tekmaster Posted December 10, 2010 ID:358962 Share Posted December 10, 2010 I ran the malware and eset, found some threats, and currently also getting a 16big msdos subsystem error.here is my hijack log:Logfile of Trend Micro HijackThis v2.0.4Scan saved at 4:43:05 PM, on 12/9/2010Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v8.00 (8.00.6001.18702)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\conime.exeC:\Program Files\ESTsoft\ALYac\AYServiceNt.ayeC:\Program Files\QuickDownloadService\qdownagent.exeC:\Program Files\AhnLab\V3Lite\V3LSvc.exeC:\Program Files\AhnLab\V3Lite\V3LTray.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\QuickDownloadService\qdownservice.exeC:\Program Files\JJangQ\JJangQSearchBar\JJangQSearchBar.exeC:\Program Files\ESTsoft\ALYac\AYAgent.ayeC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\Internet Explorer\iexplore.exeC:\WINDOWS\system32\wuauclt.exeC:\Documents and Settings\Owner\Desktop\HijackThis.exeR3 - URLSearchHook: Zynga Toolbar - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\tbZyng.dllO2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dllO2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLLO2 - BHO: Zynga Toolbar - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\tbZyng.dllO2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dllO3 - Toolbar: Zynga Toolbar - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\tbZyng.dllO4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNCO4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMENameO4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXEO4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"O4 - HKLM\..\Run: [AhnLab V3Lite Tray Process] "C:\Program Files\AhnLab\V3Lite\V3LTray.exe" /logonO4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRunO4 - HKLM\..\Run: [ATICustomerCare] "C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe"O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"O4 - HKLM\..\Run: [ALYac] "C:\Program Files\ESTsoft\ALYac\AYUpdate.exe" /runO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /backgroundO4 - HKCU\..\Run: [JJangQ] C:\Program Files\JJangQ\JJangQC.exe /RUNO4 - HKCU\..\Run: [JJangQSearchBar] C:\Program Files\JJangQ\JJangQSearchBar\JJangQSearchBarC.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dllO9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLLO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO15 - Trusted Zone: *.bigfile.co.krO15 - Trusted Zone: http://*.bigfile.co.krO15 - ESC Trusted Zone: http://*.update.microsoft.comO16 - DPF: {03AF249E-119E-4569-838E-167E929EC6DA} (BigFileControl Control) - http://www.bigfile.co.kr/client/BigFile.cabO16 - DPF: {27E4B2A9-D554-40DE-B6CD-F11E9B44FBD0} (SimFileControl Control) - http://simfile.chol.com/activex/SimFileControl.cabO16 - DPF: {31ADE5BE-531D-4894-9D16-4B18974B5C28} (JJangQ Class) - http://sub.jjangq.co.kr/JJangQCtrl.cabO16 - DPF: {55F0958B-C5EB-49E4-8567-E018D2407F55} (Kongdisk Web Control) - http://patch.kongdisk.com/install/KongdiskCtrl.cabO16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cabO16 - DPF: {C342F4EE-6D48-4239-A55D-CF2D0D1F3BC6} (skcaset1 Class) - http://cyimg7.cyworld.com/cymusic/package/skcaset.cabO16 - DPF: {DFBBCB52-4D9F-4D0E-BF4A-A51223FC2541} (NSAppHelperWizrd Class) - http://patch.mnet.com/Mnet/QuickManagerNHN...20100202001.cabO16 - DPF: {FE342FC7-4374-4EBE-86DB-D73AE861F779} (NaverAXGuide Class) - http://file.naver.com/activex/NaverAXGuide.cabO18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLLO22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dllO22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dllO23 - Service: ALYac_PZSrv - Unknown owner - C:\Program.exe (file missing)O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exeO23 - Service: QuickDownload Agent - Innogrid, Inc - C:\Program Files\QuickDownloadService\qdownagent.exeO23 - Service: QuickDownload Service - Innogrid, Inc - C:\Program Files\QuickDownloadService\qdownservice.exeO23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exeO23 - Service: TGridService - TGSM - C:\Program Files\JJangQ\TGridManager.exeO23 - Service: V3 Lite Service - AhnLab, Inc. - C:\Program Files\AhnLab\V3Lite\V3LSvc.exe--End of file - 6629 bytes Link to post Share on other sites More sharing options...
Staff screen317 Posted December 10, 2010 Staff ID:358967 Share Posted December 10, 2010 Hi,Can you post the log where MBAM found malware?After that, update MBAM, run a Quick Scan, and post its log.Next, download DDS by sUBs and save it to your Desktop.Double-click on the DDS icon and let the scan run. When it has run two logs will be produced, please post DDS.txt directly into your reply. Link to post Share on other sites More sharing options...
tekmaster Posted December 10, 2010 Author ID:358970 Share Posted December 10, 2010 I actually rebootd my computer and didn't save the log unfortunatly, but hre is the dds log:DDS (Ver_10-12-05.01) - NTFSx86 Run by Owner at 16:48:50.54 on 12/09/2010 ThuInternet Explorer: 8.0.6001.18702Microsoft Windows XP Professional 5.1.2600.3.949.82.1033.18.3063.2385 [GMT -8:00]AV: V3 Lite *On-access scanning enabled* (Outdated) {A5B78720-5B41-4D39-B70F-131ABDA6F977}AV: ?? *On-access scanning enabled* (Updated) {B9431E5A-E196-4B6F-843A-10E01DB25461}============== Running Processes ===============C:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost -k DcomLaunchsvchost.exeC:\WINDOWS\System32\svchost.exe -k netsvcssvchost.exesvchost.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\conime.exeC:\Program Files\ESTsoft\ALYac\AYServiceNt.ayeC:\Program Files\QuickDownloadService\qdownagent.exeC:\Program Files\AhnLab\V3Lite\V3LSvc.exeC:\Program Files\AhnLab\V3Lite\V3LTray.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\QuickDownloadService\qdownservice.exeC:\Program Files\JJangQ\JJangQSearchBar\JJangQSearchBar.exeC:\Program Files\ESTsoft\ALYac\AYAgent.ayeC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Documents and Settings\Owner\Desktop\OTL.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\Malwarebytes' Anti-Malware\mbam.exeC:\Documents and Settings\Owner\Desktop\dds.scr============== Pseudo HJT Report ===============uStart Page = hxxp://www.naver.com/mStart Page = about:blankuURLSearchHooks: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dllBHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dllBHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLLBHO: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dllBHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dllTB: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dlluRun: [ctfmon.exe] c:\windows\system32\ctfmon.exeuRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /backgrounduRun: [JJangQ] c:\program files\jjangq\JJangQC.exe /RUNuRun: [JJangQSearchBar] c:\program files\jjangq\jjangqsearchbar\JJangQSearchBarC.exemRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNCmRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMENamemRun: [RTHDCPL] RTHDCPL.EXEmRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"mRun: [AhnLab V3Lite Tray Process] "c:\program files\ahnlab\v3lite\V3LTray.exe" /logonmRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRunmRun: [ATICustomerCare] "c:\program files\ati\aticustomercare\ATICustomerCare.exe"mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"mRun: [ALYac] "c:\program files\estsoft\alyac\AYUpdate.exe" /runIE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exeIE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exeIE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dllIE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLLTrusted Zone: bigfile.co.krDPF: {03AF249E-119E-4569-838E-167E929EC6DA} - hxxp://www.bigfile.co.kr/client/BigFile.cabDPF: {27E4B2A9-D554-40DE-B6CD-F11E9B44FBD0} - hxxp://simfile.chol.com/activex/SimFileControl.cabDPF: {31ADE5BE-531D-4894-9D16-4B18974B5C28} - hxxp://sub.jjangq.co.kr/JJangQCtrl.cabDPF: {55F0958B-C5EB-49E4-8567-E018D2407F55} - hxxp://patch.kongdisk.com/install/KongdiskCtrl.cabDPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cabDPF: {C342F4EE-6D48-4239-A55D-CF2D0D1F3BC6} - hxxp://cyimg7.cyworld.com/cymusic/package/skcaset.cabDPF: {DFBBCB52-4D9F-4D0E-BF4A-A51223FC2541} - hxxp://patch.mnet.com/Mnet/QuickManagerNHN/Modules/NSAppHelper.cab/NSAH_20100202001.cabDPF: {FE342FC7-4374-4EBE-86DB-D73AE861F779} - hxxp://file.naver.com/activex/NaverAXGuide.cabHandler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLLNotify: AtiExtEvent - Ati2evxx.dllSEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL============= SERVICES / DRIVERS ===============R1 BS_I2cIo;BS_I2cIo;c:\windows\system32\drivers\BS_I2cIo.sys [2010-10-10 8192]R2 QuickDownload Agent;QuickDownload Agent;c:\program files\quickdownloadservice\qdownagent.exe [2010-10-28 114688]R2 QuickDownload Service;QuickDownload Service;c:\program files\quickdownloadservice\qdownservice.exe [2010-10-28 110592]R2 V3 Lite Service;V3 Lite Service;c:\program files\ahnlab\v3lite\V3LSvc.exe [2010-10-10 321112]R3 AhnFlt2k;AhnFlt2k;c:\windows\system32\drivers\AhnFlt2k.sys [2010-10-10 52960]R3 AhnRec2k;AhnRec2k;c:\windows\system32\drivers\AhnRec2k.sys [2010-10-10 20448]R3 AhnRghNt;AhnRghNt;c:\windows\system32\drivers\AhnRghNt.sys [2010-10-10 53728]R3 AhnSZE;AhnSZE;c:\windows\system32\drivers\ahnsze.sys [2010-10-10 1434064]R3 ASZFltNt;ASZFltNt;c:\progra~1\ahnlab\v3lite\ASZFltNt.sys [2010-10-10 124480]R3 ATamptNt_V3LITE;ATamptNt_V3LITE;c:\progra~1\ahnlab\v3lite\ATamptNt.sys [2010-10-10 159840]R3 CdmDrvNt;CdmDrvNt;c:\windows\system32\drivers\CdmDrvNt.sys [2010-10-10 19616]R3 TfFRegNt;TfFRegNt;c:\program files\ahnlab\v3lite\tffregnt.sys [2010-11-22 55136]R3 TfProcNt;TfProcNt;c:\program files\ahnlab\v3lite\ahawkent.sys [2010-11-22 29280]R3 v3engine;v3engine;c:\windows\system32\drivers\v3engine.sys [2010-10-10 1908432]R3 V3Flt2K;V3Flt2K;c:\progra~1\ahnlab\v3lite\V3Flt2K.sys [2010-10-10 168288]R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-12-9 38224]S2 TGridService;TGridService;c:\program files\jjangq\TGridManager.exe [2010-10-26 1748144]S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [2010-10-10 20160]S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-10-10 1684736]=============== Created Last 30 ================2010-12-10 00:22:02 -------- d-----w- c:\program files\ESET2010-12-09 23:54:57 -------- d-----w- c:\docume~1\owner\applic~1\Malwarebytes2010-12-09 23:54:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2010-12-09 23:54:08 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes2010-12-09 23:54:06 20952 ----a-w- c:\windows\system32\drivers\mbam.sys2010-12-09 23:54:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2010-12-03 22:23:04 -------- d-----w- c:\docume~1\owner\applic~1\com.neowiz.bugs.downloadmanager.BugsMusicDownloadManager2010-12-03 22:22:58 -------- d-----w- c:\program files\bugs2010-11-17 03:44:25 1871440 ----a-w- c:\windows\system32\btscan.exe2010-11-15 09:19:35 -------- d-----w- c:\docume~1\alluse~1\applic~1\TGSM2010-11-15 09:18:34 -------- d-----w- c:\program files\JJangQ==================== Find3M ====================2010-10-10 20:43:40 0 ----a-w- c:\windows\ativpsrm.bin2010-10-10 20:08:54 505392 ----a-w- c:\windows\system32\msvcp71.dll============= FINISH: 16:49:16.54 =============== Link to post Share on other sites More sharing options...
Staff screen317 Posted December 11, 2010 Staff ID:359359 Share Posted December 11, 2010 The log should've saved automatically. Can you check in the program under the Logs tab, and take a screenshot of what is there for me?Please visit this webpage for instructions for running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofixWhen the tool is finished, it will produce a report for you.Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.-screen317 Link to post Share on other sites More sharing options...
Staff screen317 Posted December 27, 2010 Staff ID:366475 Share Posted December 27, 2010 Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts