update your AntiVirus Software and keep your other programs up-to-date Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
  You can use one of these sites to check if any updates are needed for your pc.
  Secunia Software Inspector
  F-secure Health Check
  
• Visit Microsoft''s Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  
• Install Malwarebytes'' Anti-Malware - Malwarebytes'' Anti-Malware is a new and powerful anti-malware tool. It is
  totally free but for real-time protection you will have to pay a small one-time fee. Tutorial on installing & using this product can be found below:
  
  Malwarebytes'' Anti-Malware Setup Guide
  
  Malwarebytes'' Anti-Malware Scanning Guide
  
  
• Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
  
  A tutorial on installing & using this product can be found here:
  
  Using SpywareBlaster to protect your computer from Spyware and Malware
  
  
• Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

• MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer. See also a hosts file tutorial here
• Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
  Using Winpatrol to protect your computer from malicious software

Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

Happy surfing and stay clean! :bigthumb:

 

[Shaba]

Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.