Jump to content
IObit Forum
Top Free Driver Updater Tools Best 25 PC Optimization Software Best 22 Antimalware Best 22 Uninstaller Software IObit Coupons & Discount Offers PC Optimizer

Hijack Analysis Report


Recommended Posts

Logfile of Advanced SystemCare 3 Security Analyzer

Scan saved at 12:33:24 PM, on 22/10/2010

Platform: Windows XP (WinNT 5.1)

MSIE: Internet Explorer v8.0 (8.0.6001.18702)

Boot mode: Normal


Running processes:






C:\Program Files\Windows Defender\MsMpEng.exe


C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe



C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe








C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe


O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: (no name) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup

O4 - HKLM\..\Run: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE

O4 - HKLM\..\Run: [LorraineSpy] C:\WINDOWS\LorraineSpyingOnCecilia.vbs

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} -

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1264489370171

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1264491284687

O16 - DPF: {7238A364-D686-4A88-B1AF-1223D6E9497A} (SFClientFree Object) - https://skyfexfree.net/Client/ClientFree.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.4.2) - http://java.sun.com/products/plugin/1.4.2/jinstall-142-win.cab

O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} (Java Plug-in 1.4.2) - http://java.sun.com/products/plugin/1.4.2/jinstall-142-win.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - http://cache.hyves-static.net/statics/Aurigma/ImageUploader4.cab

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

Link to comment
Share on other sites

Hello Cecilia, and welcome to the forum :-)


I notice that Lorraine is still spying on you, when you come into work ?


Please don't be spooked... I merely found this info from a topic you opened a few years ago :





We're going to need a bit more information as to what your current problem seems to be, because posting a log without any info doesn't help us help you ;-)


I do notice one strange process running on your machine, so I'll ask you to please have it analysed for me. Just go to this site :



Once there, click on the "Browse..." button, then locate this file :


C:\WINDOWS\Ckyfea.exe <<


Once you've found it, double-click on it, then back on the VirusTotal page, just click the "Send file" button.

If the file has already been analysed, please click on "Reanalyse".

Their server may be busy, and if so, you will be placed in queue. Please be patient and wait for your turn.

Once the analysis is complete, just bookmark the page and then post (copy/paste) the link here so we can have a look.


And please give us more details on your current problems.


Thanks, and see you later !



Link to comment
Share on other sites



WoW! Amazing you manage to locate me....:shock:


No wonder the icon look familiar. Btw I'm having problem with the windows update which not updating and just want to check the computer whether any problems. Otherwise this computer is working properly, like you said after few years :-P


I have clean the registry and others (Maintain Window) using Advanced SystemCare Free 3.7.2


Another problem is with the Internet Explorer and my own laptop that facing the Google Analytics pop-up. Any solution for this?


I'll get to back to you on the analysis on Monday :wink:

Link to comment
Share on other sites

Hi Cecilia :mrgreen:


I'll wait for the analysis results then.


The problem with the laptop is probably a DNS Changer infection and we'll need to look into that as well. The laptop is a different computer than the one you use at the office, correct ? If so, we can start working on it right away if you'd like.


See you soon ;-)



Link to comment
Share on other sites

Hi So_sad,


You see, you are caught by your avatar.:wink:


Well, the Java is still the one used 3 years ago, and it has been advised that it should be updated. (Not forgetting to clean the old Java clutter with JavaRa though.)


BTW, before looking for malware for the connection problems, as using ASC 3.7.2 without the debugged NetworkMon may cause the connection and update problems, please use the procedure in the link below to change the Sup_NetworkMon.exe file.


You can find the link for the debugged version in post #36 of Advanced SystemCare 3.7.2 is released thread in News & Offers section.



Link to comment
Share on other sites

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.

File name: Ckyfea.exe

Submission date: 2010-10-24 23:55:32 (UTC)

Current status: queued (#9) queued analysing finished



Result: 32/ 43 (74.4%)

VT Community


not reviewed

Safety score: -


Compact Print results

Antivirus Version Last Update Result

AhnLab-V3 2010.10.24.02 2010.10.24 Win-Trojan/Fakeav.208896.AA

AntiVir 2010.10.24 TR/Crypt.EPACK.Gen2

Antiy-AVL 2010.10.24 Packed/Win32.Katusha.gen

Authentium 2010.10.24 W32/FakeAlert.IC.gen!Eldorado

Avast 4.8.1351.0 2010.10.24 Win32:Trojan-gen

Avast5 5.0.594.0 2010.10.24 Win32:Trojan-gen

AVG 2010.10.25 Generic19.AZJY

BitDefender 7.2 2010.10.25 Gen:Variant.Renos.41

CAT-QuickHeal 11.00 2010.10.22 -

ClamAV 2010.10.25 -

Comodo 6497 2010.10.25 MalCrypt.Indus!

DrWeb 2010.10.25 Trojan.Packed.221

Emsisoft 2010.10.24 -

eSafe 2010.10.24 -

eTrust-Vet 36.1.7929 2010.10.22 Win32/Renos.D!generic

F-Prot 2010.10.24 W32/FakeAlert.IC.gen!Eldorado

F-Secure 9.0.16160.0 2010.10.24 Gen:Variant.Renos.41

Fortinet 2010.10.24 -

GData 21 2010.10.25 Gen:Variant.Renos.41

Ikarus T3. 2010.10.24 -

Jiangmin 13.0.900 2010.10.24 Packed.Katusha.vxw

K7AntiVirus 9.66.2813 2010.10.22 Riskware

Kaspersky 2010.10.25 Packed.Win32.Katusha.o

McAfee 5.400.0.1158 2010.10.25 Downloader-CEW.b

McAfee-GW-Edition 2010.1C 2010.10.24 Heuristic.BehavesLike.Win32.Dropper.H

Microsoft 1.6301 2010.10.24 TrojanDownloader:Win32/Renos.LX

NOD32 5560 2010.10.24 a variant of Win32/Kryptik.HCI

Norman 6.06.10 2010.10.24 -

nProtect 2010-10-24.01 2010.10.24 Trojan/W32.Katusha.208896.L

Panda 2010.10.24 Suspicious file

PCTools 2010.10.25 Trojan.FakeAV

Prevx 3.0 2010.10.25 High Risk Cloaked Malware

Rising 2010.10.24 Trojan.Win32.Generic.523B4D45

Sophos 4.58.0 2010.10.24 Mal/FakeAV-CX

Sunbelt 7133 2010.10.24 VirTool.Win32.Obfuscator.hg!b1 (v)

SUPERAntiSpyware 2010.10.25 Trojan.Agent/Gen-VTSec

Symantec 20101.2.0.161 2010.10.25 Trojan.FakeAV!gen29

TheHacker 2010.10.24 -

TrendMicro 2010.10.24 -

TrendMicro-HouseCall 2010.10.25 -

VBA32 2010.10.22 BScope.Trojan.MTA.01049

ViRobot 2010.10.24.4110 2010.10.24 -

VirusBuster 2010.10.24 Trojan.Kryptik.BHNZ

Additional informationShow all

MD5 : 22826447ee3a4fdb0c40ea25b47468a6

SHA1 : e54954b37f86cb0c6a5d8e36ac7de52e88d4aa31

SHA256: ae4358745d7e151d123794a11c9c0a78d5e994196188371d8d8342cd862162be

ssdeep: 3072:Dd+UhDtI0eIrC3qDCC4t2s4XQcVJJw1FIdLB8/mfwYHMXT6RLIwXJ:DHI0Ju3qDZ4th4Xp


File size : 208896 bytes

First seen: 2010-10-24 23:55:32

Last seen : 2010-10-24 23:55:32


Win32 Executable Generic (42.3%)

Win32 Dynamic Link Library (generic) (37.6%)

Generic Win/DOS Executable (9.9%)

DOS Executable Generic (9.9%)

Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)


publisher....: Borland International

copyright....: Silvers

product......: Silvers

description..: Silvers

original name: Silvers.exe

internal name: Silvers

file version.:

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned


PEInfo: PE structure information


[[ basic data ]]

entrypointaddress: 0x40FD

timedatestamp....: 0x4A300C60 (Wed Jun 10 19:41:20 2009)

machinetype......: 0x14c (I386)


[[ 5 section(s) ]]

name, viradd, virsiz, rawdsiz, ntropy, md5

.text, 0x1000, 0x2CC49, 0x2D000, 7.06, b38864a1a869f7c162f6cf2fa8f26de6

.rdata, 0x2E000, 0x223, 0x1000, 0.07, 0bf67685f755986a85e9a8c8444832ae

.data, 0x2F000, 0x18B91, 0x1000, 0.00, 620f0b67a91f7f74151bc5be745b7110

.bss, 0x48000, 0x7E4, 0x1000, 1.11, e13d9dd3b5e93a7285cf60e1fc643be9

.rsrc, 0x49000, 0x1518, 0x2000, 2.84, 8435fa7abfe63d511906a20ae7323873


[[ 3 import(s) ]]

comdlg32.dll: GetOpenFileNameA

SHELL32.DLL: SHGetDesktopFolder, SHGetDiskFreeSpaceA, SHGetFolderPathA, Shell_NotifyIconA, SHFileOperationA

KERNEL32.DLL: GetACP, GetCommandLineW, GetModuleHandleA, GetProcAddress, ExitThread, ExitProcess, IsBadHugeReadPtr, GetOEMCP, GetCommandLineA, GetLastError, VirtualAllocEx, lstrlenA, LoadLibraryExA, IsBadReadPtr


Prevx Info:



file metadata

CharacterSet: Unicode

CodeSize: 184320

CompanyName: Borland International

EntryPoint: 0x40fd

FileDescription: Silvers

FileFlagsMask: 0x003f

FileOS: Win32

FileSize: 204 kB

FileSubtype: 0

FileType: Win32 EXE



ImageVersion: 0.0

InitializedDataSize: 20480

InternalName: Silvers

LanguageCode: English (U.S.)

LegalCopyright: Silvers

LinkerVersion: 3.11

MIMEType: application/octet-stream

MachineType: Intel 386 or later, and compatibles

OSVersion: 4.0

ObjectFileType: Executable application

OriginalFilename: Silvers.exe

PEType: PE32

ProductName: Silvers



Subsystem: Windows GUI

SubsystemVersion: 4.0

TimeStamp: 2009:06:10 21:41:20+02:00

UninitializedDataSize: 98304




VT Community

Link to comment
Share on other sites

Hi Cecilia,


Thank you for that analysis report ;-)


Nasty file, no doubt. Now, I'll need one more scan just to get a better picture of what's going on with that machine.


Please download DDS from the following link, and save it to your Desktop :



- Run the tool by double-clicking it.

- Once the scan is complete, two logfiles will be created and showing onsreen :

DDS.txt and Attach.txt

- The forum here has a limit on post size, so you won't be able to copy/paste both logs in one post. Please post the content of DDS.txt in one reply, then post the content of Attach.txt in a second reply.


In your second message, you mentionned your own laptop was getting Google Analytics pop-ups : can you please confirm that the laptop is not the computer you use at work ? Just so I know we have two separate issues here.


Thanks, and see you soon :smile:



Link to comment
Share on other sites

DDS (Ver_10-10-21.02) - NTFSx86

Run by Cecilia at 13:25:21.46 on 25/10/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.479.110 [GMT 8:00]



============== Running Processes ===============


C:\WINDOWS\system32\svchost -k DcomLaunch


C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs



C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe







C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe


C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE

C:\WINDOWS\system32\svchost.exe -k imgsvc


C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Windows Live\Contacts\wlcomm.exe

C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Outlook Express\msimn.exe


C:\Program Files\TrekNet\PESONA\Pesona.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Cecilia\Desktop\dds.scr


============== Pseudo HJT Report ===============


uStart Page = hxxp://www.bing.com/?scope=web&mkt=en-US&FORM=W0LH

uDefault_Page_URL = hxxp://www.msn.com

uInternet Connection Wizard,ShellNext = iexplore

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common



BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft


shared\windows live\WindowsLiveLogin.dll

BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet



BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program



TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup

mRun: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent

mRun: [soundMan] SOUNDMAN.EXE

mRun: [Mouse Suite 98 Daemon] ICO.EXE

mRun: [LorraineSpy] c:\windows\LorraineSpyingOnCecilia.vbs

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program


files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} -



LSP: c:\program files\iobit\advanced systemcare 3\lsp.dll

Trusted Zone: microsoft.com\download.windowsupdate

Trusted Zone: microsoft.com\update

Trusted Zone: microsoft.com\http://www.update

DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} -



DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} -



DPF: {7238A364-D686-4A88-B1AF-1223D6E9497A} - hxxps://skyfexfree.net/Client/ClientFree.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4.2/jinstall-142-win.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} - hxxp://cache.hyves-static.net/statics/Aurigma/ImageUploader4.cab

TCP: NameServer =,

TCP: {C99D4C47-DB9A-4BC0-BFA9-E6DDFDACDC62} =,

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet



Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

LSA: Notification Packages = scecli pwdmon


============= SERVICES / DRIVERS ===============


R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2004-8-14 198304]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2004-8-14 181920]

R2 ELTNLPT;ELTNLPT;c:\windows\system32\drivers\eltnlpt.sys [2005-2-2 17272]

R2 SSHNAS;SSHNAS;c:\windows\system32\svchost.exe -k netsvcs [1980-1-1 14336]

R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

S2 hsobzr;Boot Image;c:\windows\system32\svchost.exe -k netsvcs [1980-1-1 14336]

S2 khweq;Task Update;c:\windows\system32\svchost.exe -k netsvcs [1980-1-1 14336]

S2 newycb;Support Time;c:\windows\system32\svchost.exe -k netsvcs [1980-1-1 14336]

S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\CCPWDSVC.EXE [2004-8-14 79520]

S3 cpuz132;cpuz132;\??\c:\docume~1\cecilia\locals~1\temp\cpuz132\cpuz132_x32.sys -->


c:\docume~1\cecilia\locals~1\temp\cpuz132\cpuz132_x32.sys [?]

S3 PSSDK42;PSSDK42;c:\windows\system32\drivers\pssdk42.sys [2010-9-30 38976]

S3 qqd.sys;qqd.sys; [x]


=============== Created Last 30 ================


2010-10-25 01:35:50 -------- d-----w- c:\docume~1\cecilia\applic~1\Philipp Winterberg

2010-10-25 01:35:42 -------- d-----w- c:\program files\Free RAR Extract Frog

2010-10-25 01:27:12 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-10-25 01:27:12 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-10-25 00:14:56 91648 ----a-w- C:\cp1223.nls

2010-10-22 04:19:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-10-22 04:19:02 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-10-13 00:47:05 -------- d-----w- c:\program files\TweakNow RegCleaner

2010-10-13 00:47:05 -------- d-----w- c:\docume~1\cecilia\applic~1\TweakNow RegCleaner

2010-10-13 00:04:55 208896 ----a-w- c:\windows\Ckyfea.exe

2010-10-13 00:04:37 258048 ----a-w- c:\windows\system32\sshnas21.dll

2010-10-12 10:27:37 -------- d-----w- c:\docume~1\cecilia\applic~1\IObit

2010-10-12 10:27:36 -------- d-----w- c:\program files\IObit

2010-10-12 08:50:46 -------- d-----w- c:\docume~1\alluse~1\applic~1\RegCure

2010-09-30 04:55:22 38976 ----a-w- c:\windows\system32\drivers\pssdk42.sys


==================== Find3M ====================


2010-09-09 07:03:01 0 ----a-w- c:\documents and settings\cecilia\reset.cmd


============= FINISH: 13:27:54.23 ===============

Link to comment
Share on other sites

Good job ;-)


You've got quite a mess on that computer... :cry:


I am going to ask you to run ComboFix, so please refer to the following guide for its usage :



** As stated in the guide, you must first disable your antivirus (Norton) before you run the tool.

Once you run it, you will be prompted to install the Recovery Console for XP ; please go ahead and install it, this is important.


Once the tool has run to completion, please post the content of the log here, in your reply.

If you need two posts to get it all in, just go ahead and use two (or three if needed).


I'm going to bed, so back in 7 or 8 hours from now.


Good luck :smile:



Link to comment
Share on other sites

Hello Cecilia :smile:


I thought this might happen. Your system is bogged down with some pretty serious malware. The infections have possibly been there for a while, too, because I see in the logs that you tried to fix a Windows Update issue back in early September ; SP3 won't install, right ? That could very well be malware related.


Anyway, we may be at this for a while, so roll up your sleeves lol.


This is what I want you to try next :


- First, delete ComboFix.exe that is on your Desktop


- Next, right-click on the "Start" button and choose "Explore" ;

- Click on the "Tools" menu (up top) and then choose "Folder options..." ;

- Select the "View" tab ;

- Remove the checkmark from the checkbox labeled "Hide file extensions for known file types", then click "OK".

- Close the Windows Explorer window.


- Download a new copy of ComboFix from the following link :


- Save it to your Desktop but don't try to run it yet ;

- Right-click on ComboFix.exe and choose "Rename" ;

- Rename the tool to Firefox.exe


- Next, restart your computer in Safe Mode by doing the following :

> Restart the machine and tap the F8 key continously right after the bios loads (after the Beep) ;

> From the menu that appears, use the arrows on your keyboard and choose "Safe Mode with networking" and hit the Enter key.

> Choose your regular account (not "Administrator")


- Once logged in, please run ComboFix again (named Firefox.exe).

- ComboFix will most likely need to restart your computer to delete some difficult to remove files ; this is normal.

- If ComboFix runs to completion, please post the content of its log here. The log is automatically saved at "C:\ComboFix.txt"


If that doesn't work, I have more things for you to try.


Good luck :wink:



Link to comment
Share on other sites

Hi Cecilia :smile:


Well that's weird... You can't see the Cecilia account from Safe Mode ? Is your account a limited user account (meaning not having administrator rights) ? If so, we'll have problems getting the malware off of the machine...

Another possibility : restrictions applied by the employer are preventing you from accessing your account in Safe Mode ? If so, is there any way you can ask for those to be temporarily removed ?

Does your employer have computer maintenance done by an IT firm ? If so, they probably should fix that computer.


Last question : when you booted into Safe Mode, how many accounts did you see there ? Just "Admin" and "Administrator" ? With the screen resolution you get in Safe Mode, some accounts may not be visible onscreen, so you just need to scroll down to see the next one(s)... Just a thought.


While I wait for your reply, I'll start looking into another technique.


See you soon,


Edit : Ok, just did some research. Limited user accounts will not show in Safe Mode, so we have a big problem there, Cecilia. If you cannot get access to one of those admin accounts, there's not much I can do to clean that computer I'm afraid...

I'll wait for your answer then.



Link to comment
Share on other sites

Manage to run Combofix.exe(firefox.exe) using normal mode. Problem now is internet connection doesn't seem to work. I did the repair.




ComboFix 10-10-25.01 - Cecilia 26/10/2010 11:58:56.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.479.181 [GMT 8:00]

Running from: c:\documents and settings\Cecilia\Desktop\Firefox.exe



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



c:\windows\Downloaded Program Files\popcaploader.inf









c:\windows\system32\drivers\NDIS.sys . . . is infected!!



((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))










((((((((((((((((((((((((( Files Created from 2010-09-26 to 2010-10-26 )))))))))))))))))))))))))))))))



2010-10-26 04:18 . 2010-10-26 04:18 91648 ----a-w- C:\cp1185.nls

2010-10-25 10:28 . 2010-10-25 10:27 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-10-25 10:28 . 2010-10-25 10:27 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-10-25 10:19 . 2010-10-25 10:19 -------- d-----w- c:\windows\system32\wbem\Repository

2010-10-25 01:35 . 2010-10-25 01:35 -------- d-----w- c:\documents and settings\Cecilia\Application Data\Philipp Winterberg

2010-10-25 01:35 . 2010-10-25 10:18 -------- d-----w- c:\program files\Free RAR Extract Frog

2010-10-25 01:27 . 2010-10-25 01:27 -------- d-----w- c:\program files\Common Files\Java

2010-10-22 04:19 . 2010-04-29 07:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-10-22 04:19 . 2010-04-29 07:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-10-13 00:47 . 2010-10-14 00:34 -------- d-----w- c:\program files\TweakNow RegCleaner

2010-10-13 00:47 . 2010-10-14 00:34 -------- d-----w- c:\documents and settings\Cecilia\Application Data\TweakNow RegCleaner

2010-10-13 00:04 . 2010-10-13 00:04 208896 ----a-w- c:\windows\Ckyfea.exe

2010-10-12 10:27 . 2010-10-12 10:27 -------- d-----w- c:\documents and settings\Cecilia\Application Data\IObit

2010-10-12 10:27 . 2010-10-12 10:27 -------- d-----w- c:\program files\IObit

2010-10-12 08:50 . 2010-10-14 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure

2010-09-30 04:55 . 2010-09-30 04:55 38976 ----a-w- c:\windows\system32\drivers\pssdk42.sys



(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))


2010-09-09 07:03 . 2010-09-09 07:03 0 ----a-w- c:\documents and settings\Cecilia\reset.cmd



------- Sigcheck -------


[-] 2007-04-18 01:56 . !HASH: COULD NOT OPEN FILE !!!!! . 281348 . . [------] . . c:\windows\system32\drivers\ndis.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))



*Note* empty entries & legit default entries are not shown




"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2010-09-28 2407632]



"SiSPower"="SiSPower.dll" [2005-05-27 49152]

"SoundMan"="SOUNDMAN.EXE" [2005-10-24 90112]

"Mouse Suite 98 Daemon"="ICO.EXE" [2005-04-13 49152]

"LorraineSpy"="c:\windows\LorraineSpyingOnCecilia.vbs" [2007-08-15 2307]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-22 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]





[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ibmmessages]

2004-12-11 04:03 446464 ----a-w- c:\program files\IBM\Messages By IBM\ibmmessages.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2004-10-13 16:24 1694208 --sh--w- c:\program files\Messenger\msmsgs.exe


[HKEY_LOCAL_MACHINE\software\microsoft\security center]




"EnableFirewall"= 0 (0x0)



"c:\\Program Files\\Messenger\\msmsgs.exe"=


"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=




"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"3360:TCP"= 3360:TCP:WWW

"53:UDP"= 53:UDP:DNS

"25:UDP"= 25:UDP:SMTP

"1114:TCP"= 1114:TCP:lkebf


R2 ELTNLPT;ELTNLPT;c:\windows\system32\drivers\eltnlpt.sys [02/02/2005 4:26 PM 17272]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 6:19 PM 13592]

S2 hsobzr;Boot Image;c:\windows\system32\svchost.exe -k netsvcs [01/01/1980 3:00 PM 14336]

S2 khweq;Task Update;c:\windows\system32\svchost.exe -k netsvcs [01/01/1980 3:00 PM 14336]

S2 newycb;Support Time;c:\windows\system32\svchost.exe -k netsvcs [01/01/1980 3:00 PM 14336]

S3 PSSDK42;PSSDK42;c:\windows\system32\drivers\pssdk42.sys [30/09/2010 12:55 PM 38976]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs





Contents of the 'Scheduled Tasks' folder


2010-10-26 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 10:20]



------- Supplementary Scan -------


uStart Page = hxxp://www.bing.com/?scope=web&mkt=en-US&FORM=W0LH

uInternet Connection Wizard,ShellNext = iexplore

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Trusted Zone: microsoft.com\download.windowsupdate

Trusted Zone: microsoft.com\update

Trusted Zone: microsoft.com\http://www.update

DPF: {7238A364-D686-4A88-B1AF-1223D6E9497A} - hxxps://skyfexfree.net/Client/ClientFree.cab


- - - - ORPHANS REMOVED - - - -


WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)

SafeBoot-AVG Anti-Spyware Driver

SafeBoot-AVG Anti-Spyware Guard






catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-10-26 12:16

Windows 5.1.2600 Service Pack 2 NTFS


scanning hidden processes ...


scanning hidden autostart entries ...


scanning hidden files ...


scan completed successfully

hidden files: 0




Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.0 by Gmer, http://www.gmer.net

Windows 5.1.2600


device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x84FF7EC5]<<

1 ntkrnlpa!IofCallDriver[0x804EF0BC] -> \Device\Harddisk0\DR0[0x8518A030]

2 ntkrnlpa[0x804EF0BC] -> CLASSPNP.SYS[0xF750605B] -> \Device\Harddisk0\DR0[0x8518A030]

3 CLASSPNP[0xF750605B] -> ntkrnlpa!IofCallDriver[0x804EF0BC] -> \Device\00000065[0x8518C650]

4 ntkrnlpa[0x804EF0BC] -> ACPI.sys[0xF739C620] -> \Device\00000065[0x8518C650]

5 ACPI[0xF739C620] -> ntkrnlpa!IofCallDriver[0x804EF0BC] -> [0x85195D98]

[0x850B71F8] -> IRP_MJ_CREATE -> 0x84FF7EC5

6 ntkrnlpa[0x804EF0BC] -> UNKNOWN[0x84FF7EC8] -> [0x85195D98]

kernel: MBR read successfully

detected hooks:

\Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskWDC_WD800BB-22JHC0______________________05.01C05#5&19dfbfbe&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

\Driver\Disk -> CLASSPNP.SYS @ 0xf7509fc3

\Driver\ACPI -> ACPI.sys @ 0xf739ccb8

\Driver\atapi DriverStartIo -> 0x84FF7AEA

\Driver\atapi -> atapi.sys @ 0xf732e7b4

IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058241c

SecurityProcedure -> ntkrnlpa.exe @ 0x80582abe

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058241c

SecurityProcedure -> ntkrnlpa.exe @ 0x80582abe

NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf7239bc3

PacketIndicateHandler -> NDIS.sys @ 0xf7245b21

SendHandler -> NDIS.sys @ 0xf7239d33

user & kernel MBR OK

sectors 156301232 (+254): user != kernel





"ServiceDll"="c:\program files\Internet Explorer\lftgg.dll"










--------------------- LOCKED REGISTRY KEYS ---------------------



@Denied: (A 2) (Everyone)














@Denied: (A 2) (Everyone)










--------------------- DLLs Loaded Under Running Processes ---------------------


- - - - - - - > 'explorer.exe'(2232)









------------------------ Other Running Processes ------------------------


c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

c:\program files\Common Files\Symantec Shared\SNDSrvc.exe

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\program files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\Norton AntiVirus\IWP\NPFMntor.exe


c:\program files\Windows Media Player\WMPNetwk.exe







Completion time: 2010-10-26 12:25:45 - machine was rebooted

ComboFix-quarantined-files.txt 2010-10-26 04:25


Pre-Run: 58,789,662,720 bytes free

Post-Run: 58,745,630,720 bytes free



[boot loader]



[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect


- - End Of File - - 420F591402B8FECD34DBD08A569327B9

Link to comment
Share on other sites

Nice job ! So that means your account isn't totally limited after all, because ComboFix would not have run if it were strictly limited.


Still some infected files left there. If the connection isn't working, that means you have access to another compouter, right ? You'll need to download more tools, so you would need another computer and a USB stick to transfer files over to the infected machine... Is that possible right now ?

Link to comment
Share on other sites

I'm a little confused because you are replying to me right now...lol


Ok, here we go :


Copy and paste the content of the Code below into a new Notepad file (Notepad, not WordPad) :





[HKEY_LOCAL_MACHINE\software\microsoft\security center]


- Now, save this file by naming it CFScript.txt

(correct spelling on the name is crucial here)

- Bring this file over to the infected machine's Desktop ;

- Drag/drop this file onto ComboFix (Firefox.exe) and this will launch ComboFix for a full run again ;

- Once the run has completed, please post the content of that log here in your reply.

- Try your connection again.

- Also : let me know if there's any way you can install an antivirus on that machine...


I'll be around for another 45 minutes or so...

Link to comment
Share on other sites

Nice :mrgreen:


Ok, I'll post instructions for another tool right away, so you can download that one as well and bring it to the infected machine. To make this easier, here is a complete guide on how to run this tool named TDSSKiller :



Scroll down a bit to "Automated Removal Instructions for the TDSS, Alureon, or TDL3 Rootkit using TDSSKiller:"


.. and follow those steps to the letter. You might want to print that page for easy reference, or simply save it and bring it over, since you won't be able to read that page from the infected machine.


Do this after ComboFix. Once done, post both the ComboFix and TDSSKiller logs here, using two separate posts.


Good luck :wink:



Link to comment
Share on other sites

One more post from me, because I know you won't be at work anymore when I wake up.


After you've run ComboFix and TDSSKiller, check your internet connection. If it works, then launch MBAM (I know you already have it) and try to update it, then run a Quick Scan with it. Let it fix anything it finds, then post the log here please.


If you still don't have a connection, we'll figure out a way to get it back on Wednesday (tomorrow night for me).


See you back here soon, for your laptop at home probably...



Link to comment
Share on other sites

No need to apologize, Cecilia. ;-)


A few things you need to know :


- Many forum helpers simply refuse to help with business computers, for a few reasons :

> There are often restrictions set on them which makes our job very difficult.

> Whether it's large or small companies, they should have pros looking after their computers so those pros should be called in to fix problems. Forum helpers are volunteers and we don't really wish to spend time fixing problems that IT departments are being paid to fix.

> Companies should have tight measures in place to avoid infections, because many infections install backdoors that allow remote attackers to access the whole content of the network ; financial data, personal data, confidential company stuff, etc...


- Another important point : communication is important when trying to fix computers over the Internet (on forums), because we helpers don't have physical access to machines so we need you to help us along. When we ask questions and don't get answers, we get stuck real quick... I know it's not easy, especially with difficult infections, but cooperation is the key to success.


Now, I understand you want that connection fixed, but it's not that easy... with infections still active. So now I really need answers to a few questions, please :


1) Can you download stuff from another computer and bring it over to the infected machine ?


2) How many machines are there on the company network, and how do you guys connect to the Internet ? Through a simple router, a large one, a server ?


3) You mentionned that there are "shares" on your network : having one infected computer inside the network can cause major headaches if a worm gets in and starts infecting other machines, so... are you aware of any problems with other computers on that network ? Problems similar to the ones you're having ?


4) On the infected computer, do you have access to the Control Panel, Network Connections and Device Manager ?


Once we have all that sorted, I'll be able to figure out a way to fix the connection, hopefully...


Thanks, and hang in there :-)



Link to comment
Share on other sites

1) Can you download stuff from another computer and bring it over to the infected machine ? through Network Sharing


2) How many machines are there on the company network, and how do you guys connect to the Internet ? Through a simple router, a large one, a server ? 4 PCs & 1 Laptop through simple D-link router.


3) You mentionned that there are "shares" on your network : having one infected computer inside the network can cause major headaches if a worm gets in and starts infecting other machines, so... are you aware of any problems with other computers on that network ? Problems similar to the ones you're having ? I don't think there are problems similar to mine for the others computers


4) On the infected computer, do you have access to the Control Panel, Network Connections and Device Manager ? I do have access to them

Link to comment
Share on other sites


This topic is now archived and is closed to further replies.

  • Create New...