
VIRUS... HELP NEEDED

Discussion in 'Windows - Virus and spyware problems' started by falconv8, Dec 9, 2006.

  1. Niobis

    Niobis Active member

    Joined:
    Jan 30, 2005
    Messages:
    2,326
    Likes Received:
    0
    Trophy Points:
    66
    Hi,

    I'm so sorry falconv8! I quit helping here for a while and haven't been able to help anyone. I know I left a lot of people hanging, and for this I deeply apologize to you and everyone! I was just lurking around and I see this...

    Please post a fresh HjT log since it's been so long and I'll try to get with this again. :) I can't promise how often I can post, but I know I told I wouldn't give up until you're clean, and I plan on sticking to my word!
     
  2. falconv8

    falconv8 Guest

    Logfile of HijackThis v1.99.1
    Scan saved at 10:18:56 AM, on 22/12/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\iTunes\iTunes.exe
    C:\Documents and Settings\Default\Desktop\Virus-Spyware Fixers\HijackThis_v1.99.1.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 7333.5009.cn
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O1 - Hosts: 202.109.114.142 iplusms.allyes.com
    O1 - Hosts: 202.109.114.142 mms.t2t2.com
    O1 - Hosts: 202.109.114.142 www.u8u.com
    O1 - Hosts: 202.109.114.142 u.u8u.com
    O1 - Hosts: 202.109.114.142 tl.linktone.com
    O1 - Hosts: 202.109.114.142 channel.e78.com
    O1 - Hosts: 202.109.114.142 u.7town.com
    O1 - Hosts: 202.109.114.142 union.95ol.com.cn
    O1 - Hosts: 202.109.114.142 mms1.95ol.com.cn
    O1 - Hosts: 202.109.114.142 mfs.95ol.com.cn
    O1 - Hosts: 202.109.114.142 tl.a8.com
    O1 - Hosts: 202.109.114.142 ad01.a8.com
    O1 - Hosts: 202.109.114.142 u2.caiku.com
    O1 - Hosts: 202.109.114.142 mms.caiku.com
    O1 - Hosts: 202.109.114.142 code1.caiku.com
    O1 - Hosts: 202.109.114.142 pub.lele.com
    O1 - Hosts: 202.109.114.142 u.lele.com
    O1 - Hosts: 202.109.114.142 7town.com
    O1 - Hosts: 202.109.114.142 tvsend.7town.com
    O1 - Hosts: 202.109.114.142 ivrsend.7town.com
    O1 - Hosts: 202.109.114.142 tlt.7town.com
    O1 - Hosts: 202.109.114.142 gsend.7town.com
    O1 - Hosts: 202.109.114.142 smssend.7town.com
    O1 - Hosts: 202.109.114.142 91ivr.com
    O1 - Hosts: 202.109.114.142 myad.91ivr.com
    O1 - Hosts: 202.109.114.142 u.91ivr.com
    O1 - Hosts: 202.109.114.142 union.91ivr.com
    O1 - Hosts: 203.191.146.205 corep.dmcast.com
    O1 - Hosts: 203.191.146.205 m081.dmcast.com
    O1 - Hosts: 203.191.146.205 dcww.dmcast.com
    O1 - Hosts: 203.191.146.205 renren.dmcast.com
    O1 - Hosts: 203.191.146.205 files.henbang.net
    O1 - Hosts: 203.191.146.205 bannerbox.cn
    O1 - Hosts: 203.191.146.205 www.bannerbox.cn
    O1 - Hosts: 203.191.146.205 action.coopen.cn
    O1 - Hosts: 203.191.146.205 u4.sky99.cn
    O1 - Hosts: 203.191.146.205 u1.sky99.cn
    O1 - Hosts: 203.191.146.205 u2.sky99.cn
    O1 - Hosts: 203.191.146.205 u3.sky99.cn
    O1 - Hosts: 203.191.146.205 sky99.cn
    O1 - Hosts: 203.191.146.205 u.sky99.cn
    O1 - Hosts: 203.191.146.205 u.ete.cn
    O1 - Hosts: 203.191.146.205 ip.alexaanywhere.com
    O1 - Hosts: 203.191.146.205 www.365tan.com
    O1 - Hosts: 203.191.146.205 www.winopen.cn
    O1 - Hosts: 203.191.146.205 www.tanip.com
    O1 - Hosts: 203.191.146.205 alexaanywhere.com
    O1 - Hosts: 203.191.146.205 jssb.alexaanywhere.com
    O1 - Hosts: 203.191.146.205 ns250.alexaanywhere.com
    O1 - Hosts: 203.191.146.205 sb.alexaanywhere.com
    O1 - Hosts: 203.191.146.205 ip.alexaanywhere.com
    O1 - Hosts: 203.191.146.205 pop.9v.cn
    O1 - Hosts: 203.191.146.205 xuni.myad.cn
    O1 - Hosts: 203.191.146.205 iebar.t2t2.com
    O1 - Hosts: 203.191.146.205 error.newcell.cn
    O1 - Hosts: 203.191.146.205 auto.search.msn.com
    O1 - Hosts: 203.191.146.205 www.kuaiso.com
    O1 - Hosts: 203.191.146.205 cns.3721.com
    O1 - Hosts: 203.191.146.205 seek.3721.com
    O1 - Hosts: 203.191.146.205 name.cnnic.cn
    O1 - Hosts: 203.191.146.205 toolsbar.kuaiso.com
    O1 - Hosts: 203.191.146.205 www.kuaiso.com
    O1 - Hosts: 203.191.146.205 kuaiso.com
    O1 - Hosts: 203.191.146.205 www.copyso.com
    O1 - Hosts: 203.191.146.205 union.copyso.com
    O1 - Hosts: 203.191.146.205 auto.search.msn.com
    O1 - Hosts: 203.191.146.205 ok.mop-hz.com
    O1 - Hosts: 203.191.146.205 www.ncast.cn
    O1 - Hosts: 203.191.146.205 www.ads3721.com
    O1 - Hosts: 203.191.146.205 360.ads3721.com
    O1 - Hosts: 203.191.146.205 www.maohehe.com
    O1 - Hosts: 203.191.146.205 www.5566.net
    O1 - Hosts: 203.191.146.205 5566.net
    O1 - Hosts: 203.191.146.205 www.gjj.cc
    O1 - Hosts: 203.191.146.205 gjj.cc
    O1 - Hosts: 203.191.146.205 www.9495.com
    O1 - Hosts: 203.191.146.205 9495.com
    O1 - Hosts: 203.191.146.205 my123.com
    O1 - Hosts: 203.191.146.205 www.my123.com
    O1 - Hosts: 203.191.146.205 7b.com.cn
    O1 - Hosts: 203.191.146.205 www.7b.com.cn
    O1 - Hosts: 203.191.146.205 www.qu123.com
    O1 - Hosts: 203.191.146.205 www.37021.com
    O1 - Hosts: 203.191.146.205 www.37021.net
    O1 - Hosts: 203.191.146.205 www.4199.com
    O1 - Hosts: 203.191.146.205 4199.com
    O1 - Hosts: 203.191.146.205 www.9505.com
    O1 - Hosts: 203.191.146.205 9505.com
    O1 - Hosts: 203.191.146.205 7939.com
    O1 - Hosts: 203.191.146.205 www.7939.com
    O1 - Hosts: 203.191.146.205 www.3448.com
    O1 - Hosts: 203.191.146.205 3448.com
    O1 - Hosts: 203.191.146.205 8925.com
    O1 - Hosts: 203.191.146.205 www.8925.com
    O1 - Hosts: 203.191.146.205 www.ttmp3.com
    O1 - Hosts: 203.191.146.205 ttmp3.com
    O1 - Hosts: 203.191.146.205 www.3tg.cn
    O1 - Hosts: 203.191.146.205 3tg.cn
    O1 - Hosts: 203.191.146.205 123wa.com
    O1 - Hosts: 203.191.146.205 www.123wa.com
    O1 - Hosts: 203.191.146.205 www.159.com
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [sdmmrnm] D;]XJOEPXT]ufnq]te264/fyf
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1164786513515
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O21 - SSODL: NetWork - {FC055E7D-8144-4706-8586-2F1C49FCDD2A} - C:\WINDOWS\system32\reporter.dll
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
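Added example, not code from the thread or from HijackThis itself: a small Python parser for the O1 (hosts) and O4 (Run) line shapes in a log like the one above, grouping hosts redirects by target IP, flagging entries that override a well-known domain, and flagging Run values that are not a readable file path. The sample text is constructed, and the protected-domain list is an assumption for the demo.

```python
import re
from collections import defaultdict

# Constructed excerpt in HijackThis 1.99.1 line format, modelled on the log above.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = 7333.5009.cn
O1 - Hosts: 202.109.114.142 mms.t2t2.com
O1 - Hosts: 202.109.114.142 tl.linktone.com
O1 - Hosts: 203.191.146.205 auto.search.msn.com
O1 - Hosts: 203.191.146.205 www.kuaiso.com
O1 - Hosts: 203.191.146.205 auto.search.msn.com
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP
O4 - HKLM\\..\\Run: [iTunesHelper] "C:\\Program Files\\iTunes\\iTunesHelper.exe"
O4 - HKLM\\..\\Run: [sdmmrnm] D;]XJOEPXT]ufnq]te264/fyf
"""

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)\s*$")
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\]\s*(.*)$")
# A legitimate Run command starts with an (optionally quoted) drive-letter path.
PATH_RE = re.compile(r'^"?[A-Za-z]:\\')
# Assumption for the demo: domains a user has no reason to override in the hosts file.
PROTECTED = ("msn.com", "microsoft.com")


def parse_hosts(log):
    """Group O1 entries by the IP they redirect to; repeated lines collapse."""
    groups = defaultdict(set)
    for line in log.splitlines():
        m = HOSTS_RE.match(line.strip())
        if m:
            groups[m.group(1)].add(m.group(2))
    return {ip: sorted(names) for ip, names in groups.items()}


def hijacked_hosts(groups, protected=PROTECTED):
    """Hosts entries that override a protected domain: a redirect signature."""
    hits = []
    for ip, names in sorted(groups.items()):
        for name in names:
            if any(name == d or name.endswith("." + d) for d in protected):
                hits.append((name, ip))
    return hits


def suspicious_run(log):
    """O4 Run values whose command is not a recognisable file path."""
    odd = []
    for line in log.splitlines():
        m = RUN_RE.match(line.strip())
        if m and not PATH_RE.match(m.group(3)):
            odd.append((m.group(1), m.group(2), m.group(3)))
    return odd
```

Run the functions over the text of a saved log file to get the same grouping for a real case; duplicate O1 lines such as the repeated auto.search.msn.com entry collapse into one.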

     
  3. Niobis

    Niobis Active member

    Joined:
    Jan 30, 2005
    Messages:
    2,326
    Likes Received:
    0
    Trophy Points:
    66
    Now, where to start, lol. ;) I think it will be best if we start by deleting some registry keys to keep this infection from starting in safe mode (along with others). I'm not even going to try searching any files listed in the ComboFix log yet, it will be a waste of time for me until we remove others first.

    Note about those hosts. I'm confused why The Hoster will not help here, so we'll try running it in safe mode and if that doesn't work, we'll just have HjT fix them and then you can then try restoring the originals.

    --------------------------------------------------------------------------------------

    Copy all the following text into Notepad (not Wordpad).

    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "sdmmrnm"=-

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{6E44887F-5214-41F2-AB46-4728735C4CC6}"=-
    "{1A404685-7563-4d02-B0F6-58B308A406A9}"=-
    "{B8A170A8-7AD3-4678-B2FE-F2D7381CC1B5}"=-

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "NetWork"=-

    [-HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\amdk5]

    [-HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\hdfs]

    [-HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\parcls]


    Make sure there are no blank lines before REGEDIT4.
    Name the file Fix.reg
    Change the "Save as Type" to All Files and save it on the desktop.
    Open the Fix.reg file and click Yes when prompted to merge.


    Note: Print or copy these instructions, you'll be in safe mode.
    Restart in safe mode.

    Open AVGAS and click "Scanner".
    Click "Complete System Scan".
    When it finishes scanning, set all items to "Quarantine".
    Click "Apply All Actions".
    Click "Save Report" and save it to the desktop.
    Exit AVG AS.

    Open the Hoster and try restoring original hosts again. If you receive the prompt again fix all O1 entries with HjT (in safe mode). After fixing, try restoring with the Hoster one more time.

    Restart in normal mode.
    Download Rootkit Revealer from here.
    Create a new folder, named RKR, in C:\
    Extract the files to the new folder.
    Open RootkitRevealer.exe.
    Close all other windows and click "Scan".
    Important: Leave the computer idle while the scan runs.
    When the scan is finished, click File > Save... to save the text file to the C:\RKR\ folder.

    Run ComboFix again to get a new log.

    Post back with the AVG AS report, a new HijackThis log, the Rootkit Revealer log, and please post the ComboFix log in a separate reply.

    Thank you for being patient and I apologize once again.
     
    Last edited: Dec 21, 2006
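Added example, not code from the thread: a Python dry-run for a REGEDIT4 fix file like the one in the instructions above. It reports which keys a `[-KEY]` line would delete and which values a `"name"=-` line would remove, and warns about a key name with whitespace inside the brackets (which silently matches nothing). The sample text is constructed; it reuses the Run and SSODL entries from the fix above, and its last key is a placeholder with a deliberate trailing space.

```python
import re
# Constructed REGEDIT4 text with the same shapes as the fix above; the
# final key name is a placeholder that deliberately carries a trailing space.
SAMPLE_FIX = """REGEDIT4

[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\run]
"sdmmrnm"=-

[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\shellserviceobjectdelayload]
"NetWork"=-

[-HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\safeboot\\minimal\\amdk5]

[-HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\safeboot\\minimal\\example ]
"""

KEY_RE = re.compile(r"^\[(-?)(.+)\]$")        # [KEY] opens a key, [-KEY] deletes it
VALUE_DEL_RE = re.compile(r'^"([^"]+)"=-$')   # "name"=- deletes one value


def plan_deletions(reg_text):
    """Return (key_deletes, value_deletes, warnings) describing what merging
    the file would remove, without touching any registry."""
    lines = reg_text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("first line must be REGEDIT4 with nothing before it")
    key_deletes, value_deletes, warnings = [], [], []
    current = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            minus, key = m.groups()
            if key != key.strip():    # "example " never matches a real key name
                warnings.append(f"whitespace inside key name: {key!r}")
            if minus:
                key_deletes.append(key)
                current = None        # values cannot follow a deleted key
            else:
                current = key
            continue
        m = VALUE_DEL_RE.match(line)
        if m and current:
            value_deletes.append((current, m.group(1)))
        else:
            warnings.append(f"unrecognised line: {line!r}")
    return key_deletes, value_deletes, warnings
```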
  4. falconv8

    falconv8 Guest

    ...Well the hosts couldn't be restored in Hoster. And access was denied in HjT....???
     
  5. Niobis

    Niobis Active member

    Joined:
    Jan 30, 2005
    Messages:
    2,326
    Likes Received:
    0
    Trophy Points:
    66
    Access was denied with HijackThis even in safe mode? Hmmm, that's strange. Just please continue with all the other instructions and I'll look into these hosts more. We sure do have our work cut out for us still yet. :) This may take a few weeks to fully clean and if you don't want to wait so long or if you feel more comfortable saving your files, reformatting your hard drive and reinstalling Windows, just let me know. But, I will research these hosts files for you tonight and I'll let you know what I've found out when you post the logs I requested.
     
  6. bkf

    bkf Guest

    "Please, take this and run far away, far away from me.
    I am tainted.
    And happiness and peace of mind were never meant for me.
    In my nothing, you were everything, everything to me."

    -T.R.

    Good to see you back. You are NOT tainted!! You will be happier in the end!!!! And where is a good answer. As I wrote I'll be lucky to be alive this time next year. Got to love cancer. I'm not in the UK so I had to skip the fish and chips so I settled on those Whoppers, a large fry and my 1/2 bottle of ketchup. LOL Good to see you back bud!!!!
     
  7. HudsonE

    HudsonE Member

    Joined:
    Dec 24, 2006
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    11
